Compare commits

...

3 commits

Author SHA1 Message Date
6b375fea91
massicot,fix: fix missing module 2024-09-14 16:49:22 +08:00
5104c5943e
massicot,fix: switch to fix drive 2024-09-14 16:33:01 +08:00
37f59db944
fix after bump version 2024-09-05 09:29:54 +08:00
26 changed files with 555 additions and 292 deletions

View file

@ -116,11 +116,11 @@
},
"catppuccin": {
"locked": {
"lastModified": 1724156255,
"narHash": "sha256-rpUCeS/QZwQdJmDrvCm0hRi8bFvQNQKAnIMK5ZDBfpM=",
"lastModified": 1725509983,
"narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=",
"owner": "catppuccin",
"repo": "nix",
"rev": "8886a68edadb1d93c7101337f995ffce4b410ff2",
"rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9",
"type": "github"
},
"original": {
@ -433,11 +433,11 @@
]
},
"locked": {
"lastModified": 1723986931,
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
"lastModified": 1725694918,
"narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
"rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda",
"type": "github"
},
"original": {
@ -476,11 +476,11 @@
]
},
"locked": {
"lastModified": 1715930644,
"narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
"lastModified": 1726036828,
"narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
"rev": "8a1671642826633586d12ac3158e463c7a50a112",
"type": "github"
},
"original": {
@ -498,11 +498,11 @@
"nixvim": "nixvim"
},
"locked": {
"lastModified": 1724306750,
"narHash": "sha256-mT8DXzj0zHfGJ+zuxFAnqnk+0bDEFgEk7TvEk59WbWQ=",
"lastModified": 1725247757,
"narHash": "sha256-M++z1VvmSo18FRVI02mdF2210bCYn+t25Zgflrdn9Tc=",
"ref": "refs/heads/master",
"rev": "81990813485a580d69853d8429e3b8aece7f66a6",
"revCount": 11,
"rev": "7e0140a6a9eff2ab3292d8269bc99efeb3581835",
"revCount": 14,
"type": "git",
"url": "https://git.xinyang.life/xin/nixvim"
},
@ -540,11 +540,11 @@
]
},
"locked": {
"lastModified": 1723950649,
"narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=",
"lastModified": 1725161148,
"narHash": "sha256-WfAHq3Ag3vLNFfWxKHjFBFdPI6JIideWFJod9mx1eoo=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "392828aafbed62a6ea6ccab13728df2e67481805",
"rev": "32058e9138248874773630c846563b1a78ee7a5b",
"type": "github"
},
"original": {
@ -564,11 +564,11 @@
]
},
"locked": {
"lastModified": 1724117347,
"narHash": "sha256-/nfm6P0owPtCRjT8ktq/8OChtg2HpkrvNaDJGm9N1Lk=",
"lastModified": 1725672853,
"narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "2ef60116ef361d988317cbe52a09acfeda7d3416",
"rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21",
"type": "github"
},
"original": {
@ -579,11 +579,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1724067415,
"narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=",
"lastModified": 1725477728,
"narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2",
"rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce",
"type": "github"
},
"original": {
@ -623,11 +623,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1723938990,
"narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=",
"lastModified": 1725407940,
"narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890",
"rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
"type": "github"
},
"original": {
@ -655,11 +655,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1724160083,
"narHash": "sha256-ROiCJNYSbjO45ajyTfRxp+aqvX+R1M3xwlWOLtfD0iw=",
"lastModified": 1726296585,
"narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=",
"owner": "xinyangli",
"repo": "nixpkgs",
"rev": "885d5117645517b70eb3922acfbb83226fc77dbb",
"rev": "8539edfb09c674994303141378df4ab33cd765ad",
"type": "github"
},
"original": {
@ -671,11 +671,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1714912032,
"narHash": "sha256-clkcOIkg8G4xuJh+1onLG4HPMpbtzdLv4rHxFzgsH9c=",
"lastModified": 1726042813,
"narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ee4a6e0f566fe5ec79968c57a9c2c3c25f2cf41d",
"rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
"type": "github"
},
"original": {
@ -713,11 +713,11 @@
},
"nur": {
"locked": {
"lastModified": 1724159175,
"narHash": "sha256-3z9wRL+h+gTVFtecCUGrRaW6nvPPAtBCIDE9KAmZj7c=",
"lastModified": 1725687722,
"narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=",
"owner": "nix-community",
"repo": "NUR",
"rev": "0b86d5643d99e3982471f0d79e553871c6f35396",
"rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3",
"type": "github"
},
"original": {
@ -774,11 +774,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1723501126,
"narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
"lastModified": 1725540166,
"narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
"rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
"type": "github"
},
"original": {
@ -804,15 +804,15 @@
"systems": "systems_3"
},
"locked": {
"lastModified": 1724444244,
"narHash": "sha256-fH1lyJvJjUhZ8xMlmiI18EZNzodDSe74rFuwlZDL0aQ=",
"owner": "danth",
"lastModified": 1725416430,
"narHash": "sha256-DkF49DlcaZHV9v3m5ctQnC9qNqsEdfNhwjQArx5Q+Zw=",
"owner": "xinyangli",
"repo": "stylix",
"rev": "d042af478ce87e188139480922a3085218194106",
"rev": "7aad490478518af03367dabfb5811b3f87ea93a1",
"type": "github"
},
"original": {
"owner": "danth",
"owner": "xinyangli",
"repo": "stylix",
"type": "github"
}

View file

@ -49,8 +49,15 @@
inputs.nixpkgs.follows = "nixpkgs";
};
catppuccin.url = "github:catppuccin/nix";
stylix.url = "github:danth/stylix";
catppuccin = {
url = "github:catppuccin/nix";
};
stylix = {
url = "github:xinyangli/stylix";
# inputs.nixpkgs.follows = "nixpkgs";
# inputs.home-manager.follows = "home-manager";
};
};
outputs =
@ -76,7 +83,7 @@
];
};
deploymentModule = {
deployment.targetUser = "xin";
deployment.targetUser = "root";
};
sharedColmenaModules = [
self.nixosModules.default

View file

@ -27,7 +27,7 @@
};
home.packages = with pkgs; [
thunderbird
# betterbird
remmina
];

View file

@ -215,7 +215,7 @@
gnomeExtensions.pano
gnome-tweaks
gnome-themes-extra
gnome.gnome-remote-desktop
gnome-remote-desktop
bibata-cursors
gthumb
oculante
@ -357,4 +357,12 @@
};
services.nixseparatedebuginfod.enable = true;
services.bloop = {
install = true;
extraOptions = [
"-J-Xmx2G"
"-J-XX:MaxInlineLevel=20"
"-J-XX:+UseParallelGC"
];
};
}

View file

@ -19,8 +19,16 @@
"usbhid"
];
boot.initrd.kernelModules = [ ];
boot.initrd.luks.devices.cryptroot = {
boot.initrd = {
systemd.enable = true; # initrd uses systemd
luks = {
fido2Support = false; # because systemd
devices.cryptroot = {
device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d";
crypttabExtraOpts = [ "fido2-device=auto" ]; # cryptenroll
};
};
};
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
@ -69,5 +77,6 @@
hardware.nvidia = {
powerManagement.enable = true;
dynamicBoost.enable = lib.mkForce false;
open = true;
};
}

View file

@ -45,5 +45,7 @@ in
networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true;
networking.interfaces.ens19.useDHCP = true;
services.sing-box.settings.dns.strategy = "ipv4_only";
};
}

View file

@ -12,6 +12,7 @@
./hardware-configuration.nix
./networking.nix
./services.nix
./services
];
sops = {
@ -50,13 +51,13 @@
efiSupport = true;
configurationLimit = 5;
};
fileSystems."/mnt/storage" = {
device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
fsType = "cifs";
options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
};
#
# fileSystems."/mnt/storage" = {
# device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
# fsType = "cifs";
# options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
# };
#
environment.systemPackages = with pkgs; [
cifs-utils
git

View file

@ -16,8 +16,17 @@
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/sda1";
device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1";
fsType = "ext4";
};
fileSystems."/mnt/storage" = {
device = "/dev/disk/by-id/scsi-0HC_Volume_101302395";
fsType = "btrfs";
options = [
"subvol=storage"
"compress=zstd"
"noatime"
];
};
}

View file

@ -1,4 +1,16 @@
{ config, lib, ... }:
{
sops.secrets = {
"kanidm/ocis_android_secret" = {
owner = "kanidm";
};
};
systemd.services.kanidm.serviceConfig = {
BindReadOnlyPaths = [
config.sops.secrets."kanidm/ocis_android_secret".path
];
};
services.kanidm.provision = {
enable = true;
autoRemove = true;
groups = {
@ -102,9 +114,10 @@
};
owncloud = {
displayName = "ownCloud";
originUrl = "https://home.xinyang.life:9201/";
originLanding = "https://home.xinyang.life:9201/";
originUrl = "https://drive.xinyang.life:8443/";
originLanding = "https://drive.xinyang.life:8443/";
public = true;
preferShortUsername = true;
scopeMaps = {
ocis-users = [
"openid"
@ -113,6 +126,27 @@
];
};
};
owncloud-android = {
displayName = "ownCloud Apps";
originLanding = "https://drive.xinyang.life:8443/";
originUrl = [
"http://localhost/"
"http://127.0.0.1/"
"oc://android.owncloud.com"
];
basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;
preferShortUsername = true;
scopeMaps = {
ocis-users = [
"openid"
"email"
"profile"
"offline_access"
];
};
};
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://docs.xinyang.life/";
@ -126,10 +160,14 @@
];
};
};
immich-mobile = {
immich = {
displayName = "Immich";
originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
originUrl = [
"https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
"https://immich.xinyang.life:8000/auth/login/"
"https://immich.xinyang.life:8000/user-settings/"
];
originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [
@ -175,4 +213,5 @@
};
};
};
};
}

View file

@ -1,19 +1,12 @@
{ pkgs, ... }:
{
networking = {
interfaces = {
eth0.useDHCP = true;
eth0.ipv6.addresses = [
{
address = "2a01:4f8:c17:345f::1";
prefixLength = 64;
}
networking.useNetworkd = true;
systemd.network.networks."10-wan" = {
matchConfig.MACAddress = "96:00:02:68:7d:2d";
networkConfig.DHCP = "ipv4";
networkConfig.Gateway = "fe80::1";
address = [
"2a01:4f8:c17:345f::3/64"
];
};
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
nameservers = [ ];
};
}

View file

@ -1,11 +1,17 @@
storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str]
grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
miniflux:
oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
forgejo:
env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
restic:
repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str]
password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str]
kanidm:
ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str]
ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -30,8 +36,8 @@ sops:
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-21T05:54:31Z"
mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str]
lastmodified: "2024-09-14T05:48:04Z"
mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

View file

@ -8,6 +8,9 @@ let
kanidm_listen_port = 5324;
in
{
imports = [
./kanidm-provision.nix
];
networking.firewall.allowedTCPPorts = [
80
443
@ -46,33 +49,6 @@ in
exporters.miniflux.enable = true;
};
systemd.mounts =
map
(share: {
what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
where = "/mnt/storage/${share}";
type = "cifs";
options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
before = [ "${share}.service" ];
after = [ "cachefilesd.service" ];
wantedBy = [ "${share}.service" ];
})
[
"forgejo"
"gotosocial"
"conduit"
"hedgedoc"
];
services.cachefilesd.enable = true;
system.activationScripts = {
conduit-media-link.text = ''
mkdir -m 700 -p /var/lib/private/matrix-conduit/media
chown conduit:conduit /var/lib/private/matrix-conduit/media
mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
'';
};
security.acme = {
acceptTerms = true;
certs."auth.xinyang.life" = {
@ -106,7 +82,6 @@ in
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db";
};
provision = import ./kanidm-provision.nix;
};
custom.miniflux = {
@ -144,6 +119,12 @@ in
};
};
users.users.conduit = {
isSystemUser = true;
group = "conduit";
};
users.groups.conduit = { };
services.gotosocial = {
enable = true;
settings = {

View file

@ -0,0 +1,5 @@
{
imports = [
./restic.nix
];
}

View file

@ -0,0 +1,51 @@
{
config,
lib,
pkgs,
...
}:
let
sqliteBackup = path: ''
mkdir -p /backup${path}
${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'"
'';
in
{
sops.secrets = {
"restic/repo" = {
sopsFile = ../secrets.yaml;
};
"restic/password" = {
sopsFile = ../secrets.yaml;
};
};
custom.restic = {
enable = true;
repositoryFile = config.sops.secrets."restic/repo".path;
passwordFile = config.sops.secrets."restic/password".path;
paths = [
"/var/backup"
"/mnt/storage"
];
};
services.postgresqlBackup = {
enable = true;
compression = "zstd";
compressionLevel = 9;
location = "/var/backup/postgresql";
};
services.restic.backups.${config.networking.hostName} = {
backupPrepareCommand = builtins.concatStringsSep "\n" [
(sqliteBackup "/var/lib/hedgedoc/db.sqlite")
(sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3")
(sqliteBackup "/var/lib/gotosocial/database.sqlite")
(sqliteBackup "/var/lib/kanidm/kanidm.db")
];
extraBackupArgs = [
"--limit-upload=1024"
];
};
}

View file

@ -2,17 +2,15 @@
inputs,
config,
pkgs,
lib,
modulesPath,
...
}:
with lib;
{
imports = [
inputs.sops-nix.nixosModules.sops
(modulesPath + "/profiles/qemu-guest.nix")
./services
];
config = {
@ -50,6 +48,10 @@ with lib;
owner = "caddy";
mode = "400";
};
"immich/oauth_client_secret" = {
owner = "immich";
mode = "400";
};
};
};
@ -89,6 +91,31 @@ with lib;
environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "false";
};
database.enable = true;
};
custom.immich.jsonSettings = {
oauth = {
enabled = true;
issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
clientId = "immich";
clientSecret = {
_secret = config.sops.secrets."immich/oauth_client_secret".path;
};
scope = "openid email profile";
signingAlgorithm = "ES256";
storageLabelClaim = "email";
buttonText = "Login with Kanidm";
autoLaunch = true;
mobileOverrideEnabled = true;
mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
};
passwordLogin = {
enabled = false;
};
newVersionCheck = {
enabled = false;
};
};
services.dae = {

View file

@ -1,4 +1,6 @@
cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
immich:
oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
sops:
kms: []
gcp_kms: []
@ -23,8 +25,8 @@ sops:
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-29T09:05:41Z"
mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str]
lastmodified: "2024-09-07T14:56:37Z"
mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

View file

@ -0,0 +1,6 @@
{
imports = [
./ocis.nix
./restic.nix
];
}

View file

@ -0,0 +1,36 @@
{ config, pkgs, ... }:
{
sops = {
secrets = {
"ocis/env" = {
sopsFile = ../secrets.yaml;
};
};
};
services.ocis = {
enable = true;
package = pkgs.ocis-bin;
stateDir = "/var/lib/ocis";
url = "https://drive.xinyang.life:8443";
address = "127.0.0.1";
port = 9200;
environment = {
OCIS_INSECURE = "false";
OCIS_LOG_LEVEL = "trace";
OCIS_LOG_PRETTY = "true";
# For reverse proxy. Disable tls.
OCIS_PROXY_TLS = "false";
WEB_OIDC_CLIENT_ID = "owncloud";
WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
OCIS_EXCLUDE_RUN_SERVICES = "idp";
PROXY_OIDC_REWRITE_WELLKNOWN = "true";
};
};
networking.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
'';
}

View file

@ -0,0 +1,18 @@
{ config, ... }:
{
services.restic.server = {
enable = true;
dataDir = "/var/lib/restic";
listenAddress = "127.0.0.1:19573";
privateRepos = "true";
extraFlags = [
"--append-only"
];
};
networking.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
reverse_proxy ${config.services.restic.server.listenAddress}
'';
}

View file

@ -19,7 +19,7 @@ in
enable = mkEnableOption "Git ssh signing";
keyFile = mkOption {
type = types.str;
default = "~/.ssh/id_ecdsa.pub";
default = "~/.ssh/id_ed25519_sk.pub";
};
};
};

View file

@ -36,8 +36,7 @@ let
sourceRoot = "extension";
}))
twxs.cmake
ms-vscode.cpptools
];
] ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]);
settings = {
"cmake.configureOnEdit" = false;
"cmake.showOptionsMovedNotification" = false;

View file

@ -13,5 +13,6 @@
./forgejo-actions-runner.nix
./oidc-agent.nix
./miniflux.nix
./immich.nix
];
}

60
modules/nixos/immich.nix Normal file
View file

@ -0,0 +1,60 @@
{
config,
lib,
pkgs,
utils,
...
}:
let
cfg = config.custom.immich;
upstreamCfg = config.services.immich;
settingsFormat = pkgs.formats.json { };
user = config.systemd.services.immich-server.serviceConfig.User;
group = config.systemd.services.immich-server.serviceConfig.Group;
in
{
options = {
custom.immich.jsonSettings = lib.mkOption {
type = lib.types.submodule {
freeformType = settingsFormat.type;
};
default = { };
};
};
config = {
/*
LoadCredential happens before preStart. We need to ensure the
configuration file exist, otherwise LoadCredential will fail.
*/
systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable {
"10-etc-immich" = {
"/etc/immich" = {
d = {
inherit user group;
mode = "0700";
};
};
"/etc/immich/config.json" = {
"f+" = {
inherit user group;
mode = "0600";
};
};
};
};
systemd.services.immich-server = {
preStart = ''
umask 0077
${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"}
'';
serviceConfig = {
LoadCredential = "config:/etc/immich/config.json";
Environment = "IMMICH_CONFIG_FILE=%d/config";
};
};
# https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510
services.immich.redis.host = "/run/redis-immich/redis.sock";
};
}

View file

@ -1,6 +1,6 @@
# TODO: https://github.com/lilyinstarlight/foosteros/blob/dfe1ab3eb68bfebfaa709482d52fa04ebdde81c8/config/restic.nix#L23 <- this is better
{
config,
pkgs,
lib,
...
}:
@ -11,6 +11,14 @@ in
options = {
custom.restic = {
enable = lib.mkEnableOption "restic";
paths = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [
"/home"
"/var/lib"
];
};
prune = lib.mkEnableOption "auto prune remote restic repo";
repositoryFile = lib.mkOption {
type = lib.types.str;
default = "";
@ -22,14 +30,10 @@ in
};
};
config = lib.mkIf cfg.enable {
services.restic.backups = {
remotebackup = {
services.restic.backups.${config.networking.hostName} = lib.mkMerge [
{
repositoryFile = cfg.repositoryFile;
passwordFile = cfg.passwordFile;
paths = [
"/home"
"/var/lib"
];
exclude = [
"/home/*/.cache"
"/home/*/.cargo"
@ -40,13 +44,24 @@ in
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
pruneOpts = [
pruneOpts = lib.mkIf cfg.prune [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
};
};
paths = lib.mkDefault cfg.paths;
initialize = true;
}
(lib.mkIf (config.fileSystems."/".fsType == "btrfs") {
backupPrepareCommand = ''
btrfs subvolume snapshot -r / backup
'';
backupCleanupCommand = ''
btrfs subvolume delete /backup
'';
paths = map (p: "/backup" + p) cfg.paths;
})
];
};
}

View file

@ -30,24 +30,11 @@ in
stylix.autoEnable = false;
stylix.homeManagerIntegration.autoImport = true;
stylix.homeManagerIntegration.followSystem = true;
stylix.fonts = {
monospace = {
name = "JetBrainsMono Nerd Font";
package = pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; };
};
serif = {
name = "Noto Serif CJK SC";
package = pkgs.noto-fonts;
};
sansSerif = {
name = "Noto Sans CJK SC";
package = pkgs.noto-fonts;
};
};
stylix.targets = {
console.enable = true;
gnome.enable = if config.services.xserver.desktopManager.gnome.enable then true else false;
# gnome.enable = if config.services.xserver.desktopManager.gnome.enable then true else false;
gnome.enable = false;
gtk.enable = true;
};
};

View file

@ -43,6 +43,7 @@ in
};
services.caddy = mkIf cfg.caddy {
enable = true;
virtualHosts."https://${cfg.domain}".extraConfig = ''
reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}
'';