many cleanup, secrets, onlyoffice

mjallen18
2025-03-25 17:29:04 -05:00
parent 629b3ee68f
commit dcab646449
29 changed files with 299 additions and 814 deletions


@@ -16,9 +16,6 @@
* [specialisations.hyprland](./hosts/desktop/hyprland)
* [specialisations.gnome](./hosts/desktop/gnome)
* [specialisations.cosmic](./hosts/desktop/cosmic)
* cachix
* [cachix.nix](./cachix/cachix.nix)
* [nix-community.nix](./cachix/nix-community.nix)
### NAS
* [boot.nix](./hosts/nas/boot.nix)
@@ -34,9 +31,6 @@
* [samba](./modules/samba)
* nas-apps
* [arrs](./hosts/nas/apps/arrs/default.nix)
* [collabora](./modules/apps/collabora)
* [deluge](./modules/apps/deluge)
* [discover-wrapped](./modules/apps/discover-wrapped)
* [free-games-claimer](./modules/apps/free-games-claimer)
* [jackett](./modules/apps/jackett)
* [jellyfin](./hosts/nas/apps/jellyfin/default.nix)
@@ -44,7 +38,7 @@
* [jackett](./modules/apps/manyfold)
* [mariadb](./modules/apps/mariadb)
* [mealie](./modules/apps/mealie)
* [nextcloud](./hosts/nas/apps/nextcloud/default.nix)
* [nextcloud+onlyoffice](./hosts/nas/apps/nextcloud/default.nix)
* [ollama](./hosts/nas/apps/ollama/default.nix)
* [paperless](./hosts/nas/apps/paperless/default.nix)
* [tdarr](./modules/apps/tdarr)

301
flake.lock generated

@@ -47,6 +47,21 @@
"type": "github"
}
},
"crane_3": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"desktop-chaotic": {
"inputs": {
"fenix": "fenix",
@@ -70,28 +85,6 @@
"type": "github"
}
},
"desktop-cosmic": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"desktop-nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1742395601,
"narHash": "sha256-WSoI4R/pY/8AY5ulSn03nry9KFGBGFRFcXjhBYYRYtI=",
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"rev": "7f8e9de5c8494d209bd618dad4ad81e98b19fabc",
"type": "github"
},
"original": {
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"type": "github"
}
},
"desktop-home-manager": {
"inputs": {
"nixpkgs": [
@@ -130,7 +123,7 @@
"desktop-lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"desktop-nixpkgs"
@@ -273,22 +266,6 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1717312683,
"narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@@ -304,7 +281,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1733328505,
@@ -320,6 +297,22 @@
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1717312683,
"narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
@@ -336,6 +329,22 @@
"type": "github"
}
},
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@@ -376,6 +385,27 @@
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"nas-lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": [
"steamdeck-lanzaboote",
@@ -485,6 +515,28 @@
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"nas-lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_3": {
"inputs": {
"nixpkgs": [
"steamdeck-lanzaboote",
@@ -621,7 +673,7 @@
"nas-authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2",
"flake-utils": "flake-utils",
"napalm": "napalm",
@@ -645,6 +697,29 @@
"type": "github"
}
},
"nas-cosmic": {
"inputs": {
"flake-compat": "flake-compat_3",
"nixpkgs": [
"nas-nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2",
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1742863891,
"narHash": "sha256-/mGCIxO7zlWCHOZLaOMRoJgSLpIav0PBKWG3BQddElw=",
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"rev": "366999efebcad2165f472ef93e9c996693bda75d",
"type": "github"
},
"original": {
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"type": "github"
}
},
"nas-crowdsec": {
"inputs": {
"flake-utils": "flake-utils_2",
@@ -701,6 +776,32 @@
"type": "github"
}
},
"nas-lanzaboote": {
"inputs": {
"crane": "crane_2",
"flake-compat": "flake-compat_4",
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nas-nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix_2",
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"nas-nixos-hardware": {
"locked": {
"lastModified": 1742376361,
@@ -893,11 +994,27 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1742268799,
"narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=",
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "da044451c6a70518db5b730fe277b70f494188f1",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1742512142,
"narHash": "sha256-8XfURTDxOm6+33swQJu/hx6xw1Tznl8vJJN5HwVqckg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7105ae3957700a9646cc4b766f5815b23ed0c682",
"type": "github"
},
"original": {
@@ -907,7 +1024,7 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
@@ -923,7 +1040,7 @@
"type": "github"
}
},
"nixpkgs-stable_3": {
"nixpkgs-stable_4": {
"locked": {
"lastModified": 1742268799,
"narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=",
@@ -939,7 +1056,7 @@
"type": "github"
}
},
"nixpkgs-stable_4": {
"nixpkgs-stable_5": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
@@ -1116,7 +1233,7 @@
"desktop-lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731363552,
@@ -1135,15 +1252,42 @@
"pre-commit-hooks-nix_2": {
"inputs": {
"flake-compat": [
"steamdeck-lanzaboote",
"nas-lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"nas-lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks-nix_3": {
"inputs": {
"flake-compat": [
"steamdeck-lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_3",
"nixpkgs": [
"steamdeck-lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_4"
"nixpkgs-stable": "nixpkgs-stable_5"
},
"locked": {
"lastModified": 1731363552,
@@ -1162,7 +1306,6 @@
"root": {
"inputs": {
"desktop-chaotic": "desktop-chaotic",
"desktop-cosmic": "desktop-cosmic",
"desktop-home-manager": "desktop-home-manager",
"desktop-impermanence": "desktop-impermanence",
"desktop-lanzaboote": "desktop-lanzaboote",
@@ -1171,14 +1314,16 @@
"desktop-sops-nix": "desktop-sops-nix",
"desktop-steam-rom-manager": "desktop-steam-rom-manager",
"nas-authentik-nix": "nas-authentik-nix",
"nas-cosmic": "nas-cosmic",
"nas-crowdsec": "nas-crowdsec",
"nas-home-manager": "nas-home-manager",
"nas-impermanence": "nas-impermanence",
"nas-lanzaboote": "nas-lanzaboote",
"nas-nixos-hardware": "nas-nixos-hardware",
"nas-nixpkgs": "nas-nixpkgs",
"nas-sops-nix": "nas-sops-nix",
"nix-darwin": "nix-darwin",
"nixpkgs-stable": "nixpkgs-stable_3",
"nixpkgs-stable": "nixpkgs-stable_4",
"nixpkgs-unstable": "nixpkgs-unstable",
"pi4-home-manager": "pi4-home-manager",
"pi4-impermanence": "pi4-impermanence",
@@ -1252,6 +1397,48 @@
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"nas-cosmic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1742437918,
"narHash": "sha256-Vflb6KJVDikFcM9E231mRN88uk4+jo7BWtaaQMifthI=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "f03085549609e49c7bcbbee86a1949057d087199",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_3": {
"inputs": {
"nixpkgs": [
"nas-lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_4": {
"inputs": {
"nixpkgs": [
"steamdeck-lanzaboote",
@@ -1353,14 +1540,14 @@
},
"steamdeck-lanzaboote": {
"inputs": {
"crane": "crane_2",
"flake-compat": "flake-compat_4",
"flake-parts": "flake-parts_3",
"crane": "crane_3",
"flake-compat": "flake-compat_5",
"flake-parts": "flake-parts_4",
"nixpkgs": [
"steamdeck-nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix_2",
"rust-overlay": "rust-overlay_2"
"pre-commit-hooks-nix": "pre-commit-hooks-nix_3",
"rust-overlay": "rust-overlay_4"
},
"locked": {
"lastModified": 1737639419,


@@ -31,8 +31,6 @@ in
efi.canTouchEfiVariables = lib.mkForce false;
};
apps.discover-wrapped.enable = lib.mkDefault false;
boot.extraModprobeConfig = ''
options hid_apple iso_layout=0
'';


@@ -4,7 +4,6 @@
home-manager.users.matt = import ./home.nix;
apps.discover-wrapped.enable = false;
services = {
xserver = {


@@ -14,31 +14,14 @@
../../modules
./apps/netdata
./apps/collabora
];
nas-apps = {
collabora = {
enable = false;
environmentFiles = [ config.sops.secrets."jallen-nas/collabora".path ];
};
free-games-claimer.enable = true;
jackett.enable = false;
manyfold.enable = true;
mariadb = {
enable = false;
environmentFiles = [
config.sops.secrets."jallen-nas/mariadb/db_pass".path
config.sops.secrets."jallen-nas/mariadb/root_pass".path
];
};
mongodb.enable = true;
netbootxyz = {
enable = true;
@@ -46,12 +29,12 @@
port2 = "4080";
};
open-webui.enable = false;
paperless-ai.enable = true;
tdarr.enable = true;
your_spotify.enable = true;
# spotify cancelled, data still in db
your_spotify.enable = false;
mongodb.enable = false;
};
}


@@ -1,26 +0,0 @@
{ config, ... }:
{
virtualisation.oci-containers.containers.onlyoffice = {
image = "onlyoffice/documentserver:latest";
ports = ["9980:80"];
environment = {
USE_UNAUTHORIZED_STORAGE = "true";
};
environmentFiles = [
config.sops.secrets."jallen-nas/onlyoffice-key".path
];
};
# services.collabora-online = {
# enable = false;
# port = 9980;
# };
# services.onlyoffice = {
# enable = true;
# port = 9980;
# hostname = "office.mjallen.dev";
# };
# users.users.onlyoffice.isSystemUser = true;
# users.users.onlyoffice.isNormalUser = false;
}


@@ -2,6 +2,7 @@
let
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid;
nextcloudPackage = pkgs.unstable.nextcloud31;
@@ -19,6 +20,12 @@ in
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/nextcloud";
};
secrets2 = {
hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
};
data = {
hostPath = "/media/nas/main/nextcloud";
@@ -32,11 +39,11 @@ in
mountPoint = "/var/lib/nextcloud";
};
# "/var/lib/onlyoffice" = {
# hostPath = "/media/nas/ssd/nix-app-data/onlyoffice";
# isReadOnly = false;
# mountPoint = "/var/lib/onlyoffice";
# };
"/var/lib/onlyoffice" = {
hostPath = "/media/nas/ssd/nix-app-data/onlyoffice";
isReadOnly = false;
mountPoint = "/var/lib/onlyoffice";
};
};
config =
@@ -108,11 +115,19 @@ in
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
};
};
};
services.onlyoffice = {
enable = true;
port = 9980;
hostname = "office.mjallen.dev";
jwtSecretFile = jwtSecretFile;
};
# System packages
environment.systemPackages = with pkgs; [
cudaPackages.cudnn
@@ -121,7 +136,7 @@ in
# libtensorflow-bin
nextcloud31
nodejs
# onlyoffice-documentserver
onlyoffice-documentserver
sqlite
];
@@ -132,9 +147,9 @@ in
group = "nextcloud";
};
# users.users.onlyoffice = {
# group = lib.mkForce "nextcloud";
# };
users.users.onlyoffice = {
group = lib.mkForce "nextcloud";
};
users.groups = {
nextcloud = {
@@ -183,6 +198,7 @@ in
allowedTCPPorts = [
80
443
9980
];
};
# Use systemd-resolved inside the container
@@ -209,6 +225,10 @@ in
destination = "10.0.2.18:8000";
sourcePort = 8000;
}
{
destination = "10.0.2.18:9980";
sourcePort = 9980;
}
];
};
};
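Review bot: Port 9980 is opened at three layers for the document server: the `9980` entry added to the container's `allowedTCPPorts`, the new `forwardPorts` entry with `destination = "10.0.2.18:9980"`, and the `9980 # onlyoffice` entry added to the host port list in a later section of this commit. The Traefik service in this commit already targets `http://10.0.2.18:9980` directly. If the proxy reaches the container on that address, the host-level forward and the host firewall entry look unnecessary, and they leave the plain-HTTP document server reachable without passing through the `websecure` router and its TLS; consider keeping only the container-side rule, or limiting it to the proxy's source address. As a smaller style point, `jwtSecretFile = jwtSecretFile;` inside `services.onlyoffice` can be written `inherit jwtSecretFile;`. The enclosing firewall and forwarding blocks start and end outside these hunks, so any source restriction defined elsewhere is not visible here.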


@@ -4,7 +4,7 @@ let
authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io";
authentikUrl = "http://10.0.1.18:9000";
collaboraUrl = "http://10.0.1.18:9980";
onlyofficeUrl = "http://10.0.2.18:9980";
cloudUrl = "http://10.0.2.18:80";
jellyfinUrl = "http://10.0.1.18:8096";
jellyseerrUrl = "http://10.0.1.52:5055";
@@ -137,9 +137,9 @@ in
url = authentikUrl;
}
];
collabora.loadBalancer.servers = [
onlyoffice.loadBalancer.servers = [
{
url = collaboraUrl;
url = onlyofficeUrl;
}
];
cloud.loadBalancer.servers = [
@@ -193,10 +193,10 @@ in
service = "authentik";
tls.certResolver = "letsencrypt";
};
collabora = {
onlyoffice = {
entryPoints = [ "websecure" ];
rule = "Host(`office.${domain}`)";
service = "collabora";
service = "onlyoffice";
middlewares = "onlyoffice-websocket";
tls.certResolver = "letsencrypt";
};


@@ -11,7 +11,8 @@ let
1143
10200
10300
8127
8127
9980 # onlyoffice
];
in
{


@@ -175,8 +175,8 @@ in
authentik = {
enable = true;
environmentFile = "/media/nas/ssd/nix-app-data/authentik/.env";
# environmentFile = "/media/nas/ssd/nix-app-data/authentik/.env";
environmentFile = config.sops.secrets."jallen-nas/authentik-env".path;
};
postgresql = {
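Review bot: The plaintext `/media/nas/ssd/nix-app-data/authentik/.env` is still on disk after `environmentFile` switches to `config.sops.secrets."jallen-nas/authentik-env".path`, and the commented-out line keeps pointing at it. Delete that file once the sops-managed one is confirmed working, and drop the `# environmentFile = …` line instead of leaving it as a fallback. The same class of issue applies to the open-webui module deleted later in this commit: its `OAUTH_CLIENT_SECRET` literal stays in repository history after the file is removed, so that client secret should be rotated at the provider, not treated as retired. The `authentik` block starts and ends outside this hunk.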


@@ -41,6 +41,9 @@ in
"upsmon.service"
];
};
"jallen-nas/authentik-env" = {
restartUnits = [ "authentik.service" ];
};
"jallen-nas/collabora" = {
restartUnits = [ "podman-collabora.service" ];
};
@@ -68,6 +71,12 @@ in
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
"jallen-nas/onlyoffice-key" = {
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
"jallen-nas/manyfold/secretkeybase" = {
restartUnits = [ "podman-manyfold.service" ];
};
@@ -95,9 +104,6 @@ in
"jallen-nas/netdata-token" = {
restartUnits = [ "netdata.service" ];
};
"jallen-nas/onlyoffice-key" = {
restartUnits = [ "podman-onlyoffice.service" ];
};
"jallen-nas/paperless/secret" = {
restartUnits = [ "container@paperless.service" ];
};
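Review bot: `mode = "0650"` on the new `"jallen-nas/onlyoffice-key"` entry gives the group read and execute on a secret file while the owner has no execute bit, which looks like a typo; `mode = "0640"` (or `"0440"` if nothing needs to write it) grants the same read access without the stray bit. If the value was copied from the neighbouring nextcloud entries they would deserve the same correction, though their modes are not visible in this hunk. The `"jallen-nas/collabora"` entry with `restartUnits = [ "podman-collabora.service" ]` remains as context although the collabora module is deleted in this commit, so that secret is presumably still decrypted on the host for a unit that no longer exists; removing the entry and its key from the secrets file would finish the cleanup.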


@@ -1,38 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.collabora;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
extraOptions = [
"--cap-add=MKNOD"
"--privileged"
];
ports = [ "${cfg.port}:9980" ];
volumes = [
# ...
];
environmentFiles = cfg.environmentFiles;
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
username = cfg.username;
# password = cfg.password; # get from env file
domain = "office.mjallen.dev";
aliasgroup1 = "https://cloud.mjallen.dev:443";
aliasgroup2 = "https://cloud.mjallen.dev:443";
# DONT_GEN_SSL_CERT = cfg.dontGenSslCert;
server_name = cfg.serverName;
dictionaries = cfg.dictionaries;
extra_params = cfg.extraParams;
};
};
};
}


@@ -1,72 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.collabora = {
enable = mkEnableOption "collabora docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "9980";
};
name = mkOption {
type = types.str;
default = "collabora";
};
image = mkOption {
type = types.str;
default = "collabora/code:24.04.5.1.1";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
username = mkOption {
type = types.str;
default = "mjallen";
};
environmentFiles = mkOption {
type = with types; listOf path;
default = [ ];
};
dontGenSslCert = mkOption {
type = types.str;
default = "1";
};
serverName = mkOption {
type = types.str;
default = "office.mjallen.dev";
};
dictionaries = mkOption {
type = types.str;
default = "de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru";
};
extraParams = mkOption {
type = types.str;
default = "--o:ssl.enable=false --o:ssl.termination=true --o:net.post_allow.host[0]=.+ --o:storage.wopi.host[0]=.+ --o:net.proto=IPv4";
};
};
}


@@ -1,39 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.deluge;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [
"${toString cfg.port1}:8112"
"${toString cfg.port2}:8118"
"${toString cfg.port3}:58846"
"${toString cfg.port4}:58966"
];
extraOptions = [ "--cap-add=NET_ADMIN" ];
volumes = [
"${cfg.configPath}:/config"
"${cfg.moviesPath}:/data/downloads"
"${cfg.tvPath}:/data/downloads-icomplete"
"/etc/localtime:/etc/localtime:ro"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
VPN_ENABLED = "yes";
VPN_PROV = "custom";
VPN_CLIENT = "openvpn";
LAN_NETWORK = "10.0.1.0/24";
NAME_SERVERS = "1.1.1.1";
};
};
};
}


@@ -1,72 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.deluge = {
enable = mkEnableOption "deluge docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
name = mkOption {
type = types.str;
default = "deluge";
};
port1 = mkOption {
type = types.str;
default = "8112";
};
port2 = mkOption {
type = types.str;
default = "8118";
};
port3 = mkOption {
type = types.str;
default = "58846";
};
port4 = mkOption {
type = types.str;
default = "58966";
};
image = mkOption {
type = types.str;
default = "binhex/arch-delugevpn";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/deluge";
};
moviesPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/downloads";
};
tvPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
};
puid = mkOption {
type = types.str;
default = "0";
};
pgid = mkOption {
type = types.str;
default = "0";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}


@@ -1,28 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.apps.discover-wrapped;
# discover-wrapper is needed as of 1/24/24 since PackageKit does not work correctly so this removes error messages.
discover-wrapped = pkgs.symlinkJoin {
name = "discover-flatpak-backend";
paths = [ pkgs.libsForQt5.discover ];
buildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/plasma-discover --add-flags "--backends flatpak"
'';
};
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
# Configure environment
environment.systemPackages = [ discover-wrapped ];
};
}


@@ -1,7 +0,0 @@
{ lib, ... }:
with lib;
{
options.apps.discover-wrapped = {
enable = mkEnableOption "enable discover with flatpak";
};
}


@@ -1,25 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.jackett;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:9117" ];
volumes = [
"${cfg.configPath}:/config"
"${cfg.downloadsPath}:/downloads"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}


@@ -1,52 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.jackett = {
enable = mkEnableOption "jackett docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "9117";
};
name = mkOption {
type = types.str;
default = "jackett";
};
image = mkOption {
type = types.str;
default = "linuxserver/jackett";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/jackett";
};
downloadsPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/downloads";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}


@@ -1,27 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.mariadb;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:3306" ];
volumes = [ "${cfg.configPath}:/config" ];
environmentFiles = cfg.environmentFiles;
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
# MYSQL_ROOT_PASSWORD = cfg.rootPassword; # get from env file
MYSQL_DATABASE = cfg.databaseName;
MYSQL_USER = cfg.databaseUser;
# MYSQL_PASSWORD = cfg.databasePassword; # get from env file
};
};
};
}


@@ -1,62 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.mariadb = {
enable = mkEnableOption "mariadb docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "3306";
};
name = mkOption {
type = types.str;
default = "mariadb";
};
image = mkOption {
type = types.str;
default = "linuxserver/mariadb";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/mariadb";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
databaseName = mkOption {
type = types.str;
default = "jallen_nextcloud";
};
databaseUser = mkOption {
type = types.str;
default = "nextcloud";
};
environmentFiles = mkOption {
type = with types; listOf path;
default = [ ];
};
};
}


@@ -1,26 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.ollama;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers.${cfg.name} = {
autoStart = true;
image = cfg.image;
extraOptions = [ "--device=nvidia.com/gpu=0" ];
volumes = [ "${cfg.configPath}:/root/.ollama" ];
ports = [ "${cfg.port}:11434" ];
environment = {
NVIDIA_VISIBLE_DEVICES = "all";
NVIDIA_DRIVER_CAPABILITIES = "all";
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}


@@ -1,47 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.ollama = {
enable = mkEnableOption "ollama docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "11434";
};
name = mkOption {
type = types.str;
default = "ollama";
};
image = mkOption {
type = types.str;
default = "ollama/ollama";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/ollama";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}


@@ -1,35 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.open-webui;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers.${cfg.name} = {
autoStart = true;
image = cfg.image;
extraOptions = [ "--device=nvidia.com/gpu=0" ];
volumes = [
"${cfg.configPath}:/app/backend/data"
"${cfg.ollamaPath}:/root/.ollama"
];
ports = [ "${cfg.port}:8080" ];
environment = {
NVIDIA_VISIBLE_DEVICES = "all";
NVIDIA_DRIVER_CAPABILITIES = "all";
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
OAUTH_CLIENT_ID = "P4YrtPrdwoQkwYs4e5AHQx7xiz4FV6OpT24rjqXa";
OAUTH_CLIENT_SECRET = "XpZ1Y9RUMD6FVxBSxg8evHkRYuSUJ3saN99uCFfeNo4Z8vrmnqZBHJQzSSCFig1fgqEYCr3SmcOvCHGHUsz9FJT2aZFlZxKv6bZZpuMQYASHiQtuX2pTVEspiNab3129";
OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
OPENID_PROVIDER_NAME = "authentik";
ENABLE_OAUTH_SIGNUP = "true";
OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "true";
};
};
};
}


@@ -1,52 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.open-webui = {
enable = mkEnableOption "open-webui docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "8888";
};
name = mkOption {
type = types.str;
default = "open-webui";
};
image = mkOption {
type = types.str;
default = "ghcr.io/open-webui/open-webui:ollama";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/open-webui";
};
ollamaPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/ollama";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}


@@ -2,15 +2,10 @@
{
imports = [
./samba
./apps/collabora
./apps/discover-wrapped
./apps/free-games-claimer
./apps/jackett
./apps/manyfold
./apps/mariadb
./apps/mongodb
./apps/netbootxyz
./apps/open-webui
./apps/tdarr
./apps/your-spotify
];


@@ -1,73 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-samba;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
# make shares visible for Windows clients
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
services.netatalk = {
enable = cfg.enableTimeMachine;
settings = {
time-machine = {
path = cfg.timeMachinePath;
"valid users" = "whoever";
"time machine" = cfg.enableTimeMachine;
};
};
};
networking.firewall.enable = true;
networking.firewall.allowPing = true;
services.samba = {
enable = true;
openFirewall = true;
# settings = {
# create-mode = 664;
# force directory mode = 2770
# workgroup = WORKGROUP
# server string = jallen-nas
# netbios name = jallen-nas
# security = user
# #use sendfile = yes
# #max protocol = smb2
# # note: localhost is the ipv6 localhost ::1
# hosts allow = ${cfg.hostsAllow} 127.0.0.1 localhost
# hosts deny = 0.0.0.0/0
# guest account = nobody
# map to guest = bad user
# usershare allow guests = yes
# };
settings =
let
make =
name: share:
nameValuePair "${name}" {
path = share.sharePath;
public = if share.enableTimeMachine then "no" else "yes";
private = if !share.public || share.enableTimeMachine then "yes" else "no";
browseable = if share.browseable then "yes" else "no";
writable = "yes";
"force group" = "jallen-nas";
"read only" = if share.readOnly then "yes" else "no";
"guest ok" = if share.guestOk then "yes" else "no";
"create mask" = share.createMask;
"directory mask" = share.directoryMask;
"fruit:aapl" = if share.enableTimeMachine then "yes" else "no";
"fruit:time machine" = if share.enableTimeMachine then "yes" else "no";
"vfs objects" = "catia fruit streams_xattr";
"fruit:time machine max size" = share.timeMachineMaxSize;
};
in
mapAttrs' make cfg.shares;
};
};
}


@@ -30,22 +30,6 @@ in
services.samba = {
enable = true;
openFirewall = true;
# settings = {
# create-mode = 664;
# force directory mode = 2770
# workgroup = WORKGROUP
# server string = jallen-nas
# netbios name = jallen-nas
# security = user
# #use sendfile = yes
# #max protocol = smb2
# # note: localhost is the ipv6 localhost ::1
# hosts allow = ${cfg.hostsAllow} 127.0.0.1 localhost
# hosts deny = 0.0.0.0/0
# guest account = nobody
# map to guest = bad user
# usershare allow guests = yes
# };
settings =
let
make =
@@ -53,7 +37,6 @@ in
nameValuePair "${name}" {
path = share.sharePath;
public = if share.enableTimeMachine then "no" else "yes";
private = if !share.public || share.enableTimeMachine then "yes" else "no";
browseable = if share.browseable then "yes" else "no";
writable = "yes";
"force group" = "jallen-nas";
@@ -65,7 +48,6 @@ in
"fruit:time machine" = if share.enableTimeMachine then "yes" else "no";
"vfs objects" = "catia fruit streams_xattr";
"fruit:time machine max size" = share.timeMachineMaxSize;
# "smbd profiling level" = "on";
};
in
mapAttrs' make cfg.shares;


@@ -3,6 +3,7 @@ wifi: ENC[AES256_GCM,data:Rs+4Km4DogO7XatA,iv:JUv9HkNWsv/l4Fli5sFeUeYuWG1Yju95G5
jallen-nas:
admin_password: ENC[AES256_GCM,data:RGb0UQkLhqfBWflIc5r8yWgYvc0EZuM49uhnXH1r6o9d7Ya7eAoTn2DHdWmYnd9/LpTXPmLF07Nf8s1+/odYx8RBmaji56yWbQ==,iv:dGlvZtZFB8jsI33Qkmmb3iHTXqpVWfbd0EfNK0uX3i4=,tag:z6THeY0UmG64VwOdwnL/AA==,type:str]
ups_password: ENC[AES256_GCM,data:yHCwM7XbbhQZwxE=,iv:m4dD6VlrplHbZB5hnV1fk5N8IOsc+fA5qhTcrqiTxDM=,tag:41EaB9z2jlNTfPw5wlWQ3g==,type:str]
authentik-env: ENC[AES256_GCM,data:5VLJg1RZM7L0uF97nVhhbp8kDFCFyaa0NdVb21lyn5J4NYN/BsoNXEiC0IR9pXjIVd5ogpm5BhKgtsQeSmXfOHAr+acbcwtJQ9U9Cvn4iaq4jJ4LcKMCMrLOiIe1zcqorPIiUXrQ2xX04k83m9KPKAEXyYiwIbmCQI7knd9f3S7q8cnTMT6oCcLenZFXL3fVgpAU+NOpbYeByXdZ/TLXN92qImcRTZ4lIaG6fkqhzzrgO2mp6DL8Tc+Y22k5EU+69GzWcMSENMhPhMXDZd87R6l0VZc77BRecV6X1qlhjYiCbAffgJrcjZWZvHJRtYazR+mGONXlmORiRGGUDhgXYIWeOkZnL6HESkvph3G9VLS4fU2J/v9kF3MrnSbWWFMvU8nca/JrDxxfcIschGcWQ9PM33MR+3ScY4hma8kro73qNhgaiutWa/txLxxMOuiTxKxU88PN2lfp5c3O8MIj4/mRnCnu7QwmTG99Iga1xzaoI5nTP9xqGevSidoJ61s2J6Nm6aFi7OjUW+sG4HUd4Bj9D6Yhatn8UtggMIBAcjo8kcluXTjtse2mfEheQnl+OvJYgYLT4m/+O9HALbdEIXdRvUR6QLIO3ADSFAfGNKr0qgNGN+8ixnWywsclnb+ZI4TYnB4gJVs3VV3wNP0UOnZLtEtK9luDZHVTU914uBuZxzh54cdcy+I99dfuIX7YOIu75gOy4yRnu9qygyXS9/xKldFjpVN+YZ2SWj06aTWXg5LghqRSW8oAURoJxqvEHQ8=,iv:u9e/8M5LuUxq9guYAotWiq5sUQvIFwHifHTyRvMqhoE=,tag:woEsW51e7LDQImLnQPjqAw==,type:str]
collabora: ENC[AES256_GCM,data:A01H7FzgSplAEn0dsENgllyWza4=,iv:L9bPHKdeIHn7caYn78XOkdmuSk1RIuSVcIW5HFQL8PY=,tag:h0kiClGAwGB6iP327flWew==,type:str]
mariadb:
root_pass: ENC[AES256_GCM,data:YLPfEG4/6FeCnrKdfXv9z4hHwtpM/KtBCYqlm4IUvA==,iv:pc9Ljasy76bfkmFRJ4M+wfEtjXBUD7Kb0S0WQZhCmOs=,tag:Wk/7gpKidirhRqw4+Pu96g==,type:str]
@@ -12,7 +13,7 @@ jallen-nas:
dbpassword: ENC[AES256_GCM,data:Xu92h2psR4jAJDM=,iv:UsJD1zq9Uy0Exxk58nkyPGyI8m2BOuvr2DK843h5pSk=,tag:k4MvHT8BoahCf9ZxQw8ovA==,type:str]
adminpassword: ENC[AES256_GCM,data:y4PXSbrAAw3A6cg=,iv:10Dm3IYqKJz2FNRteauuYSKXCHE2IKHv4ytidUvblXA=,tag:OAsZ69s4g2p0JEenLbkXdA==,type:str]
smtp_settings: ENC[AES256_GCM,data:JCbXCQwJtTFgHeLTIJ2ZNWwOreZV3uKWl9qNvE9uQcOULToZDWLQoOGyuGzl7Xlb2yyLiaYYlOFRV9bbbfjBljz+4I9b6cw0dNdhaKg3CpUzdFqRq3dvi4zCy/HEf1Rp/ccU92JelYkfP9S3yNdYq3i+52kr98g5F722ktDC79RiRtJJ44CRff5NBYnDJdGa5OWBf7yPW/5xsX7oqaDI/3yzYTbPGImnQkYfG0GUFP3tRVul0EM++0UoOTcKXEUvolAc0Ij672ONYm+ZqJp8wckouZu2Gae1AK0DficffiZfy4jI1obJPPkQYzoPBWSr7UU9s8PC7zsx2o8OklWZu2LqFxzd1J59qCfIhHrbz2N8OeJhwD+nySrKj1jPdz5amXJT1b4xHE4/YJg7LJmsAYmbEH6OH4928CqYLLwJcaZeVZ6EmeDT,iv:GLy1n7lun9OaOgQJw607moJQwWf4PuD9kUONJOjXuXQ=,tag:AqRJnISyoRkA6I/prZoQpg==,type:str]
onlyoffice-key: ENC[AES256_GCM,data:htJ+CEyeHgdxbOGKT5SFPaQeFYw0vw==,iv:J/yl1vYx4As8TwpgNYkeiZZixXzHMFeF0/D3zY+MmIc=,tag:wdc8hRLs+qWpVhwGsvSqZg==,type:str]
onlyoffice-key: ENC[AES256_GCM,data:KEX5GfFJgQJulSI=,iv:5yss7JSyyvf2I5Mdn7iJsMBQps59XSEUzWdfyZ7WyLg=,tag:7i1Y3cx4QQzB5LjrfuhCKw==,type:str]
manyfold:
secretkeybase: ENC[AES256_GCM,data:b+fgTrtnZcp34DOQ0dtKc6bX6/dm9j0o3QJr,iv:e4hOwgTFCXVokGqhwKsYHt5IQgtaKcMmEqvDoMly5aI=,tag:E8gFiOuozA4T1mmcgXfbDg==,type:str]
immich:
@@ -144,8 +145,8 @@ sops:
TWRvYVZ5eklJQU81SzBVZ1BBbENuTkEKwMTa1cAH3sNm2npVhQ/dDl5M7Q8T3vOx
9slEt5EVUgqaJVhVr9AM9aAhghWJa5i5+Eh628C6p53XFxrO+6zUYA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-21T02:08:05Z"
mac: ENC[AES256_GCM,data:SCRRxSx/vqoyCUz/ZqRkeukMBQGqkWbnXEqyRS755EQLUBoSOQl0wVb073VOHnX+DMBVljZUjYqvqG5Kunt88qR2bSMg3dc55lJZgDebvUzp1aKn6Xasf458qTvr9H7mUFFIioz/hTuNucwDlL4PaSDw3HItCifD+lvvhU6VGnI=,iv:6sVMivsXDSI9x8eo90v1VHNiV+qXAdwe3g+ZM/gDMRk=,tag:pVKG8caLQCCE46JRMxUv5w==,type:str]
lastmodified: "2025-03-25T22:09:20Z"
mac: ENC[AES256_GCM,data:H5gAX9yvLdIU26HvNLQ3TwZOEb/ZPII7Odl5R2Bm/UYZYr2Rsqwf9Rwqa1kvxwFBjgKkpepfb13Qr8rHyclCLqaf4sVyFnZiKyf3a5E88NS6LcVe9nBnwBH5U/ZuFBFT+5lKtd39nyOc/vMI45whnXxCx5kwHx6BEbXfk83ht7U=,iv:Onm6Rq16IWcU/0KA2++x+XFd7QSJbWnO6r+15ltKJIs=,tag:QGI4tbRVZpb9bKU35P5WQg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4