power saving, starr, jelly, akkoma

2026-03-20 13:59:08 +01:00 · 2026-03-20 13:59:08 +01:00 · a0d19a672e
commit a0d19a672e
parent 8f6d63909a
20 changed files with 439 additions and 22 deletions
--- a/services/backup.nix
+++ b/services/backup.nix
@ -1,7 +1,5 @@
 { config, pkgs, ... }:
-
 {
- 
  services.postgresql.backup = {
    enable = true;
    location = "/var/lib/data/backups/postgres";
@ -13,7 +11,6 @@
    paths = [
      "/var/lib/data"          
      "/var/lib/vaultwarden"   
-      "/etc/nixos"             
    ];
    
    exclude = [
--- a/services/caddy.nix
+++ b/services/caddy.nix
@ -1,10 +1,11 @@
 { config, pkgs, ... }:

 {
+  # TODO: remove from user
  users.users.caddy.extraGroups = [ "users" ];
  systemd.tmpfiles.rules = [
-    "d /var/www/website 0755 daniel users - -"
-    "d /var/www/website/public 0755 daniel users - -"
+    "d /var/www/danielk.me 0755 daniel users - -"
+    "d /var/www/danielk.me/public 0755 daniel users - -"
  ];
  services.caddy = {
    enable = true;
@ -24,12 +25,6 @@
          root * /var/www/danielk.me/public
          file_server browse
        }
-  
-        handle_path /git/* {
-          root * /var/www/danielk.me/git
-          file_server
-        }
-        reverse_proxy localhost:3333
      '';
    };
  };
--- a/services/fedi.nix
+++ b/services/fedi.nix
@ -0,0 +1,128 @@
+{ config, pkgs, ... }:
+let
+  frontendConfig = {
+        alwaysShowSubjectInput = true;
+        background = "/static/bg.png";
+        collapseMessageWithSubject = false;
+        greentext = false;
+        hideFilteredStatuses = false;
+        hideMutedPosts = false;
+        hidePostStats = false;
+        hideSitename = false;
+        hideUserStats = false;
+        loginMethod = "password";
+        logo = "/static/logo.png";
+        logoMargin = ".1em";
+        logoMask = true;
+        logoLeft = false;
+        nsfwCensorImage = "";
+        postContentType = "text/plain";
+        redirectRootLogin = "/main/friends";
+        redirectRootNoLogin = "/main/all";
+        showFeaturesPanel = true;
+        showInstanceSpecificPanel = true;
+        sidebarRight = false;
+        subjectLineBehavior = "email";
+        theme = "kemonomimi-theme";
+        webPushNotifications = true;
+      };
+in
+{
+  # probably move them out? atm they stay since they only serve kemonomimi
+  services.cloudflared.enable = true;
+  services.cloudflared.tunnels."65c093ce-a3ac-4369-b240-2169514be106" = {
+    credentialsFile = "/etc/secrets/65c093ce-a3ac-4369-b240-2169514be106.json";
+    ingress = {
+      "kemonomimi.pet" = "http://localhost:8679";
+      "fedi.kemonomimi.pet" = "http://localhost:8678";
+      "media.kemonomimi.pet" = "http://localhost:8678";
+    };
+    default = "http_status:404";
+  };
+
+  services.akkoma.enable = true;
+  # ill have to enable this
+  # services.akkoma.config.":pleroma".":media_proxy" = {
+  #   enabled = true;
+  #   proxy_opts.redirect_on_failure = true;
+  # };
+  services.akkoma.config = {
+    ":pleroma" = {
+      "Pleroma.Captcha".enabled = false;
+
+      ":instance" = {
+        name = "Kemonomimi.pet";
+        description = "Akkoma instance for kemonomimi.pet";
+        email = "admin@kemonomimi.pet";
+        registrations_open = false;
+	healthcheck = true;
+	allow_relay = true;
+	public = true;
+      };
+
+      "Pleroma.Web.Endpoint" = {
+      	url.host = "fedi.kemonomimi.pet";
+	url.port = 443;
+	url.scheme = "https";
+        http.ip = "127.0.0.1";
+        http.port = 8678;
+      };
+      ":configurable_from_database" = false;
+      "Pleroma.Upload".base_url = "https://media.kemonomimi.pet:443/media";
+
+      ":frontend_configurations" = {
+        pleroma_fe = frontendConfig;
+      };
+    };
+  };
+  services.akkoma.frontends.admin.name = "admin-fe";
+  services.akkoma.frontends.admin.ref = "stable";
+  services.akkoma.frontends.admin.package = pkgs.akkoma-admin-fe;
+
+  services.akkoma.frontends.primary.name = "akkoma-fe";
+  services.akkoma.frontends.primary.ref = "stable";
+  services.akkoma.frontends.primary.package =
+    pkgs.runCommand "akkoma-fe"
+    {
+      config = builtins.toJSON frontendConfig;
+      nativeBuildInputs = with pkgs; [
+        jq
+        lndir
+      ];
+      passAsFile = [ "config" ];
+    }
+    ''
+      mkdir $out
+      lndir ${pkgs.akkoma-fe} $out
+
+      rm $out/static/config.json
+      jq -s add ${pkgs.akkoma-fe}/static/config.json $configPath \
+        > $out/static/config.json
+    '';
+
+  services.akkoma.extraStatic = 
+    let
+      mkPackage = src: pkgs.runCommand "akkoma-asset" {} ''
+        cp -r ${src} $out
+      '';
+    in {
+      "favicon.png" = mkPackage ../akkoma-static/favicon.png;
+      "static"      = mkPackage ../akkoma-static/static;
+      "instance"    = mkPackage ../akkoma-static/instance;
+    };
+
+  systemd.services.local-static-http = {
+    description = "Temporary server for under construction";
+    wants = [ "network.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 8679 --bind 127.0.0.1";
+      WorkingDirectory = "/var/www/kemonomimi.pet";
+      Restart = "on-failure";
+      User = "daniel";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+  
+}
+
--- a/services/immich.nix
+++ b/services/immich.nix
@ -1,28 +1,33 @@
 { config, pkgs, ... }:
+let
+  domain = "photos.danielk.me";
+  bind = "127.0.0.1";
+  port = 2283;
+  data = "/var/lib/data/immich";
+in
 {
  services.immich = {
    enable = true;
-    mediaLocation = "/var/lib/data/immich";
-    host = "127.0.0.1";
-    port = 2283;
+    mediaLocation = data;
+    host = bind;
+    port = port;
    machine-learning.environment.MACHINE_LEARNING_REQUEST_THREADS = "2";
  };


-  services.caddy.virtualHosts."photos.danielk.me" = {
+  services.caddy.virtualHosts."${domain}" = {
    extraConfig = ''
-      reverse_proxy 127.0.0.1:2283
+      reverse_proxy ${bind}:${toString port}
    '';
  };

-  # Thumbnails on ssd for faster loading
  fileSystems."/var/lib/data/immich/thumbs" = {
    device = "/var/lib/immich-thumbnails";
    options = [ "bind" ];
  };

  systemd.tmpfiles.rules = [
-    "d /var/lib/data/immich 0750 immich immich -"
+    "d ${data} 0750 immich immich -"
    "d /var/lib/immich-thumbnails 0750 immich immich -"
  ];
 }
--- a/services/jelly.nix
+++ b/services/jelly.nix
@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+{
+  users.users.jellyfin.extraGroups = [ "media" "render" ];
+  services.jellyfin = {
+    enable = true;
+    dataDir = "/var/lib/jellyfin";
+  };
+
+  services.caddy.virtualHosts."jelly.danielk.me" = {
+    extraConfig = ''
+      reverse_proxy 127.0.0.1:8096
+    '';
+  };
+
+  systemd.tmpfiles.rules = [
+    # not needed I think
+    # "d /var/lib/jellyfin 0750 jellyfin jellyfin -"
+    "d /var/lib/data/media 0770 daniel media -"
+  ];
+  
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+  ];
+
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-compute-runtime
+      intel-vaapi-driver
+      libva-vdpau-driver
+      libva
+      libvdpau-va-gl
+    ];
+  };
+}
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+let
+  webUIport = 55555;
+  forwardPort = 8888;
+  torrentPort = 49114;
+  namespace = "wg-mullvad-namespace";
+  interface = "wg-mullvad";
+in
+{
+  users.users.qbittorrent.extraGroups = [ "media" ];
+  services.qbittorrent = {
+    enable = true;
+    webuiPort = webUIport;
+    serverConfig = {
+      LegalNotice.Accepted = true;
+      Preferences = {
+        WebUI = {
+	  StatusbarExternalIPDisplayed = true;
+	  HostHeaderValidation = false;
+          Username = "admin";
+          Password_PBKDF2 = "@ByteArray(WHjV8k2o78gWuL4xAUu0Ww==:eSOIQzJvNmW2JNbvC5DsS3h4JxAvkqJ0g0o1STTLplWLq9cDPjBME3/+dJ/c+p2crLIP2JEoO7KzD0JvLlU9TA==)";
+        };
+        General.Locale = "en";
+      };
+      BitTorrent = {
+        Session = {
+	  Port = torrentPort;
+	  GlobalMaxRatio = 5;
+	  ShareLimitAction = "RemoveWithContent";
+	  QueueingSystemEnabled = false;
+	  DefaultSavePath = "/var/lib/torrents";
+	  Interface = interface;
+	  InterfaceName = interface;
+	  MaxConnections = -1;
+          MaxConnectionsPerTorrent = -1;
+          MaxUploads = -1;
+          MaxUploadsPerTorrent = -1;
+	};
+      };
+    };
+  };
+
+  systemd.services.qbittorrent.serviceConfig = {
+    NetworkNamespacePath = "/var/run/netns/${namespace}";
+    BindReadOnlyPaths = [
+      "/etc/netns/${namespace}/resolv.conf:/etc/resolv.conf"
+    ];
+  };
+  systemd.services.qbittorrent.after = [ "wireguard-${interface}.target" ];
+
+  systemd.services.forward-namespace = {
+    description = "Proxy LAN to VPN namespace";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    script = "${pkgs.socat}/bin/socat TCP-LISTEN:${toString forwardPort},fork,reuseaddr TCP:10.200.200.2:${toString webUIport}";
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/torrents 0750 qbittorent qbittorrent -"
+  ];
+}
--- a/services/starr.nix
+++ b/services/starr.nix
@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+  services.jackett.enable = true;
+  nixpkgs.overlays = [ (final: prev: { jackett = prev.jackett.overrideAttrs (_oldAttrs: {
+    doCheck = false; } ); } ) 
+  ];
+
+  users.users.sonarr.extraGroups = [ "media" ];
+  services.sonarr.enable = true;
+}
--- a/services/status.nix
+++ b/services/status.nix
@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+  services.glances = {
+    enable = true;
+    port = 61208;
+  };
+
+  services.caddy.virtualHosts."status.danielk.me" = {
+    extraConfig = ''
+      reverse_proxy 127.0.0.1:61208
+    '';
+  };
+}
--- a/services/wireguard.nix
+++ b/services/wireguard.nix
@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+{
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+    wg-mullvad = {
+      # Use a separate network namespace for the VPN.
+      # sudo ip netns exec wg-qbittorrent curl --interface wg-mullvad https://am.i.mullvad.net/connected
+    
+      privateKeyFile = "/etc/secrets/vpn.txt";
+      ips = ["10.155.12.117/32" "fd7d:76ee:e68f:a993:3523:7cc2:943c:18a9/128"];
+      interfaceNamespace = "wg-mullvad-namespace";
+      mtu = 1320;
+    
+      preSetup = ''
+        ip netns add wg-mullvad-namespace
+        ip -n wg-mullvad-namespace link set lo up
+
+	ip link add veth-host type veth peer name veth-vpn
+	ip link set veth-vpn netns wg-mullvad-namespace
+	ip addr add 10.200.200.1/24 dev veth-host
+	ip netns exec wg-mullvad-namespace ip addr add 10.200.200.2/24 dev veth-vpn
+	ip link set veth-host up
+	ip netns exec wg-mullvad-namespace ip link set veth-vpn up
+	ip netns exec wg-mullvad-namespace ip route add default via 10.200.200.1
+
+        mkdir -p /etc/netns/wg-mullvad-namespace
+        echo "nameserver 10.128.0.1" > /etc/netns/wg-mullvad-namespace/resolv.conf
+        echo "nameserver fd7d:76ee:e68f:a993::1" >> /etc/netns/wg-mullvad-namespace/resolv.conf
+      '';
+    
+      postShutdown = ''
+        ip netns del wg-mullvad-namespace
+
+	ip link del veth-host
+      '';
+    	
+      peers = [
+        {
+          publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+	  presharedKey = "YAbLXCB/uuKPfulaFAylvGbh3nuE881GupBZ/HBULpQ=";
+          allowedIPs = ["0.0.0.0/0" "::0/0"];
+          endpoint = "europe3.vpn.airdns.org:1637";
+	  persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+}