dotfiles/hosts/tanzanite/default.nix

{ config, lib, pkgs, modulesPath, ... }:
let

in {
  imports = [ ../default.nix ];

  stitchyconf = {
    form = "server";
  };

  networking.hostName = "tanzanite";
  time.timeZone = "America/Los_Angeles";

  virtualisation.docker = {
    enable = true;
    daemon.settings = {
      data-root = "/opt/data/docker-data";
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "stitchy@stitchy.moe";
    defaults.dnsProvider = "porkbun";
    defaults.environmentFile = "/persist/acme/porkbun.tokens";
    certs = {
      "turn.stitchy.moe" = {};
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    clientMaxBodySize = "100m";
    virtualHosts = {
      "stitchy.moe" = {
        enableACME = true;
        forceSSL = true;
        root = "/opt/www/stitchy.moe/public";
        extraConfig = ''
          add_header 'Access-Control-Allow-Origin' '*' always;
          error_page 404 /404.html;
          location = /404.html {
            internal;
          }
          location ^~/shaders/ {
            alias /opt/www/shader-web-test/;
          }
          location ^~/files/ {
            alias /opt/www/files/;
          }
          location ^~/linux_isos/ {
            alias /opt/docker-containers/torrenting/data/torrents/;
          }
        '';
      };
      "gay.stitchy.moe" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:3333";
        };
      };
      "matrix.stitchy.moe" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:9008";
        };
        locations."/metrics" = {
          return = "404";
        };
      };
      "pics.stitchy.moe" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://[::1]:${toString config.services.immich.port}";
          proxyWebsockets = true;
          recommendedProxySettings = true;
        };
      };
      "grafana.stitchy.moe" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:3000";
        };
        extraConfig = ''
          allow 10.100.0.0/24;
          allow 192.168.51.2;
          allow 192.168.51.1;
          deny all;
        '';
      };
    };
  };

  services = {
    grafana = {
      enable = true;
      settings = {
        analytics = {
          feedback_links_enabled = false;
          reporting_enabled = false;
        };
      };
    };
    immich = {
      enable = true;
      port = 2283;
      mediaLocation = "/opt/services/immich";
    };
    postgresql = {
      dataDir = "/opt/services/postgresql/${config.services.postgresql.package.psqlSchema}";
    };
    prometheus = {
      enable = true;
      exporters = {
        node = {
          enable = true;
        };
        unpoller = {
          enable = true;
          controllers = [{
            user = "flyingstitchman";
            pass = "/persist/unifi-pass.txt";
            verify_ssl = false;
            url = "https://localhost:7443";
            save_dpi = true;
          }];
        };
      };
      globalConfig.scrape_interval = "10s";
      scrapeConfigs = [{
        job_name = "node";
        static_configs = [{
          targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}"];
        }];
      }
      {
        job_name = "dendrite";
        static_configs = [{
          targets = [ "localhost:9008"];
        }];
      }
      {
        job_name = "unpoller";
        static_configs = [{
          targets = [ "localhost:9130"];
        }];
      }
      ];
    };
    unpoller = {
    };
  };

  networking.firewall = {
    allowedTCPPorts = [ 22 80 222 443 3478 5349 ];
    allowedUDPPorts = [ 3478 5349 ];
    allowedUDPPortRanges = [
    { from = 19000; to = 20000; }
    ];
  };

  # Boot Config
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  # Redundant Storage
  fileSystems."/opt/data" = {
    device = "/dev/disk/by-uuid/0acaee69-07df-45f3-a2f4-65e2f3fda529";
    fsType = "btrfs";
    options = [ "subvol=@data" "compress=zstd" ];
  };

  fileSystems."/opt/docker-containers" = {
    device = "/dev/disk/by-uuid/0acaee69-07df-45f3-a2f4-65e2f3fda529";
    fsType = "btrfs";
    options = [ "subvol=@docker-containers" "compress=zstd" ];
  };

  fileSystems."/opt/services" = {
    device = "/dev/disk/by-uuid/0acaee69-07df-45f3-a2f4-65e2f3fda529";
    fsType = "btrfs";
    options = [ "subvol=@services" "compress=zstd" ];
  };

  fileSystems."/opt/www" = {
    device = "/dev/disk/by-uuid/0acaee69-07df-45f3-a2f4-65e2f3fda529";
    fsType = "btrfs";
    options = [ "subvol=@www" "compress=zstd" ];
  };

  # Non-Redundant Storage
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/ac31f656-1882-415e-bbb7-b4d24c0af01c";
      fsType = "btrfs";
      options = [ "subvol=@nix-root" "compress=zstd"];
    };

  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/ac31f656-1882-415e-bbb7-b4d24c0af01c";
      fsType = "btrfs";
      options = [ "subvol=@nix-home" "compress=zstd"];
    };

  fileSystems."/nix/store" =
    { device = "/dev/disk/by-uuid/ac31f656-1882-415e-bbb7-b4d24c0af01c";
      fsType = "btrfs";
      options = [ "subvol=@nix" "noatime" "compress=zstd"];
    };

  fileSystems."/persist" =
    { device = "/dev/disk/by-uuid/ac31f656-1882-415e-bbb7-b4d24c0af01c";
      fsType = "btrfs";
      options = [ "subvol=@persist" "compress=zstd"];
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/262D-F161";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/5c007a16-9f0f-42d0-8761-63bea3120f6d"; }
    ];

  # Static Networking
  systemd.network.enable = true;
  networking.useNetworkd = true;
  systemd.network.networks."10-lan" = {
    matchConfig.Name = "enp0s31f6";
    address = [
        "192.168.51.3/24"
    ];
    routes = [
      { Gateway = "192.168.51.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
  };

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  system.stateVersion = "24.11";
}
feat!: init tanzanite host! 2024-12-21 19:17:11 -08:00			`{ config, lib, pkgs, modulesPath, ... }:`
			`let`

			`in {`
			`imports = [ ../default.nix ];`

			`stitchyconf = {`
			`form = "server";`
			`};`

			`networking.hostName = "tanzanite";`
			`time.timeZone = "America/Los_Angeles";`
feat(tanzanite): use old docker data dir 2024-12-21 19:18:09 -08:00
			`virtualisation.docker = {`
			`enable = true;`
			`daemon.settings = {`
fix(tanzanite): use correct docker dir 2024-12-21 22:24:12 -08:00			`data-root = "/opt/data/docker-data";`
feat(tanzanite): use old docker data dir 2024-12-21 19:18:09 -08:00			`};`
			`};`
feat(tanzanite): nginx configuration for website 2024-12-21 19:19:45 -08:00
feat(tanzanite): acme cert configuration 2024-12-21 19:18:43 -08:00			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "stitchy@stitchy.moe";`
			`defaults.dnsProvider = "porkbun";`
			`defaults.environmentFile = "/persist/acme/porkbun.tokens";`
			`certs = {`
feat(tanzanite): open coturn ports This opening the ports required for my coturn docker container. In the near future, I would like to use agenix and do a fully nix-based coturn configuration. It doesn't have any persistant data, so it should be a good candidate to moving to a 100% nix based config. 2024-12-22 22:20:31 -08:00			`"turn.stitchy.moe" = {};`
feat(tanzanite): acme cert configuration 2024-12-21 19:18:43 -08:00			`};`
			`};`

feat(tanzanite): nginx configuration for website 2024-12-21 19:19:45 -08:00			`services.nginx = {`
			`enable = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
fix(tanzanite): proper upload size 2025-02-04 11:24:14 -08:00			`clientMaxBodySize = "100m";`
feat(tanzanite): nginx configuration for website 2024-12-21 19:19:45 -08:00			`virtualHosts = {`
			`"stitchy.moe" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`root = "/opt/www/stitchy.moe/public";`
fix(tanzanite): configure custom 404 page 2024-12-22 02:50:33 -08:00			`extraConfig = ''`
fix(tanzanite): matrix not being able to sign in 2024-12-22 20:53:39 -08:00			`add_header 'Access-Control-Allow-Origin' '*' always;`
fix(tanzanite): configure custom 404 page 2024-12-22 02:50:33 -08:00			`error_page 404 /404.html;`
			`location = /404.html {`
			`internal;`
			`}`
feat(tanzanite): add shaders location to website 2025-01-09 19:05:13 -08:00			`location ^~/shaders/ {`
			`alias /opt/www/shader-web-test/;`
			`}`
feat(tanzanite): add files location to website 2025-01-09 19:05:00 -08:00			`location ^~/files/ {`
			`alias /opt/www/files/;`
			`}`
chore(tanzanite): isos 2025-10-11 01:53:49 -07:00			`location ^~/linux_isos/ {`
			`alias /opt/docker-containers/torrenting/data/torrents/;`
			`}`
fix(tanzanite): configure custom 404 page 2024-12-22 02:50:33 -08:00			`'';`
feat(tanzanite): nginx configuration for website 2024-12-21 19:19:45 -08:00			`};`
feat(tanzanite): nginx configuration for forgio 2024-12-21 19:20:17 -08:00			`"gay.stitchy.moe" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:3333";`
			`};`
			`};`
feat(tanzanite): nginx config for matrix 2024-12-21 22:24:51 -08:00			`"matrix.stitchy.moe" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:9008";`
			`};`
security(nginx): disable /metrics from dendrite 2025-08-02 22:57:10 -07:00			`locations."/metrics" = {`
			`return = "404";`
			`};`
feat(tanzanite): nginx config for matrix 2024-12-21 22:24:51 -08:00			`};`
feat(tanzanite): immich Added immich as a service that I host. We shall see if it stays 2025-10-10 00:45:39 -07:00			`"pics.stitchy.moe" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://[::1]:${toString config.services.immich.port}";`
			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
			`};`
fix(tanzanite): forgotten bracket that was a hard one ngl 2025-10-11 05:23:27 -07:00			`};`
feat(tanzanite): init grafana and prometheus 2025-08-02 22:57:57 -07:00			`"grafana.stitchy.moe" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:3000";`
			`};`
			`extraConfig = ''`
			`allow 10.100.0.0/24;`
			`allow 192.168.51.2;`
			`allow 192.168.51.1;`
			`deny all;`
			`'';`
			`};`
			`};`
			`};`

			`services = {`
			`grafana = {`
			`enable = true;`
fix(tanzanite): disable grafana analytics 2025-08-02 23:38:05 -07:00			`settings = {`
			`analytics = {`
			`feedback_links_enabled = false;`
			`reporting_enabled = false;`
			`};`
			`};`
feat(tanzanite): init grafana and prometheus 2025-08-02 22:57:57 -07:00			`};`
feat(tanzanite): immich Added immich as a service that I host. We shall see if it stays 2025-10-10 00:45:39 -07:00			`immich = {`
			`enable = true;`
			`port = 2283;`
			`mediaLocation = "/opt/services/immich";`
			`};`
chore: migrate postgresql directory to redundant drives 2025-10-10 00:44:40 -07:00			`postgresql = {`
			`dataDir = "/opt/services/postgresql/${config.services.postgresql.package.psqlSchema}";`
			`};`
feat(tanzanite): init grafana and prometheus 2025-08-02 22:57:57 -07:00			`prometheus = {`
			`enable = true;`
			`exporters = {`
			`node = {`
			`enable = true;`
			`};`
feat(grafana): add unifi polling via unpoller 2025-10-10 00:46:16 -07:00			`unpoller = {`
			`enable = true;`
			`controllers = [{`
			`user = "flyingstitchman";`
			`pass = "/persist/unifi-pass.txt";`
			`verify_ssl = false;`
			`url = "https://localhost:7443";`
			`save_dpi = true;`
			`}];`
			`};`
feat(tanzanite): init grafana and prometheus 2025-08-02 22:57:57 -07:00			`};`
			`globalConfig.scrape_interval = "10s";`
			`scrapeConfigs = [{`
			`job_name = "node";`
			`static_configs = [{`
			`targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}"];`
			`}];`
			`}`
			`{`
			`job_name = "dendrite";`
			`static_configs = [{`
			`targets = [ "localhost:9008"];`
			`}];`
			`}`
feat(grafana): add unifi polling via unpoller 2025-10-10 00:46:16 -07:00			`{`
			`job_name = "unpoller";`
			`static_configs = [{`
			`targets = [ "localhost:9130"];`
			`}];`
			`}`
feat(tanzanite): init grafana and prometheus 2025-08-02 22:57:57 -07:00			`];`
feat(tanzanite): acme cert configuration 2024-12-21 19:18:43 -08:00			`};`
feat(grafana): add unifi polling via unpoller 2025-10-10 00:46:16 -07:00			`unpoller = {`
			`};`
feat(tanzanite): nginx configuration for website 2024-12-21 19:19:45 -08:00			`};`

feat!: init tanzanite host! 2024-12-21 19:17:11 -08:00			`networking.firewall = {`
feat(tanzanite): open coturn ports This opening the ports required for my coturn docker container. In the near future, I would like to use agenix and do a fully nix-based coturn configuration. It doesn't have any persistant data, so it should be a good candidate to moving to a 100% nix based config. 2024-12-22 22:20:31 -08:00			`allowedTCPPorts = [ 22 80 222 443 3478 5349 ];`
			`allowedUDPPorts = [ 3478 5349 ];`
			`allowedUDPPortRanges = [`
			`{ from = 19000; to = 20000; }`
			`];`
feat(tanzanite): nginx configuration for website 2024-12-21 19:19:45 -08:00			`};`
feat!: init tanzanite host! 2024-12-21 19:17:11 -08:00
feat(tanzanite): nginx config for matrix 2024-12-21 22:24:51 -08:00			`# Boot Config`
feat!: init tanzanite host! 2024-12-21 19:17:11 -08:00			`boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];`
			`boot.initrd.kernelModules = [ ];`
			`boot.kernelModules = [ "kvm-intel" ];`
			`boot.extraModulePackages = [ ];`

feat(tanzanite): redundant storage configuration 2024-12-21 19:17:45 -08:00			`# Redundant Storage`
			`fileSystems."/opt/data" = {`
			`device = "/dev/disk/by-uuid/0acaee69-07df-45f3-a2f4-65e2f3fda529";`
			`fsType = "btrfs";`
			`options = [ "subvol=@data" "compress=zstd" ];`
feat!: init tanzanite host! 2024-12-21 19:17:11 -08:00			`};`

feat(tanzanite): redundant storage configuration 2024-12-21 19:17:45 -08:00			`fileSystems."/opt/docker-containers" = {`
			`device = "/dev/disk/by-uuid/0acaee69-07df-45f3-a2f4-65e2f3fda529";`
			`fsType = "btrfs";`
			`options = [ "subvol=@docker-containers" "compress=zstd" ];`
feat!: init tanzanite host! 2024-12-21 19:17:11 -08:00			`};`
feat(tanzanite): redundant storage configuration 2024-12-21 19:17:45 -08:00
feat(tanzanite): services hosted on redundant hdds 2025-10-11 01:54:15 -07:00			`fileSystems."/opt/services" = {`
			`device = "/dev/disk/by-uuid/0acaee69-07df-45f3-a2f4-65e2f3fda529";`
			`fsType = "btrfs";`
			`options = [ "subvol=@services" "compress=zstd" ];`
			`};`

feat(tanzanite): redundant storage configuration 2024-12-21 19:17:45 -08:00			`fileSystems."/opt/www" = {`
			`device = "/dev/disk/by-uuid/0acaee69-07df-45f3-a2f4-65e2f3fda529";`
			`fsType = "btrfs";`
			`options = [ "subvol=@www" "compress=zstd" ];`
			`};`

feat!: init tanzanite host! 2024-12-21 19:17:11 -08:00			`# Non-Redundant Storage`
			`fileSystems."/" =`
			`{ device = "/dev/disk/by-uuid/ac31f656-1882-415e-bbb7-b4d24c0af01c";`
			`fsType = "btrfs";`
			`options = [ "subvol=@nix-root" "compress=zstd"];`
			`};`

			`fileSystems."/home" =`
			`{ device = "/dev/disk/by-uuid/ac31f656-1882-415e-bbb7-b4d24c0af01c";`
			`fsType = "btrfs";`
			`options = [ "subvol=@nix-home" "compress=zstd"];`
			`};`

			`fileSystems."/nix/store" =`
			`{ device = "/dev/disk/by-uuid/ac31f656-1882-415e-bbb7-b4d24c0af01c";`
			`fsType = "btrfs";`
			`options = [ "subvol=@nix" "noatime" "compress=zstd"];`
			`};`

			`fileSystems."/persist" =`
			`{ device = "/dev/disk/by-uuid/ac31f656-1882-415e-bbb7-b4d24c0af01c";`
			`fsType = "btrfs";`
			`options = [ "subvol=@persist" "compress=zstd"];`
			`};`

			`fileSystems."/boot" =`
			`{ device = "/dev/disk/by-uuid/262D-F161";`
			`fsType = "vfat";`
			`options = [ "fmask=0077" "dmask=0077" ];`
			`};`

			`swapDevices =`
			`[ { device = "/dev/disk/by-uuid/5c007a16-9f0f-42d0-8761-63bea3120f6d"; }`
			`];`

			`# Static Networking`
			`systemd.network.enable = true;`
			`networking.useNetworkd = true;`
			`systemd.network.networks."10-lan" = {`
			`matchConfig.Name = "enp0s31f6";`
			`address = [`
			`"192.168.51.3/24"`
			`];`
			`routes = [`
			`{ Gateway = "192.168.51.1"; }`
			`];`
			`linkConfig.RequiredForOnline = "routable";`
			`};`

			`nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";`
			`hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`
			`system.stateVersion = "24.11";`
			`}`