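{ config, lib, pkgs, ... }:

# NixOS host configuration for this machine. Persistent state lives under
# `state-dir` and is linked or copied into place on every boot; Shinobi runs as
# a Docker container behind an nginx reverse proxy.
let
  shinobi-port = "7080";
  shinobi-od-port = "7082";
  state-dir = "/state"; # This must be a string!

in {
  boot.loader.grub.copyKernels = true;

  networking = {
    interfaces = {
      enp3s0f0.useDHCP = false;
      enp3s0f1.useDHCP = false;
      enp4s0f0.useDHCP = false;
      enp4s0f1.useDHCP = false;
      intif0.useDHCP = true;
    };
  };

  fudo.secrets = {
    host-secrets.lambda = {
      host-keytab = {
        # NOTE(review): this is an unquoted path literal, unlike every other
        # /state path in this file. If the fudo.secrets module interpolates it
        # into a derivation, the keytab is copied into the world-readable Nix
        # store; confirm the module applies toString to it, or quote it.
        source-file = /state/secrets/kerberos/lambda.keytab;
        target-file = "/etc/krb5.keytab";
        user = "root";
      };
    };
    secret-group = "fudo-secrets";
    secret-users = [ "niten" ];
    secret-paths = [ "/state/secrets" ];
  };

  fudo.games.valheim = {
    enable = true;
    state-directory = "/state/games/valheim";
    # NOTE(review): a literal password in the module is evaluated into the
    # system closure and most likely lands in the world-readable Nix store
    # (and in VCS). Prefer a file-based secret option if fudo.games.valheim
    # provides one — confirm against the module.
    password = "silkymilky";
  };

  # Root's GnuPG and SSH material is kept on the persistent volume and linked
  # into the (rolled-back) root filesystem on every boot.
  systemd.tmpfiles.rules = [
    "L /root/.gnupg - - - - ${state-dir}/user/root/gnupg"
    "L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa"
    "L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
    "L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
  ];

  # Host keys are persisted so the host identity survives a rollback.
  services.openssh.hostKeys = [
    {
      path = "${state-dir}/ssh/ssh_host_rsa_key";
      type = "rsa";
      bits = 4096;
    }
    {
      path = "${state-dir}/ssh/ssh_host_ed25519_key";
      type = "ed25519";
      # Ed25519 keys have a fixed length; ssh-keygen ignores -b for them, so
      # no `bits` attribute is given here.
    }
  ];

  # Private keys are installed into /etc with owner-only read permission;
  # public keys stay world-readable.
  environment.etc = {
    "ssh/ssh_host_rsa_key" = {
      source = "${state-dir}/ssh/ssh_host_rsa_key";
      user = "root";
      group = "root";
      mode = "0400";
    };
    "ssh/ssh_host_rsa_key.pub" = {
      source = "${state-dir}/ssh/ssh_host_rsa_key.pub";
      user = "root";
      group = "root";
      mode = "0444";
    };
    "ssh/ssh_host_ed25519_key" = {
      source = "${state-dir}/ssh/ssh_host_ed25519_key";
      user = "root";
      group = "root";
      mode = "0400";
    };
    "ssh/ssh_host_ed25519_key.pub" = {
      source = "${state-dir}/ssh/ssh_host_ed25519_key.pub";
      user = "root";
      group = "root";
      mode = "0444";
    };
    nixos.source = "/etc/nixos-live";
    "machine-id".source = "${state-dir}/host/machine-id";
    "host-config.nix".source = "/state/host/host-config.nix";
    adjtime.source = "/state/host/adjtime";
    NIXOS.source = "/state/host/NIXOS";
  };

  security.sudo.extraConfig = ''
    # Due to rollback, sudo will lecture after every reboot
    Defaults lecture = never
  '';

  virtualisation = {
    docker = {
      enable = true;
      enableOnBoot = true;
      autoPrune = { enable = true; };
    };

    oci-containers = {
      containers = {
        shinobi = {
          # NOTE(review): an unpinned ":latest" tag makes deployments
          # non-reproducible and silently pulls whatever is current; pin a
          # version tag or an @sha256 digest.
          image = "shinobisystems/shinobi:latest";
          # Publish the UI port on loopback only. A bare "7080:8080" is
          # published on all interfaces, and Docker's own iptables rules bypass
          # the NixOS firewall, so the Shinobi UI would be reachable directly
          # without passing through the nginx proxy below. If the commented-out
          # shinobi-od sidecar is revived, have it reach Shinobi over a shared
          # container network rather than re-publishing this port widely.
          ports = [ "127.0.0.1:${shinobi-port}:8080" ];
          volumes = [
            "/state/shinobi/plugins:/home/Shinobi/plugins"
            "/state/shinobi/config:/home/Shinobi/config"
            "/state/shinobi/videos:/home/Shinobi/videos"
            "/state/shinobi/db-data:/var/lib/mysql"
            "/etc/localtime:/etc/localtime:ro"
          ];
        };

        # NOTE(review): the PLUGIN_KEY value below is a credential committed
        # inside a comment; treat it as exposed and rotate it before this
        # block is revived.
        # shinobi-od = {
        #   image = "shinobisystems/shinobi-tensorflow:latest";
        #   volumes =
        #     [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
        #   ports = [ "${shinobi-od-port}:8082" ];
        #   environment = {
        #     PLUGIN_HOST = "panopticon.sea.fudo.org";
        #     PLUGIN_PORT = shinobi-port;
        #     PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
        #   };
        # };

        # photoprism = { image = "photoprism/photoprism"; };
      };
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # NOTE(review): no forceSSL/enableACME on this vhost, so Shinobi logins
      # cross the network in plaintext unless TLS terminates in front of it —
      # confirm the deployment.
      "panopticon.sea.fudo.org" = {
        locations."/" = {
          # localhost defaults to IPv6
          proxyPass = "http://127.0.0.1:${shinobi-port}/";
          # WebSocket upgrade plus the usual forwarding headers.
          extraConfig = ''
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-By $server_addr:$server_port;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
        };
      };

      # "panopticon-od.sea.fudo.org" = {
      #   locations."/" = {
      #     proxyPass = "http://localhost:${shinobi-od-port}";
      #     extraConfig = ''
      #       proxy_http_version 1.1;
      #       proxy_set_header Upgrade $http_upgrade;
      #       proxy_set_header Connection "Upgrade";
      #     '';
      #   };
      # };
    };
  };
}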