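{ config, lib, pkgs, ... }:

# Host "library": a media server. Each service UI is published on loopback
# only and is reached either through the local nginx vhost (also loopback)
# or through the reverse SSH tunnel to vps1 defined below; the host firewall
# opens nothing but SSH.
with lib.my; # no unqualified name from lib.my is used in this file

{
  imports = [
    ./hardware-configuration.nix
    ../server.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "library";
  networking.domain = "mesh.vimium.net";
  networking.hostId = "d24ae953";
  networking.networkmanager.enable = true;

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22 # SSH
    ];
    # DNS only for containers on podman networks (dns_enabled = true below);
    # port 53 stays closed on every other interface.
    interfaces."podman+" = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };
  };

  # nixFlakes is a compatibility alias in current nixpkgs; the
  # experimental-features line is what actually enables flakes.
  nix.package = pkgs.nixFlakes;
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';

  users.defaultUserShell = pkgs.zsh;

  system.stateVersion = "22.11";

  services.zfs = {
    autoScrub = {
      enable = true;
      pools = [ "library" ];
    };
    # Keep 7 daily and 1 monthly snapshot; no frequent/hourly ones.
    autoSnapshot = {
      enable = true;
      flags = "-k -p --utc";
      frequent = 0;
      hourly = 0;
      daily = 7;
      monthly = 1;
    };
  };

  # Reverse tunnel that publishes this host's loopback-only services on vps1's
  # loopback. No User= is set, so the unit runs as root and %h expands to
  # /root. Host-key verification of vps1 relies on root's known_hosts (no
  # StrictHostKeyChecking/UserKnownHostsFile override here) — TODO confirm the
  # vps1 host key is pinned there so the unit fails closed rather than prompts.
  systemd.services.vps1-tunnel = {
    enable = true;
    description = "vps1.mesh.vimium.net SSH tunnel";
    after = [ "network-online.target" "podman-jellyfin.service" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = lib.mkForce ''
        ${pkgs.openssh}/bin/ssh \
          -NT \
          -o ExitOnForwardFailure=yes \
          -o ServerAliveInterval=60 \
          -o TCPKeepAlive=no \
          -i %h/.ssh/id_jellyfin \
          -R localhost:3579:localhost:3579 \
          -R localhost:7878:localhost:7878 \
          -R localhost:8000:localhost:8000 \
          -R localhost:8096:localhost:8096 \
          -R localhost:8686:localhost:8686 \
          -R localhost:8989:localhost:8989 \
          jellyfin@vps1.mesh.vimium.net
      '';
      Restart = "on-failure";
      # ExitOnForwardFailure makes ssh exit almost immediately when vps1 is
      # unreachable or a remote port is still bound. With systemd's default
      # 100 ms restart delay that trips the default start rate limit (5 starts
      # in 10 s) and leaves the tunnel down until someone intervenes; back off
      # instead so the unit keeps retrying.
      RestartSec = "10s";
    };
    wantedBy = [ "default.target" ];
  };

  services.nginx =
    let
      # Headers passed to every upstream: X-Forwarded-*/X-Real-IP carry the
      # client address through, Range/If-Range are presumably for byte-range
      # requests on streamed media, and the Upgrade/Connection pair lets
      # websocket connections through.
      proxyConfig = ''
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      '';
      # Location body that proxies to a loopback port with the shared headers.
      proxyTo = port: {
        proxyPass = "http://localhost:${toString port}";
        extraConfig = proxyConfig;
      };
    in
    {
      enable = true;
      package = pkgs.openresty;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      clientMaxBodySize = "2G";
      virtualHosts."jellyfin.vimium.com" = {
        default = true;
        # NixOS types `listen` as a list of { addr; port; ... } entries, not a
        # single attribute set. Loopback only: this vhost is reached through
        # the tunnel's -R 8000 forward.
        listen = [ { addr = "127.0.0.1"; port = 8000; } ];
        locations."/" = proxyTo 8096;          # jellyfin
        locations."/downloads" = proxyTo 8080; # qbittorrent
        locations."/lidarr" = proxyTo 8686;
        locations."/prowlarr" = proxyTo 9696;
        locations."/radarr" = proxyTo 7878;
        locations."/requests" = proxyTo 3579;  # ombi (BASE_URL = /requests)
        locations."/sonarr" = proxyTo 8989;
      };
    };

  virtualisation.podman = {
    enable = true;
    defaultNetwork.settings.dns_enabled = true; # containers resolve each other by name
    extraPackages = [ pkgs.zfs ]; # required by the zfs storage driver below
  };
  virtualisation.containers.storage.settings.storage = {
    driver = "zfs";
    graphroot = "/var/lib/containers/storage";
    runroot = "/run/containers/storage";
  };

  virtualisation.oci-containers.containers =
    let
      # Opts the container into `podman auto-update`, which re-pulls its tag
      # from the registry. On a floating `:latest` tag that means upgrades land
      # unreviewed; on a pinned tag (jellyfin) it only refreshes the same
      # version. Pinning every image would make rollbacks deterministic.
      autoUpdate = "--label=io.containers.autoupdate=registry";
    in
    {
      authelia = {
        image = "docker.io/authelia/authelia";
        autoStart = true;
        ports = [ "127.0.0.1:9091:9091/tcp" ];
        extraOptions = [ autoUpdate ];
      };

      jellyfin = {
        image = "docker.io/jellyfin/jellyfin:10.8.10";
        autoStart = true;
        # No host address, so unlike every other container this publishes on
        # all interfaces; nginx and the tunnel only need localhost:8096.
        # NOTE(review): published ports are installed by the container
        # runtime's own NAT rules and are not necessarily subject to
        # networking.firewall.allowedTCPPorts — confirm LAN exposure is
        # intended, or bind to 127.0.0.1 like the others.
        ports = [ "8096:8096/tcp" ];
        volumes = [
          "jellyfin-cache:/cache:Z"
          "jellyfin-config:/config:Z"
        ];
        extraOptions = [
          # NOTE(review): --detach is unusual under the oci-containers unit,
          # which presumably expects `podman run` to stay in the foreground —
          # verify the unit still tracks and stops the container correctly.
          "--detach"
          # NOTE(review): --privileged drops most isolation for the container.
          # --device and --group-add below already expose the GPU render node,
          # which is the usual requirement for hardware transcoding — confirm
          # privileged is still needed.
          "--privileged"
          autoUpdate
          "--group-add=989" # host GID, presumably the group owning /dev/dri — TODO confirm
          # The media library is mounted read-only; only cache/config are writable.
          "--mount=type=bind,source=/mnt/library,target=/library,ro=true"
          "--device=/dev/dri:/dev/dri"
        ];
      };

      # lidarr, radarr and sonarr run their app as root inside the container
      # (PUID = "0") with their media directory bind-mounted read-write, while
      # qbittorrent runs as 1000/1000. NOTE(review): confirm root is actually
      # required; these images presumably honour a non-root PUID.
      lidarr = {
        image = "lscr.io/linuxserver/lidarr:latest";
        autoStart = true;
        ports = [ "127.0.0.1:8686:8686/tcp" ];
        environment = { PUID = "0"; PGID = "1000"; };
        volumes = [
          "lidarr-config:/config:Z"
          "downloads:/downloads" # shared with qbittorrent, radarr and sonarr
        ];
        extraOptions = [
          autoUpdate
          "--mount=type=bind,source=/mnt/library/music,target=/music"
        ];
        dependsOn = [ "prowlarr" "qbittorrent" ];
      };

      ombi = {
        image = "lscr.io/linuxserver/ombi:latest";
        autoStart = true;
        ports = [ "127.0.0.1:3579:3579/tcp" ];
        environment = { BASE_URL = "/requests"; }; # must match the nginx location
        volumes = [ "ombi-config:/config:Z" ];
        extraOptions = [ autoUpdate ];
        dependsOn = [ "jellyfin" ];
      };

      prowlarr = {
        image = "lscr.io/linuxserver/prowlarr:latest";
        autoStart = true;
        ports = [ "127.0.0.1:9696:9696/tcp" ];
        volumes = [ "prowlarr-config:/config:Z" ];
        extraOptions = [ autoUpdate ];
      };

      qbittorrent = {
        image = "cr.hotio.dev/hotio/qbittorrent:latest";
        autoStart = true;
        # 6881 is published on loopback only, so inbound peer connections from
        # other hosts cannot reach it — presumably intentional; confirm.
        ports = [
          "127.0.0.1:8080:8080/tcp"
          "127.0.0.1:6881:6881/tcp"
          "127.0.0.1:6881:6881/udp"
        ];
        environment = { PUID = "1000"; PGID = "1000"; };
        volumes = [
          "qbittorrent-config:/config:Z"
          "downloads:/downloads"
        ];
        extraOptions = [ autoUpdate ];
      };

      radarr = {
        image = "lscr.io/linuxserver/radarr:latest";
        autoStart = true;
        ports = [ "127.0.0.1:7878:7878/tcp" ];
        environment = { PUID = "0"; PGID = "1000"; };
        volumes = [
          "radarr-config:/config:Z"
          "downloads:/downloads"
        ];
        extraOptions = [
          autoUpdate
          "--mount=type=bind,source=/mnt/library/movies,target=/movies"
        ];
        dependsOn = [ "prowlarr" "qbittorrent" ];
      };

      sonarr = {
        image = "lscr.io/linuxserver/sonarr:latest";
        autoStart = true;
        ports = [ "127.0.0.1:8989:8989/tcp" ];
        environment = { PUID = "0"; PGID = "1000"; };
        volumes = [
          "sonarr-config:/config:Z"
          "downloads:/downloads"
        ];
        extraOptions = [
          autoUpdate
          "--mount=type=bind,source=/mnt/library/tv,target=/tv"
        ];
        dependsOn = [ "prowlarr" "qbittorrent" ];
      };
    };

  # Options presumably defined by this repository's own modules rather than
  # nixpkgs.
  modules = {
    security.gpg.enable = true;
    shell.zsh.enable = true;
  };
}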