xin/diffu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(weilite): make immich public

Browse source
This commit is contained in:
xinyangli 2024-07-30 11:01:07 +08:00
parent c4cb116514
commit 13ce7e87b0
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
3 changed files with 79 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -6,6 +6,7 @@ keys:
- &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
- &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
- &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
- &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
creation_rules: creation_rules:
- path_regex: machines/calcite/secrets.yaml - path_regex: machines/calcite/secrets.yaml
key_groups: key_groups:
@ -37,6 +38,11 @@ creation_rules:
- age: - age:
- *xin - *xin
- *host-la-00 - *host-la-00
- path-regex: machines/weilite/secrets.yaml
key_groups:
- age:
- *xin
- *host-weilite
- path_regex: machines/secrets.yaml - path_regex: machines/secrets.yaml
key_groups: key_groups:
- age: - age:
@ -53,4 +59,3 @@ creation_rules:
- *xin - *xin
- *host-raspite - *host-raspite
- *host-calcite - *host-calcite

46
machines/weilite/default.nix
View file

@ -1,9 +1,10 @@
{ config, pkgs, lib, modulesPath, ... }: { inputs, config, pkgs, lib, modulesPath, ... }:
with lib; with lib;
{ {
imports = [ imports = [
inputs.sops-nix.nixosModules.sops
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
@ -30,10 +31,28 @@ with lib;
pkgs.virtiofsd pkgs.virtiofsd
]; ];
sops = {
defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
cloudflare_dns_token = {
owner = "caddy";
mode = "400";
};
};
};
systemd.mounts = [ systemd.mounts = [
{ what = "XinPhotos"; { what = "immich";
where = "/mnt/XinPhotos"; where = "/mnt/XinPhotos/immich";
type = "virtiofs"; type = "virtiofs";
options = "rw";
wantedBy = [ "immich-server.service" ];
}
{ what = "originals";
where = "/mnt/XinPhotos/originals";
type = "virtiofs";
options = "ro,nodev,nosuid";
wantedBy = [ "immich-server.service" ]; wantedBy = [ "immich-server.service" ];
} }
]; ];
@ -65,9 +84,30 @@ with lib;
services.caddy = { services.caddy = {
enable = true; enable = true;
package = pkgs.caddy.withPlugins {
caddyModules = [
{ repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; }
];
vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
};
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = '' virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port} reverse_proxy 127.0.0.1:${toString config.services.immich.port}
''; '';
# API Token must be added in systemd environment file
virtualHosts."immich.xinyang.life:8000".extraConfig = ''
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
};
networking.firewall.allowedTCPPorts = [ 8000 ];
systemd.services.caddy = {
serviceConfig = {
EnvironmentFile = config.sops.secrets.cloudflare_dns_token.path;
};
}; };
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";

30
machines/weilite/secrets.yaml Normal file
View file

@ -0,0 +1,30 @@
cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYkRNYmtjUkpoOXhRY1Yz
UkxnSEJiSXRvMy9WQWx5R1VHYVlnL1R2Tm1jCk8yUi80MG9kTWtSRndXRThuVThv
bERaUGwzaVJDem9IeFFIb2hiT1ZjTzQKLS0tIHo4bDJQa2dVbTl1aWxyYVd6bkl0
c0g5TW03TU51L1hiSk95S05Eaks5TEEKBfA6XNAtcl7bKgDyVmuO6M45x9IJ7gqV
Nd+BvOK+iomEubZqsyMPLM3NfOL1dwSOnmwSdUZasUzuGCaw6IdlOA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZlVTY1hhcC95RExJL1Jn
blBncWxlWmxsQS8vQ3dhd1pXR1VCbXltUEQ4ClE0NEZweERYK3cyelpDRjkrNlBH
RHBIQTI0M2pnNm5qdnorNWFmMmd0ZFUKLS0tIEE4cFVteUZjT04wbk1RSWlmOU1P
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-29T09:05:41Z"
mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0