mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

caddy

Browse Source
This commit is contained in:
mjallen18
2026-02-11 22:23:00 -06:00
parent 89275509f3
commit 92b6e7a822
12 changed files with 702 additions and 529 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
modules/nixos/services/ai/default.nix
View File

@@ -7,13 +7,19 @@
}: }:
with lib; with lib;
let let
inherit (lib.${namespace}) mkOpt;
cfg = config.${namespace}.services.ai; cfg = config.${namespace}.services.ai;
aiConfig = lib.${namespace}.mkModule { aiConfig = lib.${namespace}.mkModule {
inherit config; inherit config;
name = "ai"; name = "ai";
description = "AI Services"; description = "AI Services";
options = { }; options = {
llama-cpp = {
model = mkOpt types.str "Qwen3-Coder-Next-UD-Q3_K_XL" "";
};
};
moduleConfig = { moduleConfig = {
services = { services = {
ollama = { ollama = {
@@ -34,7 +40,7 @@ let
port = 8127; port = 8127;
host = "0.0.0.0"; host = "0.0.0.0";
openFirewall = cfg.openFirewall; openFirewall = cfg.openFirewall;
model = "${cfg.configDir}/llama-cpp/models/Qwen3-Coder-Next-Q4_0.gguf"; model = "${cfg.configDir}/llama-cpp/models/${cfg.llama-cpp.model}.gguf";
package = pkgs.llama-cpp-rocm; package = pkgs.llama-cpp-rocm;
extraFlags = [ extraFlags = [
"--fit" "--fit"
@@ -105,7 +111,7 @@ let
set -euo pipefail set -euo pipefail
MODEL_DIR="${cfg.configDir}/llama-cpp/models" MODEL_DIR="${cfg.configDir}/llama-cpp/models"
MODEL_NAME="Qwen3-Coder-Next-Q4_0.gguf" MODEL_NAME="${cfg.llama-cpp.model}.gguf"
REPO_ID="unsloth/Qwen3-Coder-Next-GGUF" REPO_ID="unsloth/Qwen3-Coder-Next-GGUF"
# Create model directory if it doesn't exist # Create model directory if it doesn't exist

58
modules/nixos/services/caddy/default.nix
View File

@@ -11,10 +11,13 @@ let
cfg = config.${namespace}.services.${name}; cfg = config.${namespace}.services.${name};
caddyPackage = pkgs.caddy.withPlugins { caddyPackage = pkgs.caddy.withPlugins {
plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ]; plugins = [
"github.com/caddy-dns/cloudflare@v0.2.2"
];
hash = "sha256-dnhEjopeA0UiI+XVYHYpsjcEI6Y1Hacbi28hVKYQURg="; hash = "sha256-dnhEjopeA0UiI+XVYHYpsjcEI6Y1Hacbi28hVKYQURg=";
}; };
# "github.com/hslatman/caddy-crowdsec-bouncer/http@v0.9.2"
caddy = lib.${namespace}.mkModule { caddy = lib.${namespace}.mkModule {
inherit config name; inherit config name;
description = "caddy Service"; description = "caddy Service";
@@ -87,14 +90,14 @@ let
package = caddyPackage; package = caddyPackage;
environmentFile = config.sops.templates."caddy.env".path; environmentFile = config.sops.templates."caddy.env".path;
email = "jalle008@proton.me"; email = "jalle008@proton.me";
enableReload = false; enableReload = true;
dataDir = "${cfg.configDir}/caddy"; dataDir = "${cfg.configDir}/caddy";
globalConfig = '' globalConfig = ''
metrics metrics
http_port 80 http_port 80
https_port 443 https_port 443
default_bind 0.0.0.0 default_bind 0.0.0.0
''; # b710da1b0182eadcb1e569408de778f9f3c50 '';
virtualHosts = { virtualHosts = {
"*.mjallen.dev" = { "*.mjallen.dev" = {
extraConfig = '' extraConfig = ''
@@ -102,19 +105,54 @@ let
dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN} dns cloudflare {$CLOUDFLARE_DNS_API_TOKEN}
} }
@gitea host gitea.mjallen.dev @authentik host authentik.mjallen.dev
handle @gitea { handle @authentik {
reverse_proxy http://10.0.1.3:3000 reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.authentik.port}
} }
@jellyfin host jellyfin.mjallen.dev @cache host cache.mjallen.dev
handle @jellyfin { handle @cache {
reverse_proxy http://10.0.1.3:8096 reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.attic.port}
}
@gitea host gitea.mjallen.dev
handle @gitea {
reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.gitea.port}
} }
@homeassistant host hass.mjallen.dev @homeassistant host hass.mjallen.dev
handle @homeassistant { handle @homeassistant {
reverse_proxy http://10.0.1.4:8123 reverse_proxy http://nuc-nixos.local:8123
}
@immich host immich.mjallen.dev
handle @immich {
reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.immich.port}
}
@jellyfin host jellyfin.mjallen.dev
handle @jellyfin {
reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.jellyfin.port}
}
@jellyseerr host jellyseerr.mjallen.dev
handle @jellyseerr {
reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.jellyseerr.port}
}
@lubelogger host lubelogger.mjallen.dev
handle @lubelogger {
reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.lubelogger.port}
}
@matrix host matrix.mjallen.dev
handle @matrix {
reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.matrix.port}
}
@ntfy host ntfy.mjallen.dev
handle @ntfy {
reverse_proxy http://10.0.1.3:${toString config.${namespace}.services.ntfy.port}
} }
''; '';
}; };

56
modules/nixos/services/coturn/default.nix
View File

@@ -14,38 +14,59 @@ let
description = "config"; description = "config";
options = { }; options = { };
moduleConfig = { moduleConfig = {
# Add ACME certificate configuration for TLS support
# security.acme.certs."turn.mjallen.dev" = {
# group = "turnserver";
# dnsProvider = "cloudflare";
# credentialsFile = config.sops.templates."traefik.env".path;
# dnsPropagationCheck = true;
# };
services.coturn = rec { services.coturn = rec {
enable = true; enable = true;
no-cli = true; no-cli = true;
no-tcp-relay = true; # Removed no-tcp-relay to enable TCP relay for better VoIP support
min-port = 49000; min-port = 49000;
max-port = 50000; max-port = 50000;
use-auth-secret = true; use-auth-secret = true;
static-auth-secret = "Lucifer008!"; static-auth-secret = "Lucifer008!";
listening-port = cfg.port; listening-port = cfg.port;
realm = "turn.mjallen.dev"; realm = "turn.mjallen.dev";
# cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; # Enable TLS support with ACME certificates
# cert = "${config.security.acme.certs.${realm}.directory}/fullchain.pem";
# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; # pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = '' extraConfig = ''
# for debugging # for debugging
verbose verbose
# ban private IP ranges
# Add public IP address for NAT traversal
external-ip=73.242.17.96
# Allow localhost for testing
allowed-peer-ip=127.0.0.0-127.255.255.255
allowed-peer-ip=::1
# ban private IP ranges - modified to allow local connections
no-multicast-peers no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255 # Allow internal networks for testing
# denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255 denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255 # Localhost now explicitly allowed above
# denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255 denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255 denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255 denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255 denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255 denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255 # Allow local network
# denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255 denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255 denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255 denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255 denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1 # Localhost now explicitly allowed above
# denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
@@ -53,9 +74,30 @@ let
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# Add better logging for debugging
log-file=/var/log/turnserver.log
syslog
''; '';
}; };
networking.firewall = { networking.firewall = {
# Open ports on all interfaces for better connectivity
allowedUDPPortRanges = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
allowedUDPPorts = [
3478 # STUN/TURN standard port
5349 # STUN/TURN TLS port
];
allowedTCPPorts = [
3478 # STUN/TURN standard port
5349 # STUN/TURN TLS port
];
# Keep the specific interface rules too for backward compatibility
interfaces.enp197s0 = interfaces.enp197s0 =
let let
range = with config.services.coturn; [ range = with config.services.coturn; [

9
modules/nixos/services/crowdsec/default.nix
View File

@@ -119,6 +119,15 @@ let
capi.credentialsFile = lib.mkDefault "${cfg.configDir}/crowdsec/capi.yaml"; capi.credentialsFile = lib.mkDefault "${cfg.configDir}/crowdsec/capi.yaml";
}; };
}; };
crowdsec-firewall-bouncer = {
enable = true;
registerBouncer = {
enable = true;
bouncerName = "nas-bouncer";
};
# secrets.apiKeyPath = config.sops.secrets."jallen-nas/crowdsec-firewall-bouncer-api-key".path;
};
}; };
}; };
}; };

2
modules/nixos/services/matrix/default.nix
View File

@@ -122,9 +122,11 @@ let
turn_uris = [ turn_uris = [
"turn:${config.services.coturn.realm}:3478?transport=udp" "turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:${config.services.coturn.realm}:3478?transport=tcp" "turn:${config.services.coturn.realm}:3478?transport=tcp"
"turns:${config.services.coturn.realm}:5349?transport=tcp" # TLS version for secure connections
]; ];
turn_shared_secret = config.services.coturn.static-auth-secret; turn_shared_secret = config.services.coturn.static-auth-secret;
turn_user_lifetime = "1h"; turn_user_lifetime = "1h";
turn_allow_guests = true; # Allow guest users to use TURN server
}; };
}; };

147
modules/nixos/services/traefik/default.nix
View File

@@ -58,70 +58,12 @@ let
configDir = "/media/nas/main/appdata"; configDir = "/media/nas/main/appdata";
in in
{ {
imports = [ ./options.nix ]; imports = [
./options.nix
./sops.nix
];
config = mkIf cfg.enable { config = mkIf cfg.enable {
sops = {
secrets = {
"jallen-nas/traefik/crowdsec/lapi-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/crowdsec/capi-machine-id" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/crowdsec/capi-password" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-dns-api-token" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-zone-api-token" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-api-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-email" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
};
templates = {
"traefik.env" = {
content = ''
CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
'';
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
};
};
networking.firewall = { networking.firewall = {
allowedTCPPorts = forwardPorts; allowedTCPPorts = forwardPorts;
@@ -131,11 +73,12 @@ in
services.traefik = { services.traefik = {
enable = true; enable = true;
dataDir = "${configDir}/traefik"; dataDir = "${configDir}/traefik";
dynamic.dir = "${configDir}/traefik";
group = "jallen-nas"; # group; group = "jallen-nas"; # group;
environmentFiles = [ config.sops.templates."traefik.env".path ]; environmentFiles = [ config.sops.templates."traefik.env".path ];
staticConfigOptions = { static = {
# dir = "${configDir}/traefik";
settings = {
entryPoints = { entryPoints = {
web = { web = {
address = ":${toString httpPort}"; address = ":${toString httpPort}";
@@ -197,9 +140,12 @@ in
plugins = traefikPlugins; plugins = traefikPlugins;
}; };
}; };
};
dynamicConfigOptions = { dynamic = {
http = { dir = "/run/traefik";
files = {
"serversTransports".settings.http = {
serversTransports = { serversTransports = {
internal-https = { internal-https = {
insecureSkipVerify = true; insecureSkipVerify = true;
@@ -209,7 +155,9 @@ in
disableHTTP2 = true; disableHTTP2 = true;
}; };
}; };
};
"middlewares-authentik".settings.http = {
middlewares = { middlewares = {
authentik = { authentik = {
forwardAuth = { forwardAuth = {
@@ -231,6 +179,11 @@ in
]; ];
}; };
}; };
};
};
"middlewares-crowdsec".settings.http = {
middlewares = {
crowdsec = { crowdsec = {
plugin = { plugin = {
bouncer = { bouncer = {
@@ -246,6 +199,11 @@ in
}; };
}; };
}; };
};
};
"middlewares-geoblock".settings.http = {
middlewares = {
whitelist-geoblock = { whitelist-geoblock = {
plugin = { plugin = {
geoblock = { geoblock = {
@@ -268,6 +226,11 @@ in
}; };
}; };
}; };
};
};
"middlewares-ipallowlist".settings.http = {
middlewares = {
internal-ipallowlist = { internal-ipallowlist = {
ipAllowList = { ipAllowList = {
sourceRange = [ sourceRange = [
@@ -277,13 +240,20 @@ in
}; };
}; };
}; };
};
"services-auth".settings.http = {
services = { services = {
auth.loadBalancer.servers = [ auth.loadBalancer.servers = [
{ {
url = authUrl; url = authUrl;
} }
]; ];
};
};
"services-cache".settings.http = {
services = {
cache.loadBalancer = { cache.loadBalancer = {
servers = [ servers = [
{ {
@@ -292,19 +262,22 @@ in
]; ];
serversTransport = "http1"; serversTransport = "http1";
}; };
hass.loadBalancer.servers = [ };
{ };
url = hassUrl;
} "services-nginx".settings.http = {
]; services = {
nginx.loadBalancer.servers = [ nginx.loadBalancer.servers = [
{ {
url = "http://localhost:8188"; url = "http://localhost:8188";
} }
]; ];
} };
// reverseProxyServiceConfigs; };
"services-generated".settings.http = reverseProxyServiceConfigs;
"routers-auth".settings.http = {
routers = { routers = {
auth = { auth = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
@@ -317,7 +290,11 @@ in
priority = 15; priority = 15;
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
};
};
"routers-matrix2".settings.http = {
routers = {
matrix2 = { matrix2 = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`matrix.mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)"; rule = "Host(`matrix.mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
@@ -329,7 +306,11 @@ in
priority = 1; priority = 1;
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
};
};
"routers-matrix3".settings.http = {
routers = {
matrix3 = { matrix3 = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)"; rule = "Host(`mjallen.dev`) && PathPrefix(`/.well-known/matrix/`)";
@@ -341,7 +322,11 @@ in
priority = 1; priority = 1;
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
};
};
"routers-cache".settings.http = {
routers = {
cache = { cache = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`cache.${domain}`)"; rule = "Host(`cache.${domain}`)";
@@ -350,7 +335,18 @@ in
priority = 10; priority = 10;
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
};
};
"home-assistant".settings.http = {
services = {
hass.loadBalancer.servers = [
{
url = hassUrl;
}
];
};
routers = {
hass = { hass = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)"; rule = "Host(`hass.${domain}`)";
@@ -363,8 +359,9 @@ in
priority = 10; priority = 10;
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
} };
// reverseProxyRouterConfigs; };
"routers-generated".settings.http = reverseProxyRouterConfigs;
}; };
}; };
}; };

76
modules/nixos/services/traefik/sops.nix Normal file
View File

@@ -0,0 +1,76 @@
{
config,
lib,
namespace,
...
}:
with lib;
let
cfg = config.${namespace}.services.traefik;
in
{
config = mkIf cfg.enable {
sops = {
secrets = {
"jallen-nas/traefik/crowdsec/lapi-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/crowdsec/capi-machine-id" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/crowdsec/capi-password" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-dns-api-token" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-zone-api-token" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-api-key" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-email" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
};
templates = {
"traefik.env" = {
content = ''
CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
'';
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
};
};
};
}

5
modules/nixos/services/unmanic/default.nix
View File

@@ -19,10 +19,7 @@ let
autoStart = true; autoStart = true;
image = "josh5/unmanic"; image = "josh5/unmanic";
devices = [ devices = [
"/dev/dri/renderD128:/dev/dri/renderD128" "/dev/dri:/dev/dri"
"/dev/dri/card0:/dev/dri/card0"
"/dev/dri/renderD129:/dev/dri/renderD129"
"/dev/dri/card1:/dev/dri/card1"
]; ];
volumes = [ volumes = [
"${cfg.configDir}/unmanic:/config" "${cfg.configDir}/unmanic:/config"

5
secrets/nas-secrets.yaml
View File

@@ -13,6 +13,7 @@ jallen-nas:
cloudflare-api-key: ENC[AES256_GCM,data:SWCsa1YzUpl5aQmeVBzKjfkZdAfduX8pl5RKd+EP6pgyMCCc6Q==,iv:ccIzA1OzGyRnq8gxXAg4B3HHtKcvXhXKMWVuTs/PHLI=,tag:R9KrYDrAluTAyuv7DfYVWQ==,type:str] cloudflare-api-key: ENC[AES256_GCM,data:SWCsa1YzUpl5aQmeVBzKjfkZdAfduX8pl5RKd+EP6pgyMCCc6Q==,iv:ccIzA1OzGyRnq8gxXAg4B3HHtKcvXhXKMWVuTs/PHLI=,tag:R9KrYDrAluTAyuv7DfYVWQ==,type:str]
cloudflare-email: ENC[AES256_GCM,data:WCe6JlTQnv2PXYcySZNbZ5Lv,iv:qc+o+GEqdRm3U5qBqvH23HOah3Sa63QzqZyDXWozcqo=,tag:v8YY3jCoVC8h12wHTFjkIg==,type:str] cloudflare-email: ENC[AES256_GCM,data:WCe6JlTQnv2PXYcySZNbZ5Lv,iv:qc+o+GEqdRm3U5qBqvH23HOah3Sa63QzqZyDXWozcqo=,tag:v8YY3jCoVC8h12wHTFjkIg==,type:str]
crowdsec-capi: ENC[AES256_GCM,data:9T3e6CzJZOT1KAXlpG323oPmk9xsoVVWI/WYnhdmzyymj61LgNJKvA==,iv:NywJk/tkmIGR5jIgxpvheRBCrK64QytXAkr+40nn62M=,tag:XFeafjL/84r0fLa8UpjyjQ==,type:str] crowdsec-capi: ENC[AES256_GCM,data:9T3e6CzJZOT1KAXlpG323oPmk9xsoVVWI/WYnhdmzyymj61LgNJKvA==,iv:NywJk/tkmIGR5jIgxpvheRBCrK64QytXAkr+40nn62M=,tag:XFeafjL/84r0fLa8UpjyjQ==,type:str]
crowdsec-firewall-bouncer-api-key: ENC[AES256_GCM,data:aGWazfVmD/j6PEK+UD7P0KQ+ArfL/lNx5EiHg/v6hUnLM3GASy2624/6eg==,iv:TIczLd7Tzxriz5ADOmrp6YYP/IU2cs5GMabfMhMTTl8=,tag:X9MB3nIg70OLM8S8a6eBuQ==,type:str]
collabora: ENC[AES256_GCM,data:tFbbm16DFMsxT0I1ogXTRwyTgkE=,iv:yzembXvJ9+DroplBUDiMPa/jn9pjpAI7f5oHSTaZedA=,tag:yprIBtaRIjaHW6nplLYYzQ==,type:str] collabora: ENC[AES256_GCM,data:tFbbm16DFMsxT0I1ogXTRwyTgkE=,iv:yzembXvJ9+DroplBUDiMPa/jn9pjpAI7f5oHSTaZedA=,tag:yprIBtaRIjaHW6nplLYYzQ==,type:str]
mariadb: mariadb:
root_pass: ENC[AES256_GCM,data:AmZ3lU/GM9lMAjchF4kvjkIZlYX0KZV7ov0dxtnDmg==,iv:9JQuHWcb3/lCR3gw4PFtzMKxk85GXzFV35NguJydUkk=,tag:MEvmiYhAYa1LUGTN9wm/3w==,type:str] root_pass: ENC[AES256_GCM,data:AmZ3lU/GM9lMAjchF4kvjkIZlYX0KZV7ov0dxtnDmg==,iv:9JQuHWcb3/lCR3gw4PFtzMKxk85GXzFV35NguJydUkk=,tag:MEvmiYhAYa1LUGTN9wm/3w==,type:str]
@@ -221,8 +222,8 @@ sops:
L0gwQm5takNjMkVGNzVlSStJYlUwWDAKP8QA3rRUHYbyyhPC/k0Eq2EIKfjyc7Co L0gwQm5takNjMkVGNzVlSStJYlUwWDAKP8QA3rRUHYbyyhPC/k0Eq2EIKfjyc7Co
7BkHH3msC6h9g42BB5iIYe6KQ+UGxMQBFvp+qSB27jaIfajN5MP0BA== 7BkHH3msC6h9g42BB5iIYe6KQ+UGxMQBFvp+qSB27jaIfajN5MP0BA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-09T16:07:02Z" lastmodified: "2026-02-12T04:19:13Z"
mac: ENC[AES256_GCM,data:wObXRnXCkE5yfBpwtkuFnzlGaF2BugipRxnx0Z/pTwc6PENKHrCFqnuOdb4EDnlYBGXTGSCUzksWS1kZVc8SF0tiimzlPAB9suS31386I3ex+IJNlouv6MFkvBpeI5OnMo7y/eJVK9GBmC5bxoNhySMAQBRCuDGs9uCaTHdYkRI=,iv:kAInXG7UMeIN/ZJwmwY2cd6V/n3fxOUodvCP0sADvcc=,tag:oFa8zO9WNOGLQZKC7vTN+A==,type:str] mac: ENC[AES256_GCM,data:t3sxHQSeVb1agLpIuC4Mm/6hIvlhA4d4WWJu8y3vm3rHafhZK9HKQYDJ48fB/oMNpszy0IcgSP7j9WQPPKKAcsDRj7fHu67Z9lFyv+C12leBm1kCKmp5e4fl8aykQRSxT2Sy5eo4yt+8PTUOd8Cet3tYO/riSgvWtL6iCEjO9ik=,iv:7uLvDk7suunzx2kVoK8JV/bAFeHnJDDF+vInhiw2K6I=,tag:Dnov7AhsMzLaJT9p9f99Sg==,type:str]
pgp: pgp:
- created_at: "2026-02-06T15:34:30Z" - created_at: "2026-02-06T15:34:30Z"
enc: |- enc: |-

8
systems/x86_64-linux/jallen-nas/apps.nix
View File

@@ -11,13 +11,13 @@ in
${namespace} = { ${namespace} = {
services = { services = {
actual = { actual = {
enable = true; enable = false;
port = 3333; port = 3333;
createUser = true; createUser = true;
reverseProxy = enabled; reverseProxy = enabled;
}; };
ai = { ai = {
enable = true; enable = false;
}; };
arrs = { arrs = {
enable = true; enable = true;
@@ -49,7 +49,7 @@ in
enable = true; enable = true;
port = 6066; port = 6066;
}; };
caddy = disabled; caddy = enabled;
calibre = { calibre = {
enable = false; enable = false;
port = 8084; port = 8084;
@@ -197,7 +197,7 @@ in
port = 8265; port = 8265;
serverPort = 8266; serverPort = 8266;
}; };
traefik = enabled; traefik = disabled;
unmanic = { unmanic = {
enable = true; enable = true;
port = 8265; port = 8265;

1
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -137,6 +137,7 @@ in
allowedTCPPorts = [ allowedTCPPorts = [
80 80
443 443
8080
8008 # restic 8008 # restic
9000 # authentik 9000 # authentik
2342 # grafana 2342 # grafana

4
systems/x86_64-linux/jallen-nas/sops.nix
View File

@@ -98,6 +98,10 @@ in
# crowdsec # crowdsec
# ------------------------------ # ------------------------------
# "jallen-nas/crowdsec-firewall-bouncer-api-key" = {
# restartUnits = [ "crowdsec-firewall-bouncer.service" ];
# };
# "jallen-nas/crowdsec-capi" = { # "jallen-nas/crowdsec-capi" = {
# sopsFile = defaultSops; # sopsFile = defaultSops;
# owner = "crowdsec"; # owner = "crowdsec";