diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
index ce39730..2d2ef8c 100644
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@@ -38,6 +38,8 @@
 kernelModules = [ "kvm-intel" ];
 };
+ nixpkgs.config.allowUnfree = true;
+ environment.systemPackages = [ pkgs.virtiofsd ];
 sops = {
@@ -48,6 +50,10 @@
 owner = "caddy";
 mode = "400";
 };
+ dnspod_dns_token = {
+ owner = "caddy";
+ mode = "400";
+ };
 "immich/oauth_client_secret" = {
 owner = "immich";
 mode = "400";
@@ -64,16 +70,30 @@
 what = "immich";
 where = "/mnt/XinPhotos/immich";
 type = "virtiofs";
- options = "rw";
+ options = "rw,nodev,nosuid";
 wantedBy = [ "immich-server.service" ];
 }
 {
 what = "originals";
 where = "/mnt/XinPhotos/originals";
 type = "virtiofs";
- options = "ro,nodev,nosuid";
+ options = "rw,nodev,nosuid";
 wantedBy = [ "immich-server.service" ];
 }
+ {
+ what = "restic";
+ where = "/var/lib/restic";
+ type = "virtiofs";
+ options = "rw,nodev,nosuid";
+ wantedBy = [ "restic-rest-server.service" ];
+ }
+ {
+ what = "ocis";
+ where = "/var/lib/ocis";
+ type = "virtiofs";
+ options = "rw,nodev,nosuid";
+ wantedBy = [ "ocis.service" ];
+ }
 ];
 services.openssh.ports = [
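Review bot: `nixpkgs.config.allowUnfree = true;` in the first hunk lifts the unfree restriction for every package on this host, and nothing in the hunk shows which package actually needs it. A scoped predicate keeps the allowance auditable and stops an unrelated unfree dependency from slipping in unnoticed, e.g. `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "<package-that-needs-it>" ];` (with `lib` taken from the module arguments). At minimum a one-line comment naming the package that triggered this would help the next reader.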
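Review bot: The new `dnspod_dns_token` secret in the `sops.secrets` hunk is added next to the existing caddy-owned entry (presumably `cloudflare_dns_token`, whose ciphertext is kept in `secrets.yaml` and whose only consumer, caddy's `EnvironmentFile`, is switched to the dnspod path later in this file), so the Cloudflare token keeps being decrypted onto the host and stays readable by the caddy user with nothing using it. If the Cloudflare integration is being retired, remove that secret from this block and from `secrets.yaml`, and revoke it at the provider if it is no longer needed. The enclosing `sops.secrets` attribute set starts and ends outside the hunk.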
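Review bot: The `originals` virtiofs mount in the third hunk changes from `ro,nodev,nosuid` to `rw,nodev,nosuid`, which gives `immich-server.service` write access to what the path name suggests is the canonical photo library; the read-only mount was the one thing protecting those files from a bug or compromise in Immich, and the commit gives no reason for widening it. If Immich only needs to write under `/mnt/XinPhotos/immich`, keep `options = "ro,nodev,nosuid";` on `originals`, or add a comment stating why write access is now required. The four data mounts could also carry `noexec`, e.g. `options = "rw,nodev,nosuid,noexec";`, unless something is executed from them — worth confirming for `/var/lib/ocis` before adding it.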
@@ -137,26 +157,30 @@
 repo = "github.com/caddy-dns/cloudflare";
 version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
 }
+{
+ repo = "github.com/caddy-dns/dnspod";
+ version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
+ }
 ];
- vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
+ vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
 };
 virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString config.services.immich.port}
 '';
 # API Token must be added in systemd environment file
 virtualHosts."immich.xinyang.life:8000".extraConfig = ''
- tls {
- dns cloudflare {env.CLOUDFLARE_API_TOKEN}
- }
 reverse_proxy 127.0.0.1:${toString config.services.immich.port}
 '';
+ globalConfig = ''
+ acme_dns dnspod {env.DNSPOD_API_TOKEN}
+ '';
 };
 networking.firewall.allowedTCPPorts = [ 8000 ];
 systemd.services.caddy = {
 serviceConfig = {
- EnvironmentFile = config.sops.secrets.cloudflare_dns_token.path;
+ EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
 };
 };
diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml
index bb631bb..8446f0a 100644
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
@@ -1,4 +1,5 @@
 cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
+dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str]
 immich:
 oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
 sops:
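Review bot: The `repo = "github.com/caddy-dns/cloudflare"` plugin stays in the caddy build although this hunk removes its only user (the per-vhost `tls { dns cloudflare ... }` block) and moves issuance to `acme_dns dnspod` in `globalConfig`; an unused DNS-provider module compiled into the binary is extra supply-chain surface for no benefit, so drop it from the plugin list and recompute `vendorHash`. The comment `# API Token must be added in systemd environment file` now sits above a vhost that references no token at all — move it next to `globalConfig` and make it `# DNSPOD_API_TOKEN comes from the EnvironmentFile set on systemd.services.caddy below`. `acme_dns` as a global option applies to every site in this Caddyfile, including `weilite.coho-tet.ts.net:8080`, which did not use the DNS challenge before; confirm how that host's certificate is obtained so the switch does not change it unintentionally. The enclosing `services.caddy` attribute set starts outside the hunk.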
@@ -25,8 +26,8 @@ sops:
 V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
 RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-07T14:56:37Z"
- mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
+ lastmodified: "2024-09-13T12:02:54Z"
+ mac: ENC[AES256_GCM,data:c5p+B2mPCDyS/Q4QH4MkzCww6jFDhP8RfHqrKLf4e/8XuNEGfNmPKaeliZG26j1YQWRvFHiGQX3AMnQ3Q+fSRUQCVi5KV+KW7fADNIB3TiTT5hAFuynhiWWQSmIrWP0GGek3GDGi7OJ1PrFbxWP9bwaf+zBegiaUcWoTorJg7No=,iv:6MohNgPpq80eTUlf3RvPKsxdx69V0jl+/hrMxAPpPQE=,tag:BtWp1FChP2hdclbGl5W+vQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/machines/weilite/services/cloudflared.nix b/machines/weilite/services/cloudflared.nix
new file mode 100644
index 0000000..30b748d
--- /dev/null
+++ b/machines/weilite/services/cloudflared.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+ services.cloudflared = {
+ enable = true;
+ tunnels =
+ {
+ };
+ };
+}
diff --git a/machines/weilite/services/ocis.nix b/machines/weilite/services/ocis.nix
index 26a6769..7438591 100644
--- a/machines/weilite/services/ocis.nix
+++ b/machines/weilite/services/ocis.nix
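Review bot: `services.cloudflared.enable = true;` with an empty `tunnels` attribute set in the new `cloudflared.nix` is a stub that configures nothing; as far as I can tell the NixOS module generates one unit per tunnel, so this file has no effect yet but announces an outbound tunnel that will expose services without the firewall being involved. When the tunnel is filled in, keep its `credentialsFile` in sops like the other tokens in this commit rather than in the repository, and set an explicit `default = "http_status:404";` so any path not listed in `ingress` is refused. Until then it is cleaner to commit the file with `enable = false;` and a comment saying it is a placeholder, or to leave it out. Whether this file is imported by the machine configuration is not visible in the diff, and `pkgs` in its argument set is unused.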
@@ -1,36 +1,35 @@
 { config, pkgs, ... }:
 {
- sops = {
- secrets = {
- "ocis/env" = {
- sopsFile = ../secrets.yaml;
- };
- };
- };
-
 services.ocis = {
 enable = true;
- package = pkgs.ocis-bin;
+ package = pkgs.ocis;
 stateDir = "/var/lib/ocis";
 url = "https://drive.xinyang.life:8443";
 address = "127.0.0.1";
 port = 9200;
+ configDir = "/var/lib/ocis/config";
 environment = {
 OCIS_INSECURE = "false";
- OCIS_LOG_LEVEL = "trace";
+ PROXY_TLS = "false";
+ OCIS_LOG_LEVEL = "debug";
 OCIS_LOG_PRETTY = "true";
- # For reverse proxy. Disable tls.
- OCIS_PROXY_TLS = "false";
- WEB_OIDC_CLIENT_ID = "owncloud";
- WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
+ PROXY_AUTOPROVISION_ACCOUNTS = "true";
+ PROXY_USER_OIDC_CLAIM = "preferred_username";
+ PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
+ PROXY_OIDC_REWRITE_WELLKNOWN = "false";
+ PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
 OCIS_EXCLUDE_RUN_SERVICES = "idp";
- PROXY_OIDC_REWRITE_WELLKNOWN = "true";
+ WEB_HTTP_ADDR = "127.0.0.1:12345";
+ WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration";
+ WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud";
+ WEB_OIDC_CLIENT_ID = "owncloud";
 };
+ # environmentFile = config.sops.secrets."ocis/env".path;
 };
- networking.allowedTCPPorts = [ 8443 ];
-
+ networking.firewall.allowedTCPPorts = [ 8443 ];
 services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
- reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
+ redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent
+ reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
 '';
 }
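Review bot: `PROXY_AUTOPROVISION_ACCOUNTS = "true"` together with `PROXY_USER_OIDC_CLAIM = "preferred_username"` makes the identity of an oCIS account hinge on a claim that many IdPs let users or admins change; if a username at `auth.xinyang.life` is ever renamed or recycled, the new holder of that name inherits the old account's data. Unless the IdP guarantees that claim is immutable, key on a stable identifier or add a comment explaining why `preferred_username` is safe here, e.g. `# preferred_username is immutable at this IdP; accounts are auto-created on first login`. `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none"` is, as I read the oCIS option, a choice to skip local JWT validation and rely only on the IdP's userinfo lookup — a deliberate trade-off that deserves a one-line comment too. The commented-out `# environmentFile = config.sops.secrets."ocis/env".path;` should be deleted rather than left behind now that the `sops` block is gone, and `OCIS_LOG_LEVEL = "debug"` is worth lowering once the OIDC setup is stable, since the proxy handles bearer tokens.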
+++ b/machines/weilite/services/restic.nix
@@ -1,16 +1,43 @@
 { config, ... }:
+let
+ mkPrune = user: host: {
+ name = "${user}-${host}-prune";
+ value = {
+ user = "restic";
+ repository = "/var/lib/restic/${user}/${host}";
+ passwordFile = "/var/lib/restic/localpass";
+ timerConfig = {
+ OnCalendar = "02:05";
+ RandomizedDelaySec = "1h";
+ };
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ "--keep-yearly 75"
+ ];
+ };
+
+ };
+in
 {
 services.restic.server = {
 enable = true;
 dataDir = "/var/lib/restic";
 listenAddress = "127.0.0.1:19573";
- privateRepos = "true";
+ privateRepos = true;
 extraFlags = [
 "--append-only"
+ "--prometheus-no-auth"
 ];
 };
- networking.allowedTCPPorts = [ 8443 ];
+ services.restic.backups = builtins.listToAttrs [
+ (mkPrune "xin" "calcite")
+ (mkPrune "xin" "massicot")
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 8443 ];
 services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
 reverse_proxy ${config.services.restic.server.listenAddress}
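Review bot: `"--prometheus-no-auth"` removes authentication from the rest server's `/metrics` endpoint, and because the Caddy vhost for `https://backup.xinyang.life:8443` proxies every path to `listenAddress` while `networking.firewall.allowedTCPPorts` opens 8443, repository names, sizes and activity would be readable by anyone on the internet once metrics are switched on (as far as I know this flag does nothing without `--prometheus`, so today it is dead, which is worth a comment in itself). Either drop the flag or keep the scrape local and block the path at the edge, e.g. `@metrics path /metrics` followed by `respond @metrics 403` before the `reverse_proxy` line. `passwordFile = "/var/lib/restic/localpass"` keeps the repository password inside the same `/var/lib/restic` tree that holds the repositories it protects (and that `default.nix` now mounts read-write from the host), so whoever obtains the data directory also gets the key to it; provision it through sops like the other secrets in this commit, e.g. `passwordFile = config.sops.secrets."restic/localpass".path;` with a `sops.secrets` entry owned by `restic`. The prune jobs running as `user = "restic"` against repositories the server exposes as `--append-only` is consistent, since prune touches the filesystem rather than the REST API, but a comment saying so would spare the next reader the question; the Caddy vhost string continues past the end of the hunk.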