mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

idk hard broken

Browse Source
This commit is contained in:
mjallen18
2025-10-08 15:43:51 -05:00
parent 02b5dd32a2
commit 8677ca747a
14 changed files with 740 additions and 574 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
flake.lock generated
View File

@@ -884,11 +884,11 @@
"nixpkgs": "nixpkgs_11" "nixpkgs": "nixpkgs_11"
}, },
"locked": { "locked": {
"lastModified": 1756774688, "lastModified": 1759767678,
"narHash": "sha256-st5xUV4Fj4Px5MOvQdF26TZRPzxz47wgRvDjSwiDDso=", "narHash": "sha256-+h+Go9D4tw1B9zRWmg84z8x+5p2maEfBwP9+XlzESBg=",
"owner": "mjallen18", "owner": "mjallen18",
"repo": "nixos-raspberrypi", "repo": "nixos-raspberrypi",
"rev": "aeb17b185bb65a3fa1ef6803ead393e9e10d1f46", "rev": "fcbfe3aa574abbaddb9aef972da162cbe30703f7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -994,11 +994,11 @@
}, },
"nixpkgs_11": { "nixpkgs_11": {
"locked": { "locked": {
"lastModified": 1756515621, "lastModified": 1758583444,
"narHash": "sha256-cYPwtXNlQ18FBuMVJ4RltuCym2Acy/6O+i/fJ4UnEn8=", "narHash": "sha256-OnYthHIsVIMrZDWtCEp6Zde8ZtMcEBnpyCIdtTKU7bo=",
"owner": "nvmd", "owner": "nvmd",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b143badd3dea297d6ba0dc93397c0ebc2838c508", "rev": "d8551a2038e21091fce8157e070bdb25dca0a94f",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
flake.nix
View File

@@ -213,6 +213,7 @@
nixos-raspberrypi.nixosModules.raspberry-pi-5.base nixos-raspberrypi.nixosModules.raspberry-pi-5.base
nixos-raspberrypi.nixosModules.raspberry-pi-5.display-vc4 nixos-raspberrypi.nixosModules.raspberry-pi-5.display-vc4
nixos-raspberrypi.nixosModules.raspberry-pi-5.bluetooth nixos-raspberrypi.nixosModules.raspberry-pi-5.bluetooth
nixos-raspberrypi.nixosModules.raspberry-pi-5.page-size-16k
nixos-raspberrypi.nixosModules.nixpkgs-rpi nixos-raspberrypi.nixosModules.nixpkgs-rpi
nixos-raspberrypi.nixosModules.trusted-nix-caches nixos-raspberrypi.nixosModules.trusted-nix-caches
nixos-raspberrypi.lib.inject-overlays nixos-raspberrypi.lib.inject-overlays

2
modules/nixos/programs/default.nix
View File

@@ -62,7 +62,7 @@
libgbm libgbm
]; ];
}; };
seahorse.enable = lib.mkDefault true; seahorse.enable = lib.mkDefault false;
}; };
environment = { environment = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [

99
modules/nixos/services/actual/default.nix
View File

@@ -13,62 +13,61 @@ let
actualUserId = config.users.users.nix-apps.uid; actualUserId = config.users.users.nix-apps.uid;
actualGroupId = config.users.groups.jallen-nas.gid; actualGroupId = config.users.groups.jallen-nas.gid;
actualConfig = actualConfig = {
{ lib, ... }: services.actual = {
{ enable = true;
services.actual = { openFirewall = true;
enable = true; settings = {
openFirewall = true; trustedProxies = [ hostAddress ];
settings = { port = cfg.port;
trustedProxies = [ hostAddress ]; dataDir = dataDir;
port = cfg.port; serverFiles = "${dataDir}/server-files";
dataDir = dataDir; userFiles = "${dataDir}/user-files";
serverFiles = "${dataDir}/server-files";
userFiles = "${dataDir}/user-files";
};
}; };
};
};
users.users.actual = { users.users.actual = {
isSystemUser = true; isSystemUser = true;
uid = lib.mkForce actualUserId; uid = lib.mkForce actualUserId;
group = "actual"; group = "actual";
}; };
users.groups = { users.groups = {
actual = { actual = {
gid = lib.mkForce actualGroupId; gid = lib.mkForce actualGroupId;
};
};
# System packages
environment.systemPackages = with pkgs; [
sqlite
];
# Create and set permissions for required directories
system.activationScripts.actual-dirs = ''
mkdir -p ${dataDir}
chown -R actual:actual ${dataDir}
chmod -R 0700 ${dataDir}
'';
systemd.services = {
actual = {
environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
serviceConfig = {
ExecStart = lib.mkForce "${lib.getExe pkgs.actual-server} --config ${dataDir}/config.json";
WorkingDirectory = lib.mkForce dataDir;
StateDirectory = lib.mkForce dataDir;
StateDirectoryMode = lib.mkForce 700;
DynamicUser = lib.mkForce false;
ProtectSystem = lib.mkForce null;
};
};
}; };
}; };
# System packages
environment.systemPackages = with pkgs; [
sqlite
];
# Create and set permissions for required directories
system.activationScripts.actual-dirs = ''
mkdir -p ${dataDir}
chown -R actual:actual ${dataDir}
chmod -R 0700 ${dataDir}
'';
systemd.services = {
actual = {
environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
serviceConfig = {
ExecStart = lib.mkForce "${lib.getExe pkgs.actual-server} --config ${dataDir}/config.json";
WorkingDirectory = lib.mkForce dataDir;
StateDirectory = lib.mkForce dataDir;
StateDirectoryMode = lib.mkForce 700;
DynamicUser = lib.mkForce false;
ProtectSystem = lib.mkForce null;
};
};
};
};
bindMounts = { bindMounts = {
${dataDir} = { "${dataDir}" = {
hostPath = cfg.dataDir; hostPath = cfg.dataDir;
isReadOnly = false; isReadOnly = false;
}; };
@@ -93,7 +92,7 @@ let
{ inherit lib; }; { inherit lib; };
fullConfig = { fullConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable { "${namespace}".services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ]; reverseProxies = [ reverseProxyConfig ];
}; };
} }

272
modules/nixos/services/arrs/default.nix Executable file → Normal file
View File

@@ -8,250 +8,56 @@
with lib; with lib;
let let
cfg = config.${namespace}.services.arrs; cfg = config.${namespace}.services.arrs;
radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads";
incompleteDir = "/downloads-incomplete";
sonarrDataDir = "/var/lib/sonarr";
sabnzbdConfig = "/var/lib/sabnzbd";
jackettDir = "/var/lib/jackett/.config/Jackett";
mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid;
radarrPkg = pkgs.radarr;
sonarrPkg = pkgs.sonarr;
delugePkg = pkgs.deluge;
jackettPkg = pkgs.jackett;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf cfg.enable { config = mkIf cfg.enable {
containers.arrs = { # Enable radarr service
autoStart = true; services.radarr = {
privateNetwork = true; enable = cfg.radarr.enable;
hostAddress = "10.0.1.3"; openFirewall = true;
localAddress = cfg.localAddress; user = "nix-apps";
group = "jallen-nas";
dataDir = cfg.radarr.dataDir;
};
config = # Enable Sonarr service
{ services.sonarr = {
pkgs, enable = cfg.sonarr.enable;
lib, openFirewall = true;
... user = "nix-apps";
}: group = "jallen-nas";
{ dataDir = cfg.sonarr.dataDir;
nixpkgs.config = { };
allowUnfree = lib.mkForce true;
allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"unrar"
];
};
# Enable radarr service # Enable Sabnzbd service
services.radarr = { services.sabnzbd = {
enable = cfg.radarr.enable; enable = cfg.sabnzbd.enable;
openFirewall = true; # openFirewall = true;
user = "arrs"; user = "nix-apps";
group = "media"; group = "jallen-nas";
dataDir = radarrDataDir; configFile = "${cfg.sabnzbd.dataDir}/sabnzbd.ini";
package = radarrPkg; };
};
# Enable Sonarr service services.deluge = {
services.sonarr = { enable = cfg.deluge.enable;
enable = cfg.sonarr.enable; user = "nix-apps";
openFirewall = true; group = "jallen-nas";
user = "arrs"; openFirewall = true;
group = "media"; dataDir = "/media/nas/main";
dataDir = sonarrDataDir; web = {
package = sonarrPkg; enable = true;
}; port = cfg.deluge.port;
openFirewall = true;
# Enable Sabnzbd service
services.sabnzbd = {
enable = cfg.sabnzbd.enable;
openFirewall = true;
user = "arrs";
group = "media";
configFile = "${sabnzbdConfig}/sabnzbd.ini";
package = pkgs.sabnzbd;
};
services.deluge = {
enable = cfg.deluge.enable;
user = "arrs";
group = "media";
openFirewall = true;
dataDir = "/media";
package = delugePkg;
web = {
enable = true;
port = cfg.deluge.port;
openFirewall = true;
};
};
services.jackett = {
enable = cfg.jackett.enable;
user = "arrs";
group = "media";
openFirewall = true;
package = jackettPkg;
};
# Create required users and groups
users.users.arrs = {
isSystemUser = true;
uid = lib.mkForce arrUserId;
group = "media";
extraGroups = [ "downloads" ];
};
users.groups = {
media = {
gid = lib.mkForce arrGroupId;
};
downloads = { };
};
# System packages
environment.systemPackages = with pkgs; [
glib
sqlite
mono
mediainfo
protonvpn-cli_2
];
# Create and set permissions for required directories
system.activationScripts.arr-dirs = ''
mkdir -p ${radarrDataDir}
mkdir -p ${sonarrDataDir}
mkdir -p ${sabnzbdConfig}
mkdir -p ${downloadDir}
mkdir -p ${incompleteDir}
mkdir -p ${mediaDir}
chown -R arrs:media ${radarrDataDir}
chown -R arrs:media ${sonarrDataDir}
chown -R arrs:media ${sabnzbdConfig}
chown -R arrs:media ${downloadDir}
chown -R arrs:media ${incompleteDir}
chown -R arrs:media ${mediaDir}
chmod -R 775 ${radarrDataDir}
chmod -R 775 ${sonarrDataDir}
chmod -R 775 ${sabnzbdConfig}
chmod -R 775 ${downloadDir}
chmod -R 775 ${incompleteDir}
chmod -R 775 ${mediaDir}
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
cfg.radarr.port
cfg.sonarr.port
cfg.sabnzbd.port
8080
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
"${radarrDataDir}" = {
hostPath = cfg.radarr.dataDir;
isReadOnly = false;
};
"${sonarrDataDir}" = {
hostPath = cfg.sonarr.dataDir;
isReadOnly = false;
};
"${sabnzbdConfig}" = {
hostPath = cfg.sabnzbd.dataDir;
isReadOnly = false;
};
"${downloadDir}" = {
hostPath = cfg.downloadsDir;
isReadOnly = false;
};
"${incompleteDir}" = {
hostPath = cfg.incompleteDownloadsDir;
isReadOnly = false;
};
"${jackettDir}" = {
hostPath = cfg.jackett.dataDir;
isReadOnly = false;
};
"/media/movies" = {
hostPath = cfg.moviesDir;
isReadOnly = false;
};
"/media/tv" = {
hostPath = cfg.tvDir;
isReadOnly = false;
};
"/media/isos" = {
hostPath = cfg.isosDir;
isReadOnly = false;
};
}; };
}; };
networking = { services.jackett = {
nat = { enable = cfg.jackett.enable;
forwardPorts = [ user = "nix-apps";
{ group = "jallen-nas";
destination = "${cfg.localAddress}:${toString cfg.radarr.port}"; openFirewall = true;
sourcePort = cfg.radarr.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.sonarr.port}";
sourcePort = cfg.sonarr.port;
}
{
destination = "${cfg.localAddress}:8080";
sourcePort = cfg.sabnzbd.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.deluge.port}";
sourcePort = cfg.deluge.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.jackett.port}";
sourcePort = cfg.jackett.port;
}
];
};
firewall = {
allowedTCPPorts = [
cfg.radarr.port
cfg.sonarr.port
cfg.sabnzbd.port
8080
cfg.deluge.port
cfg.jackett.port
];
allowedUDPPorts = [
cfg.radarr.port
cfg.sonarr.port
cfg.sabnzbd.port
8080
cfg.deluge.port
cfg.jackett.port
];
};
}; };
}; };
} }

261
modules/nixos/services/arrs/default.nix.container Executable file
View File

@@ -0,0 +1,261 @@
{
config,
pkgs,
lib,
namespace,
...
}:
with lib;
let
cfg = config.${namespace}.services.arrs;
radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads";
incompleteDir = "/downloads-incomplete";
sonarrDataDir = "/var/lib/sonarr";
sabnzbdConfig = "/var/lib/sabnzbd";
jackettDir = "/var/lib/jackett/.config/Jackett";
mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid;
radarrPkg = pkgs.radarr;
sonarrPkg = pkgs.sonarr;
delugePkg = pkgs.deluge;
jackettPkg = pkgs.jackett;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.arrs = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.3";
localAddress = cfg.localAddress;
config =
{
pkgs,
lib,
...
}:
{
nixpkgs.config = {
allowUnfree = lib.mkForce true;
allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"unrar"
];
};
# Enable radarr service
services.radarr = {
enable = cfg.radarr.enable;
openFirewall = true;
user = "arrs";
group = "media";
dataDir = radarrDataDir;
package = radarrPkg;
};
# Enable Sonarr service
services.sonarr = {
enable = cfg.sonarr.enable;
openFirewall = true;
user = "arrs";
group = "media";
dataDir = sonarrDataDir;
package = sonarrPkg;
};
# Enable Sabnzbd service
services.sabnzbd = {
enable = cfg.sabnzbd.enable;
openFirewall = true;
user = "arrs";
group = "media";
configFile = "${sabnzbdConfig}/sabnzbd.ini";
package = pkgs.sabnzbd;
};
services.deluge = {
enable = cfg.deluge.enable;
user = "arrs";
group = "media";
openFirewall = true;
dataDir = "/media";
package = delugePkg;
web = {
enable = true;
port = cfg.deluge.port;
openFirewall = true;
};
};
services.jackett = {
enable = cfg.jackett.enable;
user = "arrs";
group = "media";
openFirewall = true;
package = jackettPkg;
};
# Create required users and groups
users.users.arrs = {
isSystemUser = true;
uid = lib.mkForce arrUserId;
group = "media";
extraGroups = [ "downloads" ];
};
users.groups = {
media = {
gid = lib.mkForce arrGroupId;
};
downloads = { };
};
# System packages
environment.systemPackages = with pkgs; [
glib
sqlite
mono
mediainfo
protonvpn-cli_2
];
# Create and set permissions for required directories
system.activationScripts.arr-dirs = ''
mkdir -p ${radarrDataDir}
mkdir -p ${sonarrDataDir}
mkdir -p ${sabnzbdConfig}
mkdir -p ${downloadDir}
mkdir -p ${incompleteDir}
mkdir -p ${mediaDir}
chown -R arrs:media ${radarrDataDir}
chown -R arrs:media ${sonarrDataDir}
chown -R arrs:media ${sabnzbdConfig}
chown -R arrs:media ${downloadDir}
chown -R arrs:media ${incompleteDir}
chown -R arrs:media ${mediaDir}
chmod -R 775 ${radarrDataDir}
chmod -R 775 ${sonarrDataDir}
chmod -R 775 ${sabnzbdConfig}
chmod -R 775 ${downloadDir}
chmod -R 775 ${incompleteDir}
chmod -R 775 ${mediaDir}
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
cfg.radarr.port
cfg.sonarr.port
cfg.sabnzbd.port
8080
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
"/etc/resolv.conf" = {
hostPath = "/etc/resolv.conf";
isReadOnly = true;
};
"${radarrDataDir}" = {
hostPath = cfg.radarr.dataDir;
isReadOnly = false;
};
"${sonarrDataDir}" = {
hostPath = cfg.sonarr.dataDir;
isReadOnly = false;
};
"${sabnzbdConfig}" = {
hostPath = cfg.sabnzbd.dataDir;
isReadOnly = false;
};
"${downloadDir}" = {
hostPath = cfg.downloadsDir;
isReadOnly = false;
};
"${incompleteDir}" = {
hostPath = cfg.incompleteDownloadsDir;
isReadOnly = false;
};
"${jackettDir}" = {
hostPath = cfg.jackett.dataDir;
isReadOnly = false;
};
"/media/movies" = {
hostPath = cfg.moviesDir;
isReadOnly = false;
};
"/media/tv" = {
hostPath = cfg.tvDir;
isReadOnly = false;
};
"/media/isos" = {
hostPath = cfg.isosDir;
isReadOnly = false;
};
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${cfg.localAddress}:${toString cfg.radarr.port}";
sourcePort = cfg.radarr.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.sonarr.port}";
sourcePort = cfg.sonarr.port;
}
{
destination = "${cfg.localAddress}:8080";
sourcePort = cfg.sabnzbd.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.deluge.port}";
sourcePort = cfg.deluge.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.jackett.port}";
sourcePort = cfg.jackett.port;
}
];
};
firewall = {
allowedTCPPorts = [
cfg.radarr.port
cfg.sonarr.port
cfg.sabnzbd.port
8080
cfg.deluge.port
cfg.jackett.port
];
allowedUDPPorts = [
cfg.radarr.port
cfg.sonarr.port
cfg.sabnzbd.port
8080
cfg.deluge.port
cfg.jackett.port
];
};
};
};
}

112
modules/nixos/services/gitea/default.nix
View File

@@ -8,69 +8,9 @@ with lib;
let let
cfg = config.${namespace}.services.gitea; cfg = config.${namespace}.services.gitea;
rootUrl = "https://gitea.mjallen.dev/"; rootUrl = "https://gitea.mjallen.dev/";
dataDir = "/var/lib/gitea";
secretsDir = "/run/secrets/jallen-nas/gitea";
mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path; mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path; metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
serviceConfig =
{ ... }:
{
services.gitea = {
enable = true;
stateDir = dataDir;
mailerPasswordFile = mailerPasswordFile;
metricsTokenFile = metricsTokenFile;
settings = {
server = {
DOMAIN = "jallen-nas";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = cfg.httpPort;
PROTOCOL = "http";
ROOT_URL = rootUrl;
START_SSH_SERVER = true;
SSH_PORT = cfg.sshPort;
};
service = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_CAPTCHA = false;
DISABLE_REGISTRATION = true;
ENABLE_OPENID_SIGNIN = false;
ENABLE_LDAP_SIGNIN = false;
ENABLE_SSH_SIGNIN = true;
ENABLE_BUILTIN_SSH_SERVER = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
};
};
};
users.users.gitea = {
extraGroups = [ "keys" ];
};
# Create and set permissions for required directories
system.activationScripts.gitea-dirs = ''
mkdir -p /var/lib/gitea
chown -R gitea:gitea /var/lib/gitea
chmod -R 775 /var/lib/gitea
mkdir -p /run/secrets/jallen-nas
chown -R gitea:gitea /run/secrets/jallen-nas
chmod -R 775 /run/secrets/jallen-nas
'';
};
bindMounts = {
${dataDir} = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
secrets = {
hostPath = secretsDir;
isReadOnly = true;
mountPoint = secretsDir;
};
};
# Create reverse proxy configuration using mkReverseProxy # Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy { reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "gitea"; name = "gitea";
@@ -79,27 +19,43 @@ let
middlewares = cfg.reverseProxy.middlewares; middlewares = cfg.reverseProxy.middlewares;
}; };
containerConfig = traefik = {
(lib.${namespace}.mkContainer { "${namespace}".services.traefik = lib.mkIf cfg.reverseProxy.enable {
name = "gitea";
localAddress = cfg.localAddress;
ports = [
cfg.httpPort
cfg.sshPort
];
bindMounts = bindMounts;
config = serviceConfig;
})
{ inherit lib; };
giteaConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ]; reverseProxies = [ reverseProxyConfig ];
}; };
} };
// containerConfig;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf cfg.enable giteaConfig; config = mkIf cfg.enable {
services.gitea = {
enable = true;
stateDir = cfg.dataDir;
user = "nix-apps";
group = "jallen-nas";
mailerPasswordFile = mailerPasswordFile;
metricsTokenFile = metricsTokenFile;
settings = {
server = {
DOMAIN = "jallen-nas";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = cfg.httpPort;
PROTOCOL = "http";
ROOT_URL = rootUrl;
START_SSH_SERVER = true;
SSH_PORT = cfg.sshPort;
};
service = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_CAPTCHA = false;
DISABLE_REGISTRATION = true;
ENABLE_OPENID_SIGNIN = false;
ENABLE_LDAP_SIGNIN = false;
ENABLE_SSH_SIGNIN = true;
ENABLE_BUILTIN_SSH_SERVER = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
};
};
};
} // traefik;
} }

116
modules/nixos/services/gitea/default.nix.container Normal file
View File

@@ -0,0 +1,116 @@
{
config,
lib,
namespace,
...
}:
with lib;
let
cfg = config.${namespace}.services.gitea;
rootUrl = "https://gitea.mjallen.dev/";
dataDir = "/var/lib/gitea";
secretsDir = "/run/secrets/jallen-nas/gitea";
mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
giteaUid = config.users.users.nix-apps.uid;
giteaGid = config.users.groups.jallen-nas.gid;
serviceConfig = {
services.gitea = {
enable = true;
stateDir = dataDir;
mailerPasswordFile = mailerPasswordFile;
metricsTokenFile = metricsTokenFile;
settings = {
server = {
DOMAIN = "jallen-nas";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = cfg.httpPort;
PROTOCOL = "http";
ROOT_URL = rootUrl;
START_SSH_SERVER = true;
SSH_PORT = cfg.sshPort;
};
service = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_CAPTCHA = false;
DISABLE_REGISTRATION = true;
ENABLE_OPENID_SIGNIN = false;
ENABLE_LDAP_SIGNIN = false;
ENABLE_SSH_SIGNIN = true;
ENABLE_BUILTIN_SSH_SERVER = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
};
};
};
users = {
users.gitea = {
isSystemUser = true;
isNormalUser = false;
uid = lib.mkForce giteaUid;
group = "gitea";
extraGroups = [ "keys" ];
};
groups = {
gitea = {
gid = lib.mkForce giteaGid;
};
};
};
# Create and set permissions for required directories
system.activationScripts.gitea-dirs = ''
mkdir -p /var/lib/gitea
chown -R gitea:gitea /var/lib/gitea
chmod -R 775 /var/lib/gitea
mkdir -p /run/secrets/jallen-nas
chown -R gitea:gitea /run/secrets/jallen-nas
chmod -R 775 /run/secrets/jallen-nas
'';
};
bindMounts = {
"${dataDir}" = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
secrets = {
hostPath = secretsDir;
isReadOnly = true;
mountPoint = secretsDir;
};
};
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "gitea";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.httpPort}";
middlewares = cfg.reverseProxy.middlewares;
};
containerConfig =
(lib.${namespace}.mkContainer {
name = "gitea";
localAddress = cfg.localAddress;
ports = [
cfg.httpPort
cfg.sshPort
];
bindMounts = bindMounts;
config = serviceConfig;
})
{ inherit lib; };
giteaConfig = {
"${namespace}".services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
}
// containerConfig;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable giteaConfig;
}

17
modules/nixos/services/traefik/default.nix
View File

@@ -297,6 +297,12 @@ in
} }
]; ];
gitea.loadBalancer.servers = [
{
url = "http://10.0.1.3:3000";
}
];
authentik.loadBalancer.servers = [ authentik.loadBalancer.servers = [
{ {
url = authentikUrl; url = authentikUrl;
@@ -369,6 +375,17 @@ in
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.${domain}`)";
service = "gitea";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
authentik = { authentik = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`authentik.${domain}`)"; rule = "Host(`authentik.${domain}`)";

5
overlays/rcon/default.nix Normal file
View File

@@ -0,0 +1,5 @@
{ inputs, ... }:
final: _prev: {
# rcon = inputs.nixpkgs-stable.legacyPackages."x86_64-linux".rcon;
# llama-cpp = inputs.nixpkgs-stable.legacyPackages."x86_64-linux".llama-cpp;
}

396
secrets/nas-secrets.yaml
View File

File diff suppressed because one or more lines are too long

4
systems/x86_64-linux/jallen-nas/boot.nix
View File

@@ -5,7 +5,7 @@
... ...
}: }:
let let
kernel = pkgs.linuxPackages; kernel = pkgs.linuxPackages_latest;
in in
{ {
# Configure bootloader with lanzaboot and secureboot # Configure bootloader with lanzaboot and secureboot
@@ -19,7 +19,7 @@ in
clevis = { clevis = {
enable = false; enable = false;
devices = { devices = {
"/dev/disk/by-label/nas_pool".secretFile = config.sops.secrets."jallen-nas/nas_pool".path; "/dev/disk/by-label/nas_pool".secretFile = "/etc/clevis/nas_pool.jwe";
}; };
}; };
}; };

16
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -21,7 +21,7 @@ in
./sops.nix ./sops.nix
]; ];
services.kmscon.enable = true; services.kmscon.enable = false;
powerManagement.cpuFreqGovernor = "powersave"; powerManagement.cpuFreqGovernor = "powersave";
@@ -36,7 +36,7 @@ in
# # Desktop # # # # Desktop # #
# ################################################### # ###################################################
desktop.cosmic = disabled; desktop.cosmic = enabled;
# ################################################### # ###################################################
# # Development # # # # Development # #
@@ -58,8 +58,8 @@ in
hardware = { hardware = {
disko = { disko = {
enable = true; enable = true;
enableSwap = true; enableSwap = false;
enableLuks = false; enableLuks = true;
}; };
amd = { amd = {
@@ -134,7 +134,7 @@ in
10200 10200
10300 10300
8127 8127
6060 8280
9943 # onlyoffice 9943 # onlyoffice
4000 # netbootxyz 4000 # netbootxyz
4080 # netbootxyz 4080 # netbootxyz
@@ -148,6 +148,8 @@ in
9012 9012
8192 8192
3000
2222
]; ];
allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts; allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
}; };
@@ -245,13 +247,15 @@ in
fsType = "bcachefs"; fsType = "bcachefs";
mountPoint = "/media/nas/main"; mountPoint = "/media/nas/main";
options = [ options = [
"noauto" # "noauto"
"nofail" "nofail"
# "x-systemd.mount-timeout=0" # "x-systemd.mount-timeout=0"
# "x-systemd.device-timeout=0" # "x-systemd.device-timeout=0"
]; ];
}; };
boot.initrd.luks.devices.cryptroot.device = "/dev/disk/by-partlabel/disk-main-jallen-nas-cryptroot";
boot.initrd.systemd.services."unlock-bcachefs-media-nas-main".enable = false; boot.initrd.systemd.services."unlock-bcachefs-media-nas-main".enable = false;
systemd.services."unlock-bcachefs-media-nas-main".enable = false; systemd.services."unlock-bcachefs-media-nas-main".enable = false;

1
systems/x86_64-linux/jallen-nas/users.nix
View File

@@ -21,6 +21,7 @@ in
"jallen-nas" "jallen-nas"
"docker" "docker"
"podman" "podman"
"keys"
]; ];
hashedPasswordFile = passwordFile; hashedPasswordFile = passwordFile;
}; };