diff --git a/flake.nix.ori b/flake.nix.ori deleted file mode 100755 index 4d6746a..0000000 --- a/flake.nix.ori +++ /dev/null 
@@ -1,938 +0,0 @@ -{ - description = "flake for matt-nixos"; - - inputs = { - - ##################################################### - # Desktop # - ##################################################### - - # nixpgs - desktop-nixpkgs = { - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - # Chaotic-nix - desktop-chaotic = { - url = "github:chaotic-cx/nyx/nyxpkgs-unstable"; - }; - - # Home Manager - desktop-home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "desktop-nixpkgs"; - }; - - # Impermenance - desktop-impermanence = { - url = "github:nix-community/impermanence"; - }; - - # Lanzaboote - desktop-lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.2"; - inputs.nixpkgs.follows = "desktop-nixpkgs"; - }; - - # Nix hardware - desktop-nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - - # Sops-nix - desktop-sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "desktop-nixpkgs"; - }; - - # steam rom manager - desktop-steam-rom-manager = { - url = "github:mjallen18/nix-steam-rom-manager"; - inputs.nixpkgs.follows = "desktop-nixpkgs"; - inputs.home-manager.follows = "desktop-home-manager"; - }; - - # cosmic launcher - desktop-cosmic = { - url = "github:lilyinstarlight/nixos-cosmic"; - inputs.nixpkgs.follows = "desktop-nixpkgs"; - }; - - desktop-nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - - ##################################################### - # NAS # - ##################################################### - - # nixpgs - nas-nixpkgs = { - # url = "github:NixOS/nixpkgs/nixos-24.11"; - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - nas-nixpkgs-stable = { - url = "github:NixOS/nixpkgs/nixos-24.11"; - }; - - # Authentik - nas-authentik-nix = { - url = "github:nix-community/authentik-nix"; - inputs.nixpkgs.follows = "nas-nixpkgs"; - }; - - # cosmic launcher - nas-cosmic = { - url = "github:lilyinstarlight/nixos-cosmic"; - 
inputs.nixpkgs.follows = "nas-nixpkgs-stable"; - }; - - # crowdsec - nas-crowdsec = { - url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git"; - inputs.nixpkgs.follows = "nas-nixpkgs"; - }; - - # Home Manager - nas-home-manager = { - # url = "github:nix-community/home-manager/release-24.11"; - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nas-nixpkgs"; - }; - - # Impermenance - nas-impermanence = { - url = "github:nix-community/impermanence"; - }; - - # Lanzaboote - nas-lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.2"; - inputs.nixpkgs.follows = "nas-nixpkgs"; - }; - - # Nix hardware - nas-nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - - # Sops-nix - nas-sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nas-nixpkgs"; - }; - - nas-nixai.url = "github:olafkfreund/nix-ai-help"; - - nas-nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - - ##################################################### - # pi5 # - ##################################################### - - # nixpgs - pi5-nixpkgs = { - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - # Home Manager - pi5-home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "pi5-nixpkgs"; - }; - - # Impermenance - pi5-impermanence = { - url = "github:nix-community/impermanence"; - }; - - # Nix hardware - pi5-nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - - # Sops-nix - pi5-sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "pi5-nixpkgs"; - }; - - pi5-disko = { - # the fork is needed for partition attributes support - url = "github:nvmd/disko/gpt-attrs"; - # url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "pi5-nixpkgs"; - }; - - pi5-cosmic = { - url = "github:lilyinstarlight/nixos-cosmic"; - inputs.nixpkgs.follows = "pi5-nixpkgs"; - }; - - ##################################################### - # pi4 # - 
##################################################### - - # nixpgs - pi4-nixpkgs = { - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - # Home Manager - pi4-home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "pi4-nixpkgs"; - }; - - # Impermenance - pi4-impermanence = { - url = "github:nix-community/impermanence"; - }; - - # Sops-nix - pi4-sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "pi4-nixpkgs"; - }; - - # Nix hardware - pi4-nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - - pi4-disko = { - # the fork is needed for partition attributes support - url = "github:nvmd/disko/gpt-attrs"; - # url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "pi4-nixpkgs"; - }; - - - nixos-raspberrypi.url = "github:nvmd/nixos-raspberrypi"; - - ##################################################### - # Steamdeck # - ##################################################### - - # nixpgs - steamdeck-nixpkgs = { - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - # Joviain for steamdeck - steamdeck-jovian = { - url = "github:Jovian-Experiments/Jovian-NixOS"; - inputs.nixpkgs.follows = "steamdeck-nixpkgs"; - }; - - # Chaotic-nix - steamdeck-chaotic = { - url = "github:chaotic-cx/nyx/nyxpkgs-unstable"; - }; - - # Impermenance - steamdeck-impermanence = { - url = "github:nix-community/impermanence"; - }; - - # Home Manager - steamdeck-home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "steamdeck-nixpkgs"; - }; - - # Lanzaboote - steamdeck-lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.2"; - inputs.nixpkgs.follows = "steamdeck-nixpkgs"; - }; - - # Sops-nix - steamdeck-sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "steamdeck-nixpkgs"; - }; - - # Nix hardware - steamdeck-nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - - # steam rom manager - steamdeck-steam-rom-manager = { - url = 
"github:mjallen18/nix-steam-rom-manager"; - inputs.nixpkgs.follows = "steamdeck-nixpkgs"; - inputs.home-manager.follows = "steamdeck-home-manager"; - }; - - steamdeck-disko = { - # the fork is needed for partition attributes support - url = "github:nvmd/disko/gpt-attrs"; - # url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "steamdeck-nixpkgs"; - }; - - ##################################################### - # MacBook # - ##################################################### - - #Apple - nix-darwin = { - url = "github:LnL7/nix-darwin"; - inputs.nixpkgs.follows = "desktop-nixpkgs"; - }; - - nix-homebrew.url = "github:zhaofengli/nix-homebrew"; - - homebrew-core = { - url = "github:homebrew/homebrew-core"; - flake = false; - }; - homebrew-cask = { - url = "github:homebrew/homebrew-cask"; - flake = false; - }; - - ##################################################### - # Macbook Nix # - ##################################################### - - # nixpgs - mac-nixpkgs = { - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - mac-nixos-apple-silicon = { - url = "github:nix-community/nixos-apple-silicon"; - }; - - # Home Manager - mac-home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "mac-nixpkgs"; - }; - - # Impermenance - mac-impermanence = { - url = "github:nix-community/impermanence"; - }; - - # Sops-nix - mac-sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "mac-nixpkgs"; - }; - - ##################################################### - # NUC # - ##################################################### - - # nixpgs - nuc-nixpkgs = { - # url = "github:NixOS/nixpkgs/nixos-24.11"; - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - # Home Manager - nuc-home-manager = { - # url = "github:nix-community/home-manager/release-24.11"; - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nuc-nixpkgs"; - }; - - # Impermenance - nuc-impermanence = { - url = 
"github:nix-community/impermanence"; - }; - - # Lanzaboote - nuc-lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.2"; - inputs.nixpkgs.follows = "nuc-nixpkgs"; - }; - - # Sops-nix - nuc-sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nuc-nixpkgs"; - }; - - nuc-disko = { - # the fork is needed for partition attributes support - url = "github:nvmd/disko/gpt-attrs"; - # url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nuc-nixpkgs"; - }; - - ##################################################### - # Common # - ##################################################### - - nixpkgs-unstable = { - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - nixpkgs-stable = { - url = "github:NixOS/nixpkgs/nixos-25.05"; - }; - }; - - outputs = - { - self, - - # Desktop - desktop-nixpkgs, - desktop-chaotic, - desktop-home-manager, - desktop-impermanence, - desktop-lanzaboote, - desktop-nixos-hardware, - desktop-sops-nix, - desktop-steam-rom-manager, - desktop-cosmic, - desktop-nix-vscode-extensions, - - # NAS - nas-nixpkgs, - nas-nixpkgs-stable, - nas-authentik-nix, - nas-cosmic, - nas-crowdsec, - nas-home-manager, - nas-impermanence, - nas-lanzaboote, - nas-nixos-hardware, - nas-sops-nix, - nas-nixai, - nas-nix-vscode-extensions, - - # pi5 - pi5-nixpkgs, - pi5-home-manager, - pi5-impermanence, - pi5-nixos-hardware, - pi5-sops-nix, - pi5-disko, - pi5-cosmic, - - # pi4 - pi4-nixpkgs, - pi4-home-manager, - pi4-impermanence, - pi4-sops-nix, - pi4-nixos-hardware, - pi4-disko, - - nixos-raspberrypi, - - # Steamdeck - steamdeck-nixpkgs, - steamdeck-chaotic, - steamdeck-home-manager, - steamdeck-impermanence, - steamdeck-jovian, - steamdeck-lanzaboote, - steamdeck-nixos-hardware, - steamdeck-sops-nix, - steamdeck-steam-rom-manager, - steamdeck-disko, - - # MacBook - nix-darwin, - nix-homebrew, - homebrew-core, - homebrew-cask, - - # MacBook Nix - mac-nixpkgs, - mac-nixos-apple-silicon, - mac-home-manager, - mac-impermanence, - mac-sops-nix, 
- - nuc-nixpkgs, - nuc-home-manager, - nuc-impermanence, - nuc-lanzaboote, - nuc-sops-nix, - nuc-disko, - - # Common - nixpkgs-unstable, - nixpkgs-stable, - }@inputs: - let - inherit (self) outputs; - in - { - overlays = import ./overlays { inherit inputs; }; - - nixosConfigurations = { - # Desktop - "matt-nixos" = desktop-nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs outputs; - hyprlandSettings = import ./hosts/desktop/hyprland-settings.nix; - }; - modules = [ - ./hosts/base/base-nogui - ./hosts/base/base-gui - ./hosts/desktop/configuration.nix - - ./modules/desktop-environments/gnome - ./modules/desktop-environments/cosmic/specialisation.nix - ./modules/desktop-environments/hyprland/specialisation.nix - - ./modules/amd - ./modules/gaming - - # Lanzaboote - desktop-lanzaboote.nixosModules.lanzaboote - - # Chaotic Nyx - desktop-chaotic.nixosModules.default - - # Impermanence - desktop-impermanence.nixosModules.impermanence - ./modules/impermanence - - desktop-sops-nix.nixosModules.sops - - # Home Manager - desktop-home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.matt = - { ... }: - { - imports = [ - ./hosts/desktop/home.nix - ./modules/home/defaults.nix - ./modules/home/git.nix - ./modules/home/gnome.nix - ./modules/home/librewolf.nix - ./modules/home/office.nix - ./modules/home/shell.nix - ./modules/home/vscode.nix - desktop-steam-rom-manager.homeManagerModules.default - desktop-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.users.root = - { ... 
}: - { - imports = [ - ./modules/root-user - desktop-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.backupFileExtension = "backup"; - } - - # nixos hardware - desktop-nixos-hardware.nixosModules.common-cpu-amd - desktop-nixos-hardware.nixosModules.common-cpu-amd-pstate - desktop-nixos-hardware.nixosModules.common-cpu-amd-zenpower - desktop-nixos-hardware.nixosModules.common-gpu-amd - desktop-nixos-hardware.nixosModules.common-hidpi - desktop-nixos-hardware.nixosModules.common-pc - ]; - }; - - # NAS - "jallen-nas" = nas-nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs outputs; - }; - modules = [ - ./hosts/base/base-nogui - ./hosts/base/base-gui - ./hosts/nas/configuration.nix - ./modules/desktop-environments/cosmic - ./modules/nvidia - - nas-lanzaboote.nixosModules.lanzaboote - - nas-impermanence.nixosModules.impermanence - ./hosts/nas/impermanence.nix - - nas-cosmic.nixosModules.default - - # nas-nixai.nixosModules.x86_64-linux.default - - nas-home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = false; - home-manager.useUserPackages = true; - home-manager.users.admin = - { ... }: - { - imports = [ - ./hosts/nas/home.nix - ./modules/home/defaults.nix - ./modules/home/git.nix - ./modules/home/librewolf.nix - ./modules/home/shell.nix - ./modules/home/vscode.nix - nas-sops-nix.homeManagerModules.sops - # nas-nixai.homeManagerModules.x86_64-linux.default - ]; - }; - home-manager.users.root = - { ... }: - { - imports = [ - ./modules/root-user - nas-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.backupFileExtension = "backup"; - } - - nas-authentik-nix.nixosModules.default - - nas-sops-nix.nixosModules.sops - - nas-crowdsec.nixosModules.crowdsec - nas-crowdsec.nixosModules.crowdsec-firewall-bouncer - - ( - { ... 
}: - { - nixpkgs.overlays = [ - nas-crowdsec.overlays.default - nas-nix-vscode-extensions.overlays.default - ]; - } - ) - - nas-nixos-hardware.nixosModules.common-pc - nas-nixos-hardware.nixosModules.common-cpu-amd - nas-nixos-hardware.nixosModules.common-cpu-amd-pstate - nas-nixos-hardware.nixosModules.common-cpu-amd-zenpower - nas-nixos-hardware.nixosModules.common-hidpi - ]; - }; - - # pi5 - "pi5" = nixos-raspberrypi.lib.nixosSystem { - specialArgs = inputs // - { - inherit outputs; - }; - system = "aarch64-linux"; - modules = [ - ./hosts/base/base-nogui - ./hosts/base/base-gui - pi5-disko.nixosModules.disko - ./hosts/pi5/disko.nix - pi5-cosmic.nixosModules.default - pi5-impermanence.nixosModules.impermanence - pi5-sops-nix.nixosModules.sops - ./hosts/pi5/configuration.nix - pi5-nixos-hardware.nixosModules.raspberry-pi-5 - { - # Hardware specific configuration, see section below for a more complete - # list of modules - imports = with nixos-raspberrypi.nixosModules; [ - raspberry-pi-5.base - raspberry-pi-5.display-vc4 - raspberry-pi-5.bluetooth - ]; - } - pi5-home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.backupFileExtension = "backup"; - home-manager.users.matt = - { ... }: - { - imports = [ - ./hosts/pi5/home.nix - pi5-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.users.root = - { ... 
}: - { - imports = [ - ./modules/root-user - pi5-sops-nix.homeManagerModules.sops - ]; - }; - } - ]; - }; - - # pi4 - "pi4" = nixos-raspberrypi.lib.nixosSystem { - specialArgs = inputs // - { - inherit outputs; - }; - system = "aarch64-linux"; - modules = [ - ./hosts/base/base-nogui - pi4-disko.nixosModules.disko - ./modules/disko/pi-uefi-disko.nix - pi4-nixos-hardware.nixosModules.raspberry-pi-4 - { - # Hardware specific configuration, see section below for a more complete - # list of modules - imports = with nixos-raspberrypi.nixosModules; [ - raspberry-pi-4.base - raspberry-pi-4.display-vc4 - raspberry-pi-4.bluetooth - raspberry-pi-4.case-argonone - ]; - } - pi4-impermanence.nixosModules.impermanence - pi4-sops-nix.nixosModules.sops - ./hosts/pi4/configuration.nix - pi4-home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.backupFileExtension = "backup"; - home-manager.users.matt = - { ... }: - { - imports = [ - ./hosts/pi4/home.nix - pi4-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.users.root = - { ... }: - { - imports = [ - ./modules/root-user - pi4-sops-nix.homeManagerModules.sops - ]; - }; - } - ]; - }; - - "steamdeck" = steamdeck-nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs outputs; - }; - modules = [ - ./hosts/base/base-nogui - ./hosts/base/base-gui - ./hosts/deck/configuration.nix - ./modules/desktop-environments/gnome - - steamdeck-lanzaboote.nixosModules.lanzaboote - - steamdeck-disko.nixosModules.disko - ./modules/disko/disko.nix - - steamdeck-impermanence.nixosModules.impermanence - ./modules/impermanence - - steamdeck-home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.deck = - { ... 
}: - { - imports = [ - ./hosts/deck/home.nix - ./modules/home/defaults.nix - ./modules/home/git.nix - ./modules/home/gnome.nix - ./modules/home/librewolf.nix - ./modules/home/office.nix - ./modules/home/shell.nix - ./modules/home/vscode.nix - steamdeck-sops-nix.homeManagerModules.sops - steamdeck-steam-rom-manager.homeManagerModules.default - ]; - }; - home-manager.users.root = - { ... }: - { - imports = [ - ./modules/root-user - steamdeck-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.backupFileExtension = "backup"; - } - - steamdeck-nixos-hardware.nixosModules.common-cpu-amd - steamdeck-nixos-hardware.nixosModules.common-cpu-amd-pstate - steamdeck-nixos-hardware.nixosModules.common-cpu-amd-zenpower - steamdeck-nixos-hardware.nixosModules.common-gpu-amd - steamdeck-nixos-hardware.nixosModules.common-hidpi - steamdeck-nixos-hardware.nixosModules.common-pc - - steamdeck-sops-nix.nixosModules.sops - - steamdeck-jovian.nixosModules.jovian - - steamdeck-chaotic.nixosModules.default - ]; - }; - - # MacBook Nix - "macbook-pro-nixos" = mac-nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { - inherit inputs outputs; - hyprlandSettings = import ./hosts/mac-nixos/hyprland-settings.nix; - }; - modules = [ - ./hosts/base/base-nogui - ./hosts/base/base-gui - ./hosts/mac-nixos/configuration.nix - - ./modules/desktop-environments/hyprland - - # Apple Silicon Support - mac-nixos-apple-silicon.nixosModules.default - - # Impermanence - mac-impermanence.nixosModules.impermanence - ./modules/impermanence - - mac-sops-nix.nixosModules.sops - - # Home Manager - mac-home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.matt = - { ... 
}: - { - imports = [ - ./hosts/mac-nixos/home.nix - ./modules/home/defaults.nix - ./modules/home/git.nix -# ./modules/home/gnome.nix -# ./modules/home/librewolf.nix - ./modules/home/office.nix - ./modules/home/shell.nix -# ./modules/home/vscode.nix - mac-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.users.root = - { ... }: - { - imports = [ - ./modules/root-user - mac-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.backupFileExtension = "backup"; - } - ]; - }; - - # NUC - "nuc-nixos" = nuc-nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs outputs; - }; - modules = [ - ./hosts/base/base-nogui - ./hosts/nuc/configuration.nix - - nuc-lanzaboote.nixosModules.lanzaboote - - nuc-impermanence.nixosModules.impermanence - ./hosts/nuc/impermanence.nix - - nuc-disko.nixosModules.disko - ./modules/disko/disko.nix - - nuc-home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = false; - home-manager.useUserPackages = true; - home-manager.users.admin = - { ... }: - { - imports = [ - ./hosts/nuc/home.nix - ./modules/home/defaults.nix - ./modules/home/git.nix - ./modules/home/shell.nix - nuc-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.users.root = - { ... }: - { - imports = [ - ./modules/root-user - nuc-sops-nix.homeManagerModules.sops - ]; - }; - home-manager.backupFileExtension = "backup"; - } - - nuc-sops-nix.nixosModules.sops - ]; - }; - }; - - darwinConfigurations = { - "MacBook-Pro" = nix-darwin.lib.darwinSystem { - system = "aarch64-darwin"; - specialArgs = { - inherit inputs outputs; - }; - modules = [ - ./hosts/mac/configuration.nix - nix-homebrew.darwinModules.nix-homebrew - desktop-home-manager.darwinModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.mattjallen = import ./hosts/mac/home.nix; - home-manager.backupFileExtension = "backup"; - } - ( - { ... 
}: - { - nixpkgs.overlays = [ - desktop-nix-vscode-extensions.overlays.default - ]; - } - ) - ]; - }; - }; - - packages.aarch64-linux.vmware-horizon-fhs = - let - pkgs = import mac-nixpkgs { system = "aarch64-linux"; }; - x64 = import mac-nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; }; - in - pkgs.buildFHSEnv { - name = "horizon-client-x64"; - targetPkgs = _pkgs: with x64; [ - vmware-horizon-client gtk3 xorg.libX11 libxml2 - ]; - runScript = "box64 vmware-view"; - }; - - # Expose the package set, including overlays, for convenience. - darwinPackages = self.darwinConfigurations."MacBook-Pro".pkgs; - - # Set Git commit hash for darwin-version. - system.configurationRevision = self.rev or self.dirtyRev or null; - }; -} diff --git a/systems/x86_64-linux/nas/apps/actual/default.nix b/modules/nixos/actual/default.nix similarity index 97% rename from systems/x86_64-linux/nas/apps/actual/default.nix rename to modules/nixos/actual/default.nix index 2bf6a01..23ad96b 100644 --- a/systems/x86_64-linux/nas/apps/actual/default.nix +++ b/modules/nixos/actual/default.nix @@ -2,9 +2,8 @@ with lib; let cfg = config.nas-apps.actual; - settings = import ../../settings.nix; dataDir = "/data"; - hostAddress = settings.hostAddress; + hostAddress = "10.0.1.3"; actualUserId = config.users.users.nix-apps.uid; actualGroupId = config.users.groups.jallen-nas.gid; in diff --git a/systems/x86_64-linux/nas/apps/actual/options.nix b/modules/nixos/actual/options.nix similarity index 100% rename from systems/x86_64-linux/nas/apps/actual/options.nix rename to modules/nixos/actual/options.nix diff --git a/systems/x86_64-linux/nas/apps/arrs/default.nix b/modules/nixos/arrs/default.nix similarity index 96% rename from systems/x86_64-linux/nas/apps/arrs/default.nix rename to modules/nixos/arrs/default.nix index c825add..d3340ba 100755 --- a/systems/x86_64-linux/nas/apps/arrs/default.nix +++ b/modules/nixos/arrs/default.nix 
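Review bot: `hostAddress = "10.0.1.3";` replaces the single `settings.hostAddress` with a literal that this same change repeats in arrs, gitea, immich, jellyseerr and nextcloud; because Nextcloud's `trusted_proxies = [ hostAddress ]` and Immich's `IMMICH_TRUSTED_PROXIES` derive proxy trust from that value, one copy drifting breaks the container or trusts forwarded headers from the wrong source. Define it once as an option, e.g. `options.nas-apps.hostAddress = mkOption { type = types.str; default = "10.0.1.3"; };`, and read `config.nas-apps.hostAddress` here and in the other modules. The moved modules still sit under `config.nas-apps.*` while the new ones use `config.${namespace}.services.*`; settling on one option tree now avoids two parallel namespaces. The surrounding `let` block is only partly visible in this hunk.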
@@ -7,7 +7,6 @@ with lib; let cfg = config.nas-apps.arrs; - settings = import ../../settings.nix; radarrDataDir = "/var/lib/radarr"; downloadDir = "/downloads"; incompleteDir = "/downloads-incomplete"; @@ -21,7 +20,6 @@ let sonarrPkg = pkgs.sonarr; delugePkg = pkgs.deluge; jackettPkg = pkgs.jackett; - sabnzbdPkg = pkgs.sabnzbd; in { imports = [ ./options.nix ]; @@ -30,7 +28,7 @@ in containers.arrs = { autoStart = true; privateNetwork = true; - hostAddress = settings.hostAddress; + hostAddress = "10.0.1.3"; localAddress = cfg.localAddress; config = @@ -40,7 +38,12 @@ in ... }: { - nixpkgs.config.allowUnfree = true; + nixpkgs.config = { + allowUnfree = lib.mkForce true; + allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ + "unrar" + ]; + }; # Enable radarr service services.radarr = { @@ -69,7 +72,7 @@ in user = "arrs"; group = "media"; configFile = "${sabnzbdConfig}/sabnzbd.ini"; - package = sabnzbdPkg; + package = pkgs.sabnzbd; }; services.deluge = { diff --git a/systems/x86_64-linux/nas/apps/arrs/options.nix b/modules/nixos/arrs/options.nix similarity index 100% rename from systems/x86_64-linux/nas/apps/arrs/options.nix rename to modules/nixos/arrs/options.nix diff --git a/systems/x86_64-linux/nas/apps/crowdsec/default.nix b/modules/nixos/crowdsec/default.nix similarity index 97% rename from systems/x86_64-linux/nas/apps/crowdsec/default.nix rename to modules/nixos/crowdsec/default.nix index 99a165e..2890097 100755 --- a/systems/x86_64-linux/nas/apps/crowdsec/default.nix +++ b/modules/nixos/crowdsec/default.nix @@ -1,4 +1,4 @@ -{ outputs, config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: with lib; let cfg = config.nas-apps.crowdsec; diff --git a/systems/x86_64-linux/nas/apps/crowdsec/options.nix b/modules/nixos/crowdsec/options.nix similarity index 100% rename from systems/x86_64-linux/nas/apps/crowdsec/options.nix rename to modules/nixos/crowdsec/options.nix 
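Review bot: In the container's new `nixpkgs.config` block, `allowUnfree = lib.mkForce true;` makes the `allowUnfreePredicate` allowlist a no-op: as far as I recall, nixpkgs only consults the predicate when `allowUnfree` is false, so every unfree package the arrs container evaluates is admitted, not just `unrar`. If the intent is to admit only unrar for `pkgs.sabnzbd`, delete the `allowUnfree = lib.mkForce true;` line and keep the predicate. If `allowUnfree` has to stay, the `mkForce` also silently overrides any `allowUnfree = false` set by a host-level module and deserves a comment saying why. The enclosing `containers.arrs.config` function starts before this hunk.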
diff --git a/systems/x86_64-linux/nas/apps/gitea/default.nix b/modules/nixos/gitea/default.nix similarity index 98% rename from systems/x86_64-linux/nas/apps/gitea/default.nix rename to modules/nixos/gitea/default.nix index a537d63..0e97053 100644 --- a/systems/x86_64-linux/nas/apps/gitea/default.nix +++ b/modules/nixos/gitea/default.nix @@ -2,8 +2,7 @@ with lib; let cfg = config.nas-apps.gitea; - settings = import ../../settings.nix; - hostAddress = settings.hostAddress; + hostAddress = "10.0.1.3"; # localAddress = "10.0.4.18"; # httpPort = 3000; # sshPort = 2222; diff --git a/systems/x86_64-linux/nas/apps/gitea/options.nix b/modules/nixos/gitea/options.nix similarity index 100% rename from systems/x86_64-linux/nas/apps/gitea/options.nix rename to modules/nixos/gitea/options.nix diff --git a/modules/nixos/immich/default.nix b/modules/nixos/immich/default.nix new file mode 100755 index 0000000..14316e0 --- /dev/null +++ b/modules/nixos/immich/default.nix @@ -0,0 +1,33 @@ +{ config, lib, namespace, ... }: +with lib; +let + cfg = config.${namespace}.services.immich; + + immichPort = 2283; + dataDir = "/media/nas/main/photos"; + dbPassword = config.sops.secrets."jallen-nas/immich/db-password".path; +in +{ + imports = [ ./options.nix ]; + + config = mkIf cfg.enable { + # Enable immich service + services.immich = { + enable = true; + port = immichPort; + openFirewall = true; + secretsFile = dbPassword; + mediaLocation = dataDir; + + environment = { + IMMICH_HOST = lib.mkForce "0.0.0.0"; + IMMICH_TRUSTED_PROXIES = "10.0.1.3"; + TZ = "America/Chicago"; + }; + + machine-learning = { + enable = true; + }; + }; + }; +} diff --git a/modules/nixos/immich/options.nix b/modules/nixos/immich/options.nix new file mode 100644 index 0000000..a003eae --- /dev/null +++ b/modules/nixos/immich/options.nix @@ -0,0 +1,7 @@ +{ lib, namespace, ... }: +with lib; +{ + options.${namespace}.services.immich = { + enable = mkEnableOption "enable immich"; + }; +} \ No newline at end of file 
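Review bot: In the new immich module, `IMMICH_HOST = lib.mkForce "0.0.0.0"` together with `openFirewall = true` publishes port 2283 on every interface, so whatever the reverse proxy at `10.0.1.3` enforces (authentication, rate limiting, CrowdSec) can be bypassed by connecting to Immich directly, and `IMMICH_TRUSTED_PROXIES` only governs which forwarded headers are believed, not who may connect. If that proxy runs on this host, drop the `IMMICH_HOST` override and `openFirewall`, which leaves the module's loopback default; if it runs elsewhere, bind to the one address it uses rather than `0.0.0.0`. `secretsFile = dbPassword` hands Immich the sops secret named `db-password`; if I recall the module, `secretsFile` expects `VAR=value` lines such as `DB_PASSWORD=…`, so confirm the secret's contents are in that format rather than a bare password.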
diff --git a/modules/nixos/jellyfin/default.nix b/modules/nixos/jellyfin/default.nix
new file mode 100755
index 0000000..3714d6c
--- /dev/null
+++ b/modules/nixos/jellyfin/default.nix
@@ -0,0 +1,19 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+ cfg = config.${namespace}.services.jellyfin;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ user = "nix-apps";
+ group = "jallen-nas";
+ dataDir = "/media/nas/ssd/nix-app-data/jellyfin";
+ # cacheDir = "/cache";
+ };
+ };
+}
diff --git a/modules/nixos/jellyfin/options.nix b/modules/nixos/jellyfin/options.nix
new file mode 100644
index 0000000..6187c4d
--- /dev/null
+++ b/modules/nixos/jellyfin/options.nix
@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.jellyfin = {
+ enable = mkEnableOption "enable jellyfin";
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/jellyseerr/default.nix b/modules/nixos/jellyseerr/default.nix
new file mode 100755
index 0000000..4d61a09
--- /dev/null
+++ b/modules/nixos/jellyseerr/default.nix
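Review bot: `user = "nix-apps"; group = "jallen-nas";` runs Jellyfin under the same uid/gid that the actual and lubelogger modules in this change resolve via `config.users.users.nix-apps.uid` and `config.users.groups.jallen-nas.gid`, so a compromise of Jellyfin's web UI or a malicious plugin gains write access to every other app's state held by that account. Unless the media library needs the shared uid itself, give Jellyfin its own account and keep only the group for read access: `user = "jellyfin"; group = "jallen-nas";` (the module creates the `jellyfin` user when that name is used, if I recall it correctly) and chown `dataDir` to match. `openFirewall = true` also opens, as far as I remember the module, the UDP discovery ports alongside 8096/8920; if the host is only reached through the reverse proxy, open just the HTTP port explicitly instead.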
@@ -0,0 +1,78 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+ cfg = config.${namespace}.services.jellyseerr;
+
+ jellyseerrPort = 5055;
+ dataDir = "/var/lib/private/jellyseerr";
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ containers.jellyseerr = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "10.0.1.3";
+ localAddress = "10.0.1.52";
+ hostAddress6 = "fc00::1";
+ localAddress6 = "fc00::4";
+
+ bindMounts = {
+ ${dataDir} = {
+ hostPath = "/media/nas/ssd/nix-app-data/jellyseerr";
+ isReadOnly = false;
+ };
+ };
+
+ config =
+ {
+ lib,
+ ...
+ }:
+ {
+ # Enable jellyseerr service
+ services.jellyseerr = {
+ enable = true;
+ port = jellyseerrPort;
+ # package = package;
+ openFirewall = true;
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ jellyseerrPort ];
+ };
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ # Create and set permissions for required directories
+ system.activationScripts.jellyseerr-dirs = ''
+ mkdir -p /var/lib/private/jellyseerr
+
+ chown -R jellyseerr:jellyseerr /var/lib/private/jellyseerr
+
+ chmod -R 775 /var/lib/private/jellyseerr
+
+ ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin
+
+ '';
+
+ services.resolved.enable = true;
+ system.stateVersion = "23.11";
+ };
+ };
+
+ networking.nat = {
+ forwardPorts = [
+ {
+ destination = "10.0.1.52:5055";
+ sourcePort = jellyseerrPort;
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/nixos/jellyseerr/options.nix b/modules/nixos/jellyseerr/options.nix
new file mode 100644
index 0000000..8960a13
--- /dev/null
+++ b/modules/nixos/jellyseerr/options.nix
@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.jellyseerr = {
+ enable = mkEnableOption "enable jellyseerr";
+ };
+}
\ No newline at end of file
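Review bot: The activation script's `chmod -R 775 /var/lib/private/jellyseerr` makes Jellyseerr's state, which as far as I recall includes the `settings.json` holding its Jellyfin and *arr API keys, readable by every account inside the container and, through the bind mount, by any host account that can traverse `/media/nas/ssd/nix-app-data/jellyseerr`; `chmod -R u=rwX,g=rX,o= /var/lib/private/jellyseerr` keeps owner and group access without exposing it to others. The last line, `ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin`, names jellyfin rather than jellyseerr and looks like a typo, and `ln -sf` against an existing directory symlink creates a nested link on the next activation, so either use `ln -sfn` with the intended path or drop it. `/var/lib/private/<name>` is the directory systemd manages for a `DynamicUser` service with `StateDirectory`, where systemd creates the `/var/lib/jellyseerr` link and sets ownership itself; if the jellyseerr module uses DynamicUser (verify against the module), `chown -R jellyseerr:jellyseerr` fails for lack of a static user and the whole script is redundant. `openFirewall = true` and the explicit `allowedTCPPorts = [ jellyseerrPort ]` duplicate each other, and `destination = "10.0.1.52:5055"` restates `localAddress` and `jellyseerrPort`; deriving it as `"10.0.1.52:${toString jellyseerrPort}"` keeps the two from drifting.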
diff --git a/modules/nixos/lubelogger/default.nix b/modules/nixos/lubelogger/default.nix
new file mode 100644
index 0000000..ea209d3
--- /dev/null
+++ b/modules/nixos/lubelogger/default.nix
@@ -0,0 +1,28 @@
+{ config, lib, namespace, ... }:
+with lib;
+let
+ cfg = config.${namespace}.services.lubelogger;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ virtualisation.oci-containers.containers.lubelogger = {
+ autoStart = true;
+ image = "ghcr.io/hargata/lubelogger";
+ ports = [ "6754:8080" ];
+ volumes = [
+ "/media/nas/ssd/nix-app-data/lubelogger:/App/data"
+ "/media/nas/ssd/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
+ ];
+ environmentFiles = [
+ "/media/nas/ssd/nix-app-data/lubelogger/lubelogger.env"
+ ];
+ environment = {
+ PUID = toString config.users.users.nix-apps.uid;
+ PGID = toString config.users.groups.jallen-nas.gid;
+ TZ = "America/Chicago";
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/lubelogger/options.nix b/modules/nixos/lubelogger/options.nix
new file mode 100644
index 0000000..1b062f2
--- /dev/null
+++ b/modules/nixos/lubelogger/options.nix
@@ -0,0 +1,7 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.lubelogger = {
+ enable = mkEnableOption "enable lubelogger";
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/nextcloud/default.nix b/modules/nixos/nextcloud/default.nix
new file mode 100755
index 0000000..b37dae8
--- /dev/null
+++ b/modules/nixos/nextcloud/default.nix
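Review bot: `image = "ghcr.io/hargata/lubelogger";` carries no tag or digest, so every pull follows the registry's floating default tag and a compromised or merely breaking upstream push is rolled out to the NAS unreviewed; pin a release and its digest, `image = "ghcr.io/hargata/lubelogger:<tag>@sha256:<digest>";`, and bump it deliberately. `ports = [ "6754:8080" ]` publishes the app on every host interface, which sidesteps any reverse proxy and its authentication; if the proxy on this host is the intended path, bind to it only, e.g. `ports = [ "127.0.0.1:6754:8080" ];`. Mounting the DataProtection keys under `/root/.aspnet` suggests the process runs as root inside the container regardless of `PUID`/`PGID`; verify the image honours those variables, otherwise the data on the NAS share ends up root-owned and the uid/gid lines are misleading.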
@@ -0,0 +1,240 @@ +{ config, lib, pkgs, namespace, ... }: +with lib; +let + cfg = config.${namespace}.services.nextcloud; + + adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path; + secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path; + jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path; + nextcloudUserId = config.users.users.nix-apps.uid; + nextcloudGroupId = config.users.groups.jallen-nas.gid; + hostAddress = "10.0.1.3"; + localAddress = "10.0.2.18"; + nextcloudPortExtHttp = 9988; + nextcloudPortExtHttps = 9943; + onlyofficePortExt = 9943; +in +{ + imports = [ ./options.nix ]; + + config = mkIf cfg.enable { + containers.nextcloud = { + autoStart = true; + privateNetwork = true; + hostAddress = hostAddress; + localAddress = localAddress; + specialArgs = { + inherit namespace; + }; + + bindMounts = { + secrets = { + hostPath = "/run/secrets/jallen-nas/nextcloud"; + isReadOnly = true; + mountPoint = "/run/secrets/jallen-nas/nextcloud"; + }; + + secrets2 = { + hostPath = "/run/secrets/jallen-nas/onlyoffice-key"; + isReadOnly = true; + mountPoint = "/run/secrets/jallen-nas/onlyoffice-key"; + }; + + data = { + hostPath = "/media/nas/main/nextcloud"; + isReadOnly = false; + mountPoint = "/data"; + }; + + "/var/lib/nextcloud" = { + hostPath = "/media/nas/ssd/nix-app-data/nextcloud"; + isReadOnly = false; + mountPoint = "/var/lib/nextcloud"; + }; + + "/var/lib/onlyoffice" = { + hostPath = "/media/nas/ssd/nix-app-data/onlyoffice"; + isReadOnly = false; + mountPoint = "/var/lib/onlyoffice"; + }; + }; + + config = + { pkgs, lib, namespace, ... 
}: + { + nixpkgs.config.allowUnfree = true; + networking.extraHosts = '' + ${hostAddress} host.containers protonmail-bridge + ''; + + services = { + nextcloud = { + enable = true; + package = pkgs.nextcloud31; + # datadir = "/data"; + database.createLocally = true; + hostName = "cloud.mjallen.dev"; + appstoreEnable = true; + caching.redis = true; + configureRedis = true; + enableImagemagick = true; + https = true; + secretFile = secretsFile; + + config = { + adminuser = "mjallen"; + adminpassFile = adminpass; + dbhost = "localhost"; + dbtype = "sqlite"; + dbname = "nextcloud"; + dbuser = "nextcloud"; + }; + settings = { + loglevel = 3; + allow_local_remote_servers = true; + upgrade.disable-web = false; + datadirectory = "/data"; + trusted_domains = [ + "${hostAddress}:${toString nextcloudPortExtHttp}" + "${hostAddress}:${toString nextcloudPortExtHttps}" + "${localAddress}:80" + "${localAddress}:443" + "cloud.mjallen.dev" + ]; + opcache.interned_strings_buffer = 16; + trusted_proxies = [ hostAddress ]; + maintenance_window_start = 6; + default_phone_region = "US"; + enable_previews = true; + enabledPreviewProviders = [ + "OC\\Preview\\PNG" + "OC\\Preview\\JPEG" + "OC\\Preview\\GIF" + "OC\\Preview\\BMP" + "OC\\Preview\\XBitmap" + "OC\\Preview\\MP3" + "OC\\Preview\\TXT" + "OC\\Preview\\MarkDown" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\Krita" + "OC\\Preview\\HEIC" + "OC\\Preview\\Movie" + "OC\\Preview\\MSOffice2003" + "OC\\Preview\\MSOffice2007" + "OC\\Preview\\MSOfficeDoc" + ]; + installed = true; + user_oidc = { + auto_provision = false; + soft_auto_provision = false; + allow_multiple_user_backends = false; # auto redirect to authentik for login + }; + }; + }; + }; + + services.onlyoffice = { + enable = true; + port = onlyofficePortExt; + hostname = "office.mjallen.dev"; + jwtSecretFile = jwtSecretFile; + }; + + # System packages + environment.systemPackages = with pkgs; [ + cudaPackages.cudnn + cudatoolkit + ffmpeg + # libtensorflow-bin + nextcloud31 + nodejs 
+ onlyoffice-documentserver + sqlite + ]; + + # Create required users and groups + users.users.nextcloud = { + isSystemUser = true; + uid = lib.mkForce nextcloudUserId; + group = "nextcloud"; + }; + + users.users.onlyoffice = { + group = lib.mkForce "nextcloud"; + }; + + users.groups = { + nextcloud = { + gid = lib.mkForce nextcloudGroupId; + }; + downloads = { }; + }; + + # Create and set permissions for required directories + system.activationScripts.nextcloud-dirs = '' + mkdir -p /data + + chown -R nextcloud:nextcloud /data + + chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud + + chmod -R 775 /data + + chmod -R 750 /run/secrets/jallen-nas/nextcloud + + ''; + + hardware = { + graphics = { + enable = true; + # setLdLibraryPath = true; + }; + }; + + programs = { + nix-ld.enable = true; + }; + + system.stateVersion = "23.11"; + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ + 80 + 443 + onlyofficePortExt + ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + services.resolved.enable = true; + + }; + }; + + networking = { + nat = { + forwardPorts = [ + { + destination = "${localAddress}:443"; + sourcePort = nextcloudPortExtHttps; + } + { + destination = "${localAddress}:80"; + sourcePort = nextcloudPortExtHttp; + } + { + destination = "${localAddress}:8000"; + sourcePort = 8000; + } + { + destination = "${localAddress}:${toString onlyofficePortExt}"; + sourcePort = onlyofficePortExt; + } + ]; + }; + }; + }; +} diff --git a/modules/nixos/nextcloud/options.nix b/modules/nixos/nextcloud/options.nix new file mode 100644 index 0000000..c34526e --- /dev/null +++ b/modules/nixos/nextcloud/options.nix @@ -0,0 +1,7 @@ +{ lib, namespace, ... }: +with lib; +{ + options.${namespace}.services.nextcloud = { + enable = mkEnableOption "enable nextcloud"; + }; +} \ No newline at end of file 
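Review bot: `nextcloudPortExtHttps` and `onlyofficePortExt` are both `9943`, so `networking.nat.forwardPorts` declares two rules with `sourcePort = 9943`, one to `${localAddress}:443` and one to `${localAddress}:9943`; only one of them can take effect, and the traefik module in this diff expects OnlyOffice on `config.containers.nextcloud.config.services.onlyoffice.port`. Give one of them its own port, e.g. `onlyofficePortExt = 9944;` (constructed value), and update `trusted_domains` to match. In `system.activationScripts.nextcloud-dirs`, `chmod -R 775 /data` and `chown -R nextcloud:nextcloud /data` walk the entire Nextcloud data tree on every activation, and because `users.groups.nextcloud.gid` is forced to the shared `jallen-nas` gid this gives every member of that host group write access to all user files; `750` with a one-time ownership fix is the safer shape. `chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud` targets the `secrets` bind mount declared `isReadOnly = true`, so it will most likely fail with a read-only filesystem error; set the owner on the host-side sops secret instead.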
diff --git a/modules/nixos/ollama/default.nix b/modules/nixos/ollama/default.nix
new file mode 100755
index 0000000..2bf84fa
--- /dev/null
+++ b/modules/nixos/ollama/default.nix
@@ -0,0 +1,77 @@ +{ config, lib, pkgs, namespace, ... }: +with lib; +let + cfg = config.${namespace}.services.ollama; + + llamaPackage = pkgs.llama-cpp.overrideAttrs (old: { + src = pkgs.fetchFromGitHub { + owner = "ggml-org"; + repo = "llama.cpp"; + rev = "b4920"; + sha256 = "sha256-SnQIeY74JpAPRMxWcpklDH5D4CQvAgi0GYx5+ECk2J4="; + }; + # Optionally override other attributes if you need to + # version = "my-fork-version"; + # pname = "llama-cpp-custom"; + }); +in +{ + imports = [ ./options.nix ]; + + config = mkIf cfg.enable { + services.ollama = { + enable = true; + port = 11434; + host = "0.0.0.0"; + user = "nix-apps"; + group = "jallen-nas"; + openFirewall = true; + acceleration = "cuda"; + home = "/media/nas/ssd/nix-app-data/ollama"; + }; + + environment.systemPackages = [ llamaPackage ]; + + services.llama-cpp = { + enable = true; + port = 8127; + host = "0.0.0.0"; + openFirewall = true; + model = "/media/nas/ssd/nix-app-data/llama-cpp/models/functionary-small-v3.2-GGUF/functionary-small-v3.2.Q4_0.gguf"; + package = llamaPackage; # pkgs.unstable.llama-cpp; + extraFlags = [ + "--n_gpu-layers" + "500" + "-c" + "0" + "--numa" + "numactl" + "--jinja" + ]; + }; + + services.open-webui = { + enable = false; + host = "0.0.0.0"; + port = 8888; + openFirewall = true; + # stateDir = "/media/nas/ssd/nix-app-data/open-webui"; + environmentFile = config.sops.secrets."jallen-nas/open-webui".path; + environment = { + OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration"; + OAUTH_PROVIDER_NAME = "authentik"; + OPENID_REDIRECT_URI = "https://chat.mjallen.dev/oauth/oidc/callback"; + ENABLE_OAUTH_SIGNUP = "False"; + OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "True"; + ENABLE_SIGNUP = "False"; + ENABLE_LOGIN_FORM = "False"; + ANONYMIZED_TELEMETRY = "False"; + DO_NOT_TRACK = "True"; + SCARF_NO_ANALYTICS = "True"; + OLLAMA_API_BASE_URL = "http://127.0.0.1:11434"; + LOCAL_FILES_ONLY = "False"; + WEBUI_AUTH = "False"; + }; + }; + }; +} 
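Review bot: `services.ollama` and `services.llama-cpp` both bind `host = "0.0.0.0"` with `openFirewall = true`, exposing two model-serving APIs (11434, 8127) with no authentication configured on every interface, while the only consumer in this module addresses Ollama at `http://127.0.0.1:11434`; binding to `127.0.0.1`, or at least `10.0.1.3`, and dropping `openFirewall` keeps them off the LAN. In `services.open-webui.environment`, `WEBUI_AUTH = "False"` turns authentication off entirely, which contradicts the OIDC settings next to it (`ENABLE_LOGIN_FORM = "False"`, `ENABLE_OAUTH_SIGNUP = "False"`); the block is `enable = false` today, but switching it on would publish an auth-less UI behind the `chat` router in the traefik module. The `llama-cpp` override pins `rev = "b4920"` with a hash, which is fine; a one-line comment on why that build is needed over the nixpkgs one would help whoever updates it next.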
diff --git a/modules/nixos/ollama/options.nix b/modules/nixos/ollama/options.nix new file mode 100644 index 0000000..f0400f3 --- /dev/null +++ b/modules/nixos/ollama/options.nix @@ -0,0 +1,7 @@ +{ lib, namespace, ... }: +with lib; +{ + options.${namespace}.services.ollama = { + enable = mkEnableOption "enable ollama"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/nas/apps/orca/default.nix b/modules/nixos/orca/default.nix similarity index 100% rename from systems/x86_64-linux/nas/apps/orca/default.nix rename to modules/nixos/orca/default.nix diff --git a/systems/x86_64-linux/nas/apps/orca/options.nix b/modules/nixos/orca/options.nix similarity index 100% rename from systems/x86_64-linux/nas/apps/orca/options.nix rename to modules/nixos/orca/options.nix diff --git a/modules/nixos/paperless/default.nix b/modules/nixos/paperless/default.nix new file mode 100755 index 0000000..dd86340 --- /dev/null +++ b/modules/nixos/paperless/default.nix 
@@ -0,0 +1,106 @@ +{ config, lib, namespace, ... }: +with lib; +let + cfg = config.${namespace}.services.paperless; + + paperlessPort = 28981; + paperlessUserId = config.users.users.nix-apps.uid; + paperlessGroupId = config.users.groups.jallen-nas.gid; + paperlessEnv = config.sops.templates."paperless.env".path; + paperlessPkg = pkgs.paperless-ngx; +in +{ + imports = [ ./options.nix ]; + + config = mkIf cfg.enable { + containers.paperless = { + autoStart = true; + privateNetwork = true; + hostAddress = "10.0.1.3"; + localAddress = "10.0.1.20"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::20"; + + config = + { + lib, + ... + }: + { + # Enable paperless service + services.paperless = { + enable = false; + package = paperlessPkg; + port = paperlessPort; + user = "paperless"; + address = "0.0.0.0"; + passwordFile = "/var/lib/paperless/paperless-password"; + # environmentFile = paperlessEnv; # unstable is too unstable, but this doesnt exist in stable.... disabling altogether.... + }; + + # Create required users and groups + users.groups = { + documents = { + gid = lib.mkForce paperlessGroupId; + }; + }; + + users.users.paperless = { + isSystemUser = true; + uid = lib.mkForce paperlessUserId; + group = lib.mkForce "documents"; + }; + + # Create and set permissions for required directories + system.activationScripts.paperless-dirs = '' + mkdir -p /var/lib/paperless + + chown -R paperless:documents /var/lib/paperless + + chmod -R 775 /var/lib/paperless + + ''; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ paperlessPort ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + + services.resolved.enable = true; + system.stateVersion = "23.11"; + }; + + # Bind mount directories from host + bindMounts = { + "/var/lib/paperless" = { + hostPath = "/media/nas/ssd/nix-app-data/paperless"; + isReadOnly = false; + }; + secrets = { + 
hostPath = "/run/secrets/jallen-nas/paperless"; + isReadOnly = true; + mountPoint = "/run/secrets/jallen-nas/paperless"; + }; + secret-env = { + hostPath = "/run/secrets/rendered/paperless.env"; + isReadOnly = true; + mountPoint = "/run/secrets/rendered/paperless.env"; + }; + }; + }; + + networking.nat = { + forwardPorts = [ + { + destination = "10.0.1.20:28981"; + sourcePort = paperlessPort; + } + ]; + }; + }; +} diff --git a/modules/nixos/paperless/options.nix b/modules/nixos/paperless/options.nix new file mode 100644 index 0000000..f3ce50e --- /dev/null +++ b/modules/nixos/paperless/options.nix @@ -0,0 +1,7 @@ +{ lib, namespace, ... }: +with lib; +{ + options.${namespace}.services.paperless = { + enable = mkEnableOption "enable paperless"; + }; +} \ No newline at end of file diff --git a/modules/nixos/traefik/default.nix b/modules/nixos/traefik/default.nix new file mode 100755 index 0000000..093631a --- /dev/null +++ b/modules/nixos/traefik/default.nix 
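Review bot: `paperlessPkg = pkgs.paperless-ngx` references `pkgs`, which is not in this module's argument set `{ config, lib, namespace, ... }`; `with lib;` keeps the parser from flagging it, so it will surface as an undefined-variable error only when `services.paperless.package` is evaluated — add it, `{ config, lib, pkgs, namespace, ... }:`. `passwordFile = "/var/lib/paperless/paperless-password"` keeps the admin password as a plaintext file on the NAS-backed state directory, while the sops-rendered `paperless.env` is bind-mounted and then left unused (`paperlessEnv` is bound but the `environmentFile` line is commented out); if the env file cannot be used, a sops secret mounted for the password alone would still avoid the plaintext file. `chmod -R 775 /var/lib/paperless` on every activation also makes the whole state directory group-writable for the shared `jallen-nas` gid that `users.groups.documents` is forced to.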
@@ -0,0 +1,397 @@ +{ config, lib, namespace, ... }: +with lib; +let + cfg = config.${namespace}.services.traefik; + + domain = "mjallen.dev"; + serverIp = "10.0.1.3"; + + # Forward services + authUrl = "http://${serverIp}:9000/outpost.goauthentik.io"; + + actualUrl = "http://${config.containers.actual.localAddress}:${toString config.containers.actual.config.services.actual.settings.port}"; + authentikUrl = "http://${serverIp}:9000"; + cacheUrl = "http://${serverIp}:9012"; + cloudUrl = "http://${config.containers.nextcloud.localAddress}:80"; + giteaUrl = "http://${config.containers.gitea.localAddress}:${toString config.containers.gitea.config.services.gitea.settings.server.HTTP_PORT}"; + hassUrl = "http://homeassistant.local:8123"; + immichUrl = "http://${serverIp}:${toString config.services.immich.port}"; + jellyfinUrl = "http://${serverIp}:8096"; + jellyseerrUrl = "http://${config.containers.jellyseerr.localAddress}:${toString config.containers.jellyseerr.config.services.jellyseerr.port}"; + lubeloggerUrl = "http://${serverIp}:6754"; + onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}"; + openWebUIUrl = "http://${serverIp}:8888"; + paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}"; + + # Plugins + traefikPlugins = { + bouncer = { + moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"; + version = "v1.4.2"; + }; + geoblock = { + moduleName = "github.com/PascalMinder/geoblock"; + version = "v0.2.5"; + }; + }; + + crowdsecAppsecHost = "${serverIp}:7422"; + crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path; + + # Ports + httpPort = 80; + httpsPort = 443; + traefikPort = 8080; + metricsPort = 8082; + + forwardPorts = [ + httpPort + httpsPort + traefikPort + metricsPort + ]; + + # misc + letsEncryptEmail = "jalle008@proton.me"; + dataDir = 
"/media/nas/ssd/nix-app-data/traefik"; + authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik"; +in +{ + imports = [ ./options.nix ]; + + config = mkIf cfg.enable { + sops = { + secrets = { + "jallen-nas/traefik/crowdsec-lapi-key" = { + owner = config.users.users.traefik.name; + group = config.users.users.traefik.group; + restartUnits = [ "traefik.service" ]; + }; + "jallen-nas/traefik/cloudflare-dns-api-token" = { }; + "jallen-nas/traefik/cloudflare-zone-api-token" = { }; + "jallen-nas/traefik/cloudflare-api-key" = { }; + "jallen-nas/traefik/cloudflare-email" = { }; + }; + templates = { + "traefik.env" = { + content = '' + CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"} + CLOUDFLARE_ZONE_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"} + CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"} + CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"} + ''; + owner = config.users.users.traefik.name; + group = config.users.users.traefik.group; + restartUnits = [ "traefik.service" ]; + }; + }; + }; + + networking.firewall = { + allowedTCPPorts = forwardPorts; + allowedUDPPorts = forwardPorts; + }; + + services.traefik = { + enable = true; + dataDir = dataDir; + group = "jallen-nas";#group; + environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops + + staticConfigOptions = { + entryPoints = { + web = { + address = ":${toString httpPort}"; + asDefault = true; + http.redirections.entrypoint = { + to = "websecure"; + scheme = "https"; + }; + }; + + websecure = { + address = ":${toString httpsPort}"; + asDefault = true; + http.tls.certResolver = "letsencrypt"; + }; + + metrics = { + address = ":${toString metricsPort}"; # Port for metrics + }; + }; + + log = { + level = "INFO"; + }; + + metrics = { + prometheus = { + entryPoint = "metrics"; + addEntryPointsLabels = true; 
+ addServicesLabels = true; + buckets = [0.1 0.3 1.2 5.0]; # Response time buckets + }; + }; + + certificatesResolvers.letsencrypt.acme = { + email = letsEncryptEmail; + storage = "${config.services.traefik.dataDir}/acme.json"; + dnsChallenge = { + provider = "cloudflare"; + resolvers = [ + "1.1.1.1:53" + "8.8.8.8:53" + ]; + }; + }; + + api.dashboard = true; + # Access the Traefik dashboard on :8080 of your server + api.insecure = true; + + experimental = { + plugins = traefikPlugins; + }; + }; + + dynamicConfigOptions = { + http = { + middlewares = { + authentik = { + forwardAuth = { + tls.insecureSkipVerify = true; + address = authentikAddress; + trustForwardHeader = true; + authResponseHeaders = [ + "X-authentik-username" + "X-authentik-groups" + "X-authentik-email" + "X-authentik-name" + "X-authentik-uid" + "X-authentik-jwt" + "X-authentik-meta-jwks" + "X-authentik-meta-outpost" + "X-authentik-meta-provider" + "X-authentik-meta-app" + "X-authentik-meta-version" + ]; + }; + }; + onlyoffice-websocket = { + headers.customrequestheaders = { + X-Forwarded-Proto = "https"; + }; + }; + crowdsec = { + plugin = { + bouncer = { + crowdsecAppsecEnabled = true; + crowdsecAppsecHost = crowdsecAppsecHost; + crowdsecAppsecFailureBlock = true; + crowdsecAppsecUnreachableBlock = true; + crowdsecLapiKeyFile = crowdsecLapiKeyFile; + }; + }; + }; + whitelist-geoblock = { + plugin = { + geoblock = { + silentStartUp = false; + allowLocalRequests = true; + logLocalRequests = false; + logAllowedRequests = false; + logApiRequests = false; + api = "https://get.geojs.io/v1/ip/country/{ip}"; + apiTimeoutMs = 500; + cacheSize = 25; + forceMonthlyUpdate = true; + allowUnknownCountries = false; + unknownCountryApiResponse = "nil"; + blackListMode = false; + countries = [ + "CA" + "US" + ]; + }; + }; + }; + internal-ipallowlist = + { + ipAllowList = { + sourceRange = [ + "127.0.0.1/32" + "10.0.1.0/24" + ]; + }; + }; + }; + + services = { + auth.loadBalancer.servers = [ + { + url = authUrl; + 
} + ]; + + actual.loadBalancer.servers = [ + { + url = actualUrl; + } + ]; + authentik.loadBalancer.servers = [ + { + url = authentikUrl; + } + ]; + cache.loadBalancer.servers = [ + { + url = cacheUrl; + } + ]; + chat.loadBalancer.servers = [ + { + url = openWebUIUrl; + } + ]; + cloud.loadBalancer.servers = [ + { + url = cloudUrl; + } + ]; + gitea.loadBalancer.servers = [ + { + url = giteaUrl; + } + ]; + hass.loadBalancer.servers = [ + { + url = hassUrl; + } + ]; + immich.loadBalancer.servers = [ + { + url = immichUrl; + } + ]; + jellyfin.loadBalancer.servers = [ + { + url = jellyfinUrl; + } + ]; + jellyseerr.loadBalancer.servers = [ + { + url = jellyseerrUrl; + } + ]; + lubelogger.loadBalancer.servers = [ + { + url = lubeloggerUrl; + } + ]; + onlyoffice.loadBalancer.servers = [ + { + url = onlyofficeUrl; + } + ]; + paperless.loadBalancer.servers = [ + { + url = paperlessUrl; + } + ]; + }; + + routers = { + auth = { + entryPoints = [ "websecure" ]; + rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)"; + service = "auth"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + priority = 15; + tls.certResolver = "letsencrypt"; + }; + + actual = { + entryPoints = [ "websecure" ]; + rule = "Host(`actual.${domain}`)"; + service = "actual"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + tls.certResolver = "letsencrypt"; + }; + authentik = { + entryPoints = [ "websecure" ]; + rule = "Host(`authentik.${domain}`)"; + service = "authentik"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + tls.certResolver = "letsencrypt"; + }; + cache = { + entryPoints = [ "websecure" ]; + rule = "Host(`cache.${domain}`)"; + service = "cache"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + priority = 10; + tls.certResolver = "letsencrypt"; + }; + cloud = { + entryPoints = [ "websecure" ]; + rule = "Host(`cloud.${domain}`)"; + service = "cloud"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + tls.certResolver = 
"letsencrypt"; + }; + gitea = { + entryPoints = [ "websecure" ]; + rule = "Host(`gitea.${domain}`)"; + service = "gitea"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + tls.certResolver = "letsencrypt"; + }; + hass = { + entryPoints = [ "websecure" ]; + rule = "Host(`hass.${domain}`)"; + service = "hass"; + middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ]; + priority = 10; + tls.certResolver = "letsencrypt"; + }; + immich = { + entryPoints = [ "websecure" ]; + rule = "Host(`immich.${domain}`)"; + service = "immich"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + tls.certResolver = "letsencrypt"; + }; + jellyfin = { + entryPoints = [ "websecure" ]; + rule = "Host(`jellyfin.${domain}`)"; + service = "jellyfin"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + tls.certResolver = "letsencrypt"; + }; + jellyseerr = { + entryPoints = [ "websecure" ]; + rule = "Host(`jellyseerr.${domain}`)"; + service = "jellyseerr"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + tls.certResolver = "letsencrypt"; + }; + lubelogger = { + entryPoints = [ "websecure" ]; + rule = "Host(`lubelogger.${domain}`)"; + service = "lubelogger"; + middlewares = [ "crowdsec" "whitelist-geoblock" ]; + tls.certResolver = "letsencrypt"; + }; + onlyoffice = { + entryPoints = [ "websecure" ]; + rule = "Host(`office.${domain}`)"; + service = "onlyoffice"; + middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ]; + tls.certResolver = "letsencrypt"; + }; + }; + }; + }; + }; + }; +} diff --git a/modules/nixos/traefik/options.nix b/modules/nixos/traefik/options.nix new file mode 100644 index 0000000..bb19f87 --- /dev/null +++ b/modules/nixos/traefik/options.nix @@ -0,0 +1,7 @@ +{ lib, namespace, ... }: +with lib; +{ + options.${namespace}.services.traefik = { + enable = mkEnableOption "enable traefik"; + }; +} \ No newline at end of file 
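Review bot: `api.insecure = true` serves the Traefik dashboard and API without authentication on `traefikPort` (8080), and `forwardPorts` puts 8080 and the metrics port 8082 into both `allowedTCPPorts` and `allowedUDPPorts`, so both are reachable from any interface; keep `api.dashboard = true` but drop `api.insecure`, expose the dashboard through a `websecure` router guarded by the `authentik` and `internal-ipallowlist` middlewares, and narrow the firewall to `[ httpPort httpsPort ]` (UDP is only needed on 443 if HTTP/3 is enabled). `sops.templates."traefik.env"` is rendered but never consumed: `environmentFiles` points at `${dataDir}/traefik.env` on the data disk (`# todo: sops`), so the Cloudflare tokens still live in a plaintext file; use `config.sops.templates."traefik.env".path` and write the entries as `KEY=value`, since the `KEY = value` form with spaces is not the documented syntax for systemd `EnvironmentFile=` and should be verified to parse. `forwardAuth.tls.insecureSkipVerify = true` has no effect on the plain-`http://` `authentikAddress` and would silently disable certificate checks if that address ever becomes `https://`, so it can go. The `internal-ipallowlist` middleware is defined but attached to no router.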
diff --git a/modules/nixos/wyoming/default.nix b/modules/nixos/wyoming/default.nix new file mode 100755 index 0000000..4f58725 --- /dev/null +++ b/modules/nixos/wyoming/default.nix @@ -0,0 +1,27 @@ +{ config, lib, namespace, ... }: +with lib; +let + cfg = config.${namespace}.services.wyoming; +in +{ + imports = [ ./options.nix ]; + + config = mkIf cfg.enable { + services.wyoming = { + faster-whisper.servers.hass-whisper = { + enable = true; + useTransformers = false; + device = "cuda"; + language = "en"; + model = "distil-large-v3"; + uri = "tcp://0.0.0.0:10300"; + }; + + piper.servers.hass-piper = { + enable = true; + voice = "en-us-ryan-high"; + uri = "tcp://0.0.0.0:10200"; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/nixos/wyoming/options.nix b/modules/nixos/wyoming/options.nix new file mode 100644 index 0000000..46d7f0a --- /dev/null +++ b/modules/nixos/wyoming/options.nix @@ -0,0 +1,7 @@ +{ lib, namespace, ... }: +with lib; +{ + options.${namespace}.services.wyoming = { + enable = mkEnableOption "enable wyoming"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/nas/apps.nix b/systems/x86_64-linux/nas/apps.nix index 3e734a2..4dba496 100755 --- a/systems/x86_64-linux/nas/apps.nix +++ b/systems/x86_64-linux/nas/apps.nix @@ -1,25 +1,18 @@ -{ pkgs, lib, ... }: -let - settings = import ./settings.nix; -in +{ pkgs, lib, namespace, ... }: { - imports = [ - ./apps/actual - ./apps/arrs - ./apps/crowdsec - ./apps/excalidraw - ./apps/gitea - ./apps/immich - ./apps/jellyfin - ./apps/jellyseerr - ./apps/lubelogger - ./apps/nextcloud - ./apps/ollama - ./apps/orca - ./apps/paperless - ./apps/traefik - ./apps/wyoming - ]; + ${namespace} = { + services = { + immich.enable = true; + jellyfin.enable = true; + jellyseerr.enable = true; + lubelogger.enable = true; + nextcloud.enable = true; + ollama.enable = true; + paperless.enable = true; + traefik.enable = true; + wyoming.enable = true; + }; + }; nas-apps = { actual = { 
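Review bot: The removed `imports` list in `apps.nix` covered `./apps/actual`, `./apps/arrs`, `./apps/crowdsec`, `./apps/excalidraw` and `./apps/gitea`, but the new `${namespace}.services` block only enables immich through wyoming; `nas-apps.actual` and `nas-apps.crowdsec` are still configured further down this file, and the traefik module in this diff dereferences `config.containers.actual` and `config.containers.gitea`, so confirm those modules are still imported from somewhere else or evaluation will fail on the missing options. `pkgs` and `lib` stay in the argument set although nothing in the visible part of the file uses them any more; the hunk ends inside the `nas-apps` attribute set.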
@@ -71,7 +64,7 @@ in
 crowdsec = {
 enable = true;
 port = 9898;
- apiAddress = settings.hostAddress;
+ apiAddress = "10.0.1.3";
 apiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
 dataDir = "/media/nas/ssd/nix-app-data/crowdsec";
 };
diff --git a/systems/x86_64-linux/nas/apps/excalidraw/default.nix b/systems/x86_64-linux/nas/apps/excalidraw/default.nix
deleted file mode 100644
index 04e5c1d..0000000
--- a/systems/x86_64-linux/nas/apps/excalidraw/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, ... }:
-{
- virtualisation.oci-containers.containers.excalidraw = {
- autoStart = true;
- image = "excalidraw/excalidraw";
- ports = [ "8765:80" ];
- environment = {
- PUID = toString config.users.users.nix-apps.uid;
- PGID = toString config.users.groups.jallen-nas.gid;
- TZ = "America/Chicago";
- };
- };
-}
\ No newline at end of file
diff --git a/systems/x86_64-linux/nas/apps/immich/default.nix b/systems/x86_64-linux/nas/apps/immich/default.nix
deleted file mode 100755
index b33f20c..0000000
--- a/systems/x86_64-linux/nas/apps/immich/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ config, lib, ... }:
-let
- settings = import ../../settings.nix;
- immichPort = 2283;
- dataDir = "/media/nas/main/photos";
- dbPassword = config.sops.secrets."jallen-nas/immich/db-password".path;
-in
-{
- # Enable immich service
- services.immich = {
- enable = true;
- port = immichPort;
- openFirewall = true;
- secretsFile = dbPassword;
- mediaLocation = dataDir;
-
- environment = {
- IMMICH_HOST = lib.mkForce "0.0.0.0";
- IMMICH_TRUSTED_PROXIES = settings.hostAddress;
- TZ = "America/Chicago";
- };
-
- machine-learning = {
- enable = true;
- };
- };
-}
diff --git a/systems/x86_64-linux/nas/apps/jellyfin/default.nix b/systems/x86_64-linux/nas/apps/jellyfin/default.nix
deleted file mode 100755
index 90999ec..0000000
--- a/systems/x86_64-linux/nas/apps/jellyfin/default.nix
+++ /dev/null
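Review bot: The context line `apiKey = "…"` (value deliberately not repeated) keeps the CrowdSec LAPI key as a literal in the module, which ends up in the world-readable Nix store and in git history; the commit only swaps `settings.hostAddress` for the literal `"10.0.1.3"` and leaves the key in place. The traefik module in this diff already reads its bouncer key from `config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path`, so the same secret could be fed here through a file-backed option if `nas-apps.crowdsec` provides one (its definition is outside this diff), and the literal should then be rotated. The enclosing `nas-apps` attribute set starts and ends outside the hunk.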
@@ -1,11 +0,0 @@ -{ ... }: -{ - services.jellyfin = { - enable = true; - openFirewall = true; - user = "nix-apps"; - group = "jallen-nas"; - dataDir = "/media/nas/ssd/nix-app-data/jellyfin"; - # cacheDir = "/cache"; - }; -} diff --git a/systems/x86_64-linux/nas/apps/jellyseerr/default.nix b/systems/x86_64-linux/nas/apps/jellyseerr/default.nix deleted file mode 100755 index 7188537..0000000 --- a/systems/x86_64-linux/nas/apps/jellyseerr/default.nix +++ /dev/null @@ -1,73 +0,0 @@ -{ ... }: - -let - jellyseerrPort = 5055; - dataDir = "/var/lib/private/jellyseerr"; - settings = import ../../settings.nix; -in -{ - containers.jellyseerr = { - autoStart = true; - privateNetwork = true; - hostAddress = settings.hostAddress; - localAddress = "10.0.1.52"; - hostAddress6 = "fc00::1"; - localAddress6 = "fc00::4"; - - bindMounts = { - ${dataDir} = { - hostPath = "/media/nas/ssd/nix-app-data/jellyseerr"; - isReadOnly = false; - }; - }; - - config = - { - lib, - ... - }: - { - # Enable jellyseerr service - services.jellyseerr = { - enable = true; - port = jellyseerrPort; - # package = package; - openFirewall = true; - }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ jellyseerrPort ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - - # Create and set permissions for required directories - system.activationScripts.jellyseerr-dirs = '' - mkdir -p /var/lib/private/jellyseerr - - chown -R jellyseerr:jellyseerr /var/lib/private/jellyseerr - - chmod -R 775 /var/lib/private/jellyseerr - - ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin - - ''; - - services.resolved.enable = true; - system.stateVersion = "23.11"; - }; - }; - - networking.nat = { - forwardPorts = [ - { - destination = "10.0.1.52:5055"; - sourcePort = jellyseerrPort; - } - ]; - }; -} 
diff --git a/systems/x86_64-linux/nas/apps/lubelogger/default.nix b/systems/x86_64-linux/nas/apps/lubelogger/default.nix deleted file mode 100644 index 5649c04..0000000 --- a/systems/x86_64-linux/nas/apps/lubelogger/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, ... }: -{ - virtualisation.oci-containers.containers.lubelogger = { - autoStart = true; - image = "ghcr.io/hargata/lubelogger"; - ports = [ "6754:8080" ]; - volumes = [ - "/media/nas/ssd/nix-app-data/lubelogger:/App/data" - "/media/nas/ssd/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys" - ]; - environmentFiles = [ - "/media/nas/ssd/nix-app-data/lubelogger/lubelogger.env" - ]; - environment = { - PUID = toString config.users.users.nix-apps.uid; - PGID = toString config.users.groups.jallen-nas.gid; - TZ = "America/Chicago"; - }; - }; -} \ No newline at end of file diff --git a/systems/x86_64-linux/nas/apps/nextcloud/default.nix b/systems/x86_64-linux/nas/apps/nextcloud/default.nix deleted file mode 100755 index 18affdc..0000000 --- a/systems/x86_64-linux/nas/apps/nextcloud/default.nix +++ /dev/null 
@@ -1,237 +0,0 @@ -{ config, pkgs, namespace, ... }: -let - settings = import ../../settings.nix; - adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path; - secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path; - jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path; - nextcloudUserId = config.users.users.nix-apps.uid; - nextcloudGroupId = config.users.groups.jallen-nas.gid; - nextcloudPackage = pkgs.nextcloud31; - hostAddress = settings.hostAddress; - localAddress = "10.0.2.18"; - nextcloudPortExtHttp = 9988; - nextcloudPortExtHttps = 9943; - onlyofficePortExt = 9943; - - systemPackages = with pkgs; [ - cudaPackages.cudnn - cudatoolkit - ffmpeg - # libtensorflow-bin - nextcloud31 - nodejs - onlyoffice-documentserver - sqlite - ]; -in -{ - containers.nextcloud = { - autoStart = true; - privateNetwork = true; - hostAddress = hostAddress; - localAddress = localAddress; - specialArgs = { - inherit namespace; - }; - - bindMounts = { - secrets = { - hostPath = "/run/secrets/jallen-nas/nextcloud"; - isReadOnly = true; - mountPoint = "/run/secrets/jallen-nas/nextcloud"; - }; - - secrets2 = { - hostPath = "/run/secrets/jallen-nas/onlyoffice-key"; - isReadOnly = true; - mountPoint = "/run/secrets/jallen-nas/onlyoffice-key"; - }; - - data = { - hostPath = "/media/nas/main/nextcloud"; - isReadOnly = false; - mountPoint = "/data"; - }; - - "/var/lib/nextcloud" = { - hostPath = "/media/nas/ssd/nix-app-data/nextcloud"; - isReadOnly = false; - mountPoint = "/var/lib/nextcloud"; - }; - - "/var/lib/onlyoffice" = { - hostPath = "/media/nas/ssd/nix-app-data/onlyoffice"; - isReadOnly = false; - mountPoint = "/var/lib/onlyoffice"; - }; - }; - - config = - { pkgs, lib, namespace, ... 
}: - { - nixpkgs.config.allowUnfree = true; - networking.extraHosts = '' - ${hostAddress} host.containers protonmail-bridge - ''; - - services = { - nextcloud = { - enable = true; - package = nextcloudPackage; - # datadir = "/data"; - database.createLocally = true; - hostName = "cloud.mjallen.dev"; - appstoreEnable = true; - caching.redis = true; - configureRedis = true; - enableImagemagick = true; - https = true; - secretFile = secretsFile; - - config = { - adminuser = "mjallen"; - adminpassFile = adminpass; - dbhost = "localhost"; - dbtype = "sqlite"; - dbname = "nextcloud"; - dbuser = "nextcloud"; - }; - settings = { - loglevel = 3; - allow_local_remote_servers = true; - upgrade.disable-web = false; - datadirectory = "/data"; - trusted_domains = [ - "${hostAddress}:${toString nextcloudPortExtHttp}" - "${hostAddress}:${toString nextcloudPortExtHttps}" - "${localAddress}:80" - "${localAddress}:443" - "cloud.mjallen.dev" - ]; - opcache.interned_strings_buffer = 16; - trusted_proxies = [ hostAddress ]; - maintenance_window_start = 6; - default_phone_region = "US"; - enable_previews = true; - enabledPreviewProviders = [ - "OC\\Preview\\PNG" - "OC\\Preview\\JPEG" - "OC\\Preview\\GIF" - "OC\\Preview\\BMP" - "OC\\Preview\\XBitmap" - "OC\\Preview\\MP3" - "OC\\Preview\\TXT" - "OC\\Preview\\MarkDown" - "OC\\Preview\\OpenDocument" - "OC\\Preview\\Krita" - "OC\\Preview\\HEIC" - "OC\\Preview\\Movie" - "OC\\Preview\\MSOffice2003" - "OC\\Preview\\MSOffice2007" - "OC\\Preview\\MSOfficeDoc" - ]; - installed = true; - user_oidc = { - auto_provision = false; - soft_auto_provision = false; - allow_multiple_user_backends = false; # auto redirect to authentik for login - }; - }; - }; - }; - - services.onlyoffice = { - enable = true; - port = onlyofficePortExt; - hostname = "office.mjallen.dev"; - jwtSecretFile = jwtSecretFile; - }; - - # System packages - environment.systemPackages = systemPackages; - - # Create required users and groups - users.users.nextcloud = { - isSystemUser = 
true; - uid = lib.mkForce nextcloudUserId; - group = "nextcloud"; - }; - - users.users.onlyoffice = { - group = lib.mkForce "nextcloud"; - }; - - users.groups = { - nextcloud = { - gid = lib.mkForce nextcloudGroupId; - }; - downloads = { }; - }; - - # Create and set permissions for required directories - system.activationScripts.nextcloud-dirs = '' - mkdir -p /data - - chown -R nextcloud:nextcloud /data - - chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud - - chmod -R 775 /data - - chmod -R 750 /run/secrets/jallen-nas/nextcloud - - ''; - - hardware = { - graphics = { - enable = true; - # setLdLibraryPath = true; - }; - }; - - programs = { - nix-ld.enable = true; - }; - - system.stateVersion = "23.11"; - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ - 80 - 443 - onlyofficePortExt - ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - services.resolved.enable = true; - - }; - }; - - networking = { - nat = { - forwardPorts = [ - { - destination = "${localAddress}:443"; - sourcePort = nextcloudPortExtHttps; - } - { - destination = "${localAddress}:80"; - sourcePort = nextcloudPortExtHttp; - } - { - destination = "${localAddress}:8000"; - sourcePort = 8000; - } - { - destination = "${localAddress}:${toString onlyofficePortExt}"; - sourcePort = onlyofficePortExt; - } - ]; - }; - }; -} diff --git a/systems/x86_64-linux/nas/apps/ollama/default.nix b/systems/x86_64-linux/nas/apps/ollama/default.nix deleted file mode 100755 index b4ef361..0000000 --- a/systems/x86_64-linux/nas/apps/ollama/default.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -{ config, pkgs, ... }: -let - llamaPackage = pkgs.llama-cpp.overrideAttrs (old: { - src = pkgs.fetchFromGitHub { - owner = "ggml-org"; - repo = "llama.cpp"; - rev = "b4920"; - sha256 = "sha256-SnQIeY74JpAPRMxWcpklDH5D4CQvAgi0GYx5+ECk2J4="; - }; - # Optionally override other attributes if you need to - # version = "my-fork-version"; - # pname = "llama-cpp-custom"; - }); -in -{ - services.ollama = { - enable = true; - port = 11434; - host = "0.0.0.0"; - user = "nix-apps"; - group = "jallen-nas"; - openFirewall = true; - acceleration = "cuda"; - home = "/media/nas/ssd/nix-app-data/ollama"; - }; - - environment.systemPackages = [ llamaPackage ]; - - services.llama-cpp = { - enable = true; - port = 8127; - host = "0.0.0.0"; - openFirewall = true; - model = "/media/nas/ssd/nix-app-data/llama-cpp/models/functionary-small-v3.2-GGUF/functionary-small-v3.2.Q4_0.gguf"; - package = llamaPackage; # pkgs.unstable.llama-cpp; - extraFlags = [ - "--n_gpu-layers" - "500" - "-c" - "0" - "--numa" - "numactl" - "--jinja" - ]; - }; - - services.open-webui = { - enable = false; - host = "0.0.0.0"; - port = 8888; - openFirewall = true; - # stateDir = "/media/nas/ssd/nix-app-data/open-webui"; - environmentFile = config.sops.secrets."jallen-nas/open-webui".path; - environment = { - OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration"; - OAUTH_PROVIDER_NAME = "authentik"; - OPENID_REDIRECT_URI = "https://chat.mjallen.dev/oauth/oidc/callback"; - ENABLE_OAUTH_SIGNUP = "False"; - OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "True"; - ENABLE_SIGNUP = "False"; - ENABLE_LOGIN_FORM = "False"; - ANONYMIZED_TELEMETRY = "False"; - DO_NOT_TRACK = "True"; - SCARF_NO_ANALYTICS = "True"; - OLLAMA_API_BASE_URL = "http://127.0.0.1:11434"; - LOCAL_FILES_ONLY = "False"; - WEBUI_AUTH = "False"; - }; - }; -} 
diff --git a/systems/x86_64-linux/nas/apps/paperless/default.nix b/systems/x86_64-linux/nas/apps/paperless/default.nix deleted file mode 100755 index b97ef06..0000000 --- a/systems/x86_64-linux/nas/apps/paperless/default.nix +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - config, - pkgs, - ... -}: -let - settings = import ../../settings.nix; - paperlessPort = 28981; - paperlessUserId = config.users.users.nix-apps.uid; - paperlessGroupId = config.users.groups.jallen-nas.gid; - paperlessEnv = config.sops.templates."paperless.env".path; - paperlessPkg = pkgs.paperless-ngx; -in -{ - containers.paperless = { - autoStart = true; - privateNetwork = true; - hostAddress = settings.hostAddress; - localAddress = "10.0.1.20"; - hostAddress6 = "fc00::1"; - localAddress6 = "fc00::20"; - - config = - { - lib, - ... - }: - { - # Enable paperless service - services.paperless = { - enable = false; - package = paperlessPkg; - port = paperlessPort; - user = "paperless"; - address = "0.0.0.0"; - passwordFile = "/var/lib/paperless/paperless-password"; - # environmentFile = paperlessEnv; # unstable is too unstable, but this doesnt exist in stable.... disabling altogether.... - }; - - # Create required users and groups - users.groups = { - documents = { - gid = lib.mkForce paperlessGroupId; - }; - }; - - users.users.paperless = { - isSystemUser = true; - uid = lib.mkForce paperlessUserId; - group = lib.mkForce "documents"; - }; - - # Create and set permissions for required directories - system.activationScripts.paperless-dirs = '' - mkdir -p /var/lib/paperless - - chown -R paperless:documents /var/lib/paperless - - chmod -R 775 /var/lib/paperless - - ''; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ paperlessPort ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - - services.resolved.enable = true; - system.stateVersion = "23.11"; - }; - - # Bind mount directories from host - bindMounts = { - "/var/lib/paperless" = { - hostPath = "/media/nas/ssd/nix-app-data/paperless"; - isReadOnly = false; - }; - secrets = { - hostPath = "/run/secrets/jallen-nas/paperless"; - isReadOnly = true; - 
mountPoint = "/run/secrets/jallen-nas/paperless"; - }; - secret-env = { - hostPath = "/run/secrets/rendered/paperless.env"; - isReadOnly = true; - mountPoint = "/run/secrets/rendered/paperless.env"; - }; - }; - }; - - networking.nat = { - forwardPorts = [ - { - destination = "10.0.1.20:28981"; - sourcePort = paperlessPort; - } - ]; - }; -} diff --git a/systems/x86_64-linux/nas/apps/traefik/default.nix b/systems/x86_64-linux/nas/apps/traefik/default.nix deleted file mode 100755 index 9f9b464..0000000 --- a/systems/x86_64-linux/nas/apps/traefik/default.nix +++ /dev/null 
@@ -1,391 +0,0 @@ -{ config, ... }: -let - settings = import ../../settings.nix; - domain = "mjallen.dev"; - serverIp = settings.hostAddress; - - # Forward services - authUrl = "http://${serverIp}:9000/outpost.goauthentik.io"; - - actualUrl = "http://${config.containers.actual.localAddress}:${toString config.containers.actual.config.services.actual.settings.port}"; - authentikUrl = "http://${serverIp}:9000"; - cacheUrl = "http://${serverIp}:9012"; - cloudUrl = "http://${config.containers.nextcloud.localAddress}:80"; - giteaUrl = "http://${config.containers.gitea.localAddress}:${toString config.containers.gitea.config.services.gitea.settings.server.HTTP_PORT}"; - hassUrl = "http://homeassistant.local:8123"; - immichUrl = "http://${serverIp}:${toString config.services.immich.port}"; - jellyfinUrl = "http://${serverIp}:8096"; - jellyseerrUrl = "http://${config.containers.jellyseerr.localAddress}:${toString config.containers.jellyseerr.config.services.jellyseerr.port}"; - lubeloggerUrl = "http://${serverIp}:6754"; - onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}"; - openWebUIUrl = "http://${serverIp}:8888"; - paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}"; - - # Plugins - traefikPlugins = { - bouncer = { - moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"; - version = "v1.4.2"; - }; - geoblock = { - moduleName = "github.com/PascalMinder/geoblock"; - version = "v0.2.5"; - }; - }; - - crowdsecAppsecHost = "${serverIp}:7422"; - crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path; - - # Ports - httpPort = 80; - httpsPort = 443; - traefikPort = 8080; - metricsPort = 8082; - - forwardPorts = [ - httpPort - httpsPort - traefikPort - metricsPort - ]; - - # misc - letsEncryptEmail = "jalle008@proton.me"; - dataDir = 
"/media/nas/ssd/nix-app-data/traefik"; - authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik"; -in -{ - sops = { - secrets = { - "jallen-nas/traefik/crowdsec-lapi-key" = { - owner = config.users.users.traefik.name; - group = config.users.users.traefik.group; - restartUnits = [ "traefik.service" ]; - }; - "jallen-nas/traefik/cloudflare-dns-api-token" = { }; - "jallen-nas/traefik/cloudflare-zone-api-token" = { }; - "jallen-nas/traefik/cloudflare-api-key" = { }; - "jallen-nas/traefik/cloudflare-email" = { }; - }; - templates = { - "traefik.env" = { - content = '' - CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"} - CLOUDFLARE_ZONE_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"} - CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"} - CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"} - ''; - owner = config.users.users.traefik.name; - group = config.users.users.traefik.group; - restartUnits = [ "traefik.service" ]; - }; - }; - }; - - networking.firewall = { - allowedTCPPorts = forwardPorts; - allowedUDPPorts = forwardPorts; - }; - - services.traefik = { - enable = true; - dataDir = dataDir; - group = "jallen-nas";#group; - environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops - - staticConfigOptions = { - entryPoints = { - web = { - address = ":${toString httpPort}"; - asDefault = true; - http.redirections.entrypoint = { - to = "websecure"; - scheme = "https"; - }; - }; - - websecure = { - address = ":${toString httpsPort}"; - asDefault = true; - http.tls.certResolver = "letsencrypt"; - }; - - metrics = { - address = ":${toString metricsPort}"; # Port for metrics - }; - }; - - log = { - level = "INFO"; - }; - - metrics = { - prometheus = { - entryPoint = "metrics"; - addEntryPointsLabels = true; - addServicesLabels = true; - buckets = [0.1 0.3 1.2 5.0]; # 
Response time buckets - }; - }; - - certificatesResolvers.letsencrypt.acme = { - email = letsEncryptEmail; - storage = "${config.services.traefik.dataDir}/acme.json"; - dnsChallenge = { - provider = "cloudflare"; - resolvers = [ - "1.1.1.1:53" - "8.8.8.8:53" - ]; - }; - }; - - api.dashboard = true; - # Access the Traefik dashboard on :8080 of your server - api.insecure = true; - - experimental = { - plugins = traefikPlugins; - }; - }; - - dynamicConfigOptions = { - http = { - middlewares = { - authentik = { - forwardAuth = { - tls.insecureSkipVerify = true; - address = authentikAddress; - trustForwardHeader = true; - authResponseHeaders = [ - "X-authentik-username" - "X-authentik-groups" - "X-authentik-email" - "X-authentik-name" - "X-authentik-uid" - "X-authentik-jwt" - "X-authentik-meta-jwks" - "X-authentik-meta-outpost" - "X-authentik-meta-provider" - "X-authentik-meta-app" - "X-authentik-meta-version" - ]; - }; - }; - onlyoffice-websocket = { - headers.customrequestheaders = { - X-Forwarded-Proto = "https"; - }; - }; - crowdsec = { - plugin = { - bouncer = { - crowdsecAppsecEnabled = true; - crowdsecAppsecHost = crowdsecAppsecHost; - crowdsecAppsecFailureBlock = true; - crowdsecAppsecUnreachableBlock = true; - crowdsecLapiKeyFile = crowdsecLapiKeyFile; - }; - }; - }; - whitelist-geoblock = { - plugin = { - geoblock = { - silentStartUp = false; - allowLocalRequests = true; - logLocalRequests = false; - logAllowedRequests = false; - logApiRequests = false; - api = "https://get.geojs.io/v1/ip/country/{ip}"; - apiTimeoutMs = 500; - cacheSize = 25; - forceMonthlyUpdate = true; - allowUnknownCountries = false; - unknownCountryApiResponse = "nil"; - blackListMode = false; - countries = [ - "CA" - "US" - ]; - }; - }; - }; - internal-ipallowlist = - { - ipAllowList = { - sourceRange = [ - "127.0.0.1/32" - "10.0.1.0/24" - ]; - }; - }; - }; - - services = { - auth.loadBalancer.servers = [ - { - url = authUrl; - } - ]; - - actual.loadBalancer.servers = [ - { - url = 
actualUrl; - } - ]; - authentik.loadBalancer.servers = [ - { - url = authentikUrl; - } - ]; - cache.loadBalancer.servers = [ - { - url = cacheUrl; - } - ]; - chat.loadBalancer.servers = [ - { - url = openWebUIUrl; - } - ]; - cloud.loadBalancer.servers = [ - { - url = cloudUrl; - } - ]; - gitea.loadBalancer.servers = [ - { - url = giteaUrl; - } - ]; - hass.loadBalancer.servers = [ - { - url = hassUrl; - } - ]; - immich.loadBalancer.servers = [ - { - url = immichUrl; - } - ]; - jellyfin.loadBalancer.servers = [ - { - url = jellyfinUrl; - } - ]; - jellyseerr.loadBalancer.servers = [ - { - url = jellyseerrUrl; - } - ]; - lubelogger.loadBalancer.servers = [ - { - url = lubeloggerUrl; - } - ]; - onlyoffice.loadBalancer.servers = [ - { - url = onlyofficeUrl; - } - ]; - paperless.loadBalancer.servers = [ - { - url = paperlessUrl; - } - ]; - }; - - routers = { - auth = { - entryPoints = [ "websecure" ]; - rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)"; - service = "auth"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - priority = 15; - tls.certResolver = "letsencrypt"; - }; - - actual = { - entryPoints = [ "websecure" ]; - rule = "Host(`actual.${domain}`)"; - service = "actual"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - tls.certResolver = "letsencrypt"; - }; - authentik = { - entryPoints = [ "websecure" ]; - rule = "Host(`authentik.${domain}`)"; - service = "authentik"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - tls.certResolver = "letsencrypt"; - }; - cache = { - entryPoints = [ "websecure" ]; - rule = "Host(`cache.${domain}`)"; - service = "cache"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - priority = 10; - tls.certResolver = "letsencrypt"; - }; - cloud = { - entryPoints = [ "websecure" ]; - rule = "Host(`cloud.${domain}`)"; - service = "cloud"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - tls.certResolver = "letsencrypt"; - }; - gitea = { - entryPoints = [ "websecure" 
]; - rule = "Host(`gitea.${domain}`)"; - service = "gitea"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - tls.certResolver = "letsencrypt"; - }; - hass = { - entryPoints = [ "websecure" ]; - rule = "Host(`hass.${domain}`)"; - service = "hass"; - middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ]; - priority = 10; - tls.certResolver = "letsencrypt"; - }; - immich = { - entryPoints = [ "websecure" ]; - rule = "Host(`immich.${domain}`)"; - service = "immich"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - tls.certResolver = "letsencrypt"; - }; - jellyfin = { - entryPoints = [ "websecure" ]; - rule = "Host(`jellyfin.${domain}`)"; - service = "jellyfin"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - tls.certResolver = "letsencrypt"; - }; - jellyseerr = { - entryPoints = [ "websecure" ]; - rule = "Host(`jellyseerr.${domain}`)"; - service = "jellyseerr"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - tls.certResolver = "letsencrypt"; - }; - lubelogger = { - entryPoints = [ "websecure" ]; - rule = "Host(`lubelogger.${domain}`)"; - service = "lubelogger"; - middlewares = [ "crowdsec" "whitelist-geoblock" ]; - tls.certResolver = "letsencrypt"; - }; - onlyoffice = { - entryPoints = [ "websecure" ]; - rule = "Host(`office.${domain}`)"; - service = "onlyoffice"; - middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ]; - tls.certResolver = "letsencrypt"; - }; - }; - }; - }; - }; -} diff --git a/systems/x86_64-linux/nas/apps/wyoming/default.nix b/systems/x86_64-linux/nas/apps/wyoming/default.nix deleted file mode 100755 index f744531..0000000 --- a/systems/x86_64-linux/nas/apps/wyoming/default.nix +++ /dev/null 
@@ -1,19 +0,0 @@ -{ pkgs, ... }: -{ - services.wyoming = { - faster-whisper.servers.hass-whisper = { - enable = true; - useTransformers = false; - device = "cuda"; - language = "en"; - model = "distil-large-v3"; - uri = "tcp://0.0.0.0:10300"; - }; - - piper.servers.hass-piper = { - enable = true; - voice = "en-us-ryan-high"; - uri = "tcp://0.0.0.0:10200"; - }; - }; -} \ No newline at end of file diff --git a/systems/x86_64-linux/nas/networking.nix b/systems/x86_64-linux/nas/networking.nix index d7dffc2..3d81abb 100755 --- a/systems/x86_64-linux/nas/networking.nix +++ b/systems/x86_64-linux/nas/networking.nix @@ -1,6 +1,5 @@ { config, lib, ... }: let - settings = import ./settings.nix; ports = [ 8008 # restic 9000 # authentik @@ -29,7 +28,7 @@ in { # Networking configs networking = { - hostName = lib.mkForce settings.hostName; + hostName = lib.mkForce "jallen-nas"; useNetworkd = true; @@ -50,7 +49,7 @@ in type = "wifi"; }; ipv4 = { - address1 = "${settings.hostAddress}/24"; + address1 = "10.0.1.3/24"; dns = "10.0.1.1"; gateway = "10.0.1.1"; method = "manual"; diff --git a/systems/x86_64-linux/nuc/networking.nix b/systems/x86_64-linux/nuc/networking.nix index eb7385c..4ed699c 100755 --- a/systems/x86_64-linux/nuc/networking.nix +++ b/systems/x86_64-linux/nuc/networking.nix @@ -1,6 +1,5 @@ { config, lib, ... }: let - # settings = import ./settings.nix; ports = [ 8192 ]; @@ -8,7 +7,7 @@ in { # Networking configs networking = { - hostName = lib.mkForce "nuc-nixos";#settings.hostName; + hostName = lib.mkForce "nuc-nixos"; useNetworkd = true;
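Review bot: In the `@@ -50,7 +49,7 @@` hunk of systems/x86_64-linux/nas/networking.nix the new `address1 = "10.0.1.3/24";` inlines the value that `settings.hostAddress` used to provide, and the `@@ -29,7 +28,7 @@` hunk does the same for `hostName`, so this file no longer has one binding for the host's identity even though both values are still needed elsewhere (the deleted traefik and paperless modules referenced `settings.hostAddress` for their upstream URLs and container `hostAddress`). Since the file keeps a `let` block (the `ports = [` list in the first hunk), bind them there once, e.g. `hostAddress = "10.0.1.3";` and `hostName = "jallen-nas";`, and write `address1 = "${hostAddress}/24";` and `hostName = lib.mkForce hostName;` so a future address change cannot silently leave the NAT forward targets or firewall rules of other modules pointing at a stale address. Whether any remaining module still does `import ./settings.nix` after this commit is not visible here, so it is worth checking that nothing else depends on the removed import. The matching nuc/networking.nix hunk `@@ -8,7 +7,7 @@` only drops a stale trailing comment and its end lies outside this chunk.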