moved nixos to a dir

nixos/common/default.nix

@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    # User account definitions
+    ./users
+    ./services
+  ];
+
+  # Clean /tmp on boot.
+  boot.cleanTmpDir = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  # Nix Settings
+  nix = {
+    package = pkgs.nixUnstable;
+    autoOptimiseStore = true;
+    binaryCaches =
+      [ "https://cachix.cachix.org" "https://nix-community.cachix.org" "https://nixpkgs-review-bot.cachix.org" ];
+    binaryCachePublicKeys = [
+      "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
+    ];
+    trustedUsers = [ "root" "victor" ];
+    extraOptions = ''
+      experimental-features = nix-command flakes ca-references
+    '';
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  # Limit the systemd journal to 100 MB of disk or the
+  # last 7 days of logs, whichever happens first.
+  services.journald.extraConfig = ''
+    SystemMaxUse=100M
+    MaxFileSec=7day
+  '';
+}

nixos/common/generic-lxc.nix

@@ -0,0 +1,9 @@
+{ ... }: {
+  # See also: https://blog.xirion.net/posts/nixos-proxmox-lxc/
+
+  # Supress systemd services that don't work (correctly) on LXC
+  systemd.suppressedSystemUnits = [ "dev-mqueue.mount" "sys-kernel-debug.mount" "sys-fs-fuse-connections.mount" ];
+
+  # Enable SSH daemon support.
+  services.openssh.enable = true;
+}

nixos/common/generic-vm.nix

@@ -0,0 +1,14 @@
+{ lib, ... }: {
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.openssh.permitRootLogin = lib.mkDefault "yes";
+
+  # Enable qemu guest agent
+  services.qemuGuest.enable = true;
+}

nixos/common/services/default.nix

@@ -0,0 +1 @@
+{ config, lib, pkgs, ... }: { imports = [ ./flood.nix ./unpackerr.nix ./vmagent.nix ]; }

nixos/common/services/flood.nix

@@ -0,0 +1,152 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let cfg = config.services.flood;
+in {
+  options.services.flood = {
+    enable = mkEnableOption "flood";
+
+    user = mkOption {
+      default = "flood";
+      type = types.str;
+      description = ''
+        User account under which flood runs.
+      '';
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "rtorrent";
+      description = ''
+        Group under which flood runs.
+        Flood needs to have the correct permissions if accessing rtorrent through the socket.
+      '';
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.flood;
+      defaultText = "pkgs.flood";
+      description = ''
+        The flood package to use.
+      '';
+    };
+
+    host = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = ''
+        Address flood binds to.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 3000;
+      description = ''
+        The flood web port.
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open the firewall for the port in <option>services.flood.port</option>.
+      '';
+    };
+
+    rpcSocket = mkOption {
+      type = types.str;
+      readOnly = true;
+      default = "/run/rtorrent/rpc.sock";
+      description = ''
+        RPC socket path.
+        (Only used when auth=none).
+      '';
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/flood";
+      description = ''
+        The directory where flood stores its data files.
+      '';
+    };
+
+    downloadDir = mkOption {
+      type = types.str;
+      default = "/var/lib/rtorrent/download";
+      description = ''
+        Root directory for downloaded files.
+      '';
+    };
+
+    authMode = mkOption {
+      type = types.str;
+      default = "none";
+      description = ''
+        Access control and user management method.
+        Either 'default' or 'none'.
+      '';
+    };
+
+    ssl = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable SSL. 
+        key.pem and fullchain.pem needed in runtime directory.
+      '';
+    };
+
+    baseURI = mkOption {
+      type = types.str;
+      default = "/";
+      description = ''
+        This URI will prefix all of Flood's HTTP requests
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Create group if set to default
+    users.groups = mkIf (cfg.group == "rtorrent") { rtorrent = { }; };
+
+    # Create user if set to default
+    users.users = mkIf (cfg.user == "flood") {
+      flood = {
+        group = cfg.group;
+        shell = pkgs.bashInteractive;
+        home = cfg.dataDir;
+        description = "flood Daemon user";
+        isSystemUser = true;
+      };
+    };
+
+    # Open firewall if option is set to do so.
+    networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall) [ cfg.port ];
+
+    # The actual service
+    systemd.services.flood = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "flood system service";
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Type = "simple";
+        Restart = "on-failure";
+        WorkingDirectory = cfg.dataDir;
+        ExecStart =
+          "${cfg.package}/bin/flood --baseuri ${cfg.baseURI} --rundir ${cfg.dataDir} --host ${cfg.host} --port ${
+            toString cfg.port
+          } ${
+            if cfg.ssl then "--ssl" else ""
+          } --auth ${cfg.authMode}  --rtsocket ${cfg.rpcSocket} --allowedpath ${cfg.downloadDir}";
+      };
+    };
+
+    # This is needed to create the dataDir with the correct permissions.
+    systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0755 ${cfg.user} ${cfg.group} -" ];
+  };
+}

nixos/common/services/unpackerr.nix

@@ -0,0 +1,314 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.services.unpackerr;
+  mkStarrOptions = { name, url }: {
+    url = mkOption {
+      type = types.str;
+      default = "";
+      example = "${url}";
+      description = ''
+        The URL to access ${name}
+      '';
+    };
+    apiKey = mkOption {
+      type = types.str;
+      default = "";
+      description = ''
+        The API key for accessing ${name}
+      '';
+    };
+    paths = mkOption {
+      type = types.str;
+      default = "";
+      example = "/downloads,/moreDownloads";
+      description = ''
+        List of paths where content is downloaded for ${name}
+      '';
+    };
+    protocols = mkOption {
+      type = types.str;
+      default = "torrent";
+      example = "torrent,usenet";
+      description = ''
+        Protocols to process
+      '';
+    };
+    timeout = mkOption {
+      type = types.str;
+      default = "10s";
+      description = ''
+        How long to wait for ${name} to respond
+      '';
+    };
+    deleteOrginal = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Delete archives after import? 
+        Recommend not setting this to true
+      '';
+    };
+    deleteDelay = mkOption {
+      type = types.str;
+      default = "5m";
+      description = ''
+        Extracts are deleted this long after import. `-1` to disable.
+      '';
+    };
+  };
+in {
+  options.services.unpackerr = {
+    enable = mkEnableOption "unpackerr";
+
+    user = mkOption {
+      default = "unpackerr";
+      type = types.str;
+      description = ''
+        User account under which unpackerr runs.
+      '';
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "unpackerr";
+      description = ''
+        Group under which unpackerr runs.
+      '';
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.unpackerr;
+      defaultText = "pkgs.unpackerr";
+      description = ''
+        The unpackerr package to use.
+      '';
+    };
+
+    debug = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Turns on more logs.
+      '';
+    };
+
+    interval = mkOption {
+      type = types.str;
+      default = "2m";
+      description = ''
+        How often apps are polled, recommended 1m to 5m
+      '';
+    };
+
+    startDelay = mkOption {
+      type = types.str;
+      default = "1m";
+      description = ''
+        Files are queued at least this long before extraction
+      '';
+    };
+
+    retryDelay = mkOption {
+      type = types.str;
+      default = "5m";
+      description = ''
+        Failed extractions are retried after at least this long
+      '';
+    };
+
+    maxRetries = mkOption {
+      type = types.int;
+      default = 3;
+      description = ''
+        Times to retry failed extractions. `0` = unlimited.
+      '';
+    };
+
+    parallel = mkOption {
+      type = types.int;
+      default = 1;
+      description = ''
+        Concurrent extractions, 1 is recommended.
+      '';
+    };
+
+    fileMode = mkOption {
+      type = types.str;
+      default = "0644";
+      description = ''
+        Extracted files are written with this mode
+      '';
+    };
+
+    dirMode = mkOption {
+      type = types.str;
+      default = "0755";
+      description = ''
+        Extracted folders are written with this mode
+      '';
+    };
+
+    sonarr = mkStarrOptions {
+      name = "Sonarr";
+      url = "http://localhost:8989";
+    };
+
+    radarr = mkStarrOptions {
+      name = "Radarr";
+      url = "http://localhost:7878";
+    };
+
+    lidarr = mkStarrOptions {
+      name = "Lidarr";
+      url = "http://localhost:8686";
+    };
+
+    readarr = mkStarrOptions {
+      name = "Readarr";
+      url = "http://localhost:8787";
+    };
+
+    folder = {
+      path = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          folder path, not for Starr apps.
+        '';
+      };
+      extractPath = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          Where to extract to, Defaults to <option>services.unpackerr.folder.path</option>.
+        '';
+      };
+      deleteAfter = mkOption {
+        type = types.str;
+        default = "";
+        example = "10m";
+        description = ''
+          Delete extracted files and/or archives after this duration, `0` to disable.
+        '';
+      };
+      deleteOrginal = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Delete archives after extraction
+        '';
+      };
+      deleteFiles = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Delete extracted files after successful extraction
+        '';
+      };
+      moveBack = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Move extracted items back into original folder
+        '';
+      };
+    };
+
+    extraConfig = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        Extra environment variables
+      '';
+      example = { UN_WEBHOOK_0_URL = "http://example.com"; };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Create group if set to default
+    users.groups = mkIf (cfg.group == "unpackerr") { unpackerr = { }; };
+
+    # Create user if set to default
+    users.users = mkIf (cfg.user == "unpackerr") {
+      unpackerr = {
+        group = cfg.group;
+        shell = pkgs.bashInteractive;
+        createHome = false;
+        description = "unpackerr Daemon user";
+        isSystemUser = true;
+      };
+    };
+
+    # The actual service
+    systemd.services.unpackerr = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "unpackerr system service";
+      # Filter out all unset variables else unpackerr complains
+      environment = filterAttrs (n: v: stringLength v > 0) {
+        # General options
+        UN_DEBUG = "${toString cfg.debug}";
+        UN_INTERVAL = "${cfg.interval}";
+        UN_START_DELAY = "${cfg.startDelay}";
+        UN_RETRY_DELAY = "${cfg.retryDelay}";
+        UN_MAX_RETRIES = "${toString cfg.maxRetries}";
+        UN_PARALLEL = "${toString cfg.parallel}";
+        UN_FILE_MODE = "${cfg.fileMode}";
+        UN_DIR_MODE = "${cfg.dirMode}";
+
+        # Sonarr
+        UN_SONARR_0_URL = "${cfg.sonarr.url}";
+        UN_SONARR_0_API_KEY = "${cfg.sonarr.apiKey}";
+        UN_SONARR_0_PATHS_0 = "${cfg.sonarr.paths}";
+        UN_SONARR_0_PROTOCOLS = "${cfg.sonarr.protocols}";
+        UN_SONARR_0_TIMEOUT = "${cfg.sonarr.timeout}";
+        UN_SONARR_0_DELETE_ORIG = "${toString cfg.sonarr.deleteOrginal}";
+        UN_SONARR_0_DELETE_DELAY = "${cfg.sonarr.deleteDelay}";
+
+        # Radarr
+        UN_RADARR_0_URL = "${cfg.radarr.url}";
+        UN_RADARR_0_API_KEY = "${cfg.radarr.apiKey}";
+        UN_RADARR_0_PATHS_0 = "${cfg.radarr.paths}";
+        UN_RADARR_0_PROTOCOLS = "${cfg.radarr.protocols}";
+        UN_RADARR_0_TIMEOUT = "${cfg.radarr.timeout}";
+        UN_RADARR_0_DELETE_ORIG = "${toString cfg.radarr.deleteOrginal}";
+        UN_RADARR_0_DELETE_DELAY = "${cfg.radarr.deleteDelay}";
+
+        # Lidarr
+        UN_LIDARR_0_URL = "${cfg.lidarr.url}";
+        UN_LIDARR_0_API_KEY = "${cfg.lidarr.apiKey}";
+        UN_LIDARR_0_PATHS_0 = "${cfg.lidarr.paths}";
+        UN_LIDARR_0_PROTOCOLS = "${cfg.lidarr.protocols}";
+        UN_LIDARR_0_TIMEOUT = "${cfg.lidarr.timeout}";
+        UN_LIDARR_0_DELETE_ORIG = "${toString cfg.lidarr.deleteOrginal}";
+        UN_LIDARR_0_DELETE_DELAY = "${cfg.lidarr.deleteDelay}";
+
+        # Readarr
+        UN_READARR_0_URL = "${cfg.readarr.url}";
+        UN_READARR_0_API_KEY = "${cfg.readarr.apiKey}";
+        UN_READARR_0_PATHS_0 = "${cfg.readarr.paths}";
+        UN_READARR_0_PROTOCOLS = "${cfg.readarr.protocols}";
+        UN_READARR_0_TIMEOUT = "${cfg.readarr.timeout}";
+        UN_READARR_0_DELETE_ORIG = "${toString cfg.readarr.deleteOrginal}";
+        UN_READARR_0_DELETE_DELAY = "${cfg.readarr.deleteDelay}";
+
+        # Folder
+        UN_FOLDER_0_PATH = "${cfg.folder.path}";
+        UN_FOLDER_0_EXTRACT_PATH = "${cfg.folder.extractPath}";
+        UN_FOLDER_0_DELETE_AFTER = "${cfg.folder.deleteAfter}";
+        UN_FOLDER_0_DELETE_ORIGINAL = "${toString cfg.folder.deleteOrginal}";
+        UN_FOLDER_0_DELETE_FILES = "${toString cfg.folder.deleteFiles}";
+        UN_FOLDER_0_MOVE_BACK = "${toString cfg.folder.moveBack}";
+      } // cfg.extraConfig;
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Type = "simple";
+        Restart = "on-failure";
+        ExecStart = "${cfg.package}/bin/unpackerr";
+      };
+    };
+  };
+}

nixos/common/services/vmagent.nix

@@ -0,0 +1,111 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let cfg = config.services.vmagent;
+in {
+  options.services.vmagent = {
+    enable = mkEnableOption "vmagent";
+
+    user = mkOption {
+      default = "vmagent";
+      type = types.str;
+      description = ''
+        User account under which vmagent runs.
+      '';
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "vmagent";
+      description = ''
+        Group under which vmagent runs.
+      '';
+    };
+
+    package = mkOption {
+      default = pkgs.v.vmagent;
+      defaultText = "pkgs.v.vmagent";
+      type = types.package;
+      description = ''
+        vmagent package to use. 
+      '';
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/vmagent";
+      description = ''
+        The directory where vmagent stores its data files.
+      '';
+    };
+
+    remoteWriteUrl = mkOption {
+      default = "http://localhost:8428/api/v1/write";
+      type = types.str;
+      description = ''
+        The remote storage endpoint such as VictoriaMetrics 
+      '';
+    };
+
+    prometheusConfig = mkOption {
+      default = "";
+      type = types.str;
+      example = ''
+        global:
+          scrape_interval: 5s
+        scrape_configs:
+          - job_name: 'apache'
+            static_configs:
+            - targets: ['apache-exporter:9117']
+      '';
+      description = ''
+        Config for prometheus style metrics
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open the firewall for the default ports.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Create group if set to default
+    users.groups = mkIf (cfg.group == "vmagent") { vmagent = { }; };
+
+    # Create user if set to default
+    users.users = mkIf (cfg.user == "vmagent") {
+      vmagent = {
+        group = cfg.group;
+        shell = pkgs.bashInteractive;
+        description = "vmagent Daemon user";
+        home = cfg.dataDir;
+        isSystemUser = true;
+      };
+    };
+
+    # Open firewall if option is set to do so.
+    networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall) [ 8429 ];
+
+    # The actual service
+    systemd.services.vmagent = let prometheusConfig = pkgs.writeText "prometheus.yml" cfg.prometheusConfig;
+    in {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      description = "vmagent system service";
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Type = "simple";
+        Restart = "on-failure";
+        WorkingDirectory = cfg.dataDir;
+        ExecStart =
+          "${cfg.package}/bin/vmagent -remoteWrite.url=${cfg.remoteWriteUrl} -promscrape.config=${prometheusConfig}";
+      };
+    };
+
+    systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0755 ${cfg.user} ${cfg.group} -" ];
+  };
+}

nixos/common/users/default.nix

@@ -0,0 +1,63 @@
+# common/users/default.nix
+
+# Inputs to this NixOS module, in this case we are
+# using `pkgs` so we can have some user specific packages and config
+# to configure the root ssh key.
+{ config, pkgs, ... }:
+
+{
+  # Setup ZSH to use grml config
+  programs.zsh = {
+    enable = true;
+    enableCompletion = true;
+    syntaxHighlighting.enable = true;
+    interactiveShellInit = ''
+      source "${pkgs.grml-zsh-config}/etc/zsh/zshrc"
+      export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow"
+      source "${pkgs.fzf}/share/fzf/key-bindings.zsh"
+      source "${pkgs.fzf}/share/fzf/completion.zsh"
+      eval "$(${pkgs.zoxide}/bin/zoxide init zsh)"
+    '';
+    # otherwise it'll override the grml prompt
+    promptInit = "";
+  };
+  
+  environment.pathsToLink = [ "/share/zsh" ];
+
+  # Install Neovim and set it as alias for vi(m)
+  programs.neovim.enable = true;
+  programs.neovim.viAlias = true;
+
+  # Disable sudo prompt for `wheel` users.
+  security.sudo.wheelNeedsPassword = false;
+
+  # The block that specifies my user account.
+  users.extraUsers.victor = {
+    # This account is intended for a non-system user.
+    isNormalUser = true;
+
+    # My default shell
+    shell = pkgs.zsh;
+
+    # My SSH keys.
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFuxekX5WzX4GjbshtjaGyQcvMUgClugnK6T+OYIxw9 victor@null"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8llUcEBHsLqotFZc++LNP2fjItuuzeUsu5ObXecYNj victor@eevee"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBhJAp7NWlHgwDYd2z6VNROy5RkeZHRINFLsFvwT4b3 victor@bastion"
+    ];
+
+    # Make me admin
+    extraGroups = [ "wheel" ];
+  };
+
+  # Configure the root account
+  users.extraUsers.root = {
+    # Allow my SSH keys for logging in as root.
+    openssh.authorizedKeys.keys = config.users.users.victor.openssh.authorizedKeys.keys;
+    # Also use zsh for root
+    shell = pkgs.zsh;
+  };
+
+  # Setup packages available everywhere
+  environment.systemPackages = with pkgs; [ fzf git htop rsync ripgrep zoxide ];
+}