updates and nixifying

This commit is contained in:
mjallen18
2024-12-18 16:08:17 -06:00
parent c259cb91de
commit c80092f588
26 changed files with 203 additions and 807 deletions

flake.lock generated

@@ -8,21 +8,22 @@
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"napalm": "napalm", "napalm": "napalm",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-stable"
], ],
"poetry2nix": "poetry2nix", "poetry2nix": "poetry2nix",
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1733851514, "lastModified": 1734115107,
"narHash": "sha256-fQt/HzF+OBC8xLRYeHiYLSEzjrgOLNWhyd102aY2oLU=", "narHash": "sha256-0Rz8OZNMH1/a06Mw6TprwSw93PH6y3WyFTWJ2UJERvw=",
"owner": "nix-community", "owner": "fpletz",
"repo": "authentik-nix", "repo": "authentik-nix",
"rev": "b059e1d6e7a94bbeabb4e87d47b5f5097fd61823", "rev": "f6742fc5dd624ad3bfae2cf6daef24ce49e1432b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "fpletz",
"ref": "24.11",
"repo": "authentik-nix", "repo": "authentik-nix",
"type": "github" "type": "github"
} }
@@ -219,11 +220,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733951607, "lastModified": 1734344598,
"narHash": "sha256-CN6q6iCzxI1gkNyk4xLdwaMKi10r7n+aJkRzWj8PXwQ=", "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "6e5b2d9e8014b5572e3367937a329e7053458d34", "rev": "83ecd50915a09dca928971139d3a102377a8d242",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -234,11 +235,11 @@
}, },
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1731242966, "lastModified": 1734200366,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "narHash": "sha256-0NursoP4BUdnc+wy+Mq3icHkXu/RgP1Sjo0MJxV2+Dw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "impermanence", "repo": "impermanence",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "rev": "c6323585fa0035d780e3d8906eb1b24b65d19a48",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -362,11 +363,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1733861262, "lastModified": 1734352517,
"narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=", "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5", "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -418,13 +419,29 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1733759999, "lastModified": 1734323986,
"narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=", "narHash": "sha256-m/lh6hYMIWDYHCAsn81CDAiXoT3gmxXI9J987W5tZrE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56", "rev": "394571358ce82dff7411395829aa6a3aad45b907",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1734424634,
"narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -533,6 +550,7 @@
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixos-apple-silicon": "nixos-apple-silicon", "nixos-apple-silicon": "nixos-apple-silicon",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs-stable": "nixpkgs-stable_2",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
@@ -583,11 +601,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1733965552, "lastModified": 1734546875,
"narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", "narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", "rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d",
"type": "github" "type": "github"
}, },
"original": { "original": {


@@ -9,12 +9,13 @@
# nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; # nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
# nixpgs # nixpgs
# nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
# Authentik # Authentik
authentik-nix = { authentik-nix = {
url = "github:nix-community/authentik-nix"; # url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nixpkgs-unstable"; url = "github:fpletz/authentik-nix/24.11"; # for some reason this is broken in stable and unstable
inputs.nixpkgs.follows = "nixpkgs-stable";
}; };
# Chaotic-nix # Chaotic-nix
@@ -63,7 +64,7 @@
self, self,
nixpkgs-unstable, nixpkgs-unstable,
# nixpkgs-unstable-small, # nixpkgs-unstable-small,
# nixpkgs-stable, nixpkgs-stable,
# chaotic, # chaotic,
lanzaboote, lanzaboote,
impermanence, impermanence,
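Review bot: `url = "github:fpletz/authentik-nix/24.11";` moves the module that deploys the identity provider from the nix-community organisation to a personal fork tracked by a mutable branch ref, which widens the supply-chain trust boundary for the component that gates everything else. The lock file pins a specific rev, so today's build is reproducible, but every `nix flake update` will silently follow whatever that branch points to next. Pin the rev in the URL (`github:fpletz/authentik-nix/<rev>`) or at least replace the comment `# for some reason this is broken in stable and unstable` with a link to the upstream issue/PR so there is a trigger for switching back to nix-community once it is fixed.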


@@ -21,7 +21,7 @@
"org/gnome/tweaks".show-extensions-notice = false; "org/gnome/tweaks".show-extensions-notice = false;
"org/gnome/shell".enabled-extensions = [ "org/gnome/shell".enabled-extensions = [
"appindicatorsupport@rgcjonas.gmail.com" "appindicatorsupport@rgcjonas.gmail.com"
"arcmenu@arcmenu.com" # "arcmenu@arcmenu.com"
"user-theme@gnome-shell-extensions.gcampax.github.com" "user-theme@gnome-shell-extensions.gcampax.github.com"
"tiling-assistant@leleat-on-github" "tiling-assistant@leleat-on-github"
"dash-to-dock@micxgx.gmail.com" "dash-to-dock@micxgx.gmail.com"


@@ -1,11 +1,13 @@
{ config, ... }: { config, ... }:
{ {
imports = [ imports = [
./apps/arrs
./apps/jellyfin/jellyfin.nix
./apps/jellyseerr/jellyseerr.nix
./apps/paperless
../../modules ../../modules
# ../../modules/apps/caddy
../../modules/apps/jellyfin/jellyfin.nix # ./apps/nextcloud
../../modules/apps/paperless
../../modules/apps/jellyseerr/jellyseerr.nix
]; ];
nas-apps = { nas-apps = {


@@ -0,0 +1,7 @@
{ ... }:
{
services.collabora-online = {
enable = true;
port = 9980;
};
}


@@ -0,0 +1,143 @@
{ config, ... }:
let
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
dbpass = config.sops.secrets."jallen-nas/nextcloud/dbpassword".path;
smtppassword = config.sops.templates."nextcloud-smtp".content;
nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid;
in
{
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.2.18";
bindMounts = {
secrets = {
hostPath = "/run/secrets/jallen-nas/nextcloud";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/nextcloud";
};
data = {
hostPath = "/media/nas/main/nextcloud";
isReadOnly = false;
mountPoint = "/data";
};
};
config =
{ pkgs, lib, ... }:
{
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud30;
# datadir = "/data";
hostName = "localhost";
appstoreEnable = true;
caching.redis = true;
configureRedis = true;
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "10.0.1.18:3306";
dbtype = "mysql";
dbname = "jallen_nextcloud";
dbuser = "nextcloud";
dbpassFile = dbpass;
};
settings = {
datadirectory = "/data";
trusted_domains = [
"10.0.1.18:9988"
"10.0.1.18:9943"
"10.0.2.18:80"
"10.0.2.18:443"
"cloud.mjallen.dev"
];
trusted_proxies = [ "10.0.1.18" ];
maintenance_window_start = 6;
default_phone_region = "US";
mail_from_address = "matt.l.jallen";
mail_smtpmode = "smtp";
mail_sendmailmode = "smtp";
mail_domain = "gmail.com";
mail_smtpauth = 1;
mail_smtpname = "matt.l.jallen";
mail_smtppassword = smtppassword;
mail_smtpsecure = "ssl";
mail_smtphost = "smtp.gmail.com";
mail_smtpport = 465;
enable_previews = true;
enabledPreviewProviders = [
"OC\\\\Preview\\\\PNG"
"OC\\\\Preview\\\\JPEG"
"OC\\\\Preview\\\\GIF"
"OC\\\\Preview\\\\BMP"
"OC\\\\Preview\\\\XBitmap"
"OC\\\\Preview\\\\MP3"
"OC\\\\Preview\\\\TXT"
"OC\\\\Preview\\\\MarkDown"
"OC\\\\Preview\\\\OpenDocument"
"OC\\\\Preview\\\\Krita"
"OC\\\\Preview\\\\HEIC"
];
installed = true;
# config_is_read_only = true;
};
};
};
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
};
users.groups = {
nextcloud = { gid = lib.mkForce nextcloudGroupId; };
downloads = {};
};
# Create and set permissions for required directories
system.activationScripts.radarr-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chmod -R 775 /data
'';
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.2.18:443";
sourcePort = 9943;
}
{
destination = "10.0.2.18:80";
sourcePort = 9988;
}
];
};
}
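Review bot: `mail_smtppassword = smtppassword;` feeds a secret through `services.nextcloud.settings`, which the NixOS module serializes into a config file in the world-readable Nix store, and because `smtppassword` is the template's `.content` rather than its `.path`, what gets written appears to be the unsubstituted sops placeholder — so the SMTP credential is likely exposed on the host and unusable in the container at the same time; worth confirming against the generated config. The module's `secretFile` option exists for this: drop the line from `settings`, add `secretFile = config.sops.templates."nextcloud-smtp".path;` under `services.nextcloud`, make the template render `{"mail_smtppassword":"<placeholder>"}`, and bind-mount that rendered path into the container the way the `secrets` mount already does (the template itself is defined outside this file). Separately, the `radarr-dirs` activation script (name copied from another service) runs `chmod -R 775 /data` across the whole user-data tree on every activation, which makes every stored file world-readable and group-writable and will likely fail Nextcloud's data-directory permission check. `chmod 0770 /data` without `-R`, applied to the top directory only, is what Nextcloud expects.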


@@ -6,24 +6,6 @@ in
# Services configs # Services configs
services = { services = {
caddy = {
enable = false;
email = "jalle008@proton.me";
enableReload = true;
user = "nix-apps";
group = "jallen-nas";
dataDir = "/media/nas/ssd/nix-app-data/caddy";
virtualHosts = {
"authentik.mjallen.dev".extraConfig = ''
reverse_proxy http://10.0.1.18:9000
'';
"jellyfin.mjallen.dev".extraConfig = ''
reverse_proxy http://10.0.1.18:8096
'';
};
};
minecraft-server = { minecraft-server = {
enable = true; enable = true;
eula = true; eula = true;


@@ -1,43 +0,0 @@
{
pkgs,
config,
plugins,
stdenv,
lib,
...
}:
stdenv.mkDerivation rec {
pname = "caddy";
# https://github.com/NixOS/nixpkgs/issues/113520
version = "2.7.6";
dontUnpack = true;
nativeBuildInputs = [
pkgs.git
pkgs.go
pkgs.xcaddy
];
configurePhase = ''
export GOCACHE=$TMPDIR/go-cache
export GOPATH="$TMPDIR/go"
'';
buildPhase =
let
pluginArgs = lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins;
in
''
runHook preBuild
${pkgs.xcaddy}/bin/xcaddy build "v${version}" ${pluginArgs}
runHook postBuild
'';
installPhase = ''
runHook preInstall
mkdir -p $out/bin
mv caddy $out/bin
runHook postInstall
'';
}


@@ -1,231 +0,0 @@
{ config, pkgs, ... }:
{
# Enable containers
containers.caddy = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.2.1";
config =
{ config, pkgs, ... }:
{
nixpkgs.overlays = [
(
_final: prev:
let
plugins = [ "github.com/caddy-dns/cloudflare" ];
goImports = prev.lib.flip prev.lib.concatMapStrings plugins (pkg: " _ \"${pkg}\"\n");
goGets = prev.lib.flip prev.lib.concatMapStrings plugins (pkg: "go get ${pkg}\n ");
main = ''
package main
import (
caddycmd "github.com/caddyserver/caddy/v2/cmd"
_ "github.com/caddyserver/caddy/v2/modules/standard"
${goImports}
)
func main() {
caddycmd.Main()
}
'';
in
{
caddy-cloudflare = prev.buildGoModule {
pname = "caddy-cloudflare";
version = prev.caddy.version;
runVend = true;
subPackages = [ "cmd/caddy" ];
src = prev.caddy.src;
vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
overrideModAttrs = (
_: {
preBuild = ''
echo '${main}' > cmd/caddy/main.go
${goGets}
'';
postInstall = "cp go.sum go.mod $out/ && ls $out/";
}
);
postPatch = ''
echo '${main}' > cmd/caddy/main.go
cat cmd/caddy/main.go
'';
postConfigure = ''
cp vendor/go.sum ./
cp vendor/go.mod ./
'';
meta = with prev.lib; {
homepage = "https://caddyserver.com";
description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
license = licenses.asl20;
maintainers = with maintainers; [
Br1ght0ne
techknowlogick
];
};
};
}
)
];
systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
# Caddy web server
services.caddy = {
enable = true;
email = "jalle008@proton.me";
enableReload = true;
package = pkgs.caddy-cloudflare;
adapter = "''"; # Required to enable JSON
# virtualHosts = {
# }
configFile = pkgs.writeText "Caddyfile" (
builtins.toJSON {
apps.http.servers.main = {
listen = [ ":443" ];
routes = [
{
match = [ { host = [ "authentik.mjallen.dev" ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "http://10.0.1.18:9000"; } ];
}
];
}
];
};
apps.tls.automation.policies = [
{
issuers = [
{
module = "acme";
challenges = {
dns = {
provider = {
name = "cloudflare";
api_token = "{env.CLOUDFLARE_API_TOKEN}";
};
resolvers = [ "1.1.1.1" ];
};
};
}
];
}
];
}
);
# configFile = pkgs.writeText "Caddyfile" ''
# apps.tls.automation.policies = [{
# issuers = [{
# module = "acme";
# challenges = {
# dns = {
# provider = {
# name = "cloudflare";
# api_token = "{env.CLOUDFLARE_API_TOKEN}";
# };
# resolvers = [ "1.1.1.1" ];
# };
# };
# }];
# # Wildcard certificate for all subdomains
# *.mjallen.dev {
# tls {
# dns cloudflare {env.CLOUDFLARE_API_TOKEN}
# }
# }
# :80 {
# respond "Hello from Caddy!"
# }
# :443 {
# respond "Hello from Caddy!"
# }
# authentik.mjallen.dev {
# reverse_proxy 10.0.1.18:9000
# }
# '';
};
# Environment variable for DNS challenge
environment.etc."caddy/cloudflare.env" = {
mode = "0600";
text = ''
CLOUDFLARE_API_TOKEN=HYhx7cN6e-O6QQJNKd9g7RpgvCzY-aegOPU2iQwB
'';
};
# Fail2Ban configuration
environment.etc."fail2ban/filter.d/caddy.local" = {
mode = "0644";
text = ''
[Definition]
failregex = ^<HOST> .* "(GET|POST|PUT|DELETE|HEAD|OPTIONS) .* HTTP/\d\.\d" (4\d{2}|5\d{2})
ignoreregex =
'';
};
services.fail2ban = {
enable = true;
jails = {
caddy = {
settings = {
filter = "caddy";
logpath = "/var/log/caddy/access.log";
maxretry = 5;
bantime = "30m";
};
};
};
};
# Ensure logging for Caddy
services.caddy.logDir = "/var/log/caddy";
# Open necessary firewall ports
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
# Install additional packages if needed
environment.systemPackages = with pkgs; [
caddy
fail2ban
];
system.stateVersion = "23.11";
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.2.1:80";
sourcePort = 80;
}
{
destination = "10.0.2.1:443";
sourcePort = 443;
}
];
};
}
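Review bot: The removed file carries a literal Cloudflare API token in `environment.etc."caddy/cloudflare.env"` (`CLOUDFLARE_API_TOKEN=HYhx…`), and deleting the file does not un-publish it — the value stays in git history for anyone with read access to the repository, and `environment.etc` text is placed in the world-readable Nix store regardless of the `mode = "0600"`. Treat that token as compromised and revoke it in the Cloudflare dashboard; if the repository is or was ever public, rewriting history is not a substitute for rotation. Whatever replaces this setup should load the token from the sops-nix secret store the flake already uses (for example a systemd `EnvironmentFile` pointing at a `config.sops.secrets.<name>.path`), never from a string literal in a `.nix` file.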


@@ -1,28 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.sabnzbd;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:8080" ];
volumes = [
"${cfg.configPath}:/config"
"${cfg.moviesPath}:/movies"
"${cfg.tvPath}:/tv"
"${cfg.downloadsPath}:/downloads"
"${cfg.downloadsIncompletePath}:/downloads-incomplete"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}


@@ -1,67 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.sabnzbd = {
enable = mkEnableOption "sabnzbd docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "8080";
};
name = mkOption {
type = types.str;
default = "sabnzbd";
};
image = mkOption {
type = types.str;
default = "linuxserver/sabnzbd";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/sabnzbd";
};
moviesPath = mkOption {
type = types.str;
default = "/media/nas/main/movies";
};
tvPath = mkOption {
type = types.str;
default = "/media/nas/main/tv";
};
downloadsPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/downloads";
};
downloadsIncompletePath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}


@@ -1,57 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
sabnzbdPort = 8080;
dataDir = "/var/lib/sabnzbd";
downloadDir = "/downloads";
mediaDir = "/media";
sabnzbdUserId = config.users.users.nix-apps.uid;
sabnzbdGroupId = config.users.groups.jallen-nas.gid;
package = pkgs.sabnzbd;
in
{
containers.sabnzbd = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.2.20";
config =
{
config,
pkgs,
lib,
...
}:
{
# Enable sabnzbd service
services.sabnzbd = {
enable = true;
openFirewall = true;
};
networking = {
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.2.20:8080";
sourcePort = sabnzbdPort;
}
];
};
}


@@ -1,26 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.sonarr;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:8989" ];
volumes = [
"${cfg.configPath}:/config"
"${cfg.tvPath}:/tv"
"${cfg.downloadsPath}:/downloads"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}


@@ -1,57 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.sonarr = {
enable = mkEnableOption "sonarr docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "8989";
};
name = mkOption {
type = types.str;
default = "sonarr";
};
image = mkOption {
type = types.str;
default = "linuxserver/sonarr";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/sonarr";
};
tvPath = mkOption {
type = types.str;
default = "/media/nas/main/tv";
};
downloadsPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/downloads";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}


@@ -1,118 +0,0 @@
# {
# config,
# pkgs,
# lib,
# ...
# }:
# let
# sonarrPort = 8989;
# dataDir = "/var/lib/sonarr";
# downloadDir = "/downloads";
# mediaDir = "/media";
# sonarrUserId = config.users.users.nix-apps.uid;
# sonarrGroupId = config.users.groups.jallen-nas.gid;
# in
# {
# containers.sonarr = {
# autoStart = true;
# privateNetwork = true;
# hostAddress = "10.0.1.18";
# localAddress = "10.0.1.50";
# hostAddress6 = "fc00::1";
# localAddress6 = "fc00::2";
# config =
# {
# config,
# pkgs,
# lib,
# ...
# }:
# {
# # Enable Sonarr service
# services.sonarr = {
# enable = true;
# user = "sonarr";
# group = "media";
# dataDir = dataDir;
# };
# # Create required users and groups
# users.users.sonarr = {
# isSystemUser = true;
# uid = lib.mkForce sonarrUserId;
# group = "media";
# extraGroups = [ "downloads" ];
# };
# users.groups = {
# media = {
# gid = lib.mkForce sonarrGroupId;
# };
# downloads = { };
# };
# # System packages
# environment.systemPackages = with pkgs; [
# sqlite
# mono
# mediainfo
# ];
# # Create and set permissions for required directories
# system.activationScripts.sonarr-dirs = ''
# mkdir -p ${dataDir}
# mkdir -p ${downloadDir}
# mkdir -p ${mediaDir}
# chown -R sonarr:media ${dataDir}
# chown -R sonarr:media ${downloadDir}
# chown -R sonarr:media ${mediaDir}
# chmod -R 775 ${dataDir}
# chmod -R 775 ${downloadDir}
# chmod -R 775 ${mediaDir}
# '';
# networking = {
# firewall = {
# enable = true;
# allowedTCPPorts = [ sonarrPort ];
# };
# # Use systemd-resolved inside the container
# # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
# useHostResolvConf = lib.mkForce false;
# };
# services.resolved.enable = true;
# system.stateVersion = "23.11";
# };
# # Bind mount directories from host
# bindMounts = {
# "/var/lib/sonarr" = {
# hostPath = "/media/nas/ssd/nix-app-data/sonarr";
# isReadOnly = false;
# };
# "/downloads" = {
# hostPath = "/media/nas/ssd/ssd_app_data/downloads";
# isReadOnly = false;
# };
# "/media" = {
# hostPath = "/media/nas/main/tv";
# isReadOnly = false;
# };
# };
# };
# networking.nat = {
# forwardPorts = [
# {
# destination = "10.0.1.50:8989";
# sourcePort = 8989;
# }
# ];
# };
# }


@@ -2,14 +2,11 @@
{ {
imports = [ imports = [
./samba ./samba
./apps/arrs
./apps/collabora ./apps/collabora
./apps/deluge ./apps/deluge
./apps/discover-wrapped ./apps/discover-wrapped
./apps/free-games-claimer ./apps/free-games-claimer
./apps/jackett ./apps/jackett
./apps/jellyfin
./apps/jellyseerr
./apps/manyfold ./apps/manyfold
./apps/mariadb ./apps/mariadb
./apps/mongodb ./apps/mongodb


@@ -1,128 +0,0 @@
{ config, ... }:
let
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
dbpass = config.sops.secrets."jallen-nas/nextcloud/dbpassword".path;
smtppassword = config.sops.templates."nextcloud-smtp".content;
in
{
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
# hostAddress = "127.0.0.1";
# localAddress = "10.233.0.2";
# hostAddress6 = "fc00::1";
# localAddress6 = "fc00::2";
# hostForward = [
# {
# hostPort = 9943;
# containerPort = 80;
# }
# ];
hostBridge = "br0";
bindMounts = {
secrets = {
hostPath = "/run/secrets/jallen-nas/nextcloud";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/nextcloud";
};
data = {
hostPath = "/media/nas/main/nextcloud";
isReadOnly = false;
mountPoint = "/data";
};
};
config =
{ pkgs, lib, ... }:
{
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud29;
datadir = "/data";
hostName = "localhost";
appstoreEnable = true;
caching.redis = true;
configureRedis = true;
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "10.0.1.18:3306";
dbtype = "mysql";
dbname = "jallen_nextcloud";
dbuser = "nextcloud";
dbpassFile = dbpass;
};
settings = {
trusted_domains = [
"10.0.1.18:9980"
"10.0.1.18:9943"
"cloud.mjallen.dev"
];
trusted_proxies = [ "10.0.1.18" ];
maintenance_window_start = 6;
default_phone_region = "US";
mail_from_address = "matt.l.jallen";
mail_smtpmode = "smtp";
mail_sendmailmode = "smtp";
mail_domain = "gmail.com";
mail_smtpauth = 1;
mail_smtpname = "matt.l.jallen";
mail_smtppassword = smtppassword;
mail_smtpsecure = "ssl";
mail_smtphost = "smtp.gmail.com";
mail_smtpport = 465;
enable_previews = true;
enabledPreviewProviders = [
"OC\\\\Preview\\\\PNG"
"OC\\\\Preview\\\\JPEG"
"OC\\\\Preview\\\\GIF"
"OC\\\\Preview\\\\BMP"
"OC\\\\Preview\\\\XBitmap"
"OC\\\\Preview\\\\MP3"
"OC\\\\Preview\\\\TXT"
"OC\\\\Preview\\\\MarkDown"
"OC\\\\Preview\\\\OpenDocument"
"OC\\\\Preview\\\\Krita"
"OC\\\\Preview\\\\HEIC"
];
};
};
nginx = {
enable = true;
virtualHosts = {
"nextcloud-container.local" = {
# Change this to the desired port number
listen = [
{
addr = "0.0.0.0";
port = 9943;
}
];
root = "/var/www/nextcloud";
# You may need to adjust other options for your specific setup
};
};
};
};
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ 9943 ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
};
}


@@ -8,6 +8,7 @@
directories = [ directories = [
"/var/lib/bluetooth" "/var/lib/bluetooth"
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/libvirt"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/etc/secureboot" "/etc/secureboot"