commit 835fb85c2572608d680fefa0c98507fe9bc92206
Author: bart
Date: Sat Nov 1 08:44:41 2025 -0500
server config init from guix-confs
diff --git a/docs_luks_notes.txt b/docs_luks_notes.txt
new file mode 100644
index 0000000..0db1289
--- /dev/null
+++ b/docs_luks_notes.txt
@@ -0,0 +1,57 @@
+# cryptsetup -v -c aes-xts-plain64 -h sha512 -s 512 luksFormat /dev/sdc /etc/cryptkey
+# cryptsetup -v -c aes-xts-plain64 -h sha512 -s 512 luksFormat /dev/sde /etc/cryptkey
+
+cryptsetup -v -c aes-xts-plain64 -h sha512 -s 512 luksFormat /dev/sdc -
+cryptsetup -v -c aes-xts-plain64 -h sha512 -s 512 luksFormat /dev/sde -
+
+cryptsetup luksHeaderBackup --header-backup-file ~/sde.header.bak /dev/sde
+cryptsetup luksHeaderBackup --header-backup-file ~/sdc.header.bak /dev/sdc
+
+/etc/crypttab
+doc1 UUID=dcfc1a1e-7920-43e4-a55a-e841fb23a389 /etc/cryptkey luks,noearly #,discard (for SSDs)
+doc2 UUID=8445e3f9-4c73-4726-966b-1b8ec8fa9675 /etc/cryptkey luks,noearly #,discard (for SSDs)
+
+/dev/sde: UUID="cf6bafca-b225-46ca-8dfc-b82fb6ab5560" TYPE="crypto_LUKS"
+/dev/sdc: UUID="05f833fb-1c68-4453-9df5-68a454f59845" TYPE="crypto_LUKS"
+
+# cryptsetup open --key-file=/etc/cryptkey --type luks /dev/sde doc1
+# cryptsetup open --key-file=/etc/cryptkey --type luks /dev/sdc doc2
+
+cryptsetup open --type luks /dev/sde doc1
+cryptsetup open --type luks /dev/sdc doc2
+
+
+mkfs.btrfs -f -L docs -m raid1 -d raid1 /dev/mapper/doc1 /dev/mapper/doc2
+
+Label: docs
+UUID: 2ae0eae2-bc13-4dbc-baa7-6e902847e0a6
+Node size: 16384
+Sector size: 4096
+Filesystem size: 1.82TiB
+Block group profiles:
+ Data: RAID1 1.00GiB
+ Metadata: RAID1 1.00GiB
+ System: RAID1 8.00MiB
+SSD detected: no
+Zoned device: no
+Incompat features: extref, skinny-metadata, no-holes, free-space-tree
+Runtime features: free-space-tree
+Checksum: crc32c
+Number of devices: 2
+Devices:
+ ID SIZE PATH
+ 1 931.51GiB /dev/mapper/doc1
+ 2 931.51GiB /dev/mapper/doc2
+
+
+
+mount -t btrfs -o defaults,noatime,compress=zstd -L docs /docs
+
+
+sudo blkid /dev/mapper/doc1
+/dev/mapper/doc1: LABEL="docs" UUID="cd4efb2f-a791-41de-8f19-65baf747c57c" UUID_SUB="c0356a61-57e8-4f1e-b9cb-7ca16c5e8c0b" BLOCK_SIZE="4096" TYPE="btrfs"
+
+
+/dev/mapper/doc1: LABEL="docs" UUID="cd4efb2f-a791-41de-8f19-65baf747c57c" UUID_SUB="c0356a61-57e8-4f1e-b9cb-7ca16c5e8c0b" BLOCK_SIZE="4096" TYPE="btrfs"
+
+/dev/mapper/doc2: LABEL="docs" UUID="cd4efb2f-a791-41de-8f19-65baf747c57c" UUID_SUB="d3266122-df77-49e6-be86-4bb6226e96df" BLOCK_SIZE="4096" TYPE="btrfs"
diff --git a/server/caddy/Caddyfile b/server/caddy/Caddyfile
new file mode 100644
index 0000000..d8a6c33
--- /dev/null
+++ b/server/caddy/Caddyfile
@@ -0,0 +1,70 @@
+{
+ debug
+}
+
+*.akeley.tech {
+ tls {
+ dns namecheap {
+ api_key af43a35060854eb98fd0c0837113a384
+ user bakeley
+ api_endpoint https://api.namecheap.com/xml.response
+ # client_ip 70.112.209.162
+ client_ip 172.58.55.28
+ }
+ }
+
+ @actual host actual.akeley.tech
+ handle @actual {
+ reverse_proxy actual:5006
+ }
+
+ @miniflux host miniflux.akeley.tech
+ handle @miniflux {
+ reverse_proxy miniflux:8080
+ }
+
+ @forgejo host forgejo.akeley.tech
+ handle @forgejo {
+ reverse_proxy forgejo:3000
+ }
+
+ @plex host plex.akeley.tech
+ handle @plex {
+ reverse_proxy plex:32400
+ }
+
+ @jellyfin host jellyfin.akeley.tech
+ handle @jellyfin {
+ reverse_proxy jellyfin:8096
+ }
+
+ @sonarr host sonarr.akeley.tech
+ handle @sonarr {
+ reverse_proxy sonarr:8989
+ }
+
+ @radarr host radarr.akeley.tech
+ handle @radarr {
+ reverse_proxy radarr:7878
+ }
+
+ @prowlarr host prowlarr.akeley.tech
+ handle @prowlarr {
+ reverse_proxy prowlarr:9696
+ }
+
+ @nzbget host nzbget.akeley.tech
+ handle @nzbget {
+ reverse_proxy nzbget:6789
+ }
+
+ @sftp host sftp.akeley.tech
+ handle @sftp {
+ reverse_proxy sftpgo:8080
+ }
+
+ @immich host immich.akeley.tech
+ handle @immich {
+ reverse_proxy immich-server:2283
+ }
+}
diff --git a/server/caddy/Dockerfile b/server/caddy/Dockerfile
new file mode 100644
index 0000000..8fca860
--- /dev/null
+++ b/server/caddy/Dockerfile
@@ -0,0 +1,8 @@
+FROM caddy:2.9-builder AS builder
+
+RUN xcaddy build \
+ --with github.com/caddy-dns/namecheap
+
+FROM caddy:2.9
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
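Review bot: The Namecheap API key and account name are committed in clear text in the `dns namecheap` block of the Caddyfile, and the same key is repeated as `NAMECHEAP_API_KEY` in the container environment in server/config.scm, so the credential now lives in git history and should be rotated. Caddy expands `{env.NAME}` placeholders in the Caddyfile, so the block can read the values the container is already given instead of embedding them: `api_key {env.NAMECHEAP_API_KEY}`, `user {env.NAMECHEAP_API_USER}`, `client_ip {env.PUBLIC_IP}`. Note that `client_ip` here is `172.58.55.28` while config.scm passes `PUBLIC_IP` as `70.112.209.162` (the value commented out above it); if this IP has to match the address the API calls originate from, one of the two looks stale. The global `debug` option also turns on verbose logging for every proxied request, which is more than a steady-state reverse proxy needs.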
diff --git a/server/config.scm b/server/config.scm
new file mode 100644
index 0000000..2af5f48
--- /dev/null
+++ b/server/config.scm
@@ -0,0 +1,318 @@
+;; Indicate which modules to import to access the variables
+;; used in this configuration.
+(use-modules (gnu))
+(use-package-modules databases)
+(use-service-modules cups desktop networking ssh xorg docker dbus databases)
+
+(operating-system
+ (locale "en_US.utf8")
+ (timezone "America/Chicago")
+ (keyboard-layout (keyboard-layout "us"))
+ (host-name "excellon")
+
+ ;; The list of user accounts ('root' is implicit).
+ (users
+ (cons* (user-account
+ (name "bartronx7")
+ (comment "bartronx7")
+ (group "users")
+ (home-directory "/home/bartronx7")
+ (supplementary-groups '("wheel" "netdev" "audio" "video" "docker")))
+ %base-user-accounts))
+
+ ;; Below is the list of system services. To search for available
+ ;; services, run 'guix system search KEYWORD' in a terminal.
+ (services
+ (append (list
+ ;; To configure OpenSSH, pass an 'openssh-configuration'
+ ;; record as a second argument to 'service' below.
+ (service openssh-service-type)
+ (service dhcp-client-service-type)
+ (service ntp-service-type)
+ (service elogind-service-type
+ (elogind-configuration (handle-suspend-key 'ignore)))
+ (service dbus-root-service-type)
+ (service containerd-service-type)
+ (service docker-service-type (docker-configuration
+ (environment-variables (list
+ "TMPDIR=/tmp/dockerd"))))
+
+ (service oci-container-service-type (list
+
+ (oci-container-configuration
+ (image "localhost:5000/caddy:latest")
+ (provision "caddy")
+ (respawn? #t)
+ (network "sandbox")
+ (ports '(
+ ("80" . "80")
+ ("443" . "443")))
+ (environment (list
+ '("NAMECHEAP_API_KEY" . "af43a35060854eb98fd0c0837113a384")
+ '("NAMECHEAP_API_USER" . "bakeley")
+ '("PUBLIC_IP" . "70.112.209.162")))
+ (volumes (list
+ '("/data/docker/volumes/caddy/Caddyfile" . "/etc/caddy/Caddyfile")
+ '("/data/docker/volumes/caddy/data" . "/data")
+ '("/data/docker/volumes/caddy/config" . "/config"))))
+
+ (oci-container-configuration
+ (image "docker.io/actualbudget/actual-server:latest")
+ (provision "actual")
+ (network "sandbox")
+ (ports '(
+ ("5006" . "5006")))
+ (volumes (list
+ '("/data/docker/volumes/actual/data" . "/data"))))
+
+ (oci-container-configuration
+ (image "miniflux/miniflux:latest")
+ (provision "miniflux")
+ (network "sandbox")
+ (requirement '(miniflux-db))
+ (ports '(
+ ("8081" . "8080")))
+ (environment (list
+ '("DATABASE_URL" . "postgres://miniflux:99uskas0_l@miniflux-db/miniflux?sslmode=disable")
+ '("RUN_MIGRATIONS" . "1")
+ '("CREATE_ADMIN" . "1")
+ '("ADMIN_USERNAME" . "admin")
+ '("ADMIN_PASSWORD" . "982#@2gGGHjf"))))
+
+ (oci-container-configuration
+ (image "docker.io/postgres:17-alpine")
+ (provision "miniflux-db")
+ (network "sandbox")
+ (ports '(
+ ("5432" . "5432")))
+ (environment (list
+ '("POSTGRES_USER" . "miniflux")
+ '("POSTGRES_PASSWORD" . "99uskas0_l")
+ '("POSTGRES_DB" . "miniflux")))
+ (volumes (list
+ '("/data/docker/volumes/miniflux_db" . "/var/lib/postgresql/data"))))
+
+ (oci-container-configuration
+ (image "codeberg.org/forgejo/forgejo:10")
+ (provision "forgejo")
+ (network "sandbox")
+ (ports '(
+ ("3000" . "3000")
+ ("2222" . "22")))
+ (environment (list
+ '("USER_UID" . "1000")
+ '("USER_GID" . "1000")))
+ (volumes (list
+ '("/data/docker/volumes/forgejo" . "/data")
+ '("/etc/timezone" . "/etc/timezone:ro")
+ '("/etc/localtime" . "/etc/localtime:ro"))))
+
+ (oci-container-configuration
+ (image "packetriot/pktriot:latest")
+ (provision "pktriot")
+ (respawn? #t)
+ (network "sandbox")
+ (volumes (list
+ '("/data/docker/volumes/pktriot" . "/data:rw"))))
+
+ (oci-container-configuration
+ (image "plexinc/pms-docker")
+ (provision "plex")
+ (network "sandbox")
+ (extra-arguments '("--device=/dev/dvb"))
+ (ports '(
+ ("32400" . "32400")
+ ("8324" . "8324")
+ ("32469" . "32469")
+ ("1900" . "1900")
+ ("32410" . "32410")
+ ("32412" . "32412")
+ ("32413" . "32413")
+ ("32414" . "32414")))
+ (environment (list
+ '("TZ" . "America/Chicago")
+ '("PLEX_CLAIM:" . "claim-7-N1LVT5AMco6ayhy4Tm")
+ '("ADVERTISE_IP:" . "http://192.168.1.3:32400/")))
+ (volumes (list
+ '("/data/docker/volumes/plex/config" . "/config")
+ '("/data/docker/volumes/plex/transcode" . "/transcode")
+ '("/data" . "/data:rw"))))
+
+ (oci-container-configuration
+ (image "jellyfin/jellyfin:latest")
+ (provision "jellyfin")
+ (network "sandbox")
+ (ports '(
+ ("8096" . "8096")))
+ (volumes (list
+ '("/data/docker/volumes/jellyfin/config" . "/config")
+ '("/data/docker/volumes/jellyfin/cache" . "/cache")
+ '("/data/shows" . "/shows")
+ '("/data/movies" . "/movies")
+ '("/data/music" . "/music"))))
+
+ (oci-container-configuration
+ (image "lscr.io/linuxserver/sonarr:latest")
+ (provision "sonarr")
+ (requirement '(prowlarr))
+ (network "sandbox")
+ (ports '(
+ ("8989" . "8989")))
+ (environment (list
+ '("PUID" . "1000")
+ '("PGID" . "1000")
+ '("TZ" . "US/America/Chicago")))
+ (volumes (list
+ '("/data/docker/volumes/sonarr/config" . "/config")
+ '("/data/shows" . "/data/shows")
+ '("/data/downloads" . "/data/downloads"))))
+
+ (oci-container-configuration
+ (image "ghcr.io/hotio/radarr:latest")
+ (provision "radarr")
+ (requirement '(prowlarr))
+ (network "sandbox")
+ (ports '(
+ ("7878" . "7878")))
+ (environment (list
+ '("PUID" . "1000")
+ '("PGID" . "1000")
+ '("UMASK" . "002")
+ '("TZ" . "US/America/Chicago")))
+ (volumes (list
+ '("/data/docker/volumes/radarr/config" . "/config")
+ '("/data/downloads" . "/data/downloads")
+ '("/data/movies" . "/data/movies"))))
+
+ (oci-container-configuration
+ (image "ghcr.io/hotio/prowlarr:latest")
+ (provision "prowlarr")
+ (network "sandbox")
+ (ports '(
+ ("9696" . "9696")))
+ (environment (list
+ '("PUID" . "1000")
+ '("PGID" . "1000")
+ '("TZ" . "US/America/Chicago")))
+ (volumes (list
+ '("/data/docker/volumes/prowlarr/config" . "/config"))))
+
+ (oci-container-configuration
+ (image "ghcr.io/hotio/nzbget:latest")
+ (provision "nzbget")
+ (network "sandbox")
+ (ports '(
+ ("6789" . "6789")))
+ (environment (list
+ '("PUID" . "1000")
+ '("PGID" . "1000")
+ '("UMASK" . "002")
+ '("TZ" . "US/America/Chicago")))
+ (volumes (list
+ '("/data/docker/volumes/nzbget/config" . "/config")
+ '("/data/downloads" . "/data/downloads")
+ '("/data/movies" . "/data/movies")
+ '("/data/shows" . "/data/shows"))))
+
+ (oci-container-configuration
+ (image "drakkan/sftpgo:latest")
+ (provision "sftpgo")
+ (network "sandbox")
+ (ports '(
+ ("8082" . "8080")
+ ("2022" . "2022")))
+ (volumes (list
+ '("/data/movies" . "/movies")
+ '("/data/shows" . "/shows")
+ '("/data/music" . "/music")
+ '("/data/pictures" . "/pictures"))))
+
+ (oci-container-configuration
+ (image "ghcr.io/immich-app/immich-server:release")
+ (provision "immich-server")
+ (network "sandbox")
+ (requirement '(immich-redis immich-postgres))
+ (volumes (list
+ '("/data/docker/volumes/immich/server" . "/data")
+ '("/data/docker/volumes/immich/pgdata" . "/db")
+ '("/data/pictures" . "/pictures")
+ '("/etc/localtime" . "/etc/localtime")
+ ))
+ (environment (list
+ '("DB_DATA_LOCATION" . "/db")
+ '("DB_HOSTNAME" . "immich-postgres")
+ '("DB_DATABASE_NAME" . "immich")
+ '("DB_USERNAME" . "immich")
+ '("DB_PASSWORD" . "i7_qpV3$0o")
+ '("REDIS_HOSTNAME" . "immich-redis")))
+ (ports '(
+ ("2283" . "2283"))))
+
+ (oci-container-configuration
+ (image "ghcr.io/immich-app/immich-machine-learning:release")
+ (provision "immich-ml")
+ (network "sandbox")
+ (respawn? #t)
+ (volumes (list
+ '("/data/docker/volumes/immich/ml/cache" . "/cache"))))
+
+ (oci-container-configuration
+ (image "docker.io/valkey/valkey:8-bookworm")
+ (provision "immich-redis")
+ (network "sandbox")
+ (respawn? #t)
+ (volumes (list
+ '("/data/docker/volumes/immich/valkey" . "/data"))))
+
+ (oci-container-configuration
+ (image "ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0")
+ (provision "immich-postgres")
+ (network "sandbox")
+ (respawn? #t)
+ (environment (list
+ '("POSTGRES_PASSWORD" . "i7_qpV3$0o")
+ '("POSTGRES_USER" . "immich")
+ '("POSTGRES_DB" . "immich")
+ '("POSTGRES_INITDB_ARGS" . "--data-checksums")
+ '("DB_STORAGE_TYPE" . "HDD")))
+ (volumes (list
+ '("/data/docker/volumes/immich/pgdata" . "/var/lib/postgresql/data"))))
+
+ ))) %base-services))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/sda"))
+ (keyboard-layout keyboard-layout)))
+
+ ;; The devices that make up the luks "docs" labelled filesystem
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "cf6bafca-b225-46ca-8dfc-b82fb6ab5560"))
+ (target "doc1")
+ (type luks-device-mapping))
+ (mapped-device
+ (source (uuid "05f833fb-1c68-4453-9df5-68a454f59845"))
+ (target "doc2")
+ (type luks-device-mapping))))
+
+ ;; The list of file systems that get "mounted". The unique
+ ;; file system identifiers there ("UUIDs") can be obtained
+ ;; by running 'blkid' in a terminal.
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device (file-system-label "guixos"))
+ (type "btrfs"))
+
+ (file-system
+ (mount-point "/data")
+ (device (file-system-label "datapool"))
+ (type "btrfs"))
+
+ (file-system
+ (mount-point "/docs")
+ (device "/dev/mapper/doc1")
+ (type "btrfs"))
+
+ %base-file-systems)))
diff --git a/server/docs_luks_notes.txt b/server/docs_luks_notes.txt
new file mode 100644
index 0000000..0db1289
--- /dev/null
+++ b/server/docs_luks_notes.txt
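Review bot: The `environment` lists embed live credentials as literals — the Namecheap API key, the miniflux and immich Postgres passwords (also inlined in `DATABASE_URL`), the miniflux `ADMIN_PASSWORD` and the Plex claim token — and since this is the `operating-system` declaration they are now in git history and, as far as I can tell from how oci-container-service-type builds its shepherd start scripts, will also be written into the world-readable store where any local account can read them; rotate them and have the containers read them from a root-only file outside the declaration. The plex container's `'("PLEX_CLAIM:" . …)` and `'("ADVERTISE_IP:" . …)` carry a stray colon in the variable name, so Plex will never see those settings; the keys should be `PLEX_CLAIM` and `ADVERTISE_IP`. `TZ` is `US/America/Chicago` for sonarr, radarr, prowlarr and nzbget, which is not a tz-database name, whereas the `timezone` field and the plex entry use `America/Chicago`. `miniflux-db` publishes `("5432" . "5432")` to every host interface although its only consumer is `miniflux` on the same `sandbox` network, so that mapping can be dropped. Similarly `plex` bind-mounts the whole `/data` tree as `/data:rw`, where jellyfin and sftpgo mount only the media subtrees they serve.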
@@ -0,0 +1,57 @@
+# cryptsetup -v -c aes-xts-plain64 -h sha512 -s 512 luksFormat /dev/sdc /etc/cryptkey
+# cryptsetup -v -c aes-xts-plain64 -h sha512 -s 512 luksFormat /dev/sde /etc/cryptkey
+
+cryptsetup -v -c aes-xts-plain64 -h sha512 -s 512 luksFormat /dev/sdc -
+cryptsetup -v -c aes-xts-plain64 -h sha512 -s 512 luksFormat /dev/sde -
+
+cryptsetup luksHeaderBackup --header-backup-file ~/sde.header.bak /dev/sde
+cryptsetup luksHeaderBackup --header-backup-file ~/sdc.header.bak /dev/sdc
+
+/etc/crypttab
+doc1 UUID=dcfc1a1e-7920-43e4-a55a-e841fb23a389 /etc/cryptkey luks,noearly #,discard (for SSDs)
+doc2 UUID=8445e3f9-4c73-4726-966b-1b8ec8fa9675 /etc/cryptkey luks,noearly #,discard (for SSDs)
+
+/dev/sde: UUID="cf6bafca-b225-46ca-8dfc-b82fb6ab5560" TYPE="crypto_LUKS"
+/dev/sdc: UUID="05f833fb-1c68-4453-9df5-68a454f59845" TYPE="crypto_LUKS"
+
+# cryptsetup open --key-file=/etc/cryptkey --type luks /dev/sde doc1
+# cryptsetup open --key-file=/etc/cryptkey --type luks /dev/sdc doc2
+
+cryptsetup open --type luks /dev/sde doc1
+cryptsetup open --type luks /dev/sdc doc2
+
+
+mkfs.btrfs -f -L docs -m raid1 -d raid1 /dev/mapper/doc1 /dev/mapper/doc2
+
+Label: docs
+UUID: 2ae0eae2-bc13-4dbc-baa7-6e902847e0a6
+Node size: 16384
+Sector size: 4096
+Filesystem size: 1.82TiB
+Block group profiles:
+ Data: RAID1 1.00GiB
+ Metadata: RAID1 1.00GiB
+ System: RAID1 8.00MiB
+SSD detected: no
+Zoned device: no
+Incompat features: extref, skinny-metadata, no-holes, free-space-tree
+Runtime features: free-space-tree
+Checksum: crc32c
+Number of devices: 2
+Devices:
+ ID SIZE PATH
+ 1 931.51GiB /dev/mapper/doc1
+ 2 931.51GiB /dev/mapper/doc2
+
+
+
+mount -t btrfs -o defaults,noatime,compress=zstd -L docs /docs
+
+
+sudo blkid /dev/mapper/doc1
+/dev/mapper/doc1: LABEL="docs" UUID="cd4efb2f-a791-41de-8f19-65baf747c57c" UUID_SUB="c0356a61-57e8-4f1e-b9cb-7ca16c5e8c0b" BLOCK_SIZE="4096" TYPE="btrfs"
+
+
+/dev/mapper/doc1: LABEL="docs" UUID="cd4efb2f-a791-41de-8f19-65baf747c57c" UUID_SUB="c0356a61-57e8-4f1e-b9cb-7ca16c5e8c0b" BLOCK_SIZE="4096" TYPE="btrfs"
+
+/dev/mapper/doc2: LABEL="docs" UUID="cd4efb2f-a791-41de-8f19-65baf747c57c" UUID_SUB="d3266122-df77-49e6-be86-4bb6226e96df" BLOCK_SIZE="4096" TYPE="btrfs"