From 5104c5943e0118e426319dabebcf64894170a8b1 Mon Sep 17 00:00:00 2001
From: xinyangli <lixinyang411@gmail.com>
Date: Sat, 14 Sep 2024 16:33:01 +0800
Subject: [PATCH] massicot,fix: switch to fix drive
---
flake.lock | 93 +++--
flake.nix | 6 +-
machines/massicot/default.nix | 15 +-
machines/massicot/hardware-configuration.nix | 11 +-
machines/massicot/kanidm-provision.nix | 351 ++++++++++---------
machines/massicot/networking.nix | 23 +-
machines/massicot/secrets.yaml | 12 +-
machines/massicot/services.nix | 37 +-
machines/massicot/services/default.nix | 5 +
machines/massicot/services/restic.nix | 51 +++
machines/weilite/default.nix | 33 +-
machines/weilite/secrets.yaml | 6 +-
machines/weilite/services/default.nix | 6 +
machines/weilite/services/ocis.nix | 36 ++
machines/weilite/services/restic.nix | 18 +
modules/nixos/immich.nix | 57 +++
16 files changed, 512 insertions(+), 248 deletions(-)
create mode 100644 machines/massicot/services/default.nix
create mode 100644 machines/massicot/services/restic.nix
create mode 100644 machines/weilite/services/default.nix
create mode 100644 machines/weilite/services/ocis.nix
create mode 100644 machines/weilite/services/restic.nix
create mode 100644 modules/nixos/immich.nix
diff --git a/flake.lock b/flake.lock
index f15ebae..3744570 100644
--- a/flake.lock
+++ b/flake.lock
@@ -116,11 +116,11 @@
},
"catppuccin": {
"locked": {
- "lastModified": 1724469296,
- "narHash": "sha256-p3R4LUNk6gC+fTKRUm9ByXaoRIocnQMwVuJSIxECQ8o=",
+ "lastModified": 1725509983,
+ "narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=",
"owner": "catppuccin",
"repo": "nix",
- "rev": "874e668ddaf3687e8d38ccd0188a641ffefe1cfb",
+ "rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9",
"type": "github"
},
"original": {
@@ -433,11 +433,11 @@
]
},
"locked": {
- "lastModified": 1725180166,
- "narHash": "sha256-fzssXuGR/mCeGbzM1ExaTqDz7QDGta3WA4jJsZyRruo=",
+ "lastModified": 1725694918,
+ "narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "471e3eb0a114265bcd62d11d58ba8d3421ee68eb",
+ "rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda",
"type": "github"
},
"original": {
@@ -468,6 +468,27 @@
"type": "github"
}
},
+ "home-manager_3": {
+ "inputs": {
+ "nixpkgs": [
+ "stylix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1726036828,
+ "narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "8a1671642826633586d12ac3158e463c7a50a112",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
"my-nixvim": {
"inputs": {
"flake-parts": "flake-parts",
@@ -543,11 +564,11 @@
]
},
"locked": {
- "lastModified": 1725241396,
- "narHash": "sha256-b4YfdCTuVLmrTGt8M44T+k0+rwRhBDXYKPhQR9o6LxU=",
+ "lastModified": 1725672853,
+ "narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
- "rev": "36fbe64e2b1b879871d896e94d560691ec88c08b",
+ "rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21",
"type": "github"
},
"original": {
@@ -558,11 +579,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1724878143,
- "narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=",
+ "lastModified": 1725477728,
+ "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef",
+ "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce",
"type": "github"
},
"original": {
@@ -602,11 +623,11 @@
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1725001927,
- "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
+ "lastModified": 1725407940,
+ "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
+ "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
"type": "github"
},
"original": {
@@ -634,11 +655,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1725246338,
- "narHash": "sha256-a1niN+9XVfG5PjokF5n/yPv9PunUoQFMV2btjAjy/OI=",
+ "lastModified": 1726296585,
+ "narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=",
"owner": "xinyangli",
"repo": "nixpkgs",
- "rev": "1e6e46dcf84c3218120d7080c4eca68cf36fd629",
+ "rev": "8539edfb09c674994303141378df4ab33cd765ad",
"type": "github"
},
"original": {
@@ -648,6 +669,22 @@
"type": "github"
}
},
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1726042813,
+ "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"nixvim": {
"inputs": {
"devshell": "devshell",
@@ -676,11 +713,11 @@
},
"nur": {
"locked": {
- "lastModified": 1725248798,
- "narHash": "sha256-6VVKFwDGBq/waWWkEwQfA3u9smxOeFjzA/f+wKtph2M=",
+ "lastModified": 1725687722,
+ "narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=",
"owner": "nix-community",
"repo": "NUR",
- "rev": "6cac52982b36c11c5d447a5511d84b295783b94f",
+ "rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3",
"type": "github"
},
"original": {
@@ -737,11 +774,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
- "lastModified": 1725201042,
- "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
+ "lastModified": 1725540166,
+ "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
+ "rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
"type": "github"
},
"original": {
@@ -762,12 +799,8 @@
"flake-compat": "flake-compat_4",
"flake-utils": "flake-utils_3",
"gnome-shell": "gnome-shell",
- "home-manager": [
- "home-manager"
- ],
- "nixpkgs": [
- "nixpkgs"
- ],
+ "home-manager": "home-manager_3",
+ "nixpkgs": "nixpkgs_3",
"systems": "systems_3"
},
"locked": {
diff --git a/flake.nix b/flake.nix
index b4ae9db..9a9ffc3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -55,8 +55,8 @@
stylix = {
url = "github:xinyangli/stylix";
- inputs.nixpkgs.follows = "nixpkgs";
- inputs.home-manager.follows = "home-manager";
+ # inputs.nixpkgs.follows = "nixpkgs";
+ # inputs.home-manager.follows = "home-manager";
};
};
@@ -83,7 +83,7 @@
];
};
deploymentModule = {
- deployment.targetUser = "xin";
+ deployment.targetUser = "root";
};
sharedColmenaModules = [
self.nixosModules.default
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 4513a2b..f74f265 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -12,6 +12,7 @@
./hardware-configuration.nix
./networking.nix
./services.nix
+ ./services
];
sops = {
@@ -50,13 +51,13 @@
efiSupport = true;
configurationLimit = 5;
};
-
- fileSystems."/mnt/storage" = {
- device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
- fsType = "cifs";
- options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
- };
-
+ #
+ # fileSystems."/mnt/storage" = {
+ # device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
+ # fsType = "cifs";
+ # options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
+ # };
+ #
environment.systemPackages = with pkgs; [
cifs-utils
git
diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix
index c67deb1..36e673c 100644
--- a/machines/massicot/hardware-configuration.nix
+++ b/machines/massicot/hardware-configuration.nix
@@ -16,8 +16,17 @@
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
- device = "/dev/sda1";
+ device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1";
fsType = "ext4";
};
+ fileSystems."/mnt/storage" = {
+ device = "/dev/disk/by-id/scsi-0HC_Volume_101302395";
+ fsType = "btrfs";
+ options = [
+ "subvol=storage"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
}
diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix
index 95c75df..2439be6 100644
--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@@ -1,175 +1,214 @@
+{ config, lib, ... }:
{
- enable = true;
- autoRemove = true;
- groups = {
- forgejo-access = {
- members = [ "xin" ];
- };
- forgejo-admin = {
- members = [ "xin" ];
- };
- gts-users = {
- members = [ "xin" ];
- };
- ocis-users = {
- members = [ "xin" ];
- };
- linux_users = {
- members = [ "xin" ];
- };
- hedgedoc-users = {
- members = [ "xin" ];
- };
- immich-users = {
- members = [
- "xin"
- "zhuo"
- "ycm"
- ];
- };
- grafana-superadmins = {
- members = [ "xin" ];
- };
- grafana-admins = {
- members = [ "xin" ];
- };
- grafana-editors = {
- members = [ "xin" ];
- };
- grafana-users = {
- members = [ "xin" ];
- };
- miniflux-users = {
- members = [ "xin" ];
- };
- idm_people_self_mail_write = {
- members = [ ];
+ sops.secrets = {
+ "kanidm/ocis_android_secret" = {
+ owner = "kanidm";
};
};
- persons = {
- xin = {
- displayName = "Xinyang Li";
- mailAddresses = [ "lixinyang411@gmail.com" ];
- };
-
- zhuo = {
- displayName = "Zhuo";
- mailAddresses = [ "13681104320@163.com" ];
- };
-
- ycm = {
- displayName = "Chunming";
- mailAddresses = [ "chunmingyou@gmail.com" ];
- };
+ systemd.services.kanidm.serviceConfig = {
+ BindReadOnlyPaths = [
+ config.sops.secrets."kanidm/ocis_android_secret".path
+ ];
};
- systems.oauth2 = {
- forgejo = {
- displayName = "ForgeJo";
- originUrl = "https://git.xinyang.life/";
- originLanding = "https://git.xinyang.life/user/oauth2/kandim";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- forgejo-access = [
- "openid"
- "email"
- "profile"
- "groups"
+ services.kanidm.provision = {
+ enable = true;
+ autoRemove = true;
+ groups = {
+ forgejo-access = {
+ members = [ "xin" ];
+ };
+ forgejo-admin = {
+ members = [ "xin" ];
+ };
+ gts-users = {
+ members = [ "xin" ];
+ };
+ ocis-users = {
+ members = [ "xin" ];
+ };
+ linux_users = {
+ members = [ "xin" ];
+ };
+ hedgedoc-users = {
+ members = [ "xin" ];
+ };
+ immich-users = {
+ members = [
+ "xin"
+ "zhuo"
+ "ycm"
];
};
- claimMaps = {
- forgejo_role = {
- joinType = "array";
- valuesByGroup = {
- forgejo-access = [ "Access" ];
- forgejo-admin = [ "Admin" ];
+ grafana-superadmins = {
+ members = [ "xin" ];
+ };
+ grafana-admins = {
+ members = [ "xin" ];
+ };
+ grafana-editors = {
+ members = [ "xin" ];
+ };
+ grafana-users = {
+ members = [ "xin" ];
+ };
+ miniflux-users = {
+ members = [ "xin" ];
+ };
+ idm_people_self_mail_write = {
+ members = [ ];
+ };
+ };
+ persons = {
+ xin = {
+ displayName = "Xinyang Li";
+ mailAddresses = [ "lixinyang411@gmail.com" ];
+ };
+
+ zhuo = {
+ displayName = "Zhuo";
+ mailAddresses = [ "13681104320@163.com" ];
+ };
+
+ ycm = {
+ displayName = "Chunming";
+ mailAddresses = [ "chunmingyou@gmail.com" ];
+ };
+ };
+ systems.oauth2 = {
+ forgejo = {
+ displayName = "ForgeJo";
+ originUrl = "https://git.xinyang.life/";
+ originLanding = "https://git.xinyang.life/user/oauth2/kandim";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ forgejo-access = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ ];
+ };
+ claimMaps = {
+ forgejo_role = {
+ joinType = "array";
+ valuesByGroup = {
+ forgejo-access = [ "Access" ];
+ forgejo-admin = [ "Admin" ];
+ };
};
};
};
- };
- gts = {
- displayName = "GoToSocial";
- originUrl = "https://xinyang.life/";
- originLanding = "https://xinyang.life/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- gts-users = [
- "openid"
- "email"
- "profile"
- "groups"
- ];
+ gts = {
+ displayName = "GoToSocial";
+ originUrl = "https://xinyang.life/";
+ originLanding = "https://xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ gts-users = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ ];
+ };
};
- };
- owncloud = {
- displayName = "ownCloud";
- originUrl = "https://home.xinyang.life:9201/";
- originLanding = "https://home.xinyang.life:9201/";
- public = true;
- scopeMaps = {
- ocis-users = [
- "openid"
- "email"
- "profile"
- ];
+ owncloud = {
+ displayName = "ownCloud";
+ originUrl = "https://drive.xinyang.life:8443/";
+ originLanding = "https://drive.xinyang.life:8443/";
+ public = true;
+ preferShortUsername = true;
+ scopeMaps = {
+ ocis-users = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ };
};
- };
- hedgedoc = {
- displayName = "HedgeDoc";
- originUrl = "https://docs.xinyang.life/";
- originLanding = "https://docs.xinyang.life/auth/oauth2";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- hedgedoc-users = [
- "openid"
- "email"
- "profile"
+
+ owncloud-android = {
+ displayName = "ownCloud Apps";
+ originLanding = "https://drive.xinyang.life:8443/";
+ originUrl = [
+ "http://localhost/"
+ "http://127.0.0.1/"
+ "oc://android.owncloud.com"
];
+ basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;
+ preferShortUsername = true;
+ scopeMaps = {
+ ocis-users = [
+ "openid"
+ "email"
+ "profile"
+ "offline_access"
+ ];
+ };
};
- };
- immich-mobile = {
- displayName = "Immich";
- originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
- originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- immich-users = [
- "openid"
- "email"
- "profile"
+
+ hedgedoc = {
+ displayName = "HedgeDoc";
+ originUrl = "https://docs.xinyang.life/";
+ originLanding = "https://docs.xinyang.life/auth/oauth2";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ hedgedoc-users = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ };
+ };
+ immich = {
+ displayName = "Immich";
+ originUrl = [
+ "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
+ "https://immich.xinyang.life:8000/auth/login/"
+ "https://immich.xinyang.life:8000/user-settings/"
];
+ originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ immich-users = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ };
};
- };
- miniflux = {
- displayName = "Miniflux";
- originUrl = "https://rss.xinyang.life/";
- originLanding = "https://rss.xinyang.life/";
- scopeMaps = {
- miniflux-users = [
- "openid"
- "email"
- "profile"
- ];
+ miniflux = {
+ displayName = "Miniflux";
+ originUrl = "https://rss.xinyang.life/";
+ originLanding = "https://rss.xinyang.life/";
+ scopeMaps = {
+ miniflux-users = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ };
};
- };
- grafana = {
- displayName = "Grafana";
- originUrl = "https://grafana.xinyang.life/";
- originLanding = "https://grafana.xinyang.life/";
- scopeMaps = {
- grafana-users = [
- "openid"
- "email"
- "profile"
- "groups"
- ];
- };
- claimMaps = {
- grafana_role = {
- joinType = "array";
- valuesByGroup = {
- grafana-superadmins = [ "GrafanaAdmin" ];
- grafana-admins = [ "Admin" ];
- grafana-editors = [ "Editor" ];
+ grafana = {
+ displayName = "Grafana";
+ originUrl = "https://grafana.xinyang.life/";
+ originLanding = "https://grafana.xinyang.life/";
+ scopeMaps = {
+ grafana-users = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ ];
+ };
+ claimMaps = {
+ grafana_role = {
+ joinType = "array";
+ valuesByGroup = {
+ grafana-superadmins = [ "GrafanaAdmin" ];
+ grafana-admins = [ "Admin" ];
+ grafana-editors = [ "Editor" ];
+ };
};
};
};
diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix
index 94be559..7859b2e 100644
--- a/machines/massicot/networking.nix
+++ b/machines/massicot/networking.nix
@@ -1,19 +1,12 @@
{ pkgs, ... }:
{
- networking = {
- interfaces = {
- eth0.useDHCP = true;
- eth0.ipv6.addresses = [
- {
- address = "2a01:4f8:c17:345f::1";
- prefixLength = 64;
- }
- ];
- };
- defaultGateway6 = {
- address = "fe80::1";
- interface = "eth0";
- };
- nameservers = [ ];
+ networking.useNetworkd = true;
+ systemd.network.networks."10-wan" = {
+ matchConfig.MACAddress = "96:00:02:68:7d:2d";
+ networkConfig.DHCP = "ipv4";
+ networkConfig.Gateway = "fe80::1";
+ address = [
+ "2a01:4f8:c17:345f::3/64"
+ ];
};
}
diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml
index cc3fd7f..302df3b 100644
--- a/machines/massicot/secrets.yaml
+++ b/machines/massicot/secrets.yaml
@@ -1,11 +1,17 @@
storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
-hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
+hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str]
grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
miniflux:
oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
forgejo:
env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
+restic:
+ repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str]
+ password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str]
+kanidm:
+ ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str]
+ ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str]
sops:
kms: []
gcp_kms: []
@@ -30,8 +36,8 @@ sops:
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-21T05:54:31Z"
- mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str]
+ lastmodified: "2024-09-14T05:48:04Z"
+ mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index 336a039..4be75c5 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -8,6 +8,9 @@ let
kanidm_listen_port = 5324;
in
{
+ imports = [
+ ./kanidm-provision.nix
+ ];
networking.firewall.allowedTCPPorts = [
80
443
@@ -46,33 +49,6 @@ in
exporters.miniflux.enable = true;
};
- systemd.mounts =
- map
- (share: {
- what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
- where = "/mnt/storage/${share}";
- type = "cifs";
- options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
- before = [ "${share}.service" ];
- after = [ "cachefilesd.service" ];
- wantedBy = [ "${share}.service" ];
- })
- [
- "forgejo"
- "gotosocial"
- "conduit"
- "hedgedoc"
- ];
-
- services.cachefilesd.enable = true;
-
- system.activationScripts = {
- conduit-media-link.text = ''
- mkdir -m 700 -p /var/lib/private/matrix-conduit/media
- chown conduit:conduit /var/lib/private/matrix-conduit/media
- mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
- '';
- };
security.acme = {
acceptTerms = true;
certs."auth.xinyang.life" = {
@@ -106,7 +82,6 @@ in
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db";
};
- provision = import ./kanidm-provision.nix;
};
custom.miniflux = {
@@ -144,6 +119,12 @@ in
};
};
+ users.users.conduit = {
+ isSystemUser = true;
+ group = "conduit";
+ };
+ users.groups.conduit = { };
+
services.gotosocial = {
enable = true;
settings = {
diff --git a/machines/massicot/services/default.nix b/machines/massicot/services/default.nix
new file mode 100644
index 0000000..fdf054b
--- /dev/null
+++ b/machines/massicot/services/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./restic.nix
+ ];
+}
diff --git a/machines/massicot/services/restic.nix b/machines/massicot/services/restic.nix
new file mode 100644
index 0000000..9a319bb
--- /dev/null
+++ b/machines/massicot/services/restic.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ sqliteBackup = path: ''
+ mkdir -p /backup${path}
+ ${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'"
+ '';
+in
+{
+ sops.secrets = {
+ "restic/repo" = {
+ sopsFile = ../secrets.yaml;
+ };
+ "restic/password" = {
+ sopsFile = ../secrets.yaml;
+ };
+ };
+
+ custom.restic = {
+ enable = true;
+ repositoryFile = config.sops.secrets."restic/repo".path;
+ passwordFile = config.sops.secrets."restic/password".path;
+ paths = [
+ "/var/backup"
+ "/mnt/storage"
+ ];
+ };
+
+ services.postgresqlBackup = {
+ enable = true;
+ compression = "zstd";
+ compressionLevel = 9;
+ location = "/var/backup/postgresql";
+ };
+
+ services.restic.backups.${config.networking.hostName} = {
+ backupPrepareCommand = builtins.concatStringsSep "\n" [
+ (sqliteBackup "/var/lib/hedgedoc/db.sqlite")
+ (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3")
+ (sqliteBackup "/var/lib/gotosocial/database.sqlite")
+ (sqliteBackup "/var/lib/kanidm/kanidm.db")
+ ];
+ extraBackupArgs = [
+ "--limit-upload=1024"
+ ];
+ };
+}
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
index 5718b56..ce39730 100644
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@@ -2,17 +2,15 @@
inputs,
config,
pkgs,
- lib,
modulesPath,
...
}:
-with lib;
-
{
imports = [
inputs.sops-nix.nixosModules.sops
(modulesPath + "/profiles/qemu-guest.nix")
+ ./services
];
config = {
@@ -50,6 +48,10 @@ with lib;
owner = "caddy";
mode = "400";
};
+ "immich/oauth_client_secret" = {
+ owner = "immich";
+ mode = "400";
+ };
};
};
@@ -89,6 +91,31 @@ with lib;
environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "false";
};
+ database.enable = true;
+ };
+
+ custom.immich.jsonSettings = {
+ oauth = {
+ enabled = true;
+ issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
+ clientId = "immich";
+ clientSecret = {
+ _secret = config.sops.secrets."immich/oauth_client_secret".path;
+ };
+ scope = "openid email profile";
+ signingAlgorithm = "ES256";
+ storageLabelClaim = "email";
+ buttonText = "Login with Kanidm";
+ autoLaunch = true;
+ mobileOverrideEnabled = true;
+ mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+ };
+ passwordLogin = {
+ enabled = false;
+ };
+ newVersionCheck = {
+ enabled = false;
+ };
};
services.dae = {
diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml
index 02f78d6..bb631bb 100644
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
@@ -1,4 +1,6 @@
cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
+immich:
+ oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
sops:
kms: []
gcp_kms: []
@@ -23,8 +25,8 @@ sops:
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-07-29T09:05:41Z"
- mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str]
+ lastmodified: "2024-09-07T14:56:37Z"
+ mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix
new file mode 100644
index 0000000..031018b
--- /dev/null
+++ b/machines/weilite/services/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./ocis.nix
+ ./restic.nix
+ ];
+}
diff --git a/machines/weilite/services/ocis.nix b/machines/weilite/services/ocis.nix
new file mode 100644
index 0000000..26a6769
--- /dev/null
+++ b/machines/weilite/services/ocis.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+{
+ sops = {
+ secrets = {
+ "ocis/env" = {
+ sopsFile = ../secrets.yaml;
+ };
+ };
+ };
+
+ services.ocis = {
+ enable = true;
+ package = pkgs.ocis-bin;
+ stateDir = "/var/lib/ocis";
+ url = "https://drive.xinyang.life:8443";
+ address = "127.0.0.1";
+ port = 9200;
+ environment = {
+ OCIS_INSECURE = "false";
+ OCIS_LOG_LEVEL = "trace";
+ OCIS_LOG_PRETTY = "true";
+ # For reverse proxy. Disable tls.
+ OCIS_PROXY_TLS = "false";
+ WEB_OIDC_CLIENT_ID = "owncloud";
+ WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
+ OCIS_EXCLUDE_RUN_SERVICES = "idp";
+ PROXY_OIDC_REWRITE_WELLKNOWN = "true";
+ };
+ };
+
+ networking.allowedTCPPorts = [ 8443 ];
+
+ services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
+ reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
+ '';
+}
diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix
new file mode 100644
index 0000000..e1fb489
--- /dev/null
+++ b/machines/weilite/services/restic.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+ services.restic.server = {
+ enable = true;
+ dataDir = "/var/lib/restic";
+ listenAddress = "127.0.0.1:19573";
+ privateRepos = "true";
+ extraFlags = [
+ "--append-only"
+ ];
+ };
+
+ networking.allowedTCPPorts = [ 8443 ];
+
+ services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
+ reverse_proxy ${config.services.restic.server.listenAddress}
+ '';
+}
diff --git a/modules/nixos/immich.nix b/modules/nixos/immich.nix
new file mode 100644
index 0000000..a7c5ba9
--- /dev/null
+++ b/modules/nixos/immich.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ pkgs,
+ utils,
+ ...
+}:
+let
+ cfg = config.custom.immich;
+ upstreamCfg = config.services.immich;
+ settingsFormat = pkgs.formats.json { };
+ user = config.systemd.services.immich-server.serviceConfig.User;
+ group = config.systemd.services.immich-server.serviceConfig.Group;
+in
+{
+ options = {
+ custom.immich.jsonSettings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = settingsFormat.type;
+ };
+ default = { };
+ };
+ };
+ config = {
+ /*
+ LoadCredential happens before preStart. We need to ensure the
+ configuration file exist, otherwise LoadCredential will fail.
+ */
+ systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable {
+ "10-etc-immich" = {
+ "/etc/immich" = {
+ d = {
+ inherit user group;
+ mode = "0600";
+ };
+ };
+ "/etc/immich/config.json" = {
+ "f+" = {
+ inherit user group;
+ mode = "0600";
+ };
+ };
+ };
+ };
+
+ systemd.services.immich-server = {
+ preStart = ''
+ umask 0077
+ ${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"}
+ '';
+ serviceConfig = {
+ LoadCredential = "config:/etc/immich/config.json";
+ Environment = "IMMICH_CONFIG_FILE=%d/config";
+ };
+ };
+ };
+}