mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

cleanup

Browse Source
This commit is contained in:
mjallen18
2025-06-13 10:44:00 -05:00
parent ab2a1e000c
commit 888167afc2
18 changed files with 958 additions and 563 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
flake.lock generated
View File

@@ -19,16 +19,16 @@
"authentik-src": { "authentik-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1745954192, "lastModified": 1749043670,
"narHash": "sha256-QuIgeu3CN6S44/zSiaj+iIkDz2494mb1MWvD3eYYkVE=", "narHash": "sha256-gwHngqb23U8By7jhxFWQZOXy+vPQApJSkvr4gHI5ifQ=",
"owner": "goauthentik", "owner": "goauthentik",
"repo": "authentik", "repo": "authentik",
"rev": "22412729e2379d645da2ac0c0270a0ac6147945e", "rev": "bda30c5ad5838fea36dc0a06f8580cca437f0fc0",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "goauthentik", "owner": "goauthentik",
"ref": "version/2025.4.0", "ref": "version/2025.4.2",
"repo": "authentik", "repo": "authentik",
"type": "github" "type": "github"
} }
@@ -358,11 +358,11 @@
"flake-compat_3": { "flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1733328505, "lastModified": 1747046372,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -445,11 +445,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1743550720, "lastModified": 1748821116,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5", "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -796,11 +796,11 @@
"uv2nix": "uv2nix" "uv2nix": "uv2nix"
}, },
"locked": { "locked": {
"lastModified": 1746874492, "lastModified": 1749129962,
"narHash": "sha256-Gm2Eb5KBxAL6y9WJj7phRMXNAZzVkKlm9Dky9WDZHtQ=", "narHash": "sha256-gc1l5z5dWw9a9DWsrp0ZiD+SSMsNpEwMEiRi8K5sh5c=",
"owner": "nix-community", "owner": "nix-community",
"repo": "authentik-nix", "repo": "authentik-nix",
"rev": "2ef24fac993808a1a57f367ef58ac0f5254c3489", "rev": "271a38f7c4e2551f0674b894e2adf7cd1ddb8168",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -819,11 +819,11 @@
"rust-overlay": "rust-overlay_4" "rust-overlay": "rust-overlay_4"
}, },
"locked": { "locked": {
"lastModified": 1747308097, "lastModified": 1749770917,
"narHash": "sha256-indU9vouoMSHMuB9TTZMsXywj8N5UNOVnCwuA9xh9LM=", "narHash": "sha256-3jOhroFAAKg/vPmgmDnOKUGJp6GfLycUkhyMaJKZ7zg=",
"owner": "lilyinstarlight", "owner": "lilyinstarlight",
"repo": "nixos-cosmic", "repo": "nixos-cosmic",
"rev": "3c989494b1968ca066f5893401c9cb8e2202a8f2", "rev": "f5d076cdc61fe2f268d624a34a3df52573620396",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -860,11 +860,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747340209, "lastModified": 1749657191,
"narHash": "sha256-tUiXrwlJoG3dzJ+fSwv1S3VPU5ODSPZJHoBmlu4t344=", "narHash": "sha256-QLilaHuhGxiwhgceDWESj9gFcKIdEp7+9lRqNGpN8S4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "098e365dd83311cc8236f83ea6be42abb49a6c76", "rev": "faeab32528a9360e9577ff4082de2d35c6bbe1ce",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -954,11 +954,11 @@
}, },
"nas-nixos-hardware": { "nas-nixos-hardware": {
"locked": { "locked": {
"lastModified": 1747129300, "lastModified": 1749195551,
"narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=", "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "e81fd167b33121269149c57806599045fd33eeed", "rev": "4602f7e1d3f197b3cb540d5accf5669121629628",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -970,11 +970,11 @@
}, },
"nas-nixpkgs": { "nas-nixpkgs": {
"locked": { "locked": {
"lastModified": 1747179050, "lastModified": 1749285348,
"narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1007,11 +1007,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746485181, "lastModified": 1749592509,
"narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=", "narHash": "sha256-VunQzfZFA+Y6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC+A=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e93ee1d900ad264d65e9701a5c6f895683433386", "rev": "50754dfaa0e24e313c626900d44ef431f3210138",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1172,11 +1172,11 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1743296961, "lastModified": 1748740939,
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", "rev": "656a64127e9d791a334452c6b6606d17539476e2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1219,11 +1219,11 @@
}, },
"nixpkgs-stable_3": { "nixpkgs-stable_3": {
"locked": { "locked": {
"lastModified": 1747209494, "lastModified": 1749488106,
"narHash": "sha256-fLise+ys+bpyjuUUkbwqo5W/UyIELvRz9lPBPoB0fbM=", "narHash": "sha256-b9GIWdF/8jKpCC5JIMgDLZgwe8cEbty2fyTyo1eDFfI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5d736263df906c5da72ab0f372427814de2f52f8", "rev": "8fe3e32e7f210522377c3bcff80931a3284ace6a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1689,11 +1689,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1744599653, "lastModified": 1748562898,
"narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=", "narHash": "sha256-STk4QklrGpM3gliPKNJdBLSQvIrqRuwHI/rnYb/5rh8=",
"owner": "pyproject-nix", "owner": "pyproject-nix",
"repo": "build-system-pkgs", "repo": "build-system-pkgs",
"rev": "7dba6dbc73120e15b558754c26024f6c93015dd7", "rev": "33bd58351957bb52dd1700ea7eeefe34de06a892",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1710,11 +1710,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746146146, "lastModified": 1746540146,
"narHash": "sha256-60+mzI2lbgn+G8F5mz+cmkDvHFn4s5oqcOna1SzYy74=", "narHash": "sha256-QxdHGNpbicIrw5t6U3x+ZxeY/7IEJ6lYbvsjXmcxFIM=",
"owner": "pyproject-nix", "owner": "pyproject-nix",
"repo": "pyproject.nix", "repo": "pyproject.nix",
"rev": "3e9623bdd86a3c545e82b7f97cfdba5f07232d9a", "rev": "e09c10c24ebb955125fda449939bfba664c467fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1880,11 +1880,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747190175, "lastModified": 1749695868,
"narHash": "sha256-s33mQ2s5L/2nyllhRTywgECNZyCqyF4MJeM3vG/GaRo=", "narHash": "sha256-debjTLOyqqsYOUuUGQsAHskFXH5+Kx2t3dOo/FCoNRA=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "58160be7abad81f6f8cb53120d5b88c16e01c06d", "rev": "55f914d5228b5c8120e9e0f9698ed5b7214d09cd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -2208,11 +2208,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746048139, "lastModified": 1748916602,
"narHash": "sha256-LdCLyiihLg6P2/mjzP0+W7RtraDSIaJJPTy6SCtW5Ag=", "narHash": "sha256-GiwjjmPIISDFD0uQ1DqQ+/38hZ+2z1lTKVj/TkKaWwQ=",
"owner": "pyproject-nix", "owner": "pyproject-nix",
"repo": "uv2nix", "repo": "uv2nix",
"rev": "680e2f8e637bc79b84268949d2f2b2f5e5f1d81c", "rev": "a4dd471de62b27928191908f57bfcd702ec2bfc9",
"type": "github" "type": "github"
}, },
"original": { "original": {

67
hosts/nas/apps.nix
View File

@@ -20,6 +20,73 @@
]; ];
nas-apps = { nas-apps = {
actual = {
enable = true;
port = 3333;
localAddress = "10.0.3.18";
dataDir = "/media/nas/ssd/nix-app-data/actual";
reverseProxy = {
enable = true;
host = "actual.mjallen.dev";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
};
};
arrs = {
enable = true;
localAddress = "10.0.1.51";
downloadsDir = "/media/nas/ssd/ssd_app_data/downloads";
incompleteDownloadsDir = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
moviesDir = "/media/nas/main/movies";
tvDir = "/media/nas/main/tv";
isosDir = "/media/nas/main/isos";
radarr = {
enable = true;
port = 7878;
dataDir = "/media/nas/ssd/nix-app-data/radarr";
};
sonarr = {
enable = true;
port = 8989;
dataDir = "/media/nas/ssd/nix-app-data/sonarr";
};
sabnzbd = {
enable = true;
port = 8280;
dataDir = "/media/nas/ssd/nix-app-data/sabnzbd";
};
deluge = {
enable = true;
port = 8112;
};
jackett = {
enable = true;
port = 9117;
dataDir = "/media/nas/ssd/nix-app-data/jackett";
};
};
crowdsec = {
enable = true;
port = 9898;
apiAddress = "10.0.1.18";
apiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
dataDir = "/media/nas/ssd/nix-app-data/crowdsec";
};
gitea = {
enable = true;
httpPort = 3000;
sshPort = 2222;
localAddress = "10.0.4.18";
dataDir = "/media/nas/ssd/nix-app-data/gitea";
reverseProxy = {
enable = true;
host = "gitea.mjallen.dev";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
};
};
free-games-claimer.enable = true; free-games-claimer.enable = true;
manyfold.enable = true; manyfold.enable = true;

192
hosts/nas/apps/actual/default.nix
View File

@@ -1,100 +1,124 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
with lib;
let let
actualPort = 3333; cfg = config.nas-apps.actual;
hostDataDir = "/media/nas/ssd/nix-app-data/actual";
dataDir = "/data"; dataDir = "/data";
hostAddress = "10.0.1.18"; hostAddress = "10.0.1.18";
localAddress = "10.0.3.18";
actualUserId = config.users.users.nix-apps.uid; actualUserId = config.users.users.nix-apps.uid;
actualGroupId = config.users.groups.jallen-nas.gid; actualGroupId = config.users.groups.jallen-nas.gid;
in in
{ {
containers.actual = { imports = [ ./options.nix ];
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
bindMounts = { config = mkIf cfg.enable {
${dataDir} = { containers.actual = {
hostPath = hostDataDir; autoStart = true;
isReadOnly = false; privateNetwork = true;
hostAddress = hostAddress;
localAddress = cfg.localAddress;
bindMounts = {
${dataDir} = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
};
config = { lib, ... }:
{
services.actual = {
enable = true;
openFirewall = true;
settings = {
trustedProxies = [ hostAddress ];
port = cfg.port;
dataDir = dataDir;
serverFiles = "${dataDir}/server-files";
userFiles = "${dataDir}/user-files";
};
};
users.users.actual = {
isSystemUser = true;
uid = lib.mkForce actualUserId;
group = "actual";
};
users.groups = {
actual = {
gid = lib.mkForce actualGroupId;
};
};
# System packages
environment.systemPackages = with pkgs; [
sqlite
];
# Create and set permissions for required directories
system.activationScripts.actual-dirs = ''
mkdir -p ${dataDir}
chown -R actual:actual ${dataDir}
chmod -R 0700 ${dataDir}
'';
systemd.services = {
actual = {
environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
serviceConfig = {
ExecStart = lib.mkForce "${pkgs.actual-server}/bin/actual-server --config ${dataDir}/config.json";
WorkingDirectory = lib.mkForce dataDir;
StateDirectory = lib.mkForce dataDir;
StateDirectoryMode = lib.mkForce 0700;
DynamicUser = lib.mkForce false;
ProtectSystem = lib.mkForce null;
};
};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ cfg.port ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable {
services.actual.loadBalancer.servers = [
{
url = "http://${cfg.localAddress}:${toString cfg.port}";
}
];
routers.actual = {
entryPoints = [ "websecure" ];
rule = "Host(`${cfg.reverseProxy.host}`)";
service = "actual";
middlewares = cfg.reverseProxy.middlewares;
tls.certResolver = "letsencrypt";
}; };
}; };
config = { lib, ... }: networking = {
{ nat = {
services.actual = { forwardPorts = [
enable = true; {
openFirewall = true; destination = "${cfg.localAddress}:${toString cfg.port}";
settings = { sourcePort = cfg.port;
trustedProxies = [ hostAddress ]; }
port = actualPort;
dataDir = dataDir;
serverFiles = "${dataDir}/server-files";
userFiles = "${dataDir}/user-files";
};
};
users.users.actual = {
isSystemUser = true;
uid = lib.mkForce actualUserId;
group = "actual";
};
users.groups = {
actual = {
gid = lib.mkForce actualGroupId;
};
};
# System packages
environment.systemPackages = with pkgs; [
sqlite
]; ];
# Create and set permissions for required directories
system.activationScripts.actual-dirs = ''
mkdir -p ${dataDir}
chown -R actual:actual ${dataDir}
chmod -R 0700 ${dataDir}
'';
systemd.services = {
actual = {
environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
serviceConfig = {
ExecStart = lib.mkForce "${pkgs.actual-server}/bin/actual-server --config ${dataDir}/config.json";
WorkingDirectory = lib.mkForce dataDir;
StateDirectory = lib.mkForce dataDir;
StateDirectoryMode = lib.mkForce 0700;
DynamicUser = lib.mkForce false;
ProtectSystem = lib.mkForce null;
};
};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ actualPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
}; };
}; firewall = {
allowedTCPPorts = [ cfg.port ];
networking.nat = { allowedUDPPorts = [ cfg.port ];
forwardPorts = [ };
{ };
destination = "${localAddress}:${toString actualPort}";
sourcePort = actualPort;
}
];
}; };
} }

37
hosts/nas/apps/actual/options.nix Normal file
View File

@@ -0,0 +1,37 @@
{ lib, ... }:
with lib;
{
options.nas-apps.actual = {
enable = mkEnableOption "actual service";
port = mkOption {
type = types.int;
default = 80;
};
localAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
dataDir = mkOption {
type = types.str;
default = "";
};
reverseProxy = {
enable = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
default = "";
};
middlewares = mkOption {
type = with types; listOf str;
default = [ ];
};
};
};
}

399
hosts/nas/apps/arrs/default.nix
View File

@@ -1,15 +1,12 @@
{ {
config, config,
pkgs, pkgs,
lib,
... ...
}: }:
with lib;
let let
radarrPort = 7878; cfg = config.nas-apps.arrs;
sonarrPort = 8989;
sabnzbdPort = 8280;
delugePort = 8112;
jackettPort = 9117;
radarrDataDir = "/var/lib/radarr"; radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads"; downloadDir = "/downloads";
incompleteDir = "/downloads-incomplete"; incompleteDir = "/downloads-incomplete";
@@ -19,210 +16,220 @@ let
mediaDir = "/media"; mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid; arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid; arrGroupId = config.users.groups.jallen-nas.gid;
radarrPkg = pkgs.unstable.radarr; radarrPkg = pkgs.radarr;
sonarrPkg = pkgs.unstable.sonarr; sonarrPkg = pkgs.sonarr;
delugePkg = pkgs.unstable.deluge; delugePkg = pkgs.deluge;
jackettPkg = pkgs.unstable.jackett; jackettPkg = pkgs.jackett;
sabnzbdPkg = pkgs.unstable.sabnzbd; sabnzbdPkg = pkgs.sabnzbd;
in in
{ {
containers.arrs = { imports = [ ./options.nix ];
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.1.51";
config = config = mkIf cfg.enable {
{ containers.arrs = {
pkgs, autoStart = true;
lib, privateNetwork = true;
... hostAddress = "10.0.1.18";
}: localAddress = cfg.localAddress;
{
nixpkgs.config.allowUnfree = true;
# Enable radarr service config =
services.radarr = { {
enable = true; pkgs,
openFirewall = true; lib,
user = "arrs"; ...
group = "media"; }:
dataDir = radarrDataDir; {
package = radarrPkg; nixpkgs.config.allowUnfree = true;
};
# Enable Sonarr service # Enable radarr service
services.sonarr = { services.radarr = {
enable = true; enable = cfg.radarr.enable;
openFirewall = true;
user = "arrs";
group = "media";
dataDir = sonarrDataDir;
package = sonarrPkg;
};
# Enable Sabnzbd service
services.sabnzbd = {
enable = true;
openFirewall = true;
user = "arrs";
group = "media";
configFile = "${sabnzbdConfig}/sabnzbd.ini";
package = sabnzbdPkg;
};
services.deluge = {
enable = true;
user = "arrs";
group = "media";
openFirewall = true;
dataDir = "/media";
package = delugePkg;
web = {
enable = true;
port = 8112;
openFirewall = true; openFirewall = true;
user = "arrs";
group = "media";
dataDir = cfg.radarr.dataDir;
package = radarrPkg;
}; };
};
services.jackett = { # Enable Sonarr service
enable = true; services.sonarr = {
user = "arrs"; enable = cfg.sonarr.enable;
group = "media"; openFirewall = true;
openFirewall = true; user = "arrs";
package = jackettPkg; group = "media";
}; dataDir = cfg.sonarr.dataDir;
package = sonarrPkg;
# Create required users and groups
users.users.arrs = {
isSystemUser = true;
uid = lib.mkForce arrUserId;
group = "media";
extraGroups = [ "downloads" ];
};
users.groups = {
media = {
gid = lib.mkForce arrGroupId;
}; };
downloads = { };
# Enable Sabnzbd service
services.sabnzbd = {
enable = cfg.sabnzbd.enable;
openFirewall = true;
user = "arrs";
group = "media";
configFile = "${cfg.sabnzbd.dataDir}/sabnzbd.ini";
package = sabnzbdPkg;
};
services.deluge = {
enable = cfg.deluge.enable;
user = "arrs";
group = "media";
openFirewall = true;
dataDir = "/media";
package = delugePkg;
web = {
enable = true;
port = cfg.deluge.port;
openFirewall = true;
};
};
services.jackett = {
enable = cfg.jackett.enable;
user = "arrs";
group = "media";
openFirewall = true;
package = jackettPkg;
};
# Create required users and groups
users.users.arrs = {
isSystemUser = true;
uid = lib.mkForce arrUserId;
group = "media";
extraGroups = [ "downloads" ];
};
users.groups = {
media = {
gid = lib.mkForce arrGroupId;
};
downloads = { };
};
# System packages
environment.systemPackages = with pkgs; [
glib
sqlite
mono
mediainfo
protonvpn-cli_2
];
# Create and set permissions for required directories
system.activationScripts.arr-dirs = ''
mkdir -p ${radarrDataDir}
mkdir -p ${sonarrDataDir}
mkdir -p ${sabnzbdConfig}
mkdir -p ${downloadDir}
mkdir -p ${incompleteDir}
mkdir -p ${mediaDir}
chown -R arrs:media ${radarrDataDir}
chown -R arrs:media ${sonarrDataDir}
chown -R arrs:media ${sabnzbdConfig}
chown -R arrs:media ${downloadDir}
chown -R arrs:media ${incompleteDir}
chown -R arrs:media ${mediaDir}
chmod -R 775 ${radarrDataDir}
chmod -R 775 ${sonarrDataDir}
chmod -R 775 ${sabnzbdConfig}
chmod -R 775 ${downloadDir}
chmod -R 775 ${incompleteDir}
chmod -R 775 ${mediaDir}
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
cfg.radarr.port
cfg.sonarr.port
cfg.sabnzbd.port
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
}; };
# System packages # Bind mount directories from host
environment.systemPackages = with pkgs; [ bindMounts = {
glib "${radarrDataDir}" = {
sqlite hostPath = cfg.radarr.dataDir;
mono isReadOnly = false;
mediainfo };
protonvpn-cli_2 "${sonarrDataDir}" = {
hostPath = cfg.sonarr.dataDir;
isReadOnly = false;
};
"${sabnzbdConfig}" = {
hostPath = cfg.sabnzbd.dataDir;
isReadOnly = false;
};
"${downloadDir}" = {
hostPath = cfg.downloadsDir;
isReadOnly = false;
};
"${incompleteDir}" = {
hostPath = cfg.incompleteDownloadsDir;
isReadOnly = false;
};
"${jackettDir}" = {
hostPath = cfg.jackett.dataDir;
isReadOnly = false;
};
"/media/movies" = {
hostPath = cfg.moviesDir;
isReadOnly = false;
};
"/media/tv" = {
hostPath = cfg.tvDir;
isReadOnly = false;
};
"/media/isos" = {
hostPath = cfg.isosDir;
isReadOnly = false;
};
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${cfg.localAddress}:${toString cfg.radarr.port}";
sourcePort = cfg.radarr.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.sonarr.port}";
sourcePort = cfg.sonarr.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.sabnzbd.port}";
sourcePort = cfg.sabnzbd.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.deluge.port}";
sourcePort = cfg.deluge.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.jackett.port}";
sourcePort = cfg.jackett.port;
}
]; ];
# Create and set permissions for required directories
system.activationScripts.radarr-dirs = ''
mkdir -p ${radarrDataDir}
mkdir -p ${sonarrDataDir}
mkdir -p ${sabnzbdConfig}
mkdir -p ${downloadDir}
mkdir -p ${incompleteDir}
mkdir -p ${mediaDir}
chown -R arrs:media ${radarrDataDir}
chown -R arrs:media ${sonarrDataDir}
chown -R arrs:media ${sabnzbdConfig}
chown -R arrs:media ${downloadDir}
chown -R arrs:media ${incompleteDir}
chown -R arrs:media ${mediaDir}
chmod -R 775 ${radarrDataDir}
chmod -R 775 ${sonarrDataDir}
chmod -R 775 ${sabnzbdConfig}
chmod -R 775 ${downloadDir}
chmod -R 775 ${incompleteDir}
chmod -R 775 ${mediaDir}
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
radarrPort
sonarrPort
sabnzbdPort
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
}; };
firewall = {
# Bind mount directories from host allowedTCPPorts = [ cfg.radarr.port cfg.sonarr.port cfg.sabnzbd.port cfg.deluge.port cfg.jackett.port ];
bindMounts = { allowedUDPPorts = [ cfg.radarr.port cfg.sonarr.port cfg.sabnzbd.port cfg.deluge.port cfg.jackett.port ];
"${radarrDataDir}" = {
hostPath = "/media/nas/ssd/nix-app-data/radarr";
isReadOnly = false;
};
"${sonarrDataDir}" = {
hostPath = "/media/nas/ssd/nix-app-data/sonarr";
isReadOnly = false;
};
"${sabnzbdConfig}" = {
hostPath = "/media/nas/ssd/nix-app-data/sabnzbd";
isReadOnly = false;
};
"${downloadDir}" = {
hostPath = "/media/nas/ssd/ssd_app_data/downloads";
isReadOnly = false;
};
"${incompleteDir}" = {
hostPath = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
isReadOnly = false;
};
"${jackettDir}" = {
hostPath = "/media/nas/ssd/nix-app-data/jackett";
isReadOnly = false;
};
"/media/movies" = {
hostPath = "/media/nas/main/movies";
isReadOnly = false;
};
"/media/tv" = {
hostPath = "/media/nas/main/tv";
isReadOnly = false;
};
"/media/isos" = {
hostPath = "/media/nas/main/isos";
isReadOnly = false;
}; };
}; };
}; };
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.51:7878";
sourcePort = radarrPort;
}
{
destination = "10.0.1.51:8989";
sourcePort = sonarrPort;
}
{
destination = "10.0.1.51:8080";
sourcePort = sabnzbdPort;
}
{
destination = "10.0.1.51:8112";
sourcePort = delugePort;
}
{
destination = "10.0.1.51:9117";
sourcePort = jackettPort;
}
];
};
} }

112
hosts/nas/apps/arrs/options.nix Normal file
View File

@@ -0,0 +1,112 @@
{ lib, ... }:
with lib;
{
options.nas-apps.arrs = {
enable = mkEnableOption "arrs services";
radarr = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 7878;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
sonarr = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 8989;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
sabnzbd = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 8280;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
deluge = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 8112;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
jackett = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 9117;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
localAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
downloadsDir = mkOption {
type = types.str;
default = "";
};
incompleteDownloadsDir = mkOption {
type = types.str;
default = "";
};
moviesDir = mkOption {
type = types.str;
default = "";
};
tvDir = mkOption {
type = types.str;
default = "";
};
isosDir = mkOption {
type = types.str;
default = "";
};
};
}

82
hosts/nas/apps/crowdsec/default.nix
View File

@@ -1,44 +1,58 @@
{ outputs, pkgs, ... }: { outputs, config, lib, pkgs, ... }:
with lib;
let
cfg = config.nas-apps.crowdsec;
in
{ {
services = { imports = [ ./options.nix ];
crowdsec = let config = lib.mkIf cfg.enable {
yaml = (pkgs.formats.yaml {}).generate; services = {
acquisitions_file = yaml "acquisitions.yaml" { crowdsec = let
source = "journalctl"; yaml = (pkgs.formats.yaml {}).generate;
journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"]; acquisitions_file = yaml "acquisitions.yaml" {
labels.type = "syslog"; source = "journalctl";
journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
labels.type = "syslog";
};
in {
enable = true;
enrollKeyFile = "${cfg.dataDir}/enroll.key";
settings = {
crowdsec_service.acquisition_path = acquisitions_file;
api.server = {
listen_uri = "0.0.0.0:${toString cfg.port}";
};
};
}; };
in {
enable = true; crowdsec-firewall-bouncer = {
enrollKeyFile = "/media/nas/ssd/nix-app-data/crowdsec/enroll.key"; enable = true;
settings = { settings = {
crowdsec_service.acquisition_path = acquisitions_file; api_key = cfg.apiKey;
api.server = { api_url = "http://${cfg.apiAddress}:${toString cfg.port}";
listen_uri = "0.0.0.0:9898";
}; };
}; };
}; };
crowdsec-firewall-bouncer = { systemd.services.crowdsec.serviceConfig = {
enable = true; ExecStartPre = let
settings = { script = pkgs.writeScriptBin "register-bouncer" ''
api_key = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE"; #!${pkgs.runtimeShell}
api_url = "http://10.0.1.18:9898"; set -eu
set -o pipefail
if ! cscli bouncers list | grep -q "nas-bouncer"; then
cscli bouncers add "nas-bouncer" --key "${cfg.apiKey}"
fi
'';
in ["${script}/bin/register-bouncer"];
};
networking = {
firewall = {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
}; };
}; };
}; };
systemd.services.crowdsec.serviceConfig = {
ExecStartPre = let
script = pkgs.writeScriptBin "register-bouncer" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
if ! cscli bouncers list | grep -q "nas-bouncer"; then
cscli bouncers add "nas-bouncer" --key "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE"
fi
'';
in ["${script}/bin/register-bouncer"];
};
} }

27
hosts/nas/apps/crowdsec/options.nix Normal file
View File

@@ -0,0 +1,27 @@
{ lib, ... }:
with lib;
{
options.nas-apps.crowdsec = {
enable = mkEnableOption "crowdsec service";
port = mkOption {
type = types.int;
default = 9898;
};
apiAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
apiKey = mkOption {
type = types.str;
default = "";
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
}

207
hosts/nas/apps/gitea/default.nix
View File

@@ -1,109 +1,130 @@
{ config, ... }: { config, lib, ... }:
with lib;
let let
cfg = config.nas-apps.gitea;
hostAddress = "10.0.1.18"; hostAddress = "10.0.1.18";
localAddress = "10.0.4.18"; # localAddress = "10.0.4.18";
httpPort = 3000; # httpPort = 3000;
sshPort = 2222; # sshPort = 2222;
rootUrl = "https://gitea.mjallen.dev/"; rootUrl = "https://gitea.mjallen.dev/";
stateDir = "/media/nas/ssd/nix-app-data/gitea"; # stateDir = "/media/nas/ssd/nix-app-data/gitea";
dataDir = "/var/lib/gitea"; dataDir = "/var/lib/gitea";
secretsDir = "/run/secrets/jallen-nas/gitea"; secretsDir = "/run/secrets/jallen-nas/gitea";
mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path; mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path; metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
in in
{ {
containers.gitea = { imports = [ ./options.nix ];
autoStart = true; config = mkIf cfg.enable {
privateNetwork = true; containers.gitea = {
hostAddress = hostAddress; autoStart = true;
localAddress = localAddress; privateNetwork = true;
hostAddress = hostAddress;
localAddress = cfg.localAddress;
bindMounts = { bindMounts = {
${dataDir} = { ${dataDir} = {
hostPath = stateDir; hostPath = cfg.dataDir;
isReadOnly = false; isReadOnly = false;
};
secrets = {
hostPath = secretsDir;
isReadOnly = true;
mountPoint = secretsDir;
};
}; };
secrets = {
hostPath = secretsDir; config = { lib, ... }:
isReadOnly = true; {
mountPoint = secretsDir; services.gitea = {
enable = true;
stateDir = dataDir;
mailerPasswordFile = mailerPasswordFile;
metricsTokenFile = metricsTokenFile;
settings = {
server = {
DOMAIN = "jallen-nas";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = cfg.httpPort;
PROTOCOL = "http";
ROOT_URL = rootUrl;
START_SSH_SERVER = true;
SSH_PORT = cfg.sshPort;
};
service = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_CAPTCHA = false;
DISABLE_REGISTRATION = true;
ENABLE_OPENID_SIGNIN = false;
ENABLE_LDAP_SIGNIN = false;
ENABLE_SSH_SIGNIN = true;
ENABLE_BUILTIN_SSH_SERVER = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
};
};
};
users.users.gitea = {
extraGroups = [ "keys" ];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ cfg.httpPort cfg.sshPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
# Create and set permissions for required directories
system.activationScripts.gitea-dirs = ''
mkdir -p /var/lib/gitea
chown -R gitea:gitea /var/lib/gitea
chmod -R 775 /var/lib/gitea
mkdir -p /run/secrets/jallen-nas
chown -R gitea:gitea /run/secrets/jallen-nas
chmod -R 775 /run/secrets/jallen-nas
'';
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable {
services.gitea.loadBalancer.servers = [
{
url = "http://${cfg.localAddress}:${toString cfg.httpPort}";
}
];
routers.gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`${cfg.reverseProxy.host}`)";
service = "gitea";
middlewares = cfg.reverseProxy.middlewares;
tls.certResolver = "letsencrypt";
}; };
}; };
config = { lib, ... }: networking = {
{ nat = {
services.gitea = { forwardPorts = [
enable = true; {
stateDir = dataDir; destination = "${cfg.localAddress}:${toString cfg.httpPort}";
useWizard = false; sourcePort = cfg.httpPort;
mailerPasswordFile = mailerPasswordFile; }
metricsTokenFile = metricsTokenFile; {
settings = { destination = "${cfg.localAddress}:${toString cfg.sshPort}";
server = { sourcePort = cfg.sshPort;
DOMAIN = "jallen-nas"; }
HTTP_ADDR = "0.0.0.0"; ];
HTTP_PORT = httpPort;
PROTOCOL = "http";
ROOT_URL = rootUrl;
START_SSH_SERVER = true;
SSH_PORT = sshPort;
};
service = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_CAPTCHA = false;
DISABLE_REGISTRATION = true;
ENABLE_OPENID_SIGNIN = false;
ENABLE_LDAP_SIGNIN = false;
ENABLE_SSH_SIGNIN = true;
ENABLE_BUILTIN_SSH_SERVER = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
};
};
};
users.users.gitea = {
extraGroups = [ "keys" ];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ httpPort sshPort 22 ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
# Create and set permissions for required directories
system.activationScripts.gitea-dirs = ''
mkdir -p /var/lib/gitea
chown -R gitea:gitea /var/lib/gitea
chmod -R 775 /var/lib/gitea
mkdir -p /run/secrets/jallen-nas
chown -R gitea:gitea /run/secrets/jallen-nas
chmod -R 775 /run/secrets/jallen-nas
'';
services.resolved.enable = true;
system.stateVersion = "23.11";
}; };
firewall = {
allowedTCPPorts = [ cfg.httpPort cfg.sshPort ];
allowedUDPPorts = [ cfg.httpPort cfg.sshPort ];
};
};
}; };
}
networking.nat = {
forwardPorts = [
{
destination = "${localAddress}:${toString httpPort}";
sourcePort = httpPort;
}
{
destination = "${localAddress}:${toString 2222}";
sourcePort = sshPort;
}
# {
# destination = "${localAddress}:${toString 22}";
# sourcePort = 22;
# }
];
};
}

42
hosts/nas/apps/gitea/options.nix Normal file
View File

@@ -0,0 +1,42 @@
{ lib, ... }:
with lib;
{
options.nas-apps.gitea = {
enable = mkEnableOption "gitea service";
httpPort = mkOption {
type = types.int;
default = 80;
};
sshPort = mkOption {
type = types.int;
default = 22;
};
localAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
dataDir = mkOption {
type = types.str;
default = "";
};
reverseProxy = {
enable = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
default = "";
};
middlewares = mkOption {
type = with types; listOf str;
default = [ ];
};
};
};
}

46
hosts/nas/apps/options.nix Normal file
View File

@@ -0,0 +1,46 @@
{ lib, ... }:
let
inherit (lib) types mkOption;
in
{
options.nas-apps = mkOption {
type = types.attrsOf (types.submodule ({ config, name, ... }: {
options = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 80;
};
localAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
dataDir = mkOption {
type = types.str;
default = "";
};
reverseProxy = {
enable = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
default = "";
};
middlewares = mkOption {
type = with types; listOf str;
default = [ ];
};
};
};
}));
};
}

192
hosts/nas/apps/traefik/default.nix
View File

@@ -1,25 +1,24 @@
{ config, ... }: { config, ... }:
let let
domain = "mjallen.dev"; domain = "mjallen.dev";
serverIp = "10.0.1.18";
# Forward services # Forward services
authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io"; authUrl = "http://${serverIp}:9000/outpost.goauthentik.io";
authentikUrl = "http://10.0.1.18:9000";
onlyofficeUrl = "http://10.0.2.18:9980";
cloudUrl = "http://10.0.2.18:80";
jellyfinUrl = "http://10.0.1.18:8096";
jellyseerrUrl = "http://10.0.1.52:5055";
hassUrl = "http://homeassistant.local:8123";
openWebUIUrl = "http://10.0.1.18:8888";
paperlessUrl = "http://10.0.1.20:28981";
cacheUrl = "http://10.0.1.18:5000";
giteaUrl = "http://10.0.4.18:3000";
actualUrl = "http://10.0.3.18:3333";
lubeloggerUrl = "http://10.0.1.18:6754";
immichUrl = "http://10.0.1.18:2283";
# internal services actualUrl = "http://${config.containers.actual.localAddress}:${toString config.containers.actual.config.services.actual.settings.port}";
codeUrl = "http://10.0.1.18:4444"; authentikUrl = "http://${serverIp}:9000";
cacheUrl = "http://${serverIp}:${toString config.services.nix-serve.port}";
cloudUrl = "http://${config.containers.nextcloud.localAddress}:80";
giteaUrl = "http://${config.containers.gitea.localAddress}:${toString config.containers.gitea.config.services.gitea.settings.server.SSH_PORT}";
hassUrl = "http://homeassistant.local:8123";
immichUrl = "http://${serverIp}:${toString config.services.immich.port}";
jellyfinUrl = "http://${serverIp}:8096";
jellyseerrUrl = "http://${config.containers.jellyseerr.localAddress}:${toString config.containers.jellyseerr.config.services.jellyseerr.port}";
lubeloggerUrl = "http://${serverIp}:6754";
onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
openWebUIUrl = "http://${serverIp}:8888";
paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
# Plugins # Plugins
traefikPlugins = { traefikPlugins = {
@@ -33,7 +32,7 @@ let
}; };
}; };
crowdsecAppsecHost = "10.0.1.18:7422"; crowdsecAppsecHost = "${serverIp}:7422";
crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path; crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
# Ports # Ports
@@ -52,8 +51,7 @@ let
# misc # misc
letsEncryptEmail = "jalle008@proton.me"; letsEncryptEmail = "jalle008@proton.me";
dataDir = "/media/nas/ssd/nix-app-data/traefik"; dataDir = "/media/nas/ssd/nix-app-data/traefik";
authentikAddress = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik"; authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik";
group = [ config.users.users.nix-apps.group.name ];
in in
{ {
sops = { sops = {
@@ -228,14 +226,25 @@ in
url = authUrl; url = authUrl;
} }
]; ];
actual.loadBalancer.servers = [
{
url = actualUrl;
}
];
authentik.loadBalancer.servers = [ authentik.loadBalancer.servers = [
{ {
url = authentikUrl; url = authentikUrl;
} }
]; ];
onlyoffice.loadBalancer.servers = [ cache.loadBalancer.servers = [
{ {
url = onlyofficeUrl; url = cacheUrl;
}
];
chat.loadBalancer.servers = [
{
url = openWebUIUrl;
} }
]; ];
cloud.loadBalancer.servers = [ cloud.loadBalancer.servers = [
@@ -243,6 +252,21 @@ in
url = cloudUrl; url = cloudUrl;
} }
]; ];
gitea.loadBalancer.servers = [
{
url = giteaUrl;
}
];
hass.loadBalancer.servers = [
{
url = hassUrl;
}
];
immich.loadBalancer.servers = [
{
url = immichUrl;
}
];
jellyfin.loadBalancer.servers = [ jellyfin.loadBalancer.servers = [
{ {
url = jellyfinUrl; url = jellyfinUrl;
@@ -253,51 +277,19 @@ in
url = jellyseerrUrl; url = jellyseerrUrl;
} }
]; ];
hass.loadBalancer.servers = [
{
url = hassUrl;
}
];
chat.loadBalancer.servers = [
{
url = openWebUIUrl;
}
];
cache.loadBalancer.servers = [
{
url = cacheUrl;
}
];
paperless.loadBalancer.servers = [
{
url = paperlessUrl;
}
];
gitea.loadBalancer.servers = [
{
url = giteaUrl;
}
];
actual.loadBalancer.servers = [
{
url = actualUrl;
}
];
lubelogger.loadBalancer.servers = [ lubelogger.loadBalancer.servers = [
{ {
url = lubeloggerUrl; url = lubeloggerUrl;
} }
]; ];
immich.loadBalancer.servers = [ onlyoffice.loadBalancer.servers = [
{ {
url = immichUrl; url = onlyofficeUrl;
} }
]; ];
paperless.loadBalancer.servers = [
# internal services
code.loadBalancer.servers = [
{ {
url = codeUrl; url = paperlessUrl;
} }
]; ];
}; };
@@ -311,6 +303,14 @@ in
priority = 15; priority = 15;
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
actual = {
entryPoints = [ "websecure" ];
rule = "Host(`actual.${domain}`)";
service = "actual";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
authentik = { authentik = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`authentik.${domain}`)"; rule = "Host(`authentik.${domain}`)";
@@ -318,11 +318,12 @@ in
middlewares = [ "crowdsec" "whitelist-geoblock" ]; middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
onlyoffice = { cache = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`office.${domain}`)"; rule = "Host(`cache.${domain}`)";
service = "onlyoffice"; service = "cache";
middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ]; middlewares = [ "crowdsec" "whitelist-geoblock" ];
priority = 10;
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
cloud = { cloud = {
@@ -332,6 +333,28 @@ in
middlewares = [ "crowdsec" "whitelist-geoblock" ]; middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.${domain}`)";
service = "gitea";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
hass = {
entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)";
service = "hass";
middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
immich = {
entryPoints = [ "websecure" ];
rule = "Host(`immich.${domain}`)";
service = "immich";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
jellyfin = { jellyfin = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`jellyfin.${domain}`)"; rule = "Host(`jellyfin.${domain}`)";
@@ -346,36 +369,6 @@ in
middlewares = [ "crowdsec" "whitelist-geoblock" ]; middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.${domain}`)";
service = "gitea";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
actual = {
entryPoints = [ "websecure" ];
rule = "Host(`actual.${domain}`)";
service = "actual";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
hass = {
entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)";
service = "hass";
middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
cache = {
entryPoints = [ "websecure" ];
rule = "Host(`cache.${domain}`)";
service = "cache";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
lubelogger = { lubelogger = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`lubelogger.${domain}`)"; rule = "Host(`lubelogger.${domain}`)";
@@ -383,20 +376,11 @@ in
middlewares = [ "crowdsec" "whitelist-geoblock" ]; middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
immich = { onlyoffice = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`immich.${domain}`)"; rule = "Host(`office.${domain}`)";
service = "immich"; service = "onlyoffice";
middlewares = [ "crowdsec" "whitelist-geoblock" ]; middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
tls.certResolver = "letsencrypt";
};
# internal services
code = {
entryPoints = [ "websecure" ];
rule = "Host(`code.${domain}`)";
service = "code";
middlewares = [ "internal-ipallowlist" ];
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
}; };

1
hosts/nas/configuration.nix
View File

@@ -57,6 +57,7 @@
''; '';
systemPackages = with pkgs; [ systemPackages = with pkgs; [
attic-client
binutils binutils
cryptsetup cryptsetup
cmake cmake

2
hosts/nas/grafana.nix
View File

@@ -22,7 +22,7 @@ in
]; ];
}; };
libvirt = { libvirt = {
enable = true; enable = false;
openFirewall = true; openFirewall = true;
}; };
nut = { nut = {

1
hosts/nas/networking.nix
View File

@@ -21,6 +21,7 @@ let
6754 # lubelogger 6754 # lubelogger
2283 # immich 2283 # immich
4444 # code-server 4444 # code-server
9012
]; ];
in in
{ {

14
hosts/nas/nix-serve.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, ... }: { config, pkgs, ... }:
let let
nix-build-mail = pkgs.writeShellScript "echo -e \"Content-Type: text/plain\\r\\nSubject: NixOS cache rebuild failed\\r\\n\\r\\nThe nix-rebuild-cache service failed at $(date).\" | sendmail jalle008@proton.me"; nix-build-mail = pkgs.writeShellScript "echo -e \"Content-Type: text/plain\\r\\nSubject: NixOS cache rebuild failed\\r\\n\\r\\nThe nix-rebuild-cache service failed at $(date).\" | sendmail jalle008@proton.me";
in in
@@ -13,6 +13,14 @@ in
openFirewall = true; openFirewall = true;
}; };
services.atticd = {
enable = true;
environmentFile = config.sops.secrets."jallen-nas/attic-key".path;
settings = {
listen = "[::]:9012";
};
};
# Improved systemd service with better error handling # Improved systemd service with better error handling
systemd = { systemd = {
services = { services = {
@@ -299,8 +307,8 @@ in
}; };
}; };
# nix.settings.builders-use-substitutes = true; nix.settings.builders-use-substitutes = true;
# nix.distributedBuilds = true; nix.distributedBuilds = true;
nix.buildMachines = [ nix.buildMachines = [
{ {
hostName = "pi5.local"; hostName = "pi5.local";

3
hosts/nas/sops.nix
View File

@@ -233,6 +233,9 @@ in
path = "/etc/secureboot/keys/PK/PK.pem"; path = "/etc/secureboot/keys/PK/PK.pem";
mode = "0640"; mode = "0640";
}; };
"jallen-nas/attic-key" = {
# owner = "atticd";
};
}; };
# ------------------------------ # ------------------------------

5
secrets/nas-secrets.yaml
View File

File diff suppressed because one or more lines are too long