diff --git a/.vscode/tasks.json b/.vscode/tasks.json index 2631528..6c551a1 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -6,11 +6,28 @@ { "label": "rebuild", "type": "shell", + "command": "#!/usr/bin/env bash sudo nixos-rebuild boot", + "problemMatcher": [], + "group": { + "kind": "build", + } + }, + { + "label": "switch", + "type": "shell", "command": "#!/usr/bin/env bash sudo nixos-rebuild switch", "problemMatcher": [], "group": { "kind": "build", - "isDefault": true + } + }, + { + "label": "rebuild nas", + "type": "shell", + "command": "#!/usr/bin/env bash nixos-rebuild boot --use-remote-sudo --target-host admin@10.0.1.18 --build-host admin@10.0.1.18 --flake ~/nix-config#jallen-nas", + "problemMatcher": [], + "group": { + "kind": "build", } } ] diff --git a/flake.lock b/flake.lock index 947f516..2cc5f76 100644 --- a/flake.lock +++ b/flake.lock @@ -14,16 +14,15 @@ "systems": "systems" }, "locked": { - "lastModified": 1734115107, - "narHash": "sha256-0Rz8OZNMH1/a06Mw6TprwSw93PH6y3WyFTWJ2UJERvw=", - "owner": "fpletz", + "lastModified": 1736445563, + "narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=", + "owner": "nix-community", "repo": "authentik-nix", - "rev": "f6742fc5dd624ad3bfae2cf6daef24ce49e1432b", + "rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c", "type": "github" }, "original": { - "owner": "fpletz", - "ref": "24.11", + "owner": "nix-community", "repo": "authentik-nix", "type": "github" } 
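Review bot: The new `rebuild` and `rebuild nas` commands copy the `#!/usr/bin/env bash` prefix from the existing `switch` task, but on a single-line shell task that is not a shebang — if VS Code hands the string to `bash -c`, the leading `#` turns the whole line into a comment and `nixos-rebuild` never executes. A shebang only has effect as the first line of a script file, so the added lines should read `"command": "sudo nixos-rebuild boot"` and, for the NAS task, `"command": "nixos-rebuild boot --use-remote-sudo --target-host admin@10.0.1.18 --build-host admin@10.0.1.18 --flake ~/nix-config#jallen-nas"` (worth fixing the pre-existing `switch` line at the same time). The trailing comma in each added `"group": { "kind": "build", }` relies on VS Code's JSONC tolerance, and removing `"isDefault": true` without assigning it elsewhere leaves the workspace with no default build task, which looks unintended.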
@@ -31,16 +30,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1733849292, - "narHash": "sha256-gJYgrRxytoGHkjeEsiKY/tl06D8XOnZZ9SDpK1WSyUw=", + "lastModified": 1736440980, + "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", "owner": "goauthentik", "repo": "authentik", - "rev": "0edd7531a152910e6bdd4f7d3d0cde3ed5fdd956", + "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2024.10.5", + "ref": "version/2024.12.2", "repo": "authentik", "type": "github" } @@ -238,11 +237,11 @@ ] }, "locked": { - "lastModified": 1736785676, - "narHash": "sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m+Yq++C9AyE=", + "lastModified": 1737478403, + "narHash": "sha256-e6PJI4Bd+QdpukHyd5F/fQY8fRUiNfCwvCRU8WXMSk8=", "owner": "nix-community", "repo": "home-manager", - "rev": "fc52a210b60f2f52c74eac41a8647c1573d2071d", + "rev": "96dee79b178d295b716052feca3ee46abc085abe", "type": "github" }, "original": { @@ -364,11 +363,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1736631212, - "narHash": "sha256-mG9lRZBcPiAGiVJ9B97BJoIGQcSBWIVlBiN30QYCtG0=", + "lastModified": 1737423230, + "narHash": "sha256-WEOiNmkcmlaeXy2HGW1PYxYmCPiHdsI7a7SpjhBYxRg=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "6ace2f2d12bdf74235d5cbf9fbd34a71c9716685", + "rev": "46d0fa4ded0a7532f19870f9bbedaf62269fe3f7", "type": "github" }, "original": { @@ -406,11 +405,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1735172763, - "narHash": "sha256-a6n8RsiAolz6p24Fsr/gTndx9xr9USpKqKK6kzBeXQc=", + "lastModified": 1737392146, + "narHash": "sha256-fqDBMzFFZLYxNxnvM/9AABAsRgfgsLoDhdQXUvU0OnM=", "owner": "tpwrules", "repo": "nixos-apple-silicon", - "rev": "3daf0637409689d7a1304cedc50d20542bc47905", + "rev": "8adcb4b702511620bcaa4127f8f8af1ce7622d38", "type": "github" }, "original": { 
@@ -421,11 +420,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1736441705, - "narHash": "sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb+mxySIP93o=", + "lastModified": 1737359802, + "narHash": "sha256-utplyRM6pqnN940gfaLFBb9oUCSzkan86IvmkhsVlN8=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "8870dcaff63dfc6647fb10648b827e9d40b0a337", + "rev": "61c79181e77ef774ab0468b28a24bc2647d498d6", "type": "github" }, "original": { @@ -481,11 +480,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1736684107, - "narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=", + "lastModified": 1737299813, + "narHash": "sha256-Qw2PwmkXDK8sPQ5YQ/y/icbQ+TYgbxfjhgnkNJyT1X8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "635e887b48521e912a516625eee7df6cf0eba9c1", + "rev": "107d5ef05c0b1119749e381451389eded30fb0d5", "type": "github" }, "original": { @@ -497,11 +496,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1736701207, - "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=", + "lastModified": 1737062831, + "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6", + "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", "type": "github" }, "original": { 
@@ -513,25 +512,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1718149104, - "narHash": "sha256-Ds1QpobBX2yoUDx9ZruqVGJ/uQPgcXoYuobBguyKEh8=", + "lastModified": 1736241350, + "narHash": "sha256-CHd7yhaDigUuJyDeX0SADbTM9FXfiWaeNyY34FL1wQU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e913ae340076bbb73d9f4d3d065c2bca7caafb16", + "rev": "8c9fd3e564728e90829ee7dbac6edc972971cd0f", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs_3": { "locked": { - "lastModified": 1734649271, - "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=", + "lastModified": 1737062831, + "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507", + "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", "type": "github" }, "original": { @@ -559,11 +560,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1730284601, - "narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=", + "lastModified": 1735164664, + "narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e", + "rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e", "type": "github" }, "original": { @@ -663,11 +664,11 @@ ] }, "locked": { - "lastModified": 1736777442, - "narHash": "sha256-eON7amRmBl59QH6K9uypewkKveaNbosY6CtUgRcv7YU=", + "lastModified": 1737411508, + "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "0f4744b5a95151a85c4f35010dd2d748228f7f53", + "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b7436d5..922b9d5 100644 --- a/flake.nix +++ b/flake.nix 
@@ -7,14 +7,13 @@ # nixpkgs-unstable-small # nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; - + # nixpgs nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11"; # Authentik authentik-nix = { - # url = "github:nix-community/authentik-nix"; - url = "github:fpletz/authentik-nix/24.11"; # for some reason this is broken in stable and unstable + url = "github:nix-community/authentik-nix"; inputs.nixpkgs.follows = "nixpkgs-stable"; }; diff --git a/hosts/desktop/home.nix b/hosts/desktop/home.nix index d5ad4b0..1e023ba 100644 --- a/hosts/desktop/home.nix +++ b/hosts/desktop/home.nix @@ -90,7 +90,7 @@ in morph nextcloud-client nixfmt-rfc-style - stable.orca-slicer + orca-slicer papirus-icon-theme piper pop-gtk-theme diff --git a/hosts/nas/apps/arrs/default.nix b/hosts/nas/apps/arrs/default.nix index 3a41231..729c661 100644 --- a/hosts/nas/apps/arrs/default.nix +++ b/hosts/nas/apps/arrs/default.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let radarrPort = 7878; @@ -14,7 +19,8 @@ let mediaDir = "/media"; arrUserId = config.users.users.nix-apps.uid; arrGroupId = config.users.groups.jallen-nas.gid; - # sonarrPkg = pkgs.stable.sonarr; + sonarrPkg = pkgs.stable.sonarr; + jackettPkg = pkgs.unstable.jackett; in { nixpkgs.config.permittedInsecurePackages = [ 
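Review bot: The `authentik-nix` input is now written without a `ref`, so it tracks that repository's default branch and any future `nix flake update` can move it to whatever commit is current, whereas the line it replaces pinned `24.11`; the lock file still fixes a revision, but the intended version is no longer stated in `flake.nix`. If a release branch or tag exists upstream, record it, e.g. `url = "github:nix-community/authentik-nix/<release-ref>";` with `<release-ref>` filled in. The deleted comment was the only record of why the fork was used; a one-line note on why upstream is usable again would save the next reader from repeating that investigation.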
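Review bot: `sonarrPkg = pkgs.stable.sonarr;` is uncommented in the `let` block, but its only use — `# package = sonarrPkg;` inside `services.sonarr` in the following hunk — stays commented out, so the binding is dead and Sonarr still comes from the default package set. Either drop the binding again or enable `package = sonarrPkg;`, which now resolves because `outputs.overlays.nixpkgs-stable` is registered in `hosts/nas/configuration.nix` in this same commit. `jackettPkg` is wired through correctly, so only the Sonarr half of the change is incomplete; presumably the `permittedInsecurePackages` entries for `aspnetcore-runtime-6.0.36`/`dotnet-sdk-6.0.428` exist for this package set, which is worth re-checking once the package choice is settled.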
@@ -29,115 +35,129 @@ in privateNetwork = true; hostAddress = "10.0.1.18"; localAddress = "10.0.1.51"; - - config = { config, pkgs, lib, ... }: { - nixpkgs.config.allowUnfree = true; - nixpkgs.config.permittedInsecurePackages = [ - "aspnetcore-runtime-6.0.36" - "aspnetcore-runtime-wrapped-6.0.36" - "dotnet-sdk-6.0.428" - "dotnet-sdk-wrapped-6.0.428" - ]; - - # Enable radarr service - services.radarr = { - enable = true; - openFirewall = true; - user = "arrs"; - group = "media"; - dataDir = radarrDataDir; - }; - # Enable Sonarr service - services.sonarr = { - enable = true; - openFirewall = true; - user = "arrs"; - group = "media"; - dataDir = sonarrDataDir; - # package = sonarrPkg; - }; + config = + { + config, + pkgs, + lib, + ... + }: + { + nixpkgs.config.allowUnfree = true; + nixpkgs.config.permittedInsecurePackages = [ + "aspnetcore-runtime-6.0.36" + "aspnetcore-runtime-wrapped-6.0.36" + "dotnet-sdk-6.0.428" + "dotnet-sdk-wrapped-6.0.428" + ]; - # Enable Sabnzbd service - services.sabnzbd = { - enable = true; - openFirewall = true; - user = "arrs"; - group = "media"; - configFile = "${sabnzbdConfig}/sabnzbd.ini"; - }; - - services.deluge = { - enable = true; - user = "arrs"; - group = "media"; - openFirewall = true; - dataDir = "/media"; - web = { + # Enable radarr service + services.radarr = { enable = true; - port = 8112; openFirewall = true; + user = "arrs"; + group = "media"; + dataDir = radarrDataDir; }; - }; - services.jackett = { - enable = true; - user = "arrs"; - group = "media"; - openFirewall = true; - }; + # Enable Sonarr service + services.sonarr = { + enable = true; + openFirewall = true; + user = "arrs"; + group = "media"; + dataDir = sonarrDataDir; + # package = sonarrPkg; + }; - # Create required users and groups - users.users.arrs = { - isSystemUser = true; - uid = lib.mkForce arrUserId; - group = "media"; - extraGroups = [ "downloads" ]; - }; + # Enable Sabnzbd service + services.sabnzbd = { + enable = true; + openFirewall = true; + user = 
"arrs"; + group = "media"; + configFile = "${sabnzbdConfig}/sabnzbd.ini"; + }; - users.groups = { - media = { gid = lib.mkForce arrGroupId; }; - downloads = {}; - }; + services.deluge = { + enable = true; + user = "arrs"; + group = "media"; + openFirewall = true; + dataDir = "/media"; + web = { + enable = true; + port = 8112; + openFirewall = true; + }; + }; - # System packages - environment.systemPackages = with pkgs; [ - glib - sqlite - mono - mediainfo - protonvpn-cli_2 - ]; + services.jackett = { + enable = true; + user = "arrs"; + group = "media"; + openFirewall = true; + package = jackettPkg; + }; - # Create and set permissions for required directories - system.activationScripts.radarr-dirs = '' - mkdir -p ${radarrDataDir} - mkdir -p ${sonarrDataDir} - mkdir -p ${sabnzbdConfig} - mkdir -p ${downloadDir} - mkdir -p ${incompleteDir} - mkdir -p ${mediaDir} + # Create required users and groups + users.users.arrs = { + isSystemUser = true; + uid = lib.mkForce arrUserId; + group = "media"; + extraGroups = [ "downloads" ]; + }; - chown -R arrs:media ${radarrDataDir} - chown -R arrs:media ${sonarrDataDir} - chown -R arrs:media ${sabnzbdConfig} - chown -R arrs:media ${downloadDir} - chown -R arrs:media ${incompleteDir} - chown -R arrs:media ${mediaDir} - - chmod -R 775 ${radarrDataDir} - chmod -R 775 ${sonarrDataDir} - chmod -R 775 ${sabnzbdConfig} - chmod -R 775 ${downloadDir} - chmod -R 775 ${incompleteDir} - chmod -R 775 ${mediaDir} - - ''; + users.groups = { + media = { + gid = lib.mkForce arrGroupId; + }; + downloads = { }; + }; + + # System packages + environment.systemPackages = with pkgs; [ + glib + sqlite + mono + mediainfo + protonvpn-cli_2 + ]; + + # Create and set permissions for required directories + system.activationScripts.radarr-dirs = '' + mkdir -p ${radarrDataDir} + mkdir -p ${sonarrDataDir} + mkdir -p ${sabnzbdConfig} + mkdir -p ${downloadDir} + mkdir -p ${incompleteDir} + mkdir -p ${mediaDir} + + chown -R arrs:media ${radarrDataDir} + chown -R 
arrs:media ${sonarrDataDir} + chown -R arrs:media ${sabnzbdConfig} + chown -R arrs:media ${downloadDir} + chown -R arrs:media ${incompleteDir} + chown -R arrs:media ${mediaDir} + + chmod -R 775 ${radarrDataDir} + chmod -R 775 ${sonarrDataDir} + chmod -R 775 ${sabnzbdConfig} + chmod -R 775 ${downloadDir} + chmod -R 775 ${incompleteDir} + chmod -R 775 ${mediaDir} + + ''; networking = { firewall = { enable = true; - allowedTCPPorts = [ radarrPort sonarrPort sabnzbdPort ]; + allowedTCPPorts = [ + radarrPort + sonarrPort + sabnzbdPort + ]; }; # Use systemd-resolved inside the container # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 @@ -213,4 +233,4 @@ in } ]; }; -} \ No newline at end of file +} diff --git a/hosts/nas/apps/collabora/default.nix b/hosts/nas/apps/collabora/default.nix index 83793b8..35f87df 100644 --- a/hosts/nas/apps/collabora/default.nix +++ b/hosts/nas/apps/collabora/default.nix @@ -4,4 +4,4 @@ enable = true; port = 9980; }; -} \ No newline at end of file +} diff --git a/hosts/nas/apps/jellyfin/default.nix b/hosts/nas/apps/jellyfin/default.nix index d0ca07f..90999ec 100644 --- a/hosts/nas/apps/jellyfin/default.nix +++ b/hosts/nas/apps/jellyfin/default.nix 
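Review bot: The reindented `system.activationScripts.radarr-dirs` still runs `chown -R arrs:media ${mediaDir}` and `chmod -R 775 ${mediaDir}` (with `mediaDir = "/media"` from the `let` block) plus the same recursive pass over `${downloadDir}` and `${incompleteDir}` on every activation, as root, inside the container. That walks the whole media tree on each `nixos-rebuild` and flattens any deliberate per-file permissions to group-writable; `mkdir -p` followed by a non-recursive `chown`/`chmod` on the top-level directories, or `systemd.tmpfiles.rules` entries such as `d ${mediaDir} 0775 arrs media -`, gives the same starting state without the recursive pass. Only the `-R` on the data directories under the apps' own control (`${radarrDataDir}`, `${sonarrDataDir}`, `${sabnzbdConfig}`) looks justified. The enclosing container definition and its bind mounts continue outside the hunk.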
@@ -1,161 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: - -# let -# jellyfinPort = 8096; -# jellyfinUserId = config.users.users.nix-apps.uid; -# jellyfinGroupId = config.users.groups.jallen-nas.gid; -# package = pkgs.jellyfin; -# in { -# containers.jellyfin = { -# autoStart = true; -# privateNetwork = true; -# hostAddress = "10.0.1.18"; -# localAddress = "10.0.2.25"; - -# config = { config, pkgs, lib, ... }: { -# # Enable jellyfin service -# nixpkgs.config.allowUnfree = true; -# hardware = { -# # Nvidia -# nvidia = { -# package = config.boot.kernelPackages.nvidiaPackages.latest; -# # Modesetting is required. -# modesetting.enable = true; -# # Nvidia power management. Experimental, and can cause sleep/suspend to fail. -# powerManagement.enable = true; -# # Fine-grained power management. Turns off GPU when not in use. -# # Experimental and only works on modern Nvidia GPUs (Turing or newer). -# powerManagement.finegrained = false; -# # Use the NVidia open source kernel module (not to be confused with the -# # independent third-party "nouveau" open source driver). -# # Support is limited to the Turing and later architectures. Full list of -# # supported GPUs is at: -# # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus -# # Only available from driver 515.43.04+ -# # Currently alpha-quality/buggy, so false is currently the recommended setting. -# open = true; - -# # Enable the Nvidia settings menu, -# # accessible via `nvidia-settings`. 
-# nvidiaSettings = true; -# }; - -# # Enable graphics -# graphics = { -# enable = true; -# enable32Bit = true; -# }; -# }; - -# # Services configs -# services.xserver = { -# # Load nvidia driver for Xorg and Wayland -# videoDrivers = [ "nvidia" ]; -# }; - -# services.jellyfin = { -# enable = true; -# openFirewall = true; -# user = "jellyfin"; -# group = "media"; -# dataDir = "/data"; -# configDir = "/config"; -# # cacheDir = "/cache"; -# }; - -# # Create required users and groups -# users.users.jellyfin = { -# isSystemUser = true; -# uid = lib.mkForce jellyfinUserId; -# group = "media"; -# extraGroups = [ "downloads" ]; -# }; - -# users.groups = { -# media = { gid = lib.mkForce jellyfinGroupId; }; -# downloads = { }; -# }; - -# networking = { -# firewall = { -# enable = true; -# allowedTCPPorts = [ jellyfinPort ]; -# }; -# # Use systemd-resolved inside the container -# # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 -# useHostResolvConf = lib.mkForce false; -# }; - -# # System packages -# environment.systemPackages = with pkgs; [ -# sqlite -# mono -# mediainfo -# # ffmpeg -# # nvidiaPackages.gpu -# # nvidiaPackages.nvidia-settings -# # nvidiaPackages.nvidia-x11 -# ]; - -# services.resolved.enable = true; -# system.stateVersion = "23.11"; -# }; - -# # Bind mount directories from host -# bindMounts = { -# "/data" = { -# hostPath = "/media/nas/ssd/nix-app-data/jellyfin"; -# isReadOnly = false; -# }; -# "/tv" = { -# hostPath = "/media/nas/main/tv"; -# isReadOnly = false; -# }; -# "/movies" = { -# hostPath = "/media/nas/main/movies"; -# isReadOnly = false; -# }; -# "/dev/nvidia0" = { hostPath = "/dev/nvidia0"; }; # GPU device -# "/dev/nvidiactl" = { hostPath = "/dev/nvidiactl"; }; # NVIDIA control -# "/dev/nvidia-modeset" = { hostPath = "/dev/nvidia-modeset"; }; # modesetting -# }; - -# # allowedDevices = [ -# # { -# # modifier = "rw"; -# # node = "/dev/nvidia0"; -# # } -# # { -# # modifier = "rw"; -# # node = "/dev/nvidiactl"; -# # } -# # { -# # 
modifier = "rw"; -# # node = "/dev/nvidia-modeset"; -# # } -# # { -# # modifier = "rw"; -# # node = "/dev/nvidia-uvm"; -# # } -# # { -# # modifier = "rw"; -# # node = "/dev/nvidia-uvm-tools"; -# # } -# # ]; -# }; - -# networking.nat = { -# forwardPorts = [{ -# destination = "10.0.2.25:8096"; -# sourcePort = jellyfinPort; -# }]; -# }; -# } +{ ... }: { services.jellyfin = { enable = true; diff --git a/hosts/nas/apps/nextcloud/default.nix b/hosts/nas/apps/nextcloud/default.nix index c127865..e07b850 100644 --- a/hosts/nas/apps/nextcloud/default.nix +++ b/hosts/nas/apps/nextcloud/default.nix 
@@ -39,134 +39,139 @@ in }; config = - { pkgs, lib, ... }: - { - nixpkgs.config.allowUnfree = true; + { pkgs, lib, ... }: + { + nixpkgs.config.allowUnfree = true; - services = { - nextcloud = { - enable = true; - package = pkgs.nextcloud30; - # datadir = "/data"; - database.createLocally = true; - hostName = "cloud.mjallen.dev"; - appstoreEnable = true; - caching.redis = true; - configureRedis = true; - enableImagemagick = true; - https = true; - - config = { - adminuser = "mjallen"; - adminpassFile = adminpass; - dbhost = "localhost"; - dbtype = "sqlite"; - dbname = "nextcloud"; - dbuser = "nextcloud"; - }; - settings = { - allow_local_remote_servers = true; - upgrade.disable-web = false; - datadirectory = "/data"; - trusted_domains = [ - "10.0.1.18:9988" - "10.0.1.18:9943" - "10.0.2.18:80" - "10.0.2.18:443" - "cloud.mjallen.dev" - ]; - trusted_proxies = [ "10.0.1.18" ]; - maintenance_window_start = 6; - default_phone_region = "US"; - mail_from_address = "matt.l.jallen"; - mail_smtpmode = "smtp"; - mail_sendmailmode = "smtp"; - mail_domain = "gmail.com"; - mail_smtpauth = 1; - mail_smtpname = "matt.l.jallen"; - mail_smtppassword = "egzo mltu kkoc hrfe "; # TODO: smtppassword; - mail_smtpsecure = "ssl"; - mail_smtphost = "smtp.gmail.com"; - mail_smtpport = 465; - enable_previews = true; - enabledPreviewProviders = [ - "OC\\\\Preview\\\\PNG" - "OC\\\\Preview\\\\JPEG" - "OC\\\\Preview\\\\GIF" - "OC\\\\Preview\\\\BMP" - "OC\\\\Preview\\\\XBitmap" - "OC\\\\Preview\\\\MP3" - "OC\\\\Preview\\\\TXT" - "OC\\\\Preview\\\\MarkDown" - "OC\\\\Preview\\\\OpenDocument" - "OC\\\\Preview\\\\Krita" - "OC\\\\Preview\\\\HEIC" - ]; - installed = true; - user_oidc = { - auto_provision = false; - soft_auto_provision = false; + services = { + nextcloud = { + enable = true; + package = pkgs.nextcloud30; + # datadir = "/data"; + database.createLocally = true; + hostName = "cloud.mjallen.dev"; + appstoreEnable = true; + caching.redis = true; + configureRedis = true; + enableImagemagick = 
true; + https = true; + + config = { + adminuser = "mjallen"; + adminpassFile = adminpass; + dbhost = "localhost"; + dbtype = "sqlite"; + dbname = "nextcloud"; + dbuser = "nextcloud"; + }; + settings = { + allow_local_remote_servers = true; + upgrade.disable-web = false; + datadirectory = "/data"; + trusted_domains = [ + "10.0.1.18:9988" + "10.0.1.18:9943" + "10.0.2.18:80" + "10.0.2.18:443" + "cloud.mjallen.dev" + ]; + trusted_proxies = [ "10.0.1.18" ]; + maintenance_window_start = 6; + default_phone_region = "US"; + mail_from_address = "matt.l.jallen"; + mail_smtpmode = "smtp"; + mail_sendmailmode = "smtp"; + mail_domain = "gmail.com"; + mail_smtpauth = 1; + mail_smtpname = "matt.l.jallen"; + mail_smtppassword = "egzo mltu kkoc hrfe "; # TODO: smtppassword; + mail_smtpsecure = "ssl"; + mail_smtphost = "smtp.gmail.com"; + mail_smtpport = 465; + enable_previews = true; + enabledPreviewProviders = [ + "OC\\\\Preview\\\\PNG" + "OC\\\\Preview\\\\JPEG" + "OC\\\\Preview\\\\GIF" + "OC\\\\Preview\\\\BMP" + "OC\\\\Preview\\\\XBitmap" + "OC\\\\Preview\\\\MP3" + "OC\\\\Preview\\\\TXT" + "OC\\\\Preview\\\\MarkDown" + "OC\\\\Preview\\\\OpenDocument" + "OC\\\\Preview\\\\Krita" + "OC\\\\Preview\\\\HEIC" + ]; + installed = true; + user_oidc = { + auto_provision = false; + soft_auto_provision = false; + }; }; }; + + onlyoffice = { + enable = true; + port = 8000; + hostname = "office.mjallen.dev"; + }; }; - onlyoffice = { - enable = true; - port = 8000; - hostname = "office.mjallen.dev"; + # System packages + environment.systemPackages = with pkgs; [ + nextcloud30 + onlyoffice-documentserver + sqlite + ]; + + # Create required users and groups + users.users.nextcloud = { + isSystemUser = true; + uid = lib.mkForce nextcloudUserId; + group = "nextcloud"; }; - }; - # System packages - environment.systemPackages = with pkgs; [ - nextcloud30 - onlyoffice-documentserver - sqlite - ]; - - # Create required users and groups - users.users.nextcloud = { - isSystemUser = true; - uid = 
lib.mkForce nextcloudUserId; - group = "nextcloud"; - }; - - users.users.onlyoffice = { - group = lib.mkForce "nextcloud"; - }; - - users.groups = { - nextcloud = { gid = lib.mkForce nextcloudGroupId; }; - downloads = {}; - }; - - # Create and set permissions for required directories - system.activationScripts.nextcloud-dirs = '' - mkdir -p /data - - chown -R nextcloud:nextcloud /data - - chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud - - chmod -R 775 /data - - chmod -R 750 /run/secrets/jallen-nas/nextcloud - - ''; - - system.stateVersion = "23.11"; - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; + users.users.onlyoffice = { + group = lib.mkForce "nextcloud"; }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - services.resolved.enable = true; - }; + users.groups = { + nextcloud = { + gid = lib.mkForce nextcloudGroupId; + }; + downloads = { }; + }; + + # Create and set permissions for required directories + system.activationScripts.nextcloud-dirs = '' + mkdir -p /data + + chown -R nextcloud:nextcloud /data + + chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud + + chmod -R 775 /data + + chmod -R 750 /run/secrets/jallen-nas/nextcloud + + ''; + + system.stateVersion = "23.11"; + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ + 80 + 443 + ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + services.resolved.enable = true; + + }; }; networking.nat = { diff --git a/hosts/nas/apps/ollama/default.nix b/hosts/nas/apps/ollama/default.nix index a52cadf..d8a4872 100644 --- a/hosts/nas/apps/ollama/default.nix +++ b/hosts/nas/apps/ollama/default.nix @@ -30,4 +30,4 @@ LOCAL_FILES_ONLY = "False"; }; }; -} \ No newline at end of file +} 
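Review bot: `mail_smtppassword = "…"; # TODO: smtppassword;` lands on the new side with a live SMTP credential as a string literal; everything in `services.nextcloud.settings` is rendered into a file in the Nix store, which is world-readable on the host and inside the container, and the value is now also in git history. The file already handles the admin password correctly with `adminpassFile = adminpass;`, so the same sops-backed approach should be used here — the NixOS Nextcloud module's `secretFile` option takes a JSON file of settings that is merged at runtime without entering the store. Because the credential has been committed, it should be rotated regardless of how the configuration is fixed. The enclosing `containers` definition starts before the hunk and `networking.nat` follows it.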
diff --git a/hosts/nas/apps/paperless-ai/default.nix b/hosts/nas/apps/paperless-ai/default.nix index 8cc69e2..eb5dabb 100644 --- a/hosts/nas/apps/paperless-ai/default.nix +++ b/hosts/nas/apps/paperless-ai/default.nix @@ -11,7 +11,11 @@ in virtualisation.oci-containers.containers.${cfg.name} = { autoStart = true; image = cfg.image; - extraOptions = [ "--device=nvidia.com/gpu=0" "--network=bridge" "--add-host=host.docker.internal:host-gateway" ]; + extraOptions = [ + "--device=nvidia.com/gpu=0" + "--network=bridge" + "--add-host=host.docker.internal:host-gateway" + ]; volumes = [ "${cfg.configPath}:/app/data" ]; ports = [ "${cfg.port}:3000" ]; environment = { diff --git a/hosts/nas/apps/paperless/default.nix b/hosts/nas/apps/paperless/default.nix index 53520f5..068b554 100644 --- a/hosts/nas/apps/paperless/default.nix +++ b/hosts/nas/apps/paperless/default.nix @@ -4,12 +4,12 @@ lib, ... }: - let paperlessPort = 28981; paperlessUserId = config.users.users.nix-apps.uid; paperlessGroupId = config.users.groups.jallen-nas.gid; passwordFile = config.sops.secrets."jallen-nas/admin_password".path; + paperlessPkg = pkgs.stable.paperless-ngx; in { containers.paperless = { @@ -31,6 +31,7 @@ in # Enable paperless service services.paperless = { enable = true; + package = paperlessPkg; port = paperlessPort; user = "paperless"; address = "0.0.0.0"; 
@@ -40,7 +41,7 @@ in PAPERLESS_SECRET = "Luciferthecat03092024"; PAPERLESS_ENABLE_ALLAUTH = true; PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; - PAPERLESS_SOCIALACCOUNT_PROVIDERS=''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"OZhMnBUxwJvpjkUhs4ISgA0iAWA7etgTXaohLCED","secret":"UrwdWObeyoEI1AogXcjV8SwYsJ585Wkh5YxDH5wFPXZxp8IVV9QNsn32PIAv6h9BdjaiiMrOFayaW3uXyZYg71olG5OQ1qGaD6WYn0EijYBwxoEuvp7LIdMJ4lImhVR1","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}''; + PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"OZhMnBUxwJvpjkUhs4ISgA0iAWA7etgTXaohLCED","secret":"UrwdWObeyoEI1AogXcjV8SwYsJ585Wkh5YxDH5wFPXZxp8IVV9QNsn32PIAv6h9BdjaiiMrOFayaW3uXyZYg71olG5OQ1qGaD6WYn0EijYBwxoEuvp7LIdMJ4lImhVR1","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}''; }; }; diff --git a/hosts/nas/apps/traefik/default.nix b/hosts/nas/apps/traefik/default.nix index 57d1b77..0bb785c 100644 --- a/hosts/nas/apps/traefik/default.nix +++ b/hosts/nas/apps/traefik/default.nix 
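Review bot: The reformatted `PAPERLESS_SOCIALACCOUNT_PROVIDERS` line keeps the authentik OIDC `client_id` and `secret` inline as a string literal, and the context line `PAPERLESS_SECRET = "…"` does the same; `services.paperless.settings` is materialised into the service environment via the Nix store, readable by every local user, and both values are now in git history. The file already reads the admin password from `config.sops.secrets."jallen-nas/admin_password".path` via `passwordFile`, so the OIDC secret and `PAPERLESS_SECRET` belong in a sops-managed environment file supplied to the paperless systemd units through `EnvironmentFile` rather than in `settings`. Both credentials should be rotated now that they have been committed. The enclosing `services.paperless` block begins before this hunk.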
@@ -2,36 +2,36 @@ let domain = "mjallen.dev"; - authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io"; - authentikUrl = "http://10.0.1.18:9000"; - collaboraUrl = "http://10.0.1.18:9980"; - cloudUrl = "http://10.0.2.18:80"; - jellyfinUrl = "http://10.0.1.18:8096"; + authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io"; + authentikUrl = "http://10.0.1.18:9000"; + collaboraUrl = "http://10.0.1.18:9980"; + cloudUrl = "http://10.0.2.18:80"; + jellyfinUrl = "http://10.0.1.18:8096"; jellyseerrUrl = "http://10.0.1.52:5055"; - hassUrl = "http://10.0.1.183:8123"; - openWebUIUrl = "http://10.0.1.18:8888"; - paperlessUrl = "http://10.0.1.20:28981"; + hassUrl = "http://10.0.1.183:8123"; + openWebUIUrl = "http://10.0.1.18:8888"; + paperlessUrl = "http://10.0.1.20:28981"; in { networking.firewall = { - allowedTCPPorts = [ - 80 - 443 - 8080 - ]; - allowedUDPPorts = [ - 80 - 443 - 8080 - ]; - }; - + allowedTCPPorts = [ + 80 + 443 + 8080 + ]; + allowedUDPPorts = [ + 80 + 443 + 8080 + ]; + }; + services.traefik = { enable = true; dataDir = "/media/nas/ssd/nix-app-data/traefik"; group = "jallen-nas"; environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops - + staticConfigOptions = { entryPoints = { web = { @@ -102,7 +102,7 @@ in # "503" # "505-599" # ]; - # service = + # service = # }; # } }; 
@@ -157,44 +157,44 @@ in routers = { auth = { - entryPoints = ["websecure"]; + entryPoints = [ "websecure" ]; rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)"; service = "auth"; priority = 15; tls.certResolver = "letsencrypt"; }; authentik = { - entryPoints = ["websecure"]; + entryPoints = [ "websecure" ]; rule = "Host(`authentik.${domain}`)"; service = "authentik"; tls.certResolver = "letsencrypt"; }; collabora = { - entryPoints = ["websecure"]; + entryPoints = [ "websecure" ]; rule = "Host(`office.${domain}`)"; service = "collabora"; tls.certResolver = "letsencrypt"; }; cloud = { - entryPoints = ["websecure"]; + entryPoints = [ "websecure" ]; rule = "Host(`cloud.${domain}`)"; service = "cloud"; tls.certResolver = "letsencrypt"; }; jellyfin = { - entryPoints = ["websecure"]; + entryPoints = [ "websecure" ]; rule = "Host(`jellyfin.${domain}`)"; service = "jellyfin"; tls.certResolver = "letsencrypt"; }; jellyseerr = { - entryPoints = ["websecure"]; + entryPoints = [ "websecure" ]; rule = "Host(`jellyseerr.${domain}`)"; service = "jellyseerr"; tls.certResolver = "letsencrypt"; }; hass = { - entryPoints = ["websecure"]; + entryPoints = [ "websecure" ]; rule = "Host(`hass.${domain}`)"; service = "hass"; middlewares = "authentik"; @@ -202,7 +202,7 @@ in tls.certResolver = "letsencrypt"; }; open-webui = { - entryPoints = ["websecure"]; + entryPoints = [ "websecure" ]; rule = "Host(`chat.${domain}`)"; service = "chat"; # middlewares = [ "authentik" ]; @@ -220,4 +220,4 @@ in }; }; # todo: fail2ban/etc -} \ No newline at end of file +} diff --git a/hosts/nas/boot.nix b/hosts/nas/boot.nix index 613f04e..60f2368 100644 --- a/hosts/nas/boot.nix +++ b/hosts/nas/boot.nix @@ -1,4 +1,4 @@ -{ pkgs,... }: +{ pkgs, ... }: let configLimit = 5; kernel = pkgs.linuxPackages_latest; diff --git a/hosts/nas/configuration.nix b/hosts/nas/configuration.nix index e01e1b5..273e4eb 100755 --- a/hosts/nas/configuration.nix 
+++ b/hosts/nas/configuration.nix @@ -139,7 +139,10 @@ in # Configure nixpkgs nixpkgs = { - overlays = [ outputs.overlays.nixpkgs-unstable ]; + overlays = [ + outputs.overlays.nixpkgs-unstable + outputs.overlays.nixpkgs-stable + ]; config = { # Enable non free diff --git a/hosts/nas/networking.nix b/hosts/nas/networking.nix index d2f25d4..d1dd9b2 100644 --- a/hosts/nas/networking.nix +++ b/hosts/nas/networking.nix @@ -24,10 +24,10 @@ in # Disable Network Manager networkmanager.enable = true; - + nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "wlp7s0"; # Lazy IPv6 connectivity for the container enableIPv6 = true; diff --git a/hosts/nas/services.nix b/hosts/nas/services.nix index d1f41ba..f7471ae 100644 --- a/hosts/nas/services.nix +++ b/hosts/nas/services.nix @@ -210,7 +210,7 @@ in }; dataDir = "/media/nas/ssd/nix-app-data/grafana"; }; - + nix-serve = { enable = false; secretKeyFile = "/var/cache-priv-key.pem";