move nas apps sorta

mjallen18
2025-07-22 16:23:58 -05:00
parent c8ed7d74f8
commit 1d1f145b37
42 changed files with 1097 additions and 1940 deletions


@@ -1,938 +0,0 @@
{
description = "flake for matt-nixos";
inputs = {
#####################################################
# Desktop #
#####################################################
# nixpgs
desktop-nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
# Chaotic-nix
desktop-chaotic = {
url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
};
# Home Manager
desktop-home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "desktop-nixpkgs";
};
# Impermenance
desktop-impermanence = {
url = "github:nix-community/impermanence";
};
# Lanzaboote
desktop-lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "desktop-nixpkgs";
};
# Nix hardware
desktop-nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
};
# Sops-nix
desktop-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "desktop-nixpkgs";
};
# steam rom manager
desktop-steam-rom-manager = {
url = "github:mjallen18/nix-steam-rom-manager";
inputs.nixpkgs.follows = "desktop-nixpkgs";
inputs.home-manager.follows = "desktop-home-manager";
};
# cosmic launcher
desktop-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic";
inputs.nixpkgs.follows = "desktop-nixpkgs";
};
desktop-nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
#####################################################
# NAS #
#####################################################
# nixpgs
nas-nixpkgs = {
# url = "github:NixOS/nixpkgs/nixos-24.11";
url = "github:NixOS/nixpkgs/nixos-unstable";
};
nas-nixpkgs-stable = {
url = "github:NixOS/nixpkgs/nixos-24.11";
};
# Authentik
nas-authentik-nix = {
url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nas-nixpkgs";
};
# cosmic launcher
nas-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic";
inputs.nixpkgs.follows = "nas-nixpkgs-stable";
};
# crowdsec
nas-crowdsec = {
url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
inputs.nixpkgs.follows = "nas-nixpkgs";
};
# Home Manager
nas-home-manager = {
# url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nas-nixpkgs";
};
# Impermenance
nas-impermanence = {
url = "github:nix-community/impermanence";
};
# Lanzaboote
nas-lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nas-nixpkgs";
};
# Nix hardware
nas-nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
};
# Sops-nix
nas-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nas-nixpkgs";
};
nas-nixai.url = "github:olafkfreund/nix-ai-help";
nas-nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
#####################################################
# pi5 #
#####################################################
# nixpgs
pi5-nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
# Home Manager
pi5-home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "pi5-nixpkgs";
};
# Impermenance
pi5-impermanence = {
url = "github:nix-community/impermanence";
};
# Nix hardware
pi5-nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
};
# Sops-nix
pi5-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "pi5-nixpkgs";
};
pi5-disko = {
# the fork is needed for partition attributes support
url = "github:nvmd/disko/gpt-attrs";
# url = "github:nix-community/disko";
inputs.nixpkgs.follows = "pi5-nixpkgs";
};
pi5-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic";
inputs.nixpkgs.follows = "pi5-nixpkgs";
};
#####################################################
# pi4 #
#####################################################
# nixpgs
pi4-nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
# Home Manager
pi4-home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "pi4-nixpkgs";
};
# Impermenance
pi4-impermanence = {
url = "github:nix-community/impermanence";
};
# Sops-nix
pi4-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "pi4-nixpkgs";
};
# Nix hardware
pi4-nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
};
pi4-disko = {
# the fork is needed for partition attributes support
url = "github:nvmd/disko/gpt-attrs";
# url = "github:nix-community/disko";
inputs.nixpkgs.follows = "pi4-nixpkgs";
};
nixos-raspberrypi.url = "github:nvmd/nixos-raspberrypi";
#####################################################
# Steamdeck #
#####################################################
# nixpgs
steamdeck-nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
# Joviain for steamdeck
steamdeck-jovian = {
url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
# Chaotic-nix
steamdeck-chaotic = {
url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
};
# Impermenance
steamdeck-impermanence = {
url = "github:nix-community/impermanence";
};
# Home Manager
steamdeck-home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
# Lanzaboote
steamdeck-lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
# Sops-nix
steamdeck-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
# Nix hardware
steamdeck-nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
};
# steam rom manager
steamdeck-steam-rom-manager = {
url = "github:mjallen18/nix-steam-rom-manager";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
inputs.home-manager.follows = "steamdeck-home-manager";
};
steamdeck-disko = {
# the fork is needed for partition attributes support
url = "github:nvmd/disko/gpt-attrs";
# url = "github:nix-community/disko";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
#####################################################
# MacBook #
#####################################################
#Apple
nix-darwin = {
url = "github:LnL7/nix-darwin";
inputs.nixpkgs.follows = "desktop-nixpkgs";
};
nix-homebrew.url = "github:zhaofengli/nix-homebrew";
homebrew-core = {
url = "github:homebrew/homebrew-core";
flake = false;
};
homebrew-cask = {
url = "github:homebrew/homebrew-cask";
flake = false;
};
#####################################################
# Macbook Nix #
#####################################################
# nixpgs
mac-nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
mac-nixos-apple-silicon = {
url = "github:nix-community/nixos-apple-silicon";
};
# Home Manager
mac-home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "mac-nixpkgs";
};
# Impermenance
mac-impermanence = {
url = "github:nix-community/impermanence";
};
# Sops-nix
mac-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "mac-nixpkgs";
};
#####################################################
# NUC #
#####################################################
# nixpgs
nuc-nixpkgs = {
# url = "github:NixOS/nixpkgs/nixos-24.11";
url = "github:NixOS/nixpkgs/nixos-unstable";
};
# Home Manager
nuc-home-manager = {
# url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nuc-nixpkgs";
};
# Impermenance
nuc-impermanence = {
url = "github:nix-community/impermanence";
};
# Lanzaboote
nuc-lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nuc-nixpkgs";
};
# Sops-nix
nuc-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nuc-nixpkgs";
};
nuc-disko = {
# the fork is needed for partition attributes support
url = "github:nvmd/disko/gpt-attrs";
# url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nuc-nixpkgs";
};
#####################################################
# Common #
#####################################################
nixpkgs-unstable = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
nixpkgs-stable = {
url = "github:NixOS/nixpkgs/nixos-25.05";
};
};
outputs =
{
self,
# Desktop
desktop-nixpkgs,
desktop-chaotic,
desktop-home-manager,
desktop-impermanence,
desktop-lanzaboote,
desktop-nixos-hardware,
desktop-sops-nix,
desktop-steam-rom-manager,
desktop-cosmic,
desktop-nix-vscode-extensions,
# NAS
nas-nixpkgs,
nas-nixpkgs-stable,
nas-authentik-nix,
nas-cosmic,
nas-crowdsec,
nas-home-manager,
nas-impermanence,
nas-lanzaboote,
nas-nixos-hardware,
nas-sops-nix,
nas-nixai,
nas-nix-vscode-extensions,
# pi5
pi5-nixpkgs,
pi5-home-manager,
pi5-impermanence,
pi5-nixos-hardware,
pi5-sops-nix,
pi5-disko,
pi5-cosmic,
# pi4
pi4-nixpkgs,
pi4-home-manager,
pi4-impermanence,
pi4-sops-nix,
pi4-nixos-hardware,
pi4-disko,
nixos-raspberrypi,
# Steamdeck
steamdeck-nixpkgs,
steamdeck-chaotic,
steamdeck-home-manager,
steamdeck-impermanence,
steamdeck-jovian,
steamdeck-lanzaboote,
steamdeck-nixos-hardware,
steamdeck-sops-nix,
steamdeck-steam-rom-manager,
steamdeck-disko,
# MacBook
nix-darwin,
nix-homebrew,
homebrew-core,
homebrew-cask,
# MacBook Nix
mac-nixpkgs,
mac-nixos-apple-silicon,
mac-home-manager,
mac-impermanence,
mac-sops-nix,
nuc-nixpkgs,
nuc-home-manager,
nuc-impermanence,
nuc-lanzaboote,
nuc-sops-nix,
nuc-disko,
# Common
nixpkgs-unstable,
nixpkgs-stable,
}@inputs:
let
inherit (self) outputs;
in
{
overlays = import ./overlays { inherit inputs; };
nixosConfigurations = {
# Desktop
"matt-nixos" = desktop-nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
hyprlandSettings = import ./hosts/desktop/hyprland-settings.nix;
};
modules = [
./hosts/base/base-nogui
./hosts/base/base-gui
./hosts/desktop/configuration.nix
./modules/desktop-environments/gnome
./modules/desktop-environments/cosmic/specialisation.nix
./modules/desktop-environments/hyprland/specialisation.nix
./modules/amd
./modules/gaming
# Lanzaboote
desktop-lanzaboote.nixosModules.lanzaboote
# Chaotic Nyx
desktop-chaotic.nixosModules.default
# Impermanence
desktop-impermanence.nixosModules.impermanence
./modules/impermanence
desktop-sops-nix.nixosModules.sops
# Home Manager
desktop-home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.matt =
{ ... }:
{
imports = [
./hosts/desktop/home.nix
./modules/home/defaults.nix
./modules/home/git.nix
./modules/home/gnome.nix
./modules/home/librewolf.nix
./modules/home/office.nix
./modules/home/shell.nix
./modules/home/vscode.nix
desktop-steam-rom-manager.homeManagerModules.default
desktop-sops-nix.homeManagerModules.sops
];
};
home-manager.users.root =
{ ... }:
{
imports = [
./modules/root-user
desktop-sops-nix.homeManagerModules.sops
];
};
home-manager.backupFileExtension = "backup";
}
# nixos hardware
desktop-nixos-hardware.nixosModules.common-cpu-amd
desktop-nixos-hardware.nixosModules.common-cpu-amd-pstate
desktop-nixos-hardware.nixosModules.common-cpu-amd-zenpower
desktop-nixos-hardware.nixosModules.common-gpu-amd
desktop-nixos-hardware.nixosModules.common-hidpi
desktop-nixos-hardware.nixosModules.common-pc
];
};
# NAS
"jallen-nas" = nas-nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
};
modules = [
./hosts/base/base-nogui
./hosts/base/base-gui
./hosts/nas/configuration.nix
./modules/desktop-environments/cosmic
./modules/nvidia
nas-lanzaboote.nixosModules.lanzaboote
nas-impermanence.nixosModules.impermanence
./hosts/nas/impermanence.nix
nas-cosmic.nixosModules.default
# nas-nixai.nixosModules.x86_64-linux.default
nas-home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = true;
home-manager.users.admin =
{ ... }:
{
imports = [
./hosts/nas/home.nix
./modules/home/defaults.nix
./modules/home/git.nix
./modules/home/librewolf.nix
./modules/home/shell.nix
./modules/home/vscode.nix
nas-sops-nix.homeManagerModules.sops
# nas-nixai.homeManagerModules.x86_64-linux.default
];
};
home-manager.users.root =
{ ... }:
{
imports = [
./modules/root-user
nas-sops-nix.homeManagerModules.sops
];
};
home-manager.backupFileExtension = "backup";
}
nas-authentik-nix.nixosModules.default
nas-sops-nix.nixosModules.sops
nas-crowdsec.nixosModules.crowdsec
nas-crowdsec.nixosModules.crowdsec-firewall-bouncer
(
{ ... }:
{
nixpkgs.overlays = [
nas-crowdsec.overlays.default
nas-nix-vscode-extensions.overlays.default
];
}
)
nas-nixos-hardware.nixosModules.common-pc
nas-nixos-hardware.nixosModules.common-cpu-amd
nas-nixos-hardware.nixosModules.common-cpu-amd-pstate
nas-nixos-hardware.nixosModules.common-cpu-amd-zenpower
nas-nixos-hardware.nixosModules.common-hidpi
];
};
# pi5
"pi5" = nixos-raspberrypi.lib.nixosSystem {
specialArgs = inputs //
{
inherit outputs;
};
system = "aarch64-linux";
modules = [
./hosts/base/base-nogui
./hosts/base/base-gui
pi5-disko.nixosModules.disko
./hosts/pi5/disko.nix
pi5-cosmic.nixosModules.default
pi5-impermanence.nixosModules.impermanence
pi5-sops-nix.nixosModules.sops
./hosts/pi5/configuration.nix
pi5-nixos-hardware.nixosModules.raspberry-pi-5
{
# Hardware specific configuration, see section below for a more complete
# list of modules
imports = with nixos-raspberrypi.nixosModules; [
raspberry-pi-5.base
raspberry-pi-5.display-vc4
raspberry-pi-5.bluetooth
];
}
pi5-home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.backupFileExtension = "backup";
home-manager.users.matt =
{ ... }:
{
imports = [
./hosts/pi5/home.nix
pi5-sops-nix.homeManagerModules.sops
];
};
home-manager.users.root =
{ ... }:
{
imports = [
./modules/root-user
pi5-sops-nix.homeManagerModules.sops
];
};
}
];
};
# pi4
"pi4" = nixos-raspberrypi.lib.nixosSystem {
specialArgs = inputs //
{
inherit outputs;
};
system = "aarch64-linux";
modules = [
./hosts/base/base-nogui
pi4-disko.nixosModules.disko
./modules/disko/pi-uefi-disko.nix
pi4-nixos-hardware.nixosModules.raspberry-pi-4
{
# Hardware specific configuration, see section below for a more complete
# list of modules
imports = with nixos-raspberrypi.nixosModules; [
raspberry-pi-4.base
raspberry-pi-4.display-vc4
raspberry-pi-4.bluetooth
raspberry-pi-4.case-argonone
];
}
pi4-impermanence.nixosModules.impermanence
pi4-sops-nix.nixosModules.sops
./hosts/pi4/configuration.nix
pi4-home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.backupFileExtension = "backup";
home-manager.users.matt =
{ ... }:
{
imports = [
./hosts/pi4/home.nix
pi4-sops-nix.homeManagerModules.sops
];
};
home-manager.users.root =
{ ... }:
{
imports = [
./modules/root-user
pi4-sops-nix.homeManagerModules.sops
];
};
}
];
};
"steamdeck" = steamdeck-nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
};
modules = [
./hosts/base/base-nogui
./hosts/base/base-gui
./hosts/deck/configuration.nix
./modules/desktop-environments/gnome
steamdeck-lanzaboote.nixosModules.lanzaboote
steamdeck-disko.nixosModules.disko
./modules/disko/disko.nix
steamdeck-impermanence.nixosModules.impermanence
./modules/impermanence
steamdeck-home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.deck =
{ ... }:
{
imports = [
./hosts/deck/home.nix
./modules/home/defaults.nix
./modules/home/git.nix
./modules/home/gnome.nix
./modules/home/librewolf.nix
./modules/home/office.nix
./modules/home/shell.nix
./modules/home/vscode.nix
steamdeck-sops-nix.homeManagerModules.sops
steamdeck-steam-rom-manager.homeManagerModules.default
];
};
home-manager.users.root =
{ ... }:
{
imports = [
./modules/root-user
steamdeck-sops-nix.homeManagerModules.sops
];
};
home-manager.backupFileExtension = "backup";
}
steamdeck-nixos-hardware.nixosModules.common-cpu-amd
steamdeck-nixos-hardware.nixosModules.common-cpu-amd-pstate
steamdeck-nixos-hardware.nixosModules.common-cpu-amd-zenpower
steamdeck-nixos-hardware.nixosModules.common-gpu-amd
steamdeck-nixos-hardware.nixosModules.common-hidpi
steamdeck-nixos-hardware.nixosModules.common-pc
steamdeck-sops-nix.nixosModules.sops
steamdeck-jovian.nixosModules.jovian
steamdeck-chaotic.nixosModules.default
];
};
# MacBook Nix
"macbook-pro-nixos" = mac-nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = {
inherit inputs outputs;
hyprlandSettings = import ./hosts/mac-nixos/hyprland-settings.nix;
};
modules = [
./hosts/base/base-nogui
./hosts/base/base-gui
./hosts/mac-nixos/configuration.nix
./modules/desktop-environments/hyprland
# Apple Silicon Support
mac-nixos-apple-silicon.nixosModules.default
# Impermanence
mac-impermanence.nixosModules.impermanence
./modules/impermanence
mac-sops-nix.nixosModules.sops
# Home Manager
mac-home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.matt =
{ ... }:
{
imports = [
./hosts/mac-nixos/home.nix
./modules/home/defaults.nix
./modules/home/git.nix
# ./modules/home/gnome.nix
# ./modules/home/librewolf.nix
./modules/home/office.nix
./modules/home/shell.nix
# ./modules/home/vscode.nix
mac-sops-nix.homeManagerModules.sops
];
};
home-manager.users.root =
{ ... }:
{
imports = [
./modules/root-user
mac-sops-nix.homeManagerModules.sops
];
};
home-manager.backupFileExtension = "backup";
}
];
};
# NUC
"nuc-nixos" = nuc-nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
};
modules = [
./hosts/base/base-nogui
./hosts/nuc/configuration.nix
nuc-lanzaboote.nixosModules.lanzaboote
nuc-impermanence.nixosModules.impermanence
./hosts/nuc/impermanence.nix
nuc-disko.nixosModules.disko
./modules/disko/disko.nix
nuc-home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = true;
home-manager.users.admin =
{ ... }:
{
imports = [
./hosts/nuc/home.nix
./modules/home/defaults.nix
./modules/home/git.nix
./modules/home/shell.nix
nuc-sops-nix.homeManagerModules.sops
];
};
home-manager.users.root =
{ ... }:
{
imports = [
./modules/root-user
nuc-sops-nix.homeManagerModules.sops
];
};
home-manager.backupFileExtension = "backup";
}
nuc-sops-nix.nixosModules.sops
];
};
};
darwinConfigurations = {
"MacBook-Pro" = nix-darwin.lib.darwinSystem {
system = "aarch64-darwin";
specialArgs = {
inherit inputs outputs;
};
modules = [
./hosts/mac/configuration.nix
nix-homebrew.darwinModules.nix-homebrew
desktop-home-manager.darwinModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.mattjallen = import ./hosts/mac/home.nix;
home-manager.backupFileExtension = "backup";
}
(
{ ... }:
{
nixpkgs.overlays = [
desktop-nix-vscode-extensions.overlays.default
];
}
)
];
};
};
packages.aarch64-linux.vmware-horizon-fhs =
let
pkgs = import mac-nixpkgs { system = "aarch64-linux"; };
x64 = import mac-nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; };
in
pkgs.buildFHSEnv {
name = "horizon-client-x64";
targetPkgs = _pkgs: with x64; [
vmware-horizon-client gtk3 xorg.libX11 libxml2
];
runScript = "box64 vmware-view";
};
# Expose the package set, including overlays, for convenience.
darwinPackages = self.darwinConfigurations."MacBook-Pro".pkgs;
# Set Git commit hash for darwin-version.
system.configurationRevision = self.rev or self.dirtyRev or null;
};
}


@@ -2,9 +2,8 @@
with lib;
let
cfg = config.nas-apps.actual;
settings = import ../../settings.nix;
dataDir = "/data";
hostAddress = settings.hostAddress;
hostAddress = "10.0.1.3";
actualUserId = config.users.users.nix-apps.uid;
actualGroupId = config.users.groups.jallen-nas.gid;
in
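Review bot: `hostAddress = "10.0.1.3";` replaces the shared `settings.hostAddress`, so the host address is now a literal in this module and again in the arrs and gitea hunks below, and in the new jellyseerr, nextcloud, paperless and immich files. Any change to that address now has to be made in every module in step, and a single missed copy breaks container networking or NAT forwarding for that one app without any evaluation error. Keeping one definition — an option under the `${namespace}` the new modules already read, or one shared let binding — and referencing it from each module would restore the single source of truth the commit removes.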


@@ -7,7 +7,6 @@
with lib;
let
cfg = config.nas-apps.arrs;
settings = import ../../settings.nix;
radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads";
incompleteDir = "/downloads-incomplete";
@@ -21,7 +20,6 @@ let
sonarrPkg = pkgs.sonarr;
delugePkg = pkgs.deluge;
jackettPkg = pkgs.jackett;
sabnzbdPkg = pkgs.sabnzbd;
in
{
imports = [ ./options.nix ];
@@ -30,7 +28,7 @@ in
containers.arrs = {
autoStart = true;
privateNetwork = true;
hostAddress = settings.hostAddress;
hostAddress = "10.0.1.3";
localAddress = cfg.localAddress;
config =
@@ -40,7 +38,12 @@ in
...
}:
{
nixpkgs.config.allowUnfree = true;
nixpkgs.config = {
allowUnfree = lib.mkForce true;
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"unrar"
];
};
# Enable radarr service
services.radarr = {
@@ -69,7 +72,7 @@ in
user = "arrs";
group = "media";
configFile = "${sabnzbdConfig}/sabnzbd.ini";
package = sabnzbdPkg;
package = pkgs.sabnzbd;
};
services.deluge = {
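Review bot: The new `nixpkgs.config` block sets `allowUnfree = lib.mkForce true;` next to an `allowUnfreePredicate` that lists only `"unrar"`; with `allowUnfree` true every unfree package is already permitted, so the predicate never restricts anything. If the intent is to allow unrar only, keep the predicate and drop the `allowUnfree` line; if the intent is to allow everything, the predicate is dead code and should go. The container `config` function and the enclosing module continue outside the hunk.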


@@ -1,4 +1,4 @@
{ outputs, config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.nas-apps.crowdsec;


@@ -2,8 +2,7 @@
with lib;
let
cfg = config.nas-apps.gitea;
settings = import ../../settings.nix;
hostAddress = settings.hostAddress;
hostAddress = "10.0.1.3";
# localAddress = "10.0.4.18";
# httpPort = 3000;
# sshPort = 2222;


@@ -0,0 +1,33 @@
{ config, lib, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.immich;
immichPort = 2283;
dataDir = "/media/nas/main/photos";
dbPassword = config.sops.secrets."jallen-nas/immich/db-password".path;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
# Enable immich service
services.immich = {
enable = true;
port = immichPort;
openFirewall = true;
secretsFile = dbPassword;
mediaLocation = dataDir;
environment = {
IMMICH_HOST = lib.mkForce "0.0.0.0";
IMMICH_TRUSTED_PROXIES = "10.0.1.3";
TZ = "America/Chicago";
};
machine-learning = {
enable = true;
};
};
};
}
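Review bot: `IMMICH_HOST = lib.mkForce "0.0.0.0"` together with `openFirewall = true` exposes port 2283 on every interface, while `IMMICH_TRUSTED_PROXIES = "10.0.1.3"` suggests clients are meant to arrive through a proxy on the host; with the direct path open, whatever that proxy adds (TLS, an auth layer, client-IP attribution for rate limiting) can be sidestepped by connecting to the port directly. If only the proxy should reach it, bind to the host-internal address and leave `openFirewall` false, or restrict the firewall rule to the proxy's source address. Separately, the immich module loads `secretsFile` as an environment file, so `jallen-nas/immich/db-password` presumably needs to contain `DB_PASSWORD=…` rather than a bare password — worth confirming against the rendered sops secret.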


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.immich = {
enable = mkEnableOption "enable immich";
};
}
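Review bot: `mkEnableOption "enable immich"` prefixes its argument with "Whether to enable", so the generated option description reads "Whether to enable enable immich."; the argument should name the thing being enabled, `enable = mkEnableOption "immich";`. The same wording is repeated in the new jellyfin, jellyseerr, lubelogger, nextcloud and ollama options.nix files in this commit.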


@@ -0,0 +1,19 @@
{ config, lib, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.jellyfin;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
services.jellyfin = {
enable = true;
openFirewall = true;
user = "nix-apps";
group = "jallen-nas";
dataDir = "/media/nas/ssd/nix-app-data/jellyfin";
# cacheDir = "/cache";
};
};
}


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.jellyfin = {
enable = mkEnableOption "enable jellyfin";
};
}


@@ -0,0 +1,78 @@
{ config, lib, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.jellyseerr;
jellyseerrPort = 5055;
dataDir = "/var/lib/private/jellyseerr";
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.jellyseerr = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.3";
localAddress = "10.0.1.52";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::4";
bindMounts = {
${dataDir} = {
hostPath = "/media/nas/ssd/nix-app-data/jellyseerr";
isReadOnly = false;
};
};
config =
{
lib,
...
}:
{
# Enable jellyseerr service
services.jellyseerr = {
enable = true;
port = jellyseerrPort;
# package = package;
openFirewall = true;
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ jellyseerrPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
# Create and set permissions for required directories
system.activationScripts.jellyseerr-dirs = ''
mkdir -p /var/lib/private/jellyseerr
chown -R jellyseerr:jellyseerr /var/lib/private/jellyseerr
chmod -R 775 /var/lib/private/jellyseerr
ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin
'';
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.52:5055";
sourcePort = jellyseerrPort;
}
];
};
};
}
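Review bot: The activation script's last line, `ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin`, creates a link named after a different service inside the jellyseerr container; it reads like a copy-paste slip, and the intended name is presumably `/var/lib/jellyseerr`. The `/var/lib/private` path suggests the unit runs with `DynamicUser`, in which case systemd creates that link itself and the `chown -R jellyseerr:jellyseerr` will fail at activation because the user does not exist until the service starts — worth confirming against the jellyseerr module before keeping the script. The NAT rule also repeats values the file already names: `destination = "10.0.1.52:${toString jellyseerrPort}";` keeps the port in one place, and a let binding for the container's `localAddress` would do the same for the address. `openFirewall = true` and the explicit `allowedTCPPorts = [ jellyseerrPort ]` open the same port twice, so one of them can go.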


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.jellyseerr = {
enable = mkEnableOption "enable jellyseerr";
};
}


@@ -0,0 +1,28 @@
{ config, lib, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.lubelogger;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers.lubelogger = {
autoStart = true;
image = "ghcr.io/hargata/lubelogger";
ports = [ "6754:8080" ];
volumes = [
"/media/nas/ssd/nix-app-data/lubelogger:/App/data"
"/media/nas/ssd/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
];
environmentFiles = [
"/media/nas/ssd/nix-app-data/lubelogger/lubelogger.env"
];
environment = {
PUID = toString config.users.users.nix-apps.uid;
PGID = toString config.users.groups.jallen-nas.gid;
TZ = "America/Chicago";
};
};
};
}
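Review bot: `image = "ghcr.io/hargata/lubelogger"` carries neither a tag nor a digest, so every pull resolves to whatever `latest` currently is and the host's configuration is no longer reproducible or auditable; pin it, e.g. `image = "ghcr.io/hargata/lubelogger:<tag>";` or, better, an `@sha256:<digest>` reference. `ports = [ "6754:8080" ]` publishes the port on every host interface; if the app is only meant to be reached locally or through a proxy, prefix the bind address, as in `"10.0.1.3:6754:8080"` or `"127.0.0.1:6754:8080"`. The mounted `lubelogger.env` is read at container start, so its host-side mode decides who can read whatever it holds — worth checking it is not group- or world-readable.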


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.lubelogger = {
enable = mkEnableOption "enable lubelogger";
};
}


@@ -0,0 +1,240 @@
{ config, lib, pkgs, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.nextcloud;
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid;
hostAddress = "10.0.1.3";
localAddress = "10.0.2.18";
nextcloudPortExtHttp = 9988;
nextcloudPortExtHttps = 9943;
onlyofficePortExt = 9943;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
specialArgs = {
inherit namespace;
};
bindMounts = {
secrets = {
hostPath = "/run/secrets/jallen-nas/nextcloud";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/nextcloud";
};
secrets2 = {
hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
};
data = {
hostPath = "/media/nas/main/nextcloud";
isReadOnly = false;
mountPoint = "/data";
};
"/var/lib/nextcloud" = {
hostPath = "/media/nas/ssd/nix-app-data/nextcloud";
isReadOnly = false;
mountPoint = "/var/lib/nextcloud";
};
"/var/lib/onlyoffice" = {
hostPath = "/media/nas/ssd/nix-app-data/onlyoffice";
isReadOnly = false;
mountPoint = "/var/lib/onlyoffice";
};
};
config =
{ pkgs, lib, namespace, ... }:
{
nixpkgs.config.allowUnfree = true;
networking.extraHosts = ''
${hostAddress} host.containers protonmail-bridge
'';
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud31;
# datadir = "/data";
database.createLocally = true;
hostName = "cloud.mjallen.dev";
appstoreEnable = true;
caching.redis = true;
configureRedis = true;
enableImagemagick = true;
https = true;
secretFile = secretsFile;
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "localhost";
dbtype = "sqlite";
dbname = "nextcloud";
dbuser = "nextcloud";
};
settings = {
loglevel = 3;
allow_local_remote_servers = true;
upgrade.disable-web = false;
datadirectory = "/data";
trusted_domains = [
"${hostAddress}:${toString nextcloudPortExtHttp}"
"${hostAddress}:${toString nextcloudPortExtHttps}"
"${localAddress}:80"
"${localAddress}:443"
"cloud.mjallen.dev"
];
opcache.interned_strings_buffer = 16;
trusted_proxies = [ hostAddress ];
maintenance_window_start = 6;
default_phone_region = "US";
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\PNG"
"OC\\Preview\\JPEG"
"OC\\Preview\\GIF"
"OC\\Preview\\BMP"
"OC\\Preview\\XBitmap"
"OC\\Preview\\MP3"
"OC\\Preview\\TXT"
"OC\\Preview\\MarkDown"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\HEIC"
"OC\\Preview\\Movie"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
];
installed = true;
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
};
};
};
services.onlyoffice = {
enable = true;
port = onlyofficePortExt;
hostname = "office.mjallen.dev";
jwtSecretFile = jwtSecretFile;
};
# System packages
environment.systemPackages = with pkgs; [
cudaPackages.cudnn
cudatoolkit
ffmpeg
# libtensorflow-bin
nextcloud31
nodejs
onlyoffice-documentserver
sqlite
];
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
};
users.users.onlyoffice = {
group = lib.mkForce "nextcloud";
};
users.groups = {
nextcloud = {
gid = lib.mkForce nextcloudGroupId;
};
downloads = { };
};
# Create and set permissions for required directories
system.activationScripts.nextcloud-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
chmod -R 775 /data
chmod -R 750 /run/secrets/jallen-nas/nextcloud
'';
hardware = {
graphics = {
enable = true;
# setLdLibraryPath = true;
};
};
programs = {
nix-ld.enable = true;
};
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
80
443
onlyofficePortExt
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${localAddress}:443";
sourcePort = nextcloudPortExtHttps;
}
{
destination = "${localAddress}:80";
sourcePort = nextcloudPortExtHttp;
}
{
destination = "${localAddress}:8000";
sourcePort = 8000;
}
{
destination = "${localAddress}:${toString onlyofficePortExt}";
sourcePort = onlyofficePortExt;
}
];
};
};
};
}
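Review bot: `onlyofficePortExt = 9943` is the same value as `nextcloudPortExtHttps = 9943`, so the NAT `forwardPorts` list maps host port 9943 twice — once to `${localAddress}:443` and once to `${localAddress}:9943` — and the container firewall opens 9943 for OnlyOffice while `trusted_domains` advertises it as the Nextcloud HTTPS port; one of the two constants needs a distinct port. The `secrets` bind mount is declared `isReadOnly = true`, yet the activation script runs `chown -R` and `chmod -R 750` on `/run/secrets/jallen-nas/nextcloud`, which will most likely fail on a read-only mount (and sops-nix already sets owner and mode on the files it renders); dropping those two lines, or setting the owner on the host-side sops secret declaration, is the cleaner fix. `dbtype = "sqlite"` together with `dbhost = "localhost"` and `database.createLocally = true` is inconsistent — the latter two appear to apply only to a network database, so either they are leftovers or the sqlite choice is, and Nextcloud itself advises against sqlite outside testing.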


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.nextcloud = {
enable = mkEnableOption "enable nextcloud";
};
}


@@ -0,0 +1,77 @@
{ config, lib, pkgs, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.ollama;
llamaPackage = pkgs.llama-cpp.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "ggml-org";
repo = "llama.cpp";
rev = "b4920";
sha256 = "sha256-SnQIeY74JpAPRMxWcpklDH5D4CQvAgi0GYx5+ECk2J4=";
};
# Optionally override other attributes if you need to
# version = "my-fork-version";
# pname = "llama-cpp-custom";
});
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
services.ollama = {
enable = true;
port = 11434;
host = "0.0.0.0";
user = "nix-apps";
group = "jallen-nas";
openFirewall = true;
acceleration = "cuda";
home = "/media/nas/ssd/nix-app-data/ollama";
};
environment.systemPackages = [ llamaPackage ];
services.llama-cpp = {
enable = true;
port = 8127;
host = "0.0.0.0";
openFirewall = true;
model = "/media/nas/ssd/nix-app-data/llama-cpp/models/functionary-small-v3.2-GGUF/functionary-small-v3.2.Q4_0.gguf";
package = llamaPackage; # pkgs.unstable.llama-cpp;
extraFlags = [
"--n_gpu-layers"
"500"
"-c"
"0"
"--numa"
"numactl"
"--jinja"
];
};
services.open-webui = {
enable = false;
host = "0.0.0.0";
port = 8888;
openFirewall = true;
# stateDir = "/media/nas/ssd/nix-app-data/open-webui";
environmentFile = config.sops.secrets."jallen-nas/open-webui".path;
environment = {
OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
OAUTH_PROVIDER_NAME = "authentik";
OPENID_REDIRECT_URI = "https://chat.mjallen.dev/oauth/oidc/callback";
ENABLE_OAUTH_SIGNUP = "False";
OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "True";
ENABLE_SIGNUP = "False";
ENABLE_LOGIN_FORM = "False";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
LOCAL_FILES_ONLY = "False";
WEBUI_AUTH = "False";
};
};
};
}
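Review bot: The `open-webui` block combines OIDC settings with `WEBUI_AUTH = "False"`, which disables authentication in open-webui altogether, so the `OPENID_*`/`OAUTH_*` settings and `ENABLE_LOGIN_FORM = "False"` would have no effect and the UI would be reachable without any login by anyone on the network if this block is later switched to `enable = true`; `WEBUI_AUTH = "True";` (or removing the line) is what the rest of the block assumes. The `ollama` and `llama-cpp` services both bind `host = "0.0.0.0"` with `openFirewall = true`, and neither has authentication of its own; the only consumer visible here is open-webui via `http://127.0.0.1:11434`, so `host = "127.0.0.1"` without `openFirewall` would serve that path while keeping the model endpoints off the LAN, assuming no other hosts depend on them. The llama.cpp `src` pinned by `rev` and `sha256` is the right pattern and worth keeping.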


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.ollama = {
enable = mkEnableOption "enable ollama";
};
}


@@ -0,0 +1,106 @@
{ config, lib, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.paperless;
paperlessPort = 28981;
paperlessUserId = config.users.users.nix-apps.uid;
paperlessGroupId = config.users.groups.jallen-nas.gid;
paperlessEnv = config.sops.templates."paperless.env".path;
paperlessPkg = pkgs.paperless-ngx;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.paperless = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.3";
localAddress = "10.0.1.20";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::20";
config =
{
lib,
...
}:
{
# Enable paperless service
services.paperless = {
enable = false;
package = paperlessPkg;
port = paperlessPort;
user = "paperless";
address = "0.0.0.0";
passwordFile = "/var/lib/paperless/paperless-password";
# environmentFile = paperlessEnv; # unstable is too unstable, but this doesnt exist in stable.... disabling altogether....
};
# Create required users and groups
users.groups = {
documents = {
gid = lib.mkForce paperlessGroupId;
};
};
users.users.paperless = {
isSystemUser = true;
uid = lib.mkForce paperlessUserId;
group = lib.mkForce "documents";
};
# Create and set permissions for required directories
system.activationScripts.paperless-dirs = ''
mkdir -p /var/lib/paperless
chown -R paperless:documents /var/lib/paperless
chmod -R 775 /var/lib/paperless
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ paperlessPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
"/var/lib/paperless" = {
hostPath = "/media/nas/ssd/nix-app-data/paperless";
isReadOnly = false;
};
secrets = {
hostPath = "/run/secrets/jallen-nas/paperless";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/paperless";
};
secret-env = {
hostPath = "/run/secrets/rendered/paperless.env";
isReadOnly = true;
mountPoint = "/run/secrets/rendered/paperless.env";
};
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.20:28981";
sourcePort = paperlessPort;
}
];
};
};
}
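Review bot: `pkgs` is not in this module's argument set (`{ config, lib, namespace, ... }`) but `paperlessPkg = pkgs.paperless-ngx` dereferences it, so evaluating the configuration with `paperless.enable = true` (which this commit sets in the NAS config) should fail with an undefined-variable error; the fix is `{ config, lib, pkgs, namespace, ... }:`. The activation script's `chmod -R 775 /var/lib/paperless` also covers `/var/lib/paperless/paperless-password`, leaving the admin password group-writable for `documents` (gid = jallen-nas); set that file to 0600 after the recursive chmod. Note too that `services.paperless.enable = false` while the container still autostarts, bind-mounts the sops secrets and receives a NAT forward, so the secrets are mounted into a container that runs nothing needing them, and `paperlessEnv` is computed but never used.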


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.paperless = {
enable = mkEnableOption "enable paperless";
};
}

397
modules/nixos/traefik/default.nix Executable file

@@ -0,0 +1,397 @@
{ config, lib, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.traefik;
domain = "mjallen.dev";
serverIp = "10.0.1.3";
# Forward services
authUrl = "http://${serverIp}:9000/outpost.goauthentik.io";
actualUrl = "http://${config.containers.actual.localAddress}:${toString config.containers.actual.config.services.actual.settings.port}";
authentikUrl = "http://${serverIp}:9000";
cacheUrl = "http://${serverIp}:9012";
cloudUrl = "http://${config.containers.nextcloud.localAddress}:80";
giteaUrl = "http://${config.containers.gitea.localAddress}:${toString config.containers.gitea.config.services.gitea.settings.server.HTTP_PORT}";
hassUrl = "http://homeassistant.local:8123";
immichUrl = "http://${serverIp}:${toString config.services.immich.port}";
jellyfinUrl = "http://${serverIp}:8096";
jellyseerrUrl = "http://${config.containers.jellyseerr.localAddress}:${toString config.containers.jellyseerr.config.services.jellyseerr.port}";
lubeloggerUrl = "http://${serverIp}:6754";
onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
openWebUIUrl = "http://${serverIp}:8888";
paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
# Plugins
traefikPlugins = {
bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.4.2";
};
geoblock = {
moduleName = "github.com/PascalMinder/geoblock";
version = "v0.2.5";
};
};
crowdsecAppsecHost = "${serverIp}:7422";
crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
# Ports
httpPort = 80;
httpsPort = 443;
traefikPort = 8080;
metricsPort = 8082;
forwardPorts = [
httpPort
httpsPort
traefikPort
metricsPort
];
# misc
letsEncryptEmail = "jalle008@proton.me";
dataDir = "/media/nas/ssd/nix-app-data/traefik";
authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik";
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
sops = {
secrets = {
"jallen-nas/traefik/crowdsec-lapi-key" = {
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-dns-api-token" = { };
"jallen-nas/traefik/cloudflare-zone-api-token" = { };
"jallen-nas/traefik/cloudflare-api-key" = { };
"jallen-nas/traefik/cloudflare-email" = { };
};
templates = {
"traefik.env" = {
content = ''
CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
CLOUDFLARE_ZONE_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
'';
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
};
};
networking.firewall = {
allowedTCPPorts = forwardPorts;
allowedUDPPorts = forwardPorts;
};
services.traefik = {
enable = true;
dataDir = dataDir;
group = "jallen-nas";#group;
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
staticConfigOptions = {
entryPoints = {
web = {
address = ":${toString httpPort}";
asDefault = true;
http.redirections.entrypoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":${toString httpsPort}";
asDefault = true;
http.tls.certResolver = "letsencrypt";
};
metrics = {
address = ":${toString metricsPort}"; # Port for metrics
};
};
log = {
level = "INFO";
};
metrics = {
prometheus = {
entryPoint = "metrics";
addEntryPointsLabels = true;
addServicesLabels = true;
buckets = [0.1 0.3 1.2 5.0]; # Response time buckets
};
};
certificatesResolvers.letsencrypt.acme = {
email = letsEncryptEmail;
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
api.dashboard = true;
# Access the Traefik dashboard on <Traefik IP>:8080 of your server
api.insecure = true;
experimental = {
plugins = traefikPlugins;
};
};
dynamicConfigOptions = {
http = {
middlewares = {
authentik = {
forwardAuth = {
tls.insecureSkipVerify = true;
address = authentikAddress;
trustForwardHeader = true;
authResponseHeaders = [
"X-authentik-username"
"X-authentik-groups"
"X-authentik-email"
"X-authentik-name"
"X-authentik-uid"
"X-authentik-jwt"
"X-authentik-meta-jwks"
"X-authentik-meta-outpost"
"X-authentik-meta-provider"
"X-authentik-meta-app"
"X-authentik-meta-version"
];
};
};
onlyoffice-websocket = {
headers.customrequestheaders = {
X-Forwarded-Proto = "https";
};
};
crowdsec = {
plugin = {
bouncer = {
crowdsecAppsecEnabled = true;
crowdsecAppsecHost = crowdsecAppsecHost;
crowdsecAppsecFailureBlock = true;
crowdsecAppsecUnreachableBlock = true;
crowdsecLapiKeyFile = crowdsecLapiKeyFile;
};
};
};
whitelist-geoblock = {
plugin = {
geoblock = {
silentStartUp = false;
allowLocalRequests = true;
logLocalRequests = false;
logAllowedRequests = false;
logApiRequests = false;
api = "https://get.geojs.io/v1/ip/country/{ip}";
apiTimeoutMs = 500;
cacheSize = 25;
forceMonthlyUpdate = true;
allowUnknownCountries = false;
unknownCountryApiResponse = "nil";
blackListMode = false;
countries = [
"CA"
"US"
];
};
};
};
internal-ipallowlist =
{
ipAllowList = {
sourceRange = [
"127.0.0.1/32"
"10.0.1.0/24"
];
};
};
};
services = {
auth.loadBalancer.servers = [
{
url = authUrl;
}
];
actual.loadBalancer.servers = [
{
url = actualUrl;
}
];
authentik.loadBalancer.servers = [
{
url = authentikUrl;
}
];
cache.loadBalancer.servers = [
{
url = cacheUrl;
}
];
chat.loadBalancer.servers = [
{
url = openWebUIUrl;
}
];
cloud.loadBalancer.servers = [
{
url = cloudUrl;
}
];
gitea.loadBalancer.servers = [
{
url = giteaUrl;
}
];
hass.loadBalancer.servers = [
{
url = hassUrl;
}
];
immich.loadBalancer.servers = [
{
url = immichUrl;
}
];
jellyfin.loadBalancer.servers = [
{
url = jellyfinUrl;
}
];
jellyseerr.loadBalancer.servers = [
{
url = jellyseerrUrl;
}
];
lubelogger.loadBalancer.servers = [
{
url = lubeloggerUrl;
}
];
onlyoffice.loadBalancer.servers = [
{
url = onlyofficeUrl;
}
];
paperless.loadBalancer.servers = [
{
url = paperlessUrl;
}
];
};
routers = {
auth = {
entryPoints = [ "websecure" ];
rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
service = "auth";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
priority = 15;
tls.certResolver = "letsencrypt";
};
actual = {
entryPoints = [ "websecure" ];
rule = "Host(`actual.${domain}`)";
service = "actual";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
authentik = {
entryPoints = [ "websecure" ];
rule = "Host(`authentik.${domain}`)";
service = "authentik";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
cache = {
entryPoints = [ "websecure" ];
rule = "Host(`cache.${domain}`)";
service = "cache";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
cloud = {
entryPoints = [ "websecure" ];
rule = "Host(`cloud.${domain}`)";
service = "cloud";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.${domain}`)";
service = "gitea";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
hass = {
entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)";
service = "hass";
middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
immich = {
entryPoints = [ "websecure" ];
rule = "Host(`immich.${domain}`)";
service = "immich";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
jellyfin = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyfin.${domain}`)";
service = "jellyfin";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
jellyseerr = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyseerr.${domain}`)";
service = "jellyseerr";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
lubelogger = {
entryPoints = [ "websecure" ];
rule = "Host(`lubelogger.${domain}`)";
service = "lubelogger";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
onlyoffice = {
entryPoints = [ "websecure" ];
rule = "Host(`office.${domain}`)";
service = "onlyoffice";
middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
tls.certResolver = "letsencrypt";
};
};
};
};
};
};
}
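Review bot: `api.insecure = true` serves the Traefik API and dashboard without authentication on `:8080`, and `traefikPort` is part of `forwardPorts`, which `networking.firewall` opens for TCP and UDP, so anyone on the LAN can read the full routing table including backend URLs; set `api.insecure = false;`, drop `traefikPort` (and `metricsPort`, unless Prometheus scrapes from another host) from the firewall list, and expose the dashboard only through a router on `api@internal` behind the `internal-ipallowlist` and `authentik` middlewares — `internal-ipallowlist` is defined here but attached to no router. `environmentFiles` still reads a plaintext `traefik.env` from `dataDir` (the `# todo: sops` line) even though the sops template a few lines above already renders exactly those Cloudflare variables; `environmentFiles = [ config.sops.templates."traefik.env".path ];` closes that gap and the plaintext file can then be deleted. `allowedUDPPorts = forwardPorts` opens UDP 80/443/8080/8082 although no UDP entrypoint (HTTP/3) is configured, so that line can go. The `authentik` forwardAuth sets `tls.insecureSkipVerify = true` against an `http://` address, which does nothing today but will silently disable verification if the outpost ever moves to TLS.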


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.traefik = {
enable = mkEnableOption "enable traefik";
};
}


@@ -0,0 +1,27 @@
{ config, lib, namespace, ... }:
with lib;
let
cfg = config.${namespace}.services.wyoming;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
services.wyoming = {
faster-whisper.servers.hass-whisper = {
enable = true;
useTransformers = false;
device = "cuda";
language = "en";
model = "distil-large-v3";
uri = "tcp://0.0.0.0:10300";
};
piper.servers.hass-piper = {
enable = true;
voice = "en-us-ryan-high";
uri = "tcp://0.0.0.0:10200";
};
};
};
}
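Review bot: Both Wyoming servers listen on `tcp://0.0.0.0:10300` and `tcp://0.0.0.0:10200`, and nothing here adds authentication (the Wyoming protocol itself, as far as I know, has none), so anything that can reach those ports can submit audio for transcription or request synthesis. This module does not open the firewall itself, so actual exposure depends on the host's `networking.firewall` port list, which is outside this hunk; if Home Assistant is the only client, binding to the host's LAN address (`10.0.1.3`) or limiting the ports to its source IP would be the tighter default.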


@@ -0,0 +1,7 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.wyoming = {
enable = mkEnableOption "enable wyoming";
};
}


@@ -1,25 +1,18 @@
{ pkgs, lib, ... }:
let
settings = import ./settings.nix;
in
{ pkgs, lib, namespace, ... }:
{
imports = [
./apps/actual
./apps/arrs
./apps/crowdsec
./apps/excalidraw
./apps/gitea
./apps/immich
./apps/jellyfin
./apps/jellyseerr
./apps/lubelogger
./apps/nextcloud
./apps/ollama
./apps/orca
./apps/paperless
./apps/traefik
./apps/wyoming
];
${namespace} = {
services = {
immich.enable = true;
jellyfin.enable = true;
jellyseerr.enable = true;
lubelogger.enable = true;
nextcloud.enable = true;
ollama.enable = true;
paperless.enable = true;
traefik.enable = true;
wyoming.enable = true;
};
};
nas-apps = {
actual = {
@@ -71,7 +64,7 @@ in
crowdsec = {
enable = true;
port = 9898;
apiAddress = settings.hostAddress;
apiAddress = "10.0.1.3";
apiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
dataDir = "/media/nas/ssd/nix-app-data/crowdsec";
};
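Review bot: `apiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE"` is a CrowdSec API key committed in cleartext; it is context here rather than introduced by this commit, but it lives in a NixOS module and therefore also lands in the world-readable `/nix/store` on every rebuild. The traefik module in this same commit already takes its LAPI key from sops (`config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path`), so the same pattern applies here — assuming the `nas-apps.crowdsec` module, which is outside this view, can accept a file path instead of a literal. Because the key is already in git history, rotate it as part of the move.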


@@ -1,13 +0,0 @@
{ config, ... }:
{
virtualisation.oci-containers.containers.excalidraw = {
autoStart = true;
image = "excalidraw/excalidraw";
ports = [ "8765:80" ];
environment = {
PUID = toString config.users.users.nix-apps.uid;
PGID = toString config.users.groups.jallen-nas.gid;
TZ = "America/Chicago";
};
};
}


@@ -1,27 +0,0 @@
{ config, lib, ... }:
let
settings = import ../../settings.nix;
immichPort = 2283;
dataDir = "/media/nas/main/photos";
dbPassword = config.sops.secrets."jallen-nas/immich/db-password".path;
in
{
# Enable immich service
services.immich = {
enable = true;
port = immichPort;
openFirewall = true;
secretsFile = dbPassword;
mediaLocation = dataDir;
environment = {
IMMICH_HOST = lib.mkForce "0.0.0.0";
IMMICH_TRUSTED_PROXIES = settings.hostAddress;
TZ = "America/Chicago";
};
machine-learning = {
enable = true;
};
};
}


@@ -1,11 +0,0 @@
{ ... }:
{
services.jellyfin = {
enable = true;
openFirewall = true;
user = "nix-apps";
group = "jallen-nas";
dataDir = "/media/nas/ssd/nix-app-data/jellyfin";
# cacheDir = "/cache";
};
}


@@ -1,73 +0,0 @@
{ ... }:
let
jellyseerrPort = 5055;
dataDir = "/var/lib/private/jellyseerr";
settings = import ../../settings.nix;
in
{
containers.jellyseerr = {
autoStart = true;
privateNetwork = true;
hostAddress = settings.hostAddress;
localAddress = "10.0.1.52";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::4";
bindMounts = {
${dataDir} = {
hostPath = "/media/nas/ssd/nix-app-data/jellyseerr";
isReadOnly = false;
};
};
config =
{
lib,
...
}:
{
# Enable jellyseerr service
services.jellyseerr = {
enable = true;
port = jellyseerrPort;
# package = package;
openFirewall = true;
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ jellyseerrPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
# Create and set permissions for required directories
system.activationScripts.jellyseerr-dirs = ''
mkdir -p /var/lib/private/jellyseerr
chown -R jellyseerr:jellyseerr /var/lib/private/jellyseerr
chmod -R 775 /var/lib/private/jellyseerr
ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin
'';
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.52:5055";
sourcePort = jellyseerrPort;
}
];
};
}


@@ -1,20 +0,0 @@
{ config, ... }:
{
virtualisation.oci-containers.containers.lubelogger = {
autoStart = true;
image = "ghcr.io/hargata/lubelogger";
ports = [ "6754:8080" ];
volumes = [
"/media/nas/ssd/nix-app-data/lubelogger:/App/data"
"/media/nas/ssd/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
];
environmentFiles = [
"/media/nas/ssd/nix-app-data/lubelogger/lubelogger.env"
];
environment = {
PUID = toString config.users.users.nix-apps.uid;
PGID = toString config.users.groups.jallen-nas.gid;
TZ = "America/Chicago";
};
};
}


@@ -1,237 +0,0 @@
{ config, pkgs, namespace, ... }:
let
settings = import ../../settings.nix;
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid;
nextcloudPackage = pkgs.nextcloud31;
hostAddress = settings.hostAddress;
localAddress = "10.0.2.18";
nextcloudPortExtHttp = 9988;
nextcloudPortExtHttps = 9943;
onlyofficePortExt = 9943;
systemPackages = with pkgs; [
cudaPackages.cudnn
cudatoolkit
ffmpeg
# libtensorflow-bin
nextcloud31
nodejs
onlyoffice-documentserver
sqlite
];
in
{
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
specialArgs = {
inherit namespace;
};
bindMounts = {
secrets = {
hostPath = "/run/secrets/jallen-nas/nextcloud";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/nextcloud";
};
secrets2 = {
hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
};
data = {
hostPath = "/media/nas/main/nextcloud";
isReadOnly = false;
mountPoint = "/data";
};
"/var/lib/nextcloud" = {
hostPath = "/media/nas/ssd/nix-app-data/nextcloud";
isReadOnly = false;
mountPoint = "/var/lib/nextcloud";
};
"/var/lib/onlyoffice" = {
hostPath = "/media/nas/ssd/nix-app-data/onlyoffice";
isReadOnly = false;
mountPoint = "/var/lib/onlyoffice";
};
};
config =
{ pkgs, lib, namespace, ... }:
{
nixpkgs.config.allowUnfree = true;
networking.extraHosts = ''
${hostAddress} host.containers protonmail-bridge
'';
services = {
nextcloud = {
enable = true;
package = nextcloudPackage;
# datadir = "/data";
database.createLocally = true;
hostName = "cloud.mjallen.dev";
appstoreEnable = true;
caching.redis = true;
configureRedis = true;
enableImagemagick = true;
https = true;
secretFile = secretsFile;
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "localhost";
dbtype = "sqlite";
dbname = "nextcloud";
dbuser = "nextcloud";
};
settings = {
loglevel = 3;
allow_local_remote_servers = true;
upgrade.disable-web = false;
datadirectory = "/data";
trusted_domains = [
"${hostAddress}:${toString nextcloudPortExtHttp}"
"${hostAddress}:${toString nextcloudPortExtHttps}"
"${localAddress}:80"
"${localAddress}:443"
"cloud.mjallen.dev"
];
opcache.interned_strings_buffer = 16;
trusted_proxies = [ hostAddress ];
maintenance_window_start = 6;
default_phone_region = "US";
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\PNG"
"OC\\Preview\\JPEG"
"OC\\Preview\\GIF"
"OC\\Preview\\BMP"
"OC\\Preview\\XBitmap"
"OC\\Preview\\MP3"
"OC\\Preview\\TXT"
"OC\\Preview\\MarkDown"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\HEIC"
"OC\\Preview\\Movie"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
];
installed = true;
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
};
};
};
services.onlyoffice = {
enable = true;
port = onlyofficePortExt;
hostname = "office.mjallen.dev";
jwtSecretFile = jwtSecretFile;
};
# System packages
environment.systemPackages = systemPackages;
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
};
users.users.onlyoffice = {
group = lib.mkForce "nextcloud";
};
users.groups = {
nextcloud = {
gid = lib.mkForce nextcloudGroupId;
};
downloads = { };
};
# Create and set permissions for required directories
system.activationScripts.nextcloud-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
chmod -R 775 /data
chmod -R 750 /run/secrets/jallen-nas/nextcloud
'';
hardware = {
graphics = {
enable = true;
# setLdLibraryPath = true;
};
};
programs = {
nix-ld.enable = true;
};
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
80
443
onlyofficePortExt
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${localAddress}:443";
sourcePort = nextcloudPortExtHttps;
}
{
destination = "${localAddress}:80";
sourcePort = nextcloudPortExtHttp;
}
{
destination = "${localAddress}:8000";
sourcePort = 8000;
}
{
destination = "${localAddress}:${toString onlyofficePortExt}";
sourcePort = onlyofficePortExt;
}
];
};
};
}


@@ -1,70 +0,0 @@
{ config, pkgs, ... }:
let
llamaPackage = pkgs.llama-cpp.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "ggml-org";
repo = "llama.cpp";
rev = "b4920";
sha256 = "sha256-SnQIeY74JpAPRMxWcpklDH5D4CQvAgi0GYx5+ECk2J4=";
};
# Optionally override other attributes if you need to
# version = "my-fork-version";
# pname = "llama-cpp-custom";
});
in
{
services.ollama = {
enable = true;
port = 11434;
host = "0.0.0.0";
user = "nix-apps";
group = "jallen-nas";
openFirewall = true;
acceleration = "cuda";
home = "/media/nas/ssd/nix-app-data/ollama";
};
environment.systemPackages = [ llamaPackage ];
services.llama-cpp = {
enable = true;
port = 8127;
host = "0.0.0.0";
openFirewall = true;
model = "/media/nas/ssd/nix-app-data/llama-cpp/models/functionary-small-v3.2-GGUF/functionary-small-v3.2.Q4_0.gguf";
package = llamaPackage; # pkgs.unstable.llama-cpp;
extraFlags = [
"--n_gpu-layers"
"500"
"-c"
"0"
"--numa"
"numactl"
"--jinja"
];
};
services.open-webui = {
enable = false;
host = "0.0.0.0";
port = 8888;
openFirewall = true;
# stateDir = "/media/nas/ssd/nix-app-data/open-webui";
environmentFile = config.sops.secrets."jallen-nas/open-webui".path;
environment = {
OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
OAUTH_PROVIDER_NAME = "authentik";
OPENID_REDIRECT_URI = "https://chat.mjallen.dev/oauth/oidc/callback";
ENABLE_OAUTH_SIGNUP = "False";
OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "True";
ENABLE_SIGNUP = "False";
ENABLE_LOGIN_FORM = "False";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
LOCAL_FILES_ONLY = "False";
WEBUI_AUTH = "False";
};
};
}


@@ -1,104 +0,0 @@
{
config,
pkgs,
...
}:
let
settings = import ../../settings.nix;
paperlessPort = 28981;
paperlessUserId = config.users.users.nix-apps.uid;
paperlessGroupId = config.users.groups.jallen-nas.gid;
paperlessEnv = config.sops.templates."paperless.env".path;
paperlessPkg = pkgs.paperless-ngx;
in
{
containers.paperless = {
autoStart = true;
privateNetwork = true;
hostAddress = settings.hostAddress;
localAddress = "10.0.1.20";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::20";
config =
{
lib,
...
}:
{
# Enable paperless service
services.paperless = {
enable = false;
package = paperlessPkg;
port = paperlessPort;
user = "paperless";
address = "0.0.0.0";
passwordFile = "/var/lib/paperless/paperless-password";
# environmentFile = paperlessEnv; # unstable is too unstable, but this doesnt exist in stable.... disabling altogether....
};
# Create required users and groups
users.groups = {
documents = {
gid = lib.mkForce paperlessGroupId;
};
};
users.users.paperless = {
isSystemUser = true;
uid = lib.mkForce paperlessUserId;
group = lib.mkForce "documents";
};
# Create and set permissions for required directories
system.activationScripts.paperless-dirs = ''
mkdir -p /var/lib/paperless
chown -R paperless:documents /var/lib/paperless
chmod -R 775 /var/lib/paperless
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ paperlessPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
"/var/lib/paperless" = {
hostPath = "/media/nas/ssd/nix-app-data/paperless";
isReadOnly = false;
};
secrets = {
hostPath = "/run/secrets/jallen-nas/paperless";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/paperless";
};
secret-env = {
hostPath = "/run/secrets/rendered/paperless.env";
isReadOnly = true;
mountPoint = "/run/secrets/rendered/paperless.env";
};
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.20:28981";
sourcePort = paperlessPort;
}
];
};
}


@@ -1,391 +0,0 @@
{ config, ... }:
let
settings = import ../../settings.nix;
domain = "mjallen.dev";
serverIp = settings.hostAddress;
# Forward services
authUrl = "http://${serverIp}:9000/outpost.goauthentik.io";
actualUrl = "http://${config.containers.actual.localAddress}:${toString config.containers.actual.config.services.actual.settings.port}";
authentikUrl = "http://${serverIp}:9000";
cacheUrl = "http://${serverIp}:9012";
cloudUrl = "http://${config.containers.nextcloud.localAddress}:80";
giteaUrl = "http://${config.containers.gitea.localAddress}:${toString config.containers.gitea.config.services.gitea.settings.server.HTTP_PORT}";
hassUrl = "http://homeassistant.local:8123";
immichUrl = "http://${serverIp}:${toString config.services.immich.port}";
jellyfinUrl = "http://${serverIp}:8096";
jellyseerrUrl = "http://${config.containers.jellyseerr.localAddress}:${toString config.containers.jellyseerr.config.services.jellyseerr.port}";
lubeloggerUrl = "http://${serverIp}:6754";
onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
openWebUIUrl = "http://${serverIp}:8888";
paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
# Plugins
traefikPlugins = {
bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.4.2";
};
geoblock = {
moduleName = "github.com/PascalMinder/geoblock";
version = "v0.2.5";
};
};
crowdsecAppsecHost = "${serverIp}:7422";
crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
# Ports
httpPort = 80;
httpsPort = 443;
traefikPort = 8080;
metricsPort = 8082;
forwardPorts = [
httpPort
httpsPort
traefikPort
metricsPort
];
# misc
letsEncryptEmail = "jalle008@proton.me";
dataDir = "/media/nas/ssd/nix-app-data/traefik";
authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik";
in
{
sops = {
secrets = {
"jallen-nas/traefik/crowdsec-lapi-key" = {
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-dns-api-token" = { };
"jallen-nas/traefik/cloudflare-zone-api-token" = { };
"jallen-nas/traefik/cloudflare-api-key" = { };
"jallen-nas/traefik/cloudflare-email" = { };
};
templates = {
"traefik.env" = {
content = ''
CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
CLOUDFLARE_ZONE_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
'';
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
};
};
networking.firewall = {
allowedTCPPorts = forwardPorts;
allowedUDPPorts = forwardPorts;
};
services.traefik = {
enable = true;
dataDir = dataDir;
group = "jallen-nas";#group;
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
staticConfigOptions = {
entryPoints = {
web = {
address = ":${toString httpPort}";
asDefault = true;
http.redirections.entrypoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":${toString httpsPort}";
asDefault = true;
http.tls.certResolver = "letsencrypt";
};
metrics = {
address = ":${toString metricsPort}"; # Port for metrics
};
};
log = {
level = "INFO";
};
metrics = {
prometheus = {
entryPoint = "metrics";
addEntryPointsLabels = true;
addServicesLabels = true;
buckets = [0.1 0.3 1.2 5.0]; # Response time buckets
};
};
certificatesResolvers.letsencrypt.acme = {
email = letsEncryptEmail;
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
api.dashboard = true;
# Access the Traefik dashboard on <Traefik IP>:8080 of your server
api.insecure = true;
experimental = {
plugins = traefikPlugins;
};
};
dynamicConfigOptions = {
http = {
middlewares = {
authentik = {
forwardAuth = {
tls.insecureSkipVerify = true;
address = authentikAddress;
trustForwardHeader = true;
authResponseHeaders = [
"X-authentik-username"
"X-authentik-groups"
"X-authentik-email"
"X-authentik-name"
"X-authentik-uid"
"X-authentik-jwt"
"X-authentik-meta-jwks"
"X-authentik-meta-outpost"
"X-authentik-meta-provider"
"X-authentik-meta-app"
"X-authentik-meta-version"
];
};
};
onlyoffice-websocket = {
headers.customrequestheaders = {
X-Forwarded-Proto = "https";
};
};
crowdsec = {
plugin = {
bouncer = {
crowdsecAppsecEnabled = true;
crowdsecAppsecHost = crowdsecAppsecHost;
crowdsecAppsecFailureBlock = true;
crowdsecAppsecUnreachableBlock = true;
crowdsecLapiKeyFile = crowdsecLapiKeyFile;
};
};
};
whitelist-geoblock = {
plugin = {
geoblock = {
silentStartUp = false;
allowLocalRequests = true;
logLocalRequests = false;
logAllowedRequests = false;
logApiRequests = false;
api = "https://get.geojs.io/v1/ip/country/{ip}";
apiTimeoutMs = 500;
cacheSize = 25;
forceMonthlyUpdate = true;
allowUnknownCountries = false;
unknownCountryApiResponse = "nil";
blackListMode = false;
countries = [
"CA"
"US"
];
};
};
};
internal-ipallowlist =
{
ipAllowList = {
sourceRange = [
"127.0.0.1/32"
"10.0.1.0/24"
];
};
};
};
services = {
auth.loadBalancer.servers = [
{
url = authUrl;
}
];
actual.loadBalancer.servers = [
{
url = actualUrl;
}
];
authentik.loadBalancer.servers = [
{
url = authentikUrl;
}
];
cache.loadBalancer.servers = [
{
url = cacheUrl;
}
];
chat.loadBalancer.servers = [
{
url = openWebUIUrl;
}
];
cloud.loadBalancer.servers = [
{
url = cloudUrl;
}
];
gitea.loadBalancer.servers = [
{
url = giteaUrl;
}
];
hass.loadBalancer.servers = [
{
url = hassUrl;
}
];
immich.loadBalancer.servers = [
{
url = immichUrl;
}
];
jellyfin.loadBalancer.servers = [
{
url = jellyfinUrl;
}
];
jellyseerr.loadBalancer.servers = [
{
url = jellyseerrUrl;
}
];
lubelogger.loadBalancer.servers = [
{
url = lubeloggerUrl;
}
];
onlyoffice.loadBalancer.servers = [
{
url = onlyofficeUrl;
}
];
paperless.loadBalancer.servers = [
{
url = paperlessUrl;
}
];
};
routers = {
auth = {
entryPoints = [ "websecure" ];
rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
service = "auth";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
priority = 15;
tls.certResolver = "letsencrypt";
};
actual = {
entryPoints = [ "websecure" ];
rule = "Host(`actual.${domain}`)";
service = "actual";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
authentik = {
entryPoints = [ "websecure" ];
rule = "Host(`authentik.${domain}`)";
service = "authentik";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
cache = {
entryPoints = [ "websecure" ];
rule = "Host(`cache.${domain}`)";
service = "cache";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
cloud = {
entryPoints = [ "websecure" ];
rule = "Host(`cloud.${domain}`)";
service = "cloud";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.${domain}`)";
service = "gitea";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
hass = {
entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)";
service = "hass";
middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
immich = {
entryPoints = [ "websecure" ];
rule = "Host(`immich.${domain}`)";
service = "immich";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
jellyfin = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyfin.${domain}`)";
service = "jellyfin";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
jellyseerr = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyseerr.${domain}`)";
service = "jellyseerr";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
lubelogger = {
entryPoints = [ "websecure" ];
rule = "Host(`lubelogger.${domain}`)";
service = "lubelogger";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
onlyoffice = {
entryPoints = [ "websecure" ];
rule = "Host(`office.${domain}`)";
service = "onlyoffice";
middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
tls.certResolver = "letsencrypt";
};
};
};
};
};
}


@@ -1,19 +0,0 @@
{ pkgs, ... }:
{
services.wyoming = {
faster-whisper.servers.hass-whisper = {
enable = true;
useTransformers = false;
device = "cuda";
language = "en";
model = "distil-large-v3";
uri = "tcp://0.0.0.0:10300";
};
piper.servers.hass-piper = {
enable = true;
voice = "en-us-ryan-high";
uri = "tcp://0.0.0.0:10200";
};
};
}


@@ -1,6 +1,5 @@
{ config, lib, ... }:
let
settings = import ./settings.nix;
ports = [
8008 # restic
9000 # authentik
@@ -29,7 +28,7 @@ in
{
# Networking configs
networking = {
hostName = lib.mkForce settings.hostName;
hostName = lib.mkForce "jallen-nas";
useNetworkd = true;
@@ -50,7 +49,7 @@ in
type = "wifi";
};
ipv4 = {
address1 = "${settings.hostAddress}/24";
address1 = "10.0.1.3/24";
dns = "10.0.1.1";
gateway = "10.0.1.1";
method = "manual";


@@ -1,6 +1,5 @@
{ config, lib, ... }:
let
# settings = import ./settings.nix;
ports = [
8192
];
@@ -8,7 +7,7 @@ in
{
# Networking configs
networking = {
hostName = lib.mkForce "nuc-nixos";#settings.hostName;
hostName = lib.mkForce "nuc-nixos";
useNetworkd = true;