Add library configuration

flake.nix

@@ -77,6 +77,7 @@
         eos = mkNixosSystem { system = "x86_64-linux"; name = "eos"; };
         helios = mkNixosSystem { system = "x86_64-linux"; name = "helios"; };
         hypnos = mkNixosSystem { system = "x86_64-linux"; name = "hypnos"; };
+        library = mkNixosSystem { system = "x86_64-linux"; name = "library"; };
         odyssey = mkNixosSystem { system = "x86_64-linux"; name = "odyssey"; };
         pi = mkNixosSystem { system = "aarch64-linux"; name = "pi"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
         vps1 = mkNixosSystem { system = "x86_64-linux"; name = "vps1"; };

hosts/library/README.md

@@ -0,0 +1,46 @@
+# Library
+
+## Overview
+Media and public file server.
+
+## Specs
+* CPU - AMD Ryzen 5 5600G @ 3.90GHz
+* Chipset - AMD B550
+* Memory - 64 GB DDR4
+* Motherboard - ASRock B550M Pro4
+* Case - Fractal Design Node 804
+
+### Disks
+Device | Partitions _(filesystem, size, usage)_
+--- | ---
+Samsung 980 Evo | `/dev/nvme0n1p1` (EFI, 512 MiB, NixOS Boot) <br> `/dev/nvme0n1p2` (ZFS `rpool`, 200 GiB, NixOS Root)
+
+#### ZFS datasets
+```
+rpool/
+├── local
+│   ├── nix
+│   └── tmp
+├── system
+│   ├── root
+│   └── var
+└── user
+    └── home
+
+library/
+├── books
+├── fonts
+├── movies
+├── music
+├── software
+├── tv
+├── videos
+└── web
+```
+
+See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind the `rpool` datasets.
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `library.mesh.vimium.net`.
+

hosts/library/default.nix

@@ -0,0 +1,170 @@
+{ config, lib, pkgs, ... }:
+
+with lib.my;
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../server.nix
+  ];
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+  };
+
+  networking = {
+    domain = "mesh.vimium.net";
+    hostId = "d24ae953";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22  # SSH
+      ];
+      interfaces."podman+" = {
+        allowedUDPPorts = [ 53 ];
+        allowedTCPPorts = [ 53 ];
+      };
+    };
+    networkmanager.enable = true;
+  };
+
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      pools = [ "library" ];
+    };
+    autoSnapshot = {
+      enable = true;
+      flags = "-k -p --utc";
+      frequent = 0;
+      hourly = 0;
+      daily = 7;
+      monthly = 1;
+    };
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9002;
+      };
+      zfs = {
+        enable = true;
+        port = 9003;
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "library";
+        static_configs = [{
+          targets = [
+            "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+            "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}"
+          ];
+        }];
+      }
+    ];
+  };
+
+  systemd.services.vps1-tunnel = {
+    enable = true;
+    description = "vps1.mesh.vimium.net SSH tunnel";
+    after = [
+      "network-online.target"
+      "jellyfin.service"
+    ];
+    wants = [ "network-online.target" ];
+    serviceConfig = {
+      Type="simple";
+      ExecStart=pkgs.lib.mkForce ''
+        ${pkgs.openssh}/bin/ssh \
+          -NT \
+          -o ExitOnForwardFailure=yes \
+          -o ServerAliveInterval=60 \
+          -o TCPKeepAlive=no \
+          -i %h/.ssh/id_jellyfin \
+          -R localhost:8000:localhost:8000 \
+          jellyfin@vps1.mesh.vimium.net
+      '';
+      Restart="always";
+      RestartSec=20;
+    };
+    wantedBy = [ "default.target" ];
+  };
+
+  services.nginx = let
+    proxyConfig = ''
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header Host $host;
+
+      proxy_set_header Range $http_range;
+      proxy_set_header If-Range $http_if_range;
+
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+    '';
+  in {
+    enable = true;
+    package = pkgs.openresty;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "2G";
+    virtualHosts = {
+      "library.mesh.vimium.net" = {
+        locations."/" = {
+          root = "/mnt/library";
+          extraConfig = ''
+            autoindex on;
+          '';
+        };
+      };
+      "jellyfin.vimium.com" = {
+        default = true;
+        listen = [
+          {
+            addr = "127.0.0.1";
+            port = 8000;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://localhost:8096";
+          extraConfig = proxyConfig;
+        };
+        locations."/metrics" = {
+          return = "404";
+        };
+      };
+    };
+  };
+
+  services.jellyfin.enable = true;
+
+  modules = {
+    security = {
+      gpg.enable = true;
+    };
+    shell = {
+      zsh.enable = true;
+    };
+    services = {
+      borgmatic = {
+        enable = true;
+        directories = [
+          "/home/jordan"
+        ];
+        repoPath = "ssh://b61758r4@b61758r4.repo.borgbase.com/./repo";
+      };
+    };
+  };
+
+  system.stateVersion = "22.11";
+}
+

hosts/library/hardware-configuration.nix

@@ -0,0 +1,113 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "rpool/system/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var" = {
+    device = "rpool/system/var";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/log" = {
+    device = "rpool/system/var/log";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/tmp" = {
+    device = "rpool/system/var/tmp";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/lib/containers/storage" = {
+    device = "rpool/system/var/lib-containers-storage";
+    fsType = "zfs";
+  };
+
+  fileSystems."/nix" = {
+    device = "rpool/local/nix";
+    fsType = "zfs";
+  };
+
+  fileSystems."/tmp" = {
+    device = "rpool/local/tmp";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home" = {
+    device = "rpool/user/home";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/F697-F1C0";
+    fsType = "vfat";
+  };
+
+  fileSystems."/mnt/library" = {
+    device = "library";
+    fsType = "zfs";
+  };
+
+  fileSystems."/mnt/library/books" = {
+    device = "library/books";
+    fsType = "zfs";
+  };
+
+  fileSystems."/mnt/library/fonts" = {
+    device = "library/fonts";
+    fsType = "zfs";
+  };
+
+  fileSystems."/mnt/library/movies" = {
+    device = "library/movies";
+    fsType = "zfs";
+  };
+
+  fileSystems."/mnt/library/music" = {
+    device = "library/music";
+    fsType = "zfs";
+  };
+
+  fileSystems."/mnt/library/software" = {
+    device = "library/software";
+    fsType = "zfs";
+  };
+
+  fileSystems."/mnt/library/tv" = {
+    device = "library/tv";
+    fsType = "zfs";
+  };
+
+  fileSystems."/mnt/library/videos" = {
+    device = "library/videos";
+    fsType = "zfs";
+  };
+
+  fileSystems."/mnt/library/web" = {
+    device = "library/web";
+    fsType = "zfs";
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
+