odie
/
nixos-combined-flake
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixos-combined-flake/profiles/nixos/pi0/configuration.nix

139 lines
3.5 KiB
Nix
Raw Blame History

{ inputs
, pkgs
, outputs
, vars
, config
, lib
, ...
}:
let
haproxy = rec {
dataDir = "/var/lib/haproxy";
certDir = "${dataDir}/crt";
domains = [
"pi0.odie.home.arpa"
"jellyfin.odie.home.arpa"
"gokosync.odie.home.arpa"
];
};
in
{
imports = [
inputs.nixos-hardware.nixosModules.raspberry-pi-4
outputs.nixosModules.base
outputs.nixosModules.home-manager
outputs.nixosModules.mediacenter
outputs.nixosModules.sops
outputs.nixosModules.raspberry-pi
./hardware-configuration.nix
] ++ map (name: (import ../../../lib/genSslCert.nix {
inherit name;
inherit (config.services.haproxy) user;
dataDir = haproxy.certDir;
domain = name;
wantedBy = [ "haproxy.service" ];
Before = [ "haproxy.service" ];
})) haproxy.domains;
networking = {
inherit (vars) hostName domain;
};
fileSystems = {
"/media/net/hel_Public" = {
device = "hel.odie.home.arpa:/nfs/Public";
fsType = "nfs";
};
"/media/net/hel_USB" = {
device = "hel.odie.home.arpa:/nfs/USB_Video";
fsType = "nfs";
};
"/media/net/svartalbenheim_Video" = {
device = "svartalbenheim.odie.home.arpa:/volume1/media/Video";
fsType = "nfs";
};
};
home-manager = {
users = {
kodi = let profile = "kodi@pi0"; in import ../../home-manager/${profile}/home.nix;
};
};
security.rtkit.enable = true;
environment.systemPackages = with pkgs; [
libraspberrypi
raspberrypi-eeprom
libcec
kitty
nfs-utils
];
programs.zsh.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
services = {
gokosync.enable = true;
haproxy = {
enable = true;
config =
let
certs = lib.strings.concatMapStrings (d: "crt ${haproxy.certDir}/${d}.pem ") haproxy.domains;
in
''
global
maxconn 256
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http
bind *:80
bind *:443 ssl ${certs} default-crt ${haproxy.certDir}/pi0.odie.home.arpa.pem
redirect scheme https code 301 if !{ ssl_fc }
use_backend be_jellyfin if { ssl_fc_sni jellyfin.odie.home.arpa }
use_backend be_gokosync if { ssl_fc_sni gokosync.odie.home.arpa }
default_backend be_null
backend be_null
http-request return status 204
backend be_jellyfin
option httpchk
option forwardfor
http-check send meth GET uri /health
http-check expect string Healthy
server server1 127.0.0.1:8920 maxconn 32 ssl verify none
server server2 127.0.0.1:8096 maxconn 32
backend be_gokosync
server server1 ${config.services.gokosync.addr}:${builtins.toString config.services.gokosync.port} maxconn 32
'';
};
udev.extraRules = ''
# allow access to raspi cec device for video group (and optionally register it as a systemd device, used below)
KERNEL=="vchiq", GROUP="video", MODE="0660", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/vchiq"
'';
};
systemd.tmpfiles.rules = [
"d ${haproxy.certDir} 0770 ${config.users.users.haproxy.name} ${config.users.groups.haproxy.name} -"
];
nixpkgs = {
overlays = [
(final: prev: {
makeModulesClosure = x: prev.makeModulesClosure (x // { allowMissing = true; });
libcec = prev.libcec.override { withLibraspberrypi = true; };
})
];
};
}
Reference in New Issue View Git Blame Copy Permalink