authorspl3g <spleefer6@yandex.ru>2025-10-27 23:49:28 +0300
committerspl3g <spleefer6@yandex.ru>2025-10-27 23:50:34 +0300
commit0ae0f7489fb94bc122c3634107872c9b9437eda3 (patch)
tree50f53fbc8d4bb8af54cc8aaf1e52a647c43a33a7 /nixos
parent9e4302359f6ca93174339f46fdccfa85edcb3607 (diff)
feat: move servers to nixos-stable
Diffstat (limited to 'nixos')
-rw-r--r--nixos/server/configuration.nix84
-rw-r--r--nixos/tw/configuration.nix76
2 files changed, 108 insertions, 52 deletions
diff --git a/nixos/server/configuration.nix b/nixos/server/configuration.nix
index 4fdb3ec..3ae272c 100644
--- a/nixos/server/configuration.nix
+++ b/nixos/server/configuration.nix
@@ -3,6 +3,8 @@
lib,
pkgs,
config,
+ inputs,
+ outputs,
...
}: let
domain = "kcu.su";
@@ -10,18 +12,23 @@ in {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/qemu-guest.nix")
+ "${inputs.nixpkgs}/nixos/modules/services/web-apps/filebrowser.nix"
./disk-config.nix
../serverModules/nginx.nix
- ../serverModules/files.nix
- ../serverModules/gonic.nix
+ ../serverModules/directories.nix
];
- nixpkgs.config.allowUnfree = true;
-
+ nixpkgs = {
+ overlays = [
+ outputs.overlays.unstable-packages
+ ];
+ config.allowUnfree = true;
+ };
+
sops = {
defaultSopsFile = ../../secrets/ltrr-home/secrets.yaml;
defaultSopsFormat = "yaml";
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
boot.loader.grub = {
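Review bot: The `"${inputs.nixpkgs}/nixos/modules/services/web-apps/filebrowser.nix"` import takes the module from `inputs.nixpkgs`, but nothing pins `services.filebrowser.package`, so the service will be built from whatever `pkgs.filebrowser` the stable channel this commit moves to provides, and the module's options and the binary can drift apart; if the module exposes a `package` option (the `settings.port` reference further down suggests the current module shape), `services.filebrowser.package = pkgs.unstable.filebrowser;` keeps them in step, as this commit already does for navidrome and headscale. Unlike the headscale import in `nixos/tw`, there is no matching `disabledModules` entry here, which only works as long as the stable release has no filebrowser module of its own; a comment such as `# not in nixos-stable yet; add to disabledModules once it is` would save the next channel bump from a duplicate-declaration error. The `nixpkgs` and `sops` attrsets are complete within the hunk.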
@@ -29,7 +36,10 @@ in {
efiInstallAsRemovable = true;
};
- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
environment.systemPackages = with pkgs; [
curl
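Review bot: `settings.PasswordAuthentication = false` alone still leaves PAM keyboard-interactive password prompts reachable, because NixOS leaves `KbdInteractiveAuthentication` enabled by default; add `settings.KbdInteractiveAuthentication = false;` beside it so the only way in is the key listed under `authorizedKeys`. Since this host is administered as root over SSH, pinning `settings.PermitRootLogin = "prohibit-password";` explicitly (the NixOS default, but easy to lose on a future refactor) documents the intent. The `services.openssh` block is complete within the hunk; the `environment.systemPackages` list continues past its end.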
@@ -39,28 +49,31 @@ in {
users.users = {
root = {
- openssh.authorizedKeys.keys =
- [
- # change this to your ssh key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
- ];
- hashedPassword = "$y$j9T$v3n61T5.hOGZUgzeHKOp41$qli1X0.ewVopbLcMrqUX/rKggtvsYAKz2VwsSE/7pAA";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
+ ];
};
};
- filesDir = {
- enable = true;
- subPaths = [
- {
- path = "music";
- group = "music";
- }
- {
- path = "images";
- group = "images";
- }
+ users.files = {
+ isNormalUser = true;
+ group = "files";
+ extraGroups = [
+ "music"
+ "images"
];
};
+ createPaths = {
+ "/srv/files" = {
+ owner = "files";
+ permissions = "0770";
+ group = "files";
+ subPaths = {
+ "music".group = "music";
+ "images".group = "images";
+ };
+ };
+ };
networking.hostName = "ltrr-home";
networking.firewall = {
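Review bot: The new `files` account is declared with `isNormalUser = true`, which gives it a home directory and a login shell, although from this hunk its only role is to own `/srv/files`; `isSystemUser = true;` (the `group = "files"` it already sets satisfies that option's requirement) keeps it a non-login service account, and a one-line `# owner of /srv/files; never logs in` states why. The primary group `files` and the `music`/`images` groups referenced by `extraGroups` and by the `subPaths` entries are not declared in this hunk — NixOS asserts that a user's `group` exists, so presumably `../serverModules/directories.nix` or `createPaths` declares them; confirm, since a missing `users.groups.files` fails evaluation. The `users.users` attrset starts before the hunk.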
@@ -99,6 +112,7 @@ in {
"navidrome".proxyPass = "http://127.0.0.1:4533";
"files".proxyPass = "http://127.0.0.1:${toString config.services.filebrowser.settings.port}";
"track".proxyPass = "http://127.0.0.1:7093";
+ "tube".proxyPass = "http://127.0.0.1:5410";
};
};
@@ -160,6 +174,7 @@ in {
users.users.navidrome.extraGroups = ["files" "music"];
services.navidrome = {
enable = true;
+ package = pkgs.unstable.navidrome;
settings = {
BaseUrl = "https://navidrome.${domain}";
MusicFolder = "/srv/files/music";
@@ -170,6 +185,29 @@ in {
environmentFile = config.sops.secrets.navidrome-env.path;
};
+ sops.secrets.xray-config = {
+ restartUnits = ["xray.service"];
+ };
+ services.xray = {
+ enable = true;
+ settingsFile = config.sops.secrets.xray-config.path;
+ };
+
+ services.invidious = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 5410;
+ domain = "tube.${domain}";
+ settings = {
+ http_proxy = {
+ host = "127.0.0.1";
+ port = 10801;
+ user = "";
+ password = "";
+ };
+ };
+ };
+
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
aonsoku = {
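Review bot: `services.xray.settingsFile` points at a sops-nix secret, which is root-owned and mode 0400 unless `owner`/`group`/`mode` are set, so if the xray unit runs as an unprivileged or dynamic user (as the nixpkgs module does, as far as I recall) it will fail to open its config at start — confirm, and if so give `sops.secrets.xray-config` an `owner` the service can read or pass the file through systemd `LoadCredential`. The Invidious `http_proxy` port `10801` is a hard-coded reference to an inbound that lives inside that encrypted config and cannot be checked at evaluation time; a comment such as `# must match the http/socks inbound in the xray-config secret` prevents silent drift. Because Invidious listens on plain HTTP and is reached through the nginx proxy at `tube.${domain}`, consider `settings.https_only = true;` and `settings.external_port = 443;` so the URLs it generates use the public scheme and port (worth verifying against the module's defaults). The `virtualisation.oci-containers.containers` attrset runs past the end of the hunk.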
diff --git a/nixos/tw/configuration.nix b/nixos/tw/configuration.nix
index f851d12..4078ba1 100644
--- a/nixos/tw/configuration.nix
+++ b/nixos/tw/configuration.nix
@@ -1,17 +1,34 @@
-{ modulesPath, config, lib, pkgs, ... }: {
+{
+ modulesPath,
+ config,
+ lib,
+ pkgs,
+ outputs,
+ inputs,
+ ...
+}: let
+ domain = "kcu.su";
+in {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/qemu-guest.nix")
+ "${inputs.nixpkgs}/nixos/modules/services/networking/headscale.nix" # replacing the options with ones for a newer version
./disk-config.nix
../serverModules/nginx.nix
];
+ disabledModules = ["services/networking/headscale.nix"];
+
+ nixpkgs.overlays = [
+ outputs.overlays.unstable-packages
+ ];
+
sops = {
defaultSopsFile = ../../secrets/ltrr-tw/secrets.yaml;
defaultSopsFormat = "yaml";
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
-
+
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
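Review bot: The headscale module is now imported from `inputs.nixpkgs` while the binary comes from `outputs.overlays.unstable-packages`, so options and package only agree as long as that overlay is built from the same `inputs.nixpkgs`; that dependency is implicit, so extend the existing comment on the import line, e.g. `# replacing the options with ones for a newer version; must be the same nixpkgs the unstable-packages overlay uses`. The `disabledModules` path must match the stable tree's module list verbatim, otherwise both modules load and evaluation fails on duplicate option declarations, so keep the two strings side by side as they are. Outside this hunk but worth doing in the same move: this host's `services.openssh` block (unchanged, further down) does not get the `PasswordAuthentication = false` the home server gains in this commit, and it is the host with a public address.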
@@ -19,10 +36,12 @@
networking = {
interfaces.ens3 = {
- ipv4.addresses = [{
- address = "77.232.139.132";
- prefixLength = 24;
- }];
+ ipv4.addresses = [
+ {
+ address = "77.232.139.132";
+ prefixLength = 24;
+ }
+ ];
};
defaultGateway = {
address = "77.232.139.1";
@@ -30,7 +49,7 @@
};
};
- networking.nameservers = [ "8.8.8.8" "1.1.1.1" ];
+ networking.nameservers = ["8.8.8.8" "1.1.1.1"];
networking.useDHCP = lib.mkDefault false;
@@ -39,7 +58,7 @@
services.openssh = {
enable = true;
};
-
+
environment.systemPackages = map lib.lowPrio [
pkgs.curl
pkgs.gitMinimal
@@ -63,22 +82,22 @@
networking.nat = {
enable = true;
externalInterface = "ens3";
- internalInterfaces = [ "wg0" ];
+ internalInterfaces = ["wg0"];
};
- sops.secrets.wg_private_key = {};
+ sops.secrets.wg-private-key = {};
networking.wg-quick = {
interfaces.wg0 = {
- address = [ "10.1.1.1/32" ];
+ address = ["10.1.1.1/32"];
listenPort = 51820;
- privateKeyFile = config.sops.secrets.wg_private_key.path;
+ privateKeyFile = config.sops.secrets.wg-private-key.path;
preUp = "sysctl -w net.ipv4.ip_forward=1";
peers = [
{
- allowedIPs = [ "10.1.1.2/32" ];
+ allowedIPs = ["10.1.1.2/32"];
publicKey = "kzXzxJu1AdcRI5UwtGOrN6WuTZYqJo++PYRrXdOu/lY=";
persistentKeepalive = 25;
}
@@ -86,9 +105,9 @@
};
};
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- networking.firewall.allowedUDPPorts = [ 51820 ];
-
+ networking.firewall.allowedTCPPorts = [80 443];
+ networking.firewall.allowedUDPPorts = [51820];
+
security.acme = {
acceptTerms = true;
defaults.email = "notspl3g+acme@duck.com";
@@ -98,7 +117,7 @@
enable = true;
acme.enable = true;
- domain = "kcu.su";
+ inherit domain;
subdomains = {
"headscale" = {
proxyPass = "http://127.0.0.1:8768";
@@ -115,24 +134,23 @@
};
};
- home =
- let
- homeConfig = import ../server/configuration.nix { inherit modulesPath config lib pkgs; };
- in {
- subdomains = homeConfig.nginx.subdomains;
- url = "http://10.1.1.2";
- };
+ home = let
+ homeConfig = import ../server/configuration.nix {inherit modulesPath config lib pkgs;};
+ in {
+ subdomains = homeConfig.nginx.subdomains;
+ url = "http://10.1.1.2";
+ };
};
-
services.headscale = {
enable = true;
+ package = pkgs.unstable.headscale;
port = 8768;
settings = {
- server_url = "https://headscale.kcu.su:443";
+ server_url = "https://headscale.${domain}:443";
dns = {
- base_domain = "tailnet.kcu.su";
- nameservers.global = [ "8.8.8.8" ];
+ base_domain = "tailnet.${domain}";
+ nameservers.global = ["8.8.8.8"];
};
};
};
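Review bot: `homeConfig = import ../server/configuration.nix {inherit modulesPath config lib pkgs;}` no longer evaluates: this commit adds `inputs` and `outputs` as required arguments of the server module, and Nix rejects a call to a set-pattern function that omits a required argument even when the pattern ends in `...`, so forcing `home.subdomains` for nginx fails. Both names are in scope in this file, so `homeConfig = import ../server/configuration.nix {inherit modulesPath config lib pkgs inputs outputs;};` fixes it. Note also that the `config` passed in is this host's config, not the home server's, so any subdomain whose `proxyPass` reads `config.services.*` of the other host (the filebrowser port does) resolves against the wrong system if it is ever forced; exporting the subdomain list as a plain value would avoid re-evaluating the other host's module here. The `nginx` attrset begins before the hunk.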