mirror of
https://github.com/materusPL/nixos-config
synced 2026-06-24 17:36:41 +00:00
waffentrager: init
This commit is contained in:
@@ -140,6 +140,11 @@
|
||||
host = "valkyrie";
|
||||
stable = true;
|
||||
};
|
||||
waffentrager = makeSystem {
|
||||
host = "waffentrager";
|
||||
stable = true;
|
||||
arch = "aarch64-linux";
|
||||
};
|
||||
};
|
||||
|
||||
homeConfigurations = {
|
||||
@@ -158,6 +163,13 @@
|
||||
host = "valkyrie";
|
||||
stable = true;
|
||||
};
|
||||
|
||||
"materus@waffentrager" = makeHome {
|
||||
user = "materus";
|
||||
host = "waffentrager";
|
||||
arch = "aarch64-linux";
|
||||
stable = true;
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
@@ -2,7 +2,6 @@
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
materusArgs,
|
||||
...
|
||||
}:
|
||||
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
materusArgs,
|
||||
mkk,
|
||||
...
|
||||
}:
|
||||
@@ -83,7 +82,7 @@
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 22;
|
||||
authorizedKeyFiles = [ materusArgs.files.ssh-keys.materus ];
|
||||
authorizedKeyFiles = [ mkk.files.ssh-keys.materus ];
|
||||
hostKeys = [
|
||||
"/mkk/keys/ssh_host_ed25519_key"
|
||||
"/mkk/keys/ssh_host_rsa_key"
|
||||
|
||||
@@ -6,13 +6,13 @@
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
materusArgs,
|
||||
mkk,
|
||||
...
|
||||
}:
|
||||
let
|
||||
patchedBwrap = pkgs.bubblewrap.overrideAttrs (o: {
|
||||
patches = (o.patches or [ ]) ++ [
|
||||
materusArgs.files.patches.bwrap
|
||||
mkk.files.patches.bwrap
|
||||
];
|
||||
});
|
||||
in
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
{
|
||||
pkgs,
|
||||
materusArgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
materusArgs,
|
||||
mkk,
|
||||
...
|
||||
}:
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running `nixos-help`).
|
||||
|
||||
{ lib, pkgs, materusArgs, config, ... }:
|
||||
{ lib, pkgs, mkk, materusArgs, config, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
@@ -70,10 +70,10 @@
|
||||
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||
packages = [
|
||||
];
|
||||
openssh.authorizedKeys.keyFiles = [ "${materusArgs.files.ssh-keys.materus}" ];
|
||||
openssh.authorizedKeys.keyFiles = [ "${mkk.files.ssh-keys.materus}" ];
|
||||
shell = pkgs.zsh;
|
||||
};
|
||||
users.users.acme.openssh.authorizedKeys.keyFiles = [ "${materusArgs.files.ssh-keys.waffentrager}" ];
|
||||
users.users.acme.openssh.authorizedKeys.keyFiles = [ "${mkk.files.ssh-keys.waffentrager}" ];
|
||||
users.users.acme.shell = pkgs.scponly;
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
|
||||
@@ -0,0 +1,168 @@
|
||||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running `nixos-help`).
|
||||
|
||||
{ config, pkgs, mkk, lib, materusArgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [ 1900 ];
|
||||
networking.firewall.allowedUDPPorts = [ 1900 7359];
|
||||
environment.etc."current-flake".source = materusArgs.self;
|
||||
|
||||
nix.settings = {
|
||||
experimental-features = lib.mkMerge [
|
||||
[
|
||||
"nix-command"
|
||||
"flakes"
|
||||
]
|
||||
];
|
||||
auto-optimise-store = true;
|
||||
trusted-users = [
|
||||
"root"
|
||||
"@wheel"
|
||||
];
|
||||
|
||||
substituters = [
|
||||
"https://nix-community.cachix.org"
|
||||
"https://cache.nixos.org/"
|
||||
"https://nixerus.cachix.org/"
|
||||
];
|
||||
trusted-public-keys = [
|
||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||
"nixerus.cachix.org-1:2x7sIG7y1vAoxc8BNRJwsfapZsiX4hIl4aTi9V5ZDdE="
|
||||
];
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
libraspberrypi
|
||||
raspberrypi-eeprom
|
||||
git
|
||||
|
||||
p7zip
|
||||
unrar
|
||||
bzip2
|
||||
unzip
|
||||
zstd
|
||||
xz
|
||||
zip
|
||||
gzip
|
||||
|
||||
];
|
||||
|
||||
boot.tmp.useTmpfs = true;
|
||||
services.xserver.enable = false;
|
||||
networking.hostName = "waffentrager";
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.settings.PermitRootLogin = "no";
|
||||
|
||||
users.users.materus = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keyFiles = [ mkk.files.ssh-keys.materus ];
|
||||
hashedPasswordFile = config.sops.secrets."users/materus".path;
|
||||
shell = pkgs.zsh;
|
||||
};
|
||||
|
||||
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
|
||||
boot.loader.grub.enable = false;
|
||||
# Enables the generation of /boot/extlinux/extlinux.conf
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
# networking.hostName = "nixos"; # Define your hostname.
|
||||
# Pick only one of the below networking options.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||
|
||||
# Set your time zone.
|
||||
# time.timeZone = "Europe/Amsterdam";
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n.defaultLocale = "en_US.UTF-8";
|
||||
# console = {
|
||||
# font = "Lat2-Terminus16";
|
||||
# keyMap = "us";
|
||||
# useXkbConfig = true; # use xkbOptions in tty.
|
||||
# };
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
# services.xserver.enable = true;
|
||||
|
||||
|
||||
|
||||
|
||||
# Configure keymap in X11
|
||||
# services.xserver.layout = "us";
|
||||
# services.xserver.xkbOptions = "eurosign:e,caps:escape";
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
# sound.enable = true;
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable touchpad support (enabled default in most desktopManager).
|
||||
services.libinput.enable = true;
|
||||
|
||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||
# users.users.alice = {
|
||||
# isNormalUser = true;
|
||||
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||
# packages = with pkgs; [
|
||||
# firefox
|
||||
# tree
|
||||
# ];
|
||||
# };
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
# environment.systemPackages = with pkgs; [
|
||||
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||||
# wget
|
||||
# ];
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
# programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = {
|
||||
# enable = true;
|
||||
# enableSSHSupport = true;
|
||||
# };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
# services.openssh.enable = true;
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# Copy the NixOS configuration file and link it from the resulting system
|
||||
# (/run/current-system/configuration.nix). This is useful in case you
|
||||
# accidentally delete configuration.nix.
|
||||
# system.copySystemConfiguration = true;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It's perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
programs.zsh.enable = true;
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
|
||||
}
|
||||
|
||||
@@ -0,0 +1,18 @@
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
|
||||
imports = [
|
||||
|
||||
./configuration.nix
|
||||
./private
|
||||
./services
|
||||
];
|
||||
|
||||
virtualisation.podman.autoPrune.enable = true;
|
||||
virtualisation.podman.autoPrune.dates = "daily";
|
||||
virtualisation.podman.defaultNetwork.settings = {
|
||||
default_subnet = "10.88.0.0/16";
|
||||
};
|
||||
virtualisation.oci-containers.backend = "podman";
|
||||
|
||||
}
|
||||
@@ -0,0 +1,52 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, materusArgs, ... }:
|
||||
let
|
||||
crossPkgs = import pkgs.path {
|
||||
localSystem = "x86_64-linux";
|
||||
crossSystem = pkgs.stdenv.hostPlatform.system;
|
||||
};
|
||||
rpi4-kernel =
|
||||
crossPkgs.callPackage (materusArgs.inputs.nixos-hardware.outPath + "/raspberry-pi/common/kernel.nix")
|
||||
{
|
||||
rpiVersion = 4;
|
||||
};
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
materusArgs.inputs.nixos-hardware.nixosModules.raspberry-pi-4
|
||||
];
|
||||
|
||||
#boot.kernelPackages = pkgs.linuxPackagesFor materusArgs.inputs.nixos-hardware.packages.aarch64-linux.rpi4-kernel;
|
||||
boot.kernelPackages = crossPkgs.linuxPackagesFor rpi4-kernel;
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.kernel.sysctl = {
|
||||
"vm.swappiness" = 10;
|
||||
};
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
fsType = "ext4";
|
||||
};
|
||||
swapDevices = [{
|
||||
device = "/var/.swapfile";
|
||||
size = 8 * 1024;
|
||||
}];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = "aarch64-linux";
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
home.stateVersion = "23.11";
|
||||
home.homeDirectory = "/home/materus";
|
||||
}
|
||||
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,80 @@
|
||||
{ config, pkgs, lib, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.auth.authelia.enable = mkk.lib.mkBoolOpt false "Enable authelia";
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.auth.authelia;
|
||||
port = 9091;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
sops.secrets."authelia-storagekey" = { owner = "authelia"; };
|
||||
sops.secrets."authelia-database" = { owner = "authelia"; };
|
||||
sops.secrets."ldap-master" = { owner = "authelia"; };
|
||||
users.users.authelia = {
|
||||
group = "lldap";
|
||||
isSystemUser = true;
|
||||
};
|
||||
services.authelia.instances.main = {
|
||||
enable = true;
|
||||
user = "authelia";
|
||||
environmentVariables = {
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."ldap-master".path;
|
||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets."authelia-database".path;
|
||||
};
|
||||
secrets = {
|
||||
jwtSecretFile = config.sops.secrets.jwt.path;
|
||||
storageEncryptionKeyFile = config.sops.secrets."authelia-storagekey".path;
|
||||
};
|
||||
settings = {
|
||||
access_control = {
|
||||
default_policy = "one_factor";
|
||||
};
|
||||
authentication_backend = {
|
||||
ldap.url = "ldap://127.0.0.1:3890";
|
||||
ldap.implementation = "custom";
|
||||
ldap.base_dn = config.services.lldap.settings.ldap_base_dn;
|
||||
ldap.user = "CN=master,ou=people,DC=podkos,DC=pl";
|
||||
ldap.additional_users_dn = "OU=people";
|
||||
ldap.users_filter = "(&({username_attribute}={input})(objectClass=person))";
|
||||
ldap.additional_groups_dn = "OU=groups";
|
||||
ldap.groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
|
||||
};
|
||||
storage = {
|
||||
postgres.host = "/var/run/postgresql";
|
||||
postgres.port = "5432";
|
||||
postgres.database = "authelia";
|
||||
postgres.username = "authelia";
|
||||
|
||||
};
|
||||
notifier = {
|
||||
disable_startup_check = false;
|
||||
filesystem.filename = "/tmp/test_notification.txt";
|
||||
};
|
||||
session = {
|
||||
name = "materus-session";
|
||||
domain = "materus.pl";
|
||||
};
|
||||
|
||||
default_redirection_url = "https://materus.pl";
|
||||
server.port = port;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."gatekeeper.materus.pl" = {
|
||||
forceSSL = true;
|
||||
http3 = true;
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./lldap.nix
|
||||
./authelia.nix
|
||||
];
|
||||
config =
|
||||
{
|
||||
waffentragerService.auth.lldap.enable = true;
|
||||
waffentragerService.auth.authelia.enable = true;
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,87 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
mkk,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options.waffentragerService.auth.lldap.enable = mkk.lib.mkBoolOpt false "Enable lldap";
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.auth.lldap;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
waffentragerService.elements.enable = true;
|
||||
waffentragerService.nginx.enable = true;
|
||||
services.nginx.virtualHosts."mamba.podkos.pl" = {
|
||||
forceSSL = true;
|
||||
http3 = true;
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem";
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:17170";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
|
||||
allow ${mkk.wireguard.ip-masks.main};
|
||||
allow 192.168.100.0/24;
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.lldap = {
|
||||
requires = [ "elements-mount.service" ];
|
||||
after = [ "elements-mount.service" ];
|
||||
serviceConfig = {
|
||||
DynamicUser = lib.mkForce false;
|
||||
WorkingDirectory = lib.mkForce config.waffentragerService.elements.lldapDir;
|
||||
};
|
||||
};
|
||||
users.groups.lldap = { };
|
||||
users.users.lldap = {
|
||||
group = "lldap";
|
||||
isSystemUser = true;
|
||||
};
|
||||
sops.secrets.jwt = {
|
||||
owner = "lldap";
|
||||
group = "lldap";
|
||||
mode = "0440";
|
||||
};
|
||||
sops.secrets."lldap-database" = {
|
||||
owner = "lldap";
|
||||
group = "lldap";
|
||||
};
|
||||
services.lldap.enable = true;
|
||||
services.lldap.environmentFile = config.sops.templates."lldap.env".path;
|
||||
sops.templates."lldap.env" = {
|
||||
content = ''
|
||||
LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}"
|
||||
LLDAP_DATABASE_URL="postgres://lldap:${
|
||||
config.sops.placeholder."lldap-database"
|
||||
}@%2Fvar%2Frun%2Fpostgresql/lldap"
|
||||
'';
|
||||
owner = "lldap";
|
||||
group = "lldap";
|
||||
};
|
||||
services.lldap.silenceForceUserPassResetWarning = true;
|
||||
services.lldap.settings = {
|
||||
ldap_base_dn = "dc=podkos,dc=pl";
|
||||
|
||||
ldap_host = "127.0.0.1";
|
||||
http_url = "https://mamba.podkos.pl";
|
||||
ldap_user_dn = "master";
|
||||
ldap_user_email = "materus@podkos.pl";
|
||||
ldap_port = 3890;
|
||||
key_seed = mkk.waffentrager.lldap.seed;
|
||||
ldap_user_pass_file = config.sops.secrets.LLDAP_LDAP_USER_PASS_FILE.path;
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,30 @@
|
||||
{ ... }:
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./storage/elements.nix
|
||||
./storage/mount-acme.nix
|
||||
./storage/gitea.nix
|
||||
./storage/nextcloud.nix
|
||||
./storage/samba.nix
|
||||
./storage/syncthing.nix
|
||||
./multimedia/jellyfin.nix
|
||||
./multimedia/scrobbling.nix
|
||||
./monitoring.nix
|
||||
./nginx.nix
|
||||
./postgresql.nix
|
||||
./auth
|
||||
];
|
||||
waffentragerService.elements.enable = true;
|
||||
waffentragerService.postgresql.enable = true;
|
||||
waffentragerService.mount-acme.enable = true;
|
||||
waffentragerService.gitea.enable = true;
|
||||
waffentragerService.nginx.enable = true;
|
||||
waffentragerService.nextcloud.enable = true;
|
||||
waffentragerService.samba.enable = true;
|
||||
waffentragerService.jellyfin.enable = true;
|
||||
waffentragerService.scrobbling.enable = true;
|
||||
|
||||
waffentragerService.syncthing.enable = true;
|
||||
waffentragerService.monitoring.enable = false;
|
||||
}
|
||||
@@ -0,0 +1,57 @@
|
||||
{ config, lib, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.monitoring.enable = mkk.lib.mkBoolOpt false "Enable monitoring";
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.monitoring;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
services.grafana = {
|
||||
dataDir = "${config.waffentragerService.elements.path}/services/grafana";
|
||||
enable = true;
|
||||
settings = {
|
||||
server = {
|
||||
http_addr = "127.0.0.1";
|
||||
http_port = 3232;
|
||||
|
||||
domain = "watchman.materus.pl";
|
||||
serve_from_sub_path = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
port = 3233;
|
||||
globalConfig.scrape_interval = "30s";
|
||||
stateDir = "elements/services/prometheus";
|
||||
scrapeConfigs = [
|
||||
{
|
||||
job_name = "node";
|
||||
static_configs = [{
|
||||
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
|
||||
}];
|
||||
}
|
||||
];
|
||||
};
|
||||
services.prometheus.exporters.node = {
|
||||
enable = true;
|
||||
port = 3234;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
|
||||
|
||||
};
|
||||
services.nginx.virtualHosts."watchman.materus.pl" = {
|
||||
addSSL = true;
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
|
||||
http2 = false;
|
||||
http3 = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
|
||||
proxyWebsockets = true;
|
||||
recommendedProxySettings = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,150 @@
|
||||
{ lib, config, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.jellyfin.enable = mkk.lib.mkBoolOpt false "Enable jellyfin";
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.jellyfin;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
services.jellyfin = rec {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "materus";
|
||||
group = "nextcloud";
|
||||
dataDir = config.waffentragerService.elements.jellyfinDir;
|
||||
cacheDir = "${dataDir}/cache";
|
||||
};
|
||||
/*
|
||||
services.jellyseerr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};*/
|
||||
|
||||
services.nginx = {
|
||||
appendHttpConfig = ''
|
||||
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
|
||||
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
|
||||
'';
|
||||
proxyCachePath."jellyfin" = {
|
||||
enable = true;
|
||||
maxSize = "1g";
|
||||
levels = "1:2";
|
||||
keysZoneName = "jellyfin";
|
||||
keysZoneSize = "100m";
|
||||
inactive = "1d";
|
||||
useTempPath = false;
|
||||
|
||||
};
|
||||
virtualHosts = {
|
||||
"noot.materus.pl" = {
|
||||
extraConfig = ''
|
||||
client_max_body_size 20M;
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
||||
'';
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
|
||||
addSSL = true;
|
||||
http2 = false;
|
||||
http3 = true;
|
||||
locations."~ /Items/(.*)/Images" = {
|
||||
proxyPass = "http://127.0.0.1:8096";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
|
||||
proxy_cache jellyfin;
|
||||
proxy_cache_revalidate on;
|
||||
proxy_cache_lock on;
|
||||
'';
|
||||
};
|
||||
locations."~ ^/web/htmlVideoPlayer-plugin.[0-9a-z]+.chunk.js$" = {
|
||||
proxyPass = "http://127.0.0.1:8096";
|
||||
extraConfig = ''
|
||||
proxy_set_header Accept-Encoding "";
|
||||
|
||||
sub_filter_types *;
|
||||
sub_filter 'return u=30' 'return u=600';
|
||||
sub_filter 'return u=6' 'return u=60';
|
||||
sub_filter 'maxBufferLength:u' 'maxBufferLength:u,maxBufferSize:180000000';
|
||||
sub_filter_once on;
|
||||
'';
|
||||
};
|
||||
locations."~* ^/Videos/(.*)/(?!live)" = {
|
||||
proxyPass = "http://127.0.0.1:8096";
|
||||
extraConfig = ''
|
||||
# Set size of a slice (this amount will be always requested from the backend by nginx)
|
||||
# Higher value means more latency, lower more overhead
|
||||
# This size is independent of the size clients/browsers can request
|
||||
slice 2m;
|
||||
|
||||
proxy_cache jellyfin;
|
||||
proxy_cache_valid 200 206 301 302 30d;
|
||||
proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
|
||||
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
||||
proxy_connect_timeout 15s;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection "";
|
||||
# Transmit slice range to the backend
|
||||
proxy_set_header Range $slice_range;
|
||||
|
||||
# This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time
|
||||
# The first client will trigger the download, the other clients will have to wait until the slice is cached
|
||||
# Esp. practical during SyncPlay
|
||||
proxy_cache_lock on;
|
||||
proxy_cache_lock_age 60s;
|
||||
|
||||
proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";
|
||||
|
||||
'';
|
||||
};
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8096";
|
||||
extraConfig = ''
|
||||
proxy_pass_request_headers on;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
|
||||
|
||||
'';
|
||||
};
|
||||
locations."/socket" = {
|
||||
proxyPass = "http://127.0.0.1:8096";
|
||||
extraConfig = ''
|
||||
proxy_pass_request_headers on;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
|
||||
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,240 @@
|
||||
{ config, pkgs, lib, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.scrobbling.enable = mkk.lib.mkBoolOpt false "Enable scrobbling";
|
||||
|
||||
|
||||
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.scrobbling;
|
||||
in
|
||||
|
||||
|
||||
#### MALOJA --------------------------------------------------------------------
|
||||
lib.mkIf cfg.enable {
|
||||
sops.templates."maloja.env".content = ''
|
||||
MALOJA_DATA_DIRECTORY=/data
|
||||
MALOJA_DIRECTORY_STATE=/data/state
|
||||
MALOJA_DIRECTORY_CACHE=/data/cache
|
||||
|
||||
MALOJA_SKIP_SETUP=yes
|
||||
MALOJA_FORCE_PASSWORD=${config.sops.placeholder.maloja}
|
||||
MALOJA_SPOTIFY_API_ID=${config.sops.placeholder.spotify-client-id}
|
||||
MALOJA_SPOTIFY_API_SECRET=${config.sops.placeholder.spotify-client-secret}
|
||||
|
||||
MALOJA_NAME=Melody
|
||||
|
||||
MALOJA_WEEK_OFFSET=1
|
||||
|
||||
PUID=${builtins.toString config.users.users.scrobbler.uid}
|
||||
PGID=${builtins.toString config.users.groups.scrobbler.gid}
|
||||
TC=Europe/Warsaw
|
||||
TIMEZONE=Europe/Warsaw
|
||||
'';
|
||||
services.nginx.virtualHosts = {
|
||||
"melody.materus.pl" = {
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
|
||||
addSSL = true;
|
||||
http2 = false;
|
||||
http3 = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:42010";
|
||||
extraConfig = ''
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
virtualisation.oci-containers.containers.maloja =
|
||||
{
|
||||
|
||||
image = "krateng/maloja:latest";
|
||||
ports = [
|
||||
"42010:42010"
|
||||
];
|
||||
volumes = [
|
||||
"${config.waffentragerService.elements.malojaDir}:/data"
|
||||
];
|
||||
environmentFiles = [
|
||||
config.sops.templates."maloja.env".path
|
||||
];
|
||||
};
|
||||
systemd.services."${config.virtualisation.oci-containers.backend}-maloja" =
|
||||
|
||||
let
|
||||
malojaCfg = pkgs.writeText "settings.ini" ''[MALOJA]
|
||||
directory_config = /data
|
||||
lastfm_api_key = False
|
||||
audiodb_api_key = False
|
||||
spotify_api_id = False
|
||||
spotify_api_secret = False
|
||||
delimiters_feat = ["ft.","ft","feat.","feat","featuring","Ft.","Ft","Feat.","Feat","Featuring"]
|
||||
delimiters_informal = ["vs.","vs","&","with"]
|
||||
delimiters_formal = ["; ",";"]
|
||||
metadata_providers = ["spotify","deezer","lastfm","audiodb","musicbrainz"]
|
||||
|
||||
'';
|
||||
in
|
||||
{
|
||||
requires = [ "elements-mount.service" ];
|
||||
after = [ "elements-mount.service" ];
|
||||
preStart = ''cp --update=none ${malojaCfg} ${config.waffentragerService.elements.malojaDir}/settings.ini'';
|
||||
|
||||
};
|
||||
|
||||
#### MULTI SCROBBLER --------------------------------------------------------------------
|
||||
users.groups.scrobbler = { gid = 3000; };
|
||||
users.users.scrobbler = {
|
||||
group = "scrobbler";
|
||||
uid = 3000;
|
||||
isSystemUser = true;
|
||||
};
|
||||
sops.templates."multi-scrobbler.env".content = ''
|
||||
TC=Europe/Warsaw
|
||||
CONFIG_DIR=/config
|
||||
PUID=${builtins.toString config.users.users.scrobbler.uid}
|
||||
PGID=${builtins.toString config.users.groups.scrobbler.gid}
|
||||
'';
|
||||
sops.templates."multi-scrobbler.json".owner = "scrobbler";
|
||||
sops.templates."multi-scrobbler.json".group = "scrobbler";
|
||||
sops.templates."multi-scrobbler.json".content = builtins.toJSON {
|
||||
baseUrl = "https://scrobbler.materus.pl";
|
||||
disableWeb = false;
|
||||
debugMode = false;
|
||||
sources = [
|
||||
{
|
||||
name = "materus-spotify";
|
||||
enable = true;
|
||||
clients = [ "maloja" ];
|
||||
data = {
|
||||
clientId = "${config.sops.placeholder.spotify-client-id}";
|
||||
clientSecret = "${config.sops.placeholder.spotify-client-secret}";
|
||||
redirectUri = "https://scrobbler.materus.pl/callback";
|
||||
interval = 30;
|
||||
};
|
||||
type = "spotify";
|
||||
}
|
||||
{
|
||||
name = "materus-jellyfin";
|
||||
enable = true;
|
||||
clients = [ "maloja" ];
|
||||
data = {
|
||||
users = [
|
||||
"materus"
|
||||
];
|
||||
servers = [
|
||||
"waffentrager"
|
||||
];
|
||||
};
|
||||
options = {
|
||||
logPayload = false;
|
||||
logFilterFailure = "warn";
|
||||
};
|
||||
type = "jellyfin";
|
||||
}
|
||||
];
|
||||
clients = [
|
||||
{
|
||||
name = "maloja";
|
||||
enable = true;
|
||||
data = {
|
||||
url = "https://melody.materus.pl/";
|
||||
apiKey = "${config.sops.placeholder.maloja-api}";
|
||||
};
|
||||
type = "maloja";
|
||||
}
|
||||
{
|
||||
name = "materus-brainz";
|
||||
enable = true;
|
||||
configureAs = "client";
|
||||
data = {
|
||||
token = "${config.sops.placeholder.listenbrainz-api}";
|
||||
username = "materus";
|
||||
};
|
||||
type = "listenbrainz";
|
||||
}
|
||||
{
|
||||
name = "materus-lastfm";
|
||||
enable = true;
|
||||
configureAs = "client";
|
||||
data = {
|
||||
apiKey = "${config.sops.placeholder.lastfm-api}";
|
||||
secret = "${config.sops.placeholder.lastfm-secret}";
|
||||
redirectUri = "https://scrobbler.materus.pl/lastfm/callback";
|
||||
};
|
||||
type = "lastfm";
|
||||
}
|
||||
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"scrobbler.materus.pl" = {
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
|
||||
addSSL = true;
|
||||
http2 = false;
|
||||
http3 = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:42011";
|
||||
extraConfig = ''
|
||||
allow ${mkk.wireguard.ip-masks.main};
|
||||
allow 192.168.100.0/24;
|
||||
deny all;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
systemd.services."${config.virtualisation.oci-containers.backend}-multi-scrobbler" =
|
||||
{
|
||||
preStart = ''cp -f ${config.sops.templates."multi-scrobbler.json".path} ${config.waffentragerService.elements.malojaDir}/multi-scrobbler/config.json'';
|
||||
requires = [ "elements-mount.service" ];
|
||||
after = [ "elements-mount.service" ];
|
||||
};
|
||||
virtualisation.oci-containers.containers.multi-scrobbler = {
|
||||
image = "foxxmd/multi-scrobbler:latest";
|
||||
ports = [
|
||||
"127.0.0.1:42011:9078"
|
||||
];
|
||||
volumes = [
|
||||
"${config.waffentragerService.elements.malojaDir}/multi-scrobbler:/config"
|
||||
];
|
||||
environmentFiles = [
|
||||
config.sops.templates."multi-scrobbler.env".path
|
||||
];
|
||||
};
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
{ config, lib, pkgs, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.nginx.enable = mkk.lib.mkBoolOpt false "Enable nginx";
|
||||
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.nginx;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
package = pkgs.tengine;
|
||||
virtualHosts."default" = {
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
|
||||
forceSSL = true;
|
||||
http2 = false;
|
||||
default = true;
|
||||
locations."/" = { extraConfig = ''deny all;''; };
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.nginx = {
|
||||
requires = [ "var-lib-mnt_acme.mount" ];
|
||||
after = [ "var-lib-mnt_acme.mount" ];
|
||||
serviceConfig = {
|
||||
restart = "always";
|
||||
restartSec = 60;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
@@ -0,0 +1,27 @@
|
||||
{ config, lib, pkgs, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.postgresql.enable = mkk.lib.mkBoolOpt false "Enable postgresql";
|
||||
options.waffentragerService.postgresql.version = lib.mkOption { default = "16"; };
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.postgresql;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
waffentragerService.elements.enable = true;
|
||||
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.package = pkgs."postgresql_${cfg.version}";
|
||||
services.postgresql.dataDir = "${config.waffentragerService.elements.postgresqlDir}/${cfg.version}";
|
||||
services.postgresql.enableJIT = true;
|
||||
services.postgresql.authentication = pkgs.lib.mkOverride 10 ''
|
||||
local all all trust
|
||||
host all all 127.0.0.1/32 scram-sha-256
|
||||
host all all ::1/128 scram-sha-256
|
||||
'';
|
||||
systemd.services.postgresql = {
|
||||
requires = [ "elements-mount.service" ];
|
||||
after = [ "elements-mount.service" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,65 @@
|
||||
{ mkk, config, lib, pkgs, ... }:
|
||||
{
|
||||
options.waffentragerService.elements.enable = mkk.lib.mkBoolOpt false "Enable elements drive";
|
||||
options.waffentragerService.elements.path = lib.mkOption { default = "/var/lib/elements"; };
|
||||
options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; };
|
||||
options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; };
|
||||
options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; };
|
||||
options.waffentragerService.elements.lldapDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/lldap"; };
|
||||
options.waffentragerService.elements.jellyfinDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/jellyfin"; };
|
||||
options.waffentragerService.elements.malojaDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/maloja"; };
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.elements;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
|
||||
systemd.services.elements-mount = {
|
||||
description = "Decrypt and mount elements drive";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.RemainAfterExit = true;
|
||||
script = ''
|
||||
mkdir -p ${cfg.path}
|
||||
cryptsetup luksOpen /dev/disk/by-uuid/${cfg.uuid} elements -d ${config.sops.secrets.elements.path}
|
||||
mount /dev/mapper/elements ${cfg.path}
|
||||
''
|
||||
|
||||
;
|
||||
preStop = ''
|
||||
umount ${cfg.path}
|
||||
cryptsetup luksClose elements
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.elements-dirmake = {
|
||||
description = "Create dirs in elements drive";
|
||||
path = [ pkgs.cryptsetup pkgs.coreutils pkgs.util-linux ];
|
||||
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.RemainAfterExit = false;
|
||||
script = lib.optionalString config.waffentragerService.postgresql.enable ''
|
||||
mkdir -p ${cfg.postgresqlDir}/${config.waffentragerService.postgresql.version}
|
||||
chown -R postgres:postgres ${cfg.postgresqlDir}
|
||||
'' + lib.optionalString config.waffentragerService.nextcloud.enable ''
|
||||
mkdir -p ${cfg.nextcloudDir}
|
||||
chown -R nextcloud:nextcloud ${cfg.nextcloudDir}
|
||||
'' + lib.optionalString config.waffentragerService.auth.lldap.enable ''
|
||||
mkdir -p ${cfg.lldapDir}
|
||||
chown -R lldap:lldap ${cfg.lldapDir}
|
||||
'' + lib.optionalString config.waffentragerService.jellyfin.enable ''
|
||||
mkdir -p ${cfg.jellyfinDir}
|
||||
chown -R materus:nextcloud ${cfg.jellyfinDir}
|
||||
'' + lib.optionalString config.waffentragerService.scrobbling.enable ''
|
||||
mkdir -p ${cfg.malojaDir}/multi-scrobbler
|
||||
chown -R scrobbler:scrobbler ${cfg.malojaDir}
|
||||
''
|
||||
|
||||
|
||||
;
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,62 @@
|
||||
{ config, lib, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.gitea.enable = mkk.lib.mkBoolOpt false "Enable gitea";
|
||||
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.gitea;
|
||||
in
|
||||
lib.mkMerge
|
||||
[
|
||||
(lib.mkIf cfg.enable {
|
||||
waffentragerService.postgresql.enable = true;
|
||||
waffentragerService.elements.enable = true;
|
||||
|
||||
services.gitea.enable = true;
|
||||
services.gitea.lfs.enable = true;
|
||||
services.gitea.stateDir = "${config.waffentragerService.elements.path}/services/gitea";
|
||||
services.gitea.settings.service.DISABLE_REGISTRATION = true;
|
||||
services.gitea.settings.server.DOMAIN = "baka.materus.pl";
|
||||
services.gitea.settings.server.ROOT_URL = lib.mkForce "https://baka.materus.pl/";
|
||||
services.gitea.settings.server.PROTOCOL = "fcgi+unix";
|
||||
services.gitea.settings.cors = {
|
||||
ENABLED = true;
|
||||
X_FRAME_OPTIONS = "ALLOW-FROM https://*.materus.pl/";
|
||||
};
|
||||
|
||||
services.gitea.database.type = "postgres";
|
||||
services.gitea.database.socket = "/var/run/postgresql/";
|
||||
|
||||
})
|
||||
(lib.mkIf (cfg.enable && config.waffentragerService.nginx.enable) {
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"baka.materus.pl" = {
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
|
||||
addSSL = true;
|
||||
http2 = false;
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
client_max_body_size 2G;
|
||||
include ${config.services.nginx.package}/conf/fastcgi.conf;
|
||||
include ${config.services.nginx.package}/conf/fastcgi_params;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
fastcgi_pass unix:/var/run/gitea/gitea.sock;
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
];
|
||||
}
|
||||
@@ -0,0 +1,29 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
mkk,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options.waffentragerService.mount-acme.enable = mkk.lib.mkBoolOpt false "Enable mount-acme";
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.mount-acme;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs; [ sshfs ];
|
||||
systemd.mounts = [
|
||||
{
|
||||
description = "Mount remote acme dir from valkyrie";
|
||||
what = "acme@valkyrie:/var/lib/acme";
|
||||
where = "/var/lib/mnt_acme";
|
||||
type = "fuse.sshfs";
|
||||
options = "reconnect,gid=${toString config.ids.gids.nginx},_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,idmap=user,compression=yes,identityfile=/materus/root/ssh_host_ed25519_key";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "wg-quick-wg0.service" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,100 @@
|
||||
{ config, lib, pkgs, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.nextcloud.enable = mkk.lib.mkBoolOpt false "Enable nextcloud";
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.nextcloud;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
waffentragerService.elements.enable = true;
|
||||
waffentragerService.postgresql.enable = true;
|
||||
waffentragerService.nginx.enable = true;
|
||||
environment.systemPackages = [ pkgs.samba pkgs.exiftool pkgs.ffmpeg-headless ];
|
||||
sops.secrets.nextcloud-adminpass.owner = config.users.users.nextcloud.name;
|
||||
sops.secrets.nextcloud-adminpass.group = config.users.users.nextcloud.group;
|
||||
|
||||
services.postgresql.ensureDatabases = [ "nextcloud" ];
|
||||
services.postgresql.ensureUsers = [{
|
||||
name = "nextcloud";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
package = pkgs.nextcloud33;
|
||||
hostName = "waffentrager.materus.pl";
|
||||
home = config.waffentragerService.elements.nextcloudDir;
|
||||
config.adminuser = "nextcloud-master";
|
||||
config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
|
||||
config.dbtype = "pgsql";
|
||||
extraAppsEnable = true;
|
||||
maxUploadSize = "8G";
|
||||
https = true;
|
||||
enableImagemagick = true;
|
||||
configureRedis = true;
|
||||
webfinger = true;
|
||||
appstoreEnable = true;
|
||||
database.createLocally = true;
|
||||
extraApps = with pkgs.nextcloud33Packages.apps; {
|
||||
inherit notify_push previewgenerator;
|
||||
};
|
||||
settings = {
|
||||
log_type = "file";
|
||||
"profile.enabled" = true;
|
||||
default_phone_region = "PL";
|
||||
trusted_proxies = [ mkk.network.valkyrie.ip mkk.wireguard.peers.valkyrie.ip mkk.wireguard.peers.waffentrager.ip ];
|
||||
mail_smtpmode = "sendmail";
|
||||
mail_sendmailmode = "pipe";
|
||||
enable_previews = true;
|
||||
preview_format = "webp";
|
||||
enabledPreviewProviders = [
|
||||
''OC\Preview\Movie''
|
||||
''OC\Preview\PNG''
|
||||
''OC\Preview\JPEG''
|
||||
''OC\Preview\GIF''
|
||||
''OC\Preview\BMP''
|
||||
''OC\Preview\XBitmap''
|
||||
''OC\Preview\MP3''
|
||||
''OC\Preview\OGG''
|
||||
''OC\Preview\OPUS''
|
||||
''OC\Preview\MP4''
|
||||
''OC\Preview\TXT''
|
||||
''OC\Preview\MarkDown''
|
||||
''OC\Preview\PDF''
|
||||
''OC\Preview\WebP''
|
||||
''OC\Preview\OpenDocument''
|
||||
''OC\Preview\Krita''
|
||||
''OC\Preview\AVIF''
|
||||
];
|
||||
"overwrite.cli.url" = "https://${config.services.nextcloud.hostName}";
|
||||
};
|
||||
|
||||
phpOptions = {
|
||||
"opcache.memory_consumption" = "512";
|
||||
"opcache.interned_strings_buffer" = "64";
|
||||
"opcache.max_accelerated_files"="50000";
|
||||
"opcache.jit" = "1255";
|
||||
"opcache.jit_buffer_size" = "128M";
|
||||
"opcache.validate_timestamps" = "0";
|
||||
"opcache.revalidate_freq" = "0";
|
||||
"opcache.fast_shutdown" = "1";
|
||||
"opcache.save_comments" = "1";
|
||||
};
|
||||
phpExtraExtensions = ex: [ ex.zip ex.zlib ex.tidy ex.smbclient ex.sodium ];
|
||||
};
|
||||
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
|
||||
forceSSL = true;
|
||||
http3 = true;
|
||||
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
|
||||
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
|
||||
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
dav_methods PUT DELETE MKCOL COPY MOVE;
|
||||
dav_ext_methods PROPFIND OPTIONS;
|
||||
create_full_put_path on;
|
||||
dav_access user:rw group:rw all:r;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,57 @@
|
||||
{ lib, pkgs, config, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.samba.enable = mkk.lib.mkBoolOpt false "Enable samba";
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.samba;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
waffentragerService.elements.enable = true;
|
||||
|
||||
systemd.services.samba-nmbd = {
|
||||
requires = [ "elements-mount.service" ];
|
||||
after = [ "elements-mount.service" ];
|
||||
};
|
||||
systemd.services.samba-wsdd = {
|
||||
requires = [ "elements-mount.service" ];
|
||||
after = [ "elements-mount.service" ];
|
||||
};
|
||||
services.samba-wsdd.enable = true;
|
||||
services.samba-wsdd.openFirewall = true;
|
||||
services.samba = {
|
||||
enable = true;
|
||||
package = pkgs.sambaFull;
|
||||
securityType = "user";
|
||||
openFirewall = true;
|
||||
settings =
|
||||
{
|
||||
global = {
|
||||
"workgroup" = "WORKGROUP";
|
||||
"server string" = "smbwaffentrager";
|
||||
"netbios name" = "smbwaffentrager";
|
||||
"security" = "user";
|
||||
"hosts allow" = "${mkk.wireguard.sambaIp} 192.168.100. 127.0.0.1 localhost";
|
||||
"hosts deny" = "0.0.0.0/0";
|
||||
"guest account" = "nobody";
|
||||
"map to guest" = "bad user";
|
||||
"mangled names" = "no";
|
||||
"dos charset" = "CP850";
|
||||
"unix charset" = "UTF-8";
|
||||
"display charset" = "UTF-8";
|
||||
"catia:mappings" = "0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6";
|
||||
};
|
||||
materus = {
|
||||
"path" = "${config.waffentragerService.elements.path}/storage/materus";
|
||||
"browseable" = "yes";
|
||||
"read only" = "no";
|
||||
"guest ok" = "no";
|
||||
"create mask" = "0770";
|
||||
"directory mask" = "0770";
|
||||
"force user" = "materus";
|
||||
"force group" = "nextcloud";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,26 @@
|
||||
{ lib, config, mkk, ... }:
|
||||
{
|
||||
options.waffentragerService.syncthing.enable = mkk.lib.mkBoolOpt false "Enable syncthing";
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.syncthing;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
waffentragerService.elements.enable = true; networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
|
||||
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
|
||||
systemd.services.syncthing = {
|
||||
requires = [ "elements-mount.service" ];
|
||||
after = [ "elements-mount.service" ];
|
||||
};
|
||||
services = {
|
||||
syncthing = {
|
||||
enable = true;
|
||||
user = "materus";
|
||||
group = "nextcloud";
|
||||
dataDir = "${config.waffentragerService.elements.path}/storage/materus";
|
||||
configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -27,6 +27,7 @@ isHm:
|
||||
config._module.args.mkk = rec {
|
||||
nixerus.pkgs = materusArgs.inputs.nixerus.packages."${config.nixpkgs.hostPlatform.system}";
|
||||
lib = nixerus.pkgs.lib;
|
||||
|
||||
files = materusArgs.files;
|
||||
args = materusArgs;
|
||||
} // config.mkk.var;
|
||||
}
|
||||
|
||||
Binary file not shown.
Reference in New Issue
Block a user