{
  inputs,
  config,
  pkgs,
  modulesPath,
  ...
}:

let
  # A sops-managed secret readable only by the unit that consumes it:
  # the named system user owns the decrypted file and it is created 0400.
  ownedBy = owner: {
    inherit owner;
    mode = "400";
  };

  # One virtiofs share exported by the VM host. Every share is mounted rw
  # but with nodev,nosuid, so a host-controlled tree cannot hand the guest
  # device nodes or setuid binaries.
  virtiofsShare =
    { what, where, wantedBy }:
    {
      inherit what where wantedBy;
      type = "virtiofs";
      options = "rw,nodev,nosuid";
    };

  # Both Caddy virtual hosts forward to the loopback-only immich listener
  # declared under services.immich.
  proxyToImmich = ''
    reverse_proxy 127.0.0.1:${toString config.services.immich.port}
  '';
in
{
  imports = [
    inputs.sops-nix.nixosModules.sops
    (modulesPath + "/profiles/qemu-guest.nix")
    ./services
  ];

  config = {
    networking.hostName = "weilite";

    commonSettings = {
      auth.enable = true;
      autoupgrade.enable = true;
      nix = {
        enable = true;
        enableMirrors = true;
      };
    };

    boot = {
      loader = {
        systemd-boot.enable = true;
        efi.canTouchEfiVariables = true;
      };
      initrd.availableKernelModules = [
        "uhci_hcd"
        "ehci_pci"
        "ahci"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ "kvm-intel" ];
    };

    nixpkgs.config.allowUnfree = true;

    environment.systemPackages = [ pkgs.virtiofsd ];

    sops = {
      defaultSopsFile = ./secrets.yaml;
      # Secrets are decrypted with the host's own SSH key, so no separate
      # age identity has to be provisioned on this machine.
      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      secrets = {
        # NOTE(review): not referenced anywhere in this file although the
        # cloudflare Caddy plugin is compiled in below — presumably used
        # under ./services; confirm, or drop both the secret and the plugin.
        cloudflare_dns_token = ownedBy "caddy";
        # Loaded into the caddy unit via EnvironmentFile (see
        # systemd.services.caddy further down).
        dnspod_dns_token = ownedBy "caddy";
        "immich/oauth_client_secret" = ownedBy "immich";
      };
    };

    custom.prometheus.enable = true;

    systemd.mounts = map virtiofsShare [
      {
        what = "immich";
        where = "/mnt/XinPhotos/immich";
        wantedBy = [ "immich-server.service" ];
      }
      {
        what = "originals";
        where = "/mnt/XinPhotos/originals";
        wantedBy = [ "immich-server.service" ];
      }
      {
        what = "restic";
        where = "/var/lib/restic";
        wantedBy = [ "restic-rest-server.service" ];
      }
      {
        what = "ocis";
        where = "/var/lib/ocis";
        wantedBy = [ "ocis.service" ];
      }
    ];

    services.openssh.ports = [
      22
      2222
    ];

    services.immich = {
      enable = true;
      mediaLocation = "/mnt/XinPhotos/immich";
      # Loopback only: every external path to immich goes through Caddy.
      host = "127.0.0.1";
      port = 3001;
      # NOTE(review): with host bound to loopback the firewall opening this
      # adds is not needed for the Caddy reverse proxy; consider false
      # unless something under ./services reaches immich directly.
      openFirewall = true;
      machine-learning.enable = false;
      environment = {
        IMMICH_MACHINE_LEARNING_ENABLED = "false";
      };
      database.enable = true;
    };

    custom.immich.jsonSettings = {
      oauth = {
        enabled = true;
        issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
        clientId = "immich";
        # The secret is handed over as a file path, not as a literal, so
        # its value never appears in this attribute set; how `_secret` is
        # expanded lives in custom.immich — confirm there.
        clientSecret = {
          _secret = config.sops.secrets."immich/oauth_client_secret".path;
        };
        scope = "openid email profile";
        signingAlgorithm = "ES256";
        storageLabelClaim = "email";
        buttonText = "Login with Kanidm";
        autoLaunch = true;
        mobileOverrideEnabled = true;
        # Matches the public Caddy vhost below (immich.xinyang.life:8000).
        mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
      };
      # Password login is off, so the OIDC provider above is the only
      # sign-in path.
      passwordLogin.enabled = false;
      newVersionCheck.enabled = false;
    };

    services.dae = {
      enable = true;
      configFile = "/var/lib/dae/config.dae";
    };

    services.tailscale = {
      enable = true;
      openFirewall = true;
      # Lets the caddy user fetch tailnet TLS certificates.
      permitCertUid = "caddy";
    };

    services.caddy = {
      enable = true;
      # Caddy with the DNS-challenge providers used for ACME, pinned to
      # fixed upstream revisions.
      package = pkgs.caddy.withPlugins {
        caddyModules = [
          {
            repo = "github.com/caddy-dns/cloudflare";
            version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
          }
          {
            repo = "github.com/caddy-dns/dnspod";
            version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
          }
        ];
        vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
      };
      virtualHosts = {
        # Tailnet-facing name; no firewall rule for 8080 is added in this
        # file.
        "weilite.coho-tet.ts.net:8080".extraConfig = proxyToImmich;
        # Public name; 8000 is opened in networking.firewall below.
        "immich.xinyang.life:8000".extraConfig = proxyToImmich;
      };
      # DNSPOD_API_TOKEN is deliberately not written here: it comes from
      # the caddy unit's EnvironmentFile (the dnspod_dns_token secret).
      globalConfig = ''
        acme_dns dnspod {env.DNSPOD_API_TOKEN}
      '';
    };

    # Only the public immich vhost is exposed; SSH ports are handled by the
    # openssh module.
    networking.firewall.allowedTCPPorts = [ 8000 ];

    systemd.services.caddy = {
      serviceConfig = {
        # The decrypted file must be in KEY=VALUE form and define
        # DNSPOD_API_TOKEN, which services.caddy.globalConfig reads.
        EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
      };
    };

    time.timeZone = "Asia/Shanghai";

    fileSystems = {
      "/" = {
        device = "/dev/disk/by-label/nixos";
        fsType = "btrfs";
      };
      "/boot" = {
        device = "/dev/sda1";
        fsType = "vfat";
        options = [
          "fmask=0022"
          "dmask=0022"
        ];
      };
    };

    system.stateVersion = "24.11";
  };
}