infrastructure/hosts/phoenix.lewd.wtf/c3moc.nix

{ lib, pkgs, config, ... }:
with lib;                      
let
  cfg = config.c3moc;
in {
  options.c3moc = {
    enable = mkEnableOption "enable c3moc services";
    switchNfs = mkEnableOption "switch nfs config to c3moc one";
  };
  config = mkIf cfg.enable {
    fileSystems = {
      "/mnt/zbigdata/c3moc_dropfolder" = {
        device = "zbigdata/c3moc_dropfolder";
        fsType = "zfs";
      };
      "/export/c3moc/media" = lib.mkIf cfg.switchNfs {
        device = "/mnt/zbigdata/media";
        options = [ "bind" ];
      };
      "/export/c3moc/games" = lib.mkIf cfg.switchNfs {
        device = "/mnt/zbigdata/games";
        options = [ "bind" ];
      };
      "/export/c3moc/dropfolder" = lib.mkIf cfg.switchNfs {
        device = "/mnt/zbigdata/c3moc_dropfolder";
        options = [ "bind" ];
      };
    };
  
    containers.c3moc = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.69.1";
      hostAddress6 = "aa69::1";
      localAddress = "192.168.69.10";
      localAddress6 = "aa69::69";
  
      bindMounts = {
        "/home/c3moc/media" = {
          hostPath = "/mnt/zbigdata/media";
          isReadOnly = true;
        };
        "/home/c3moc/games" = {
          hostPath = "/mnt/zbigdata/games";
          isReadOnly = true;
        };
        "/home/c3moc/dropfolder" = {
          hostPath = "/mnt/zbigdata/c3moc_dropfolder";
          isReadOnly = false;
        };
      };
  
      config = { config, pkgs, ... }: {
        system.stateVersion = "24.05";
    
        networking = {
          firewall = {
            enable = true;
          };
          useHostResolvConf = lib.mkForce false;
        };
        
        services.resolved.enable = true;
  
        users.groups.c3moc = {};
        users.users.c3moc = {
          group = "c3moc";
          password = "c3moc";
          isNormalUser = true;
          home = "/home/c3moc";
        };

        # Jellyfin
        environment.systemPackages = with pkgs; [
          jellyfin-ffmpeg
        ];
      
        services.jellyfin = {
          enable = true;
          openFirewall = true;
        };
  
        # FTP access
        services.vsftpd = {
          enable = true;
          writeEnable = true;
          anonymousUser = true;
          anonymousUserNoPassword = true;
          anonymousUserHome = "/home/c3moc";
          anonymousUploadEnable = true;
          anonymousMkdirEnable = true;
          anonymousUmask = "000";
        };
  
        # SFTP access
        services.openssh = {
          enable = true;
          extraConfig = ''
            Match Group c3moc
              ChrootDirectory /home
              ForceCommand internal-sftp
              AllowTcpForwarding no
          '';
        };
  
        # CIFS access
        services.samba = {
          enable = true;
          openFirewall = true;
          extraConfig = ''
            workgroup = WORKGROUP
            server string = c3moc
            netbios name = c3moc
            security = user 
            use sendfile = yes
            guest account = nobody
            map to guest = bad user
          '';
          shares = {
            c3moc = {
              path = "/home/c3moc";
              browseable = "yes";
              "read only" = "no";
              "guest ok" = "yes";
              "create mask" = "0777";
              "directory mask" = "0777";
              "force user" = "c3moc";
              "force group" = "c3moc";
            };
          };
        };
      };
    };
  
    services.nfs.server.exports = mkIf cfg.switchNfs ''
      /export        (ro,fsid=0,no_subtree_check)
      /export/c3moc  (ro,nohide,insecure,no_subtree_check)
      /export/c3moc/games  (ro,nohide,insecure,no_subtree_check)
      /export/c3moc/media  (ro,nohide,insecure,no_subtree_check)
      /export/c3moc/dropfolder  (rw,nohide,insecure,no_subtree_check)
    '';
    
    networking.nat.forwardPorts = [
      # FTP
      {
        destination = "192.168.69.10:20";
        proto = "tcp";
        sourcePort = 20;
      }
      {
        destination = "192.168.69.10:21";
        proto = "tcp";
        sourcePort = 21;
      }
      # SFTP
      {
        destination = "192.168.69.10:22";
        proto = "tcp";
        sourcePort = 22;
      }
      # SMB
      {
        destination = "192.168.69.10:137";
        proto = "udp";
        sourcePort = 137;
      }
      {
        destination = "192.168.69.10:138";
        proto = "udp";
        sourcePort = 138;
      }
      {
        destination = "192.168.69.10:139";
        proto = "tcp";
        sourcePort = 139;
      }
      {
        destination = "192.168.69.10:445";
        proto = "tcp";
        sourcePort = 445;
      }
      # FTP
      {
        destination = "aa69::69:20";
        proto = "tcp";
        sourcePort = 20;
      }
      {
        destination = "aa69::69:21";
        proto = "tcp";
        sourcePort = 21;
      }
      # SFTP
      {
        destination = "aa69::69:22";
        proto = "tcp";
        sourcePort = 22;
      }
      # SMB
      {
        destination = "aa69::69:137";
        proto = "udp";
        sourcePort = 137;
      }
      {
        destination = "aa69::69:138";
        proto = "udp";
        sourcePort = 138;
      }
      {
        destination = "aa69::69:139";
        proto = "tcp";
        sourcePort = 139;
      }
      {
        destination = "aa69::69:445";
        proto = "tcp";
        sourcePort = 445;
      }
    ];

    # Monitoring Stuff
    services.prometheus.exporters.node = {
      enable = true;
      port = 9100;
      enabledCollectors = [
        "logind"
        "systemd"
      ];
      disabledCollectors = [
        "textfile"
      ];
    };
    services.prometheus = {
      enable = true;

      scrapeConfigs = [
        {
          job_name = "node";
          static_configs = [{
            targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
          }];
        }
      ];
    };
    services.grafana = {
      enable = true;
      settings = {
        server = {
          # Listening Address
          http_addr = "127.0.0.1";
          # and Port
          http_port = 3000;
          # Grafana needs to know on which domain and URL it's running
          domain = "gpn22.c3moc.lol";
          root_url = "https://gpn22.c3moc.lol/stats/"; # Not needed if it is `https://your.domain/`
          serve_from_sub_path = true;
        };
        "auth.anonymous" = {
          enabled = true;
          org_name = "Public";
        };
      };
    };


    # Nginx Stuff
    services.nginx = {
      virtualHosts."gpn22.c3moc.lol" = {
        serverName = "gpn22.c3moc.lol";
        enableACME = true;
        forceSSL = true;
        locations = {
          "= /" = {
            extraConfig = ''
              return 302 https://$host/web/;
            '';
          };
          "/" = {
            extraConfig = ''
              proxy_pass http://192.168.69.10:8096;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Forwarded-Protocol $scheme;
              proxy_set_header X-Forwarded-Host $http_host;
              proxy_buffering off;
            '';
          };
          "= /web/" = {
            extraConfig = ''
              proxy_pass http://192.168.69.10:8096/web/index.html;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Forwarded-Protocol $scheme;
              proxy_set_header X-Forwarded-Host $http_host;
              proxy_buffering off;
            '';
          };
          "/socket" = {
            extraConfig = ''
              proxy_pass http://192.168.69.10:8096/socket;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Forwarded-Protocol $scheme;
              proxy_set_header X-Forwarded-Host $http_host;
            '';
          };
	  "/stats/" = {
            proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
      };
    };
  };
}