Merge branch 'main' of ssh://code.8bitbuddhism.com/aires/nix-configuration
commit
cc4ae86525
|
@ -8,6 +8,7 @@ hostname=$(/run/current-system/sw/bin/hostname) # The name of the host to build
|
|||
flakeDir="${FLAKE_DIR}" # Path to the flake file (and optionally the hostname)
|
||||
update=false # Whether to update and commmit flake.lock
|
||||
user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands
|
||||
buildHost="" # Which host to use to generate the build (defaults to the local host)
|
||||
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
|
||||
|
||||
function usage() {
|
||||
|
@ -34,16 +35,21 @@ function usage() {
|
|||
POSITIONAL_ARGS=()
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--build-host)
|
||||
buildHost="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--flake|-f)
|
||||
flakeDir="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--hostname|-h)
|
||||
hostname="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
hostname="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--update|--upgrade|-U)
|
||||
update=true
|
||||
shift
|
||||
|
@ -89,6 +95,12 @@ fi
|
|||
|
||||
options="--flake ${flakeDir}#${hostname} ${remainingArgs} --use-remote-sudo --log-format multiline-with-logs"
|
||||
|
||||
if [[ -n "${buildHost}" && $operation != "build" && $operation != *"dry"* ]]; then
|
||||
echo "Remote build detected, running this operation first: nixos-rebuild build ${options} --build-host $buildHost"
|
||||
/run/current-system/sw/bin/nixos-rebuild build $options --build-host $buildHost
|
||||
echo "Remote build complete!"
|
||||
fi
|
||||
|
||||
echo "Running this operation: nixos-rebuild ${operation} ${options}"
|
||||
/run/current-system/sw/bin/nixos-rebuild $operation $options
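Review bot: In the added remote-build block, `$buildHost` is expanded unquoted in `nixos-rebuild build $options --build-host $buildHost`, and the `--build-host)` case arm stores `$2` without checking that a value was supplied. When the flag is given last the variable stays empty and the script silently falls back to a local build, and a value with whitespace is split by the shell. Quote the expansion, `--build-host "$buildHost"`, and reject a missing value or one that begins with `-` in the case arm, for example `[[ -n "${2:-}" && "$2" != -* ]] || { usage; exit 1; }`. `$options` depends on word splitting as well, so a bash array would be the sturdier form; the `while`/`case` loop continues outside the hunk.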
|
||||
|
||||
|
|
|
@ -267,11 +267,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1729802774,
|
||||
"narHash": "sha256-pssdzH1vOnTWvoGwfy3OfqY2oA6tKAHLGJFm5FeXYCI=",
|
||||
"lastModified": 1729804049,
|
||||
"narHash": "sha256-3CBk8Ntrilw4ju41mIkW2q34zxBxQxJPqd8lcF5yvV8=",
|
||||
"owner": "8bitbuddhist",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "52323ec811f4c94b2f32ba1c83d86f0594977dc8",
|
||||
"rev": "097c476b076300e0f44e2a804ad472ca3da395d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -8,18 +8,19 @@ let
|
|||
# Where to store service files
|
||||
services-root = "/storage/services";
|
||||
|
||||
# Credentials for interacting with the Namecheap API
|
||||
namecheapCredentials = {
|
||||
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
||||
${config.secrets.networking.namecheap.api.user}
|
||||
# Credentials for interacting with the Porkbun API
|
||||
porkbunCredentials = {
|
||||
"PORKBUN_API_KEY_FILE" = "${pkgs.writeText "porkbun-api-key" ''
|
||||
${config.secrets.networking.porkbun.api.apiKey}
|
||||
''}";
|
||||
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
|
||||
${config.secrets.networking.namecheap.api.key}
|
||||
"PORKBUN_SECRET_API_KEY_FILE" = "${pkgs.writeText "porkbun-secret-api-key" ''
|
||||
${config.secrets.networking.porkbun.api.secretKey}
|
||||
''}";
|
||||
};
|
||||
|
||||
# List of subdomains to add to the TLS certificate
|
||||
subdomains = with config.secrets.services; [
|
||||
dav.url
|
||||
forgejo.url
|
||||
gremlin-lab.url
|
||||
jellyfin.url
|
||||
|
@ -75,15 +76,15 @@ in
|
|||
defaultEmail = config.secrets.users.aires.email;
|
||||
certs = {
|
||||
"${config.secrets.networking.domains.primary}" = {
|
||||
dnsProvider = "namecheap";
|
||||
dnsProvider = "porkbun";
|
||||
extraDomainNames = subdomains;
|
||||
webroot = null; # Required in order to prevent a failed assertion
|
||||
credentialFiles = namecheapCredentials;
|
||||
credentialFiles = porkbunCredentials;
|
||||
};
|
||||
"${config.secrets.networking.domains.blog}" = {
|
||||
dnsProvider = "namecheap";
|
||||
dnsProvider = "porkbun";
|
||||
webroot = null; # Required in order to prevent a failed assertion
|
||||
credentialFiles = namecheapCredentials;
|
||||
credentialFiles = porkbunCredentials;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -111,11 +112,6 @@ in
|
|||
home = "${services-root}/forgejo";
|
||||
url = config.secrets.services.forgejo.url;
|
||||
};
|
||||
home-assistant = {
|
||||
enable = false;
|
||||
home = "${services-root}/home-assistant";
|
||||
url = config.secrets.services.home-assistant.url;
|
||||
};
|
||||
jellyfin = {
|
||||
enable = true;
|
||||
home = "${services-root}/jellyfin";
|
||||
|
@ -209,6 +205,12 @@ in
|
|||
ram = 4096;
|
||||
};
|
||||
};
|
||||
webdav = {
|
||||
enable = false;
|
||||
home = "${services-root}/webdav";
|
||||
url = config.secrets.services.webdav.url;
|
||||
users = config.secrets.services.webdav.users;
|
||||
};
|
||||
};
|
||||
|
||||
users.aires = {
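Review bot: `porkbunCredentials` in the `let` block builds both credential files with `pkgs.writeText`, which places the Porkbun API key and secret key in the Nix store, where every local user can read them and where they travel with the system closure to any build host or binary cache. `credentialFiles` only needs paths, so the entries can point at files kept outside the store with restrictive permissions, for example `"PORKBUN_API_KEY_FILE" = "/run/secrets/porkbun-api-key";` (placeholder path, provisioned by whatever secret manager these hosts use). The same concern applies to `users = config.secrets.services.webdav.users;` in the last hunk if those entries carry passwords. The replaced Namecheap definition appears to have used the same pattern, so this is inherited rather than new, but the provider switch is a natural point to move the keys out of the store.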
|
||||
|
|
|
@ -51,6 +51,7 @@ in
|
|||
autoUpgrade = {
|
||||
enable = true;
|
||||
configDir = config.secrets.nixConfigFolder;
|
||||
extraFlags = "--build-host hevana";
|
||||
onCalendar = "weekly";
|
||||
user = config.users.users.aires.name;
|
||||
};
|
||||
|
@ -71,6 +72,7 @@ in
|
|||
"com.github.tchx84.Flatseal"
|
||||
"com.github.wwmm.easyeffects"
|
||||
"md.obsidian.Obsidian"
|
||||
"org.chromium.Chromium"
|
||||
"org.keepassxc.KeePassXC"
|
||||
"org.mozilla.firefox"
|
||||
];
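Review bot: `extraFlags = "--build-host hevana";` in the `autoUpgrade` block is undocumented, although it means the unattended weekly upgrade activates a closure produced on another machine. This host therefore trusts hevana, and the SSH identity of the configured `user`, as much as its own builder. A comment such as `# Builds are offloaded to hevana; this host activates whatever closure it returns` would record that. How the `autoUpgrade` module behaves when hevana is unreachable is not visible here and is worth confirming, so that a failed remote build cannot leave the host quietly unpatched.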
|
||||
|
|
|
@ -14,7 +14,7 @@ in
|
|||
system.stateVersion = stateVersion;
|
||||
networking.hostName = hostName;
|
||||
|
||||
custom-fonts.Freight-Pro.enable = true;
|
||||
custom-fonts.Freight-Pro.enable = config.aux.system.users.gremlin.enable;
|
||||
|
||||
aux.system = {
|
||||
apps = {
|
||||
|
@ -42,7 +42,6 @@ in
|
|||
gpu.amd.enable = true;
|
||||
|
||||
packages = with pkgs; [
|
||||
boinc # Boinc client
|
||||
keepassxc # Use native instead of Flatpak due to weird performance issues
|
||||
];
|
||||
|
||||
|
@ -90,6 +89,7 @@ in
|
|||
"com.github.tchx84.Flatseal"
|
||||
"com.github.wwmm.easyeffects"
|
||||
"md.obsidian.Obsidian"
|
||||
"org.chromium.Chromium"
|
||||
"org.mozilla.firefox"
|
||||
];
|
||||
|
||||
|
|
|
@ -48,12 +48,6 @@
|
|||
# Install ZSH for all users
|
||||
zsh.enable = true;
|
||||
|
||||
# Enable NH, an alternative nixos-rebuild frontend.
|
||||
# https://github.com/viperML/nh
|
||||
nh = {
|
||||
enable = true;
|
||||
flake = "${config.secrets.nixConfigFolder}";
|
||||
};
|
||||
# Configure nano
|
||||
nano.nanorc = ''
|
||||
set tabsize 4
|
||||
|
|
Binary file not shown.
|
@ -1,71 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.aux.system.services.airsonic;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
aux.system.services.airsonic = {
|
||||
enable = lib.mkEnableOption "Enables Airsonic Advanced media streaming service.";
|
||||
home = lib.mkOption {
|
||||
default = "/var/lib/airsonic";
|
||||
type = lib.types.str;
|
||||
description = "Where to store Airsonic's files";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
default = "";
|
||||
type = lib.types.str;
|
||||
description = "The complete URL where Airsonic is hosted.";
|
||||
example = "https://forgejo.example.com";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
aux.system.users.media.enable = true;
|
||||
users.users.airsonic.extraGroups = [ "media" ];
|
||||
|
||||
services = {
|
||||
nginx.virtualHosts."${cfg.url}" = {
|
||||
useACMEHost = pkgs.util.getDomainFromURL cfg.url;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:4040";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
# Taken from https://airsonic.github.io/docs/proxy/nginx/
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header Host $host;
|
||||
proxy_max_temp_file_size 0;
|
||||
proxy_ssl_server_name on;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
airsonic = {
|
||||
enable = true;
|
||||
war = "${
|
||||
(pkgs.callPackage ../../packages/airsonic-advanced.nix { inherit lib; })
|
||||
}/webapps/airsonic.war";
|
||||
port = 4040;
|
||||
jre = pkgs.jdk17;
|
||||
jvmOptions = [
|
||||
"-Dserver.use-forward-headers=true"
|
||||
"-Xmx4G" # Increase Java heap size to 4GB
|
||||
];
|
||||
} // lib.optionalAttrs (cfg.home != "") { home = cfg.home; };
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
airsonic.unitConfig.RequiresMountsFor = cfg.home;
|
||||
nginx.wants = [ config.systemd.services.airsonic.name ];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,83 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.aux.system.services.home-assistant;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
aux.system.services.home-assistant = {
|
||||
enable = lib.mkEnableOption "Enables Home Assistant.";
|
||||
home = lib.mkOption {
|
||||
default = "/etc/home-assistant";
|
||||
type = lib.types.str;
|
||||
description = "Where to store Home Assistant's files";
|
||||
example = "/home/home-assistant";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
default = "";
|
||||
type = lib.types.str;
|
||||
description = "The complete URL where Home Assistant is hosted.";
|
||||
example = "https://home-assistant.example.com";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services = {
|
||||
home-assistant = {
|
||||
enable = true;
|
||||
# opt-out from declarative configuration management
|
||||
lovelaceConfig = null;
|
||||
# configure the path to your config directory
|
||||
configDir = cfg.home;
|
||||
# specify list of components required by your configuration
|
||||
extraComponents = [
|
||||
"default_config"
|
||||
"esphome"
|
||||
"eufy"
|
||||
"govee_light_local"
|
||||
"met"
|
||||
"radio_browser"
|
||||
"tplink"
|
||||
];
|
||||
extraPackages = python3Packages: with python3Packages; [ numpy ];
|
||||
config.http = {
|
||||
server_host = "::1";
|
||||
trusted_proxies = [ "::1" ];
|
||||
use_x_forwarded_for = true;
|
||||
};
|
||||
};
|
||||
nginx.virtualHosts."${cfg.url}" = {
|
||||
useACMEHost = pkgs.util.getDomainFromURL cfg.url;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://[::1]:8123";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
proxy_ssl_server_name on;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
home-assistant.unitConfig.RequiresMountsFor = cfg.home;
|
||||
nginx.wants = [ config.systemd.services.home-assistant.name ];
|
||||
};
|
||||
};
|
||||
}
|
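--- a/modules/services/webdav.nix
+++ b/modules/services/webdav.nix
@@ -0,0 +1,68 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+cfg = config.aux.system.services.webdav;
+
+port = 6065; # Internal port to run the server on
+in
+{
+options = {
+aux.system.services.webdav = {
+enable = lib.mkEnableOption "Enables Webdav server.";
+home = lib.mkOption {
+default = "/var/lib/webdav";
+type = lib.types.str;
+description = "Where to store Webdav's files";
+example = "/home/webdav";
+};
+url = lib.mkOption {
+default = "";
+type = lib.types.str;
+description = "The complete URL where Webdav is hosted.";
+example = "https://dav.example.com";
+};
+users = lib.mkOption {
+default = [ ];
+type = lib.types.listOf lib.types.attrs;
+description = "List of user accounts to create.";
+example = lib.literalExpression "[ { username = \"user\"; password = \"pass\"; } ]";
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+services = {
+webdav = {
+enable = true;
+settings = {
+address = "127.0.0.1";
+port = port;
+scope = cfg.home;
+users = cfg.users;
+};
+};
+
+nginx.virtualHosts."${cfg.url}" = {
+useACMEHost = pkgs.util.getDomainFromURL cfg.url;
+forceSSL = true;
+locations."/".extraConfig = ''
+proxy_pass http://127.0.0.1:${builtins.toString port};
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header REMOTE-HOST $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $host;
+proxy_redirect off;
+'';
+};
+};
+
+systemd.services = {
+webdav.unitConfig.RequiresMountsFor = cfg.home;
+nginx.wants = [ config.systemd.services.webdav.name ];
+};
+};
+}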
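Review bot: `users = cfg.users;` under `services.webdav.settings` passes the account list, with plaintext passwords if callers follow the option's own example (`password = \"pass\"`), into the generated server configuration, which presumably ends up in the world-readable Nix store. If this wraps the nixpkgs `services.webdav` module, its `environmentFile` option lets the entries reference a variable instead, e.g. `password = "{env}WEBDAV_PASSWORD";` (placeholder name), with the real value in a root-only file; a bcrypt hash is the other option the server is documented to accept. Changing the option type from `lib.types.listOf lib.types.attrs` to a submodule with `username` and `password` fields would also catch misspelt keys at evaluation time, and the `example` text should show the safer form.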
|
|
@ -76,8 +76,12 @@ in
|
|||
userName = config.secrets.users.aires.firstName;
|
||||
userEmail = config.secrets.users.aires.email;
|
||||
extraConfig = {
|
||||
safe.directory = "${config.secrets.nixConfigFolder}/.git";
|
||||
core.editor = config.aux.system.editor;
|
||||
merge.conflictStyle = "zdiff3";
|
||||
pull.ff = "only";
|
||||
push.autoSetupRemote = "true";
|
||||
safe.directory = "${config.secrets.nixConfigFolder}/.git";
|
||||
submodule.recurse = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -1,20 +1,10 @@
|
|||
{ config, lib, ... }:
|
||||
{ ... }:
|
||||
{
|
||||
# Give root user access to run remote builds
|
||||
home-manager.users.root = {
|
||||
home.stateVersion = "24.05";
|
||||
programs = {
|
||||
git.extraConfig = {
|
||||
safe.directory = "${config.secrets.nixConfigFolder}/.git";
|
||||
};
|
||||
ssh = {
|
||||
enable = true;
|
||||
matchBlocks = config.secrets.users.root.sshConfig;
|
||||
};
|
||||
zsh = {
|
||||
oh-my-zsh.theme = "kardan";
|
||||
shellAliases.nos = "nixos-operations-script";
|
||||
};
|
||||
programs.zsh = {
|
||||
oh-my-zsh.theme = "kardan";
|
||||
shellAliases.nos = "nixos-operations-script";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,33 +0,0 @@
|
|||
{
|
||||
lib,
|
||||
stdenv,
|
||||
fetchurl,
|
||||
nixosTests,
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "airsonic-advanced";
|
||||
version = "11.1.4-SNAPSHOT.20240628143437";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/${version}/airsonic.war";
|
||||
sha256 = "fde2c921e26cf536405118c5114a2f42fe87ff0a019852f21c80f4c68a2431ee";
|
||||
};
|
||||
|
||||
buildCommand = ''
|
||||
mkdir -p "$out/webapps"
|
||||
cp "$src" "$out/webapps/airsonic.war"
|
||||
'';
|
||||
|
||||
passthru.tests = {
|
||||
airsonic-starts = nixosTests.airsonic;
|
||||
};
|
||||
|
||||
meta = {
|
||||
description = "Free, web-based media streamer providing ubiquitous access to your music.";
|
||||
homepage = "https://github.com/kagemomiji/airsonic-advanced/";
|
||||
sourceProvenance = [ lib.sourceTypes.binaryBytecode ];
|
||||
license = lib.licenses.gpl3;
|
||||
platforms = lib.platforms.all;
|
||||
};
|
||||
}
|