modules: clean up

This commit is contained in:
xinyangli 2024-12-04 19:15:19 +08:00
parent 241f7265d5
commit 7bc5db676d
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
9 changed files with 108 additions and 129 deletions


@ -85,7 +85,7 @@
{ ... }:
{
options.my-lib = nixpkgs.lib.mkOption {
type = nixpkgs.lib.types.freeformType;
type = nixpkgs.lib.types.attrs;
default = import ./overlays/my-lib;
};
config = {
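Review bot: `nixpkgs.lib.types.attrs` on the new `type =` line merges multiple definitions of `options.my-lib` by shallow override, so a second definition elsewhere would silently replace earlier keys rather than merge with them; if per-key merging matters, `nixpkgs.lib.types.attrsOf nixpkgs.lib.types.anything` keeps it. Since the option carries `default = import ./overlays/my-lib;`, the simpler type is fine as long as the set is never defined a second time, and a one-line comment stating that assumption next to the `type =` line would save the next reader from checking.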


@ -38,7 +38,7 @@ let
OPENID_CONNECT_SCOPES = "openid profile email groups";
};
metrics = {
ENABLED = true;
# ENABLED = true;
};
other = {
SHOW_FOOTER_VERSION = false;
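Review bot: Commenting out `ENABLED = true;` leaves the `metrics` block empty and says nothing about why the endpoint was turned off, so the next cleanup is likely to drop the line altogether. An explicit `ENABLED = false; # <reason placeholder>` keeps both the setting and its intent visible. If this was done deliberately as hardening (the metrics endpoint being reachable by anyone who can reach the service), saying so in that comment is worth more than the setting itself.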


@ -334,16 +334,16 @@ in
];
};
custom.forgejo-actions-runner = {
enable = false;
tokenFile = config.sops.secrets."gitea/envfile".path;
settings = {
runner.capacity = 2;
runner.fetch_timeout = "120s";
runner.fetch_interval = "30s";
};
};
# custom.forgejo-actions-runner = {
# enable = false;
# tokenFile = config.sops.secrets."gitea/envfile".path;
# settings = {
# runner.capacity = 2;
# runner.fetch_timeout = "120s";
# runner.fetch_interval = "30s";
# };
# };
#
custom.prometheus = {
exporters.node.enable = true;
};
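Review bot: The nine commented-out `custom.forgejo-actions-runner` lines keep a configuration that was already `enable = false;` in the file as dead text, and the `tokenFile = config.sops.secrets."gitea/envfile".path;` line inside it will point at nothing if the runner module is no longer imported, as another hunk in this commit appears to do. Git history preserves the block, so deleting it outright is cleaner; if it is kept as a reminder, a single `# runner disabled: <reason placeholder>` line says more than the commented block. It may also be worth checking whether the `gitea/envfile` sops secret is still declared anywhere now that its only visible consumer is gone.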


@ -52,10 +52,6 @@
owner = "caddy";
mode = "400";
};
"immich/oauth_client_secret" = {
owner = "immich";
mode = "400";
};
"restic/localpass" = {
owner = "restic";
};
@ -72,6 +68,10 @@
};
};
custom.monitoring = {
loki.enable = true;
};
systemd.mounts = [
{
what = "immich";
@ -108,43 +108,6 @@
2222
];
services.immich = {
enable = true;
mediaLocation = "/mnt/XinPhotos/immich";
host = "127.0.0.1";
port = 3001;
openFirewall = true;
machine-learning.enable = true;
environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "true";
};
database.enable = true;
};
custom.immich.jsonSettings = {
oauth = {
enabled = true;
issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
clientId = "immich";
clientSecret = {
_secret = config.sops.secrets."immich/oauth_client_secret".path;
};
scope = "openid email profile";
signingAlgorithm = "ES256";
storageLabelClaim = "email";
buttonText = "Login with Kanidm";
autoLaunch = true;
mobileOverrideEnabled = true;
mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
};
passwordLogin = {
enabled = false;
};
newVersionCheck = {
enabled = false;
};
};
services.dae = {
enable = true;
configFile = "/var/lib/dae/config.dae";


@ -3,5 +3,6 @@
./ocis.nix
./restic.nix
./media-download.nix
./immich.nix
];
}


@ -0,0 +1,63 @@
{
config,
...
}:
let
user = config.systemd.services.immich-server.serviceConfig.User;
jsonSettings = {
oauth = {
enabled = true;
issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
clientId = "immich";
clientSecret = config.sops.placeholder."immich/oauth_client_secret";
scope = "openid email profile";
signingAlgorithm = "ES256";
storageLabelClaim = "email";
buttonText = "Login with Kanidm";
autoLaunch = true;
mobileOverrideEnabled = true;
mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
};
passwordLogin = {
enabled = false;
};
image = {
extractEmbedded = true;
};
newVersionCheck = {
enabled = false;
};
};
in
{
config = {
sops.secrets."immich/oauth_client_secret" = { };
sops.templates."immich/config.json" = {
owner = user; # Read when running
content = builtins.toJSON jsonSettings;
};
systemd.services.immich-server = {
serviceConfig = {
Environment = "IMMICH_CONFIG_FILE=${config.sops.templates."immich/config.json".path}";
};
};
services.immich = {
enable = true;
mediaLocation = "/mnt/XinPhotos/immich";
host = "127.0.0.1";
port = 3001;
openFirewall = true;
machine-learning.enable = true;
environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "true";
};
database.enable = true;
};
# https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510
services.immich.redis.host = "/run/redis-immich/redis.sock";
};
}
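Review bot: `content = builtins.toJSON jsonSettings;` serializes the placeholder, and sops-nix then substitutes the secret into the rendered file as plain text rather than JSON-aware, so a client secret containing a double quote or backslash would yield an unparsable `config.json`; the `genJqSecretsReplacementSnippet` path this replaces escaped values through jq. If the Kanidm-issued secret is known to be plain alphanumeric this is fine, but it deserves a comment on the `clientSecret` line, e.g. `# substituted verbatim by sops-nix; must not contain JSON-special characters`. The `# Read when running` comment on `owner = user;` would be clearer as `# rendered config is read by the immich-server service user, not by root`. Declaring the secret itself with defaults (`sops.secrets."immich/oauth_client_secret" = { };`) keeps the raw secret root-only and exposes only the rendered template to the service user, which is the right shape and worth a one-line comment so nobody "fixes" it back to `owner = "immich"`.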


@ -9,8 +9,6 @@ let
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.auth;
@ -21,25 +19,43 @@ in
};
config = mkIf cfg.enable {
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
services.kanidm = {
enableClient = true;
clientSettings = {
uri = "https://auth.xinyang.life";
};
enablePam = true;
unixSettings = {
pam_allowed_login_groups = [ "linux_users" ];
default_shell = "/bin/sh";
};
sudoers = [ "xin@auth.xinyang.life" ];
};
services.openssh = {
enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner";
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
PermitRootLogin = lib.mkForce "no";
};
};
environment.etc."ssh/auth" = {
mode = "0555";
text = ''
#!${pkgs.stdenv.shell}
${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
'';
};
users.groups.wheel.members = [ "xin@auth.xinyang.life" ];
users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = {
isSystemUser = true;
group = "kanidm-ssh-runner";
};
services.fail2ban.enable = true;
security.sudo = {
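Review bot: The `/etc/ssh/auth` wrapper passes the username unquoted, `${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1`; sshd hands `%u` over as a single argument, but quoting it (`"$1"`) removes the word-splitting footgun for free, and a leading `set -eu` stops a missing argument from turning into a lookup for an empty name. sshd also rejects an `AuthorizedKeysCommand` whose file or any parent directory is not root-owned and non-group/world-writable; `environment.etc` with `mode = "0555"` appears to satisfy that through the store symlink, but a comment saying why the mode is `0555` would make that non-obvious constraint explicit. An alternative that avoids the `/etc` indirection is to point `authorizedKeysCommand` at a `pkgs.writeShellScript` store path and drop the `environment.etc."ssh/auth"` entry. The enclosing `config = mkIf cfg.enable { ... }` block continues past the end of the hunk.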


@ -8,9 +8,5 @@
./disk-partitions
./restic.nix
./monitor
./kanidm-client.nix
# ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
./forgejo-actions-runner.nix
./immich.nix
];
}


@ -1,60 +0,0 @@
{
config,
lib,
pkgs,
utils,
...
}:
let
cfg = config.custom.immich;
upstreamCfg = config.services.immich;
settingsFormat = pkgs.formats.json { };
user = config.systemd.services.immich-server.serviceConfig.User;
group = config.systemd.services.immich-server.serviceConfig.Group;
in
{
options = {
custom.immich.jsonSettings = lib.mkOption {
type = lib.types.submodule {
freeformType = settingsFormat.type;
};
default = { };
};
};
config = {
/*
LoadCredential happens before preStart. We need to ensure the
configuration file exist, otherwise LoadCredential will fail.
*/
systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable {
"10-etc-immich" = {
"/etc/immich" = {
d = {
inherit user group;
mode = "0700";
};
};
"/etc/immich/config.json" = {
"f+" = {
inherit user group;
mode = "0600";
};
};
};
};
systemd.services.immich-server = {
preStart = ''
umask 0077
${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"}
'';
serviceConfig = {
LoadCredential = "config:/etc/immich/config.json";
Environment = "IMMICH_CONFIG_FILE=%d/config";
};
};
# https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510
services.immich.redis.host = "/run/redis-immich/redis.sock";
};
}