Compare commits


8 commits

20 changed files with 247 additions and 145 deletions

78
flake.lock generated

@ -116,11 +116,11 @@
},
"catppuccin": {
"locked": {
"lastModified": 1725509983,
"narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=",
"lastModified": 1726952185,
"narHash": "sha256-l/HbsQjJMT6tlf8KCooFYi3J6wjIips3n6/aWAoLY4g=",
"owner": "catppuccin",
"repo": "nix",
"rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9",
"rev": "630b559cc1cb4c0bdd525af506935323e4ccd5d1",
"type": "github"
},
"original": {
@ -285,11 +285,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
@ -433,11 +433,11 @@
]
},
"locked": {
"lastModified": 1725694918,
"narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=",
"lastModified": 1726985855,
"narHash": "sha256-NJPGK030Y3qETpWBhj9oobDQRbXdXOPxtu+YgGvZ84o=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda",
"rev": "04213d1ce4221f5d9b40bcee30706ce9a91d148d",
"type": "github"
},
"original": {
@ -476,11 +476,11 @@
]
},
"locked": {
"lastModified": 1726036828,
"narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=",
"lastModified": 1724435763,
"narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "8a1671642826633586d12ac3158e463c7a50a112",
"rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be",
"type": "github"
},
"original": {
@ -540,11 +540,11 @@
]
},
"locked": {
"lastModified": 1725161148,
"narHash": "sha256-WfAHq3Ag3vLNFfWxKHjFBFdPI6JIideWFJod9mx1eoo=",
"lastModified": 1726975622,
"narHash": "sha256-bPDZosnom0+02ywmMZAvmj7zvsQ6mVv/5kmvSgbTkaY=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "32058e9138248874773630c846563b1a78ee7a5b",
"rev": "c7515c2fdaf2e1f3f49856cef6cec95bb2138417",
"type": "github"
},
"original": {
@ -564,11 +564,11 @@
]
},
"locked": {
"lastModified": 1725672853,
"narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=",
"lastModified": 1727055858,
"narHash": "sha256-JZldqP3uEzphER/63J8crL9O9uR7g+cNAkb+erRmN48=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21",
"rev": "de538d220bccc69ad940a53e2b50fef7e05501f2",
"type": "github"
},
"original": {
@ -579,11 +579,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1725477728,
"narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=",
"lastModified": 1727040444,
"narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce",
"rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
"type": "github"
},
"original": {
@ -623,11 +623,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1725407940,
"narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
"lastModified": 1726838390,
"narHash": "sha256-NmcVhGElxDbmEWzgXsyAjlRhUus/nEqPC5So7BOJLUM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
"rev": "944b2aea7f0a2d7c79f72468106bc5510cbf5101",
"type": "github"
},
"original": {
@ -639,11 +639,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1721524707,
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"lastModified": 1725762081,
"narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
"type": "github"
},
"original": {
@ -655,11 +655,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1726296585,
"narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=",
"lastModified": 1727093669,
"narHash": "sha256-VUBuY1qGk0FBMBydHWyp85f/pypH6nlSXnnIJh3Z4XA=",
"owner": "xinyangli",
"repo": "nixpkgs",
"rev": "8539edfb09c674994303141378df4ab33cd765ad",
"rev": "67cce3820108e9ef3ecd69097089a13a2e3f5909",
"type": "github"
},
"original": {
@ -671,11 +671,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1726042813,
"narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
"lastModified": 1725194671,
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
"type": "github"
},
"original": {
@ -713,11 +713,11 @@
},
"nur": {
"locked": {
"lastModified": 1725687722,
"narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=",
"lastModified": 1727091899,
"narHash": "sha256-ztA+/sTDdsba2c4JrxUcKA+RH8mKy5RO1ikCrEmcsH4=",
"owner": "nix-community",
"repo": "NUR",
"rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3",
"rev": "9134c128b0a9610bdf6771a561e185e6dfbdd05b",
"type": "github"
},
"original": {
@ -774,11 +774,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1725540166,
"narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
"lastModified": 1726524647,
"narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
"rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
"type": "github"
},
"original": {


@ -83,7 +83,7 @@
];
};
deploymentModule = {
deployment.targetUser = "root";
deployment.targetUser = "xin";
};
sharedColmenaModules = [
self.nixosModules.default
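Review bot: Switching `deployment.targetUser` to `xin` means Colmena has to escalate on the target (its default is `sudo`), so activation now depends on `xin` having non-interactive sudo on every node that receives `sharedColmenaModules`, which this hunk does not show. If that is granted as an unrestricted NOPASSWD rule, the deploy identity effectively still holds root and the least-privilege gain is small; a rule scoped to the activation command (the profile's `switch-to-configuration` / `nixos-rebuild`) is preferable. Worth recording the dependency here, e.g. `# non-root deploy user: targets must grant xin passwordless sudo for activation (see security.sudo)`. The flake output this attribute set belongs to starts before the hunk.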


@ -27,7 +27,7 @@
};
home.packages = with pkgs; [
# betterbird
betterbird
remmina
];


@ -182,12 +182,24 @@
environment.systemPackages = with pkgs; [
oidc-agent
# Filesystem
owncloud-client
(owncloud-client.overrideAttrs (
finalAttrs: previousAttrs: {
src = pkgs.fetchFromGitHub {
owner = "xinyangli";
repo = "client";
rev = "e5ec2d68077361f1597b137a944884dda5574487";
hash = "sha256-xs8g7DdL1VxArK3n1c/9k7nW2vwYRHRuz6zaeX7E3eM=";
};
}
))
nfs-utils
# tesseract5 # ocr
ocrmypdf # pdfocr
gtkwave
bubblewrap
# ==== Development ==== #
# Python
# reference: https://nixos.wiki/wiki/Python
@ -256,6 +268,9 @@
system.stateVersion = "22.05";
system.switch.enable = false;
system.switch.enableNg = true;
nix.extraOptions = ''
!include "${config.sops.secrets.github_public_token.path}"
'';
@ -282,7 +297,7 @@
custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path;
custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path;
custom.forgejo-actions-runner.enable = true;
custom.forgejo-actions-runner.enable = false;
custom.forgejo-actions-runner.tokenFile = config.sops.secrets."gitea/envfile".path;
custom.prometheus = {
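Review bot: `!include "${config.sops.secrets.github_public_token.path}"` silently does nothing when the file is absent (the `!` form of `include` ignores a missing path), so a sops decryption failure degrades to unauthenticated GitHub fetches with no warning; a comment making the intent and the expected content explicit would help, e.g. `# optional GitHub access-tokens line for nix; skipped silently if the secret is missing`. The secret must stay readable only by the nix daemon (root), which the sops-nix default `0400`/root gives, since the generated `nix.conf` that references it is world-readable. Separately, the `owncloud-client.overrideAttrs` pins the fork's `src` by hash, which is good, but it keeps the upstream `version`, so `nix-store` and vulnerability scanners will attribute the fork's code to the upstream release; consider setting `version` with a fork suffix. The `environment.systemPackages` list continues outside the hunk.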


@ -1,5 +1,5 @@
restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str]
restic_repo_calcite: ENC[AES256_GCM,data:ELvSvoBfulbsoMvRMt2bVo9KiNQAuHomblZcAwJ+g0tHELkq65kaaGwMsNy1AttBfiD7RrQsKifX/YTUGmuz1mDg0WqkV/Mv,iv:HKz96YgVahxh+t3AEqe09mTE01uT+VrUYt04H6zyS9g=,tag:llFeeN7ryTZI9gLlYIRhCg==,type:str]
sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str]
gitea:
envfile: ENC[AES256_GCM,data:bO1aMYm0kPTBbyPD5cweVRzNjiDK2WlWDsxz52L3faFg5HSVmBoi5DZC17XBXYw=,iv:lo9XEcwY4FPD/rRbnuiUviioMIiiphS26UgPro56DIU=,tag:0eKfsS0pYw+FPW+Y5dgisg==,type:str]
@ -27,8 +27,8 @@ sops:
WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-14T01:46:18Z"
mac: ENC[AES256_GCM,data:+RuyHG1wLykJX792bkHvRXEiW7vDYj7i2tbR0MnZZUuFcr3xQDIuCW0/XnzxeX643k4iq+h/YUer/v7tIbCh75UXTG7oxQpfJhI8zMfaxKcCZBntD+wDhEmpWhgonOR/RwOAPMPz7FntJVvt9BHnpSLVjZC7KqVPohob0DRJs2Q=,iv:p6Lov35M8SN9RIV9I3D+3cO+wi3Kd2pVe08xgWYi/tM=,tag:aOMQauv2FFEsdwaS7WOraQ==,type:str]
lastmodified: "2024-09-12T16:48:39Z"
mac: ENC[AES256_GCM,data:sYY8N0HZ05sUV7m/w5L1pFWJb2V8wZNukyUXHH0V9LMO1JlJMwCUH2XuseLGz5kz0yggAF+fty/x16PBvI5ARcpaZ23pLmNFYHtpx2tWhWcyYg/yMAqjUf19o17IZ50GpLVkmRHQbowwZF9dcHr8mEicrftZbeORzg2eKVkx8+w=,iv:0fyqOrs2XQ363uX5Dr8zuoUzkHdtsQ/v3SZidFBeSr4=,tag:1Kw1jrruxfn9lxgtL0XEMA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0


@ -42,9 +42,19 @@ in
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true;
networking.interfaces.ens19.useDHCP = true;
networking.useNetworkd = true;
systemd.network.networks."10-wan" = {
matchConfig.MACAddress = "ens18";
networkConfig.DHCP = "ipv4";
dhcpV4Config = {
UseDNS = false;
};
};
systemd.network.networks."20-lan" = {
matchConfig.MACAddress = "ens19";
networkConfig.DHCP = "ipv4";
};
services.resolved.enable = true;
services.sing-box.settings.dns.strategy = "ipv4_only";
};
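Review bot: `matchConfig.MACAddress = "ens18"` (and `"ens19"`) gives an interface name where networkd expects a hardware address (`aa:bb:cc:dd:ee:ff`), so the value cannot be parsed. As far as I know an unparseable `[Match]` entry is ignored with a warning and the file then matches every interface, so `10-wan` would win for both NICs and `20-lan` would never apply; connectivity may work by accident, but `UseDNS = false` then also hits the LAN side. Use `matchConfig.Name = "ens18";` / `matchConfig.Name = "ens19";` (or the real MACs) and check `networkctl status` after deploy, since a failed match on a remote host is a lockout.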


@ -101,29 +101,6 @@ in
{
enable = true;
settings = {
dns = {
servers = [
{
tag = "warp";
address = "1.1.1.1";
detour = "wg-out";
}
{
tag = "directdns";
address = "h3://8.8.8.8/dns-query";
}
];
rules = [
{
outbound = "wg-out";
server = "warp";
}
{
outbound = "direct";
server = "directdns";
}
];
};
inbounds =
[
{
@ -182,17 +159,9 @@ in
type = "direct";
tag = "direct";
}
{
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
{
outbound = "dns-out";
protocol = "dns";
}
{
inbound = "sg0";
outbound = "direct";
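Review bot: Dropping the `dns` servers, the `dns-out` outbound and the `protocol = "dns"` route rule changes where resolution happens: sing-box falls back to its default local resolver and DNS packets are routed like any other flow, so names for destinations that go through `wg-out` are no longer resolved inside the tunnel or over `h3://8.8.8.8`. If relying on the host's `systemd-resolved` is intended, note that it is a plaintext, out-of-tunnel DNS path, e.g. `# DNS: resolved by the host (systemd-resolved), not tunnelled through wg-out`. The remaining `route.rules` continue past the hunk, so I could not confirm that no other rule still references `dns-out`, which would fail config validation.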


@ -103,7 +103,8 @@ in
environment.systemPackages = [ pkgs.cryptsetup ];
# EC2 has its own NTP server provided by the hypervisor
networking.timeServers = [ "169.254.169.123" ];
services.timesyncd.enable = true;
services.timesyncd.servers = [ "169.254.169.123" ];
# udisks has become too bloated to have in a headless system
# (e.g. it depends on GTK).


@ -1,7 +1,5 @@
{
inputs,
config,
libs,
pkgs,
...
}:
@ -51,13 +49,6 @@
efiSupport = true;
configurationLimit = 5;
};
#
# fileSystems."/mnt/storage" = {
# device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
# fsType = "cifs";
# options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
# };
#
environment.systemPackages = with pkgs; [
cifs-utils
git
@ -69,14 +60,11 @@
hostName = "massicot";
};
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life/";
asSSHAuth = {
commonSettings = {
auth.enable = true;
nix = {
enable = true;
allowedGroups = [ "linux_users" ];
};
sudoers = [ "xin@auth.xinyang.life" ];
};
security.sudo = {
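Review bot: Replacing `custom.kanidm-client` with `commonSettings.auth.enable = true` removes the explicit `asSSHAuth.allowedGroups = [ "linux_users" ]` and `sudoers = [ "xin@auth.xinyang.life" ]`; unless `commonSettings.auth` reproduces exactly those restrictions, either SSH login via Kanidm is opened to every Kanidm account or the sudo grant for `xin@` is lost. The shared module is not in this diff, so please confirm its defaults and state the resulting policy here, e.g. `# SSH groups and sudoers for this host come from commonSettings.auth`. Removing the unused `inputs`/`libs` arguments and the dead CIFS mount is fine; the `security.sudo` block that follows starts outside the hunk.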


@ -37,6 +37,7 @@
"xin"
"zhuo"
"ycm"
"yzl"
];
};
grafana-superadmins = {
@ -73,6 +74,11 @@
displayName = "Chunming";
mailAddresses = [ "chunmingyou@gmail.com" ];
};
yzl = {
displayName = "Zhengli Yang";
mailAddresses = [ "13391935399@189.cn" ];
};
};
systems.oauth2 = {
forgejo = {
@ -133,7 +139,8 @@
originUrl = [
"http://localhost/"
"http://127.0.0.1/"
"oc://android.owncloud.com"
# TODO: Should allow mobile redirect url not ending with /
# "oc://android.owncloud.com"
];
basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;
preferShortUsername = true;
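Review bot: With `oc://android.owncloud.com` commented out this client's redirect list holds only loopback origins, yet it still carries a `basicSecretFile`; a mobile app cannot protect a client secret, so if this client serves the Android app it should be a Kanidm public client using PKCE rather than a confidential one. The `systems.oauth2` entry starts before the hunk, so I cannot see whether `public = true` is set; please confirm. The TODO should also record which side rejected the URI (Kanidm's redirect matching or the app) so it can be re-enabled safely rather than guessed at later.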


@ -268,15 +268,33 @@ in
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
'';
virtualHosts."https://auth.xinyang.life".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
virtualHosts."https://auth.xinyang.life".extraConfig =
let
reverseProxyKanidm = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
}
'';
'';
in
''
reverse_proxy /oauth2/openid/owncloud/userinfo https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
@error status 400
handle_response @error {
rewrite /oauth2/openid/owncloud/userinfo /oauth2/openid/owncloud-android/userinfo
${reverseProxyKanidm}
}
}
${reverseProxyKanidm}
'';
virtualHosts."https://rss.xinyang.life".extraConfig = ''
reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}
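Review bot: The new `/oauth2/openid/owncloud/userinfo` handler replays any upstream `400` against the `owncloud-android` client's userinfo endpoint, so a token issued for one OAuth2 client is accepted at another client's endpoint via the proxy; that is presumably a deliberate workaround, but it needs a comment stating the reason, e.g. `# Workaround: retry userinfo against the owncloud-android client when kanidm rejects the owncloud one (400)`. `@error status 400` also fires for any malformed request, doubling upstream load on garbage input; a narrower match would be tighter. `header_down Access-Control-Allow-Origin "*"` is now repeated on both paths and applies to the whole identity-provider vhost, including its admin UI and token endpoints; scoping it to the `/oauth2/openid/*` paths the browser clients actually need reduces exposure.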


@ -5,9 +5,9 @@
...
}:
let
sqliteBackup = path: ''
mkdir -p /backup${path}
${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'"
sqliteBackup = fromPath: toPath: file: ''
mkdir -p ${toPath}
${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'"
'';
in
{
@ -25,7 +25,7 @@ in
repositoryFile = config.sops.secrets."restic/repo".path;
passwordFile = config.sops.secrets."restic/password".path;
paths = [
"/var/backup"
"/backup"
"/mnt/storage"
];
};
@ -34,15 +34,15 @@ in
enable = true;
compression = "zstd";
compressionLevel = 9;
location = "/var/backup/postgresql";
location = "/backup/postgresql";
};
services.restic.backups.${config.networking.hostName} = {
backupPrepareCommand = builtins.concatStringsSep "\n" [
(sqliteBackup "/var/lib/hedgedoc/db.sqlite")
(sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3")
(sqliteBackup "/var/lib/gotosocial/database.sqlite")
(sqliteBackup "/var/lib/kanidm/kanidm.db")
(sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite")
(sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3")
(sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite")
(sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db")
];
extraBackupArgs = [
"--limit-upload=1024"


@ -38,6 +38,8 @@
kernelModules = [ "kvm-intel" ];
};
nixpkgs.config.allowUnfree = true;
environment.systemPackages = [ pkgs.virtiofsd ];
sops = {
@ -48,6 +50,10 @@
owner = "caddy";
mode = "400";
};
dnspod_dns_token = {
owner = "caddy";
mode = "400";
};
"immich/oauth_client_secret" = {
owner = "immich";
mode = "400";
@ -64,16 +70,30 @@
what = "immich";
where = "/mnt/XinPhotos/immich";
type = "virtiofs";
options = "rw";
options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ];
}
{
what = "originals";
where = "/mnt/XinPhotos/originals";
type = "virtiofs";
options = "ro,nodev,nosuid";
options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ];
}
{
what = "restic";
where = "/var/lib/restic";
type = "virtiofs";
options = "rw,nodev,nosuid";
wantedBy = [ "restic-rest-server.service" ];
}
{
what = "ocis";
where = "/var/lib/ocis";
type = "virtiofs";
options = "rw,nodev,nosuid";
wantedBy = [ "ocis.service" ];
}
];
services.openssh.ports = [
@ -137,26 +157,30 @@
repo = "github.com/caddy-dns/cloudflare";
version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
}
{
repo = "github.com/caddy-dns/dnspod";
version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
}
];
vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
};
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
# API Token must be added in systemd environment file
virtualHosts."immich.xinyang.life:8000".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
globalConfig = ''
acme_dns dnspod {env.DNSPOD_API_TOKEN}
'';
};
networking.firewall.allowedTCPPorts = [ 8000 ];
systemd.services.caddy = {
serviceConfig = {
EnvironmentFile = config.sops.secrets.cloudflare_dns_token.path;
EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
};
};
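Review bot: The `originals` virtiofs share changes from `ro,nodev,nosuid` to `rw,nodev,nosuid`, so a compromised or misbehaving Immich can now modify or delete the original photos rather than only its `immich` working store; if write access is genuinely needed, say why in a comment, otherwise keep `ro`. Independently, `EnvironmentFile` is replaced rather than extended: the `immich.xinyang.life:8000` vhost still uses `dns cloudflare {env.CLOUDFLARE_API_TOKEN}`, which is now unset and will break that certificate's DNS challenge; use a list, `EnvironmentFile = [ config.sops.secrets.cloudflare_dns_token.path config.sops.secrets.dnspod_dns_token.path ];`. Both token files should remain `0400` and `caddy`-owned as the sops block declares.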


@ -1,4 +1,5 @@
cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str]
immich:
oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
sops:
@ -25,8 +26,8 @@ sops:
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-07T14:56:37Z"
mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
lastmodified: "2024-09-13T12:02:54Z"
mac: ENC[AES256_GCM,data:c5p+B2mPCDyS/Q4QH4MkzCww6jFDhP8RfHqrKLf4e/8XuNEGfNmPKaeliZG26j1YQWRvFHiGQX3AMnQ3Q+fSRUQCVi5KV+KW7fADNIB3TiTT5hAFuynhiWWQSmIrWP0GGek3GDGi7OJ1PrFbxWP9bwaf+zBegiaUcWoTorJg7No=,iv:6MohNgPpq80eTUlf3RvPKsxdx69V0jl+/hrMxAPpPQE=,tag:BtWp1FChP2hdclbGl5W+vQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0


@ -0,0 +1,9 @@
{ pkgs, ... }:
{
services.cloudflared = {
enable = true;
tunnels =
{
};
};
}
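Review bot: `pkgs` is bound but never used, and `tunnels = { }` means `services.cloudflared.enable = true` produces no tunnel units, so this module currently changes nothing; drop the argument or add the intended tunnel. When a tunnel is added, keep its `credentialsFile` in sops like the other secrets in this repo, and note that a tunnel publishes local services without passing through `networking.firewall`, e.g. `# cloudflared tunnels bypass the host firewall; only list ingress for services meant to be public`.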


@ -1,36 +1,35 @@
{ config, pkgs, ... }:
{
sops = {
secrets = {
"ocis/env" = {
sopsFile = ../secrets.yaml;
};
};
};
services.ocis = {
enable = true;
package = pkgs.ocis-bin;
package = pkgs.ocis;
stateDir = "/var/lib/ocis";
url = "https://drive.xinyang.life:8443";
address = "127.0.0.1";
port = 9200;
configDir = "/var/lib/ocis/config";
environment = {
OCIS_INSECURE = "false";
OCIS_LOG_LEVEL = "trace";
PROXY_TLS = "false";
OCIS_LOG_LEVEL = "debug";
OCIS_LOG_PRETTY = "true";
# For reverse proxy. Disable tls.
OCIS_PROXY_TLS = "false";
WEB_OIDC_CLIENT_ID = "owncloud";
WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
PROXY_AUTOPROVISION_ACCOUNTS = "true";
PROXY_USER_OIDC_CLAIM = "preferred_username";
PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
PROXY_OIDC_REWRITE_WELLKNOWN = "false";
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
OCIS_EXCLUDE_RUN_SERVICES = "idp";
PROXY_OIDC_REWRITE_WELLKNOWN = "true";
WEB_HTTP_ADDR = "127.0.0.1:12345";
WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration";
WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud";
WEB_OIDC_CLIENT_ID = "owncloud";
};
# environmentFile = config.sops.secrets."ocis/env".path;
};
networking.allowedTCPPorts = [ 8443 ];
networking.firewall.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent
reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
'';
}
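Review bot: As rendered, `WEB_OIDC_CLIENT_ID = "owncloud";` appears twice on the new side of `environment` (once next to `WEB_OIDC_ISSUER`, once after `WEB_OIDC_AUTHORITY`); a repeated attribute in a Nix attribute-set literal is an evaluation error, so one of them has to go. `PROXY_AUTOPROVISION_ACCOUNTS = "true"` creates an oCIS account for any identity Kanidm will issue a token to, so who may log in rests entirely on the Kanidm client's group scope map; worth a comment, e.g. `# auto-provisioning: access is gated only by the kanidm client's scope map`. `OCIS_LOG_LEVEL = "debug"` is fine for bring-up, but proxy debug logs may carry bearer tokens and user claims, so plan to lower it once login works.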


@ -1,16 +1,43 @@
{ config, ... }:
let
mkPrune = user: host: {
name = "${user}-${host}-prune";
value = {
user = "restic";
repository = "/var/lib/restic/${user}/${host}";
passwordFile = "/var/lib/restic/localpass";
timerConfig = {
OnCalendar = "02:05";
RandomizedDelaySec = "1h";
};
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
};
};
in
{
services.restic.server = {
enable = true;
dataDir = "/var/lib/restic";
listenAddress = "127.0.0.1:19573";
privateRepos = "true";
privateRepos = true;
extraFlags = [
"--append-only"
"--prometheus-no-auth"
];
};
networking.allowedTCPPorts = [ 8443 ];
services.restic.backups = builtins.listToAttrs [
(mkPrune "xin" "calcite")
(mkPrune "xin" "massicot")
];
networking.firewall.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
reverse_proxy ${config.services.restic.server.listenAddress}
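Review bot: `--prometheus-no-auth` removes authentication from `/metrics` while the Caddy vhost proxies the whole `listenAddress` on the public `backup.xinyang.life:8443`, so repository names and sizes become readable by anyone unless Caddy blocks that path. Either drop the flag (Prometheus can scrape with the same `.htpasswd` credentials) or add a matcher before the proxy, `@metrics path /metrics` and `respond @metrics 403`, or restrict it to the scrape source. The `--append-only` server plus server-side `mkPrune` jobs is the right split, but both prune jobs read the same `/var/lib/restic/localpass`, which implies the `calcite` and `massicot` repos share a password; a comment should say whether that is intended, and the file must remain readable only by the `restic` user.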


@ -0,0 +1,32 @@
{
config,
lib,
...
}:
let
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.autoupgrade;
in
{
options.commonSettings.autoupgrade = {
enable = mkEnableOption "auto upgrade with nixos-rebuild";
flake = mkOption {
type = types.str;
default = "github:xinyangli/nixos-config/deploy";
};
};
config = mkIf cfg.enable {
system.autoUpgrade = {
enable = true;
flake = cfg.flake;
};
};
}
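Review bot: `flake = "github:xinyangli/nixos-config/deploy"` makes every host pull and activate whatever the `deploy` branch points to, fetched from GitHub over HTTPS with no commit-signature or tag check, so control of that branch (or the GitHub account) is root on every auto-upgrading host; that trust boundary should be written down, e.g. `# Anyone who can push to the deploy branch runs code as root on all hosts: keep branch protection and 2FA on`. The `flake` option has no `description`; add `description = "Flake reference to rebuild from; defaults to the deploy branch of this repo";`. Consider also exposing `dates`/`randomizedDelaySec` so hosts do not all upgrade in the same minute.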


@ -1,6 +1,7 @@
{
imports = [
./common-settings/auth.nix
./common-settings/autoupgrade.nix
./common-settings/nix-conf.nix
./restic.nix
./vaultwarden.nix


@ -1,6 +1,7 @@
# TODO: https://github.com/lilyinstarlight/foosteros/blob/dfe1ab3eb68bfebfaa709482d52fa04ebdde81c8/config/restic.nix#L23 <- this is better
{
config,
pkgs,
lib,
...
}:
@ -55,10 +56,10 @@ in
}
(lib.mkIf (config.fileSystems."/".fsType == "btrfs") {
backupPrepareCommand = ''
btrfs subvolume snapshot -r / backup
${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r / backup
'';
backupCleanupCommand = ''
btrfs subvolume delete /backup
${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup
'';
paths = map (p: "/backup" + p) cfg.paths;
})
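Review bot: The snapshot command uses a relative target (`subvolume snapshot -r / backup`) while the cleanup uses `/backup`; they coincide only because the unit's working directory is `/`, so make both absolute. The pair is also not idempotent: if a previous run died before `backupCleanupCommand`, `/backup` still exists and the next `snapshot` fails, so prepend a best-effort cleanup, e.g. `${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup 2>/dev/null || true`. Note that a read-only snapshot of `/` captures only the root subvolume; if any of `cfg.paths` live on nested subvolumes (commonly `/home` or `/var`) they will be empty in the snapshot and restic will silently back up nothing for them, which is worth checking per host and stating in a comment.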