Initial commit

roles/server/avahi.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+
+{
+	services.avahi = {
+		openFirewall = true;
+		publish = {
+			enable = true;
+			userServices = true;
+		};
+	};
+}

roles/server/beep.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+	# Beep as soon as possible in the initrd
+	boot.initrd = {
+		kernelModules = [ "pcspkr" ];
+		extraFiles.beep.source = pkgs.beep;
+		postDeviceCommands = "/beep/bin/beep -f 3000 -l 50 -r 2";
+	};
+	/*systemd.services.startupBeep = {
+		description = "Beep when system started booting";
+		wantedBy = [ "sysinit.target" ];
+		script = "${pkgs.beep}/bin/beep -f 3000 -l 50 -r 2";
+ 		serviceConfig = { Type = "oneshot"; }; 
+	};*/
+}

roles/server/ddclient.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+
+{
+	# Set up secrets
+	age.secrets = { ddclient-passwd.file = ../../secrets/ddclient-passwd; };
+
+	services.ddclient = {
+		enable = true;
+		use = "web, web=dynamicdns.park-your-domain.com/getip";
+		protocol = "namecheap";
+		server = "dynamicdns.park-your-domain.com";
+		username = "toast003.xyz";
+		passwordFile = config.age.secrets.ddclient-passwd.path;
+		domains = [ "@" ];
+	};
+}

roles/server/default.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+
+{
+	imports = [
+		./avahi.nix
+		./nfs.nix
+		./samba.nix
+		./ssh.nix
+		./gitea.nix
+		./syncthing.nix
+		./endlessh.nix
+		./transmission.nix
+		./ddclient.nix
+		./beep.nix
+	];
+}

roles/server/endlessh.nix

@@ -0,0 +1,10 @@
+{ config, ... }: 
+
+{
+	# I prefer using the go implementation
+	services.endlessh-go = {
+		enable = true;
+		openFirewall = true;
+		extraOptions =  [ "-alsologtostderr" "-v=1"] ;
+	};
+}

roles/server/gitea.nix

@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+{
+	specialisation.giteaEnableRegistration.configuration.services.gitea.settings.service.DISABLE_REGISTRATION = false;
+	services.gitea = {
+		enable = true;
+		# TODO: Make this not be hardcoded
+		rootUrl = "http://everest.local:3000";
+		settings = {
+			#server.SSH_PORT = 69;
+			service.DISABLE_REGISTRATION = lib.mkDefault true;
+		};
+	};
+	networking.firewall = {
+		allowedTCPPorts = [ 3000 ];
+	};
+}

roles/server/nfs.nix

@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+
+{
+	services = {
+		nfs.server = {
+			enable = true;
+			exports = ''
+${config.services.transmission.settings.download-dir} *.local(ro,all_squash,anonuid=${toString config.users.users.transmission.uid},anongid=${toString config.users.groups.transmission.gid})
+					'';
+					# NFSv3 uses random ports, so you need to make them static to be able to pass though the firewall
+					statdPort = 4000;
+					lockdPort = 4001;
+					mountdPort = 4002;
+		};
+
+		avahi.extraServiceFiles = {
+			Transmission-downloads-nfs = ''
+<?xml version="1.0" standalone='no'?>
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+<service-group>
+	<name replace-wildcards="yes">Transmission Downloads on %h (NFS)</name>
+	<service>
+		<type>_nfs._tcp</type>
+		<port>2049</port>
+		<txt-record>path=${config.services.transmission.settings.download-dir}</txt-record>
+	</service>
+</service-group>
+'';
+		};
+	};
+
+	networking.firewall = {
+		allowedTCPPorts = [ 111 2049 4000 40001 4002 ]; 
+		allowedUDPPorts = [ 111 2049 4000 40001 4002 ];
+	};
+}

roles/server/samba.nix

@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+
+{
+	services = {
+		samba = {
+			enable = true;
+			openFirewall = true;
+			extraConfig = ''
+map to guest = bad user
+guest account = transmission
+'';
+			shares = {
+				"Transmission downloads" = {
+					path = "${config.services.transmission.settings.download-dir}";
+					"read only" = true;
+					public = true;
+					"guest only" = true;
+					browseable = true;
+				};
+			};
+		};
+
+		avahi.extraServiceFiles = {
+			Transmission-downloads-smb = ''
+<?xml version="1.0" standalone='no'?>
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+<service-group>
+	<name replace-wildcards="yes">SMB shares on %h</name>
+	<service>
+		<type>_smb._tcp</type>
+		<port>139</port>
+	</service>
+</service-group>
+'';
+		};
+	};
+}

roles/server/ssh.nix

@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+	services.openssh = {
+		enable = true;
+		startWhenNeeded = true;
+		permitRootLogin = "no"; 
+		passwordAuthentication = false;
+	};
+}

roles/server/syncthing.nix

@@ -0,0 +1,33 @@
+{ config, ... }:
+
+{
+	age.secrets = {
+		syncthingKey.file = ../../secrets/syncthing/key;
+		syncthingCert.file = ../../secrets/syncthing/cert;
+	};
+	services.syncthing = {
+		enable = true;
+		key = config.age.secrets.syncthingKey.path;
+		cert = config.age.secrets.syncthingCert.path;
+		guiAddress = "0.0.0.0:8384";
+		devices = {
+			"phone" = {
+				id = "K7KNZ5V-XREUADL-CROQXPV-6AA4H65-2VUD34Z-VQWKJ6S-LWWW4EE-XPNEZQ6";
+				name = "Xiaomi Redmi Note 10 Pro";
+			};
+			"pc" = {
+				name = "Archie";
+				id = "MGMYYA2-4PXGHHH-2LOVD5N-I7IYBBS-4Y4UQNK-H73S2JG-ZCK5GCN-NHTWMAR";
+				addresses = [ "tcp://archie.local:22000" "tcp://192.168.0.160:22000"];
+			};
+		};
+		folders = {
+			"passwords" = {
+				label = "KeePassXC Passwords";
+				id = "rdyaq-ex659";
+				path = "${config.services.syncthing.dataDir}/passwords";
+				devices = [ "phone" "pc" ];
+			};
+		};
+	};
+}

roles/server/transmission.nix

@@ -0,0 +1,14 @@
+{ config , ... }:
+
+{
+	services.transmission = {
+		enable = true;
+		openFirewall = true;
+		openRPCPort = true;
+		settings = {
+			incomplete-dir-enabled = false;
+			rpc-bind-address = "0.0.0.0";
+			rpc-whitelist = "127.0.0.1,192.168.0.16*";
+		};
+	};
+}