materus/nixos-config
1
0
Fork 0
mirror of https://github.com/materusPL/nixos-config synced 2026-06-24 17:36:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

waffentrager: init

Browse Source
This commit is contained in:
Mateusz Słodkowicz
2026-06-24 00:06:21 +02:00
parent 29adb6e6b0
commit fb653eb0f4
30 changed files with 1325 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nix-config/host/waffentrager/services/auth/authelia.nix
+80
View File
@@ -0,0 +1,80 @@
{ config, pkgs, lib, mkk, ... }:
{
options.waffentragerService.auth.authelia.enable = mkk.lib.mkBoolOpt false "Enable authelia";
config =
let
cfg = config.waffentragerService.auth.authelia;
port = 9091;
in
lib.mkIf cfg.enable {
sops.secrets."authelia-storagekey" = { owner = "authelia"; };
sops.secrets."authelia-database" = { owner = "authelia"; };
sops.secrets."ldap-master" = { owner = "authelia"; };
users.users.authelia = {
group = "lldap";
isSystemUser = true;
};
services.authelia.instances.main = {
enable = true;
user = "authelia";
environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."ldap-master".path;
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets."authelia-database".path;
};
secrets = {
jwtSecretFile = config.sops.secrets.jwt.path;
storageEncryptionKeyFile = config.sops.secrets."authelia-storagekey".path;
};
settings = {
access_control = {
default_policy = "one_factor";
};
authentication_backend = {
ldap.url = "ldap://127.0.0.1:3890";
ldap.implementation = "custom";
ldap.base_dn = config.services.lldap.settings.ldap_base_dn;
ldap.user = "CN=master,ou=people,DC=podkos,DC=pl";
ldap.additional_users_dn = "OU=people";
ldap.users_filter = "(&({username_attribute}={input})(objectClass=person))";
ldap.additional_groups_dn = "OU=groups";
ldap.groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
};
storage = {
postgres.host = "/var/run/postgresql";
postgres.port = "5432";
postgres.database = "authelia";
postgres.username = "authelia";
};
notifier = {
disable_startup_check = false;
filesystem.filename = "/tmp/test_notification.txt";
};
session = {
name = "materus-session";
domain = "materus.pl";
};
default_redirection_url = "https://materus.pl";
server.port = port;
};
};
services.nginx.virtualHosts."gatekeeper.materus.pl" = {
forceSSL = true;
http3 = true;
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
}
nix-config/host/waffentrager/services/auth/default.nix
+13
View File
@@ -0,0 +1,13 @@
{ config, lib, pkgs, ... }:
{
imports =
[
./lldap.nix
./authelia.nix
];
config =
{
waffentragerService.auth.lldap.enable = true;
waffentragerService.auth.authelia.enable = true;
};
}
nix-config/host/waffentrager/services/auth/lldap.nix
+87
View File
@@ -0,0 +1,87 @@
{
config,
pkgs,
lib,
mkk,
...
}:
{
options.waffentragerService.auth.lldap.enable = mkk.lib.mkBoolOpt false "Enable lldap";
config =
let
cfg = config.waffentragerService.auth.lldap;
in
lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
waffentragerService.nginx.enable = true;
services.nginx.virtualHosts."mamba.podkos.pl" = {
forceSSL = true;
http3 = true;
sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:17170";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
allow ${mkk.wireguard.ip-masks.main};
allow 192.168.100.0/24;
deny all;
'';
};
};
systemd.services.lldap = {
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
serviceConfig = {
DynamicUser = lib.mkForce false;
WorkingDirectory = lib.mkForce config.waffentragerService.elements.lldapDir;
};
};
users.groups.lldap = { };
users.users.lldap = {
group = "lldap";
isSystemUser = true;
};
sops.secrets.jwt = {
owner = "lldap";
group = "lldap";
mode = "0440";
};
sops.secrets."lldap-database" = {
owner = "lldap";
group = "lldap";
};
services.lldap.enable = true;
services.lldap.environmentFile = config.sops.templates."lldap.env".path;
sops.templates."lldap.env" = {
content = ''
LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}"
LLDAP_DATABASE_URL="postgres://lldap:${
config.sops.placeholder."lldap-database"
}@%2Fvar%2Frun%2Fpostgresql/lldap"
'';
owner = "lldap";
group = "lldap";
};
services.lldap.silenceForceUserPassResetWarning = true;
services.lldap.settings = {
ldap_base_dn = "dc=podkos,dc=pl";
ldap_host = "127.0.0.1";
http_url = "https://mamba.podkos.pl";
ldap_user_dn = "master";
ldap_user_email = "materus@podkos.pl";
ldap_port = 3890;
key_seed = mkk.waffentrager.lldap.seed;
ldap_user_pass_file = config.sops.secrets.LLDAP_LDAP_USER_PASS_FILE.path;
};
};
}
nix-config/host/waffentrager/services/default.nix
+30
View File
@@ -0,0 +1,30 @@
{ ... }:
{
imports =
[
./storage/elements.nix
./storage/mount-acme.nix
./storage/gitea.nix
./storage/nextcloud.nix
./storage/samba.nix
./storage/syncthing.nix
./multimedia/jellyfin.nix
./multimedia/scrobbling.nix
./monitoring.nix
./nginx.nix
./postgresql.nix
./auth
];
waffentragerService.elements.enable = true;
waffentragerService.postgresql.enable = true;
waffentragerService.mount-acme.enable = true;
waffentragerService.gitea.enable = true;
waffentragerService.nginx.enable = true;
waffentragerService.nextcloud.enable = true;
waffentragerService.samba.enable = true;
waffentragerService.jellyfin.enable = true;
waffentragerService.scrobbling.enable = true;
waffentragerService.syncthing.enable = true;
waffentragerService.monitoring.enable = false;
}
nix-config/host/waffentrager/services/monitoring.nix
+57
View File
@@ -0,0 +1,57 @@
{ config, lib, mkk, ... }:
{
options.waffentragerService.monitoring.enable = mkk.lib.mkBoolOpt false "Enable monitoring";
config =
let
cfg = config.waffentragerService.monitoring;
in
lib.mkIf cfg.enable {
services.grafana = {
dataDir = "${config.waffentragerService.elements.path}/services/grafana";
enable = true;
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3232;
domain = "watchman.materus.pl";
serve_from_sub_path = true;
};
};
};
services.prometheus = {
enable = true;
port = 3233;
globalConfig.scrape_interval = "30s";
stateDir = "elements/services/prometheus";
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
];
};
services.prometheus.exporters.node = {
enable = true;
port = 3234;
enabledCollectors = [ "systemd" ];
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
};
services.nginx.virtualHosts."watchman.materus.pl" = {
addSSL = true;
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
http2 = false;
http3 = true;
locations."/" = {
proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
}
nix-config/host/waffentrager/services/multimedia/jellyfin.nix
+150
View File
@@ -0,0 +1,150 @@
{ lib, config, mkk, ... }:
{
options.waffentragerService.jellyfin.enable = mkk.lib.mkBoolOpt false "Enable jellyfin";
config =
let
cfg = config.waffentragerService.jellyfin;
in
lib.mkIf cfg.enable {
services.jellyfin = rec {
enable = true;
openFirewall = true;
user = "materus";
group = "nextcloud";
dataDir = config.waffentragerService.elements.jellyfinDir;
cacheDir = "${dataDir}/cache";
};
/*
services.jellyseerr = {
enable = true;
openFirewall = true;
};*/
services.nginx = {
appendHttpConfig = ''
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
'';
proxyCachePath."jellyfin" = {
enable = true;
maxSize = "1g";
levels = "1:2";
keysZoneName = "jellyfin";
keysZoneSize = "100m";
inactive = "1d";
useTempPath = false;
};
virtualHosts = {
"noot.materus.pl" = {
extraConfig = ''
client_max_body_size 20M;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
add_header X-Content-Type-Options "nosniff";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
'';
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
addSSL = true;
http2 = false;
http3 = true;
locations."~ /Items/(.*)/Images" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_cache jellyfin;
proxy_cache_revalidate on;
proxy_cache_lock on;
'';
};
locations."~ ^/web/htmlVideoPlayer-plugin.[0-9a-z]+.chunk.js$" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_set_header Accept-Encoding "";
sub_filter_types *;
sub_filter 'return u=30' 'return u=600';
sub_filter 'return u=6' 'return u=60';
sub_filter 'maxBufferLength:u' 'maxBufferLength:u,maxBufferSize:180000000';
sub_filter_once on;
'';
};
locations."~* ^/Videos/(.*)/(?!live)" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
# Set size of a slice (this amount will be always requested from the backend by nginx)
# Higher value means more latency, lower more overhead
# This size is independent of the size clients/browsers can request
slice 2m;
proxy_cache jellyfin;
proxy_cache_valid 200 206 301 302 30d;
proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_connect_timeout 15s;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Transmit slice range to the backend
proxy_set_header Range $slice_range;
# This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time
# The first client will trigger the download, the other clients will have to wait until the slice is cached
# Esp. practical during SyncPlay
proxy_cache_lock on;
proxy_cache_lock_age 60s;
proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";
'';
};
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
'';
};
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
};
};
}
nix-config/host/waffentrager/services/multimedia/scrobbling.nix
+240
View File
@@ -0,0 +1,240 @@
{ config, pkgs, lib, mkk, ... }:
{
options.waffentragerService.scrobbling.enable = mkk.lib.mkBoolOpt false "Enable scrobbling";
config =
let
cfg = config.waffentragerService.scrobbling;
in
#### MALOJA --------------------------------------------------------------------
lib.mkIf cfg.enable {
sops.templates."maloja.env".content = ''
MALOJA_DATA_DIRECTORY=/data
MALOJA_DIRECTORY_STATE=/data/state
MALOJA_DIRECTORY_CACHE=/data/cache
MALOJA_SKIP_SETUP=yes
MALOJA_FORCE_PASSWORD=${config.sops.placeholder.maloja}
MALOJA_SPOTIFY_API_ID=${config.sops.placeholder.spotify-client-id}
MALOJA_SPOTIFY_API_SECRET=${config.sops.placeholder.spotify-client-secret}
MALOJA_NAME=Melody
MALOJA_WEEK_OFFSET=1
PUID=${builtins.toString config.users.users.scrobbler.uid}
PGID=${builtins.toString config.users.groups.scrobbler.gid}
TC=Europe/Warsaw
TIMEZONE=Europe/Warsaw
'';
services.nginx.virtualHosts = {
"melody.materus.pl" = {
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
addSSL = true;
http2 = false;
http3 = true;
locations."/" = {
proxyPass = "http://127.0.0.1:42010";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
virtualisation.oci-containers.containers.maloja =
{
image = "krateng/maloja:latest";
ports = [
"42010:42010"
];
volumes = [
"${config.waffentragerService.elements.malojaDir}:/data"
];
environmentFiles = [
config.sops.templates."maloja.env".path
];
};
systemd.services."${config.virtualisation.oci-containers.backend}-maloja" =
let
malojaCfg = pkgs.writeText "settings.ini" ''[MALOJA]
directory_config = /data
lastfm_api_key = False
audiodb_api_key = False
spotify_api_id = False
spotify_api_secret = False
delimiters_feat = ["ft.","ft","feat.","feat","featuring","Ft.","Ft","Feat.","Feat","Featuring"]
delimiters_informal = ["vs.","vs","&","with"]
delimiters_formal = ["; ",";"]
metadata_providers = ["spotify","deezer","lastfm","audiodb","musicbrainz"]
'';
in
{
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
preStart = ''cp --update=none ${malojaCfg} ${config.waffentragerService.elements.malojaDir}/settings.ini'';
};
#### MULTI SCROBBLER --------------------------------------------------------------------
users.groups.scrobbler = { gid = 3000; };
users.users.scrobbler = {
group = "scrobbler";
uid = 3000;
isSystemUser = true;
};
sops.templates."multi-scrobbler.env".content = ''
TC=Europe/Warsaw
CONFIG_DIR=/config
PUID=${builtins.toString config.users.users.scrobbler.uid}
PGID=${builtins.toString config.users.groups.scrobbler.gid}
'';
sops.templates."multi-scrobbler.json".owner = "scrobbler";
sops.templates."multi-scrobbler.json".group = "scrobbler";
sops.templates."multi-scrobbler.json".content = builtins.toJSON {
baseUrl = "https://scrobbler.materus.pl";
disableWeb = false;
debugMode = false;
sources = [
{
name = "materus-spotify";
enable = true;
clients = [ "maloja" ];
data = {
clientId = "${config.sops.placeholder.spotify-client-id}";
clientSecret = "${config.sops.placeholder.spotify-client-secret}";
redirectUri = "https://scrobbler.materus.pl/callback";
interval = 30;
};
type = "spotify";
}
{
name = "materus-jellyfin";
enable = true;
clients = [ "maloja" ];
data = {
users = [
"materus"
];
servers = [
"waffentrager"
];
};
options = {
logPayload = false;
logFilterFailure = "warn";
};
type = "jellyfin";
}
];
clients = [
{
name = "maloja";
enable = true;
data = {
url = "https://melody.materus.pl/";
apiKey = "${config.sops.placeholder.maloja-api}";
};
type = "maloja";
}
{
name = "materus-brainz";
enable = true;
configureAs = "client";
data = {
token = "${config.sops.placeholder.listenbrainz-api}";
username = "materus";
};
type = "listenbrainz";
}
{
name = "materus-lastfm";
enable = true;
configureAs = "client";
data = {
apiKey = "${config.sops.placeholder.lastfm-api}";
secret = "${config.sops.placeholder.lastfm-secret}";
redirectUri = "https://scrobbler.materus.pl/lastfm/callback";
};
type = "lastfm";
}
];
};
services.nginx.virtualHosts = {
"scrobbler.materus.pl" = {
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
addSSL = true;
http2 = false;
http3 = true;
locations."/" = {
proxyPass = "http://127.0.0.1:42011";
extraConfig = ''
allow ${mkk.wireguard.ip-masks.main};
allow 192.168.100.0/24;
deny all;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
systemd.services."${config.virtualisation.oci-containers.backend}-multi-scrobbler" =
{
preStart = ''cp -f ${config.sops.templates."multi-scrobbler.json".path} ${config.waffentragerService.elements.malojaDir}/multi-scrobbler/config.json'';
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
};
virtualisation.oci-containers.containers.multi-scrobbler = {
image = "foxxmd/multi-scrobbler:latest";
ports = [
"127.0.0.1:42011:9078"
];
volumes = [
"${config.waffentragerService.elements.malojaDir}/multi-scrobbler:/config"
];
environmentFiles = [
config.sops.templates."multi-scrobbler.env".path
];
};
};
}
nix-config/host/waffentrager/services/nginx.nix
+39
View File
@@ -0,0 +1,39 @@
{ config, lib, pkgs, mkk, ... }:
{
options.waffentragerService.nginx.enable = mkk.lib.mkBoolOpt false "Enable nginx";
config =
let
cfg = config.waffentragerService.nginx;
in
lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
package = pkgs.tengine;
virtualHosts."default" = {
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
forceSSL = true;
http2 = false;
default = true;
locations."/" = { extraConfig = ''deny all;''; };
};
};
systemd.services.nginx = {
requires = [ "var-lib-mnt_acme.mount" ];
after = [ "var-lib-mnt_acme.mount" ];
serviceConfig = {
restart = "always";
restartSec = 60;
};
};
};
}
nix-config/host/waffentrager/services/postgresql.nix
+27
View File
@@ -0,0 +1,27 @@
{ config, lib, pkgs, mkk, ... }:
{
options.waffentragerService.postgresql.enable = mkk.lib.mkBoolOpt false "Enable postgresql";
options.waffentragerService.postgresql.version = lib.mkOption { default = "16"; };
config =
let
cfg = config.waffentragerService.postgresql;
in
lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
services.postgresql.enable = true;
services.postgresql.package = pkgs."postgresql_${cfg.version}";
services.postgresql.dataDir = "${config.waffentragerService.elements.postgresqlDir}/${cfg.version}";
services.postgresql.enableJIT = true;
services.postgresql.authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
'';
systemd.services.postgresql = {
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
};
};
}
nix-config/host/waffentrager/services/storage/elements.nix
+65
View File
@@ -0,0 +1,65 @@
{ mkk, config, lib, pkgs, ... }:
{
options.waffentragerService.elements.enable = mkk.lib.mkBoolOpt false "Enable elements drive";
options.waffentragerService.elements.path = lib.mkOption { default = "/var/lib/elements"; };
options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; };
options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; };
options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; };
options.waffentragerService.elements.lldapDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/lldap"; };
options.waffentragerService.elements.jellyfinDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/jellyfin"; };
options.waffentragerService.elements.malojaDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/maloja"; };
config =
let
cfg = config.waffentragerService.elements;
in
lib.mkIf cfg.enable {
systemd.services.elements-mount = {
description = "Decrypt and mount elements drive";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = ''
mkdir -p ${cfg.path}
cryptsetup luksOpen /dev/disk/by-uuid/${cfg.uuid} elements -d ${config.sops.secrets.elements.path}
mount /dev/mapper/elements ${cfg.path}
''
;
preStop = ''
umount ${cfg.path}
cryptsetup luksClose elements
'';
};
systemd.services.elements-dirmake = {
description = "Create dirs in elements drive";
path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = false;
script = lib.optionalString config.waffentragerService.postgresql.enable ''
mkdir -p ${cfg.postgresqlDir}/${config.waffentragerService.postgresql.version}
chown -R postgres:postgres ${cfg.postgresqlDir}
'' + lib.optionalString config.waffentragerService.nextcloud.enable ''
mkdir -p ${cfg.nextcloudDir}
chown -R nextcloud:nextcloud ${cfg.nextcloudDir}
'' + lib.optionalString config.waffentragerService.auth.lldap.enable ''
mkdir -p ${cfg.lldapDir}
chown -R lldap:lldap ${cfg.lldapDir}
'' + lib.optionalString config.waffentragerService.jellyfin.enable ''
mkdir -p ${cfg.jellyfinDir}
chown -R materus:nextcloud ${cfg.jellyfinDir}
'' + lib.optionalString config.waffentragerService.scrobbling.enable ''
mkdir -p ${cfg.malojaDir}/multi-scrobbler
chown -R scrobbler:scrobbler ${cfg.malojaDir}
''
;
};
};
}
nix-config/host/waffentrager/services/storage/gitea.nix
+62
View File
@@ -0,0 +1,62 @@
{ config, lib, mkk, ... }:
{
options.waffentragerService.gitea.enable = mkk.lib.mkBoolOpt false "Enable gitea";
config =
let
cfg = config.waffentragerService.gitea;
in
lib.mkMerge
[
(lib.mkIf cfg.enable {
waffentragerService.postgresql.enable = true;
waffentragerService.elements.enable = true;
services.gitea.enable = true;
services.gitea.lfs.enable = true;
services.gitea.stateDir = "${config.waffentragerService.elements.path}/services/gitea";
services.gitea.settings.service.DISABLE_REGISTRATION = true;
services.gitea.settings.server.DOMAIN = "baka.materus.pl";
services.gitea.settings.server.ROOT_URL = lib.mkForce "https://baka.materus.pl/";
services.gitea.settings.server.PROTOCOL = "fcgi+unix";
services.gitea.settings.cors = {
ENABLED = true;
X_FRAME_OPTIONS = "ALLOW-FROM https://*.materus.pl/";
};
services.gitea.database.type = "postgres";
services.gitea.database.socket = "/var/run/postgresql/";
})
(lib.mkIf (cfg.enable && config.waffentragerService.nginx.enable) {
services.nginx.virtualHosts = {
"baka.materus.pl" = {
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
addSSL = true;
http2 = false;
locations."/" = {
extraConfig = ''
client_max_body_size 2G;
include ${config.services.nginx.package}/conf/fastcgi.conf;
include ${config.services.nginx.package}/conf/fastcgi_params;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
fastcgi_pass unix:/var/run/gitea/gitea.sock;
'';
};
};
};
}
)
];
}
nix-config/host/waffentrager/services/storage/mount-acme.nix
+29
View File
@@ -0,0 +1,29 @@
{
config,
lib,
pkgs,
mkk,
...
}:
{
options.waffentragerService.mount-acme.enable = mkk.lib.mkBoolOpt false "Enable mount-acme";
config =
let
cfg = config.waffentragerService.mount-acme;
in
lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [ sshfs ];
systemd.mounts = [
{
description = "Mount remote acme dir from valkyrie";
what = "acme@valkyrie:/var/lib/acme";
where = "/var/lib/mnt_acme";
type = "fuse.sshfs";
options = "reconnect,gid=${toString config.ids.gids.nginx},_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,idmap=user,compression=yes,identityfile=/materus/root/ssh_host_ed25519_key";
wantedBy = [ "multi-user.target" ];
after = [ "wg-quick-wg0.service" ];
}
];
};
}
nix-config/host/waffentrager/services/storage/nextcloud.nix
+100
View File
@@ -0,0 +1,100 @@
{ config, lib, pkgs, mkk, ... }:
{
options.waffentragerService.nextcloud.enable = mkk.lib.mkBoolOpt false "Enable nextcloud";
config =
let
cfg = config.waffentragerService.nextcloud;
in
lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
waffentragerService.postgresql.enable = true;
waffentragerService.nginx.enable = true;
environment.systemPackages = [ pkgs.samba pkgs.exiftool pkgs.ffmpeg-headless ];
sops.secrets.nextcloud-adminpass.owner = config.users.users.nextcloud.name;
sops.secrets.nextcloud-adminpass.group = config.users.users.nextcloud.group;
services.postgresql.ensureDatabases = [ "nextcloud" ];
services.postgresql.ensureUsers = [{
name = "nextcloud";
ensureDBOwnership = true;
}];
services.nextcloud = {
enable = true;
package = pkgs.nextcloud33;
hostName = "waffentrager.materus.pl";
home = config.waffentragerService.elements.nextcloudDir;
config.adminuser = "nextcloud-master";
config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
config.dbtype = "pgsql";
extraAppsEnable = true;
maxUploadSize = "8G";
https = true;
enableImagemagick = true;
configureRedis = true;
webfinger = true;
appstoreEnable = true;
database.createLocally = true;
extraApps = with pkgs.nextcloud33Packages.apps; {
inherit notify_push previewgenerator;
};
settings = {
log_type = "file";
"profile.enabled" = true;
default_phone_region = "PL";
trusted_proxies = [ mkk.network.valkyrie.ip mkk.wireguard.peers.valkyrie.ip mkk.wireguard.peers.waffentrager.ip ];
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
enable_previews = true;
preview_format = "webp";
enabledPreviewProviders = [
''OC\Preview\Movie''
''OC\Preview\PNG''
''OC\Preview\JPEG''
''OC\Preview\GIF''
''OC\Preview\BMP''
''OC\Preview\XBitmap''
''OC\Preview\MP3''
''OC\Preview\OGG''
''OC\Preview\OPUS''
''OC\Preview\MP4''
''OC\Preview\TXT''
''OC\Preview\MarkDown''
''OC\Preview\PDF''
''OC\Preview\WebP''
''OC\Preview\OpenDocument''
''OC\Preview\Krita''
''OC\Preview\AVIF''
];
"overwrite.cli.url" = "https://${config.services.nextcloud.hostName}";
};
phpOptions = {
"opcache.memory_consumption" = "512";
"opcache.interned_strings_buffer" = "64";
"opcache.max_accelerated_files"="50000";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "128M";
"opcache.validate_timestamps" = "0";
"opcache.revalidate_freq" = "0";
"opcache.fast_shutdown" = "1";
"opcache.save_comments" = "1";
};
phpExtraExtensions = ex: [ ex.zip ex.zlib ex.tidy ex.smbclient ex.sodium ];
};
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
forceSSL = true;
http3 = true;
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on;
dav_access user:rw group:rw all:r;
'';
};
};
}
nix-config/host/waffentrager/services/storage/samba.nix
+57
View File
@@ -0,0 +1,57 @@
{ lib, pkgs, config, mkk, ... }:
{
options.waffentragerService.samba.enable = mkk.lib.mkBoolOpt false "Enable samba";
config =
let
cfg = config.waffentragerService.samba;
in
lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
systemd.services.samba-nmbd = {
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
};
systemd.services.samba-wsdd = {
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
};
services.samba-wsdd.enable = true;
services.samba-wsdd.openFirewall = true;
services.samba = {
enable = true;
package = pkgs.sambaFull;
securityType = "user";
openFirewall = true;
settings =
{
global = {
"workgroup" = "WORKGROUP";
"server string" = "smbwaffentrager";
"netbios name" = "smbwaffentrager";
"security" = "user";
"hosts allow" = "${mkk.wireguard.sambaIp} 192.168.100. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
"mangled names" = "no";
"dos charset" = "CP850";
"unix charset" = "UTF-8";
"display charset" = "UTF-8";
"catia:mappings" = "0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6";
};
materus = {
"path" = "${config.waffentragerService.elements.path}/storage/materus";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0770";
"directory mask" = "0770";
"force user" = "materus";
"force group" = "nextcloud";
};
};
};
};
}
nix-config/host/waffentrager/services/storage/syncthing.nix
+26
View File
@@ -0,0 +1,26 @@
{ lib, config, mkk, ... }:
{
options.waffentragerService.syncthing.enable = mkk.lib.mkBoolOpt false "Enable syncthing";
config =
let
cfg = config.waffentragerService.syncthing;
in
lib.mkIf cfg.enable {
waffentragerService.elements.enable = true; networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
systemd.services.syncthing = {
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
};
services = {
syncthing = {
enable = true;
user = "materus";
group = "nextcloud";
dataDir = "${config.waffentragerService.elements.path}/storage/materus";
configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
};
};
};
}