nixos-config/machines/weilite/default.nix

206 lines
4.8 KiB
Nix

{
inputs,
config,
pkgs,
modulesPath,
...
}:
{
imports = [
inputs.sops-nix.nixosModules.sops
(modulesPath + "/profiles/qemu-guest.nix")
./services
];
config = {
networking.hostName = "weilite";
commonSettings = {
auth.enable = true;
autoupgrade.enable = true;
nix = {
enable = true;
enableMirrors = true;
};
};
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"usb_storage"
"sd_mod"
];
kernelModules = [ "kvm-intel" ];
};
nixpkgs.config.allowUnfree = true;
environment.systemPackages = [ pkgs.virtiofsd ];
sops = {
defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
cloudflare_dns_token = {
owner = "caddy";
mode = "400";
};
dnspod_dns_token = {
owner = "caddy";
mode = "400";
};
"immich/oauth_client_secret" = {
owner = "immich";
mode = "400";
};
};
};
custom.prometheus = {
enable = true;
};
systemd.mounts = [
{
what = "immich";
where = "/mnt/XinPhotos/immich";
type = "virtiofs";
options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ];
}
{
what = "originals";
where = "/mnt/XinPhotos/originals";
type = "virtiofs";
options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ];
}
{
what = "restic";
where = "/var/lib/restic";
type = "virtiofs";
options = "rw,nodev,nosuid";
wantedBy = [ "restic-rest-server.service" ];
}
{
what = "ocis";
where = "/var/lib/ocis";
type = "virtiofs";
options = "rw,nodev,nosuid";
wantedBy = [ "ocis.service" ];
}
];
services.openssh.ports = [
22
2222
];
services.immich = {
enable = true;
mediaLocation = "/mnt/XinPhotos/immich";
host = "127.0.0.1";
port = 3001;
openFirewall = true;
machine-learning.enable = false;
environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "false";
};
database.enable = true;
};
custom.immich.jsonSettings = {
oauth = {
enabled = true;
issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
clientId = "immich";
clientSecret = {
_secret = config.sops.secrets."immich/oauth_client_secret".path;
};
scope = "openid email profile";
signingAlgorithm = "ES256";
storageLabelClaim = "email";
buttonText = "Login with Kanidm";
autoLaunch = true;
mobileOverrideEnabled = true;
mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
};
passwordLogin = {
enabled = false;
};
newVersionCheck = {
enabled = false;
};
};
services.dae = {
enable = true;
configFile = "/var/lib/dae/config.dae";
};
services.tailscale = {
enable = true;
openFirewall = true;
permitCertUid = "caddy";
};
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
caddyModules = [
{
repo = "github.com/caddy-dns/cloudflare";
version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
}
{
repo = "github.com/caddy-dns/dnspod";
version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
}
];
vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
};
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
# API Token must be added in systemd environment file
virtualHosts."immich.xinyang.life:8000".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
globalConfig = ''
acme_dns dnspod {env.DNSPOD_API_TOKEN}
'';
};
networking.firewall.allowedTCPPorts = [ 8000 ];
systemd.services.caddy = {
serviceConfig = {
EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
};
};
time.timeZone = "Asia/Shanghai";
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
system.stateVersion = "24.11";
};
}