This commit is contained in:
mjallen18
2026-03-16 16:41:46 -05:00
parent 742e1703d8
commit 7538f734f1
19 changed files with 259 additions and 851 deletions


@@ -28,6 +28,10 @@ in
port = 9012;
listenAddress = "[::]";
environmentFile = "/run/secrets/jallen-nas/attic-key";
reverseProxy = {
enable = true;
subdomain = "cache";
};
};
authentik = {
enable = true;
@@ -73,6 +77,10 @@ in
collabora = {
enable = true;
port = 9980;
reverseProxy = {
enable = true;
subdomain = "office";
};
};
crowdsec = {
enable = true;
@@ -220,8 +228,8 @@ in
termix = {
enable = true;
port = 7777;
reverseProxy = enabled;
};
traefik = disabled;
unmanic = {
enable = true;
port = 8265;
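Review bot: The new reverseProxy block for attic in the first hunk sits beside `listenAddress = "[::]";`, and 9012 is still listed in allowedTCPPorts in the firewall file of this same commit, so the cache remains directly reachable on every interface and the proxied path (and anything enforced in front of it) can be bypassed. Unless the reverseProxy option rebinds the listener itself, I would pair it with `listenAddress = "[::1]";` or drop 9012 from the firewall list so only the proxy is exposed; the same question applies to collabora in the second hunk, whose listen address is not in the hunk. In the third hunk the rendered page does not show which of `reverseProxy = enabled;` and `traefik = disabled;` is the added line, so I cannot tell whether termix is now proxied or whether a traefik knob is being removed here as it is elsewhere in the commit.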


@@ -36,6 +36,8 @@ in
# # Desktop # #
# ###################################################
# COSMIC is enabled for occasional local display access.
# headless.enable only disables watchdog/emergency mode, not the display server.
desktop.cosmic = enabled;
# ###################################################
@@ -69,7 +71,7 @@ in
};
};
headless.enable = true;
headless.enable = false;
# ###################################################
# # Impermanence # #
@@ -96,12 +98,7 @@ in
group = "nextcloud";
mode = "u=rwx,g=rwx,o=rx";
}
{
directory = "/plugins-storage";
user = "traefik";
group = "traefik";
mode = "u=rwx,g=rwx,o=rx";
}
];
};
@@ -135,22 +132,22 @@ in
allowPing = true;
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = [
80
443
8080
80 # http
443 # https
8080 # traefik dashboard
8008 # restic
9000 # authentik
2342 # grafana
51820 # wireguard
1025
1143
10200
1025 # smtp (protonmail bridge)
1143 # imap (protonmail bridge)
10200 # nebula
10300
8127
8127 # llama.cpp server
8280
9943 # onlyoffice
4000 # netbootxyz
4080 # netbootxyz
4000 # netbootxyz tftp/http
4080 # netbootxyz web
3000 # gitea
2222 # gitea ssh
3300
@@ -161,27 +158,31 @@ in
9012
9988
8192
3000
2222
8181
5432
8181 # crowdsec
3001
3333
5201 # iperf
8400
9200
9200 # elasticsearch / attic
9233
9980
47984
47989
47990
47998
47999
48000
48010
3493 # nut
47984 # sunshine (tcp: control)
47989 # sunshine (tcp: https)
47990 # sunshine (tcp: web)
47998 # sunshine (tcp: video)
47999 # sunshine (tcp: control)
48000 # sunshine (tcp: video)
48010 # sunshine (tcp: rtsp)
3493 # nut upsd
# removed: 5432 (postgres — internal only, not for external UDP/TCP)
];
allowedUDPPorts = [
51820 # wireguard
5201 # iperf
47998 # sunshine (udp: video)
47999 # sunshine (udp: control)
48000 # sunshine (udp: video)
];
allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
};
};
@@ -264,7 +265,6 @@ in
"nix-apps"
"jallen-nas"
"grafana"
"traefik"
"62900"
"1001"
];
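Review bot: `8080 # traefik dashboard` in the allowedTCPPorts hunk keeps a firewall opening for a service this same commit removes everywhere else (the `"traefik"` entry dropped in the last hunk of this file, the traefik directory removed in the Impermanence hunk, and the traefik line dropped in the third file), so 8080 becomes an unowned hole that whatever next binds that port will inherit; drop it unless another service is meant to take the port. The annotation `9200 # elasticsearch / attic` disagrees with the first file, where attic listens on 9012 (already listed on its own), so `9200 # elasticsearch` would stop 9200 being kept open on attic's account. The Sunshine labels also look off: Sunshine's documented TCP ports are 47984 (HTTPS), 47989 (HTTP), 47990 (web UI) and 48010 (RTSP), while 47998/47999/48000 are UDP (video/control/audio), so the three TCP entries for 47998–48000 appear to be superfluous openings and the UDP comment for 48000 should say audio — confirm against the sunshine module before trimming. Replacing `allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;` with an explicit UDP list is a genuine reduction of exposed surface and is the right direction for the rest of this list.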


@@ -57,7 +57,6 @@ in
restic = mkForce disabled;
sunshine = mkForce disabled;
tdarr = mkForce disabled;
traefik = mkForce disabled;
unmanic = mkForce disabled;
uptime-kuma = mkForce disabled;
wyoming = mkForce disabled;


@@ -256,6 +256,16 @@ in
"jallen-nas/ntfy/auth-users" = {
sopsFile = defaultSops;
};
# ------------------------------
# authentik-rac
# NOTE: add to nas-secrets.yaml via `sops secrets/nas-secrets.yaml`:
# jallen-nas/authentik-rac/token: <authentik RAC outpost token>
# ------------------------------
"jallen-nas/authentik-rac/token" = {
sopsFile = defaultSops;
restartUnits = [ "podman-authenticRac.service" ];
};
};
# ------------------------------
@@ -278,6 +288,14 @@ in
restartUnits = [ "podman-free-games-claimer.service" ];
};
"authentik-rac.env" = {
content = ''
AUTHENTIK_TOKEN=${config.sops.placeholder."jallen-nas/authentik-rac/token"}
'';
mode = "0600";
restartUnits = [ "podman-authenticRac.service" ];
};
"paperless.env" = {
content = ''
PAPERLESS_ADMIN_USER = "mjallen"