diff --git a/flake.nix b/flake.nix index 7247682..80da229 100644 --- a/flake.nix +++ b/flake.nix @@ -140,6 +140,11 @@ host = "valkyrie"; stable = true; }; + waffentrager = makeSystem { + host = "waffentrager"; + stable = true; + arch = "aarch64-linux"; + }; }; homeConfigurations = { @@ -158,6 +163,13 @@ host = "valkyrie"; stable = true; }; + + "materus@waffentrager" = makeHome { + user = "materus"; + host = "waffentrager"; + arch = "aarch64-linux"; + stable = true; + }; }; }; diff --git a/nix-config/home/materus/default.nix b/nix-config/home/materus/default.nix index 9e7cac6..f7a101f 100644 --- a/nix-config/home/materus/default.nix +++ b/nix-config/home/materus/default.nix @@ -2,7 +2,6 @@ config, pkgs, lib, - materusArgs, ... }: diff --git a/nix-config/host/materusPC/boot.nix b/nix-config/host/materusPC/boot.nix index 0323749..5f8d7ad 100644 --- a/nix-config/host/materusPC/boot.nix +++ b/nix-config/host/materusPC/boot.nix @@ -1,7 +1,6 @@ { pkgs, lib, - materusArgs, mkk, ... }: @@ -83,7 +82,7 @@ ssh = { enable = true; port = 22; - authorizedKeyFiles = [ materusArgs.files.ssh-keys.materus ]; + authorizedKeyFiles = [ mkk.files.ssh-keys.materus ]; hostKeys = [ "/mkk/keys/ssh_host_ed25519_key" "/mkk/keys/ssh_host_rsa_key" diff --git a/nix-config/host/materusPC/configuration.nix b/nix-config/host/materusPC/configuration.nix index b2474ad..c6759cf 100644 --- a/nix-config/host/materusPC/configuration.nix +++ b/nix-config/host/materusPC/configuration.nix @@ -6,13 +6,13 @@ config, lib, pkgs, - materusArgs, + mkk, ... }: let patchedBwrap = pkgs.bubblewrap.overrideAttrs (o: { patches = (o.patches or [ ]) ++ [ - materusArgs.files.patches.bwrap + mkk.files.patches.bwrap ]; }); in diff --git a/nix-config/host/materusPC/home-manager/materus.nix b/nix-config/host/materusPC/home-manager/materus.nix index ee7ed25..38a252d 100644 --- a/nix-config/host/materusPC/home-manager/materus.nix +++ b/nix-config/host/materusPC/home-manager/materus.nix @@ -1,6 +1,5 @@ { pkgs, - materusArgs, config, lib, ... diff --git a/nix-config/host/oldie/configuration.nix b/nix-config/host/oldie/configuration.nix index 0efcd31..9f16368 100644 --- a/nix-config/host/oldie/configuration.nix +++ b/nix-config/host/oldie/configuration.nix @@ -6,7 +6,6 @@ config, lib, pkgs, - materusArgs, mkk, ... }: diff --git a/nix-config/host/valkyrie/default.nix b/nix-config/host/valkyrie/default.nix index 269d551..a91adfa 100644 --- a/nix-config/host/valkyrie/default.nix +++ b/nix-config/host/valkyrie/default.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running `nixos-help`). -{ lib, pkgs, materusArgs, config, ... }: +{ lib, pkgs, mkk, materusArgs, config, ... }: { imports = @@ -70,10 +70,10 @@ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. packages = [ ]; - openssh.authorizedKeys.keyFiles = [ "${materusArgs.files.ssh-keys.materus}" ]; + openssh.authorizedKeys.keyFiles = [ "${mkk.files.ssh-keys.materus}" ]; shell = pkgs.zsh; }; - users.users.acme.openssh.authorizedKeys.keyFiles = [ "${materusArgs.files.ssh-keys.waffentrager}" ]; + users.users.acme.openssh.authorizedKeys.keyFiles = [ "${mkk.files.ssh-keys.waffentrager}" ]; users.users.acme.shell = pkgs.scponly; # List packages installed in system profile. To search, run: # $ nix search wget diff --git a/nix-config/host/waffentrager/configuration.nix b/nix-config/host/waffentrager/configuration.nix new file mode 100644 index 0000000..6f77217 --- /dev/null +++ b/nix-config/host/waffentrager/configuration.nix @@ -0,0 +1,168 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running `nixos-help`). + +{ config, pkgs, mkk, lib, materusArgs, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + networking.firewall.allowedTCPPorts = [ 1900 ]; + networking.firewall.allowedUDPPorts = [ 1900 7359]; + environment.etc."current-flake".source = materusArgs.self; + + nix.settings = { + experimental-features = lib.mkMerge [ + [ + "nix-command" + "flakes" + ] + ]; + auto-optimise-store = true; + trusted-users = [ + "root" + "@wheel" + ]; + + substituters = [ + "https://nix-community.cachix.org" + "https://cache.nixos.org/" + "https://nixerus.cachix.org/" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "nixerus.cachix.org-1:2x7sIG7y1vAoxc8BNRJwsfapZsiX4hIl4aTi9V5ZDdE=" + ]; + }; + + environment.systemPackages = with pkgs; [ + libraspberrypi + raspberrypi-eeprom + git + + p7zip + unrar + bzip2 + unzip + zstd + xz + zip + gzip + + ]; + + boot.tmp.useTmpfs = true; + services.xserver.enable = false; + networking.hostName = "waffentrager"; + + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "no"; + + users.users.materus = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keyFiles = [ mkk.files.ssh-keys.materus ]; + hashedPasswordFile = config.sops.secrets."users/materus".path; + shell = pkgs.zsh; + }; + + # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) + boot.loader.grub.enable = false; + # Enables the generation of /boot/extlinux/extlinux.conf + boot.loader.generic-extlinux-compatible.enable = true; + # networking.hostName = "nixos"; # Define your hostname. + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + # Set your time zone. + # time.timeZone = "Europe/Amsterdam"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkbOptions in tty. + # }; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + + + + + # Configure keymap in X11 + # services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e,caps:escape"; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # sound.enable = true; + # hardware.pulseaudio.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + services.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.alice = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # packages = with pkgs; [ + # firefox + # tree + # ]; + # }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + # environment.systemPackages = with pkgs; [ + # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + # wget + # ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It's perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + nixpkgs.config.allowUnfree = true; + programs.zsh.enable = true; + system.stateVersion = "23.11"; # Did you read the comment? + +} + diff --git a/nix-config/host/waffentrager/default.nix b/nix-config/host/waffentrager/default.nix new file mode 100644 index 0000000..4ccc19d --- /dev/null +++ b/nix-config/host/waffentrager/default.nix @@ -0,0 +1,18 @@ +{ config, pkgs, ... }: +{ + + imports = [ + + ./configuration.nix + ./private + ./services + ]; + + virtualisation.podman.autoPrune.enable = true; + virtualisation.podman.autoPrune.dates = "daily"; + virtualisation.podman.defaultNetwork.settings = { + default_subnet = "10.88.0.0/16"; + }; + virtualisation.oci-containers.backend = "podman"; + +} diff --git a/nix-config/host/waffentrager/hardware-configuration.nix b/nix-config/host/waffentrager/hardware-configuration.nix new file mode 100644 index 0000000..8710f13 --- /dev/null +++ b/nix-config/host/waffentrager/hardware-configuration.nix @@ -0,0 +1,52 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, materusArgs, ... }: +let + crossPkgs = import pkgs.path { + localSystem = "x86_64-linux"; + crossSystem = pkgs.stdenv.hostPlatform.system; + }; + rpi4-kernel = + crossPkgs.callPackage (materusArgs.inputs.nixos-hardware.outPath + "/raspberry-pi/common/kernel.nix") + { + rpiVersion = 4; + }; +in +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + materusArgs.inputs.nixos-hardware.nixosModules.raspberry-pi-4 + ]; + + #boot.kernelPackages = pkgs.linuxPackagesFor materusArgs.inputs.nixos-hardware.packages.aarch64-linux.rpi4-kernel; + boot.kernelPackages = crossPkgs.linuxPackagesFor rpi4-kernel; + boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.kernel.sysctl = { + "vm.swappiness" = 10; + }; + fileSystems."/" = + { + device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; + swapDevices = [{ + device = "/var/.swapfile"; + size = 8 * 1024; + }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.end0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = "aarch64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} diff --git a/nix-config/host/waffentrager/home-manager/materus.nix b/nix-config/host/waffentrager/home-manager/materus.nix new file mode 100644 index 0000000..c5b014b --- /dev/null +++ b/nix-config/host/waffentrager/home-manager/materus.nix @@ -0,0 +1,5 @@ +{ config, pkgs, lib, ... }: +{ + home.stateVersion = "23.11"; + home.homeDirectory = "/home/materus"; +} diff --git a/nix-config/host/waffentrager/private/default.nix b/nix-config/host/waffentrager/private/default.nix new file mode 100644 index 0000000..5251c71 Binary files /dev/null and b/nix-config/host/waffentrager/private/default.nix differ diff --git a/nix-config/host/waffentrager/private/secrets.yaml b/nix-config/host/waffentrager/private/secrets.yaml new file mode 100644 index 0000000..6b3ddf8 Binary files /dev/null and b/nix-config/host/waffentrager/private/secrets.yaml differ diff --git a/nix-config/host/waffentrager/services/auth/authelia.nix b/nix-config/host/waffentrager/services/auth/authelia.nix new file mode 100644 index 0000000..e29fbc8 --- /dev/null +++ b/nix-config/host/waffentrager/services/auth/authelia.nix @@ -0,0 +1,80 @@ +{ config, pkgs, lib, mkk, ... }: +{ + options.waffentragerService.auth.authelia.enable = mkk.lib.mkBoolOpt false "Enable authelia"; + config = + let + cfg = config.waffentragerService.auth.authelia; + port = 9091; + in + lib.mkIf cfg.enable { + sops.secrets."authelia-storagekey" = { owner = "authelia"; }; + sops.secrets."authelia-database" = { owner = "authelia"; }; + sops.secrets."ldap-master" = { owner = "authelia"; }; + users.users.authelia = { + group = "lldap"; + isSystemUser = true; + }; + services.authelia.instances.main = { + enable = true; + user = "authelia"; + environmentVariables = { + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."ldap-master".path; + AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets."authelia-database".path; + }; + secrets = { + jwtSecretFile = config.sops.secrets.jwt.path; + storageEncryptionKeyFile = config.sops.secrets."authelia-storagekey".path; + }; + settings = { + access_control = { + default_policy = "one_factor"; + }; + authentication_backend = { + ldap.url = "ldap://127.0.0.1:3890"; + ldap.implementation = "custom"; + ldap.base_dn = config.services.lldap.settings.ldap_base_dn; + ldap.user = "CN=master,ou=people,DC=podkos,DC=pl"; + ldap.additional_users_dn = "OU=people"; + ldap.users_filter = "(&({username_attribute}={input})(objectClass=person))"; + ldap.additional_groups_dn = "OU=groups"; + ldap.groups_filter = "(&(member={dn})(objectClass=groupOfNames))"; + }; + storage = { + postgres.host = "/var/run/postgresql"; + postgres.port = "5432"; + postgres.database = "authelia"; + postgres.username = "authelia"; + + }; + notifier = { + disable_startup_check = false; + filesystem.filename = "/tmp/test_notification.txt"; + }; + session = { + name = "materus-session"; + domain = "materus.pl"; + }; + + default_redirection_url = "https://materus.pl"; + server.port = port; + }; + }; + services.nginx.virtualHosts."gatekeeper.materus.pl" = { + forceSSL = true; + http3 = true; + sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem"; + locations."/" = { + proxyPass = "http://127.0.0.1:${builtins.toString port}"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + }; +} diff --git a/nix-config/host/waffentrager/services/auth/default.nix b/nix-config/host/waffentrager/services/auth/default.nix new file mode 100644 index 0000000..3ac11bd --- /dev/null +++ b/nix-config/host/waffentrager/services/auth/default.nix @@ -0,0 +1,13 @@ +{ config, lib, pkgs, ... }: +{ + imports = + [ + ./lldap.nix + ./authelia.nix + ]; + config = + { + waffentragerService.auth.lldap.enable = true; + waffentragerService.auth.authelia.enable = true; + }; +} diff --git a/nix-config/host/waffentrager/services/auth/lldap.nix b/nix-config/host/waffentrager/services/auth/lldap.nix new file mode 100644 index 0000000..babc258 --- /dev/null +++ b/nix-config/host/waffentrager/services/auth/lldap.nix @@ -0,0 +1,87 @@ +{ + config, + pkgs, + lib, + mkk, + ... +}: +{ + options.waffentragerService.auth.lldap.enable = mkk.lib.mkBoolOpt false "Enable lldap"; + config = + let + cfg = config.waffentragerService.auth.lldap; + in + lib.mkIf cfg.enable { + waffentragerService.elements.enable = true; + waffentragerService.nginx.enable = true; + services.nginx.virtualHosts."mamba.podkos.pl" = { + forceSSL = true; + http3 = true; + sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem"; + locations."/" = { + proxyPass = "http://127.0.0.1:17170"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + + allow ${mkk.wireguard.ip-masks.main}; + allow 192.168.100.0/24; + deny all; + ''; + }; + }; + + systemd.services.lldap = { + requires = [ "elements-mount.service" ]; + after = [ "elements-mount.service" ]; + serviceConfig = { + DynamicUser = lib.mkForce false; + WorkingDirectory = lib.mkForce config.waffentragerService.elements.lldapDir; + }; + }; + users.groups.lldap = { }; + users.users.lldap = { + group = "lldap"; + isSystemUser = true; + }; + sops.secrets.jwt = { + owner = "lldap"; + group = "lldap"; + mode = "0440"; + }; + sops.secrets."lldap-database" = { + owner = "lldap"; + group = "lldap"; + }; + services.lldap.enable = true; + services.lldap.environmentFile = config.sops.templates."lldap.env".path; + sops.templates."lldap.env" = { + content = '' + LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}" + LLDAP_DATABASE_URL="postgres://lldap:${ + config.sops.placeholder."lldap-database" + }@%2Fvar%2Frun%2Fpostgresql/lldap" + ''; + owner = "lldap"; + group = "lldap"; + }; + services.lldap.silenceForceUserPassResetWarning = true; + services.lldap.settings = { + ldap_base_dn = "dc=podkos,dc=pl"; + + ldap_host = "127.0.0.1"; + http_url = "https://mamba.podkos.pl"; + ldap_user_dn = "master"; + ldap_user_email = "materus@podkos.pl"; + ldap_port = 3890; + key_seed = mkk.waffentrager.lldap.seed; + ldap_user_pass_file = config.sops.secrets.LLDAP_LDAP_USER_PASS_FILE.path; + }; + }; +} diff --git a/nix-config/host/waffentrager/services/default.nix b/nix-config/host/waffentrager/services/default.nix new file mode 100644 index 0000000..c57dca0 --- /dev/null +++ b/nix-config/host/waffentrager/services/default.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + imports = + [ + ./storage/elements.nix + ./storage/mount-acme.nix + ./storage/gitea.nix + ./storage/nextcloud.nix + ./storage/samba.nix + ./storage/syncthing.nix + ./multimedia/jellyfin.nix + ./multimedia/scrobbling.nix + ./monitoring.nix + ./nginx.nix + ./postgresql.nix + ./auth + ]; + waffentragerService.elements.enable = true; + waffentragerService.postgresql.enable = true; + waffentragerService.mount-acme.enable = true; + waffentragerService.gitea.enable = true; + waffentragerService.nginx.enable = true; + waffentragerService.nextcloud.enable = true; + waffentragerService.samba.enable = true; + waffentragerService.jellyfin.enable = true; + waffentragerService.scrobbling.enable = true; + + waffentragerService.syncthing.enable = true; + waffentragerService.monitoring.enable = false; +} \ No newline at end of file diff --git a/nix-config/host/waffentrager/services/monitoring.nix b/nix-config/host/waffentrager/services/monitoring.nix new file mode 100644 index 0000000..8755437 --- /dev/null +++ b/nix-config/host/waffentrager/services/monitoring.nix @@ -0,0 +1,57 @@ +{ config, lib, mkk, ... }: +{ + options.waffentragerService.monitoring.enable = mkk.lib.mkBoolOpt false "Enable monitoring"; + config = + let + cfg = config.waffentragerService.monitoring; + in + lib.mkIf cfg.enable { + services.grafana = { + dataDir = "${config.waffentragerService.elements.path}/services/grafana"; + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = 3232; + + domain = "watchman.materus.pl"; + serve_from_sub_path = true; + }; + }; + }; + services.prometheus = { + enable = true; + port = 3233; + globalConfig.scrape_interval = "30s"; + stateDir = "elements/services/prometheus"; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + ]; + }; + services.prometheus.exporters.node = { + enable = true; + port = 3234; + enabledCollectors = [ "systemd" ]; + extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; + + }; + services.nginx.virtualHosts."watchman.materus.pl" = { + addSSL = true; + sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem"; + http2 = false; + http3 = true; + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; + }; +} diff --git a/nix-config/host/waffentrager/services/multimedia/jellyfin.nix b/nix-config/host/waffentrager/services/multimedia/jellyfin.nix new file mode 100644 index 0000000..c236abf --- /dev/null +++ b/nix-config/host/waffentrager/services/multimedia/jellyfin.nix @@ -0,0 +1,150 @@ +{ lib, config, mkk, ... }: +{ + options.waffentragerService.jellyfin.enable = mkk.lib.mkBoolOpt false "Enable jellyfin"; + + config = + let + cfg = config.waffentragerService.jellyfin; + in + lib.mkIf cfg.enable { + services.jellyfin = rec { + enable = true; + openFirewall = true; + user = "materus"; + group = "nextcloud"; + dataDir = config.waffentragerService.elements.jellyfinDir; + cacheDir = "${dataDir}/cache"; + }; + /* + services.jellyseerr = { + enable = true; + openFirewall = true; + };*/ + + services.nginx = { + appendHttpConfig = '' + map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; } + map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; } + ''; + proxyCachePath."jellyfin" = { + enable = true; + maxSize = "1g"; + levels = "1:2"; + keysZoneName = "jellyfin"; + keysZoneSize = "100m"; + inactive = "1d"; + useTempPath = false; + + }; + virtualHosts = { + "noot.materus.pl" = { + extraConfig = '' + client_max_body_size 20M; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous + add_header X-Content-Type-Options "nosniff"; + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; + ''; + sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem"; + addSSL = true; + http2 = false; + http3 = true; + locations."~ /Items/(.*)/Images" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + + proxy_cache jellyfin; + proxy_cache_revalidate on; + proxy_cache_lock on; + ''; + }; + locations."~ ^/web/htmlVideoPlayer-plugin.[0-9a-z]+.chunk.js$" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + proxy_set_header Accept-Encoding ""; + + sub_filter_types *; + sub_filter 'return u=30' 'return u=600'; + sub_filter 'return u=6' 'return u=60'; + sub_filter 'maxBufferLength:u' 'maxBufferLength:u,maxBufferSize:180000000'; + sub_filter_once on; + ''; + }; + locations."~* ^/Videos/(.*)/(?!live)" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + # Set size of a slice (this amount will be always requested from the backend by nginx) + # Higher value means more latency, lower more overhead + # This size is independent of the size clients/browsers can request + slice 2m; + + proxy_cache jellyfin; + proxy_cache_valid 200 206 301 302 30d; + proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires; + proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; + proxy_connect_timeout 15s; + proxy_http_version 1.1; + proxy_set_header Connection ""; + # Transmit slice range to the backend + proxy_set_header Range $slice_range; + + # This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time + # The first client will trigger the download, the other clients will have to wait until the slice is cached + # Esp. practical during SyncPlay + proxy_cache_lock on; + proxy_cache_lock_age 60s; + + proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range"; + + ''; + }; + locations."/" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + proxy_pass_request_headers on; + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + + + ''; + }; + locations."/socket" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + proxy_pass_request_headers on; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + + + ''; + }; + + }; + }; + }; + }; +} diff --git a/nix-config/host/waffentrager/services/multimedia/scrobbling.nix b/nix-config/host/waffentrager/services/multimedia/scrobbling.nix new file mode 100644 index 0000000..a977f6f --- /dev/null +++ b/nix-config/host/waffentrager/services/multimedia/scrobbling.nix @@ -0,0 +1,240 @@ +{ config, pkgs, lib, mkk, ... }: +{ + options.waffentragerService.scrobbling.enable = mkk.lib.mkBoolOpt false "Enable scrobbling"; + + + + + config = + let + cfg = config.waffentragerService.scrobbling; + in + + + #### MALOJA -------------------------------------------------------------------- + lib.mkIf cfg.enable { + sops.templates."maloja.env".content = '' + MALOJA_DATA_DIRECTORY=/data + MALOJA_DIRECTORY_STATE=/data/state + MALOJA_DIRECTORY_CACHE=/data/cache + + MALOJA_SKIP_SETUP=yes + MALOJA_FORCE_PASSWORD=${config.sops.placeholder.maloja} + MALOJA_SPOTIFY_API_ID=${config.sops.placeholder.spotify-client-id} + MALOJA_SPOTIFY_API_SECRET=${config.sops.placeholder.spotify-client-secret} + + MALOJA_NAME=Melody + + MALOJA_WEEK_OFFSET=1 + + PUID=${builtins.toString config.users.users.scrobbler.uid} + PGID=${builtins.toString config.users.groups.scrobbler.gid} + TC=Europe/Warsaw + TIMEZONE=Europe/Warsaw + ''; + services.nginx.virtualHosts = { + "melody.materus.pl" = { + sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem"; + addSSL = true; + http2 = false; + http3 = true; + locations."/" = { + proxyPass = "http://127.0.0.1:42010"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + ''; + }; + + }; + + }; + + + virtualisation.oci-containers.containers.maloja = + { + + image = "krateng/maloja:latest"; + ports = [ + "42010:42010" + ]; + volumes = [ + "${config.waffentragerService.elements.malojaDir}:/data" + ]; + environmentFiles = [ + config.sops.templates."maloja.env".path + ]; + }; + systemd.services."${config.virtualisation.oci-containers.backend}-maloja" = + + let + malojaCfg = pkgs.writeText "settings.ini" ''[MALOJA] +directory_config = /data +lastfm_api_key = False +audiodb_api_key = False +spotify_api_id = False +spotify_api_secret = False +delimiters_feat = ["ft.","ft","feat.","feat","featuring","Ft.","Ft","Feat.","Feat","Featuring"] +delimiters_informal = ["vs.","vs","&","with"] +delimiters_formal = ["; ",";"] +metadata_providers = ["spotify","deezer","lastfm","audiodb","musicbrainz"] + +''; + in + { + requires = [ "elements-mount.service" ]; + after = [ "elements-mount.service" ]; + preStart = ''cp --update=none ${malojaCfg} ${config.waffentragerService.elements.malojaDir}/settings.ini''; + + }; + + #### MULTI SCROBBLER -------------------------------------------------------------------- + users.groups.scrobbler = { gid = 3000; }; + users.users.scrobbler = { + group = "scrobbler"; + uid = 3000; + isSystemUser = true; + }; + sops.templates."multi-scrobbler.env".content = '' + TC=Europe/Warsaw + CONFIG_DIR=/config + PUID=${builtins.toString config.users.users.scrobbler.uid} + PGID=${builtins.toString config.users.groups.scrobbler.gid} + ''; + sops.templates."multi-scrobbler.json".owner = "scrobbler"; + sops.templates."multi-scrobbler.json".group = "scrobbler"; + sops.templates."multi-scrobbler.json".content = builtins.toJSON { + baseUrl = "https://scrobbler.materus.pl"; + disableWeb = false; + debugMode = false; + sources = [ + { + name = "materus-spotify"; + enable = true; + clients = [ "maloja" ]; + data = { + clientId = "${config.sops.placeholder.spotify-client-id}"; + clientSecret = "${config.sops.placeholder.spotify-client-secret}"; + redirectUri = "https://scrobbler.materus.pl/callback"; + interval = 30; + }; + type = "spotify"; + } + { + name = "materus-jellyfin"; + enable = true; + clients = [ "maloja" ]; + data = { + users = [ + "materus" + ]; + servers = [ + "waffentrager" + ]; + }; + options = { + logPayload = false; + logFilterFailure = "warn"; + }; + type = "jellyfin"; + } + ]; + clients = [ + { + name = "maloja"; + enable = true; + data = { + url = "https://melody.materus.pl/"; + apiKey = "${config.sops.placeholder.maloja-api}"; + }; + type = "maloja"; + } + { + name = "materus-brainz"; + enable = true; + configureAs = "client"; + data = { + token = "${config.sops.placeholder.listenbrainz-api}"; + username = "materus"; + }; + type = "listenbrainz"; + } + { + name = "materus-lastfm"; + enable = true; + configureAs = "client"; + data = { + apiKey = "${config.sops.placeholder.lastfm-api}"; + secret = "${config.sops.placeholder.lastfm-secret}"; + redirectUri = "https://scrobbler.materus.pl/lastfm/callback"; + }; + type = "lastfm"; + } + + ]; + + }; + + + + + services.nginx.virtualHosts = { + "scrobbler.materus.pl" = { + sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem"; + addSSL = true; + http2 = false; + http3 = true; + locations."/" = { + proxyPass = "http://127.0.0.1:42011"; + extraConfig = '' + allow ${mkk.wireguard.ip-masks.main}; + allow 192.168.100.0/24; + deny all; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + ''; + }; + + }; + + }; + systemd.services."${config.virtualisation.oci-containers.backend}-multi-scrobbler" = + { + preStart = ''cp -f ${config.sops.templates."multi-scrobbler.json".path} ${config.waffentragerService.elements.malojaDir}/multi-scrobbler/config.json''; + requires = [ "elements-mount.service" ]; + after = [ "elements-mount.service" ]; + }; + virtualisation.oci-containers.containers.multi-scrobbler = { + image = "foxxmd/multi-scrobbler:latest"; + ports = [ + "127.0.0.1:42011:9078" + ]; + volumes = [ + "${config.waffentragerService.elements.malojaDir}/multi-scrobbler:/config" + ]; + environmentFiles = [ + config.sops.templates."multi-scrobbler.env".path + ]; + }; + + + + + + + }; +} diff --git a/nix-config/host/waffentrager/services/nginx.nix b/nix-config/host/waffentrager/services/nginx.nix new file mode 100644 index 0000000..4f0daff --- /dev/null +++ b/nix-config/host/waffentrager/services/nginx.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, mkk, ... }: +{ + options.waffentragerService.nginx.enable = mkk.lib.mkBoolOpt false "Enable nginx"; + + + config = + let + cfg = config.waffentragerService.nginx; + in + lib.mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + package = pkgs.tengine; + virtualHosts."default" = { + sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem"; + forceSSL = true; + http2 = false; + default = true; + locations."/" = { extraConfig = ''deny all;''; }; + }; + }; + + systemd.services.nginx = { + requires = [ "var-lib-mnt_acme.mount" ]; + after = [ "var-lib-mnt_acme.mount" ]; + serviceConfig = { + restart = "always"; + restartSec = 60; + }; + }; + }; + +} diff --git a/nix-config/host/waffentrager/services/postgresql.nix b/nix-config/host/waffentrager/services/postgresql.nix new file mode 100644 index 0000000..15d8ac3 --- /dev/null +++ b/nix-config/host/waffentrager/services/postgresql.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, mkk, ... }: +{ + options.waffentragerService.postgresql.enable = mkk.lib.mkBoolOpt false "Enable postgresql"; + options.waffentragerService.postgresql.version = lib.mkOption { default = "16"; }; + + config = + let + cfg = config.waffentragerService.postgresql; + in + lib.mkIf cfg.enable { + waffentragerService.elements.enable = true; + + services.postgresql.enable = true; + services.postgresql.package = pkgs."postgresql_${cfg.version}"; + services.postgresql.dataDir = "${config.waffentragerService.elements.postgresqlDir}/${cfg.version}"; + services.postgresql.enableJIT = true; + services.postgresql.authentication = pkgs.lib.mkOverride 10 '' + local all all trust + host all all 127.0.0.1/32 scram-sha-256 + host all all ::1/128 scram-sha-256 + ''; + systemd.services.postgresql = { + requires = [ "elements-mount.service" ]; + after = [ "elements-mount.service" ]; + }; + }; +} diff --git a/nix-config/host/waffentrager/services/storage/elements.nix b/nix-config/host/waffentrager/services/storage/elements.nix new file mode 100644 index 0000000..c04500d --- /dev/null +++ b/nix-config/host/waffentrager/services/storage/elements.nix @@ -0,0 +1,65 @@ +{ mkk, config, lib, pkgs, ... }: +{ + options.waffentragerService.elements.enable = mkk.lib.mkBoolOpt false "Enable elements drive"; + options.waffentragerService.elements.path = lib.mkOption { default = "/var/lib/elements"; }; + options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; }; + options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; }; + options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; }; + options.waffentragerService.elements.lldapDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/lldap"; }; + options.waffentragerService.elements.jellyfinDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/jellyfin"; }; + options.waffentragerService.elements.malojaDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/maloja"; }; + + config = + let + cfg = config.waffentragerService.elements; + in + lib.mkIf cfg.enable { + + systemd.services.elements-mount = { + description = "Decrypt and mount elements drive"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + script = '' + mkdir -p ${cfg.path} + cryptsetup luksOpen /dev/disk/by-uuid/${cfg.uuid} elements -d ${config.sops.secrets.elements.path} + mount /dev/mapper/elements ${cfg.path} + '' + + ; + preStop = '' + umount ${cfg.path} + cryptsetup luksClose elements + ''; + }; + + systemd.services.elements-dirmake = { + description = "Create dirs in elements drive"; + path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ]; + + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = false; + script = lib.optionalString config.waffentragerService.postgresql.enable '' + mkdir -p ${cfg.postgresqlDir}/${config.waffentragerService.postgresql.version} + chown -R postgres:postgres ${cfg.postgresqlDir} + '' + lib.optionalString config.waffentragerService.nextcloud.enable '' + mkdir -p ${cfg.nextcloudDir} + chown -R nextcloud:nextcloud ${cfg.nextcloudDir} + '' + lib.optionalString config.waffentragerService.auth.lldap.enable '' + mkdir -p ${cfg.lldapDir} + chown -R lldap:lldap ${cfg.lldapDir} + '' + lib.optionalString config.waffentragerService.jellyfin.enable '' + mkdir -p ${cfg.jellyfinDir} + chown -R materus:nextcloud ${cfg.jellyfinDir} + '' + lib.optionalString config.waffentragerService.scrobbling.enable '' + mkdir -p ${cfg.malojaDir}/multi-scrobbler + chown -R scrobbler:scrobbler ${cfg.malojaDir} + '' + + + ; + }; + + }; +} diff --git a/nix-config/host/waffentrager/services/storage/gitea.nix b/nix-config/host/waffentrager/services/storage/gitea.nix new file mode 100644 index 0000000..8dce3d1 --- /dev/null +++ b/nix-config/host/waffentrager/services/storage/gitea.nix @@ -0,0 +1,62 @@ +{ config, lib, mkk, ... }: +{ + options.waffentragerService.gitea.enable = mkk.lib.mkBoolOpt false "Enable gitea"; + + + config = + let + cfg = config.waffentragerService.gitea; + in + lib.mkMerge + [ + (lib.mkIf cfg.enable { + waffentragerService.postgresql.enable = true; + waffentragerService.elements.enable = true; + + services.gitea.enable = true; + services.gitea.lfs.enable = true; + services.gitea.stateDir = "${config.waffentragerService.elements.path}/services/gitea"; + services.gitea.settings.service.DISABLE_REGISTRATION = true; + services.gitea.settings.server.DOMAIN = "baka.materus.pl"; + services.gitea.settings.server.ROOT_URL = lib.mkForce "https://baka.materus.pl/"; + services.gitea.settings.server.PROTOCOL = "fcgi+unix"; + services.gitea.settings.cors = { + ENABLED = true; + X_FRAME_OPTIONS = "ALLOW-FROM https://*.materus.pl/"; + }; + + services.gitea.database.type = "postgres"; + services.gitea.database.socket = "/var/run/postgresql/"; + + }) + (lib.mkIf (cfg.enable && config.waffentragerService.nginx.enable) { + + services.nginx.virtualHosts = { + "baka.materus.pl" = { + sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem"; + addSSL = true; + http2 = false; + locations."/" = { + extraConfig = '' + client_max_body_size 2G; + include ${config.services.nginx.package}/conf/fastcgi.conf; + include ${config.services.nginx.package}/conf/fastcgi_params; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + fastcgi_pass unix:/var/run/gitea/gitea.sock; + ''; + }; + + }; + }; + } + ) + ]; +} diff --git a/nix-config/host/waffentrager/services/storage/mount-acme.nix b/nix-config/host/waffentrager/services/storage/mount-acme.nix new file mode 100644 index 0000000..9a80fec --- /dev/null +++ b/nix-config/host/waffentrager/services/storage/mount-acme.nix @@ -0,0 +1,29 @@ +{ + config, + lib, + pkgs, + mkk, + ... +}: +{ + options.waffentragerService.mount-acme.enable = mkk.lib.mkBoolOpt false "Enable mount-acme"; + + config = + let + cfg = config.waffentragerService.mount-acme; + in + lib.mkIf cfg.enable { + environment.systemPackages = with pkgs; [ sshfs ]; + systemd.mounts = [ + { + description = "Mount remote acme dir from valkyrie"; + what = "acme@valkyrie:/var/lib/acme"; + where = "/var/lib/mnt_acme"; + type = "fuse.sshfs"; + options = "reconnect,gid=${toString config.ids.gids.nginx},_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,idmap=user,compression=yes,identityfile=/materus/root/ssh_host_ed25519_key"; + wantedBy = [ "multi-user.target" ]; + after = [ "wg-quick-wg0.service" ]; + } + ]; + }; +} diff --git a/nix-config/host/waffentrager/services/storage/nextcloud.nix b/nix-config/host/waffentrager/services/storage/nextcloud.nix new file mode 100644 index 0000000..778f980 --- /dev/null +++ b/nix-config/host/waffentrager/services/storage/nextcloud.nix @@ -0,0 +1,100 @@ +{ config, lib, pkgs, mkk, ... }: +{ + options.waffentragerService.nextcloud.enable = mkk.lib.mkBoolOpt false "Enable nextcloud"; + + config = + let + cfg = config.waffentragerService.nextcloud; + in + lib.mkIf cfg.enable { + waffentragerService.elements.enable = true; + waffentragerService.postgresql.enable = true; + waffentragerService.nginx.enable = true; + environment.systemPackages = [ pkgs.samba pkgs.exiftool pkgs.ffmpeg-headless ]; + sops.secrets.nextcloud-adminpass.owner = config.users.users.nextcloud.name; + sops.secrets.nextcloud-adminpass.group = config.users.users.nextcloud.group; + + services.postgresql.ensureDatabases = [ "nextcloud" ]; + services.postgresql.ensureUsers = [{ + name = "nextcloud"; + ensureDBOwnership = true; + }]; + services.nextcloud = { + enable = true; + package = pkgs.nextcloud33; + hostName = "waffentrager.materus.pl"; + home = config.waffentragerService.elements.nextcloudDir; + config.adminuser = "nextcloud-master"; + config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path; + config.dbtype = "pgsql"; + extraAppsEnable = true; + maxUploadSize = "8G"; + https = true; + enableImagemagick = true; + configureRedis = true; + webfinger = true; + appstoreEnable = true; + database.createLocally = true; + extraApps = with pkgs.nextcloud33Packages.apps; { + inherit notify_push previewgenerator; + }; + settings = { + log_type = "file"; + "profile.enabled" = true; + default_phone_region = "PL"; + trusted_proxies = [ mkk.network.valkyrie.ip mkk.wireguard.peers.valkyrie.ip mkk.wireguard.peers.waffentrager.ip ]; + mail_smtpmode = "sendmail"; + mail_sendmailmode = "pipe"; + enable_previews = true; + preview_format = "webp"; + enabledPreviewProviders = [ + ''OC\Preview\Movie'' + ''OC\Preview\PNG'' + ''OC\Preview\JPEG'' + ''OC\Preview\GIF'' + ''OC\Preview\BMP'' + ''OC\Preview\XBitmap'' + ''OC\Preview\MP3'' + ''OC\Preview\OGG'' + ''OC\Preview\OPUS'' + ''OC\Preview\MP4'' + ''OC\Preview\TXT'' + ''OC\Preview\MarkDown'' + ''OC\Preview\PDF'' + ''OC\Preview\WebP'' + ''OC\Preview\OpenDocument'' + ''OC\Preview\Krita'' + ''OC\Preview\AVIF'' + ]; + "overwrite.cli.url" = "https://${config.services.nextcloud.hostName}"; + }; + + phpOptions = { + "opcache.memory_consumption" = "512"; + "opcache.interned_strings_buffer" = "64"; + "opcache.max_accelerated_files"="50000"; + "opcache.jit" = "1255"; + "opcache.jit_buffer_size" = "128M"; + "opcache.validate_timestamps" = "0"; + "opcache.revalidate_freq" = "0"; + "opcache.fast_shutdown" = "1"; + "opcache.save_comments" = "1"; + }; + phpExtraExtensions = ex: [ ex.zip ex.zlib ex.tidy ex.smbclient ex.sodium ]; + }; + services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { + forceSSL = true; + http3 = true; + sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem"; + sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem"; + sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem"; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + dav_methods PUT DELETE MKCOL COPY MOVE; + dav_ext_methods PROPFIND OPTIONS; + create_full_put_path on; + dav_access user:rw group:rw all:r; + ''; + }; + }; +} diff --git a/nix-config/host/waffentrager/services/storage/samba.nix b/nix-config/host/waffentrager/services/storage/samba.nix new file mode 100644 index 0000000..43a5d41 --- /dev/null +++ b/nix-config/host/waffentrager/services/storage/samba.nix @@ -0,0 +1,57 @@ +{ lib, pkgs, config, mkk, ... }: +{ + options.waffentragerService.samba.enable = mkk.lib.mkBoolOpt false "Enable samba"; + + config = + let + cfg = config.waffentragerService.samba; + in + lib.mkIf cfg.enable { + waffentragerService.elements.enable = true; + + systemd.services.samba-nmbd = { + requires = [ "elements-mount.service" ]; + after = [ "elements-mount.service" ]; + }; + systemd.services.samba-wsdd = { + requires = [ "elements-mount.service" ]; + after = [ "elements-mount.service" ]; + }; + services.samba-wsdd.enable = true; + services.samba-wsdd.openFirewall = true; + services.samba = { + enable = true; + package = pkgs.sambaFull; + securityType = "user"; + openFirewall = true; + settings = + { + global = { + "workgroup" = "WORKGROUP"; + "server string" = "smbwaffentrager"; + "netbios name" = "smbwaffentrager"; + "security" = "user"; + "hosts allow" = "${mkk.wireguard.sambaIp} 192.168.100. 127.0.0.1 localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + "mangled names" = "no"; + "dos charset" = "CP850"; + "unix charset" = "UTF-8"; + "display charset" = "UTF-8"; + "catia:mappings" = "0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6"; + }; + materus = { + "path" = "${config.waffentragerService.elements.path}/storage/materus"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0770"; + "directory mask" = "0770"; + "force user" = "materus"; + "force group" = "nextcloud"; + }; + }; + }; + }; +} diff --git a/nix-config/host/waffentrager/services/storage/syncthing.nix b/nix-config/host/waffentrager/services/storage/syncthing.nix new file mode 100644 index 0000000..e600550 --- /dev/null +++ b/nix-config/host/waffentrager/services/storage/syncthing.nix @@ -0,0 +1,26 @@ +{ lib, config, mkk, ... }: +{ + options.waffentragerService.syncthing.enable = mkk.lib.mkBoolOpt false "Enable syncthing"; + + config = + let + cfg = config.waffentragerService.syncthing; + in + lib.mkIf cfg.enable { + waffentragerService.elements.enable = true; networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port]; + networking.firewall.allowedUDPPorts = [ 22000 21027 ]; + systemd.services.syncthing = { + requires = [ "elements-mount.service" ]; + after = [ "elements-mount.service" ]; + }; + services = { + syncthing = { + enable = true; + user = "materus"; + group = "nextcloud"; + dataDir = "${config.waffentragerService.elements.path}/storage/materus"; + configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/"; + }; + }; + }; +} diff --git a/nix-config/shared/default.nix b/nix-config/shared/default.nix index ba78d52..16654b2 100644 --- a/nix-config/shared/default.nix +++ b/nix-config/shared/default.nix @@ -27,6 +27,7 @@ isHm: config._module.args.mkk = rec { nixerus.pkgs = materusArgs.inputs.nixerus.packages."${config.nixpkgs.hostPlatform.system}"; lib = nixerus.pkgs.lib; - + files = materusArgs.files; + args = materusArgs; } // config.mkk.var; } diff --git a/nix-config/shared/private/variables.nix b/nix-config/shared/private/variables.nix index e79c278..b0e94dd 100644 Binary files a/nix-config/shared/private/variables.nix and b/nix-config/shared/private/variables.nix differ