mkModule various

This commit is contained in:
mjallen18
2025-12-17 14:11:49 -06:00
parent 96ce0001c5
commit 63bd725d64
16 changed files with 304 additions and 1136 deletions


@@ -6,34 +6,40 @@
}: }:
with lib; with lib;
let let
cfg = config.${namespace}.services.manyfold; name = "manyfold";
in cfg = config.${namespace}.services.${name};
{
imports = [ ./options.nix ];
config = mkIf cfg.enable { manyfoldConfig = lib.${namespace}.mkModule {
virtualisation.oci-containers.containers."${cfg.name}" = { inherit config name;
autoStart = cfg.autoStart; description = "manyfold";
image = cfg.image; options = { };
ports = [ "${cfg.httpPort}:3214" ]; moduleConfig = {
extraOptions = [ virtualisation.oci-containers.containers."${name}" = {
"--cap-drop=ALL" autoStart = true;
"--cap-add=CHOWN" image = "ghcr.io/manyfold3d/manyfold-solo";
"--cap-add=DAC_OVERRIDE" ports = [ "${toString cfg.port}:3214" ];
"--cap-add=SETUID" extraOptions = [
"--cap-add=SETGID" "--cap-drop=ALL"
"--security-opt=no-new-privileges:true" "--cap-add=CHOWN"
]; "--cap-add=DAC_OVERRIDE"
volumes = [ "--cap-add=SETUID"
"${cfg.configPath}:/config" "--cap-add=SETGID"
"${cfg.dataPath}:/libraries" "--security-opt=no-new-privileges:true"
]; ];
environment = { volumes = [
PUID = cfg.puid; "${cfg.configDir}/manyfold:/config"
PGID = cfg.pgid; "${cfg.dataDir}/3d_printer:/libraries"
TZ = cfg.timeZone; ];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
environmentFiles = [ config.sops.secrets."jallen-nas/manyfold/secretkeybase".path ];
}; };
environmentFiles = [ config.sops.secrets."jallen-nas/manyfold/secretkeybase".path ];
}; };
}; };
in
{
imports = [ manyfoldConfig ];
} }
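Review bot: The image reference on the new side, `image = "ghcr.io/manyfold3d/manyfold-solo";`, carries no tag or digest, so every pull resolves to whatever `latest` points at and the deployment is neither reproducible nor auditable the way the rest of the Nix config is. Pin it, e.g. `image = "ghcr.io/manyfold3d/manyfold-solo:<version>@sha256:<digest>";`. The body still reads `cfg.port`, `cfg.configDir`, `cfg.dataDir`, `cfg.puid`, `cfg.pgid` and `cfg.timeZone` while the module's own `options = { }` is empty and the options.nix that declared them is deleted in this commit, so these presumably come from defaults inside `lib.${namespace}.mkModule` — worth confirming, since evaluation fails otherwise.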


@@ -1,52 +0,0 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.manyfold = {
enable = mkEnableOption "manyfold docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
httpPort = mkOption {
type = types.str;
default = "3214";
};
name = mkOption {
type = types.str;
default = "manyfold";
};
image = mkOption {
type = types.str;
default = "ghcr.io/manyfold3d/manyfold-solo";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/main/nix-app-data/manyfold";
};
dataPath = mkOption {
type = types.str;
default = "/media/nas/main/3d_printer";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}


@@ -5,148 +5,118 @@
... ...
}: }:
let let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt; name = "matrix";
cfg = config.${namespace}.services.matrix; cfg = config.${namespace}.services.${name};
matrixConfig = { matrixConfig = lib.${namespace}.mkModule {
services.matrix-synapse = { inherit config name;
enable = true; description = "config";
dataDir = cfg.dataDir; options = { };
configureRedisLocally = true; moduleConfig = {
enableRegistrationScript = true; services.matrix-synapse = {
settings = { enable = true;
server_name = "mjallen.dev"; dataDir = "${cfg.configDir}/matrix-synapse";
public_baseurl = "https://matrix.mjallen.dev"; configureRedisLocally = true;
serve_server_wellknown = true; enableRegistrationScript = true;
settings = {
server_name = "mjallen.dev";
public_baseurl = "https://matrix.mjallen.dev";
serve_server_wellknown = true;
listeners = [ listeners = [
{ {
port = cfg.port; port = cfg.port;
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
bind_addresses = [ bind_addresses = [
"::1" "::1"
"0.0.0.0" cfg.listenAddress
]; ];
resources = [ resources = [
{ {
names = [ names = [
"client" "client"
"federation" "federation"
]; ];
compress = false; compress = false;
} }
]; ];
} }
]; ];
oidc_providers = [ oidc_providers = [
{ {
idp_id = "authentik"; idp_id = "authentik";
idp_name = "authentik"; idp_name = "authentik";
discover = true; discover = true;
issuer = "https://authentik.mjallen.dev/application/o/matrix/"; issuer = "https://authentik.mjallen.dev/application/o/matrix/";
client_id = "KiChwyQn2kMtXU6LU0x3dlCb0jO6VB6e9xsN9NPs"; # TO BE FILLED client_id = "KiChwyQn2kMtXU6LU0x3dlCb0jO6VB6e9xsN9NPs"; # TO BE FILLED
client_secret = "6XRfNCUayZqnyaMv0QSEeFz98x2y8BkXnDyylmvAbg71YkQVtpEybP6jmPzncpJsx4k5evtziicgu8p9dOa2oADHL6Ao13643VMTsI4BSel1sbIICA2TH755BpB9J39A"; # TO BE FILLED client_secret = "6XRfNCUayZqnyaMv0QSEeFz98x2y8BkXnDyylmvAbg71YkQVtpEybP6jmPzncpJsx4k5evtziicgu8p9dOa2oADHL6Ao13643VMTsI4BSel1sbIICA2TH755BpB9J39A"; # TO BE FILLED
scopes = [ scopes = [
"openid" "openid"
"profile" "profile"
"email" "email"
]; ];
user_mapping_provider = { user_mapping_provider = {
config = { config = {
localpart_template = "{{ user.preferred_username }}"; localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.preferred_username|capitalize }}"; # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize. display_name_template = "{{ user.preferred_username|capitalize }}"; # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
};
}; };
allow_existing_users = true;
}
];
# Database configuration
database = {
name = "psycopg2";
allow_unsafe_locale = true;
args = {
user = "synapse";
database = "synapse";
host = "localhost";
cp_min = 5;
cp_max = 10;
}; };
allow_existing_users = true;
}
];
# Database configuration
database = {
name = "psycopg2";
allow_unsafe_locale = true;
args = {
user = "synapse";
database = "synapse";
host = "localhost";
cp_min = 5;
cp_max = 10;
}; };
# Registration settings
enable_registration = false; # Set to true initially to create admin user
enable_registration_without_verification = false;
# registration_shared_secret = "BogieDudie1";
# Media settings
max_upload_size = "50M";
media_store_path = "${cfg.dataDir}/media";
# Logging
# log_config = "/var/lib/matrix-synapse/log_config.yaml";
trusted_key_servers = [
{
server_name = "matrix.org";
}
];
}; };
};
# Registration settings users.users.matrix-synapse = {
enable_registration = false; # Set to true initially to create admin user isSystemUser = true;
enable_registration_without_verification = false; group = "matrix-synapse";
# registration_shared_secret = "BogieDudie1"; };
users.groups.matrix-synapse = { };
# Media settings services.postgresql = {
max_upload_size = "50M"; ensureDatabases = [ "synapse" ];
media_store_path = "${cfg.dataDir}/media"; ensureUsers = [
# Logging
# log_config = "/var/lib/matrix-synapse/log_config.yaml";
trusted_key_servers = [
{ {
server_name = "matrix.org"; name = "synapse";
ensureDBOwnership = true;
} }
]; ];
}; };
}; };
users.users.matrix-synapse = {
isSystemUser = true;
group = "matrix-synapse";
};
users.groups.matrix-synapse = { };
services.postgresql = {
enable = lib.mkDefault true;
#authentication = lib.mkOverride 10 ''
# # TYPE DATABASE USER ADDRESS METHOD
# local all all peer
# host all all 127.0.0.1/32 trust
# host all all ::1/128 trust
#'';
ensureDatabases = [ "synapse" ];
ensureUsers = [
{
name = "synapse";
ensureDBOwnership = true;
}
];
};
}; };
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "matrix";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares;
};
fullConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
}
// matrixConfig;
in in
with lib;
{ {
options.${namespace}.services.matrix = { imports = [ matrixConfig ];
enable = mkEnableOption "matrix service";
port = mkOpt types.int 8008 "Port for matrix to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
dataDir = mkOpt types.str "" "Path to the data dir";
reverseProxy = mkReverseProxyOpt;
};
config = lib.mkIf cfg.enable fullConfig;
} }
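Review bot: The `client_secret = "6XRf…"` literal under `oidc_providers` is a live OIDC client credential committed to the repository, and because `settings` is rendered into the homeserver config in the Nix store it will also sit world-readable under `/nix/store` on the host; rotate it in Authentik and supply it out of band, e.g. via `services.matrix-synapse.extraConfigFiles` pointing at a sops-managed file that holds only the `oidc_providers` entry, leaving the `# TO BE FILLED` placeholders empty in this file. The listener replaces `"0.0.0.0"` with `cfg.listenAddress` while keeping `tls = false` and `x_forwarded = true`; whatever that option defaults to, any client that reaches the port directly can spoof `X-Forwarded-For`, so the port must only be reachable from the reverse proxy. The old `reverseProxyConfig`/`services.traefik` wiring that passed the `crowdsec` and `whitelist-geoblock` middlewares is removed here, presumably absorbed by `mkModule` — confirm those middlewares are still attached. `services.postgresql.enable = lib.mkDefault true` is dropped as well, so PostgreSQL must now be enabled elsewhere for `ensureDatabases` to take effect.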


@@ -1,82 +0,0 @@
{ config, lib, namespace, ... }:
let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
cfg = config.${namespace}.services.matrix;
matrixConfig = {
services = {
matrix-conduit = {
enable = true;
settings = {
global = {
server_name = "mjallen.dev";
address = "0.0.0.0";
port = cfg.port;
allow_registration = false;
well_known = {
client = "https://matrix.mjallen.dev";
server = "matrix.mjallen.dev:443";
};
};
};
};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ cfg.port 8448 ];
allowedUDPPorts = [ cfg.port 8448 ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
bindMounts = {
"/var/lib" = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
};
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "matrix";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares;
};
matrixContainer = (lib.${namespace}.mkContainer {
name = "matrix-conduit";
localAddress = cfg.localAddress;
port = cfg.port;
bindMounts = bindMounts;
config = matrixConfig;
}) { inherit lib; };
fullConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
} // matrixContainer;
in
with lib;
{
options.${namespace}.services.matrix = {
enable = mkEnableOption "matrix service";
port = mkOpt types.int 8008 "Port for matrix to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
dataDir = mkOpt types.str "" "Path to the data dir";
reverseProxy = mkReverseProxyOpt;
};
config = lib.mkIf cfg.enable fullConfig;
}


@@ -1,23 +1,36 @@
{ config, ... }: { config, lib, namespace, ... }:
{ let
services.minecraft-server = { name = "minecraft";
enable = false; cfg = config.${namespace}.services.${name};
eula = true;
declarative = true; mincraftConfig = lib.${namespace}.mkModule {
openFirewall = true; inherit config name;
dataDir = "/media/nas/main/ssd_app_data/minecraft"; description = "minecraft server";
serverProperties = { options = { };
enforce-whitelist = true; moduleConfig = {
white-list = true; services.minecraft-server = {
"enable-rcon" = true; enable = true;
"rcon.password" = config.sops.secrets."jallen-nas/admin_password".path; eula = true;
declarative = true;
openFirewall = cfg.openFirewall;
dataDir = "/media/nas/main/ssd_app_data/minecraft"; # todo
serverProperties = {
enforce-whitelist = true;
white-list = true;
"enable-rcon" = true;
"rcon.password" = config.sops.secrets."jallen-nas/admin_password".path;
};
whitelist = {
mjallen18 = "03d9fba9-4453-4ad1-afa6-c67738685189";
AlpineScent = "76ff084d-2e66-4877-aec2-d6b278431bda";
Fortltude = "61a01913-8b10-4d64-b7ce-7958088cd6d3";
SpicyNick = "8bb5976f-6fd9-4fa5-8697-6ecb4ee38427";
};
jvmOpts = "-Xms4092M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
};
}; };
whitelist = {
mjallen18 = "03d9fba9-4453-4ad1-afa6-c67738685189";
AlpineScent = "76ff084d-2e66-4877-aec2-d6b278431bda";
Fortltude = "61a01913-8b10-4d64-b7ce-7958088cd6d3";
SpicyNick = "8bb5976f-6fd9-4fa5-8697-6ecb4ee38427";
};
jvmOpts = "-Xms4092M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
}; };
in
{
imports = [ mincraftConfig ];
} }
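Review bot: `"rcon.password" = config.sops.secrets."jallen-nas/admin_password".path;` sets the RCON password to the secret's path string (something like `/run/secrets/jallen-nas/admin_password`), not its contents, and with `declarative = true` that value is rendered into a world-readable `server.properties` in the Nix store — so RCON is guarded by a guessable constant. NixOS's `serverProperties` has no secret-file mechanism; either drop `"enable-rcon" = true` until the password can be injected at runtime, or write it into `server.properties` from the secret in a pre-start step outside the declarative config. The server is now `enable = true` (it was `false`) with `openFirewall = cfg.openFirewall`, and I believe the upstream module also opens the RCON port when `enable-rcon` is set, which would expose this weak credential beyond localhost — confirm. `dataDir` is still a hard-coded NAS path marked `# todo` rather than `cfg.dataDir` like the sibling modules in this commit.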


@@ -6,26 +6,32 @@
}: }:
with lib; with lib;
let let
cfg = config.${namespace}.services.mongodb; name = "mongodb";
in cfg = config.${namespace}.services.${name};
{
imports = [ ./options.nix ];
config = mkIf cfg.enable { mongodbConfig = lib.${namespace}.mkModule {
virtualisation.oci-containers.containers."${cfg.name}" = { inherit config name;
autoStart = cfg.autoStart; description = "mongodb";
image = cfg.image; options = { };
ports = [ "${cfg.port}:27017" ]; moduleConfig = {
volumes = [ "${cfg.configPath}:/data/db" ]; virtualisation.oci-containers.containers."${cfg.name}" = {
extraOptions = [ "--network-alias=mongo" ]; autoStart = true;
# environmentFiles = cfg.environmentFiles; image = "mongo";
environment = { ports = [ "${cfg.port}:27017" ];
PUID = cfg.puid; volumes = [ "${cfg.configPath}/mongodb:/data/db" ];
PGID = cfg.pgid; extraOptions = [ "--network-alias=mongo" ];
TZ = cfg.timeZone; # environmentFiles = cfg.environmentFiles;
# MONGO_INITDB_ROOT_USERNAME = "";#cfg.databaseUser; environment = {
# MONGO_INITDB_ROOT_PASSWORD = "";#cfg.databasePassword; # get from env file PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
# MONGO_INITDB_ROOT_USERNAME = "";#cfg.databaseUser;
# MONGO_INITDB_ROOT_PASSWORD = "";#cfg.databasePassword; # get from env file
};
}; };
}; };
}; };
in
{
imports = [ mongodbConfig ];
} }
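Review bot: The new body still reads `cfg.name`, `cfg.configPath` and `cfg.port` while `options = { }` is empty and the options.nix that declared them is deleted in this commit, so unless `mkModule` supplies those exact names evaluation will fail; the sibling modules switched to `name`, `cfg.configDir` and `toString cfg.port`, i.e. `containers."${name}"` and `volumes = [ "${cfg.configDir}/mongodb:/data/db" ];`. Separately, the root credentials remain commented out and `ports = [ "${cfg.port}:27017" ]` publishes an unauthenticated database on every host interface — and container port publishing typically bypasses the NixOS firewall rules; bind it to loopback, `"127.0.0.1:${toString cfg.port}:27017"`, or set `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` from a sops `environmentFiles` entry. The `mongo` image is also untagged, so pin at least a major version.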


@@ -1,52 +0,0 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.mongodb = {
enable = mkEnableOption "mongodb docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "27017";
};
name = mkOption {
type = types.str;
default = "mongo";
};
image = mkOption {
type = types.str;
default = "mongo";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/main/mongodb";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
environmentFiles = mkOption {
type = with types; listOf path;
default = [ ];
};
};
}


@@ -6,40 +6,49 @@
}: }:
with lib; with lib;
let let
cfg = config.${namespace}.services.netbootxyz; inherit (lib.${namespace}) mkOpt;
in name = "netbootxyz";
{ cfg = config.${namespace}.services.${name};
imports = [ ./options.nix ];
config = mkIf cfg.enable { netbootxyzConfig = lib.${namespace}.mkModule {
# Open firewall for netbootxyz if enabled inherit config name;
networking.firewall = mkIf cfg.openFirewall { description = "netbootxyz";
allowedTCPPorts = [ options = {
cfg.webPort assetPort = mkOpt types.port 4001 "NGINX server for hosting assets.";
cfg.assetPort
cfg.tftpPort tftpPort = mkOpt types.port 69 "HTTPS port for netbootxyz";
];
allowedUDPPorts = [
cfg.webPort
cfg.assetPort
cfg.tftpPort
];
}; };
moduleConfig = {
# Open firewall for netbootxyz if enabled
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
cfg.assetPort
cfg.tftpPort
];
allowedUDPPorts = [
cfg.assetPort
cfg.tftpPort
];
};
virtualisation.oci-containers = { virtualisation.oci-containers = {
containers.netbootxyz = { containers.netbootxyz = {
autoStart = true; autoStart = true;
image = "ghcr.io/netbootxyz/netbootxyz:latest"; image = "ghcr.io/netbootxyz/netbootxyz:latest";
ports = [ ports = [
"${toString cfg.webPort}:3000" "${toString cfg.port}:3000"
"${toString cfg.assetPort}:80" "${toString cfg.assetPort}:80"
"${toString cfg.tftpPort}:69" "${toString cfg.tftpPort}:69"
]; ];
volumes = [ volumes = [
"${cfg.dataDir}:/config" "${cfg.configDir}/netbootxyz:/config"
"${cfg.assetDir}:/assets" "${cfg.dataDir}/isos:/assets"
]; ];
};
}; };
}; };
}; };
in
{
imports = [ netbootxyzConfig ];
} }
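Review bot: The new `tftpPort` option is described as `"HTTPS port for netbootxyz"`, copied from the deleted options.nix and wrong — it is the TFTP port, and TFTP is UDP-only, so `allowedTCPPorts = [ cfg.assetPort cfg.tftpPort ]` opens a TCP port nothing listens on; use `tftpPort = mkOpt types.port 69 "TFTP port for netbootxyz";` and `allowedTCPPorts = [ cfg.assetPort ]; allowedUDPPorts = [ cfg.tftpPort ];`. The web UI mapped from `cfg.port` is no longer opened in the firewall, which is a sensible default since netboot.xyz's UI has no authentication and edits the boot menus every PXE client will execute; keep it that way or front it with an authenticating proxy. The `:latest` tag is kept on an image that serves the boot chain for the whole network, where a pinned tag or digest matters more than elsewhere.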


@@ -1,43 +0,0 @@
{ lib, namespace, ... }:
with lib;
{
options.${namespace}.services.netbootxyz = {
enable = mkEnableOption "netbootxyz network boot service";
webPort = mkOption {
type = types.port;
default = 4000;
description = "HTTP port for netbootxyz";
};
assetPort = mkOption {
type = types.port;
default = 4001;
description = "NGINX server for hosting assets.";
};
tftpPort = mkOption {
type = types.port;
default = 69;
description = "HTTPS port for netbootxyz";
};
openFirewall = mkOption {
type = types.bool;
default = true;
description = "Whether to open firewall for netbootxyz";
};
dataDir = mkOption {
type = types.str;
default = "/media/nas/main/nix-app-data/netbootxyz";
description = "Data directory for netbootxyz";
};
assetDir = mkOption {
type = types.str;
default = "/media/nas/main/isos";
description = "Asset directory for netbootxyz";
};
};
}


@@ -1,293 +0,0 @@
{
config,
lib,
pkgs,
namespace,
...
}:
with lib;
let
cfg = config.${namespace}.services.nextcloud;
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid;
hostAddress = "10.0.1.3";
localAddress = "10.0.2.18";
nextcloudPortExtHttp = 9988;
nextcloudPortExtHttps = 9943;
onlyofficePortExt = 9943;
nextcloudPhotos = pkgs.${namespace}.nextcloud-app-photos;
nextcloudPdfViewer = pkgs.${namespace}.nextcloud-app-pdfviewer;
nextcloudAssist = pkgs.${namespace}.nextcloud-app-assistant;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.nextcloud = {
autoStart = false;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
specialArgs = {
inherit namespace;
};
bindMounts = {
secrets = {
hostPath = "/run/secrets/jallen-nas/nextcloud";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/nextcloud";
};
secrets2 = {
hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
};
data = {
hostPath = "/media/nas/main/nextcloud";
isReadOnly = false;
mountPoint = "/data";
};
"/var/lib/nextcloud" = {
hostPath = "/media/nas/main/nix-app-data/nextcloud";
isReadOnly = false;
mountPoint = "/var/lib/nextcloud";
};
"/var/lib/onlyoffice" = {
hostPath = "/media/nas/main/nix-app-data/onlyoffice";
isReadOnly = false;
mountPoint = "/var/lib/onlyoffice";
};
};
config =
{
pkgs,
lib,
...
}:
{
nixpkgs.config.allowUnfree = true;
networking.extraHosts = ''
${hostAddress} host.containers protonmail-bridge
'';
# services.nginx.virtualHosts."cloud.mjallen.dev".listen = [
# {
# addr = "0.0.0.0";
# port = 8080;
# }
# ];
services = {
nextcloud = {
enable = false;
package = pkgs.nextcloud32;
# datadir = "/data";
database.createLocally = true;
hostName = "cloud.mjallen.dev";
appstoreEnable = false;
caching.redis = true;
configureRedis = true;
enableImagemagick = true;
https = true;
secretFile = secretsFile;
extraApps = {
inherit (pkgs.nextcloud31Packages.apps)
app_api
bookmarks
mail
calendar
contacts
integration_openai
integration_paperless
maps
oidc_login
onlyoffice
previewgenerator
recognize
richdocuments
user_oidc
;
inherit
nextcloudPhotos
nextcloudPdfViewer
nextcloudAssist
;
};
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "localhost";
dbtype = "sqlite";
dbname = "nextcloud";
dbuser = "nextcloud";
};
settings = {
loglevel = 3;
allow_local_remote_servers = true;
upgrade.disable-web = false;
datadirectory = "/data";
trusted_domains = [
"${hostAddress}:${toString nextcloudPortExtHttp}"
"${hostAddress}:${toString nextcloudPortExtHttps}"
"${localAddress}:80"
"${localAddress}:8080"
"${localAddress}:443"
"cloud.mjallen.dev"
];
opcache.interned_strings_buffer = 16;
trusted_proxies = [ hostAddress ];
maintenance_window_start = 6;
default_phone_region = "US";
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\PNG"
"OC\\Preview\\JPEG"
"OC\\Preview\\GIF"
"OC\\Preview\\BMP"
"OC\\Preview\\XBitmap"
"OC\\Preview\\MP3"
"OC\\Preview\\TXT"
"OC\\Preview\\MarkDown"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\HEIC"
"OC\\Preview\\Movie"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
];
installed = true;
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
social_login_auto_redirect = true;
};
};
};
services.onlyoffice = {
enable = true;
port = onlyofficePortExt;
hostname = "office.mjallen.dev";
jwtSecretFile = jwtSecretFile;
};
# System packages
environment.systemPackages = with pkgs; [
ffmpeg
# libtensorflow-bin
nextcloud32
nodejs
onlyoffice-documentserver
sqlite
];
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
};
users.users.onlyoffice = {
group = lib.mkForce "nextcloud";
};
users.groups = {
nextcloud = {
gid = lib.mkForce nextcloudGroupId;
};
downloads = { };
};
# Create and set permissions for required directories
system.activationScripts.nextcloud-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/onlyoffice-key
chmod -R 775 /data
chmod -R 750 /run/secrets/jallen-nas/nextcloud
chmod -R 750 /run/secrets/jallen-nas/onlyoffice-key
'';
hardware = {
graphics = {
enable = true;
# setLdLibraryPath = true;
};
};
programs = {
nix-ld.enable = true;
};
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
8080
80
443
onlyofficePortExt
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${localAddress}:443";
sourcePort = nextcloudPortExtHttps;
}
# {
# destination = "${localAddress}:80";
# sourcePort = nextcloudPortExtHttp;
# }
{
destination = "${localAddress}:8080";
sourcePort = nextcloudPortExtHttp;
}
{
destination = "${localAddress}:8000";
sourcePort = 8000;
}
{
destination = "${localAddress}:${toString onlyofficePortExt}";
sourcePort = onlyofficePortExt;
}
];
};
};
};
}


@@ -6,29 +6,35 @@
}: }:
with lib; with lib;
let let
cfg = config.${namespace}.services.nextcloud; name = "nextcloud";
in cfg = config.${namespace}.services.${name};
{
imports = [ ./options.nix ];
config = mkIf cfg.enable { nextcloudConfig = lib.${namespace}.mkModule {
virtualisation.oci-containers.containers."${cfg.name}" = { inherit config name;
autoStart = cfg.autoStart; description = "nextcloud";
image = cfg.image; options = { };
ports = [ moduleConfig = {
"${cfg.port}:443" virtualisation.oci-containers.containers."${name}" = {
]; autoStart = true;
volumes = [ image = "lscr.io/linuxserver/nextcloud";
"${cfg.configPath}:/config" ports = [
"${cfg.dataPath}:/data" "${toString cfg.port}:443"
"/run/postgresql:/run/postgresql" ];
]; volumes = [
environmentFiles = [ ]; "${cfg.configDir}/nextcloud:/config"
environment = { "${cfg.dataDir}/nextcloud:/data"
PUID = cfg.puid; "/run/postgresql:/run/postgresql"
PGID = cfg.pgid; ];
TZ = cfg.timeZone; environmentFiles = [ ];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
}; };
}; };
}; };
in
{
imports = [ nextcloudConfig ];
} }
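Review bot: `"/run/postgresql:/run/postgresql"` hands the container the host's PostgreSQL socket, so whatever host uid `cfg.puid` maps to authenticates by peer as that user against every database pg_hba allows it; the commit shows no matching `ensureUsers`/pg_hba entry, so confirm the mapping is limited to a `nextcloud` role and database. `image = "lscr.io/linuxserver/nextcloud"` is untagged (resolves to `latest`), and Nextcloud major upgrades are not reversible, so pin it, e.g. `image = "lscr.io/linuxserver/nextcloud:<version>";`. `environmentFiles = [ ]` is left empty while the deleted native variant sourced the admin password from sops, so the container presumably runs with whatever default bootstrap credentials the image uses; and `"${toString cfg.port}:443"` publishes on all interfaces — if traefik fronts it, bind to loopback or the proxy address instead.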


@@ -1,167 +0,0 @@
{
config,
lib,
pkgs,
namespace,
...
}:
with lib;
let
cfg = config.${namespace}.services.nextcloud;
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid;
hostAddress = "10.0.1.3";
nextcloudPortExtHttp = 9988;
nextcloudPortExtHttps = 9943;
onlyofficePortExt = 9943;
nextcloudPhotos = pkgs.${namespace}.nextcloud-app-photos;
nextcloudPdfViewer = pkgs.${namespace}.nextcloud-app-pdfviewer;
nextcloudAssist = pkgs.${namespace}.nextcloud-app-assistant;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
services.nginx.virtualHosts."cloud.mjallen.dev".listen = [ { addr = "0.0.0.0"; port = nextcloudPortExtHttp; } ];
# Create required users and groups
users.users.nextcloud = {
isSystemUser = lib.mkForce true;
isNormalUser = lib.mkForce false;
group = "nextcloud";
};
users.groups = {
nextcloud = { };
downloads = { };
};
services = {
ocis = {
enable = false;
configDir = "/media/nas/main/nix-app-data/ocis";
address = "0.0.0.0";
port = 9988;
environment = {
OCIS_URL = "https://localhost:9200";
};
};
opencloud = {
enable = false;
url = "https://10.0.1.3:9988";
address = "0.0.0.0";
port = nextcloudPortExtHttp;
stateDir = "/media/nas/main/nix-app-data/opencloud";
};
onlyoffice = {
enable = false;
port = onlyofficePortExt;
hostname = "office.mjallen.dev";
jwtSecretFile = jwtSecretFile;
};
nextcloud = {
enable = true;
package = pkgs.nextcloud32;
home = "/media/nas/main/nix-app-data/nextcloud";
database.createLocally = true;
hostName = "cloud.mjallen.dev";
appstoreEnable = false;
caching.redis = true;
configureRedis = true;
enableImagemagick = true;
https = true;
secretFile = secretsFile;
extraApps = {
inherit (pkgs.nextcloud32Packages.apps)
# app_api
# bookmarks
mail
calendar
contacts
integration_openai
integration_paperless
# maps
# oidc_login
onlyoffice
previewgenerator
# recognize
# richdocuments
user_oidc
;
# inherit
# nextcloudPhotos
# nextcloudPdfViewer
# nextcloudAssist
# ;
};
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "localhost";
dbtype = "pgsql";
dbname = "nextcloud";
dbuser = "nextcloud";
};
settings = {
log_type = "syslog";
syslog_tag = "nextcloud";
logfile = "";
loglevel = 3;
allow_local_remote_servers = true;
upgrade.disable-web = false;
datadirectory = "/media/nas/main/nextcloud";
trusted_domains = [
"${hostAddress}:${toString nextcloudPortExtHttp}"
"${hostAddress}:${toString nextcloudPortExtHttps}"
# "${localAddress}:80"
# "${localAddress}:8080"
# "${localAddress}:443"
"cloud.mjallen.dev"
];
opcache.interned_strings_buffer = 16;
trusted_proxies = [ hostAddress ];
maintenance_window_start = 6;
default_phone_region = "US";
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\PNG"
"OC\\Preview\\JPEG"
"OC\\Preview\\GIF"
"OC\\Preview\\BMP"
"OC\\Preview\\XBitmap"
"OC\\Preview\\MP3"
"OC\\Preview\\TXT"
"OC\\Preview\\MarkDown"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\HEIC"
"OC\\Preview\\Movie"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
];
installed = false;
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
social_login_auto_redirect = true;
};
};
};
};
}


@@ -1,28 +0,0 @@
{ lib, namespace, ... }:
with lib;
let
inherit (lib.${namespace}) mkOpt mkBoolOpt;
in
{
options.${namespace}.services.nextcloud = {
enable = mkEnableOption "enable nextcloud";
autoStart = mkBoolOpt true "autostart container";
port = mkOpt types.str "9988" "https port";
name = mkOpt types.str "nextcloud" "container name";
image = mkOpt types.str "lscr.io/linuxserver/nextcloud" "";
configPath = mkOpt types.str "/media/nas/main/nix-app-data/nextcloud/config" "";
dataPath = mkOpt types.str "/media/nas/main/nextcloud" "";
puid = mkOpt types.str "911" "puid";
pgid = mkOpt types.str "1000" "pgid";
timeZone = mkOpt types.str "America/Chicago" "container tz";
};
}


@@ -6,77 +6,56 @@
}: }:
let let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt; inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
cfg = config.${namespace}.services.ntfy; name = "ntfy";
cfg = config.${namespace}.services.${name};
ntfyConfig = { ntfyConfig = lib.${namespace}.mkModule {
services = { inherit config name;
ntfy-sh = { description = "ntfy";
enable = true; options = { };
# environmentFile = "/run/.env"; moduleConfig = {
settings = { services = {
base-url = "https://${cfg.reverseProxy.subdomain}.mjallen.dev"; ntfy-sh = {
enable-login = true; enable = true;
listen-http = ":${toString cfg.port}"; # environmentFile = "/run/.env";
cache-file = "${cfg.dataDir}/cache.db"; settings = {
attachment-cache-dir = "/${cfg.dataDir}/attachments"; base-url = "https://${cfg.reverseProxy.subdomain}.mjallen.dev";
behind-proxy = true; enable-login = true;
auth-default-access = "deny-all"; listen-http = ":${toString cfg.port}";
auth-file = "${cfg.dataDir}/user.db"; cache-file = "${cfg.dataDir}/ntfy/cache.db";
auth-users = [ attachment-cache-dir = "${cfg.dataDir}/ntfy/attachments";
"mjallen:$2a$10$g4TqI8UiKKVaKTmrwnXIw.wtajiLBM6oc3UCfJ//lPZFilJnBirn.:admin" behind-proxy = true;
]; auth-default-access = "deny-all";
auth-file = "${cfg.dataDir}/ntfy/user.db";
auth-users = [
"mjallen:$2a$10$g4TqI8UiKKVaKTmrwnXIw.wtajiLBM6oc3UCfJ//lPZFilJnBirn.:admin"
];
};
}; };
}; };
};
systemd.services = { systemd.services = {
ntfy-sh = { ntfy-sh = {
serviceConfig = { serviceConfig = {
WorkingDirectory = lib.mkForce cfg.dataDir; WorkingDirectory = lib.mkForce cfg.dataDir;
StateDirectory = lib.mkForce cfg.dataDir; StateDirectory = lib.mkForce cfg.dataDir;
StateDirectoryMode = lib.mkForce 700; StateDirectoryMode = lib.mkForce 700;
DynamicUser = lib.mkForce false; DynamicUser = lib.mkForce false;
ProtectSystem = lib.mkForce null; ProtectSystem = lib.mkForce null;
};
}; };
}; };
};
users.users.ntfy-sh = { users.users.ntfy-sh = {
isSystemUser = true; isSystemUser = true;
group = "ntfy-sh"; group = "ntfy-sh";
home = cfg.dataDir; home = cfg.dataDir;
};
users.groups.ntfy-sh = { };
}; };
users.groups.ntfy-sh = { };
}; };
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "ntfy";
subdomain = cfg.reverseProxy.subdomain;
url = "http://10.0.1.3:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares;
};
fullConfig = {
"${namespace}".services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
}
// ntfyConfig;
in in
with lib; with lib;
{ {
options.${namespace}.services.ntfy = { imports = [ ntfyConfig ];
enable = mkEnableOption "ntfy service";
port = mkOpt types.int 8008 "Port for ntfy to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
dataDir = mkOpt types.str "" "Path to the data dir";
reverseProxy = mkReverseProxyOpt;
};
config = lib.mkIf cfg.enable fullConfig;
} }
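Review bot: `auth-users = [ "mjallen:$2a$10$…:admin" ]` keeps the admin's bcrypt hash in the module source, and `settings` are rendered into a world-readable file in `/nix/store`, leaving it open to offline cracking; the deleted container variant already declared `config.sops.secrets."jallen-nas/ntfy/auth-users"` and the commented `# environmentFile = "/run/.env";` line shows the intended route — set `services.ntfy-sh.environmentFile = config.sops.secrets."jallen-nas/ntfy/auth-users".path;` with `NTFY_AUTH_USERS` inside that file and drop the literal. `StateDirectory = lib.mkForce cfg.dataDir` looks wrong: systemd's `StateDirectory=` takes paths relative to `/var/lib`, and the host previously set `dataDir` to an absolute NAS path, so this would presumably fail at unit load; `WorkingDirectory` plus `ReadWritePaths = [ cfg.dataDir ];` is the usual shape. `ProtectSystem = lib.mkForce null` and `DynamicUser = lib.mkForce false` also strip the upstream sandbox from a service exposed through the reverse proxy; if the NAS path is the only reason, `ReadWritePaths` is the narrower fix.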


@@ -1,94 +0,0 @@
{
config,
lib,
namespace,
...
}:
let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
cfg = config.${namespace}.services.ntfy;
ntfyEnvFile = config.sops.secrets."jallen-nas/ntfy/auth-users".path;
ntfyConfig = {
services = {
ntfy-sh = {
enable = true;
# environmentFile = "/run/.env";
settings = {
base-url = "https://${cfg.reverseProxy.subdomain}.mjallen.dev";
enable-login = true;
listen-http = ":${toString cfg.port}";
cache-file = "/var/lib/ntfy-sh/cache.db";
attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
behind-proxy = true;
auth-default-access = "deny-all";
auth-file = "/var/lib/ntfy-sh/user.db";
auth-users = [
"mjallen:$2a$10$g4TqI8UiKKVaKTmrwnXIw.wtajiLBM6oc3UCfJ//lPZFilJnBirn.:admin"
];
};
};
};
# Create and set permissions for required directories
system.activationScripts.ntfy-dirs = ''
mkdir -p /var/lib/ntfy-sh
chown -R ntfy-sh:ntfy-sh /var/lib/ntfy-sh
chmod -R 775 /var/lib/ntfy-sh
'';
};
bindMounts = {
"/var/lib/ntfy-sh" = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
"/run/.env" = {
hostPath = ntfyEnvFile;
isReadOnly = true;
};
};
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "ntfy";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares;
};
ntfyContainer =
(lib.${namespace}.mkContainer {
name = "ntfy";
localAddress = cfg.localAddress;
ports = [ cfg.port ];
bindMounts = bindMounts;
config = ntfyConfig;
})
{ inherit lib; };
fullConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
}
// ntfyContainer;
in
with lib;
{
options.${namespace}.services.ntfy = {
enable = mkEnableOption "ntfy service";
port = mkOpt types.int 8008 "Port for ntfy to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
dataDir = mkOpt types.str "" "Path to the data dir";
reverseProxy = mkReverseProxyOpt;
};
config = lib.mkIf cfg.enable fullConfig;
}


@@ -102,38 +102,28 @@ in
enable = true; enable = true;
port = 6754; port = 6754;
}; };
manyfold = enabled; manyfold = {
enable = true;
port = 3214;
};
matrix = { matrix = {
enable = true; enable = true;
port = 8448; port = 8448;
localAddress = "10.0.1.3"; reverseProxy.enable = true;
dataDir = "/media/nas/main/nix-app-data/matrix-synapse";
reverseProxy = {
enable = true;
subdomain = "matrix";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
};
}; };
minecraft = disabled;
mongodb = disabled;
netbootxyz = { netbootxyz = {
enable = true; enable = true;
}; };
nextcloud = enabled; nextcloud = {
enable = true;
port = 9988;
};
ntfy = { ntfy = {
enable = true; enable = true;
port = 2586; port = 2586;
localAddress = "10.0.1.3"; reverseProxy.enable = true;
dataDir = "/media/nas/main/nix-app-data/ntfy";
reverseProxy = {
enable = true;
subdomain = "ntfy";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
};
}; };
ocis = disabled; ocis = disabled;
onlyoffice = disabled; onlyoffice = disabled;