Compare commits

..

27 Commits

Author SHA1 Message Date
soraefir 9a89479f66 Refactor 2026-06-04 00:30:29 +02:00
soraefir b82393272c Refactor 2026-06-03 19:24:29 +02:00
sora-ext 1cb9e9b645 Update modules/server/containers/default.nix 2026-06-03 17:40:10 +02:00
sora-ext b8735803c4 Update flake.nix 2026-06-03 17:35:15 +02:00
sora-ext 14bf297897 Update modules/shared/syscfg/server.nix 2026-06-03 17:20:36 +02:00
sora-ext 1fad610dff Update modules/server/database/default.nix 2026-06-03 17:19:28 +02:00
sora-ext 2c00901b04 Update modules/server/containers/apps/umami.nix 2026-06-03 17:19:11 +02:00
sora-ext 2c0ac0db09 Update modules/server/containers/apps/transmission.nix 2026-06-03 17:19:02 +02:00
sora-ext 6be107374e Update modules/server/containers/apps/traefik.nix 2026-06-03 17:18:52 +02:00
sora-ext 9e4d8274b5 Update modules/server/containers/apps/suwayomi.nix 2026-06-03 17:18:42 +02:00
sora-ext f54dea8a13 Update modules/server/containers/apps/selfmark.nix 2026-06-03 17:17:45 +02:00
sora-ext a6788f13a8 Update modules/server/containers/apps/searxng.nix 2026-06-03 17:17:36 +02:00
sora-ext 5b4af162b9 Update modules/server/containers/apps/openhab.nix 2026-06-03 17:17:14 +02:00
sora-ext 4e5c956f78 Update modules/server/containers/apps/nextcloud.nix 2026-06-03 17:17:02 +02:00
sora-ext 083549e3c6 Update modules/server/containers/apps/jellyfin.nix 2026-06-03 17:16:53 +02:00
sora-ext fada3c79b3 Update modules/server/containers/apps/invidious.nix 2026-06-03 17:16:42 +02:00
sora-ext ce72e4421b Update modules/server/containers/apps/influx.nix 2026-06-03 17:16:30 +02:00
sora-ext ddc5c76a35 Update modules/server/containers/apps/immich.nix 2026-06-03 17:16:18 +02:00
sora-ext d0b6718254 Update modules/server/containers/apps/handbrake.nix 2026-06-03 17:16:06 +02:00
sora-ext c1c76ab3de Update modules/server/containers/apps/gitea.nix 2026-06-03 17:15:56 +02:00
sora-ext 558874731a Update modules/server/containers/apps/frigate.nix 2026-06-03 17:15:46 +02:00
sora-ext b14135274b Update modules/server/containers/apps/freshrss.nix 2026-06-03 17:15:37 +02:00
sora-ext 5df88ac25a Update modules/server/containers/apps/etherpad.nix 2026-06-03 17:15:29 +02:00
sora-ext 2d8e0da386 Update modules/server/containers/apps/ethercalc.nix 2026-06-03 17:15:20 +02:00
sora-ext 8f87c11cb5 Update modules/server/containers/apps/calibre.nix 2026-06-03 17:15:00 +02:00
sora-ext 7b8eeb917f Update modules/server/containers/apps/authentik.nix 2026-06-03 17:14:30 +02:00
sora-ext a2043cafe1 Update modules/server/containers/apps/.template.nix 2026-06-03 17:14:05 +02:00
32 changed files with 1515 additions and 1434 deletions
+18 -15
View File
@@ -38,24 +38,27 @@
}; };
outputs = inputs: outputs = inputs:
let gen = import ./generator.nix { inherit inputs; }; let
lib = inputs.nixpkgs.lib;
gen = import ./generator.nix { inherit inputs; };
systemsDir = ./systems;
systemNames = lib.attrNames (lib.filterAttrs
(name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix"))
(builtins.readDir systemsDir));
hostsByType = systemType:
lib.filter
(host: (import (systemsDir + "/${host}/cfg.nix")).syscfg.type == systemType)
systemNames;
generateHosts = systemType:
builtins.listToAttrs (map
(host: lib.nameValuePair host (gen.generate { inherit host; }))
(hostsByType systemType));
in { in {
devShells = import ./shells { inherit inputs; }; devShells = import ./shells { inherit inputs; };
nixosConfigurations = { nixosConfigurations = generateHosts "nixos";
valinor = gen.generate { host = "valinor"; }; darwinConfigurations = generateHosts "macos";
iriy = gen.generate { host = "iriy"; }; homeConfigurations = generateHosts "home";
efir = gen.generate { host = "efir"; };
avalon = gen.generate { host = "avalon"; };
ci = gen.generate { host = "ci"; };
sandbox = gen.generate { host = "sandbox"; };
gateway = gen.generate { host = "gateway"; };
};
darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
homeConfigurations = {
yomi = gen.generate { host = "example"; };
example = gen.generate { host = "example"; };
};
}; };
# ===== Unsupported/NotImplemented ====== # ===== Unsupported/NotImplemented ======
+31 -26
View File
@@ -17,33 +17,38 @@ let
}; };
}; };
in { in {
sops = false; requires = {
db = false; secrets = [ ];
paths = [{ databases = [ ];
path="${serverCfg.configPath}/example/"; };
mode = "0444";
}];
containers = { runtime = {
server = builder.mkContainer { paths = [{
subdomain = containerCfg.subdomain; path="${serverCfg.path.config}/example/";
# imageStream = image; mode = "0444";
image = "....:${version}"; }];
port = 8080;
secret = name; containers = {
extraEnv = { }; server = builder.mkContainer {
overrides = { subdomain = containerCfg.subdomain;
cmd = [ ]; # imageStream = image;
volumes = [ ]; image = "....:${version}";
}; port = 8080;
secret = name;
extraEnv = { };
overrides = {
cmd = [ ];
volumes = [ ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."EXAMPLE".path;
script = pkgs.writeShellScript "setup" ''
...
'';
}; };
}; };
setup = {
trigger = "server";
envFile = config.sops.secrets."EXAMPLE".path;
script = pkgs.writeShellScript "setup" ''
...
'';
};
} }
+93 -91
View File
@@ -16,102 +16,104 @@ let
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {}); // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
}; };
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
paths = [{ databases = [ name ];
path="${serverCfg.configPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.configPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = 9000;
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
AUTHENTIK_EMAIL__PORT = "587";
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
AUTHENTIK_EMAIL__USE_TLS = "true";
AUTHENTIK_EMAIL__USE_SSL = "false";
AUTHENTIK_EMAIL__TIMEOUT = "10";
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
environmentFiles = [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
cmd = [ "server" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
ldap = builder.mkContainer {
image = "ghcr.io/goauthentik/ldap:${version}";
secret = name;
extraEnv = {
AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}";
AUTHENTIK_INSECURE = "false";
};
};
}; };
setup = { runtime = {
trigger = "worker"; paths = [{
script = pkgs.writeShellScript "setup" '' path="${serverCfg.path.config}/authentik";
# Define the command wrapper owner = "1000:1000";
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak" dirs = ["media" "templates"];
mode = "0755";
}];
$AK apply_blueprint /blueprints/custom/authentik.yaml containers = {
$AK apply_blueprint /blueprints/custom/traefik.yaml server = builder.mkContainer {
$AK apply_blueprint /blueprints/custom/ldap.yaml subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = 9000;
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
AUTHENTIK_EMAIL__PORT = "587";
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
AUTHENTIK_EMAIL__USE_TLS = "true";
AUTHENTIK_EMAIL__USE_SSL = "false";
AUTHENTIK_EMAIL__TIMEOUT = "10";
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
environmentFiles = [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''} cmd = [ "server" ];
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''} volumes = [
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''} "${serverCfg.path.config}/authentik/media:/media"
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''} "${serverCfg.path.config}/authentik/templates:/templates"
${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''} "${authentikData}:/blueprints/custom:ro"
${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''} ];
};
};
echo "Completed Authentik Setup" worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.path.config}/authentik/media:/media"
"${serverCfg.path.config}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
ldap = builder.mkContainer {
image = "ghcr.io/goauthentik/ldap:${version}";
secret = name;
extraEnv = {
AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}";
AUTHENTIK_INSECURE = "false";
};
};
};
setup = {
trigger = "worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
$AK apply_blueprint /blueprints/custom/authentik.yaml
$AK apply_blueprint /blueprints/custom/traefik.yaml
$AK apply_blueprint /blueprints/custom/ldap.yaml
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
echo "Completed Authentik Setup"
''; '';
};
}; };
} }
+27 -36
View File
@@ -3,43 +3,34 @@ let
version = "latest"; version = "latest";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
in { in {
sops = false; runtime = {
db = false; containers = {
paths = [ server = builder.mkContainer {
{ subdomain = containerCfg.subdomain;
path = "${serverCfg.configPath}/calibre-web/"; image = "crocodilestick/calibre-web-automated:${version}";
mode = "0755"; port = 8083;
dirs = ["library" "ingest"]; # secret = name;
} extraEnv = {
]; CWA_PORT_OVERRIDE = "8083";
containers = { PUID = "1000";
server = builder.mkContainer { PGID = "1000";
subdomain = containerCfg.subdomain; #HARDCOVER_TOKEN= ....
image = "crocodilestick/calibre-web-automated:${version}"; TRUSTED_PROXY_COUNT= "1";
port = 8083; };
# secret = name; extraLabels = {
extraEnv = { "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`)";
CWA_PORT_OVERRIDE = "8083"; "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik) then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
PUID = "1000"; "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
PGID = "1000"; "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
#HARDCOVER_TOKEN= .... };
TRUSTED_PROXY_COUNT= "1"; overrides = {
}; volumes = [
extraLabels = { "${serverCfg.path.book}:/calibre-library"
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`)"; "${serverCfg.path.dlBook}:/cwa-book-ingest"
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik) then "authentik" else ""; ];
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100"; };
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
cmd = [ ];
volumes = [
"${serverCfg.configPath}/calibre-web/library/:/calibre-library"
"${serverCfg.configPath}/calibre-web/ingest/:/cwa-book-ingest"
];
}; };
}; };
}; };
+27 -24
View File
@@ -3,31 +3,34 @@ let
version = "latest"; version = "latest";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
in { in {
sops = true; requires.secrets = [ name ];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "collabora/code:${version}";
port = 9980;
secret = name;
extraEnv = {
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
"server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
"username" = "collabora_user";
"VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
"VIRTUAL_PORT" = "9980";
"VIRTUAL_PROTO" = "http";
"DONT_GEN_SSL_CERT" = "true";
"RESOLVE_TO_PROXY_IP" = "true";
"extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
"dictionaries" = "en fr de jp no";
};
overrides = { runtime = {
volumes = [ containers = {
"${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro" server = builder.mkContainer {
"${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro" subdomain = containerCfg.subdomain;
]; image = "collabora/code:${version}";
port = 9980;
secret = name;
extraEnv = {
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
"server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
"username" = "collabora_user";
"VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
"VIRTUAL_PORT" = "9980";
"VIRTUAL_PROTO" = "http";
"DONT_GEN_SSL_CERT" = "true";
"RESOLVE_TO_PROXY_IP" = "true";
"extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
"dictionaries" = "en fr de jp no";
};
overrides = {
volumes = [
"${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
"${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
];
};
}; };
}; };
}; };
+22 -19
View File
@@ -13,27 +13,30 @@ let
}; };
}; };
in { in {
sops = true; requires.secrets = [ name ];
paths = [{
path="${serverCfg.dataPath}/ethercalc/";
mode = "0666";
}];
containers = { runtime = {
server = builder.mkContainer { paths = [{
subdomain = containerCfg.subdomain; path="${serverCfg.path.data}/ethercalc/";
imageStream = image; mode = "0666";
port = 8080; }];
secret = name;
extraEnv = { containers = {
ETHERCALC_PORT = "8080"; server = builder.mkContainer {
#CONNECT TO REDIS subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
ETHERCALC_PORT = "8080";
#CONNECT TO REDIS
};
overrides = {
volumes = [
"${serverCfg.path.data}/ethercalc:/data"
];
};
}; };
overrides = {
volumes = [
"${serverCfg.dataPath}/ethercalc:/data"
];
};
}; };
}; };
} }
+46 -41
View File
@@ -76,49 +76,54 @@ let
}; };
}; };
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
paths = [{ databases = [ name ];
path="${serverCfg.configPath}/etherpad/"; };
mode = "0444";
}];
containers = { runtime = {
server = builder.mkContainer { paths = [{
subdomain = containerCfg.subdomain; path="${serverCfg.path.config}/etherpad/";
imageStream = image; mode = "0444";
port = 8080; }];
secret = name;
extraEnv = { containers = {
TITLE = "Pad"; server = builder.mkContainer {
PORT ="8080"; subdomain = containerCfg.subdomain;
DB_TYPE = "postgres"; imageStream = image;
DB_HOST = builder.host; port = 8080;
DB_NAME = "etherpad_db"; secret = name;
DB_USER = "etherpad_user"; extraEnv = {
TRUST_PROXY = "true"; TITLE = "Pad";
DB_CHARSET = "utf8mb4"; PORT ="8080";
DEFAULT_PAD_TEXT = ""; DB_TYPE = "postgres";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true"; DB_HOST = builder.host;
PAD_OPTIONS_USE_MONOSPACE_FONT = "true"; DB_NAME = "etherpad_db";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background"; DB_USER = "etherpad_user";
TRUST_PROXY = "true";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
overrides = {
cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
volumes = [
"${settings}:/etc/etherpad/settings.json"
"${serverCfg.path.config}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
];
};
}; };
overrides = { };
cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
volumes = [ setup = {
"${settings}:/etc/etherpad/settings.json" trigger = "server";
"${serverCfg.configPath}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro" envFile = config.sops.secrets."ETHERPAD".path;
]; script = pkgs.writeShellScript "setup" ''
}; echo "$APIKEY" > ${serverCfg.path.config}/etherpad/APIKEY.txt
chmod 444 ${serverCfg.path.config}/etherpad/APIKEY.txt
'';
}; };
}; };
setup = {
trigger = "server";
envFile = config.sops.secrets."ETHERPAD".path;
script = pkgs.writeShellScript "setup" ''
echo "$APIKEY" > ${serverCfg.configPath}/etherpad/APIKEY.txt
chmod 444 ${serverCfg.configPath}/etherpad/APIKEY.txt
'';
};
} }
+46 -41
View File
@@ -3,54 +3,59 @@ let
version = "latest"; version = "latest";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
paths = [ databases = [ name ];
{ };
path = "${serverCfg.configPath}/freshrss";
owner = "1000:1000";
mode = "0755";
}
];
containers = { runtime = {
server = builder.mkContainer { paths = [
subdomain = containerCfg.subdomain; {
image = "ghcr.io/freshrss/freshrss:${version}"; path = "${serverCfg.path.config}/freshrss";
port = 80; owner = "1000:1000";
mode = "0755";
}
];
extraEnv = { containers = {
CRON_MIN = "5,35"; server = builder.mkContainer {
TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16"; subdomain = containerCfg.subdomain;
LISTEN = "80"; image = "ghcr.io/freshrss/freshrss:${version}";
OIDC_ENABLED = "1"; port = 80;
OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
OIDC_REMOTE_USER_CLAIM = "preferred_username";
OIDC_CLIENT_ID = "freshrss";
OIDC_SCOPES = "openid profile";
OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
};
overrides = { extraEnv = {
environmentFiles = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path ]; CRON_MIN = "5,35";
volumes = []; TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
LISTEN = "80";
OIDC_ENABLED = "1";
OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
OIDC_REMOTE_USER_CLAIM = "preferred_username";
OIDC_CLIENT_ID = "freshrss";
OIDC_SCOPES = "openid profile";
OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
};
overrides = {
environmentFiles = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path ];
volumes = ["${serverCfg.path.config}/freshrss:/var/www/FreshRSS/data"];
};
}; };
}; };
};
setup = { setup = {
trigger = "server"; # Triggers atomic environment verification on main controller trigger = "server"; # Triggers atomic environment verification on main controller
envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path]; envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
script = pkgs.writeShellScript "setup-freshrss" '' script = pkgs.writeShellScript "setup-freshrss" ''
RSS="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data freshrss-server" RSS="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data freshrss-server"
$RSS ./cli/prepare.php $RSS ./cli/prepare.php
$RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \ $RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
--title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss_user --db-password $DB_PASSWORD --db-base freshrss_db --title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss_user --db-password $DB_PASSWORD --db-base freshrss_db
$RSS ./cli/create-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL $RSS ./cli/create-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
$RSS ./cli/reconfigure.php $RSS ./cli/reconfigure.php
# $RSS ./cli/access-permissions.sh # $RSS ./cli/access-permissions.sh
''; '';
};
}; };
} }
+42 -41
View File
@@ -27,51 +27,51 @@ let
}; };
}; };
in { in {
sops = true; # Enabled to safeguard sensitive camera RTSP stream credentials requires.secrets = [ name ];
db = false; # Internal SQLite is used by default in Frigate
paths = [ runtime = {
{ paths = [
path = "${serverCfg.configPath}/frigate/"; {
mode = "0755"; path = "${serverCfg.path.config}/frigate/";
} mode = "0755";
{ }
path = "/var/lib/frigate/storage/"; {
mode = "0755"; # Dedicated path for heavy video recordings and media path = "/var/lib/frigate/storage/";
} mode = "0755"; # Dedicated path for heavy video recordings and media
]; }
];
containers = { containers = {
server = builder.mkContainer { server = builder.mkContainer {
subdomain = containerCfg.subdomain; subdomain = containerCfg.subdomain;
imageStream = image; imageStream = image;
port = 5000; port = 5000;
secret = name; secret = name;
extraEnv = { extraEnv = {
PLUS_API_KEY = ""; # Optional: For Frigate Plus users PLUS_API_KEY = ""; # Optional: For Frigate Plus users
}; };
overrides = { overrides = {
cmd = [ ]; cmd = [ ];
volumes = [ volumes = [
"${serverCfg.configPath}/frigate:/config" "${serverCfg.path.config}/frigate:/config"
"/var/lib/frigate/storage:/media/frigate" "/var/lib/frigate/storage:/media/frigate"
"/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container "/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
"/dev/dri:/dev/dri" # Passes Intel/AMD GPU for hardware video decoding "/dev/dri:/dev/dri" # Passes Intel/AMD GPU for hardware video decoding
]; ];
};
}; };
}; };
};
setup = { setup = {
trigger = "server"; trigger = "server";
envFile = config.sops.secrets."FRIGATE_ENV".path; envFile = config.sops.secrets."FRIGATE_ENV".path;
script = pkgs.writeShellScript "setup-frigate" '' script = pkgs.writeShellScript "setup-frigate" ''
mkdir -p "${serverCfg.configPath}/frigate" mkdir -p "${serverCfg.path.config}/frigate"
mkdir -p "/var/lib/frigate/storage" mkdir -p "/var/lib/frigate/storage"
# Bootstrap a standard configuration layout if missing # Bootstrap a standard configuration layout if missing
if [ ! -f "${serverCfg.configPath}/frigate/config.yml" ]; then if [ ! -f "${serverCfg.path.config}/frigate/config.yml" ]; then
cat <<EOF > "${serverCfg.configPath}/frigate/config.yml" cat <<EOF > "${serverCfg.path.config}/frigate/config.yml"
mqtt: mqtt:
enabled: False # Set to True and define host if connecting to Home Assistant enabled: False # Set to True and define host if connecting to Home Assistant
@@ -89,7 +89,8 @@ cameras:
detect: detect:
enabled: false enabled: false
EOF EOF
fi fi
''; '';
};
}; };
} }
+128 -126
View File
@@ -5,140 +5,142 @@ let
LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain)); LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
paths = [{ databases = [ name ];
path="${serverCfg.dataPath}/gitea/data";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.dataPath}/gitea/data-runner";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "gitea/gitea:${version}";
port = 8080;
secret = name;
extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
GITEA__repository__DISABLE_STARS = "true";
GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
# GITEA__ui__THEMES = "";
# GITEA__ui__DEFAULT_THEME = "";
# GITEA__security__SECRET_KEY = "SECRET_ENV";
# GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
# GITEA__database__PASSWD = "SECRET_ENV";
# GITEA__mailer__PASSWD="SECRET_ENV";
GITEA__database__DB_TYPE = "postgres";
GITEA__database__HOST = builder.host;
GITEA__database__NAME = "gitea_db";
GITEA__database__USER = "gitea_user";
GITEA__mailer__ENABLED = "true";
GITEA__mailer__FROM = "";
GITEA__mailer__PROTOCOL = "smtps";
GITEA__mailer__SMTP_ADDR = "";
GITEA__mailer__SMTP_PORT = "";
GITEA__mailer__USER= "";
GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
GITEA__server__PROTOCOL = "http";
GITEA__server__HTTP_PORT = "8080";
GITEA__server__LFS_START_SERVER = "true";
GITEA__security__INSTALL_LOCK = "true";
} // ( if serverCfg.containers?authentik then {
GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
GITEA__security__RREVERSE_PROXY_LIMIT = "1";
GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
} else {});
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik && false) then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
volumes = [
"${serverCfg.dataPath}/gitea/data:/data"
];
ports = [ "2222:22" ];
};
};
runner = builder.mkContainer {
image = "gitea/act_runner:${version}";
secret = name;
extraEnv = {
CONFIG_FILE="/data/config.yml";
GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
};
overrides = {
volumes = [
"${serverCfg.dataPath}/gitea/data-runner:/data"
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
# ports = [ "8088:8088" ];
};
};
}; };
runtime = {
paths = [{
path="${serverCfg.path.data}/gitea";
owner = "1000:1000";
dirs = ["data" "runner"];
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "gitea/gitea:${version}";
port = 8080;
secret = name;
setup = { extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
trigger = "server"; GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
envFile = config.sops.secrets."CUSTOM".path; GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
script = pkgs.writeShellScript "setup" '' GITEA__repository__DISABLE_STARS = "true";
# Define the command wrapper GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea" # GITEA__ui__THEMES = "";
GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner" # GITEA__ui__DEFAULT_THEME = "";
$GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true # GITEA__security__SECRET_KEY = "SECRET_ENV";
# GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
# GITEA__database__PASSWD = "SECRET_ENV";
# GITEA__mailer__PASSWD="SECRET_ENV";
touch ${serverCfg.dataPath}/gitea/data-runner/config.yml GITEA__database__DB_TYPE = "postgres";
GITEA__database__HOST = builder.host;
RUNNER_TOKEN=$($GT actions generate-runner-token) GITEA__database__NAME = "gitea_db";
$GTR register \ GITEA__database__USER = "gitea_user";
--instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
--token "$RUNNER_TOKEN" \
--name "Runner" \
--labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
--no-interactive
${lib.optionalString (serverCfg.containers ? authentik) '' GITEA__mailer__ENABLED = "true";
$GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \ GITEA__mailer__FROM = "";
--bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \ GITEA__mailer__PROTOCOL = "smtps";
--user-search-base "ou=users,${LDAP_DC_DOMAIN}" \ GITEA__mailer__SMTP_ADDR = "";
--user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \ GITEA__mailer__SMTP_PORT = "";
--admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \ GITEA__mailer__USER= "";
--username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
--synchronize-users
''}
echo "Completed Gitea Setup" GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
GITEA__server__PROTOCOL = "http";
GITEA__server__HTTP_PORT = "8080";
GITEA__server__LFS_START_SERVER = "true";
GITEA__security__INSTALL_LOCK = "true";
} // ( if serverCfg.containers?authentik then {
GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
GITEA__security__RREVERSE_PROXY_LIMIT = "1";
GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
} else {});
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik && containerCg.extra?proxyauth) then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
volumes = [
"${serverCfg.path.data}/gitea/data:/data"
];
ports = [ "2222:22" ];
};
};
runner = builder.mkContainer {
image = "gitea/act_runner:${version}";
secret = name;
extraEnv = {
CONFIG_FILE="/data/config.yml";
GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
};
overrides = {
volumes = [
"${serverCfg.path.data}/gitea/runner:/data"
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
# ports = [ "8088:8088" ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
$GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
touch ${serverCfg.path.data}/gitea/data-runner/config.yml
RUNNER_TOKEN=$($GT actions generate-runner-token)
$GTR register \
--instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
--token "$RUNNER_TOKEN" \
--name "Runner" \
--labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
--no-interactive
${lib.optionalString (serverCfg.containers ? authentik) ''
$GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
--bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
--user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
--user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
--admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
--username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
--synchronize-users
''}
echo "Completed Gitea Setup"
''; '';
};
}; };
} }
+35 -46
View File
@@ -2,58 +2,47 @@
let let
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
version = "latest"; version = "latest";
routerName = if containerCfg.subpath != null
then "${containerCfg.subdomain}-${lib.strings.sanitizeDerivationName containerCfg.subpath}"
else containerCfg.subdomain;
in { in {
runtime = {
paths = [{
path = "${serverCfg.path.config}/handbrake";
mode = "0755";
}];
paths = [{ containers = {
path = "${serverCfg.configPath}/handbrake/config"; server = builder.mkContainer {
mode = "0755"; authentik = true;
} { tmpfs = true;
path = "${serverCfg.dataPath}/handbrake/"; subdomain = containerCfg.subdomain;
mode = "0755"; subpath = containerCfg.subpath;
}]; image = "ghcr.io/jlesage/handbrake:${version}";
port = 5800;
containers = { extraEnv = {
server = builder.mkContainer { USER_ID = "1000";
subdomain = containerCfg.subdomain; GROUP_ID = "1000";
subpath = containerCfg.subpath; AUTOMATED_CONVERSION_PRESET = "Custom/AV1 MKV 1080p30";
image = "ghcr.io/jlesage/handbrake:${version}"; AUTOMATED_CONVERSION_FORMAT = "mkv";
port = 5800; AUTOMATED_CONVERSION_OUTPUT_SUBDIR = "SAME_AS_SRC";
};
extraEnv = { overrides = {
USER_ID = "1000"; volumes = [
GROUP_ID = "1000"; "${serverCfg.path.config}/handbrake:/config:rw"
AUTOMATED_CONVERSION_PRESET = "Custom/AV1 MKV 1080p30"; "${serverCfg.path.dlComplete}:/watch:rw"
AUTOMATED_CONVERSION_FORMAT = "mkv"; "${serverCfg.path.dlConverted}:/output:rw"
AUTOMATED_CONVERSION_OUTPUT_SUBDIR = "SAME_AS_SRC"; ];
};
}; };
extraLabels = { } // (if serverCfg.containers ? authentik then { };
"traefik.http.routers.${routerName}.middlewares" = "authentik";
} else {});
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
volumes = [ setup = {
"${serverCfg.configPath}/handbrake/config:/config:rw" trigger = "server";
"${serverCfg.dataPath}/handbrake/watch:/watch:rw" script = pkgs.writeShellScript "setup" ''
"${serverCfg.dataPath}/handbrake/output:/output:rw" mkdir -p ${serverCfg.path.data}/handbrake/{watch,output}
];
}; '';
}; };
}; };
setup = {
trigger = "server";
script = pkgs.writeShellScript "setup" ''
mkdir -p ${serverCfg.dataPath}/handbrake/{watch,output}
'';
};
} }
@@ -4,62 +4,63 @@ let
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
in { in {
vm = { runtime = {
portForward = [ 8123 ]; vm = {
cfg = {cfg,...}:{ portForward = [ 8123 ];
services.home-assistant = { cfg = {cfg,...}: {
enable = true; services.home-assistant = {
openFirewall = true; enable = true;
openFirewall = true;
extraComponents = [ extraComponents = [
"matter" "thread" "cast" "zha" "matter" "thread" "cast" "zha"
"default_config" "met" "esphome" "radio_browser" "default_config" "met" "esphome" "radio_browser"
"telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin" "telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin"
] ++ (if containerCfg.extra ? components then containerCfg.extra.components else []); ] ++ (if containerCfg.extra ? components then containerCfg.extra.components else []);
extraPackages = pp: with pp; [ extraPackages = pp: with pp; [
python-telegram gtts python-telegram gtts
]; ];
lovelaceConfig = {}; lovelaceConfig = {};
config = { config = {
homeassistant = { homeassistant = {
name = "Home"; name = "Home";
latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}"; latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}";
longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}"; longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}";
elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}"; elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}";
unit_system = "metric"; unit_system = "metric";
time_zone = config.time.timeZone; time_zone = config.time.timeZone;
}; };
lovelace = { mode = "yaml"; }; lovelace = { mode = "yaml"; };
customLovelaceModules = []; customLovelaceModules = [];
# default_config = {}; # default_config = {};
http = { http = {
use_x_forwarded_for = true; use_x_forwarded_for = true;
trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ]; trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ];
};
}; };
}; };
}; };
}; };
};
containers = { containers = {
dummy = builder.mkContainer { dummy = builder.mkContainer {
subdomain = containerCfg.subdomain; subdomain = containerCfg.subdomain;
image = "alpine:latest"; image = "alpine:latest";
extraLabels = { extraLabels = {
"traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123"; "traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123";
};
overrides = {cmd = [ "sleep" "infinity" ];};
}; };
overrides = {cmd = [ "sleep" "infinity" ];};
}; };
};
setup = { setup = {
trigger = "dummy"; trigger = "dummy";
envFile = config.sops.secrets."CUSTOM".path; envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" '' script = pkgs.writeShellScript "setup" ''
HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}" HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do
@@ -95,7 +96,7 @@ in {
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true -d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true
fi fi
''; '';
};
}; };
} }
+24 -26
View File
@@ -258,31 +258,29 @@ let
];}#)];} ];}#)];}
]; ];
in { in {
sops = false; runtime = {
db = false; containers = {
server = builder.mkContainer {
containers = { subdomain = containerCfg.subdomain;
server = builder.mkContainer { image = "ghcr.io/gethomepage/homepage:${version}";
subdomain = containerCfg.subdomain; port = 3000;
image = "ghcr.io/gethomepage/homepage:${version}"; extraEnv = {
port = 3000; HOMEPAGE_VAR_TITLE="${serverCfg.domain}";
extraEnv = { HOMEPAGE_ALLOWED_HOSTS = "${containerCfg.subdomain}.${serverCfg.domain},${builder.host}";
HOMEPAGE_VAR_TITLE="${serverCfg.domain}"; };
HOMEPAGE_ALLOWED_HOSTS = "${containerCfg.subdomain}.${serverCfg.domain},${builder.host}"; extraLabels = {
}; "traefik.http.routers.${containerCfg.subdomain}.service" = "${containerCfg.subdomain}";
extraLabels = { };
"traefik.http.routers.${containerCfg.subdomain}.service" = "${containerCfg.subdomain}"; overrides = {
}; environmentFiles = [ config.sops.secrets."CUSTOM".path ];
overrides = { volumes = [
environmentFiles = [ config.sops.secrets."CUSTOM".path ]; "${settings}:/app/config/settings.yaml:ro"
volumes = [ "${services}:/app/config/services.yaml:ro"
"${settings}:/app/config/settings.yaml:ro" "${widgets}:/app/config/widgets.yaml:ro"
"${services}:/app/config/services.yaml:ro" "${bookmarks}:/app/config/bookmarks.yaml:ro"
"${widgets}:/app/config/widgets.yaml:ro" ];
"${bookmarks}:/app/config/bookmarks.yaml:ro" };
]; };
}; };
}; };
};
} }
+88 -81
View File
@@ -4,94 +4,101 @@ let
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
databases = [ name ];
paths = [{
path = "${serverCfg.configPath}/immich/cache";
mode = "0750";
}{
path = "${serverCfg.dataPath}/immich/";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/immich-app/immich-server:${version}";
port = 2283;
secret = name;
extraEnv = {
DB_HOSTNAME = builder.host;
REDIS_HOSTNAME = builder.host;
DB_USERNAME = "immich_user";
DB_DATABASE_NAME = "immich_db";
IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
# IMMICH_ALLOW_SETUP = "false";
# IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
};
overrides = {
volumes = [
"${serverCfg.dataPath}/immich:/data"
];
};
};
ml = builder.mkContainer {
image = "ghcr.io/immich-app/immich-machine-learning:${version}";
port = 3003;
overrides = {
volumes = [
"${serverCfg.configPath}/immich/cache:/cache"
];
};
};
}; };
setup = { runtime = {
trigger = "server"; paths = [{
envFile = config.sops.secrets."CUSTOM".path; path = "${serverCfg.path.config}/immich";
script = pkgs.writeShellScript "setup" '' dirs = ["cache"];
PSQL="${pkgs.postgresql}/bin/psql -U postgres" mode = "0750";
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;" }{
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;" path = "${serverCfg.path.data}/immich/";
dirs = ["upload" "thumbs" "encoded-video" "backups"];
mode = "0755";
}];
mkdir -p ${serverCfg.dataPath}/immich/{upload,library,thumbs,encoded-video,profile,backups} containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/immich-app/immich-server:${version}";
port = 2283;
secret = name;
extraEnv = {
DB_HOSTNAME = builder.host;
REDIS_HOSTNAME = builder.host;
DB_USERNAME = "immich_user";
DB_DATABASE_NAME = "immich_db";
IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
# IMMICH_ALLOW_SETUP = "false";
# IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
};
overrides = {
volumes = [
"${serverCfg.path.photo}:/data/upload"
"${serverCfg.path.data}/immich/backups:/data/backups"
"${serverCfg.path.config}/immich/thumbs:/data/thumbs"
"${serverCfg.path.config}/immich/encoded-video:/data/encoded-video"
];
};
};
IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}" ml = builder.mkContainer {
until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do image = "ghcr.io/immich-app/immich-machine-learning:${version}";
sleep 5 port = 3003;
done overrides = {
${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \ volumes = [
-H "Content-Type: application/json" -H "Accept: application/json" \ "${serverCfg.path.config}/immich/cache:/cache"
-d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }' ];
};
};
};
IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \ setup = {
-H "Content-Type: application/json" \ trigger = "server";
-d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \ envFile = config.sops.secrets."CUSTOM".path;
| ${pkgs.jq}/bin/jq -r '.accessToken') script = pkgs.writeShellScript "setup" ''
PSQL="${pkgs.postgresql}/bin/psql -U postgres"
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
${lib.optionalString (serverCfg.containers ? authentik) '' IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \ until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
${pkgs.jq}/bin/jq '.oauth.enabled = true | sleep 5
.oauth.autoRegister = true | done
.oauth.autoLaunch = true | ${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
.oauth.signingAlgorithm = "RS256" | -H "Content-Type: application/json" -H "Accept: application/json" \
.oauth.profileSigningAlgorithm = "RS256" | -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
.oauth.clientId = "immich" |
.oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" |
.oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" |
.oauth.scope = "openid profile email" |
.oauth.buttonText = "Login with SSO"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
''}
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \ IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
${pkgs.jq}/bin/jq '.storageTemplate.enable = true | -H "Content-Type: application/json" \
.storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \ -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @- | ${pkgs.jq}/bin/jq -r '.accessToken')
''; ${lib.optionalString (serverCfg.containers ? authentik) ''
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
${pkgs.jq}/bin/jq '.oauth.enabled = true |
.oauth.autoRegister = true |
.oauth.autoLaunch = true |
.oauth.signingAlgorithm = "RS256" |
.oauth.profileSigningAlgorithm = "RS256" |
.oauth.clientId = "immich" |
.oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" |
.oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" |
.oauth.scope = "openid profile email" |
.oauth.buttonText = "Login with SSO"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
''}
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
.storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
'';
};
}; };
} }
+60 -57
View File
@@ -5,62 +5,65 @@ let
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
databases = [ name ];
paths = [{
path = "${serverCfg.configPath}/influxdb/";
mode = "0700";
}{
path = "${serverCfg.dataPath}/influxdb/";
mode = "0700";
}];
containers = {
# db = builder.mkContainer {
# subdomain = containerCfg.subdomain;
# image = "influxdata/influxdb:3.0";
# port = 8181;
# secret = name;
# extraEnv = {
# INFLUXD_DB_PATH = "/db";
# INFLUXD_CONFIG_PATH = "/config";
# };
# overrides = {
# volumes = [
# "${serverCfg.dataPath}/influxdb:/db:rw"
# "${serverCfg.configPath}/influxdb:/config:ro"
# ];
# };
# };
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "influxdata/influxdb3-ui:${version}";
port = 8080;
secret = name;
extraEnv = {
SESSION_SECRET_KEY = "7b0024c13ae770000f797c201e2f210b9932a689c04d34de04379faa44e88e97";
DATABASE_URL = "/db/sqlite.db";
};
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
ports = [ "8080:8080" ];
cmd = [ "--mode=admin" ];
volumes = [
"${serverCfg.dataPath}/influxdb:/db:rw"
"${serverCfg.configPath}/influxdb/:/app-root/config:ro"
];
};
};
}; };
setup = { runtime = {
trigger = "server"; paths = [{
script = pkgs.writeShellScript "setup" '' path = "${serverCfg.path.config}/influxdb/";
cat > ${serverCfg.configPath}/influxdb/config.json << 'EOF' owner = "1500:1500";
mode = "0700";
}{
path = "${serverCfg.path.data}/influxdb/";
owner = "1500:1500";
mode = "0700";
}];
containers = {
# db = builder.mkContainer {
# subdomain = containerCfg.subdomain;
# image = "influxdata/influxdb:3.0";
# port = 8181;
# secret = name;
# extraEnv = {
# INFLUXD_DB_PATH = "/db";
# INFLUXD_CONFIG_PATH = "/config";
# };
# overrides = {
# volumes = [
# "${serverCfg.path.data}/influxdb:/db:rw"
# "${serverCfg.path.config}/influxdb:/config:ro"
# ];
# };
# };
server = builder.mkContainer {
tmpfs = true;
subdomain = containerCfg.subdomain;
image = "influxdata/influxdb3-ui:${version}";
port = 8080;
secret = name;
extraEnv = {
SESSION_SECRET_KEY = "7b0024c13ae770000f797c201e2f210b9932a689c04d34de04379faa44e88e97";
DATABASE_URL = "/db/sqlite.db";
};
overrides = {
ports = [ "8080:8080" ];
cmd = [ "--mode=admin" ];
volumes = [
"${serverCfg.path.data}/influxdb:/db:rw"
"${serverCfg.path.config}/influxdb/:/app-root/config:ro"
];
};
};
};
setup = {
trigger = "server";
script = pkgs.writeShellScript "setup" ''
cat > ${serverCfg.path.config}/influxdb/config.json << 'EOF'
{ {
"DEFAULT_INFLUX_SERVER": "http://${builder.host}:8181", "DEFAULT_INFLUX_SERVER": "http://${builder.host}:8181",
"DEFAULT_INFLUX_DATABASE": "main", "DEFAULT_INFLUX_DATABASE": "main",
@@ -68,8 +71,8 @@ in {
"DEFAULT_SERVER_NAME": "${serverCfg.domain}" "DEFAULT_SERVER_NAME": "${serverCfg.domain}"
} }
EOF EOF
chmod -R 755 ${serverCfg.configPath}/influxdb chmod -R 755 ${serverCfg.path.config}/influxdb
''; '';
};
}; };
} }
+48 -43
View File
@@ -24,55 +24,60 @@ let
}; };
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
paths = [{ databases = [ name ];
path="${serverCfg.configPath}/invidious"; };
mode = "0755";
}];
containers = { runtime = {
server = builder.mkContainer { paths = [{
subdomain = containerCfg.subdomain; path="${serverCfg.path.config}/invidious";
imageStream = image; mode = "0755";
port = 3000; }];
secret = name;
extraLabels = { containers = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) "; server = builder.mkContainer {
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else ""; subdomain = containerCfg.subdomain;
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100"; imageStream = image;
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure"; port = 3000;
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true"; secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
extraEnv = {
INVIDIOUS_CONFIG_FILE = "/data/config.yml";
};
overrides = {
volumes = [
"${serverCfg.path.config}/invidious:/data:ro"
];
};
}; };
extraEnv = {
INVIDIOUS_CONFIG_FILE = "/data/config.yml"; companion = builder.mkContainer {
}; image = "quay.io/invidious/invidious-companion:latest";
overrides = { port = 8282;
volumes = [ secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
"${serverCfg.configPath}/invidious:/data:ro" extraOptions = [
"--cap-drop=all"
"--security-opt=no-new-privileges"
]; ];
}; };
}; };
companion = builder.mkContainer { setup = {
image = "quay.io/invidious/invidious-companion:latest"; trigger = "server";
port = 8282; envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY script = pkgs.writeShellScript "setup" ''
extraOptions = [ export DB_HOST=${builder.host}
"--cap-drop=all" export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
"--security-opt=no-new-privileges"
]; ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.path.config}/invidious/config.yml"
'';
}; };
}; };
setup = {
trigger = "server";
envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
export DB_HOST=${builder.host}
export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.configPath}/invidious/config.yml"
'';
};
} }
+131 -137
View File
@@ -25,157 +25,151 @@ let
}; };
}; };
in { in {
paths = [ runtime = {
{ paths = [
path = "${serverCfg.dataPath}/media/"; {
owner = "1000:1000"; path = "${serverCfg.path.config}/jellyfin/";
mode = "0755"; owner = "1000:1000";
} mode = "0755";
{ }
path = "${serverCfg.configPath}/jellyfin/"; ];
owner = "1000:1000";
mode = "0755";
}
];
containers = { containers = {
server = builder.mkContainer { server = builder.mkContainer {
subdomain = containerCfg.subdomain; tmpfs = true;
imageStream = image; subdomain = containerCfg.subdomain;
port = 8096; imageStream = image;
extraEnv = { port = 8096;
HOME = "/config/data"; extraEnv = {
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1"; HOME = "/config/data";
JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix"; JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
}; JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
extraOptions = [ };
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m" overrides = {
]; cmd = [
overrides = { "--datadir" "/config/data"
cmd = [ "--cachedir" "/config/cache"
"--datadir" "/config/data" "--configdir" "/config/config"
"--cachedir" "/config/cache" "--logdir" "/config/log"
"--configdir" "/config/config" ];
"--logdir" "/config/log" volumes = [
]; "${serverCfg.path.film}:/media:ro"
volumes = [ "${serverCfg.path.config}/jellyfin:/config"
"${serverCfg.dataPath}/media:/media:ro" ];
"${serverCfg.configPath}/jellyfin:/config" # If you have an Intel/AMD GPU for transcoding, add the device:
]; devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
# If you have an Intel/AMD GPU for transcoding, add the device: };
devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
}; };
}; };
};
setup = { setup = {
trigger = "server"; trigger = "server";
envFile = config.sops.secrets."CUSTOM".path; envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" '' script = pkgs.writeShellScript "setup" ''
JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}" JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5
done
echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20
WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
if [ "$WIZARD_COMPLETE" = "false" ]; then
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
-H "Content-Type: application/json" \
-d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
echo "ERROR: Failed to set startup configuration."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
echo "ERROR: Failed to get base user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
-H 'accept: */*' -H "Content-Type: application/json" \
-d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
echo "ERROR: Failed to set admin user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
-H "Content-Type: application/json" \
-d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
echo "ERROR: Failed to configure remote access."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
echo "ERROR: Failed to complete wizard."
exit 1
fi
echo "Jellyfin initialization successfully completed!"
fi
${lib.optionalString (serverCfg.containers ? authentik) ''
JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
-H "Content-Type: application/json" \
-H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
-d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
| ${pkgs.jq}/bin/jq -r '.AccessToken')
# Verify we got a token
if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
echo "ERROR: Authentication failed."
exit 1
fi
if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
"$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
echo "LDAP Plugin is already installed. Skipping setup."
else
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: Server failed to accept restart command."
exit 1
fi
sleep 1-
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5 sleep 5
done done
echo "Jellyfin is up. Sleeping for 20 seconds..." echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20 sleep 20
fi WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
if [ "$WIZARD_COMPLETE" = "false" ]; then
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
-H "Content-Type: application/json" \
-d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
echo "ERROR: Failed to set startup configuration."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \ if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \ echo "ERROR: Failed to get base user."
-H "Content-Type: application/json" -H 'accept: */*' \ exit 1
-d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true, fi
"LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
"LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
"LdapSearchAttributes":"uid, cn, mail, displayName",
"LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
"EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
"EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
"LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
"EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
''}
${pkgs.sqlite}/bin/sqlite3 ${serverCfg.configPath}/jellyfin/data/data/jellyfin.db <<EOF if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
-H 'accept: */*' -H "Content-Type: application/json" \
-d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
echo "ERROR: Failed to set admin user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
-H "Content-Type: application/json" \
-d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
echo "ERROR: Failed to configure remote access."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
echo "ERROR: Failed to complete wizard."
exit 1
fi
echo "Jellyfin initialization successfully completed!"
fi
${lib.optionalString (serverCfg.containers ? authentik) ''
JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
-H "Content-Type: application/json" \
-H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
-d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
| ${pkgs.jq}/bin/jq -r '.AccessToken')
# Verify we got a token
if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
echo "ERROR: Authentication failed."
exit 1
fi
if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
"$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
echo "LDAP Plugin is already installed. Skipping setup."
else
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: Server failed to accept restart command."
exit 1
fi
sleep 1-
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5
done
echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Type: application/json" -H 'accept: */*' \
-d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
"LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
"LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
"LdapSearchAttributes":"uid, cn, mail, displayName",
"LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
"EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
"EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
"LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
"EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
''}
${pkgs.sqlite}/bin/sqlite3 ${serverCfg.path.config}/jellyfin/data/data/jellyfin.db <<EOF
INSERT OR IGNORE INTO ApiKeys (Id, AccessToken, Name, DateCreated, DateLastActivity) INSERT OR IGNORE INTO ApiKeys (Id, AccessToken, Name, DateCreated, DateLastActivity)
VALUES ( 1, "$HOMEPAGE_VAR_JELLYFIN_API", 'Home', strftime('%Y-%m-%d %H:%M:%S', 'now'), strftime('%Y-%m-%d %H:%M:%S', 'now')); VALUES ( 1, "$HOMEPAGE_VAR_JELLYFIN_API", 'Home', strftime('%Y-%m-%d %H:%M:%S', 'now'), strftime('%Y-%m-%d %H:%M:%S', 'now'));
EOF EOF
echo "Completed Setup" echo "Completed Setup"
''; '';
};
}; };
} }
+57 -58
View File
@@ -3,63 +3,61 @@ let
version = "31"; version = "31";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
paths = [{ databases = [ name ];
path="${serverCfg.dataPath}/nextcloud/www";
owner = "33:33";
mode = "0755";
}{
path="${serverCfg.dataPath}/nextcloud/data";
owner = "33:33";
mode = "0755";
backup = true;
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "nextcloud:${version}";
port = 80;
secret = name;
extraEnv = {
REDIS_HOST = builder.host;
POSTGRES_HOST = builder.host;
POSTGRES_USER = "nextcloud_user";
POSTGRES_DB = "nextcloud_db";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
"NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.domain} nextcloud-server";
"SMTP_HOST" = serverCfg.mailServer;
"SMTP_NAME" = "mail_user";
"SMTP_PASSWORD" = "mail_password";
"MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.domain}";
"MAIL_DOMAIN" = serverCfg.mailDomain;
"TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
};
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
volumes = [
"${serverCfg.dataPath}/nextcloud/www:/var/www/html"
"${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
];
};
};
}; };
setup = { runtime = {
trigger = "server"; paths = [{
script = pkgs.writeShellScript "setup" '' path="${serverCfg.path.config}/nextcloud";
owner = "33:33";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
tmpfs = true;
subdomain = containerCfg.subdomain;
image = "nextcloud:${version}";
port = 80;
secret = name;
extraEnv = {
REDIS_HOST = builder.host;
POSTGRES_HOST = builder.host;
POSTGRES_USER = "nextcloud_user";
POSTGRES_DB = "nextcloud_db";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
NEXTCLOUD_TRUSTED_DOMAINS = "${containerCfg.subdomain}.${serverCfg.domain} nextcloud-server";
SMTP_HOST = serverCfg.mail.server;
SMTP_NAME = "mail_user";
SMTP_PASSWORD = "mail_password";
MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.domain}";
MAIL_DOMAIN = serverCfg.mail.domain;
TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
NEXTCLOUD_DATA_DIR = "/var/www/html/data";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
};
overrides = {
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
volumes = [
"${serverCfg.path.config}/nextcloud:/var/www/html"
"${serverCfg.path.cloud}:/var/www/html/data"
];
};
};
};
setup = {
trigger = "server";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper # Define the command wrapper
OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ" OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
@@ -193,8 +191,9 @@ in {
$OCC db:add-missing-indices --no-interaction $OCC db:add-missing-indices --no-interaction
echo "Completed Setup" echo "Completed Setup"
''; '';
}; };
cron = [ "*/5 * * * * root ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ]; cron = [ "*/5 * * * * root ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
};
} }
+66 -66
View File
@@ -4,74 +4,74 @@ let
version = "5.1.4"; version = "5.1.4";
in { in {
sops = false; runtime = {
db = false; paths = [
paths = [ { path="${serverCfg.path.config}/openhab/conf"; owner="1000:1000"; mode = "0755"; }
{ path="${serverCfg.configPath}/openhab/conf"; owner="1000:1000"; mode = "0755"; } { path="${serverCfg.path.config}/openhab/userdata"; owner="1000:1000"; mode = "0755"; }
{ path="${serverCfg.configPath}/openhab/userdata"; owner="1000:1000"; mode = "0755"; } { path="${serverCfg.path.config}/openhab/addons"; owner="1000:1000"; mode = "0755"; }
{ path="${serverCfg.configPath}/openhab/addons"; owner="1000:1000"; mode = "0755"; } ];
];
containers = { containers = {
server = builder.mkContainer { server = builder.mkContainer {
subdomain = containerCfg.subdomain; subdomain = containerCfg.subdomain;
image = "openhab/openhab:${version}"; image = "openhab/openhab:${version}";
port = 8080; port = 8080;
extraEnv = { extraEnv = {
USER_ID = "1000"; USER_ID = "1000";
GROUP_ID = "1000"; GROUP_ID = "1000";
CRYPTO_POLICY = "unlimited"; CRYPTO_POLICY = "unlimited";
OPENHAB_HTTP_PORT = "8080"; OPENHAB_HTTP_PORT = "8080";
}; };
extraOptions = [ extraOptions = [
"--network=host" "--network=host"
"--cap-add=NET_ADMIN" "--cap-add=NET_ADMIN"
"--cap-add=NET_RAW" "--cap-add=NET_RAW"
"--no-healthcheck" "--no-healthcheck"
];
overrides = {
volumes = [
"${serverCfg.configPath}/openhab/conf:/openhab/conf"
"${serverCfg.configPath}/openhab/userdata:/openhab/userdata"
"${serverCfg.configPath}/openhab/addons:/opt/openhab/addons"
"/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro"
]; ];
}; overrides = {
volumes = [
"${serverCfg.path.config}/openhab/conf:/openhab/conf"
"${serverCfg.path.config}/openhab/userdata:/openhab/userdata"
"${serverCfg.path.config}/openhab/addons:/opt/openhab/addons"
"/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = [ config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
# Pre-generate openHAB directories on the host
OHAB="${pkgs.podman}/bin/podman --events-backend=none exec openhab-server /openhab/runtime/bin/client -u openhab -p habopen"
sleep 20
exit 0
$OHAB openhab:users add $DEFAULT_ADMIN_USERNAME $DEFAULT_ADMIN_PASSWORD administrator
$OHAB feature:list
$OHAB openhab:addons install persistance-mapdb
$OHAB openhab:addons install persistance-influxdb
$OHAB openhab:addons install ui-basic
$OHAB openhab:addons install automation-jsscripting
$OHAB openhab:addons install binding-telegram
$OHAB openhab:addons install binding-matter
$OHAB openhab:addons install binding-mqtt
$OHAB openhab:addons install binding-bluetooth
$OHAB openhab:addons install binding-zigbee
$OHAB openhab:addons install binding-chromecast
$OHAB openhab:addons install binding-astro
$OHAB openhab:addons install binding-meteoblue
$OHAB openhab:addons install binding-publictransportswitzerland
#IF APPLE DEVICE: HomeKit (siri/apple bridge)
#IF UBIQUITY NET: Unifi + UnifiProtect (net/cam bridge)
#IF YAMAHA+EPSON: EpsonProjector + Yamaha (projector and sound)
#IF BAMBULAB DEVICE: BambuLab (notify print state)
#IF GARDENA DEVICE: Gardena (smart watering)
#Extra: AndroidTV/Jellyfin (Bind with lights + more)
'';
}; };
}; };
setup = {
trigger = "server";
envFile = [ config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
# Pre-generate openHAB directories on the host
OHAB="${pkgs.podman}/bin/podman --events-backend=none exec openhab-server /openhab/runtime/bin/client -u openhab -p habopen"
sleep 20
exit 0
$OHAB openhab:users add $DEFAULT_ADMIN_USERNAME $DEFAULT_ADMIN_PASSWORD administrator
$OHAB feature:list
$OHAB openhab:addons install persistance-mapdb
$OHAB openhab:addons install persistance-influxdb
$OHAB openhab:addons install ui-basic
$OHAB openhab:addons install automation-jsscripting
$OHAB openhab:addons install binding-telegram
$OHAB openhab:addons install binding-matter
$OHAB openhab:addons install binding-mqtt
$OHAB openhab:addons install binding-bluetooth
$OHAB openhab:addons install binding-zigbee
$OHAB openhab:addons install binding-chromecast
$OHAB openhab:addons install binding-astro
$OHAB openhab:addons install binding-meteoblue
$OHAB openhab:addons install binding-publictransportswitzerland
#IF APPLE DEVICE: HomeKit (siri/apple bridge)
#IF UBIQUITY NET: Unifi + UnifiProtect (net/cam bridge)
#IF YAMAHA+EPSON: EpsonProjector + Yamaha (projector and sound)
#IF BAMBULAB DEVICE: BambuLab (notify print state)
#IF GARDENA DEVICE: Gardena (smart watering)
#Extra: AndroidTV/Jellyfin (Bind with lights + more)
'';
};
} }
+21 -26
View File
@@ -59,34 +59,29 @@ let
}; };
}); });
in { in {
sops = true; requires.secrets = [ name ];
# paths = [{
# path="${serverCfg.dataPath}/searxng/";
# mode = "0444";
# }];
containers = { runtime = {
server = builder.mkContainer { containers = {
subdomain = containerCfg.subdomain; server = builder.mkContainer {
image = "searxng/searxng:${version}"; subdomain = containerCfg.subdomain;
port = 8080; image = "searxng/searxng:${version}";
secret = name; port = 8080;
extraEnv = { secret = name;
SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}"; extraEnv = {
SEARXNG_PORT = "8080"; SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
SEARXNG_BIND_ADDRESS = "[::]"; SEARXNG_PORT = "8080";
SEARXNG_PUBLIC_INSTANCE = "false"; SEARXNG_BIND_ADDRESS = "[::]";
SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml"; SEARXNG_PUBLIC_INSTANCE = "false";
#SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}"; SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
#SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
};
overrides = {
volumes = [
"${settings}:/etc/searxng/settings.yml"
];
};
}; };
overrides = {
cmd = [ ];
volumes = [
"${settings}:/etc/searxng/settings.yml"
# "/path/to/your/logo.png:/usr/local/searxng/searx/static/themes/simple/img/searxng.png
# "${serverCfg.dataPath}/searxng:/var/cache/searxng/"
];
};
}; };
}; };
} }
+76 -81
View File
@@ -2,94 +2,89 @@
let let
version = "latest"; version = "latest";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
routerName = if containerCfg.subpath != null
then "${containerCfg.subdomain}-${lib.strings.sanitizeDerivationName containerCfg.subpath}"
else containerCfg.subdomain;
in { in {
sops = false; runtime = {
db = false; paths = [{
paths = [{ path = "${serverCfg.path.config}/selfmark/";
path = "${serverCfg.configPath}/selfmark/"; mode = "0444";
mode = "0444"; }];
}];
containers = { containers = {
server = builder.mkContainer { server = builder.mkContainer {
subdomain = containerCfg.subdomain; authentik = true;
subpath = containerCfg.subpath; subdomain = containerCfg.subdomain;
image = "ghcr.io/calibrain/shelfmark:${version}"; subpath = containerCfg.subpath;
port = 8080; image = "ghcr.io/calibrain/shelfmark:${version}";
port = 8080;
extraEnv = { extraEnv = {
# HARDCOVER_API_KEY = ""; #FROM SOPS # HARDCOVER_API_KEY = ""; #FROM SOPS
# AA_DONATOR_KEY = ""; #FROM SOPS # AA_DONATOR_KEY = ""; #FROM SOPS
# PROWLARR_API_KEY = ""; #FROM SOPS # PROWLARR_API_KEY = ""; #FROM SOPS
FLASK_PORT = "8080"; FLASK_PORT = "8080";
PUID = "1000"; PUID = "1000";
PGID = "1000"; PGID = "1000";
USING_TOR = "false"; USING_TOR = "false";
ONBOARDING = "false"; ONBOARDING = "false";
SUPPORTED_FORMATS = "epub,mobi,azw3,fb2,djvu,cbz,cbr,pdf"; SUPPORTED_FORMATS = "epub,mobi,azw3,fb2,djvu,cbz,cbr,pdf";
SUPPORTED_AUDIOBOOK_FORMATS = "mp3, m4b"; SUPPORTED_AUDIOBOOK_FORMATS = "mp3, m4b";
BOOK_LANGUAGE = "en,fr"; # ,de,jp"; BOOK_LANGUAGE = "en,fr"; # ,de,jp";
SEARCH_MODE = "universal"; SEARCH_MODE = "universal";
AA_DEFAULT_SORT = "relevance"; AA_DEFAULT_SORT = "relevance";
METADATA_PROVIDER = "openlibrary"; METADATA_PROVIDER = "openlibrary";
INGEST_DIR = "/books"; INGEST_DIR = "/books";
BOOKS_OUTPUT_MODE = "/output"; BOOKS_OUTPUT_MODE = "/output";
FILE_ORGANIZATION = "organize"; FILE_ORGANIZATION = "organize";
TEMPLATE_RENAME = "{Author} - {Title} ({Year})"; TEMPLATE_RENAME = "{Author} - {Title} ({Year})";
TEMPLATE_ORGANIZE = "{Author}/{Title} ({Year})"; TEMPLATE_ORGANIZE = "{Author}/{Title} ({Year})";
HARDLINK_TORRENTS = "false"; HARDLINK_TORRENTS = "false";
FILE_ORGANIZATION_AUDIOBOOK = "organize"; FILE_ORGANIZATION_AUDIOBOOK = "organize";
TEMPLATE_RENAME_AUDIOBOOK = "{Author} - {Title}"; TEMPLATE_RENAME_AUDIOBOOK = "{Author} - {Title}";
TEMPLATE_ORGANIZE_AUDIOBOOK = "{Author}/{Title} ({Year})"; TEMPLATE_ORGANIZE_AUDIOBOOK = "{Author}/{Title} ({Year})";
HARDCOVER_ENABLED = "true"; HARDCOVER_ENABLED = "true";
HARDCOVER_DEFAULT_SORT = "relevance"; HARDCOVER_DEFAULT_SORT = "relevance";
OPENLIBRARY_ENABLED = "true"; OPENLIBRARY_ENABLED = "true";
OPENLIBRARY_DEFAULT_SORT = "relevance"; OPENLIBRARY_DEFAULT_SORT = "relevance";
DIRECT_DOWNLOAD_ENABLED = "true"; DIRECT_DOWNLOAD_ENABLED = "true";
USE_CF_BYPASS = "true"; USE_CF_BYPASS = "true";
AA_BASE_URL = "auto"; AA_BASE_URL = "auto";
AA_MIRROR_URLS = "https://annas-archive.gl,https://annas-archive.pk,https://annas-archive.gd,"; AA_MIRROR_URLS = "https://annas-archive.gl,https://annas-archive.pk,https://annas-archive.gd,";
LIBGEN_MIRROR_URLS = "https://libgen.li,https://libgen.vg,https://libgen.la,https://libgen.bz,https://libgen.gl"; LIBGEN_MIRROR_URLS = "https://libgen.li,https://libgen.vg,https://libgen.la,https://libgen.bz,https://libgen.gl";
ZLIB_MIRROR_URLS = "https://z-lib.sk,https://z-library.gs,https://z-lib.fm,https://z-lib.gd,https://z-lib.gl"; ZLIB_MIRROR_URLS = "https://z-lib.sk,https://z-library.gs,https://z-lib.fm,https://z-lib.gd,https://z-lib.gl";
# WELIB_MIRROR_URLS = "https://welib.org"; #avoid # WELIB_MIRROR_URLS = "https://welib.org"; #avoid
} // lib.optionalAttrs(containerCfg.subpath != null) { } // lib.optionalAttrs(containerCfg.subpath != null) {
BASE_PATH = "/${containerCfg.subpath}"; BASE_PATH = "/${containerCfg.subpath}";
URL_BASE = "/${containerCfg.subpath}"; URL_BASE = "/${containerCfg.subpath}";
} // lib.optionalAttrs(serverCfg.containers?calibre) { } // lib.optionalAttrs(serverCfg.containers?calibre) {
CALIBRE_WEB_URL = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}"; CALIBRE_WEB_URL = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
} // lib.optionalAttrs(serverCfg.containers?authentik) { } // lib.optionalAttrs(serverCfg.containers?authentik) {
AUTH_METHOD = "proxy"; AUTH_METHOD = "proxy";
PROXY_AUTH_USER_HEADER = "X-authentik-username"; PROXY_AUTH_USER_HEADER = "X-authentik-username";
PROXY_AUTH_ADMIN_GROUP_HEADER = "X-authentik-groups"; PROXY_AUTH_ADMIN_GROUP_HEADER = "X-authentik-groups";
PROXY_AUTH_ADMIN_GROUP_NAME = "admin"; PROXY_AUTH_ADMIN_GROUP_NAME = "admin";
} // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "prowlarr" serverCfg.containers.servarr.extra.modules) ({ } // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "prowlarr" serverCfg.containers.servarr.extra.modules) ({
PROWLARR_ENABLED = "true"; PROWLARR_ENABLED = "true";
PROWLARR_URL = "http://servarr-prowlarr:8989"; PROWLARR_URL = "http://servarr-prowlarr:8989";
} // lib.optionalAttrs(serverCfg.containers?transmission) { } // lib.optionalAttrs(serverCfg.containers?transmission) {
PROWLARR_TORRENT_CLIENT = "transmission"; PROWLARR_TORRENT_CLIENT = "transmission";
TRANSMISSION_URL = "http://transmission-server:9091"; TRANSMISSION_URL = "http://transmission-server:9091";
}) // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "flaresolverr" serverCfg.containers.servarr.extra.modules) { }) // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "flaresolverr" serverCfg.containers.servarr.extra.modules) {
USING_EXTERNAL_BYPASSER = "true"; USING_EXTERNAL_BYPASSER = "true";
EXT_BYPASSER_URL = "http://servarr-flaresolverr:8191"; EXT_BYPASSER_URL = "http://servarr-flaresolverr:8191";
EXT_BYPASSER_PATH = "/v1"; EXT_BYPASSER_PATH = "/v1";
EXT_BYPASSER_TIMEOUT = "60000"; EXT_BYPASSER_TIMEOUT = "60000";
};
overrides = {
volumes = [
"${serverCfg.path.dlComplete}:/books:rw"
"${serverCfg.path.books}:/output:rw"
"${serverCfg.path.config}/selfmark:/config:rw"
];
};
}; };
extraLabels = {
} // (if serverCfg.containers ? authentik then {
"traefik.http.routers.${routerName}.middlewares" = "authentik";
} else {});
overrides = {
volumes = [ ];
};
}; };
}; };
} }
+11 -17
View File
@@ -30,9 +30,10 @@ let
in in
assert containerCfg.subpath == null || throw "Error: Servarr does not support subpath."; assert containerCfg.subpath == null || throw "Error: Servarr does not support subpath.";
{ {
sops = true; requires.secrets = [ name ];
# db = [ "prowlarr" "sonarr" "radarr" ]; -> one db for each # db = [ "prowlarr" "sonarr" "radarr" ]; -> one db for each
runtime = {
paths = [ paths = [
{ path = "${serverCfg.dataPath}/media/"; mode = "0755"; } { path = "${serverCfg.dataPath}/media/"; mode = "0755"; }
{ path = "${serverCfg.configPath}/servarr/prowlarr"; mode = "0755"; } { path = "${serverCfg.configPath}/servarr/prowlarr"; mode = "0755"; }
@@ -44,6 +45,8 @@ in
containers = { containers = {
}// lib.optionalAttrs (builtins.elem "prowlarr" (containerCfg.extra.modules or defaultModules)) { }// lib.optionalAttrs (builtins.elem "prowlarr" (containerCfg.extra.modules or defaultModules)) {
prowlarr = builder.mkContainer { prowlarr = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain; subdomain = containerCfg.subdomain;
subpath = "prowlarr"; subpath = "prowlarr";
imageStream = images.prowlarr; imageStream = images.prowlarr;
@@ -58,17 +61,15 @@ in
}; };
extraOptions = [ extraOptions = [
"--user=0:0" "--user=0:0"
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
"--passwd-entry=root:x:0:0:root:/root:/bin/sh" "--passwd-entry=root:x:0:0:root:/root:/bin/sh"
]; ];
extraLabels = { } // (if serverCfg.containers ? authentik then {
"traefik.http.routers.${containerCfg.subdomain}-prowlarr.middlewares" = "authentik";
} else {});
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/prowlarr:/config" ]; overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/prowlarr:/config" ];
}; };
}// lib.optionalAttrs (builtins.elem "radarr" (containerCfg.extra.modules or defaultModules)) { }// lib.optionalAttrs (builtins.elem "radarr" (containerCfg.extra.modules or defaultModules)) {
radarr = builder.mkContainer { radarr = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain; subdomain = containerCfg.subdomain;
subpath = "radarr"; subpath = "radarr";
imageStream = images.radarr; imageStream = images.radarr;
@@ -83,17 +84,15 @@ in
}; };
extraOptions = [ extraOptions = [
"--user=0:0" "--user=0:0"
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
"--passwd-entry=root:x:0:0:root:/root:/bin/sh" "--passwd-entry=root:x:0:0:root:/root:/bin/sh"
]; ];
extraLabels = { } // (if serverCfg.containers ? authentik then {
"traefik.http.routers.${containerCfg.subdomain}-radarr.middlewares" = "authentik";
} else {});
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/radarr:/config" ]; overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/radarr:/config" ];
}; };
}// lib.optionalAttrs (builtins.elem "sonarr" (containerCfg.extra.modules or defaultModules)) { }// lib.optionalAttrs (builtins.elem "sonarr" (containerCfg.extra.modules or defaultModules)) {
sonarr = builder.mkContainer { sonarr = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain; subdomain = containerCfg.subdomain;
subpath = "sonarr"; subpath = "sonarr";
imageStream = images.sonarr; imageStream = images.sonarr;
@@ -108,17 +107,15 @@ in
}; };
extraOptions = [ extraOptions = [
"--user=0:0" "--user=0:0"
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
"--passwd-entry=root:x:0:0:root:/root:/bin/sh" "--passwd-entry=root:x:0:0:root:/root:/bin/sh"
]; ];
extraLabels = { } // (if serverCfg.containers ? authentik then {
"traefik.http.routers.${containerCfg.subdomain}-sonarr.middlewares" = "authentik";
} else {});
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/sonarr:/config" ]; overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/sonarr:/config" ];
}; };
}// lib.optionalAttrs (builtins.elem "lidarr" (containerCfg.extra.modules or defaultModules)) { }// lib.optionalAttrs (builtins.elem "lidarr" (containerCfg.extra.modules or defaultModules)) {
lidarr = builder.mkContainer { lidarr = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain; subdomain = containerCfg.subdomain;
subpath = "lidarr"; subpath = "lidarr";
imageStream = images.lidarr; imageStream = images.lidarr;
@@ -133,12 +130,8 @@ in
}; };
extraOptions = [ extraOptions = [
"--user=0:0" "--user=0:0"
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
"--passwd-entry=root:x:0:0:root:/root:/bin/sh" "--passwd-entry=root:x:0:0:root:/root:/bin/sh"
]; ];
extraLabels = { } // (if serverCfg.containers ? authentik then {
"traefik.http.routers.${containerCfg.subdomain}-lidarr.middlewares" = "authentik";
} else {});
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/lidarr:/config" ]; overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/lidarr:/config" ];
}; };
@@ -526,4 +519,5 @@ in
''; '';
}; };
};
} }
+41 -36
View File
@@ -3,46 +3,51 @@ let
version = "stable"; version = "stable";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
in { in {
sops = true; requires = {
db =true; secrets = [ name ];
containers = { databases = [ name ];
};
server = builder.mkContainer { runtime = {
subdomain = containerCfg.subdomain; containers = {
image = "ghcr.io/suwayomi/suwayomi-server:${version}"; server = builder.mkContainer {
port = 4567; subdomain = containerCfg.subdomain;
secret = name; image = "ghcr.io/suwayomi/suwayomi-server:${version}";
port = 4567;
secret = name;
extraEnv = { extraEnv = {
BIND_PORT = "4567"; BIND_PORT = "4567";
AUTH_MODE = "ui_login"; AUTH_MODE = "ui_login";
WEB_UI_ENABLED = "true"; WEB_UI_ENABLED = "true";
WEB_UI_FLAVOR = "WebUI"; WEB_UI_FLAVOR = "WebUI";
# AUTO_DOWNLOAD_CHAPTERS = true; # AUTO_DOWNLOAD_CHAPTERS = true;
# AUTO_DOWNLOAD_EXCLUDE_UNREAD = true; # AUTO_DOWNLOAD_EXCLUDE_UNREAD = true;
# AUTO_DOWNLOAD_NEW_CHAPTERS_LIMIT = 0; # AUTO_DOWNLOAD_NEW_CHAPTERS_LIMIT = 0;
# AUTO_DOWNLOAD_IGNORE_REUPLOADS = false; # AUTO_DOWNLOAD_IGNORE_REUPLOADS = false;
# DOWNLOAD_CONVERSIONS = {}; # DOWNLOAD_CONVERSIONS = {};
# SERVE_CONVERSIONS = {}; # SERVE_CONVERSIONS = {};
# MAX_SOURCES_IN_PARALLEL = 6; # MAX_SOURCES_IN_PARALLEL = 6;
# UPDATE_EXCLUDE_UNREAD = true; # UPDATE_EXCLUDE_UNREAD = true;
# UPDATE_EXCLUDE_STARTED = true; # UPDATE_EXCLUDE_STARTED = true;
# UPDATE_EXCLUDE_COMPLETED = true; # UPDATE_EXCLUDE_COMPLETED = true;
# UPDATE_INTERVAL = 12; #Hours # UPDATE_INTERVAL = 12; #Hours
# UPDATE_MANGA_INFO = false; # UPDATE_MANGA_INFO = false;
DATABASE_TYPE = "POSTGRESQL"; DATABASE_TYPE = "POSTGRESQL";
DATABASE_URL = "postgresql://${builder.host}/suwayomi_db"; DATABASE_URL = "postgresql://${builder.host}/suwayomi_db";
DATABASE_USERNAME = "suwayomi_user"; DATABASE_USERNAME = "suwayomi_user";
FLARESOLVERR_ENABLED = lib.boolToString (builtins.elem "flaresolverr" (((config.syscfg.server.containers.servarr or {}).extra or {}).modules or [])); FLARESOLVERR_ENABLED = lib.boolToString (builtins.elem "flaresolverr" (((config.syscfg.server.containers.servarr or {}).extra or {}).modules or []));
FLARESOLVERR_URL = "http://servarr-flaresolverr:8191"; FLARESOLVERR_URL = "http://servarr-flaresolverr:8191";
EXTENSION_REPOS = "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"; #https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json EXTENSION_REPOS = "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"; #https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json
}; };
overrides = { overrides = {
volumes = [ volumes = [
]; "${serverCfg.path.manga}:/home/suwayomi/.local/share/Tachidesk/downloads"
# "${serverCfg.path.config}/suwayomi:/home/suwayomi/.local/share/Tachidesk"
];
};
}; };
}; };
}; };
} }
+70 -68
View File
@@ -11,77 +11,79 @@ let
}; };
}; };
in { in {
sops = true; requires.secrets = [ name ];
paths = [{
path="${serverCfg.configPath}/traefik";
owner = "1000:1000";
mode = "0755";
}];
containers = { runtime = {
server = builder.mkContainer { paths = [{
imageStream = image; path="${serverCfg.path.config}/traefik";
subdomain = containerCfg.subdomain; owner = "1000:1000";
port = 8080; mode = "0755";
secret = name; }];
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
"traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else ""; containers = {
} // (if serverCfg.containers?authentik then { server = builder.mkContainer {
"traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760"; imageStream = image;
"traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"; subdomain = containerCfg.subdomain;
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true"; port = 8080;
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"; secret = name;
} else {}) // (if serverCfg.containers?umami then { extraLabels = {
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000"; "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin"; "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true"; "traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
} else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then { } // (if serverCfg.containers?authentik then {
"traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default"; "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}"; "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}"; "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
} else {}); "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
extraEnv = { }; } else {}) // (if serverCfg.containers?umami then {
overrides = { "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
cmd = [ "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
"--api" "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
"--log.level=INFO" "traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
"--providers.docker=true" } else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
"--global.checknewversion=false" "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
"--global.sendanonymoususage=false" "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
"--api.insecure=true" "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
"--api.dashboard=true" } else {});
"--providers.docker.exposedByDefault=false" extraEnv = { };
"--entrypoints.web.address=:80" overrides = {
"--entrypoints.web-secure.address=:443" cmd = [
"--entrypoints.web.http.redirections.entrypoint.to=web-secure" "--api"
"--entrypoints.web.http.redirections.entrypoint.scheme=https" "--log.level=INFO"
"--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s" "--providers.docker=true"
"--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16" "--global.checknewversion=false"
] ++ (if serverCfg.containers ? umami then [ "--global.sendanonymoususage=false"
"--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder" "--api.insecure=true"
"--experimental.plugins.umami-feeder.version=v1.4.1" "--api.dashboard=true"
"--entrypoints.web-secure.http.middlewares=umami-global@docker" "--providers.docker.exposedByDefault=false"
] else []) ++ (if containerCfg.extra ? provider then [ "--entrypoints.web.address=:80"
"--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}" "--entrypoints.web-secure.address=:443"
"--certificatesresolvers.default.acme.dnschallenge=true" "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
"--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}" "--entrypoints.web.http.redirections.entrypoint.scheme=https"
"--certificatesresolvers.default.acme.storage=/custom/acme.json" "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
] else []) ++ (if serverCfg.domain != "localhost" then [ "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
"--certificatesresolvers.default.acme.httpchallenge=false" ] ++ (if serverCfg.containers ? umami then [
"--certificatesresolvers.default.acme.tlschallenge=true" "--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
] else []); "--experimental.plugins.umami-feeder.version=v1.4.1"
ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []); "--entrypoints.web-secure.http.middlewares=umami-global@docker"
volumes = [ ] else []) ++ (if containerCfg.extra ? provider then [
"/var/run/podman/podman.sock:/var/run/docker.sock" "--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
# "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log" "--certificatesresolvers.default.acme.dnschallenge=true"
"${serverCfg.configPath}/traefik:/custom" "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
]; "--certificatesresolvers.default.acme.storage=/custom/acme.json"
] else []) ++ (if serverCfg.domain != "localhost" then [
"--certificatesresolvers.default.acme.httpchallenge=false"
"--certificatesresolvers.default.acme.tlschallenge=true"
] else []);
ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
volumes = [
"/var/run/podman/podman.sock:/var/run/docker.sock"
# "${serverCfg.path.config}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.path.config}/traefik:/custom"
];
};
}; };
}; };
}; };
} }
+36 -50
View File
@@ -13,61 +13,47 @@ let
}; };
}; };
}; };
routerName = if containerCfg.subpath != null
then "${containerCfg.subdomain}-${lib.strings.sanitizeDerivationName containerCfg.subpath}"
else containerCfg.subdomain;
in { in {
paths = [{ runtime = {
path = "${serverCfg.dataPath}/transmission/complete"; paths = [{
owner = "1000:1000"; path = "${serverCfg.path.config}/transmission";
mode = "0755"; owner = "1000:1000";
}{ mode = "0755";
path = "${serverCfg.dataPath}/transmission/incomplete"; }];
owner = "1000:1000";
mode = "0755";
}{
path = "${serverCfg.configPath}/transmission/config";
owner = "1000:1000";
mode = "0755";
}];
containers = { containers = {
server = builder.mkContainer { server = builder.mkContainer {
subdomain = containerCfg.subdomain; authentik = true;
subpath = containerCfg.subpath; subdomain = containerCfg.subdomain;
imageStream = image; subpath = containerCfg.subpath;
port = 9091; imageStream = image;
port = 9091;
extraEnv = { extraEnv = {
PUID = "1000"; PUID = "1000";
PGID = "1000"; PGID = "1000";
WHITELIST = "";# 127.0.0.1,::1,10.*"; WHITELIST = "";# 127.0.0.1,::1,10.*";
# HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker"; # HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker";
}; };
extraLabels = {
} // (if serverCfg.containers ? authentik then {
"traefik.http.routers.${routerName}.middlewares" = "authentik";
} else {});
overrides = { overrides = {
cmd = [ ]; volumes = [
volumes = [ "${serverCfg.path.dlComplete}:/downloads/complete"
"${serverCfg.dataPath}/transmission/complete:/downloads/complete" "${serverCfg.path.dlIncomplete}:/downloads/incomplete"
"${serverCfg.dataPath}/transmission/incomplete:/downloads/incomplete" "${serverCfg.path.config}/transmission:/config"
"${serverCfg.configPath}/transmission/config:/config" ];
]; };
}; };
}; };
setup = {
trigger = "server";
envFile = [ config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.path.config}/transmission/config/settings.json"
'';
};
}; };
setup = {
trigger = "server";
envFile = [ config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.configPath}/transmission/config/settings.json"
'';
};
} }
+34 -34
View File
@@ -15,40 +15,40 @@ let
}; };
}; };
in { in {
sops = true; requires = {
db = true; secrets = [ name ];
paths = [{ databases = [ name ];
path = "${serverCfg.configPath}/umami/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "${pkgs.umami.name}:${pkgs.umami.version}";
imageStream = image;
port = 3000;
secret = name;
extraEnv = {
PORT = "3000";
# HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
DATABASE_TYPE = "postgresql";
REDIS_URL = "redis://${builder.host}";
CLIENT_IP_HEADER = "X-Forwarded-For";
BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
# DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
};
extraLabels = { } // ( if serverCfg.containers?authentik then {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
} else {});
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
cmd = [ "start" ]; # Specific command for the umami binary
};
};
}; };
runtime = {
paths = [{
path = "${serverCfg.path.config}/umami/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain;
image = "${pkgs.umami.name}:${pkgs.umami.version}";
imageStream = image;
port = 3000;
secret = name;
extraEnv = {
PORT = "3000";
# HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
DATABASE_TYPE = "postgresql";
REDIS_URL = "redis://${builder.host}";
CLIENT_IP_HEADER = "X-Forwarded-For";
BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
# DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
};
overrides = {
cmd = [ "start" ]; # Specific command for the umami binary
};
};
};
};
} }
+49 -5
View File
@@ -1,16 +1,32 @@
{ config, lib, pkgs, serverCfg }: { config, lib, pkgs, serverCfg }:
let let
mkRouterName = { subdomain, subpath ? null }:
if subpath != null
then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
else subdomain;
getOr = attrs: path: default: lib.attrByPath path default attrs;
mkTmpfsOption = size: "--tmpfs=/tmp:rw,noexec,nosuid,size=${size}";
mkAuthentikLabels =
{ subdomain
, subpath ? null
, routerName ? mkRouterName { inherit subdomain subpath; }
, middleware ? "authentik"
}:
lib.optionalAttrs (serverCfg.containers ? authentik) {
"traefik.http.routers.${routerName}.middlewares" = middleware;
};
contBuilder = contBuilder =
{ image ? null, imageStream ? null, imageFile ? null { image ? null, imageStream ? null, imageFile ? null
, secret ? null , secret ? null
, subdomain ? null, subpath?null, port ? null , subdomain ? null, subpath?null, port ? null
, authentik ? false
, tmpfs ? false
, tmpfsSize ? "512m"
, extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ] , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
, overrides ? { } , overrides ? { }
}: }:
let let
routerName = if subpath != null routerName = mkRouterName { inherit subdomain subpath; };
then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
else subdomain;
base = { base = {
image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}" image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}"
else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image; else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
@@ -33,11 +49,15 @@ let
"traefik.http.services.${routerName}.loadbalancer.server.port" = toString port; "traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
}) else { }) else {
"traefik.enable" = "false"; "traefik.enable" = "false";
}) // extraLabels; })
// lib.optionalAttrs authentik (mkAuthentikLabels { inherit subdomain subpath routerName; })
// extraLabels;
extraOptions = [ extraOptions = [
"--add-host=host.containers.internal:host-gateway" "--add-host=host.containers.internal:host-gateway"
] ++ extraOptions; ]
++ lib.optional tmpfs (mkTmpfsOption tmpfsSize)
++ extraOptions;
}; };
in lib.recursiveUpdate base overrides; in lib.recursiveUpdate base overrides;
vmBuilder = { name, vm }: ((import "${pkgs.path}/nixos/lib/eval-config.nix" { vmBuilder = { name, vm }: ((import "${pkgs.path}/nixos/lib/eval-config.nix" {
@@ -69,6 +89,30 @@ let
in { in {
mkContainer = contBuilder; mkContainer = contBuilder;
mkVm = vmBuilder; mkVm = vmBuilder;
mkApp = name: app:
{
inherit name;
requires = {
secrets = getOr app [ "requires" "secrets" ] [ ];
databases = getOr app [ "requires" "databases" ] [ ];
};
exports = {
authentik = {
blueprints = getOr app [ "exports" "authentik" "blueprints" ] [ ];
};
};
runtime = {
paths = getOr app [ "runtime" "paths" ] [ ];
containers = getOr app [ "runtime" "containers" ] { };
vm = getOr app [ "runtime" "vm" ] null;
cron = getOr app [ "runtime" "cron" ] [ ];
setup = {
trigger = "";
script = null;
envFile = [ ];
} // getOr app [ "runtime" "setup" ] { };
};
};
mkData = { name, dir, vars?{} }: pkgs.runCommand name vars '' mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
mkdir -p $out mkdir -p $out
cp -r ${./data + "/${dir}"}/. $out/ cp -r ${./data + "/${dir}"}/. $out/
+41 -38
View File
@@ -2,43 +2,48 @@
let let
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
builder = import ./builder.nix { inherit config lib pkgs serverCfg; }; builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
loadApp = name: containerCfg:
in{ builder.mkApp name ((import (./apps + "/${name}.nix")) {
config = lib.mkMerge [{ inherit config pkgs lib containerCfg builder name;
syscfg.server.loadedContainers = lib.mapAttrs (name: containerCfg: });
(import (./apps + "/${name}.nix")) { inherit config pkgs lib containerCfg builder name; } loadedContainers = lib.mapAttrs loadApp serverCfg.containers;
) config.syscfg.server.containers; appsList = builtins.attrValues loadedContainers;
} (lib.mkIf ( serverCfg.containers != {} ) ( concatRuntimeLists = field: lib.concatMap (app: app.runtime.${field}) appsList;
mkNamedUnits = mkUnit: items: lib.listToAttrs (map mkUnit items);
mergedContainers = lib.concatMapAttrs (appName: app:
lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.runtime.containers
) loadedContainers;
allPathConfigs = map (path: {
inherit path;
mode = "0755";
}) (lib.unique (builtins.attrValues serverCfg.path)) ++ concatRuntimeLists "paths";
allSetupConfigs = map (app: ({ name = app.name; envFile = ""; } // app.runtime.setup)) appsList;
allCronsConfigs = concatRuntimeLists "cron";
allVMConfigs = builtins.filter (app: app.runtime.vm != null) appsList;
mkPathSetup = cfg:
let let
appsList = builtins.attrValues config.syscfg.server.loadedContainers; effectiveCfg = {
mergedContainers = lib.concatMapAttrs (appName: app: owner = "root:root";
lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.containers mode = "0400";
) config.syscfg.server.loadedContainers; dirs = [];
allPathConfigs = lib.concatMap (app: app.paths) appsList; } // cfg;
allSetupConfigs = lib.concatMap (app: if app.setup?script then [({name = app.name; envFile="";} // app.setup)] else []) appsList; in ''
allCronsConfigs = lib.concatMap (app: app.cron) appsList; ${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
allVMConfigs = builtins.filter (app: app.vm != null) appsList; ${lib.concatMapStringsSep "\n" (dir: "${pkgs.coreutils}/bin/mkdir -p ${effectiveCfg.path}/${lib.escapeShellArg dir}") effectiveCfg.dirs}
in{ ${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
'';
in {
config = lib.mkMerge [{
syscfg.server.loadedContainers = loadedContainers;
} (lib.mkIf (loadedContainers != {}) {
virtualisation.oci-containers = { virtualisation.oci-containers = {
backend = "podman"; backend = "podman";
containers = mergedContainers; containers = mergedContainers;
}; };
system.activationScripts.container-setup-dirs = { system.activationScripts.container-setup-dirs = {
deps = [ "users" "groups" ]; deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map (cfg: text = lib.concatStringsSep "\n" (map mkPathSetup allPathConfigs);
let
effectiveCfg = {
owner = "root:root";
mode = "0400";
dirs = [];
} // cfg;
in ''
${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
${lib.concatMapStringsSep "\n" (dir: "${pkgs.coreutils}/bin/mkdir -p ${effectiveCfg.path}/${lib.escapeShellArg dir}") effectiveCfg.dirs}
${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
'') allPathConfigs);
}; };
systemd.services = { systemd.services = {
@@ -52,7 +57,7 @@ in{
startAt = "weekly"; startAt = "weekly";
}; };
} }
// lib.listToAttrs (lib.concatMap (e: [{ // mkNamedUnits (e: {
name = "${e.name}-vm"; name = "${e.name}-vm";
value = { value = {
description = "Isolated NixOS Guest VM for ${e.name}"; description = "Isolated NixOS Guest VM for ${e.name}";
@@ -69,12 +74,12 @@ in{
RestartSec = "10s"; RestartSec = "10s";
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /media/data/kvm"; ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /media/data/kvm";
ExecStart = '' ExecStart = ''
${builder.mkVm { name = e.name; vm = e.vm; }}/bin/run-${e.name}-vm -nographic ${builder.mkVm { name = e.name; vm = e.runtime.vm; }}/bin/run-${e.name}-vm -nographic
''; '';
}; };
}; };
}]) allVMConfigs) }) allVMConfigs
// lib.listToAttrs (lib.concatMap (e: [{ // mkNamedUnits (e: {
name = "${e.name}-setup"; name = "${e.name}-setup";
value = { value = {
description = "Run ${e.name} setup"; description = "Run ${e.name} setup";
@@ -90,13 +95,11 @@ in{
User = "root"; User = "root";
}; };
}; };
}]) allSetupConfigs ); }) allSetupConfigs;
services.cron = { services.cron = {
enable = true; enable = true;
systemCronJobs = allCronsConfigs; systemCronJobs = allCronsConfigs;
}; };
})];
}))];
} }
+4 -3
View File
@@ -3,7 +3,7 @@
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.db) config.syscfg.server.loadedContainers); containerNames = lib.concatMap (app: app.requires.databases) (builtins.attrValues config.syscfg.server.loadedContainers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in { in {
config = lib.mkIf ( builtins.length allApps > 0) { config = lib.mkIf ( builtins.length allApps > 0) {
@@ -47,9 +47,10 @@ in {
environment = { environment = {
INFLUXDB3_NODE_IDENTIFIER_PREFIX = "node0"; INFLUXDB3_NODE_IDENTIFIER_PREFIX = "node0";
INFLUXDB3_OBJECT_STORE = "file"; INFLUXDB3_OBJECT_STORE = "file";
INFLUXDB3_DATA_DIR = "${config.syscfg.server.dataPath}/influxdb"; INFLUXDB3_DATA_DIR = "${config.syscfg.server.path.data}/influxdb";
INFLUXDB3_DB_DIR = "${config.syscfg.server.dataPath}/influxdb"; INFLUXDB3_DB_DIR = "${config.syscfg.server.path.data}/influxdb";
INFLUXDB3_ENABLE_INTERNAL_DB = "true"; INFLUXDB3_ENABLE_INTERNAL_DB = "true";
INFLUXDB3_AUTH_TOKEN = "b27686e85a883437666f61586e084f7deb763958497739479ca48bc913ee90afd1a920332156133c89fb8674cb197ced17706074e6a42fc7ce6b2d54ac6119c9";
INFLUXDB3_INITIAL_ADMIN_TOKEN = "b27686e85a883437666f61586e084f7deb763958497739479ca48bc913ee90afd1a920332156133c89fb8674cb197ced17706074e6a42fc7ce6b2d54ac6119c9"; INFLUXDB3_INITIAL_ADMIN_TOKEN = "b27686e85a883437666f61586e084f7deb763958497739479ca48bc913ee90afd1a920332156133c89fb8674cb197ced17706074e6a42fc7ce6b2d54ac6119c9";
}; };
serviceConfig = { serviceConfig = {
+1 -1
View File
@@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.sops) config.syscfg.server.loadedContainers); containerNames = lib.concatMap (app: app.requires.secrets) (builtins.attrValues config.syscfg.server.loadedContainers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in{ in{
sops.secrets = { sops.secrets = {
+60 -18
View File
@@ -3,16 +3,32 @@ let
in with lib; { in with lib; {
domain = mkOption { type = types.str; }; domain = mkOption { type = types.str; };
mailDomain = mkOption { type = types.str; }; mail = {
mailServer = mkOption { type = types.str; }; domain = mkOption { type = types.str; default = null;};
server = mkOption { type = types.str; default = null;};
configPath = mkOption {
type = types.str;
default = "/media/config";
}; };
dataPath = mkOption {
type = types.str; path = mkOption {
default = "/media/data"; type = types.submodule {
freeformType = types.attrsOf types.str;
options = {
config = mkOption { type = types.str; default = "/media/config"; };
data = mkOption { type = types.str; default = "/media/data"; };
download = mkOption { type = types.str; default = "/media/data/download"; };
cloud = mkOption { type = types.str; default ="/media/media/cloud"; };
film = mkOption { type = types.str; default ="/media/media/film"; };
book = mkOption { type = types.str; default ="/media/media/book"; };
manga = mkOption { type = types.str; default ="/media/media/manga"; };
photo = mkOption { type = types.str; default ="/media/media/photo"; };
# music = mkOption { type = types.str; default ="/media/media/music"; };
dlComplete = mkOption { type = types.str; default ="/media/download/complete"; };
dlIncomplete = mkOption { type = types.str; default ="/media/download/incomplete"; };
dlConverted = mkOption { type = types.str; default ="/media/download/converted"; };
};
};
default = {};
}; };
colorScheme = mkOption { colorScheme = mkOption {
@@ -24,18 +40,44 @@ in with lib; {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = { options = {
name = lib.mkOption {type = lib.types.str; default = name;}; name = lib.mkOption {type = lib.types.str; default = name;};
sops = lib.mkOption {type = lib.types.bool; default = false;}; requires = {
db = lib.mkOption {type = lib.types.bool; default = false;}; secrets = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
databases = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
paths = lib.mkOption {type = lib.types.listOf lib.types.attrs; default = [ ];}; exports = {
containers = lib.mkOption {type = lib.types.attrsOf lib.types.attrs; default = { };}; authentik = {
vm = lib.mkOption {type = lib.types.nullOr lib.types.attrs; default = null;}; blueprints = lib.mkOption {
cron = lib.mkOption {type = lib.types.listOf lib.types.str; default = [ ];}; type = lib.types.listOf lib.types.str;
default = [ ];
};
};
};
setup = { runtime = {
trigger = lib.mkOption {type = lib.types.str; default = "";}; paths = lib.mkOption {type = lib.types.listOf lib.types.attrs; default = [ ];};
script = lib.mkOption {type = lib.types.nullOr lib.types.package; default = null;}; containers = lib.mkOption {type = lib.types.attrsOf lib.types.attrs; default = { };};
envFile = lib.mkOption {type = with lib.types; coercedTo str (x: [x]) (listOf str); default = [];}; vm = lib.mkOption {type = lib.types.nullOr lib.types.attrs; default = null;};
cron = lib.mkOption {type = lib.types.listOf lib.types.str; default = [ ];};
setup = lib.mkOption {
type = lib.types.submodule {
options = {
trigger = lib.mkOption {type = lib.types.str; default = "";};
script = lib.mkOption {type = lib.types.nullOr lib.types.package; default = null;};
envFile = lib.mkOption {
type = with lib.types; coercedTo str (x: [x]) (listOf str);
default = [ ];
};
};
};
default = { };
};
}; };
}; };
})); }));
-2
View File
@@ -27,8 +27,6 @@
# user = ... # user = ...
# ... # ...
# }; # };
mailDomain = "test@helcel";
mailServer = "infomaniak.ch";
containers = { containers = {
# ===== BASE ===== # ===== BASE =====