Merge branch 'main' of ssh://code.8bitbuddhism.com/aires/nix-configuration

2024-10-28 11:14:58 -04:00 · 2024-10-28 11:14:58 -04:00 · cc4ae86525
parent abd29996c4 548eb5bb84
commit cc4ae86525
13 changed files with 117 additions and 232 deletions
--- a/bin/nixos-operations-script.sh
+++ b/bin/nixos-operations-script.sh
@ -8,6 +8,7 @@ hostname=$(/run/current-system/sw/bin/hostname) # The name of the host to build
 flakeDir="${FLAKE_DIR}"                         # Path to the flake file (and optionally the hostname)
 update=false                                    # Whether to update and commmit flake.lock
 user=$(/run/current-system/sw/bin/whoami)       # Which user account to use for git commands
+buildHost=""                                    # Which host to use to generate the build (defaults to the local host)
 remainingArgs=""                                # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)

 function usage() {
@ -34,16 +35,21 @@ function usage() {
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
  case "$1" in
+	--build-host)
+		buildHost="$2"
+		shift
+		shift
+		;;
 	--flake|-f)
 		flakeDir="$2"
 		shift
 		shift
 		;;
 	--hostname|-h)
-	    hostname="$2"
-	    shift
-	    shift
-	    ;;
+		hostname="$2"
+		shift
+		shift
+		;;
 	--update|--upgrade|-U)
 		update=true
 		shift
@ -89,6 +95,12 @@ fi

 options="--flake ${flakeDir}#${hostname} ${remainingArgs} --use-remote-sudo --log-format multiline-with-logs"

+if [[ -n "${buildHost}" && $operation != "build" && $operation != *"dry"* ]]; then
+	echo "Remote build detected, running this operation first: nixos-rebuild build ${options} --build-host $buildHost"
+	/run/current-system/sw/bin/nixos-rebuild build $options --build-host $buildHost
+	echo "Remote build complete!"
+fi
+
 echo "Running this operation: nixos-rebuild ${operation} ${options}"
 /run/current-system/sw/bin/nixos-rebuild $operation $options

--- a/flake.lock
+++ b/flake.lock
@ -267,11 +267,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1729802774,
-        "narHash": "sha256-pssdzH1vOnTWvoGwfy3OfqY2oA6tKAHLGJFm5FeXYCI=",
+        "lastModified": 1729804049,
+        "narHash": "sha256-3CBk8Ntrilw4ju41mIkW2q34zxBxQxJPqd8lcF5yvV8=",
        "owner": "8bitbuddhist",
        "repo": "nixos-hardware",
-        "rev": "52323ec811f4c94b2f32ba1c83d86f0594977dc8",
+        "rev": "097c476b076300e0f44e2a804ad472ca3da395d4",
        "type": "github"
      },
      "original": {
--- a/hosts/Hevana/default.nix
+++ b/hosts/Hevana/default.nix
@ -8,18 +8,19 @@ let
  # Where to store service files
  services-root = "/storage/services";

-  # Credentials for interacting with the Namecheap API
-  namecheapCredentials = {
-    "NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
-      ${config.secrets.networking.namecheap.api.user}
+  # Credentials for interacting with the Porkbun API
+  porkbunCredentials = {
+    "PORKBUN_API_KEY_FILE" = "${pkgs.writeText "porkbun-api-key" ''
+      ${config.secrets.networking.porkbun.api.apiKey}
    ''}";
-    "NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
-      ${config.secrets.networking.namecheap.api.key}
+    "PORKBUN_SECRET_API_KEY_FILE" = "${pkgs.writeText "porkbun-secret-api-key" ''
+      ${config.secrets.networking.porkbun.api.secretKey}
    ''}";
  };

  # List of subdomains to add to the TLS certificate
  subdomains = with config.secrets.services; [
+    dav.url
    forgejo.url
    gremlin-lab.url
    jellyfin.url
@ -75,15 +76,15 @@ in
        defaultEmail = config.secrets.users.aires.email;
        certs = {
          "${config.secrets.networking.domains.primary}" = {
-            dnsProvider = "namecheap";
+            dnsProvider = "porkbun";
            extraDomainNames = subdomains;
            webroot = null; # Required in order to prevent a failed assertion
-            credentialFiles = namecheapCredentials;
+            credentialFiles = porkbunCredentials;
          };
          "${config.secrets.networking.domains.blog}" = {
-            dnsProvider = "namecheap";
+            dnsProvider = "porkbun";
            webroot = null; # Required in order to prevent a failed assertion
-            credentialFiles = namecheapCredentials;
+            credentialFiles = porkbunCredentials;
          };
        };
      };
@ -111,11 +112,6 @@ in
        home = "${services-root}/forgejo";
        url = config.secrets.services.forgejo.url;
      };
-      home-assistant = {
-        enable = false;
-        home = "${services-root}/home-assistant";
-        url = config.secrets.services.home-assistant.url;
-      };
      jellyfin = {
        enable = true;
        home = "${services-root}/jellyfin";
@ -209,6 +205,12 @@ in
          ram = 4096;
        };
      };
+      webdav = {
+        enable = false;
+        home = "${services-root}/webdav";
+        url = config.secrets.services.webdav.url;
+        users = config.secrets.services.webdav.users;
+      };
    };

    users.aires = {
--- a/hosts/Khanda/default.nix
+++ b/hosts/Khanda/default.nix
@ -51,6 +51,7 @@ in
      autoUpgrade = {
        enable = true;
        configDir = config.secrets.nixConfigFolder;
+        extraFlags = "--build-host hevana";
        onCalendar = "weekly";
        user = config.users.users.aires.name;
      };
@ -71,6 +72,7 @@ in
          "com.github.tchx84.Flatseal"
          "com.github.wwmm.easyeffects"
          "md.obsidian.Obsidian"
+          "org.chromium.Chromium"
          "org.keepassxc.KeePassXC"
          "org.mozilla.firefox"
        ];
--- a/hosts/Shura/default.nix
+++ b/hosts/Shura/default.nix
@ -14,7 +14,7 @@ in
  system.stateVersion = stateVersion;
  networking.hostName = hostName;

-  custom-fonts.Freight-Pro.enable = true;
+  custom-fonts.Freight-Pro.enable = config.aux.system.users.gremlin.enable;

  aux.system = {
    apps = {
@ -42,7 +42,6 @@ in
    gpu.amd.enable = true;

    packages = with pkgs; [
-      boinc # Boinc client
      keepassxc # Use native instead of Flatpak due to weird performance issues
    ];

@ -90,6 +89,7 @@ in
          "com.github.tchx84.Flatseal"
          "com.github.wwmm.easyeffects"
          "md.obsidian.Obsidian"
+          "org.chromium.Chromium"
          "org.mozilla.firefox"
        ];

--- a/modules/common.nix
+++ b/modules/common.nix
@ -48,12 +48,6 @@
      # Install ZSH for all users
      zsh.enable = true;

-      # Enable NH, an alternative nixos-rebuild frontend.
-      # https://github.com/viperML/nh
-      nh = {
-        enable = true;
-        flake = "${config.secrets.nixConfigFolder}";
-      };
      # Configure nano
      nano.nanorc = ''
        set tabsize 4
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
--- a/modules/services/airsonic.nix
+++ b/modules/services/airsonic.nix
@ -1,71 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-let
-  cfg = config.aux.system.services.airsonic;
-in
-{
-  options = {
-    aux.system.services.airsonic = {
-      enable = lib.mkEnableOption "Enables Airsonic Advanced media streaming service.";
-      home = lib.mkOption {
-        default = "/var/lib/airsonic";
-        type = lib.types.str;
-        description = "Where to store Airsonic's files";
-      };
-      url = lib.mkOption {
-        default = "";
-        type = lib.types.str;
-        description = "The complete URL where Airsonic is hosted.";
-        example = "https://forgejo.example.com";
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    aux.system.users.media.enable = true;
-    users.users.airsonic.extraGroups = [ "media" ];
-
-    services = {
-      nginx.virtualHosts."${cfg.url}" = {
-        useACMEHost = pkgs.util.getDomainFromURL cfg.url;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:4040";
-          proxyWebsockets = true;
-          extraConfig = ''
-            # Taken from https://airsonic.github.io/docs/proxy/nginx/
-            proxy_set_header X-Real-IP         $remote_addr;
-            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto https;
-            proxy_set_header X-Forwarded-Host  $host;
-            proxy_set_header Host              $host;
-            proxy_max_temp_file_size           0;
-            proxy_ssl_server_name on;
-          '';
-        };
-      };
-
-      airsonic = {
-        enable = true;
-        war = "${
-          (pkgs.callPackage ../../packages/airsonic-advanced.nix { inherit lib; })
-        }/webapps/airsonic.war";
-        port = 4040;
-        jre = pkgs.jdk17;
-        jvmOptions = [
-          "-Dserver.use-forward-headers=true"
-          "-Xmx4G" # Increase Java heap size to 4GB
-        ];
-      } // lib.optionalAttrs (cfg.home != "") { home = cfg.home; };
-    };
-
-    systemd.services = {
-      airsonic.unitConfig.RequiresMountsFor = cfg.home;
-      nginx.wants = [ config.systemd.services.airsonic.name ];
-    };
-  };
-}
--- a/modules/services/home-assistant.nix
+++ b/modules/services/home-assistant.nix
@ -1,83 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  cfg = config.aux.system.services.home-assistant;
-in
-{
-  options = {
-    aux.system.services.home-assistant = {
-      enable = lib.mkEnableOption "Enables Home Assistant.";
-      home = lib.mkOption {
-        default = "/etc/home-assistant";
-        type = lib.types.str;
-        description = "Where to store Home Assistant's files";
-        example = "/home/home-assistant";
-      };
-      url = lib.mkOption {
-        default = "";
-        type = lib.types.str;
-        description = "The complete URL where Home Assistant is hosted.";
-        example = "https://home-assistant.example.com";
-      };
-    };
-
-  };
-
-  config = lib.mkIf cfg.enable {
-    services = {
-      home-assistant = {
-        enable = true;
-        # opt-out from declarative configuration management
-        lovelaceConfig = null;
-        # configure the path to your config directory
-        configDir = cfg.home;
-        # specify list of components required by your configuration
-        extraComponents = [
-          "default_config"
-          "esphome"
-          "eufy"
-          "govee_light_local"
-          "met"
-          "radio_browser"
-          "tplink"
-        ];
-        extraPackages = python3Packages: with python3Packages; [ numpy ];
-        config.http = {
-          server_host = "::1";
-          trusted_proxies = [ "::1" ];
-          use_x_forwarded_for = true;
-        };
-      };
-      nginx.virtualHosts."${cfg.url}" = {
-        useACMEHost = pkgs.util.getDomainFromURL cfg.url;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://[::1]:8123";
-          proxyWebsockets = true;
-          extraConfig = ''
-            # Security / XSS Mitigation Headers
-            add_header X-Frame-Options "SAMEORIGIN";
-            add_header X-Content-Type-Options "nosniff";
-
-            proxy_ssl_server_name on;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Real-IP $remote_addr;
-
-            proxy_buffering off;
-          '';
-        };
-      };
-    };
-
-    systemd.services = {
-      home-assistant.unitConfig.RequiresMountsFor = cfg.home;
-      nginx.wants = [ config.systemd.services.home-assistant.name ];
-    };
-  };
-}
--- a/modules/services/webdav.nix
+++ b/modules/services/webdav.nix
@ -0,0 +1,68 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.aux.system.services.webdav;
+
+  port = 6065; # Internal port to run the server on
+in
+{
+  options = {
+    aux.system.services.webdav = {
+      enable = lib.mkEnableOption "Enables Webdav server.";
+      home = lib.mkOption {
+        default = "/var/lib/webdav";
+        type = lib.types.str;
+        description = "Where to store Webdav's files";
+        example = "/home/webdav";
+      };
+      url = lib.mkOption {
+        default = "";
+        type = lib.types.str;
+        description = "The complete URL where Webdav is hosted.";
+        example = "https://dav.example.com";
+      };
+      users = lib.mkOption {
+        default = [ ];
+        type = lib.types.listOf lib.types.attrs;
+        description = "List of user accounts to create.";
+        example = lib.literalExpression "[ { username = \"user\"; password = \"pass\"; } ]";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services = {
+      webdav = {
+        enable = true;
+        settings = {
+          address = "127.0.0.1";
+          port = port;
+          scope = cfg.home;
+          users = cfg.users;
+        };
+      };
+
+      nginx.virtualHosts."${cfg.url}" = {
+        useACMEHost = pkgs.util.getDomainFromURL cfg.url;
+        forceSSL = true;
+        locations."/".extraConfig = ''
+          proxy_pass http://127.0.0.1:${builtins.toString port};
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header REMOTE-HOST $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header Host $host;
+          proxy_redirect off;
+        '';
+      };
+    };
+
+    systemd.services = {
+      webdav.unitConfig.RequiresMountsFor = cfg.home;
+      nginx.wants = [ config.systemd.services.webdav.name ];
+    };
+  };
+}
--- a/modules/users/aires/default.nix
+++ b/modules/users/aires/default.nix
@ -76,8 +76,12 @@ in
              userName = config.secrets.users.aires.firstName;
              userEmail = config.secrets.users.aires.email;
              extraConfig = {
-                safe.directory = "${config.secrets.nixConfigFolder}/.git";
+                core.editor = config.aux.system.editor;
+                merge.conflictStyle = "zdiff3";
+                pull.ff = "only";
                push.autoSetupRemote = "true";
+                safe.directory = "${config.secrets.nixConfigFolder}/.git";
+                submodule.recurse = true;
              };
            };

--- a/modules/users/root/default.nix
+++ b/modules/users/root/default.nix
@ -1,20 +1,10 @@
-{ config, lib, ... }:
+{ ... }:
 {
-  # Give root user access to run remote builds
  home-manager.users.root = {
    home.stateVersion = "24.05";
-    programs = {
-      git.extraConfig = {
-        safe.directory = "${config.secrets.nixConfigFolder}/.git";
-      };
-      ssh = {
-        enable = true;
-        matchBlocks = config.secrets.users.root.sshConfig;
-      };
-      zsh = {
-        oh-my-zsh.theme = "kardan";
-        shellAliases.nos = "nixos-operations-script";
-      };
+    programs.zsh = {
+      oh-my-zsh.theme = "kardan";
+      shellAliases.nos = "nixos-operations-script";
    };
  };
 }
--- a/packages/airsonic-advanced.nix
+++ b/packages/airsonic-advanced.nix
@ -1,33 +0,0 @@
-{
-  lib,
-  stdenv,
-  fetchurl,
-  nixosTests,
-}:
-
-stdenv.mkDerivation rec {
-  pname = "airsonic-advanced";
-  version = "11.1.4-SNAPSHOT.20240628143437";
-
-  src = fetchurl {
-    url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/${version}/airsonic.war";
-    sha256 = "fde2c921e26cf536405118c5114a2f42fe87ff0a019852f21c80f4c68a2431ee";
-  };
-
-  buildCommand = ''
-    mkdir -p "$out/webapps"
-    cp "$src" "$out/webapps/airsonic.war"
-  '';
-
-  passthru.tests = {
-    airsonic-starts = nixosTests.airsonic;
-  };
-
-  meta = {
-    description = "Free, web-based media streamer providing ubiquitous access to your music.";
-    homepage = "https://github.com/kagemomiji/airsonic-advanced/";
-    sourceProvenance = [ lib.sourceTypes.binaryBytecode ];
-    license = lib.licenses.gpl3;
-    platforms = lib.platforms.all;
-  };
-}