cleanup

2025-04-24 15:11:05 -05:00
parent ebf15f5582
commit a11bd8c149
10 changed files with 9 additions and 191 deletions
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -1,34 +0,0 @@
 {
    // See https://go.microsoft.com/fwlink/?LinkId=733558
    // for the documentation about the tasks.json format
    "version": "2.0.0",
    "tasks": [
        {
            "label": "rebuild",
            "type": "shell",
            "command": "#!/usr/bin/env bash sudo nixos-rebuild boot",
            "problemMatcher": [],
            "group": {
                "kind": "build",
            }
        },
        {
            "label": "switch",
            "type": "shell",
            "command": "#!/usr/bin/env bash sudo nixos-rebuild switch",
            "problemMatcher": [],
            "group": {
                "kind": "build",
            }
        },
        {
            "label": "rebuild nas",
            "type": "shell",
            "command": "#!/usr/bin/env bash nixos-rebuild boot --use-remote-sudo --target-host admin@10.0.1.18 --build-host admin@10.0.1.18 --flake ~/nix-config#jallen-nas",
            "problemMatcher": [],
            "group": {
                "kind": "build",
            }
        }
    ]
 }
--- a/hosts/nas/apps.nix
+++ b/hosts/nas/apps.nix
@@ -8,37 +8,21 @@
    ./apps/jellyfin
    ./apps/jellyseerr
    ./apps/lubelogger
    ./apps/netbootxyz
    ./apps/nextcloud
    ./apps/ollama
    ./apps/paperless
    ./apps/paperless-ai
    ./apps/traefik
    ./apps/vert
    ./apps/wyoming
    ../../modules
    ./apps/netdata
  ];
  nas-apps = {
    free-games-claimer.enable = true;
    manyfold.enable = true;
    netbootxyz = {
      enable = true;
      port = "4000";
      port2 = "4080";
    };
    paperless-ai.enable = false;
    tdarr.enable = true;
    # spotify cancelled, data still in db
    your_spotify.enable = false;
    mongodb.enable = false;
  };
 }
--- a/hosts/nas/apps/gitea/default.nix
+++ b/hosts/nas/apps/gitea/default.nix
@@ -46,6 +46,7 @@ in
              PROTOCOL = "http";
              ROOT_URL = rootUrl;
              SSH_PORT = sshPort;
              # SSH_LISTEN_PORT = sshPort;
            };
            service = {
              REGISTER_EMAIL_CONFIRM = false;
@@ -96,9 +97,13 @@ in
        sourcePort = httpPort;
      }
      {
-        destination = "${localAddress}:${toString sshPort}";
+        destination = "${localAddress}:${toString 22}";
        sourcePort = sshPort;
      }
      # {
      #   destination = "${localAddress}:${toString 22}";
      #   sourcePort = 22;
      # }
    ];
  };
 }
--- a/hosts/nas/apps/netdata/default.nix
+++ b/hosts/nas/apps/netdata/default.nix
@@ -1,41 +0,0 @@
 { config, pkgs, ... }:
 {
  services.netdata = {
    enable = true;
    # package = pkgs.netdataCloud;
    package = pkgs.netdata.override {
      withCloudUi = true;
    };
    configDir."python.d.conf" = pkgs.writeText "python.d.conf" ''
      samba: yes
    '';
    # claimTokenFile = config.sops.secrets."jallen-nas/netdata-token".path;
    config = {
      # enable machine learning plugin
      ml = {
        "enabled" = "yes";
      };
      # enable samba plugin
      plugins = {
        "enable running new plugins" = "yes";
        "ioping.plugin" = "yes";
        "freeipmi.plugin" = "yes";
        "perf.plugin" = "yes";
      };
    };
  };
  # add samba and sudo to path of python plugin
  systemd.services.netdata.path = [  pkgs.samba "/run/wrappers" ];
  # permit to run sudo smbstatus -P
  security.sudo.extraConfig = ''
    netdata ALL=(root) NOPASSWD: ${pkgs.samba}/bin/smbstatus
  '';
  # as documented here : https://github.com/netdata/netdata/blob/master/system/netdata.service.in
  # review capabilityset above if other plugins are non functional
  systemd.services.netdata.serviceConfig.CapabilityBoundingSet = ["CAP_SETGID"];
 }
--- a/hosts/nas/apps/paperless-ai/default.nix
+++ b/hosts/nas/apps/paperless-ai/default.nix
@@ -1,32 +0,0 @@
 { lib, config, ... }:
 with lib;
 let
  cfg = config.nas-apps.paperless-ai;
 in
 {
  imports = [ ./options.nix ];
  config = mkIf cfg.enable {
    virtualisation.oci-containers.containers.${cfg.name} = {
      autoStart = true;
      image = cfg.image;
      extraOptions = [
        "--device=nvidia.com/gpu=0"
        "--network=bridge"
        "--add-host=host.docker.internal:host-gateway"
      ];
      volumes = [ "${cfg.configPath}:/app/data" ];
      ports = [ "${cfg.port}:3000" ];
      environment = {
        NVIDIA_VISIBLE_DEVICES = "all";
        NVIDIA_DRIVER_CAPABILITIES = "all";
        PAPERLESS_API_URL = "http://10.0.1.20:28981";
        PAPERLESS_API_TOKEN = "6f26e1a4632f23bc2da5b74c799ccbda18fa8022";
        PUID = cfg.puid;
        PGID = cfg.pgid;
        TZ = cfg.timeZone;
      };
    };
  };
 }
--- a/hosts/nas/apps/paperless-ai/options.nix
+++ b/hosts/nas/apps/paperless-ai/options.nix
@@ -1,47 +0,0 @@
 { lib, ... }:
 with lib;
 {
  options.nas-apps.paperless-ai = {
    enable = mkEnableOption "paperless-ai docker service";
    autoStart = mkOption {
      type = types.bool;
      default = true;
    };
    port = mkOption {
      type = types.str;
      default = "3023";
    };
    name = mkOption {
      type = types.str;
      default = "paperless-ai";
    };
    image = mkOption {
      type = types.str;
      default = "clusterzx/paperless-ai";
    };
    configPath = mkOption {
      type = types.str;
      default = "/media/nas/ssd/nix-app-data/paperless-ai";
    };
    puid = mkOption {
      type = types.str;
      default = "911";
    };
    pgid = mkOption {
      type = types.str;
      default = "1000";
    };
    timeZone = mkOption {
      type = types.str;
      default = "America/Chicago";
    };
  };
 }
--- a/hosts/nas/apps/vert/default.nix
+++ b/hosts/nas/apps/vert/default.nix
@@ -1,13 +0,0 @@
 { config, ... }:
 {
  virtualisation.oci-containers.containers.vert = {
    autoStart = true;
    image = "ghcr.io/vert-sh/vert";
    ports = [ "9876:80" ];
    environment = {
      PUID = toString config.users.users.nix-apps.uid;
      PGID = toString config.users.groups.jallen-nas.gid;
      TZ = "America/Chicago";
    };
  };
 }
--- a/hosts/nas/networking.nix
+++ b/hosts/nas/networking.nix
@@ -6,7 +6,6 @@ let
    9000 # authentik
    2342 # grafana
    51820 # wireguard
    19999 # netdata
    1025
    1143
    10200
@@ -16,6 +15,7 @@ let
    4000 # netbootxyz
    4080 # netbootxyz
    3000 # gitea
    2222 # gitea ssh
    3300
    9898
    6754 # lubelogger
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -101,9 +101,6 @@ in
      "jallen-nas/open-webui" = {
        restartUnits = [ "open-webui.service" ];
      };
      "jallen-nas/netdata-token" = {
        restartUnits = [ "netdata.service" ];
      };
      "jallen-nas/paperless/secret" = {
        restartUnits = [ "container@paperless.service" ];
      };
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -38,7 +38,6 @@ jallen-nas:
        secret: ENC[AES256_GCM,data:qrwi13OLSM1Oww4pttfblrjvsdPR,iv:IITw2M6YfoSP3nECeUPWlhr56n7u03ivp8+fx5MDd54=,tag:4thPUaa2ueO95LOB5SiL6w==,type:str]
        authentik-client-id: ENC[AES256_GCM,data:8kHTmnT4kbxrN7Kyet1eu1KB+jA7bBx1Zs64cn5VZm0VjdSfYOwxxA==,iv:iTgsd9XWnRCQoBxj0QVjbIrSjPoYdnXv4lmn3qfllUA=,tag:CDAWMAOQ6X2sbu8RD8oiBw==,type:str]
        authentik-client-secret: ENC[AES256_GCM,data:WROqpqGQrZ8+Xy6v4dxABfqWs4lPDnl/OdsD2xvw5nqZ8mD66IJMx5eoS9UJ1aIOAr0bvQCUyMtC+xzSMcEORCmMoxT7qfg2rV6KZgRzDtRGt1loYdHECXpz1hGAc87YwiD8fVrEsuTAmlK8N6tmmfie5o6QakcFeoTpZSlAUJ0=,iv:fQg5itx52OIZeqBSylSbwtR7FD/8kF0YiDZ0jguIKus=,tag:yIm8q0PJQVDt7F4IIljbdg==,type:str]
    netdata-token: ENC[AES256_GCM,data:kQiSTLxIztDoka5aa4/ymdp6Xyhc9VC2hwmr/afelGifjN7V7MgzhlMT6xfKoIQ+6RboH6kq50pS5A0AmY/ojog8QEP3k6zGjEsvlV3kNCGWvBU97L+7PH4okIApSYu+Hq996121rSOof+Pgk5mbG7Of5DZGeAJPXe9Dc9Z0cSLJrO6s6zCd,iv:0csCFa1XshbuGp0O3Kxs/NvQsJmadB091ZPSPAnuBL4=,tag:roTlcbeRwA/26G2GkhaaqA==,type:str]
    wireguard:
        private: ENC[AES256_GCM,data:/nOkn5nMrEEeKi1ySo9fAp+r1lQL02k0FZA99hUIKq7THvVWNaQ/Z6paoJU=,iv:iCTfGSdjJ0wMwv/34dv2ygKSm3qAJq6czOErMaFqHtg=,tag:EJZzBlVB5FSvveo5MWtC1g==,type:str]
        public: ENC[AES256_GCM,data:rOmyhwpolxNV2JroLdh90gYAuCGNZu/gY5NBxkHHNJ+qEblmDsom9alNHMQ=,iv:bF+XCO9lPHopLCEILTT4gA349d/Sa5qReSKN70EA3d4=,tag:Yx2TL/37n5Uohlwnlx97vg==,type:str]
@@ -150,7 +149,7 @@ sops:
            TWRvYVZ5eklJQU81SzBVZ1BBbENuTkEKwMTa1cAH3sNm2npVhQ/dDl5M7Q8T3vOx
            9slEt5EVUgqaJVhVr9AM9aAhghWJa5i5+Eh628C6p53XFxrO+6zUYA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-24T19:31:51Z"
+    lastmodified: "2025-04-24T20:09:26Z"
-    mac: ENC[AES256_GCM,data:uUlq9fHcjs1UsPBYSnpRq2OOH3AH24bq7QnIjaS1HsIoqxqJiUD6vmljQYUHUQoFV7w8yq8tD6z2yhzfrTUiZ18EOcW5GUC+k1eYXaJhUSPPm94TnkjWs7b5B9ldk2LM9CISWSo2hwBLJAhuI1Cw7Pr1TwMePqf5AhQYeZQiIFg=,iv:vTDGkvL/cJ4gMY4Cz3P/xLwhx3+C1lPUesX1KzXIXnc=,tag:sJE3+O3Et9JH0E3Zkoyc4w==,type:str]
+    mac: ENC[AES256_GCM,data:IpZwdqqGM9I7To1N/J/PTq/d7fXtmpYN5cK3l4SIjDlAtR2zlTEWxKYDWZauDATNSLEuZ8ssuohzfwaa+hVxkQLjqvKhvdlSlODVL5wdVZGP17E0uJPPQn6hoYmivslZ//91+/zD1TgcTPzEdm7F0q/NrvJVg4zgnWjOKrMhJVY=,iv:q52RCURJSZ+J4ZrebboM6YihuZrBSMIqomgI3aRRmBc=,tag:7ETvaLMs3JqcdNQvil1bqg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.1