waffentrager: init

2026-06-24 17:36:41 +00:00 · 2026-06-24 00:06:21 +02:00
parent 29adb6e6b0
commit fb653eb0f4
30 changed files with 1325 additions and 11 deletions
@@ -0,0 +1,65 @@
+{ mkk, config, lib, pkgs, ... }:
+{
+  options.waffentragerService.elements.enable = mkk.lib.mkBoolOpt false "Enable elements drive";
+  options.waffentragerService.elements.path = lib.mkOption { default = "/var/lib/elements"; };
+  options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; };
+  options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; };
+  options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; };
+  options.waffentragerService.elements.lldapDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/lldap"; };
+  options.waffentragerService.elements.jellyfinDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/jellyfin"; };
+  options.waffentragerService.elements.malojaDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/maloja"; };
+
+  config =
+    let
+      cfg = config.waffentragerService.elements;
+    in
+    lib.mkIf cfg.enable {
+
+      systemd.services.elements-mount = {
+        description = "Decrypt and mount elements drive";
+        wantedBy = [ "multi-user.target" ];
+        path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ];
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = true;
+        script = ''
+          mkdir -p ${cfg.path}
+          cryptsetup luksOpen /dev/disk/by-uuid/${cfg.uuid} elements -d ${config.sops.secrets.elements.path}
+          mount /dev/mapper/elements ${cfg.path}
+        ''
+
+        ;
+        preStop = ''
+          umount ${cfg.path}
+          cryptsetup luksClose elements
+        '';
+      };
+
+      systemd.services.elements-dirmake = {
+        description = "Create dirs in elements drive";
+        path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ];
+
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = false;
+        script = lib.optionalString config.waffentragerService.postgresql.enable ''
+          mkdir -p ${cfg.postgresqlDir}/${config.waffentragerService.postgresql.version}
+          chown -R postgres:postgres ${cfg.postgresqlDir}
+        '' + lib.optionalString config.waffentragerService.nextcloud.enable ''
+          mkdir -p ${cfg.nextcloudDir}
+          chown -R nextcloud:nextcloud ${cfg.nextcloudDir}
+        '' + lib.optionalString config.waffentragerService.auth.lldap.enable ''
+          mkdir -p ${cfg.lldapDir}
+          chown -R lldap:lldap ${cfg.lldapDir}
+        '' + lib.optionalString config.waffentragerService.jellyfin.enable ''
+          mkdir -p ${cfg.jellyfinDir}
+          chown -R materus:nextcloud ${cfg.jellyfinDir}
+        '' + lib.optionalString config.waffentragerService.scrobbling.enable ''
+          mkdir -p ${cfg.malojaDir}/multi-scrobbler
+          chown -R scrobbler:scrobbler ${cfg.malojaDir}
+        ''
+
+
+        ;
+      };
+
+    };
+}
@@ -0,0 +1,62 @@
+{ config, lib, mkk, ... }:
+{
+  options.waffentragerService.gitea.enable = mkk.lib.mkBoolOpt false "Enable gitea";
+
+
+  config =
+    let
+      cfg = config.waffentragerService.gitea;
+    in
+    lib.mkMerge
+      [
+        (lib.mkIf cfg.enable {
+          waffentragerService.postgresql.enable = true;
+          waffentragerService.elements.enable = true;
+
+          services.gitea.enable = true;
+          services.gitea.lfs.enable = true;
+          services.gitea.stateDir = "${config.waffentragerService.elements.path}/services/gitea";
+          services.gitea.settings.service.DISABLE_REGISTRATION = true;
+          services.gitea.settings.server.DOMAIN = "baka.materus.pl";
+          services.gitea.settings.server.ROOT_URL = lib.mkForce "https://baka.materus.pl/";
+          services.gitea.settings.server.PROTOCOL = "fcgi+unix";
+          services.gitea.settings.cors = {
+            ENABLED = true;
+            X_FRAME_OPTIONS = "ALLOW-FROM https://*.materus.pl/";
+          };
+
+          services.gitea.database.type = "postgres";
+          services.gitea.database.socket = "/var/run/postgresql/";
+
+        })
+        (lib.mkIf (cfg.enable && config.waffentragerService.nginx.enable) {
+
+          services.nginx.virtualHosts = {
+            "baka.materus.pl" = {
+              sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+              sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+              sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+              addSSL = true;
+              http2 = false;
+              locations."/" = {
+                extraConfig = ''
+                  client_max_body_size 2G;
+                  include ${config.services.nginx.package}/conf/fastcgi.conf;
+                  include ${config.services.nginx.package}/conf/fastcgi_params;
+                  proxy_http_version 1.1;
+                  proxy_set_header    Host                $host;
+                  proxy_set_header    X-Real-IP           $remote_addr;
+                  proxy_set_header    X-Forwarded-Ssl     on;
+                  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+                  proxy_set_header    X-Forwarded-Proto   $scheme;
+
+                  fastcgi_pass  unix:/var/run/gitea/gitea.sock;
+                '';
+              };
+
+            };
+          };
+        }
+        )
+      ];
+}
@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  mkk,
+  ...
+}:
+{
+  options.waffentragerService.mount-acme.enable = mkk.lib.mkBoolOpt false "Enable mount-acme";
+
+  config =
+    let
+      cfg = config.waffentragerService.mount-acme;
+    in
+    lib.mkIf cfg.enable {
+      environment.systemPackages = with pkgs; [ sshfs ];
+      systemd.mounts = [
+        {
+          description = "Mount remote acme dir from valkyrie";
+          what = "acme@valkyrie:/var/lib/acme";
+          where = "/var/lib/mnt_acme";
+          type = "fuse.sshfs";
+          options = "reconnect,gid=${toString config.ids.gids.nginx},_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,idmap=user,compression=yes,identityfile=/materus/root/ssh_host_ed25519_key";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "wg-quick-wg0.service" ];
+        }
+      ];
+    };
+}
@@ -0,0 +1,100 @@
+{ config, lib, pkgs, mkk, ... }:
+{
+  options.waffentragerService.nextcloud.enable = mkk.lib.mkBoolOpt false "Enable nextcloud";
+
+  config =
+    let
+      cfg = config.waffentragerService.nextcloud;
+    in
+    lib.mkIf cfg.enable {
+      waffentragerService.elements.enable = true;
+      waffentragerService.postgresql.enable = true;
+      waffentragerService.nginx.enable = true;
+      environment.systemPackages = [ pkgs.samba pkgs.exiftool pkgs.ffmpeg-headless ];
+      sops.secrets.nextcloud-adminpass.owner = config.users.users.nextcloud.name;
+      sops.secrets.nextcloud-adminpass.group = config.users.users.nextcloud.group;
+
+      services.postgresql.ensureDatabases = [ "nextcloud" ];
+      services.postgresql.ensureUsers = [{
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }];
+      services.nextcloud = {
+        enable = true;
+        package = pkgs.nextcloud33;
+        hostName = "waffentrager.materus.pl";
+        home = config.waffentragerService.elements.nextcloudDir;
+        config.adminuser = "nextcloud-master";
+        config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
+        config.dbtype = "pgsql";
+        extraAppsEnable = true;
+        maxUploadSize = "8G";
+        https = true;
+        enableImagemagick = true;
+        configureRedis = true;
+        webfinger = true;
+        appstoreEnable = true;
+        database.createLocally = true;
+        extraApps = with pkgs.nextcloud33Packages.apps; {
+          inherit notify_push previewgenerator;
+        };
+        settings = {
+          log_type = "file";
+          "profile.enabled" = true;
+          default_phone_region = "PL";
+          trusted_proxies = [ mkk.network.valkyrie.ip mkk.wireguard.peers.valkyrie.ip mkk.wireguard.peers.waffentrager.ip ];
+          mail_smtpmode = "sendmail";
+          mail_sendmailmode = "pipe";
+          enable_previews = true;
+          preview_format = "webp";
+          enabledPreviewProviders = [
+            ''OC\Preview\Movie''
+            ''OC\Preview\PNG''
+            ''OC\Preview\JPEG''
+            ''OC\Preview\GIF''
+            ''OC\Preview\BMP''
+            ''OC\Preview\XBitmap''
+            ''OC\Preview\MP3''
+            ''OC\Preview\OGG''
+            ''OC\Preview\OPUS''
+            ''OC\Preview\MP4''
+            ''OC\Preview\TXT''
+            ''OC\Preview\MarkDown''
+            ''OC\Preview\PDF''
+            ''OC\Preview\WebP''
+            ''OC\Preview\OpenDocument''
+            ''OC\Preview\Krita''
+            ''OC\Preview\AVIF''
+          ];
+          "overwrite.cli.url" = "https://${config.services.nextcloud.hostName}";
+        };
+
+        phpOptions = {
+          "opcache.memory_consumption" = "512";
+          "opcache.interned_strings_buffer" = "64";
+          "opcache.max_accelerated_files"="50000";
+          "opcache.jit" = "1255";
+          "opcache.jit_buffer_size" = "128M";
+          "opcache.validate_timestamps" = "0";
+          "opcache.revalidate_freq" = "0";
+          "opcache.fast_shutdown" = "1";
+          "opcache.save_comments" = "1";
+        };
+        phpExtraExtensions = ex: [ ex.zip ex.zlib ex.tidy ex.smbclient ex.sodium ];
+      };
+      services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+        forceSSL = true;
+        http3 = true;
+        sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+        sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+        sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+        extraConfig = ''
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          dav_methods PUT DELETE MKCOL COPY MOVE;
+          dav_ext_methods PROPFIND OPTIONS;
+          create_full_put_path on;
+          dav_access user:rw group:rw all:r;
+        '';
+      };
+    };
+}
@@ -0,0 +1,57 @@
+{ lib, pkgs, config, mkk, ... }:
+{
+  options.waffentragerService.samba.enable = mkk.lib.mkBoolOpt false "Enable samba";
+
+  config =
+    let
+      cfg = config.waffentragerService.samba;
+    in
+    lib.mkIf cfg.enable {
+      waffentragerService.elements.enable = true;
+
+      systemd.services.samba-nmbd = {
+        requires = [ "elements-mount.service" ];
+        after = [ "elements-mount.service" ];
+      };
+      systemd.services.samba-wsdd = {
+        requires = [ "elements-mount.service" ];
+        after = [ "elements-mount.service" ];
+      };
+      services.samba-wsdd.enable = true;
+      services.samba-wsdd.openFirewall = true;
+      services.samba = {
+        enable = true;
+        package = pkgs.sambaFull;
+        securityType = "user";
+        openFirewall = true;
+        settings = 
+          {
+            global = {
+              "workgroup" = "WORKGROUP";
+              "server string" = "smbwaffentrager";
+              "netbios name" = "smbwaffentrager";
+              "security" = "user"; 
+              "hosts allow" = "${mkk.wireguard.sambaIp} 192.168.100. 127.0.0.1 localhost";
+              "hosts deny" = "0.0.0.0/0";
+              "guest account" = "nobody";
+              "map to guest" = "bad user";
+              "mangled names" = "no";
+              "dos charset" = "CP850";
+              "unix charset" = "UTF-8";
+	            "display charset" = "UTF-8";
+              "catia:mappings" = "0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6";
+            };
+            materus = {
+              "path" = "${config.waffentragerService.elements.path}/storage/materus";
+              "browseable" = "yes";
+              "read only" = "no";
+              "guest ok" = "no";
+              "create mask" = "0770";
+              "directory mask" = "0770";
+              "force user" = "materus";
+              "force group" = "nextcloud";   
+            };
+          };
+      };
+    };
+}
@@ -0,0 +1,26 @@
+{ lib, config, mkk, ... }:
+{
+  options.waffentragerService.syncthing.enable = mkk.lib.mkBoolOpt false "Enable syncthing";
+
+  config =
+    let
+      cfg = config.waffentragerService.syncthing;
+    in
+    lib.mkIf cfg.enable {
+      waffentragerService.elements.enable = true;      networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
+      networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+      systemd.services.syncthing = {
+        requires = [ "elements-mount.service" ];
+        after = [ "elements-mount.service" ];
+      };
+      services = {
+        syncthing = {
+            enable = true;
+            user = "materus";
+            group = "nextcloud";
+            dataDir = "${config.waffentragerService.elements.path}/storage/materus";
+            configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";  
+        };
+      };
+    };
+}