mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

temp

Browse Source
This commit is contained in:
mjallen18
2025-09-17 10:18:57 -05:00
parent 6c9d4ccc86
commit 208aaf3f27
6 changed files with 501 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
modules/nixos/homeassistant/services/homeassistant/default.nix
View File

@@ -143,6 +143,7 @@ in
"mobile_app" "mobile_app"
"mqtt" "mqtt"
"music_assistant" "music_assistant"
"ntfy"
"nut" "nut"
"nextcloud" "nextcloud"
"notify" "notify"

167
modules/nixos/services/matrix/default.nix Normal file
View File

@@ -0,0 +1,167 @@
{ config, lib, namespace, ... }:
let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
cfg = config.${namespace}.services.matrix;
matrixConfig = {
services.matrix-synapse = {
enable = true;
dataDir = "/var/lib/matrix-synapse";
configureRedisLocally = true;
enableRegistrationScript = true;
settings = {
server_name = "mjallen.dev";
public_baseurl = "https://matrix.mjallen.dev";
serve_server_wellknown = true;
listeners = [
{
port = cfg.port;
tls = false;
x_forwarded = true;
bind_addresses = [ "::1" "0.0.0.0" ];
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
oidc_providers = [
{
idp_id = "authentik";
idp_name = "authentik";
discover = true;
issuer = "https://authentik.mjallen.dev/application/o/matrix/";
client_id = "KiChwyQn2kMtXU6LU0x3dlCb0jO6VB6e9xsN9NPs"; # TO BE FILLED
client_secret = "6XRfNCUayZqnyaMv0QSEeFz98x2y8BkXnDyylmvAbg71YkQVtpEybP6jmPzncpJsx4k5evtziicgu8p9dOa2oADHL6Ao13643VMTsI4BSel1sbIICA2TH755BpB9J39A"; # TO BE FILLED
scopes =[
"openid"
"profile"
"email"
];
user_mapping_provider = {
config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.preferred_username|capitalize }}"; # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
};
};
allow_existing_users = true;
}
];
# Database configuration
database = {
name = "psycopg2";
allow_unsafe_locale = true;
args = {
user = "synapse";
database = "synapse";
host = "localhost";
cp_min = 5;
cp_max = 10;
};
};
# Registration settings
enable_registration = false; # Set to true initially to create admin user
enable_registration_without_verification = false;
# registration_shared_secret = "BogieDudie1";
# Media settings
max_upload_size = "50M";
media_store_path = "/var/lib/matrix-synapse/media";
# Logging
# log_config = "/var/lib/matrix-synapse/log_config.yaml";
trusted_key_servers = [
{
server_name = "matrix.org";
}
];
};
};
users.users.matrix-synapse = {
isSystemUser = true;
group = "matrix-synapse";
};
users.groups.matrix-synapse = {};
services.postgresql = {
enable = lib.mkDefault true;
authentication = lib.mkOverride 10 ''
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
ensureDatabases = [ "synapse" ];
ensureUsers = [
{
name = "synapse";
ensureDBOwnership = true;
}
];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
bindMounts = {
"/var/lib/matrix-synapse" = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
};
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "actual";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares;
};
matrixContainer = (lib.${namespace}.mkContainer {
name = "matrix-synapse";
localAddress = cfg.localAddress;
port = cfg.port;
bindMounts = bindMounts;
config = matrixConfig;
}) { inherit lib; };
fullConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
} // matrixContainer;
in
with lib;
{
options.${namespace}.services.matrix = {
enable = mkEnableOption "matrix service";
port = mkOpt types.int 8008 "Port for Actual to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
dataDir = mkOpt types.str "" "Path to the data dir";
reverseProxy = mkReverseProxyOpt;
};
config = lib.mkIf cfg.enable fullConfig;
}

98
modules/nixos/services/ntfy/default.nix Normal file
View File

@@ -0,0 +1,98 @@
{ config, lib, namespace, ... }:
let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
cfg = config.${namespace}.services.ntfy;
ntfyEnvFile = config.sops.secrets."jallen-nas/ntfy/auth-users".path;
ntfyConfig = {
services = {
ntfy-sh = {
enable = true;
# environmentFile = "/run/.env";
settings = {
base-url = "https://${cfg.reverseProxy.subdomain}.mjallen.dev";
enable-login = true;
listen-http = ":${toString cfg.port}";
cache-file = "/var/lib/ntfy-sh/cache.db";
attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
behind-proxy = true;
auth-default-access = "deny-all";
auth-file = "/var/lib/ntfy-sh/user.db";
auth-users = [
"mjallen:$2a$10$g4TqI8UiKKVaKTmrwnXIw.wtajiLBM6oc3UCfJ//lPZFilJnBirn.:admin"
];
};
};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
# Create and set permissions for required directories
system.activationScripts.ntfy-dirs = ''
mkdir -p /var/lib/ntfy-sh
chown -R ntfy-sh:ntfy-sh /var/lib/ntfy-sh
chmod -R 775 /var/lib/ntfy-sh
'';
};
bindMounts = {
"/var/lib/ntfy-sh" = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
"/run/.env" = {
hostPath = ntfyEnvFile;
isReadOnly = true;
};
};
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "ntfy";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares;
};
ntfyContainer = (lib.${namespace}.mkContainer {
name = "ntfy";
localAddress = cfg.localAddress;
port = cfg.port;
bindMounts = bindMounts;
config = ntfyConfig;
}) { inherit lib; };
fullConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
} // ntfyContainer;
in
with lib;
{
options.${namespace}.services.ntfy = {
enable = mkEnableOption "ntfy service";
port = mkOpt types.int 8008 "Port for ntfy to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
dataDir = mkOpt types.str "" "Path to the data dir";
reverseProxy = mkReverseProxyOpt;
};
config = lib.mkIf cfg.enable fullConfig;
}

392
secrets/nas-secrets.yaml
View File

File diff suppressed because one or more lines are too long

32
systems/x86_64-linux/jallen-nas/apps.nix
View File

@@ -123,6 +123,36 @@
enable = true; enable = true;
}; };
ntfy = {
enable = true;
port = 2586;
localAddress = "10.1.0.3";
dataDir = "/media/nas/main/nix-app-data/ntfy";
reverseProxy = {
enable = true;
subdomain = "ntfy";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
};
};
matrix = {
enable = true;
port = 8448;
localAddress = "10.1.0.3";
dataDir = "/media/nas/main/nix-app-data/matrix-synapse";
reverseProxy = {
enable = true;
subdomain = "matrix";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
};
};
glances = { glances = {
enable = true; enable = true;
port = 61208; port = 61208;
@@ -153,7 +183,7 @@
}; };
tabby-web = { tabby-web = {
enable = true; enable = false;
port = 8050; port = 8050;
openFirewall = true; openFirewall = true;
}; };

7
systems/x86_64-linux/jallen-nas/sops.nix
View File

@@ -234,6 +234,13 @@ in
"jallen-nas/free-games/gog-pass" = { "jallen-nas/free-games/gog-pass" = {
sopsFile = defaultSops; sopsFile = defaultSops;
}; };
# ------------------------------
# ntfy
# ------------------------------
"jallen-nas/ntfy/auth-users" = {
sopsFile = defaultSops;
};
}; };
# ------------------------------ # ------------------------------