From 5104c5943e0118e426319dabebcf64894170a8b1 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 14 Sep 2024 16:33:01 +0800 Subject: [PATCH] massicot,fix: switch to fix drive --- flake.lock | 93 +++-- flake.nix | 6 +- machines/massicot/default.nix | 15 +- machines/massicot/hardware-configuration.nix | 11 +- machines/massicot/kanidm-provision.nix | 351 ++++++++++--------- machines/massicot/networking.nix | 23 +- machines/massicot/secrets.yaml | 12 +- machines/massicot/services.nix | 37 +- machines/massicot/services/default.nix | 5 + machines/massicot/services/restic.nix | 51 +++ machines/weilite/default.nix | 33 +- machines/weilite/secrets.yaml | 6 +- machines/weilite/services/default.nix | 6 + machines/weilite/services/ocis.nix | 36 ++ machines/weilite/services/restic.nix | 18 + modules/nixos/immich.nix | 57 +++ 16 files changed, 512 insertions(+), 248 deletions(-) create mode 100644 machines/massicot/services/default.nix create mode 100644 machines/massicot/services/restic.nix create mode 100644 machines/weilite/services/default.nix create mode 100644 machines/weilite/services/ocis.nix create mode 100644 machines/weilite/services/restic.nix create mode 100644 modules/nixos/immich.nix diff --git a/flake.lock b/flake.lock index f15ebae..3744570 100644 --- a/flake.lock +++ b/flake.lock @@ -116,11 +116,11 @@ }, "catppuccin": { "locked": { - "lastModified": 1724469296, - "narHash": "sha256-p3R4LUNk6gC+fTKRUm9ByXaoRIocnQMwVuJSIxECQ8o=", + "lastModified": 1725509983, + "narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=", "owner": "catppuccin", "repo": "nix", - "rev": "874e668ddaf3687e8d38ccd0188a641ffefe1cfb", + "rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9", "type": "github" }, "original": { @@ -433,11 +433,11 @@ ] }, "locked": { - "lastModified": 1725180166, - "narHash": "sha256-fzssXuGR/mCeGbzM1ExaTqDz7QDGta3WA4jJsZyRruo=", + "lastModified": 1725694918, + "narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=", "owner": "nix-community", "repo": "home-manager", - "rev": "471e3eb0a114265bcd62d11d58ba8d3421ee68eb", + "rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda", "type": "github" }, "original": { @@ -468,6 +468,27 @@ "type": "github" } }, + "home-manager_3": { + "inputs": { + "nixpkgs": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1726036828, + "narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "8a1671642826633586d12ac3158e463c7a50a112", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "my-nixvim": { "inputs": { "flake-parts": "flake-parts", @@ -543,11 +564,11 @@ ] }, "locked": { - "lastModified": 1725241396, - "narHash": "sha256-b4YfdCTuVLmrTGt8M44T+k0+rwRhBDXYKPhQR9o6LxU=", + "lastModified": 1725672853, + "narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "36fbe64e2b1b879871d896e94d560691ec88c08b", + "rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21", "type": "github" }, "original": { @@ -558,11 +579,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1724878143, - "narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=", + "lastModified": 1725477728, + "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef", + "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce", "type": "github" }, "original": { @@ -602,11 +623,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1725001927, - "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=", + "lastModified": 1725407940, + "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421", + "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3", "type": "github" }, "original": { @@ -634,11 +655,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1725246338, - "narHash": "sha256-a1niN+9XVfG5PjokF5n/yPv9PunUoQFMV2btjAjy/OI=", + "lastModified": 1726296585, + "narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "1e6e46dcf84c3218120d7080c4eca68cf36fd629", + "rev": "8539edfb09c674994303141378df4ab33cd765ad", "type": "github" }, "original": { @@ -648,6 +669,22 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1726042813, + "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixvim": { "inputs": { "devshell": "devshell", @@ -676,11 +713,11 @@ }, "nur": { "locked": { - "lastModified": 1725248798, - "narHash": "sha256-6VVKFwDGBq/waWWkEwQfA3u9smxOeFjzA/f+wKtph2M=", + "lastModified": 1725687722, + "narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=", "owner": "nix-community", "repo": "NUR", - "rev": "6cac52982b36c11c5d447a5511d84b295783b94f", + "rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3", "type": "github" }, "original": { @@ -737,11 +774,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1725201042, - "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=", + "lastModified": 1725540166, + "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7", + "rev": "d9d781523a1463965cd1e1333a306e70d9feff07", "type": "github" }, "original": { @@ -762,12 +799,8 @@ "flake-compat": "flake-compat_4", "flake-utils": "flake-utils_3", "gnome-shell": "gnome-shell", - "home-manager": [ - "home-manager" - ], - "nixpkgs": [ - "nixpkgs" - ], + "home-manager": "home-manager_3", + "nixpkgs": "nixpkgs_3", "systems": "systems_3" }, "locked": { diff --git a/flake.nix b/flake.nix index b4ae9db..9a9ffc3 100644 --- a/flake.nix +++ b/flake.nix @@ -55,8 +55,8 @@ stylix = { url = "github:xinyangli/stylix"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.home-manager.follows = "home-manager"; + # inputs.nixpkgs.follows = "nixpkgs"; + # inputs.home-manager.follows = "home-manager"; }; }; @@ -83,7 +83,7 @@ ]; }; deploymentModule = { - deployment.targetUser = "xin"; + deployment.targetUser = "root"; }; sharedColmenaModules = [ self.nixosModules.default diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 4513a2b..f74f265 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -12,6 +12,7 @@ ./hardware-configuration.nix ./networking.nix ./services.nix + ./services ]; sops = { @@ -50,13 +51,13 @@ efiSupport = true; configurationLimit = 5; }; - - fileSystems."/mnt/storage" = { - device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; - fsType = "cifs"; - options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ]; - }; - + # + # fileSystems."/mnt/storage" = { + # device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; + # fsType = "cifs"; + # options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ]; + # }; + # environment.systemPackages = with pkgs; [ cifs-utils git diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix index c67deb1..36e673c 100644 --- a/machines/massicot/hardware-configuration.nix +++ b/machines/massicot/hardware-configuration.nix @@ -16,8 +16,17 @@ ]; boot.initrd.kernelModules = [ "nvme" ]; fileSystems."/" = { - device = "/dev/sda1"; + device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1"; fsType = "ext4"; }; + fileSystems."/mnt/storage" = { + device = "/dev/disk/by-id/scsi-0HC_Volume_101302395"; + fsType = "btrfs"; + options = [ + "subvol=storage" + "compress=zstd" + "noatime" + ]; + }; } diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 95c75df..2439be6 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -1,175 +1,214 @@ +{ config, lib, ... }: { - enable = true; - autoRemove = true; - groups = { - forgejo-access = { - members = [ "xin" ]; - }; - forgejo-admin = { - members = [ "xin" ]; - }; - gts-users = { - members = [ "xin" ]; - }; - ocis-users = { - members = [ "xin" ]; - }; - linux_users = { - members = [ "xin" ]; - }; - hedgedoc-users = { - members = [ "xin" ]; - }; - immich-users = { - members = [ - "xin" - "zhuo" - "ycm" - ]; - }; - grafana-superadmins = { - members = [ "xin" ]; - }; - grafana-admins = { - members = [ "xin" ]; - }; - grafana-editors = { - members = [ "xin" ]; - }; - grafana-users = { - members = [ "xin" ]; - }; - miniflux-users = { - members = [ "xin" ]; - }; - idm_people_self_mail_write = { - members = [ ]; + sops.secrets = { + "kanidm/ocis_android_secret" = { + owner = "kanidm"; }; }; - persons = { - xin = { - displayName = "Xinyang Li"; - mailAddresses = [ "lixinyang411@gmail.com" ]; - }; - - zhuo = { - displayName = "Zhuo"; - mailAddresses = [ "13681104320@163.com" ]; - }; - - ycm = { - displayName = "Chunming"; - mailAddresses = [ "chunmingyou@gmail.com" ]; - }; + systemd.services.kanidm.serviceConfig = { + BindReadOnlyPaths = [ + config.sops.secrets."kanidm/ocis_android_secret".path + ]; }; - systems.oauth2 = { - forgejo = { - displayName = "ForgeJo"; - originUrl = "https://git.xinyang.life/"; - originLanding = "https://git.xinyang.life/user/oauth2/kandim"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - forgejo-access = [ - "openid" - "email" - "profile" - "groups" + services.kanidm.provision = { + enable = true; + autoRemove = true; + groups = { + forgejo-access = { + members = [ "xin" ]; + }; + forgejo-admin = { + members = [ "xin" ]; + }; + gts-users = { + members = [ "xin" ]; + }; + ocis-users = { + members = [ "xin" ]; + }; + linux_users = { + members = [ "xin" ]; + }; + hedgedoc-users = { + members = [ "xin" ]; + }; + immich-users = { + members = [ + "xin" + "zhuo" + "ycm" ]; }; - claimMaps = { - forgejo_role = { - joinType = "array"; - valuesByGroup = { - forgejo-access = [ "Access" ]; - forgejo-admin = [ "Admin" ]; + grafana-superadmins = { + members = [ "xin" ]; + }; + grafana-admins = { + members = [ "xin" ]; + }; + grafana-editors = { + members = [ "xin" ]; + }; + grafana-users = { + members = [ "xin" ]; + }; + miniflux-users = { + members = [ "xin" ]; + }; + idm_people_self_mail_write = { + members = [ ]; + }; + }; + persons = { + xin = { + displayName = "Xinyang Li"; + mailAddresses = [ "lixinyang411@gmail.com" ]; + }; + + zhuo = { + displayName = "Zhuo"; + mailAddresses = [ "13681104320@163.com" ]; + }; + + ycm = { + displayName = "Chunming"; + mailAddresses = [ "chunmingyou@gmail.com" ]; + }; + }; + systems.oauth2 = { + forgejo = { + displayName = "ForgeJo"; + originUrl = "https://git.xinyang.life/"; + originLanding = "https://git.xinyang.life/user/oauth2/kandim"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + forgejo-access = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + claimMaps = { + forgejo_role = { + joinType = "array"; + valuesByGroup = { + forgejo-access = [ "Access" ]; + forgejo-admin = [ "Admin" ]; + }; }; }; }; - }; - gts = { - displayName = "GoToSocial"; - originUrl = "https://xinyang.life/"; - originLanding = "https://xinyang.life/"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - gts-users = [ - "openid" - "email" - "profile" - "groups" - ]; + gts = { + displayName = "GoToSocial"; + originUrl = "https://xinyang.life/"; + originLanding = "https://xinyang.life/"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + gts-users = [ + "openid" + "email" + "profile" + "groups" + ]; + }; }; - }; - owncloud = { - displayName = "ownCloud"; - originUrl = "https://home.xinyang.life:9201/"; - originLanding = "https://home.xinyang.life:9201/"; - public = true; - scopeMaps = { - ocis-users = [ - "openid" - "email" - "profile" - ]; + owncloud = { + displayName = "ownCloud"; + originUrl = "https://drive.xinyang.life:8443/"; + originLanding = "https://drive.xinyang.life:8443/"; + public = true; + preferShortUsername = true; + scopeMaps = { + ocis-users = [ + "openid" + "email" + "profile" + ]; + }; }; - }; - hedgedoc = { - displayName = "HedgeDoc"; - originUrl = "https://docs.xinyang.life/"; - originLanding = "https://docs.xinyang.life/auth/oauth2"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - hedgedoc-users = [ - "openid" - "email" - "profile" + + owncloud-android = { + displayName = "ownCloud Apps"; + originLanding = "https://drive.xinyang.life:8443/"; + originUrl = [ + "http://localhost/" + "http://127.0.0.1/" + "oc://android.owncloud.com" ]; + basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path; + preferShortUsername = true; + scopeMaps = { + ocis-users = [ + "openid" + "email" + "profile" + "offline_access" + ]; + }; }; - }; - immich-mobile = { - displayName = "Immich"; - originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; - originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - immich-users = [ - "openid" - "email" - "profile" + + hedgedoc = { + displayName = "HedgeDoc"; + originUrl = "https://docs.xinyang.life/"; + originLanding = "https://docs.xinyang.life/auth/oauth2"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + hedgedoc-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + immich = { + displayName = "Immich"; + originUrl = [ + "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/" + "https://immich.xinyang.life:8000/auth/login/" + "https://immich.xinyang.life:8000/user-settings/" ]; + originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + immich-users = [ + "openid" + "email" + "profile" + ]; + }; }; - }; - miniflux = { - displayName = "Miniflux"; - originUrl = "https://rss.xinyang.life/"; - originLanding = "https://rss.xinyang.life/"; - scopeMaps = { - miniflux-users = [ - "openid" - "email" - "profile" - ]; + miniflux = { + displayName = "Miniflux"; + originUrl = "https://rss.xinyang.life/"; + originLanding = "https://rss.xinyang.life/"; + scopeMaps = { + miniflux-users = [ + "openid" + "email" + "profile" + ]; + }; }; - }; - grafana = { - displayName = "Grafana"; - originUrl = "https://grafana.xinyang.life/"; - originLanding = "https://grafana.xinyang.life/"; - scopeMaps = { - grafana-users = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - claimMaps = { - grafana_role = { - joinType = "array"; - valuesByGroup = { - grafana-superadmins = [ "GrafanaAdmin" ]; - grafana-admins = [ "Admin" ]; - grafana-editors = [ "Editor" ]; + grafana = { + displayName = "Grafana"; + originUrl = "https://grafana.xinyang.life/"; + originLanding = "https://grafana.xinyang.life/"; + scopeMaps = { + grafana-users = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + claimMaps = { + grafana_role = { + joinType = "array"; + valuesByGroup = { + grafana-superadmins = [ "GrafanaAdmin" ]; + grafana-admins = [ "Admin" ]; + grafana-editors = [ "Editor" ]; + }; }; }; }; diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index 94be559..7859b2e 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix @@ -1,19 +1,12 @@ { pkgs, ... }: { - networking = { - interfaces = { - eth0.useDHCP = true; - eth0.ipv6.addresses = [ - { - address = "2a01:4f8:c17:345f::1"; - prefixLength = 64; - } - ]; - }; - defaultGateway6 = { - address = "fe80::1"; - interface = "eth0"; - }; - nameservers = [ ]; + networking.useNetworkd = true; + systemd.network.networks."10-wan" = { + matchConfig.MACAddress = "96:00:02:68:7d:2d"; + networkConfig.DHCP = "ipv4"; + networkConfig.Gateway = "fe80::1"; + address = [ + "2a01:4f8:c17:345f::3/64" + ]; }; } diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index cc3fd7f..302df3b 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml @@ -1,11 +1,17 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str] -hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] +hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str] grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str] miniflux: oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str] forgejo: env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str] +restic: + repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str] + password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str] +kanidm: + ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str] + ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str] sops: kms: [] gcp_kms: [] @@ -30,8 +36,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-21T05:54:31Z" - mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str] + lastmodified: "2024-09-14T05:48:04Z" + mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 336a039..4be75c5 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -8,6 +8,9 @@ let kanidm_listen_port = 5324; in { + imports = [ + ./kanidm-provision.nix + ]; networking.firewall.allowedTCPPorts = [ 80 443 @@ -46,33 +49,6 @@ in exporters.miniflux.enable = true; }; - systemd.mounts = - map - (share: { - what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - where = "/mnt/storage/${share}"; - type = "cifs"; - options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; - before = [ "${share}.service" ]; - after = [ "cachefilesd.service" ]; - wantedBy = [ "${share}.service" ]; - }) - [ - "forgejo" - "gotosocial" - "conduit" - "hedgedoc" - ]; - - services.cachefilesd.enable = true; - - system.activationScripts = { - conduit-media-link.text = '' - mkdir -m 700 -p /var/lib/private/matrix-conduit/media - chown conduit:conduit /var/lib/private/matrix-conduit/media - mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media - ''; - }; security.acme = { acceptTerms = true; certs."auth.xinyang.life" = { @@ -106,7 +82,6 @@ in online_backup.versions = 7; # db_path = "/var/lib/kanidm/kanidm.db"; }; - provision = import ./kanidm-provision.nix; }; custom.miniflux = { @@ -144,6 +119,12 @@ in }; }; + users.users.conduit = { + isSystemUser = true; + group = "conduit"; + }; + users.groups.conduit = { }; + services.gotosocial = { enable = true; settings = { diff --git a/machines/massicot/services/default.nix b/machines/massicot/services/default.nix new file mode 100644 index 0000000..fdf054b --- /dev/null +++ b/machines/massicot/services/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./restic.nix + ]; +} diff --git a/machines/massicot/services/restic.nix b/machines/massicot/services/restic.nix new file mode 100644 index 0000000..9a319bb --- /dev/null +++ b/machines/massicot/services/restic.nix @@ -0,0 +1,51 @@ +{ + config, + lib, + pkgs, + ... +}: +let + sqliteBackup = path: '' + mkdir -p /backup${path} + ${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'" + ''; +in +{ + sops.secrets = { + "restic/repo" = { + sopsFile = ../secrets.yaml; + }; + "restic/password" = { + sopsFile = ../secrets.yaml; + }; + }; + + custom.restic = { + enable = true; + repositoryFile = config.sops.secrets."restic/repo".path; + passwordFile = config.sops.secrets."restic/password".path; + paths = [ + "/var/backup" + "/mnt/storage" + ]; + }; + + services.postgresqlBackup = { + enable = true; + compression = "zstd"; + compressionLevel = 9; + location = "/var/backup/postgresql"; + }; + + services.restic.backups.${config.networking.hostName} = { + backupPrepareCommand = builtins.concatStringsSep "\n" [ + (sqliteBackup "/var/lib/hedgedoc/db.sqlite") + (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3") + (sqliteBackup "/var/lib/gotosocial/database.sqlite") + (sqliteBackup "/var/lib/kanidm/kanidm.db") + ]; + extraBackupArgs = [ + "--limit-upload=1024" + ]; + }; +} diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 5718b56..ce39730 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -2,17 +2,15 @@ inputs, config, pkgs, - lib, modulesPath, ... }: -with lib; - { imports = [ inputs.sops-nix.nixosModules.sops (modulesPath + "/profiles/qemu-guest.nix") + ./services ]; config = { @@ -50,6 +48,10 @@ with lib; owner = "caddy"; mode = "400"; }; + "immich/oauth_client_secret" = { + owner = "immich"; + mode = "400"; + }; }; }; @@ -89,6 +91,31 @@ with lib; environment = { IMMICH_MACHINE_LEARNING_ENABLED = "false"; }; + database.enable = true; + }; + + custom.immich.jsonSettings = { + oauth = { + enabled = true; + issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/"; + clientId = "immich"; + clientSecret = { + _secret = config.sops.secrets."immich/oauth_client_secret".path; + }; + scope = "openid email profile"; + signingAlgorithm = "ES256"; + storageLabelClaim = "email"; + buttonText = "Login with Kanidm"; + autoLaunch = true; + mobileOverrideEnabled = true; + mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; + }; + passwordLogin = { + enabled = false; + }; + newVersionCheck = { + enabled = false; + }; }; services.dae = { diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml index 02f78d6..bb631bb 100644 --- a/machines/weilite/secrets.yaml +++ b/machines/weilite/secrets.yaml @@ -1,4 +1,6 @@ cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str] +immich: + oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] sops: kms: [] gcp_kms: [] @@ -23,8 +25,8 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-29T09:05:41Z" - mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str] + lastmodified: "2024-09-07T14:56:37Z" + mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix new file mode 100644 index 0000000..031018b --- /dev/null +++ b/machines/weilite/services/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./ocis.nix + ./restic.nix + ]; +} diff --git a/machines/weilite/services/ocis.nix b/machines/weilite/services/ocis.nix new file mode 100644 index 0000000..26a6769 --- /dev/null +++ b/machines/weilite/services/ocis.nix @@ -0,0 +1,36 @@ +{ config, pkgs, ... }: +{ + sops = { + secrets = { + "ocis/env" = { + sopsFile = ../secrets.yaml; + }; + }; + }; + + services.ocis = { + enable = true; + package = pkgs.ocis-bin; + stateDir = "/var/lib/ocis"; + url = "https://drive.xinyang.life:8443"; + address = "127.0.0.1"; + port = 9200; + environment = { + OCIS_INSECURE = "false"; + OCIS_LOG_LEVEL = "trace"; + OCIS_LOG_PRETTY = "true"; + # For reverse proxy. Disable tls. + OCIS_PROXY_TLS = "false"; + WEB_OIDC_CLIENT_ID = "owncloud"; + WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud"; + OCIS_EXCLUDE_RUN_SERVICES = "idp"; + PROXY_OIDC_REWRITE_WELLKNOWN = "true"; + }; + }; + + networking.allowedTCPPorts = [ 8443 ]; + + services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = '' + reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address} + ''; +} diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix new file mode 100644 index 0000000..e1fb489 --- /dev/null +++ b/machines/weilite/services/restic.nix @@ -0,0 +1,18 @@ +{ config, ... }: +{ + services.restic.server = { + enable = true; + dataDir = "/var/lib/restic"; + listenAddress = "127.0.0.1:19573"; + privateRepos = "true"; + extraFlags = [ + "--append-only" + ]; + }; + + networking.allowedTCPPorts = [ 8443 ]; + + services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = '' + reverse_proxy ${config.services.restic.server.listenAddress} + ''; +} diff --git a/modules/nixos/immich.nix b/modules/nixos/immich.nix new file mode 100644 index 0000000..a7c5ba9 --- /dev/null +++ b/modules/nixos/immich.nix @@ -0,0 +1,57 @@ +{ + config, + lib, + pkgs, + utils, + ... +}: +let + cfg = config.custom.immich; + upstreamCfg = config.services.immich; + settingsFormat = pkgs.formats.json { }; + user = config.systemd.services.immich-server.serviceConfig.User; + group = config.systemd.services.immich-server.serviceConfig.Group; +in +{ + options = { + custom.immich.jsonSettings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + }; + default = { }; + }; + }; + config = { + /* + LoadCredential happens before preStart. We need to ensure the + configuration file exist, otherwise LoadCredential will fail. + */ + systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable { + "10-etc-immich" = { + "/etc/immich" = { + d = { + inherit user group; + mode = "0600"; + }; + }; + "/etc/immich/config.json" = { + "f+" = { + inherit user group; + mode = "0600"; + }; + }; + }; + }; + + systemd.services.immich-server = { + preStart = '' + umask 0077 + ${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"} + ''; + serviceConfig = { + LoadCredential = "config:/etc/immich/config.json"; + Environment = "IMMICH_CONFIG_FILE=%d/config"; + }; + }; + }; +}