xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

weilite/{restic,ocis}: add

Browse source
This commit is contained in:
xinyangli 2024-09-23 20:17:26 +08:00
parent 4822043a8b
commit bba16ea4da
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
5 changed files with 89 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
machines/weilite/default.nix
View file

@ -38,6 +38,8 @@
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
}; };
nixpkgs.config.allowUnfree = true;
environment.systemPackages = [ pkgs.virtiofsd ]; environment.systemPackages = [ pkgs.virtiofsd ];
sops = { sops = {
@ -48,6 +50,10 @@
owner = "caddy"; owner = "caddy";
mode = "400"; mode = "400";
}; };
dnspod_dns_token = {
owner = "caddy";
mode = "400";
};
"immich/oauth_client_secret" = { "immich/oauth_client_secret" = {
owner = "immich"; owner = "immich";
mode = "400"; mode = "400";
@ -64,16 +70,30 @@
what = "immich"; what = "immich";
where = "/mnt/XinPhotos/immich"; where = "/mnt/XinPhotos/immich";
type = "virtiofs"; type = "virtiofs";
options = "rw"; options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ]; wantedBy = [ "immich-server.service" ];
} }
{ {
what = "originals"; what = "originals";
where = "/mnt/XinPhotos/originals"; where = "/mnt/XinPhotos/originals";
type = "virtiofs"; type = "virtiofs";
options = "ro,nodev,nosuid"; options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ]; wantedBy = [ "immich-server.service" ];
} }
{
what = "restic";
where = "/var/lib/restic";
type = "virtiofs";
options = "rw,nodev,nosuid";
wantedBy = [ "restic-rest-server.service" ];
}
{
what = "ocis";
where = "/var/lib/ocis";
type = "virtiofs";
options = "rw,nodev,nosuid";
wantedBy = [ "ocis.service" ];
}
]; ];
services.openssh.ports = [ services.openssh.ports = [
@ -137,26 +157,30 @@
repo = "github.com/caddy-dns/cloudflare"; repo = "github.com/caddy-dns/cloudflare";
version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
} }
{
repo = "github.com/caddy-dns/dnspod";
version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
}
]; ];
vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk="; vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
}; };
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = '' virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port} reverse_proxy 127.0.0.1:${toString config.services.immich.port}
''; '';
# API Token must be added in systemd environment file # API Token must be added in systemd environment file
virtualHosts."immich.xinyang.life:8000".extraConfig = '' virtualHosts."immich.xinyang.life:8000".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
reverse_proxy 127.0.0.1:${toString config.services.immich.port} reverse_proxy 127.0.0.1:${toString config.services.immich.port}
''; '';
globalConfig = ''
acme_dns dnspod {env.DNSPOD_API_TOKEN}
'';
}; };
networking.firewall.allowedTCPPorts = [ 8000 ]; networking.firewall.allowedTCPPorts = [ 8000 ];
systemd.services.caddy = { systemd.services.caddy = {
serviceConfig = { serviceConfig = {
EnvironmentFile = config.sops.secrets.cloudflare_dns_token.path; EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
}; };
}; };

5
machines/weilite/secrets.yaml
View file

@ -1,4 +1,5 @@
cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str] cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str]
immich: immich:
oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
sops: sops:
@ -25,8 +26,8 @@ sops:
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-07T14:56:37Z" lastmodified: "2024-09-13T12:02:54Z"
mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str] mac: ENC[AES256_GCM,data:c5p+B2mPCDyS/Q4QH4MkzCww6jFDhP8RfHqrKLf4e/8XuNEGfNmPKaeliZG26j1YQWRvFHiGQX3AMnQ3Q+fSRUQCVi5KV+KW7fADNIB3TiTT5hAFuynhiWWQSmIrWP0GGek3GDGi7OJ1PrFbxWP9bwaf+zBegiaUcWoTorJg7No=,iv:6MohNgPpq80eTUlf3RvPKsxdx69V0jl+/hrMxAPpPQE=,tag:BtWp1FChP2hdclbGl5W+vQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0

9
machines/weilite/services/cloudflared.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs, ... }:
{
services.cloudflared = {
enable = true;
tunnels =
{
};
};
}

35
machines/weilite/services/ocis.nix
View file

@ -1,36 +1,35 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
sops = {
secrets = {
"ocis/env" = {
sopsFile = ../secrets.yaml;
};
};
};
services.ocis = { services.ocis = {
enable = true; enable = true;
package = pkgs.ocis-bin; package = pkgs.ocis;
stateDir = "/var/lib/ocis"; stateDir = "/var/lib/ocis";
url = "https://drive.xinyang.life:8443"; url = "https://drive.xinyang.life:8443";
address = "127.0.0.1"; address = "127.0.0.1";
port = 9200; port = 9200;
configDir = "/var/lib/ocis/config";
environment = { environment = {
OCIS_INSECURE = "false"; OCIS_INSECURE = "false";
OCIS_LOG_LEVEL = "trace"; PROXY_TLS = "false";
OCIS_LOG_LEVEL = "debug";
OCIS_LOG_PRETTY = "true"; OCIS_LOG_PRETTY = "true";
# For reverse proxy. Disable tls. PROXY_AUTOPROVISION_ACCOUNTS = "true";
OCIS_PROXY_TLS = "false"; PROXY_USER_OIDC_CLAIM = "preferred_username";
WEB_OIDC_CLIENT_ID = "owncloud"; PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud"; PROXY_OIDC_REWRITE_WELLKNOWN = "false";
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
OCIS_EXCLUDE_RUN_SERVICES = "idp"; OCIS_EXCLUDE_RUN_SERVICES = "idp";
PROXY_OIDC_REWRITE_WELLKNOWN = "true"; WEB_HTTP_ADDR = "127.0.0.1:12345";
WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration";
WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud";
WEB_OIDC_CLIENT_ID = "owncloud";
}; };
# environmentFile = config.sops.secrets."ocis/env".path;
}; };
networking.allowedTCPPorts = [ 8443 ]; networking.firewall.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = '' services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address} redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent
reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
''; '';
} }

31
machines/weilite/services/restic.nix
View file

@ -1,16 +1,43 @@
{ config, ... }: { config, ... }:
let
mkPrune = user: host: {
name = "${user}-${host}-prune";
value = {
user = "restic";
repository = "/var/lib/restic/${user}/${host}";
passwordFile = "/var/lib/restic/localpass";
timerConfig = {
OnCalendar = "02:05";
RandomizedDelaySec = "1h";
};
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
};
};
in
{ {
services.restic.server = { services.restic.server = {
enable = true; enable = true;
dataDir = "/var/lib/restic"; dataDir = "/var/lib/restic";
listenAddress = "127.0.0.1:19573"; listenAddress = "127.0.0.1:19573";
privateRepos = "true"; privateRepos = true;
extraFlags = [ extraFlags = [
"--append-only" "--append-only"
"--prometheus-no-auth"
]; ];
}; };
networking.allowedTCPPorts = [ 8443 ]; services.restic.backups = builtins.listToAttrs [
(mkPrune "xin" "calcite")
(mkPrune "xin" "massicot")
];
networking.firewall.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = '' services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
reverse_proxy ${config.services.restic.server.listenAddress} reverse_proxy ${config.services.restic.server.listenAddress}