nixos-config/machines/weilite/default.nix

{
  inputs,
  config,
  pkgs,
  modulesPath,
  ...
}:

{
  imports = [
    inputs.sops-nix.nixosModules.sops
    (modulesPath + "/profiles/qemu-guest.nix")
    ./services
  ];

  config = {
    networking.hostName = "weilite";
    commonSettings = {
      auth.enable = true;
      autoupgrade.enable = true;
      nix = {
        enable = true;
        enableMirrors = true;
      };
    };

    boot = {
      loader = {
        systemd-boot.enable = true;
        efi.canTouchEfiVariables = true;
      };
      initrd.availableKernelModules = [
        "uhci_hcd"
        "ehci_pci"
        "ahci"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ "kvm-intel" ];
    };

    nixpkgs.config.allowUnfree = true;

    environment.systemPackages = [ pkgs.virtiofsd ];

    sops = {
      defaultSopsFile = ./secrets.yaml;
      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      secrets = {
        cloudflare_dns_token = {
          owner = "caddy";
          mode = "400";
        };
        dnspod_dns_token = {
          owner = "caddy";
          mode = "400";
        };
        "immich/oauth_client_secret" = {
          owner = "immich";
          mode = "400";
        };
      };
    };

    custom.prometheus = {
      enable = true;
    };

    systemd.mounts = [
      {
        what = "immich";
        where = "/mnt/XinPhotos/immich";
        type = "virtiofs";
        options = "rw,nodev,nosuid";
        wantedBy = [ "immich-server.service" ];
      }
      {
        what = "originals";
        where = "/mnt/XinPhotos/originals";
        type = "virtiofs";
        options = "rw,nodev,nosuid";
        wantedBy = [ "immich-server.service" ];
      }
      {
        what = "restic";
        where = "/var/lib/restic";
        type = "virtiofs";
        options = "rw,nodev,nosuid";
        wantedBy = [ "restic-rest-server.service" ];
      }
      {
        what = "ocis";
        where = "/var/lib/ocis";
        type = "virtiofs";
        options = "rw,nodev,nosuid";
        wantedBy = [ "ocis.service" ];
      }
    ];

    services.openssh.ports = [
      22
      2222
    ];

    services.immich = {
      enable = true;
      mediaLocation = "/mnt/XinPhotos/immich";
      host = "127.0.0.1";
      port = 3001;
      openFirewall = true;
      machine-learning.enable = true;
      environment = {
        IMMICH_MACHINE_LEARNING_ENABLED = "true";
      };
      database.enable = true;
    };

    custom.immich.jsonSettings = {
      oauth = {
        enabled = true;
        issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
        clientId = "immich";
        clientSecret = {
          _secret = config.sops.secrets."immich/oauth_client_secret".path;
        };
        scope = "openid email profile";
        signingAlgorithm = "ES256";
        storageLabelClaim = "email";
        buttonText = "Login with Kanidm";
        autoLaunch = true;
        mobileOverrideEnabled = true;
        mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
      };
      passwordLogin = {
        enabled = false;
      };
      newVersionCheck = {
        enabled = false;
      };
    };

    services.dae = {
      enable = true;
      configFile = "/var/lib/dae/config.dae";
    };

    services.tailscale = {
      enable = true;
      openFirewall = true;
      permitCertUid = "caddy";
    };

    services.caddy = {
      enable = true;
      package = pkgs.caddy.withPlugins {
        caddyModules = [
          {
            repo = "github.com/caddy-dns/cloudflare";
            version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
          }
          {
            repo = "github.com/caddy-dns/dnspod";
            version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
          }
        ];
        vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
      };
      virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
      '';
      # API Token must be added in systemd environment file
      virtualHosts."immich.xinyang.life:8000".extraConfig = ''
        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
      '';
      globalConfig = ''
        acme_dns dnspod {env.DNSPOD_API_TOKEN}
      '';
    };

    networking.firewall.allowedTCPPorts = [ 8000 ];

    systemd.services.caddy = {
      serviceConfig = {
        EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
      };
    };

    time.timeZone = "Asia/Shanghai";

    fileSystems."/" = {
      device = "/dev/disk/by-label/nixos";
      fsType = "btrfs";
    };

    fileSystems."/boot" = {
      device = "/dev/sda1";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };

    system.stateVersion = "24.11";
  };
}
treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`{`
			`inputs,`
			`config,`
			`pkgs,`
			`modulesPath,`
			`...`
			`}:`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00
			`{`
			`imports = [`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`inputs.sops-nix.nixosModules.sops`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`(modulesPath + "/profiles/qemu-guest.nix")`
massicot,fix: switch to fix drive 2024-09-14 08:33:01 +00:00			`./services`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`];`

			`config = {`
			`networking.hostName = "weilite";`
			`commonSettings = {`
			`auth.enable = true;`
modules/autoupgrade: init 2024-09-24 02:53:51 +00:00			`autoupgrade.enable = true;`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`nix = {`
			`enable = true;`
			`enableMirrors = true;`
			`};`
			`};`

			`boot = {`
treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`loader = {`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`systemd-boot.enable = true;`
			`efi.canTouchEfiVariables = true;`
			`};`
treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`initrd.availableKernelModules = [`
			`"uhci_hcd"`
			`"ehci_pci"`
			`"ahci"`
			`"usb_storage"`
			`"sd_mod"`
			`];`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`kernelModules = [ "kvm-intel" ];`
			`};`

weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`nixpkgs.config.allowUnfree = true;`

treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`environment.systemPackages = [ pkgs.virtiofsd ];`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`sops = {`
			`defaultSopsFile = ./secrets.yaml;`
			`age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`
			`secrets = {`
			`cloudflare_dns_token = {`
			`owner = "caddy";`
			`mode = "400";`
			`};`
weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`dnspod_dns_token = {`
			`owner = "caddy";`
			`mode = "400";`
			`};`
massicot,fix: switch to fix drive 2024-09-14 08:33:01 +00:00			`"immich/oauth_client_secret" = {`
			`owner = "immich";`
			`mode = "400";`
			`};`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`};`
			`};`

prometheus: enable every where 2024-08-01 09:01:53 +00:00			`custom.prometheus = {`
			`enable = true;`
			`};`

feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`systemd.mounts = [`
treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`{`
			`what = "immich";`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`where = "/mnt/XinPhotos/immich";`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`type = "virtiofs";`
weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`options = "rw,nodev,nosuid";`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`wantedBy = [ "immich-server.service" ];`
			`}`
treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`{`
			`what = "originals";`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`where = "/mnt/XinPhotos/originals";`
			`type = "virtiofs";`
weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`options = "rw,nodev,nosuid";`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`wantedBy = [ "immich-server.service" ];`
			`}`
weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`{`
			`what = "restic";`
			`where = "/var/lib/restic";`
			`type = "virtiofs";`
			`options = "rw,nodev,nosuid";`
			`wantedBy = [ "restic-rest-server.service" ];`
			`}`
			`{`
			`what = "ocis";`
			`where = "/var/lib/ocis";`
			`type = "virtiofs";`
			`options = "rw,nodev,nosuid";`
			`wantedBy = [ "ocis.service" ];`
			`}`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`];`

treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`services.openssh.ports = [`
			`22`
			`2222`
			`];`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00
			`services.immich = {`
			`enable = true;`
			`mediaLocation = "/mnt/XinPhotos/immich";`
			`host = "127.0.0.1";`
			`port = 3001;`
			`openFirewall = true;`
weilite/immich: enable machine learning 2024-10-16 09:05:21 +00:00			`machine-learning.enable = true;`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`environment = {`
weilite/immich: enable machine learning 2024-10-16 09:05:21 +00:00			`IMMICH_MACHINE_LEARNING_ENABLED = "true";`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`};`
massicot,fix: switch to fix drive 2024-09-14 08:33:01 +00:00			`database.enable = true;`
			`};`

			`custom.immich.jsonSettings = {`
			`oauth = {`
			`enabled = true;`
			`issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";`
			`clientId = "immich";`
			`clientSecret = {`
			`_secret = config.sops.secrets."immich/oauth_client_secret".path;`
			`};`
			`scope = "openid email profile";`
			`signingAlgorithm = "ES256";`
			`storageLabelClaim = "email";`
			`buttonText = "Login with Kanidm";`
			`autoLaunch = true;`
			`mobileOverrideEnabled = true;`
			`mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";`
			`};`
			`passwordLogin = {`
			`enabled = false;`
			`};`
			`newVersionCheck = {`
			`enabled = false;`
			`};`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`};`

			`services.dae = {`
			`enable = true;`
			`configFile = "/var/lib/dae/config.dae";`
			`};`

			`services.tailscale = {`
			`enable = true;`
			`openFirewall = true;`
			`permitCertUid = "caddy";`
			`};`

			`services.caddy = {`
			`enable = true;`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`package = pkgs.caddy.withPlugins {`
			`caddyModules = [`
treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`{`
			`repo = "github.com/caddy-dns/cloudflare";`
			`version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";`
			`}`
modules/autoupgrade: init 2024-09-24 02:53:51 +00:00			`{`
weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`repo = "github.com/caddy-dns/dnspod";`
			`version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";`
			`}`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`];`
weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`};`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''`
			`reverse_proxy 127.0.0.1:${toString config.services.immich.port}`
			`'';`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`# API Token must be added in systemd environment file`
			`virtualHosts."immich.xinyang.life:8000".extraConfig = ''`
			`reverse_proxy 127.0.0.1:${toString config.services.immich.port}`
			`'';`
weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`globalConfig = ''`
			`acme_dns dnspod {env.DNSPOD_API_TOKEN}`
			`'';`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`};`

			`networking.firewall.allowedTCPPorts = [ 8000 ];`

			`systemd.services.caddy = {`
			`serviceConfig = {`
weilite/{restic,ocis}: add 2024-09-23 12:17:26 +00:00			`EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;`
feat(weilite): make immich public 2024-07-30 03:01:07 +00:00			`};`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`};`

			`time.timeZone = "Asia/Shanghai";`
treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`fileSystems."/" = {`
			`device = "/dev/disk/by-label/nixos";`
			`fsType = "btrfs";`
			`};`

			`fileSystems."/boot" = {`
			`device = "/dev/sda1";`
			`fsType = "vfat";`
treewide: apply the new rfc nixfmt 2024-08-25 09:45:58 +00:00			`options = [`
			`"fmask=0022"`
			`"dmask=0022"`
			`];`
feat(weilite): add a vm for running immich 2024-07-29 06:56:28 +00:00			`};`

			`system.stateVersion = "24.11";`
			`};`
			`}`