updates and formatting

mjallen18
2025-01-21 11:43:08 -06:00
parent a774f7eb41
commit c4133aef37
16 changed files with 355 additions and 462 deletions

19
.vscode/tasks.json vendored

@@ -6,11 +6,28 @@
{ {
"label": "rebuild", "label": "rebuild",
"type": "shell", "type": "shell",
"command": "#!/usr/bin/env bash sudo nixos-rebuild boot",
"problemMatcher": [],
"group": {
"kind": "build",
}
},
{
"label": "switch",
"type": "shell",
"command": "#!/usr/bin/env bash sudo nixos-rebuild switch", "command": "#!/usr/bin/env bash sudo nixos-rebuild switch",
"problemMatcher": [], "problemMatcher": [],
"group": { "group": {
"kind": "build", "kind": "build",
"isDefault": true }
},
{
"label": "rebuild nas",
"type": "shell",
"command": "#!/usr/bin/env bash nixos-rebuild boot --use-remote-sudo --target-host admin@10.0.1.18 --build-host admin@10.0.1.18 --flake ~/nix-config#jallen-nas",
"problemMatcher": [],
"group": {
"kind": "build",
} }
} }
] ]
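Review bot: Each task's `command` string starts with `#!/usr/bin/env bash` on the same line as the real command (`rebuild`, `switch` and the new `rebuild nas`). If the string really is a single line, as it is rendered here, the shell treats everything after `#` as a comment and the task exits successfully without running `nixos-rebuild`. Dropping the shebang is enough, e.g. `"command": "sudo nixos-rebuild boot"`, since `"type": "shell"` already runs the string in a shell.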

85
flake.lock generated

@@ -14,16 +14,15 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1734115107, "lastModified": 1736445563,
"narHash": "sha256-0Rz8OZNMH1/a06Mw6TprwSw93PH6y3WyFTWJ2UJERvw=", "narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=",
"owner": "fpletz", "owner": "nix-community",
"repo": "authentik-nix", "repo": "authentik-nix",
"rev": "f6742fc5dd624ad3bfae2cf6daef24ce49e1432b", "rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "fpletz", "owner": "nix-community",
"ref": "24.11",
"repo": "authentik-nix", "repo": "authentik-nix",
"type": "github" "type": "github"
} }
@@ -31,16 +30,16 @@
"authentik-src": { "authentik-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1733849292, "lastModified": 1736440980,
"narHash": "sha256-gJYgrRxytoGHkjeEsiKY/tl06D8XOnZZ9SDpK1WSyUw=", "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
"owner": "goauthentik", "owner": "goauthentik",
"repo": "authentik", "repo": "authentik",
"rev": "0edd7531a152910e6bdd4f7d3d0cde3ed5fdd956", "rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "goauthentik", "owner": "goauthentik",
"ref": "version/2024.10.5", "ref": "version/2024.12.2",
"repo": "authentik", "repo": "authentik",
"type": "github" "type": "github"
} }
@@ -238,11 +237,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736785676, "lastModified": 1737478403,
"narHash": "sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m+Yq++C9AyE=", "narHash": "sha256-e6PJI4Bd+QdpukHyd5F/fQY8fRUiNfCwvCRU8WXMSk8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "fc52a210b60f2f52c74eac41a8647c1573d2071d", "rev": "96dee79b178d295b716052feca3ee46abc085abe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -364,11 +363,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1736631212, "lastModified": 1737423230,
"narHash": "sha256-mG9lRZBcPiAGiVJ9B97BJoIGQcSBWIVlBiN30QYCtG0=", "narHash": "sha256-WEOiNmkcmlaeXy2HGW1PYxYmCPiHdsI7a7SpjhBYxRg=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "6ace2f2d12bdf74235d5cbf9fbd34a71c9716685", "rev": "46d0fa4ded0a7532f19870f9bbedaf62269fe3f7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -406,11 +405,11 @@
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1735172763, "lastModified": 1737392146,
"narHash": "sha256-a6n8RsiAolz6p24Fsr/gTndx9xr9USpKqKK6kzBeXQc=", "narHash": "sha256-fqDBMzFFZLYxNxnvM/9AABAsRgfgsLoDhdQXUvU0OnM=",
"owner": "tpwrules", "owner": "tpwrules",
"repo": "nixos-apple-silicon", "repo": "nixos-apple-silicon",
"rev": "3daf0637409689d7a1304cedc50d20542bc47905", "rev": "8adcb4b702511620bcaa4127f8f8af1ce7622d38",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -421,11 +420,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1736441705, "lastModified": 1737359802,
"narHash": "sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb+mxySIP93o=", "narHash": "sha256-utplyRM6pqnN940gfaLFBb9oUCSzkan86IvmkhsVlN8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "8870dcaff63dfc6647fb10648b827e9d40b0a337", "rev": "61c79181e77ef774ab0468b28a24bc2647d498d6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -481,11 +480,11 @@
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1736684107, "lastModified": 1737299813,
"narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=", "narHash": "sha256-Qw2PwmkXDK8sPQ5YQ/y/icbQ+TYgbxfjhgnkNJyT1X8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "635e887b48521e912a516625eee7df6cf0eba9c1", "rev": "107d5ef05c0b1119749e381451389eded30fb0d5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -497,11 +496,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1736701207, "lastModified": 1737062831,
"narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=", "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6", "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -513,25 +512,27 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1718149104, "lastModified": 1736241350,
"narHash": "sha256-Ds1QpobBX2yoUDx9ZruqVGJ/uQPgcXoYuobBguyKEh8=", "narHash": "sha256-CHd7yhaDigUuJyDeX0SADbTM9FXfiWaeNyY34FL1wQU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e913ae340076bbb73d9f4d3d065c2bca7caafb16", "rev": "8c9fd3e564728e90829ee7dbac6edc972971cd0f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"type": "indirect" "ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1734649271, "lastModified": 1737062831,
"narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=", "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507", "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -559,11 +560,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1730284601, "lastModified": 1735164664,
"narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=", "narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=",
"owner": "nix-community", "owner": "nix-community",
"repo": "poetry2nix", "repo": "poetry2nix",
"rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e", "rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -663,11 +664,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736777442, "lastModified": 1737411508,
"narHash": "sha256-eON7amRmBl59QH6K9uypewkKveaNbosY6CtUgRcv7YU=", "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "0f4744b5a95151a85c4f35010dd2d748228f7f53", "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
"type": "github" "type": "github"
}, },
"original": { "original": {


@@ -7,14 +7,13 @@
# nixpkgs-unstable-small # nixpkgs-unstable-small
# nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; # nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
# nixpgs # nixpgs
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
# Authentik # Authentik
authentik-nix = { authentik-nix = {
# url = "github:nix-community/authentik-nix"; url = "github:nix-community/authentik-nix";
url = "github:fpletz/authentik-nix/24.11"; # for some reason this is broken in stable and unstable
inputs.nixpkgs.follows = "nixpkgs-stable"; inputs.nixpkgs.follows = "nixpkgs-stable";
}; };


@@ -90,7 +90,7 @@ in
morph morph
nextcloud-client nextcloud-client
nixfmt-rfc-style nixfmt-rfc-style
stable.orca-slicer orca-slicer
papirus-icon-theme papirus-icon-theme
piper piper
pop-gtk-theme pop-gtk-theme


@@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
radarrPort = 7878; radarrPort = 7878;
@@ -14,7 +19,8 @@ let
mediaDir = "/media"; mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid; arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid; arrGroupId = config.users.groups.jallen-nas.gid;
# sonarrPkg = pkgs.stable.sonarr; sonarrPkg = pkgs.stable.sonarr;
jackettPkg = pkgs.unstable.jackett;
in in
{ {
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
@@ -29,115 +35,129 @@ in
privateNetwork = true; privateNetwork = true;
hostAddress = "10.0.1.18"; hostAddress = "10.0.1.18";
localAddress = "10.0.1.51"; localAddress = "10.0.1.51";
config = { config, pkgs, lib, ... }: {
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"aspnetcore-runtime-6.0.36"
"aspnetcore-runtime-wrapped-6.0.36"
"dotnet-sdk-6.0.428"
"dotnet-sdk-wrapped-6.0.428"
];
# Enable radarr service
services.radarr = {
enable = true;
openFirewall = true;
user = "arrs";
group = "media";
dataDir = radarrDataDir;
};
# Enable Sonarr service config =
services.sonarr = { {
enable = true; config,
openFirewall = true; pkgs,
user = "arrs"; lib,
group = "media"; ...
dataDir = sonarrDataDir; }:
# package = sonarrPkg; {
}; nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"aspnetcore-runtime-6.0.36"
"aspnetcore-runtime-wrapped-6.0.36"
"dotnet-sdk-6.0.428"
"dotnet-sdk-wrapped-6.0.428"
];
# Enable Sabnzbd service # Enable radarr service
services.sabnzbd = { services.radarr = {
enable = true;
openFirewall = true;
user = "arrs";
group = "media";
configFile = "${sabnzbdConfig}/sabnzbd.ini";
};
services.deluge = {
enable = true;
user = "arrs";
group = "media";
openFirewall = true;
dataDir = "/media";
web = {
enable = true; enable = true;
port = 8112;
openFirewall = true; openFirewall = true;
user = "arrs";
group = "media";
dataDir = radarrDataDir;
}; };
};
services.jackett = { # Enable Sonarr service
enable = true; services.sonarr = {
user = "arrs"; enable = true;
group = "media"; openFirewall = true;
openFirewall = true; user = "arrs";
}; group = "media";
dataDir = sonarrDataDir;
# package = sonarrPkg;
};
# Create required users and groups # Enable Sabnzbd service
users.users.arrs = { services.sabnzbd = {
isSystemUser = true; enable = true;
uid = lib.mkForce arrUserId; openFirewall = true;
group = "media"; user = "arrs";
extraGroups = [ "downloads" ]; group = "media";
}; configFile = "${sabnzbdConfig}/sabnzbd.ini";
};
users.groups = { services.deluge = {
media = { gid = lib.mkForce arrGroupId; }; enable = true;
downloads = {}; user = "arrs";
}; group = "media";
openFirewall = true;
dataDir = "/media";
web = {
enable = true;
port = 8112;
openFirewall = true;
};
};
# System packages services.jackett = {
environment.systemPackages = with pkgs; [ enable = true;
glib user = "arrs";
sqlite group = "media";
mono openFirewall = true;
mediainfo package = jackettPkg;
protonvpn-cli_2 };
];
# Create and set permissions for required directories # Create required users and groups
system.activationScripts.radarr-dirs = '' users.users.arrs = {
mkdir -p ${radarrDataDir} isSystemUser = true;
mkdir -p ${sonarrDataDir} uid = lib.mkForce arrUserId;
mkdir -p ${sabnzbdConfig} group = "media";
mkdir -p ${downloadDir} extraGroups = [ "downloads" ];
mkdir -p ${incompleteDir} };
mkdir -p ${mediaDir}
chown -R arrs:media ${radarrDataDir} users.groups = {
chown -R arrs:media ${sonarrDataDir} media = {
chown -R arrs:media ${sabnzbdConfig} gid = lib.mkForce arrGroupId;
chown -R arrs:media ${downloadDir} };
chown -R arrs:media ${incompleteDir} downloads = { };
chown -R arrs:media ${mediaDir} };
chmod -R 775 ${radarrDataDir} # System packages
chmod -R 775 ${sonarrDataDir} environment.systemPackages = with pkgs; [
chmod -R 775 ${sabnzbdConfig} glib
chmod -R 775 ${downloadDir} sqlite
chmod -R 775 ${incompleteDir} mono
chmod -R 775 ${mediaDir} mediainfo
protonvpn-cli_2
''; ];
# Create and set permissions for required directories
system.activationScripts.radarr-dirs = ''
mkdir -p ${radarrDataDir}
mkdir -p ${sonarrDataDir}
mkdir -p ${sabnzbdConfig}
mkdir -p ${downloadDir}
mkdir -p ${incompleteDir}
mkdir -p ${mediaDir}
chown -R arrs:media ${radarrDataDir}
chown -R arrs:media ${sonarrDataDir}
chown -R arrs:media ${sabnzbdConfig}
chown -R arrs:media ${downloadDir}
chown -R arrs:media ${incompleteDir}
chown -R arrs:media ${mediaDir}
chmod -R 775 ${radarrDataDir}
chmod -R 775 ${sonarrDataDir}
chmod -R 775 ${sabnzbdConfig}
chmod -R 775 ${downloadDir}
chmod -R 775 ${incompleteDir}
chmod -R 775 ${mediaDir}
'';
networking = { networking = {
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ radarrPort sonarrPort sabnzbdPort ]; allowedTCPPorts = [
radarrPort
sonarrPort
sabnzbdPort
];
}; };
# Use systemd-resolved inside the container # Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
@@ -213,4 +233,4 @@ in
} }
]; ];
}; };
} }
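Review bot: `sonarrPkg = pkgs.stable.sonarr;` is now bound in the `let` block, but its only use, `# package = sonarrPkg;` under `services.sonarr`, is still commented out, so the binding is dead and Sonarr keeps coming from the container's default `pkgs`. Either enable `package = sonarrPkg;` the way `package = jackettPkg;` was added for Jackett, or drop the binding. Since the `permittedInsecurePackages` list inside the container is being re-indented anyway, a comment such as `# end-of-life .NET 6 runtime, needed by <service>; remove once it no longer depends on it` would record why the exception exists and when it can go.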


@@ -4,4 +4,4 @@
enable = true; enable = true;
port = 9980; port = 9980;
}; };
} }


@@ -1,161 +1,4 @@
{ { ... }:
config,
pkgs,
lib,
...
}:
# let
# jellyfinPort = 8096;
# jellyfinUserId = config.users.users.nix-apps.uid;
# jellyfinGroupId = config.users.groups.jallen-nas.gid;
# package = pkgs.jellyfin;
# in {
# containers.jellyfin = {
# autoStart = true;
# privateNetwork = true;
# hostAddress = "10.0.1.18";
# localAddress = "10.0.2.25";
# config = { config, pkgs, lib, ... }: {
# # Enable jellyfin service
# nixpkgs.config.allowUnfree = true;
# hardware = {
# # Nvidia
# nvidia = {
# package = config.boot.kernelPackages.nvidiaPackages.latest;
# # Modesetting is required.
# modesetting.enable = true;
# # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# powerManagement.enable = true;
# # Fine-grained power management. Turns off GPU when not in use.
# # Experimental and only works on modern Nvidia GPUs (Turing or newer).
# powerManagement.finegrained = false;
# # Use the NVidia open source kernel module (not to be confused with the
# # independent third-party "nouveau" open source driver).
# # Support is limited to the Turing and later architectures. Full list of
# # supported GPUs is at:
# # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# # Only available from driver 515.43.04+
# # Currently alpha-quality/buggy, so false is currently the recommended setting.
# open = true;
# # Enable the Nvidia settings menu,
# # accessible via `nvidia-settings`.
# nvidiaSettings = true;
# };
# # Enable graphics
# graphics = {
# enable = true;
# enable32Bit = true;
# };
# };
# # Services configs
# services.xserver = {
# # Load nvidia driver for Xorg and Wayland
# videoDrivers = [ "nvidia" ];
# };
# services.jellyfin = {
# enable = true;
# openFirewall = true;
# user = "jellyfin";
# group = "media";
# dataDir = "/data";
# configDir = "/config";
# # cacheDir = "/cache";
# };
# # Create required users and groups
# users.users.jellyfin = {
# isSystemUser = true;
# uid = lib.mkForce jellyfinUserId;
# group = "media";
# extraGroups = [ "downloads" ];
# };
# users.groups = {
# media = { gid = lib.mkForce jellyfinGroupId; };
# downloads = { };
# };
# networking = {
# firewall = {
# enable = true;
# allowedTCPPorts = [ jellyfinPort ];
# };
# # Use systemd-resolved inside the container
# # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
# useHostResolvConf = lib.mkForce false;
# };
# # System packages
# environment.systemPackages = with pkgs; [
# sqlite
# mono
# mediainfo
# # ffmpeg
# # nvidiaPackages.gpu
# # nvidiaPackages.nvidia-settings
# # nvidiaPackages.nvidia-x11
# ];
# services.resolved.enable = true;
# system.stateVersion = "23.11";
# };
# # Bind mount directories from host
# bindMounts = {
# "/data" = {
# hostPath = "/media/nas/ssd/nix-app-data/jellyfin";
# isReadOnly = false;
# };
# "/tv" = {
# hostPath = "/media/nas/main/tv";
# isReadOnly = false;
# };
# "/movies" = {
# hostPath = "/media/nas/main/movies";
# isReadOnly = false;
# };
# "/dev/nvidia0" = { hostPath = "/dev/nvidia0"; }; # GPU device
# "/dev/nvidiactl" = { hostPath = "/dev/nvidiactl"; }; # NVIDIA control
# "/dev/nvidia-modeset" = { hostPath = "/dev/nvidia-modeset"; }; # modesetting
# };
# # allowedDevices = [
# # {
# # modifier = "rw";
# # node = "/dev/nvidia0";
# # }
# # {
# # modifier = "rw";
# # node = "/dev/nvidiactl";
# # }
# # {
# # modifier = "rw";
# # node = "/dev/nvidia-modeset";
# # }
# # {
# # modifier = "rw";
# # node = "/dev/nvidia-uvm";
# # }
# # {
# # modifier = "rw";
# # node = "/dev/nvidia-uvm-tools";
# # }
# # ];
# };
# networking.nat = {
# forwardPorts = [{
# destination = "10.0.2.25:8096";
# sourcePort = jellyfinPort;
# }];
# };
# }
{ {
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;


@@ -39,134 +39,139 @@ in
}; };
config = config =
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
services = { services = {
nextcloud = { nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud30; package = pkgs.nextcloud30;
# datadir = "/data"; # datadir = "/data";
database.createLocally = true; database.createLocally = true;
hostName = "cloud.mjallen.dev"; hostName = "cloud.mjallen.dev";
appstoreEnable = true; appstoreEnable = true;
caching.redis = true; caching.redis = true;
configureRedis = true; configureRedis = true;
enableImagemagick = true; enableImagemagick = true;
https = true; https = true;
config = { config = {
adminuser = "mjallen"; adminuser = "mjallen";
adminpassFile = adminpass; adminpassFile = adminpass;
dbhost = "localhost"; dbhost = "localhost";
dbtype = "sqlite"; dbtype = "sqlite";
dbname = "nextcloud"; dbname = "nextcloud";
dbuser = "nextcloud"; dbuser = "nextcloud";
}; };
settings = { settings = {
allow_local_remote_servers = true; allow_local_remote_servers = true;
upgrade.disable-web = false; upgrade.disable-web = false;
datadirectory = "/data"; datadirectory = "/data";
trusted_domains = [ trusted_domains = [
"10.0.1.18:9988" "10.0.1.18:9988"
"10.0.1.18:9943" "10.0.1.18:9943"
"10.0.2.18:80" "10.0.2.18:80"
"10.0.2.18:443" "10.0.2.18:443"
"cloud.mjallen.dev" "cloud.mjallen.dev"
]; ];
trusted_proxies = [ "10.0.1.18" ]; trusted_proxies = [ "10.0.1.18" ];
maintenance_window_start = 6; maintenance_window_start = 6;
default_phone_region = "US"; default_phone_region = "US";
mail_from_address = "matt.l.jallen"; mail_from_address = "matt.l.jallen";
mail_smtpmode = "smtp"; mail_smtpmode = "smtp";
mail_sendmailmode = "smtp"; mail_sendmailmode = "smtp";
mail_domain = "gmail.com"; mail_domain = "gmail.com";
mail_smtpauth = 1; mail_smtpauth = 1;
mail_smtpname = "matt.l.jallen"; mail_smtpname = "matt.l.jallen";
mail_smtppassword = "egzo mltu kkoc hrfe "; # TODO: smtppassword; mail_smtppassword = "egzo mltu kkoc hrfe "; # TODO: smtppassword;
mail_smtpsecure = "ssl"; mail_smtpsecure = "ssl";
mail_smtphost = "smtp.gmail.com"; mail_smtphost = "smtp.gmail.com";
mail_smtpport = 465; mail_smtpport = 465;
enable_previews = true; enable_previews = true;
enabledPreviewProviders = [ enabledPreviewProviders = [
"OC\\\\Preview\\\\PNG" "OC\\\\Preview\\\\PNG"
"OC\\\\Preview\\\\JPEG" "OC\\\\Preview\\\\JPEG"
"OC\\\\Preview\\\\GIF" "OC\\\\Preview\\\\GIF"
"OC\\\\Preview\\\\BMP" "OC\\\\Preview\\\\BMP"
"OC\\\\Preview\\\\XBitmap" "OC\\\\Preview\\\\XBitmap"
"OC\\\\Preview\\\\MP3" "OC\\\\Preview\\\\MP3"
"OC\\\\Preview\\\\TXT" "OC\\\\Preview\\\\TXT"
"OC\\\\Preview\\\\MarkDown" "OC\\\\Preview\\\\MarkDown"
"OC\\\\Preview\\\\OpenDocument" "OC\\\\Preview\\\\OpenDocument"
"OC\\\\Preview\\\\Krita" "OC\\\\Preview\\\\Krita"
"OC\\\\Preview\\\\HEIC" "OC\\\\Preview\\\\HEIC"
]; ];
installed = true; installed = true;
user_oidc = { user_oidc = {
auto_provision = false; auto_provision = false;
soft_auto_provision = false; soft_auto_provision = false;
};
}; };
}; };
onlyoffice = {
enable = true;
port = 8000;
hostname = "office.mjallen.dev";
};
}; };
onlyoffice = { # System packages
enable = true; environment.systemPackages = with pkgs; [
port = 8000; nextcloud30
hostname = "office.mjallen.dev"; onlyoffice-documentserver
sqlite
];
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
}; };
};
# System packages users.users.onlyoffice = {
environment.systemPackages = with pkgs; [ group = lib.mkForce "nextcloud";
nextcloud30
onlyoffice-documentserver
sqlite
];
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
};
users.users.onlyoffice = {
group = lib.mkForce "nextcloud";
};
users.groups = {
nextcloud = { gid = lib.mkForce nextcloudGroupId; };
downloads = {};
};
# Create and set permissions for required directories
system.activationScripts.nextcloud-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
chmod -R 775 /data
chmod -R 750 /run/secrets/jallen-nas/nextcloud
'';
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
}; };
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
}; users.groups = {
nextcloud = {
gid = lib.mkForce nextcloudGroupId;
};
downloads = { };
};
# Create and set permissions for required directories
system.activationScripts.nextcloud-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
chmod -R 775 /data
chmod -R 750 /run/secrets/jallen-nas/nextcloud
'';
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
}; };
networking.nat = { networking.nat = {
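Review bot: `mail_smtppassword` under `services.nextcloud.settings` still carries the SMTP app password as a string literal (the line marked `# TODO: smtppassword`), so the re-indented code keeps it in the repository and in the world-readable Nix store. The same block already reads the admin password from a file with `adminpassFile = adminpass;`. The SMTP password should be supplied the same way, for instance through the module's `secretFile` option pointing at a sops-managed JSON file made available inside the container, with the key removed from `settings`. Because the value is already in the commit history, it should be treated as exposed and replaced with a newly generated app password. The enclosing container definition starts and ends outside the hunk.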


@@ -30,4 +30,4 @@
LOCAL_FILES_ONLY = "False"; LOCAL_FILES_ONLY = "False";
}; };
}; };
} }


@@ -11,7 +11,11 @@ in
virtualisation.oci-containers.containers.${cfg.name} = { virtualisation.oci-containers.containers.${cfg.name} = {
autoStart = true; autoStart = true;
image = cfg.image; image = cfg.image;
extraOptions = [ "--device=nvidia.com/gpu=0" "--network=bridge" "--add-host=host.docker.internal:host-gateway" ]; extraOptions = [
"--device=nvidia.com/gpu=0"
"--network=bridge"
"--add-host=host.docker.internal:host-gateway"
];
volumes = [ "${cfg.configPath}:/app/data" ]; volumes = [ "${cfg.configPath}:/app/data" ];
ports = [ "${cfg.port}:3000" ]; ports = [ "${cfg.port}:3000" ];
environment = { environment = {


@@ -4,12 +4,12 @@
lib, lib,
... ...
}: }:
let let
paperlessPort = 28981; paperlessPort = 28981;
paperlessUserId = config.users.users.nix-apps.uid; paperlessUserId = config.users.users.nix-apps.uid;
paperlessGroupId = config.users.groups.jallen-nas.gid; paperlessGroupId = config.users.groups.jallen-nas.gid;
passwordFile = config.sops.secrets."jallen-nas/admin_password".path; passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
paperlessPkg = pkgs.stable.paperless-ngx;
in in
{ {
containers.paperless = { containers.paperless = {
@@ -31,6 +31,7 @@ in
# Enable paperless service # Enable paperless service
services.paperless = { services.paperless = {
enable = true; enable = true;
package = paperlessPkg;
port = paperlessPort; port = paperlessPort;
user = "paperless"; user = "paperless";
address = "0.0.0.0"; address = "0.0.0.0";
@@ -40,7 +41,7 @@ in
PAPERLESS_SECRET = "Luciferthecat03092024"; PAPERLESS_SECRET = "Luciferthecat03092024";
PAPERLESS_ENABLE_ALLAUTH = true; PAPERLESS_ENABLE_ALLAUTH = true;
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIALACCOUNT_PROVIDERS=''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"OZhMnBUxwJvpjkUhs4ISgA0iAWA7etgTXaohLCED","secret":"UrwdWObeyoEI1AogXcjV8SwYsJ585Wkh5YxDH5wFPXZxp8IVV9QNsn32PIAv6h9BdjaiiMrOFayaW3uXyZYg71olG5OQ1qGaD6WYn0EijYBwxoEuvp7LIdMJ4lImhVR1","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}''; PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"OZhMnBUxwJvpjkUhs4ISgA0iAWA7etgTXaohLCED","secret":"UrwdWObeyoEI1AogXcjV8SwYsJ585Wkh5YxDH5wFPXZxp8IVV9QNsn32PIAv6h9BdjaiiMrOFayaW3uXyZYg71olG5OQ1qGaD6WYn0EijYBwxoEuvp7LIdMJ4lImhVR1","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
}; };
}; };
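Review bot: The reformatted `PAPERLESS_SOCIALACCOUNT_PROVIDERS` line still embeds the authentik OIDC client `secret`, and `PAPERLESS_SECRET` a few lines above it is a literal too, so both land in git history and in the world-readable Nix store. `passwordFile` at the top of the file already comes from `config.sops.secrets`. These two values should be delivered the same way, e.g. through a sops-rendered environment file (`services.paperless.environmentFile`, if the module version in use provides it) instead of `settings`. Both values are already published in this commit, so they should be regenerated on the authentik and paperless side once they are moved. The `settings` attribute set starts outside the hunk.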


@@ -2,36 +2,36 @@
let let
domain = "mjallen.dev"; domain = "mjallen.dev";
authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io"; authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io";
authentikUrl = "http://10.0.1.18:9000"; authentikUrl = "http://10.0.1.18:9000";
collaboraUrl = "http://10.0.1.18:9980"; collaboraUrl = "http://10.0.1.18:9980";
cloudUrl = "http://10.0.2.18:80"; cloudUrl = "http://10.0.2.18:80";
jellyfinUrl = "http://10.0.1.18:8096"; jellyfinUrl = "http://10.0.1.18:8096";
jellyseerrUrl = "http://10.0.1.52:5055"; jellyseerrUrl = "http://10.0.1.52:5055";
hassUrl = "http://10.0.1.183:8123"; hassUrl = "http://10.0.1.183:8123";
openWebUIUrl = "http://10.0.1.18:8888"; openWebUIUrl = "http://10.0.1.18:8888";
paperlessUrl = "http://10.0.1.20:28981"; paperlessUrl = "http://10.0.1.20:28981";
in in
{ {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
80 80
443 443
8080 8080
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
80 80
443 443
8080 8080
]; ];
}; };
services.traefik = { services.traefik = {
enable = true; enable = true;
dataDir = "/media/nas/ssd/nix-app-data/traefik"; dataDir = "/media/nas/ssd/nix-app-data/traefik";
group = "jallen-nas"; group = "jallen-nas";
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
staticConfigOptions = { staticConfigOptions = {
entryPoints = { entryPoints = {
web = { web = {
@@ -102,7 +102,7 @@ in
# "503" # "503"
# "505-599" # "505-599"
# ]; # ];
# service = # service =
# }; # };
# } # }
}; };
@@ -157,44 +157,44 @@ in
routers = { routers = {
auth = { auth = {
entryPoints = ["websecure"]; entryPoints = [ "websecure" ];
rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)"; rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
service = "auth"; service = "auth";
priority = 15; priority = 15;
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
authentik = { authentik = {
entryPoints = ["websecure"]; entryPoints = [ "websecure" ];
rule = "Host(`authentik.${domain}`)"; rule = "Host(`authentik.${domain}`)";
service = "authentik"; service = "authentik";
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
collabora = { collabora = {
entryPoints = ["websecure"]; entryPoints = [ "websecure" ];
rule = "Host(`office.${domain}`)"; rule = "Host(`office.${domain}`)";
service = "collabora"; service = "collabora";
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
cloud = { cloud = {
entryPoints = ["websecure"]; entryPoints = [ "websecure" ];
rule = "Host(`cloud.${domain}`)"; rule = "Host(`cloud.${domain}`)";
service = "cloud"; service = "cloud";
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
jellyfin = { jellyfin = {
entryPoints = ["websecure"]; entryPoints = [ "websecure" ];
rule = "Host(`jellyfin.${domain}`)"; rule = "Host(`jellyfin.${domain}`)";
service = "jellyfin"; service = "jellyfin";
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
jellyseerr = { jellyseerr = {
entryPoints = ["websecure"]; entryPoints = [ "websecure" ];
rule = "Host(`jellyseerr.${domain}`)"; rule = "Host(`jellyseerr.${domain}`)";
service = "jellyseerr"; service = "jellyseerr";
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
hass = { hass = {
entryPoints = ["websecure"]; entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)"; rule = "Host(`hass.${domain}`)";
service = "hass"; service = "hass";
middlewares = "authentik"; middlewares = "authentik";
@@ -202,7 +202,7 @@ in
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
open-webui = { open-webui = {
entryPoints = ["websecure"]; entryPoints = [ "websecure" ];
rule = "Host(`chat.${domain}`)"; rule = "Host(`chat.${domain}`)";
service = "chat"; service = "chat";
# middlewares = [ "authentik" ]; # middlewares = [ "authentik" ];
@@ -220,4 +220,4 @@ in
}; };
}; };
# todo: fail2ban/etc # todo: fail2ban/etc
} }


@@ -1,4 +1,4 @@
{ pkgs,... }: { pkgs, ... }:
let let
configLimit = 5; configLimit = 5;
kernel = pkgs.linuxPackages_latest; kernel = pkgs.linuxPackages_latest;


@@ -139,7 +139,10 @@ in
# Configure nixpkgs # Configure nixpkgs
nixpkgs = { nixpkgs = {
overlays = [ outputs.overlays.nixpkgs-unstable ]; overlays = [
outputs.overlays.nixpkgs-unstable
outputs.overlays.nixpkgs-stable
];
config = { config = {
# Enable non free # Enable non free


@@ -24,10 +24,10 @@ in
# Disable Network Manager # Disable Network Manager
networkmanager.enable = true; networkmanager.enable = true;
nat = { nat = {
enable = true; enable = true;
internalInterfaces = ["ve-+"]; internalInterfaces = [ "ve-+" ];
externalInterface = "wlp7s0"; externalInterface = "wlp7s0";
# Lazy IPv6 connectivity for the container # Lazy IPv6 connectivity for the container
enableIPv6 = true; enableIPv6 = true;


@@ -210,7 +210,7 @@ in
}; };
dataDir = "/media/nas/ssd/nix-app-data/grafana"; dataDir = "/media/nas/ssd/nix-app-data/grafana";
}; };
nix-serve = { nix-serve = {
enable = false; enable = false;
secretKeyFile = "/var/cache-priv-key.pem"; secretKeyFile = "/var/cache-priv-key.pem";