xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

massicot,fix: switch to fix drive

Browse source
This commit is contained in:
xinyangli 2024-09-14 16:33:01 +08:00
parent 37f59db944
commit 5104c5943e
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
16 changed files with 512 additions and 248 deletions
Download patch file Download diff file Expand all files Collapse all files

33
machines/weilite/default.nix
View file

@ -2,17 +2,15 @@
inputs,
config,
pkgs,
lib,
modulesPath,
...
}:
with lib;
{
imports = [
inputs.sops-nix.nixosModules.sops
(modulesPath + "/profiles/qemu-guest.nix")
./services
];
config = {
@ -50,6 +48,10 @@ with lib;
owner = "caddy";
mode = "400";
};
"immich/oauth_client_secret" = {
owner = "immich";
mode = "400";
};
};
};
@ -89,6 +91,31 @@ with lib;
environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "false";
};
database.enable = true;
};
custom.immich.jsonSettings = {
oauth = {
enabled = true;
issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
clientId = "immich";
clientSecret = {
_secret = config.sops.secrets."immich/oauth_client_secret".path;
};
scope = "openid email profile";
signingAlgorithm = "ES256";
storageLabelClaim = "email";
buttonText = "Login with Kanidm";
autoLaunch = true;
mobileOverrideEnabled = true;
mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
};
passwordLogin = {
enabled = false;
};
newVersionCheck = {
enabled = false;
};
};
services.dae = {

6
machines/weilite/secrets.yaml
View file

@ -1,4 +1,6 @@
cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
immich:
oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
sops:
kms: []
gcp_kms: []
@ -23,8 +25,8 @@ sops:
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-29T09:05:41Z"
mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str]
lastmodified: "2024-09-07T14:56:37Z"
mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

6
machines/weilite/services/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
imports = [
./ocis.nix
./restic.nix
];
}

36
machines/weilite/services/ocis.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, pkgs, ... }:
{
sops = {
secrets = {
"ocis/env" = {
sopsFile = ../secrets.yaml;
};
};
};
services.ocis = {
enable = true;
package = pkgs.ocis-bin;
stateDir = "/var/lib/ocis";
url = "https://drive.xinyang.life:8443";
address = "127.0.0.1";
port = 9200;
environment = {
OCIS_INSECURE = "false";
OCIS_LOG_LEVEL = "trace";
OCIS_LOG_PRETTY = "true";
# For reverse proxy. Disable tls.
OCIS_PROXY_TLS = "false";
WEB_OIDC_CLIENT_ID = "owncloud";
WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
OCIS_EXCLUDE_RUN_SERVICES = "idp";
PROXY_OIDC_REWRITE_WELLKNOWN = "true";
};
};
networking.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
'';
}

18
machines/weilite/services/restic.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, ... }:
{
services.restic.server = {
enable = true;
dataDir = "/var/lib/restic";
listenAddress = "127.0.0.1:19573";
privateRepos = "true";
extraFlags = [
"--append-only"
];
};
networking.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
reverse_proxy ${config.services.restic.server.listenAddress}
'';
}