sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

Compare commits

base: sora:dev
Branches Tags
sora:main sora:dev
..
compare: sora:c7bec63eaaa9f740ac8887dff788b43f877b17c8
Branches Tags
sora:dev sora:main

6 Commits
dev ... c7bec63eaa

Author SHA1 Message Date
bot
c7bec63eaa Merge pull request 'Lock file maintenance' (#275) from renovate/lock-file-maintenance into main 2026-05-16 04:04:49 +02:00
Renovate Bot
e9c0a2827a Lock file maintenance 2026-05-16 02:04:47 +00:00
bot
7b620b260c Merge pull request 'Lock file maintenance' (#274) from renovate/lock-file-maintenance into main 2026-05-10 04:06:54 +02:00
Renovate Bot
1f8df0ca67 Lock file maintenance 2026-05-10 02:06:42 +00:00
bot
317b4fdbfa Merge pull request 'Lock file maintenance' (#273) from renovate/lock-file-maintenance into main 2026-05-09 04:04:40 +02:00
Renovate Bot
dea9bca8f3 Lock file maintenance 2026-05-09 02:04:36 +00:00
139 changed files with 1152 additions and 6209 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,4 +2,3 @@ result
age-key.txt age-key.txt
.decrypted~common.yaml .decrypted~common.yaml
.decrypted* .decrypted*
.tmp

27
.sops.yaml
View File

@@ -13,6 +13,31 @@ keys:
- &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3 - &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
creation_rules: creation_rules:
- path_regex: modules/shared/sops/private/iriy.[a-z]+
key_groups:
- age:
- *iriy
pgp:
- *sora
- path_regex: modules/shared/sops/private/avalon.[a-z]+
key_groups:
- age:
- *avalon
pgp:
- *sora
- path_regex: modules/shared/sops/private/valinor.[a-z]+
key_groups:
- age:
- *valinor
pgp:
- *sora
- path_regex: modules/shared/sops/private/asgard.[a-z]+
key_groups:
- age:
- *asgard
pgp:
- *sora
- path_regex: modules/shared/sops/common.[a-z]+ - path_regex: modules/shared/sops/common.[a-z]+
key_groups: key_groups:
- age: - age:
@@ -29,8 +54,6 @@ creation_rules:
- age: - age:
- *ci - *ci
- *sandbox - *sandbox
pgp:
- *sora
- path_regex: modules/server/sops/server.[a-z]+ - path_regex: modules/server/sops/server.[a-z]+
key_groups: key_groups:

207
flake.lock generated
View File

@@ -1,5 +1,27 @@
{ {
"nodes": { "nodes": {
"arion": {
"inputs": {
"flake-parts": "flake-parts",
"haskell-flake": "haskell-flake",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1770259557,
"narHash": "sha256-EvZ09k9+mzXAngPzU2K7oLLUDlKoT1numb4bDb3Gtl4=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "9b24cf65c72cb0e9616e437d55e1ac8e5c6bc715",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "arion",
"type": "github"
}
},
"base16-schemes": { "base16-schemes": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -23,11 +45,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1779036909, "lastModified": 1777780666,
"narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=", "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "56c666e108467d87d13508936aade6d567f2a501", "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -37,23 +59,28 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": { "flake-parts": {
"flake": false, "inputs": {
"nixpkgs-lib": [
"arion",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1767039857, "lastModified": 1769996383,
"narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
"owner": "edolstra", "owner": "hercules-ci",
"repo": "flake-compat", "repo": "flake-parts",
"rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "edolstra", "owner": "hercules-ci",
"repo": "flake-compat", "repo": "flake-parts",
"type": "github" "type": "github"
} }
}, },
"flake-parts": { "flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nur", "nur",
@@ -74,39 +101,34 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": { "hardware": {
"inputs": {
"systems": "systems"
},
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1778593042,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-xYGrSg6354UK2K4WSQd4+TfyvfqmvFbSY+ZtGQUXK0c=",
"owner": "numtide", "owner": "nixos",
"repo": "flake-utils", "repo": "nixos-hardware",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "9bd7c80d43e258aaa607d83b43661df11444d808",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "numtide", "owner": "nixos",
"repo": "flake-utils", "repo": "nixos-hardware",
"type": "github" "type": "github"
} }
}, },
"hardware": { "haskell-flake": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": { "locked": {
"lastModified": 1780065812, "lastModified": 1675296942,
"narHash": "sha256-SCSLUKBmwlSLGQ8Xbr8PjRFtiHNk0l9ktqkcmqdBkfE=", "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
"owner": "nixos", "owner": "srid",
"repo": "nixos-hardware", "repo": "haskell-flake",
"rev": "b76b5639c0593e0aeb0b5879ad62d4b30596c144", "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "srid",
"repo": "nixos-hardware", "ref": "0.1.0",
"repo": "haskell-flake",
"type": "github" "type": "github"
} }
}, },
@@ -117,16 +139,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1779726825, "lastModified": 1778606796,
"narHash": "sha256-RUkMrREjKDQrA+dA9+xZviGAxM5W1aVdyOr/bSYpHrE=", "narHash": "sha256-P2krpSkFVYJ89bgsnAZ9RtQiGwiTW77sfSJp9SEDscM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "b179bde238977f7d4454fc770b1a727eaf55111c", "rev": "e1fd7350f4410972bcb8c42a697d8c924ffe642a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-26.05", "ref": "release-25.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@@ -152,11 +174,11 @@
}, },
"nixUnstable": { "nixUnstable": {
"locked": { "locked": {
"lastModified": 1780030872, "lastModified": 1778794387,
"narHash": "sha256-u6WU/yd/o8iYQrHX3RAwO1hYa3LkoSL+WNQD0rJfJZQ=", "narHash": "sha256-BL04pOS9453Awkeb9f90XBJXBSkWxN+vB7HIgnL0iMM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e9a7635a57597d9754eccebdfc7045e6c8600e6b", "rev": "8a1b0127302ea51e05bf4ea5a291743fac442406",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -166,38 +188,20 @@
"type": "github" "type": "github"
} }
}, },
"nixos-wsl": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1780169171,
"narHash": "sha256-3HBYDfBgZ+ph52HS6Ks/bMMwuh2uONIT72sZ1CtLE/s=",
"owner": "nix-community",
"repo": "nixos-wsl",
"rev": "998b2821c30b2938637230916904ceb8757c79e8",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-wsl",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1767892417, "lastModified": 1778737229,
"narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=", "narHash": "sha256-6xWoytx8jFW4PF1GjRm/i/53trbpKGfz6zjzQGBr4cI=",
"rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba", "owner": "nixos",
"type": "tarball", "repo": "nixpkgs",
"url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz" "rev": "d7a713c0b7e47c908258e71cba7a2d77cc8d71d5",
"type": "github"
}, },
"original": { "original": {
"type": "tarball", "owner": "nixos",
"url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" "ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
@@ -217,33 +221,31 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1780203844, "lastModified": 1778443072,
"narHash": "sha256-K5sT4jTpGs15ADhviMKNBH38REpPf5Q6mM1+N6cArVE=", "narHash": "sha256-zi7/fsqM/kFdNuED//4WOCUtezGtKKqRNORjMvfwjnA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b51242d7d43689db2f3be91bd05d5b24fbb469c4", "rev": "da5ad661ba4e5ef59ba743f0d112cbc30e474f32",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-26.05", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nur": { "nur": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"nixpkgs": [ "nixpkgs": "nixpkgs_2"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1780265777, "lastModified": 1778893947,
"narHash": "sha256-t/KORFHEv8Jn2vFmVfv4Zffekv+MUogI2KgtxuCcEmQ=", "narHash": "sha256-AcLdfsfMKuVnvXv4bqedRXV3fMBDuysuTe1B2KWPKzg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nur", "repo": "nur",
"rev": "39917b7f68263188707925ffe26c9df6ef4e7d64", "rev": "f535d7067e34bb74d20606a0c36180fc49b40b5b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -254,16 +256,15 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"arion": "arion",
"darwin": "darwin", "darwin": "darwin",
"hardware": "hardware", "hardware": "hardware",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-colors": "nix-colors", "nix-colors": "nix-colors",
"nixUnstable": "nixUnstable", "nixUnstable": "nixUnstable",
"nixos-wsl": "nixos-wsl", "nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix", "sops-nix": "sops-nix"
"vscode-server": "vscode-server"
} }
}, },
"sops-nix": { "sops-nix": {
@@ -285,42 +286,6 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"vscode-server": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1770124655,
"narHash": "sha256-yHmd2B13EtBUPLJ+x0EaBwNkQr9LTne1arLVxT6hSnY=",
"owner": "nix-community",
"repo": "nixos-vscode-server",
"rev": "92ce71c3ba5a94f854e02d57b14af4997ab54ef0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-vscode-server",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

56
flake.nix
View File

@@ -3,15 +3,12 @@
inputs = { inputs = {
# Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable" # Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable"
nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-26.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
hardware.url = "github:nixos/nixos-hardware"; hardware.url = "github:nixos/nixos-hardware";
nur = { nur.url = "github:nix-community/nur";
url = "github:nix-community/nur";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-26.05"; url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
@@ -20,45 +17,40 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# hyprland = {
# url = "github:hyprwm/Hyprland";
# inputs.nixpkgs.follows = "nixpkgs";
# };
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-colors.url = "github:misterio77/nix-colors"; nix-colors.url = "github:misterio77/nix-colors";
nixos-wsl = {
url = "github:nix-community/nixos-wsl";
inputs.nixpkgs.follows = "nixpkgs";
};
vscode-server = { arion.url = "github:hercules-ci/arion";
url = "github:nix-community/nixos-vscode-server"; arion.inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = inputs: outputs = inputs:
let let gen = import ./generator.nix { inherit inputs; };
lib = inputs.nixpkgs.lib;
gen = import ./generator.nix { inherit inputs; };
systemsDir = ./systems;
systemNames = lib.attrNames (lib.filterAttrs
(name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix"))
(builtins.readDir systemsDir));
hostsByType = systemType:
lib.filter
(host: (import (systemsDir + "/${host}/cfg.nix")).syscfg.type == systemType)
systemNames;
generateHosts = systemType:
builtins.listToAttrs (map
(host: lib.nameValuePair host (gen.generate { inherit host; }))
(hostsByType systemType));
in { in {
devShells = import ./shells { inherit inputs; }; devShells = import ./shells { inherit inputs; };
nixosConfigurations = generateHosts "nixos"; nixosConfigurations = {
darwinConfigurations = generateHosts "macos"; valinor = gen.generate { host = "valinor"; };
homeConfigurations = generateHosts "home"; iriy = gen.generate { host = "iriy"; };
efir = gen.generate { host = "efir"; };
avalon = gen.generate { host = "avalon"; };
ci = gen.generate { host = "ci"; };
sandbox = gen.generate { host = "sandbox"; };
gateway = gen.generate { host = "gateway"; };
};
darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
homeConfigurations = {
yomi = gen.generate { host = "example"; };
example = gen.generate { host = "example"; };
};
}; };
# ===== Unsupported/NotImplemented ====== # ===== Unsupported/NotImplemented ======

10
generator.nix
View File

@@ -5,7 +5,7 @@
nameValuePair = name: value: { inherit name value; }; nameValuePair = name: value: { inherit name value; };
in ({ in ({
"nixos" = inputs.nixpkgs.lib.nixosSystem { "nixos" = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = syscfg.syscfg.system;
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
modules = [ modules = [
./modules/shared/syscfg ./modules/shared/syscfg
@@ -13,12 +13,9 @@
./modules/nixos ./modules/nixos
syscfg syscfg
./systems/${host} ./systems/${host}
inputs.arion.nixosModules.arion
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.nixos-wsl.nixosModules.wsl
inputs.vscode-server.nixosModules.default
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@@ -32,6 +29,7 @@
syscfg syscfg
{ usercfg = userConfig; } { usercfg = userConfig; }
inputs.nix-colors.homeManagerModule inputs.nix-colors.homeManagerModule
# inputs.hyprland.homeManagerModules.default
inputs.sops-nix.homeManagerModules.sops inputs.sops-nix.homeManagerModules.sops
]; ];
}) syscfg.syscfg.users); }) syscfg.syscfg.users);
@@ -40,7 +38,7 @@
}; };
"macos" = inputs.darwin.lib.darwinSystem { "macos" = inputs.darwin.lib.darwinSystem {
system = "x86_64-darwin"; system = syscfg.system;
modules = [ modules = [
./modules/shared/syscfg ./modules/shared/syscfg
./modules/shared/sops ./modules/shared/sops

2
modules/home/base/default.nix
View File

@@ -8,7 +8,7 @@
username = "${config.usercfg.username}"; username = "${config.usercfg.username}";
homeDirectory = "/home/${config.usercfg.username}"; homeDirectory = "/home/${config.usercfg.username}";
stateVersion = "26.05"; stateVersion = "24.11";
}; };

147
modules/home/cli/neofetch/config.jsonc
View File

@@ -1,147 +0,0 @@
{
"$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
"logo": {
"type": "builtin", // Logo type: auto, builtin, small, file, etc.
// "source": "arch",
"width": 10,
"height": 10,
"padding": {
"top": 3,
"left": 2,
"right": 2
},
"color": {
"1": "blue",
"2": "white",
"3": "cyan"
}
},
"display": { /* Display settings */},
"modules": [
"break",
{
"type": "custom",
"format": "\u001b[90m┌──────────────────────Hardware──────────────────────┐"
},
{
"type": "host",
"key": "󰌢 PC",
"keyColor": "green",
"format": "{2}"
},
{
"type": "cpu",
"key": "│ ├󱛠 ",
"keyColor": "green",
"format": "{1} | {4} @{6}"
},
{
"type": "gpu",
"key": "│ ├󰍹 ",
"keyColor": "green",
"format": "{2} | {7}"
},
{
"type": "memory",
"key": "│ ├󰑭 ",
"keyColor": "green",
"format": "{2}"
},
// {
// "type": "disk",
// "key": "└ └󰋊 ",
// "keyColor": "green"
// },
{
"type": "custom",
"format": "\u001b[90m└────────────────────────────────────────────────────┘"
},
"break",
{
"type": "custom",
"format": "\u001b[90m┌──────────────────────Software──────────────────────┐"
},
{
"type": "os",
"key": " OS",
"keyColor": "yellow",
"format": " {2} {8}"
},
{
"type": "kernel",
"key": "│ ├󰌽 ",
"keyColor": "yellow",
"format": "{1} {2}"
},
{
"type": "bios",
"key": "│ ├󰖡 ",
"keyColor": "yellow"
},
{
"type": "packages",
"key": "│ ├󰏗 ",
"keyColor": "yellow"
},
{
"type": "de",
"key": "󰧨 DE",
"keyColor": "blue",
"format": "{2} | {3}"
},
{
"type": "lm",
"key": "│ ├󰍁 ",
"keyColor": "blue",
"format": "{1} {2} {3}"
},
{
"type": "wm",
"key": "│ ├󱂬 ",
"keyColor": "blue",
"format": "{2} {5}"
},
{
"type": "custom",
"format": "\u001b[90m└────────────────────────────────────────────────────┘"
},
"break",
{
"type": "custom",
"format": "\u001b[90m┌──────────────────────Age───────────────────────────┐"
},
{
"type": "command",
"key": " OS Age ",
"keyColor": "magenta",
"text": "birth_install=$(stat -c %W /); current=$(date +%s); time_progression=$((current - birth_install)); days_difference=$((time_progression / 86400)); echo $days_difference days"
},
{
"type": "command",
"key": " Update ",
"keyColor": "magenta",
"text": "nixos-rebuild list-generations | awk '$NF == \"True\" {print $2, $3}' | xargs -I {} date -d \"{}\" +\"%s\" | awk '{diff=systime()-$1; printf \"%d days, %d hours, %d mins\\n\", diff/86400, (diff%86400)/3600, (diff%3600)/60}'"
},
{
"type": "uptime",
"key": " Uptime ",
"keyColor": "magenta"
},
{
"type": "custom",
"format": "\u001b[90m└────────────────────────────────────────────────────┘"
},
{
"type": "colors",
"paddingLeft": 2,
"block": {
"width": 3,
"range": [
0,
15
]
} //,
//"symbol": "circle"
},
]
}

3
modules/home/cli/neofetch/default.nix
View File

@@ -1,5 +1,4 @@
{ pkgs, config, ... }: { { pkgs, config, ... }: {
home.packages = with pkgs; [ fastfetch ]; home.packages = with pkgs; [ neofetch ];
xdg.configFile."neofetch/config.conf".source = ./config.conf; xdg.configFile."neofetch/config.conf".source = ./config.conf;
xdg.configFile."fastfetch/config.jsonc".source = ./config.jsonc;
} }

8
modules/home/gui/base/default.nix
View File

@@ -4,10 +4,10 @@
services.nextcloud-client.enable = true; services.nextcloud-client.enable = true;
home.packages = with pkgs; [ home.packages = with pkgs; [
thunar xfce.thunar
thunar-volman xfce.thunar-volman
thunar-archive-plugin xfce.thunar-archive-plugin
tumbler xfce.tumbler
telegram-desktop telegram-desktop
discord-canary discord-canary

6
modules/home/gui/theme/default.nix
View File

@@ -1,5 +1,6 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
colorVariant = " black";
gtkThemeFromScheme = import ./gtk-theme-gen.nix { inherit pkgs config; }; gtkThemeFromScheme = import ./gtk-theme-gen.nix { inherit pkgs config; };
wallpaperGen = import ./wallpaper-gen.nix { inherit pkgs config; }; wallpaperGen = import ./wallpaper-gen.nix { inherit pkgs config; };
in { in {
@@ -19,7 +20,6 @@ in {
name = "${config.colorscheme.slug}-Dark"; name = "${config.colorscheme.slug}-Dark";
package = gtkThemeFromScheme; package = gtkThemeFromScheme;
}; };
gtk4.theme = config.gtk.theme;
iconTheme = { iconTheme = {
name = "tela-circle-icon-theme"; name = "tela-circle-icon-theme";
package = pkgs.tela-circle-icon-theme; package = pkgs.tela-circle-icon-theme;
@@ -31,7 +31,7 @@ in {
platformTheme.name = "gtk"; platformTheme.name = "gtk";
}; };
home.packages = [ wallpaperGen pkgs.awww ]; home.packages = [ wallpaperGen pkgs.swww ];
xdg.configFile."script/wallpaper.sh".text = '' xdg.configFile."script/wallpaper.sh".text = ''
#!/bin/sh #!/bin/sh
@@ -50,7 +50,7 @@ in {
IMG=$WPDIR/$(echo "$RES" | wofi --dmenu --allow-images show-icons true -theme-str '#window { width: 50%; }' -p "Choose wallpaper:") IMG=$WPDIR/$(echo "$RES" | wofi --dmenu --allow-images show-icons true -theme-str '#window { width: 50%; }' -p "Choose wallpaper:")
IMG=$(echo "$IMG" | awk -F ':' '{print $2}') IMG=$(echo "$IMG" | awk -F ':' '{print $2}')
awww img $IMG swww img $IMG
''; '';
}; };
} }

166
modules/home/gui/theme/wallpaper-gen.nix
View File

@@ -1,150 +1,40 @@
{ pkgs, config, lib ? pkgs.lib }: { pkgs, config }:
let let
colors = config.colorScheme.palette; scheme = config.colorScheme;
mediaImages = config.syscfg.media.main; colors = scheme.palette;
mediaNames = map (image: builtins.baseNameOf (toString image)) mediaImages; dither =
mediaSourceDir = pkgs.linkFarm "wallpaper-media" ( "atkinson"; # none | floyd-steinberg | atkinson | jjn | burkes | sierra | sierra-lite
map (image: { in pkgs.stdenv.mkDerivation rec {
name = builtins.baseNameOf (toString image);
path = image;
}) mediaImages
);
dither = "atkinson"; # none | floyd-steinberg | atkinson | jjn | burkes | sierra | sierra-lite
paletteSize = 0;
hexChars = "0123456789abcdef";
hexMap = {
"0" = 0; "1" = 1; "2" = 2; "3" = 3;
"4" = 4; "5" = 5; "6" = 6; "7" = 7;
"8" = 8; "9" = 9; "a" = 10; "b" = 11;
"c" = 12; "d" = 13; "e" = 14; "f" = 15;
};
baseColors = [
colors.base00
colors.base01
colors.base02
colors.base03
colors.base04
colors.base05
colors.base06
colors.base07
colors.base08
colors.base09
colors.base0A
colors.base0B
colors.base0C
colors.base0D
colors.base0E
colors.base0F
];
round = x: builtins.floor (x + 0.5);
clamp = x:
if x < 0 then 0 else if x > 255 then 255 else x;
parseHexByte = byte:
let
hi = hexMap.${builtins.substring 0 1 byte};
lo = hexMap.${builtins.substring 1 1 byte};
in
hi * 16 + lo;
hexToRgb = hex:
let
clean = lib.toLower (lib.removePrefix "#" hex);
in
{
r = parseHexByte (builtins.substring 0 2 clean);
g = parseHexByte (builtins.substring 2 2 clean);
b = parseHexByte (builtins.substring 4 2 clean);
};
componentToHex = value:
let
bounded = clamp value;
hi = builtins.div bounded 16;
lo = bounded - hi * 16;
in
"${builtins.substring hi 1 hexChars}${builtins.substring lo 1 hexChars}";
rgbToHex = color: "${componentToHex color.r}${componentToHex color.g}${componentToHex color.b}";
getTint = c: weight: round (c + (255 - c) * weight);
getShade = c: weight: round (c * weight);
tint = color: weight: {
r = getTint color.r weight;
g = getTint color.g weight;
b = getTint color.b weight;
};
shade = color: weight: {
r = getShade color.r weight;
g = getShade color.g weight;
b = getShade color.b weight;
};
genPalette = color:
let
tints =
if paletteSize == 0
then [ ]
else lib.genList (i: tint color ((i + 1.0) / paletteSize)) paletteSize;
shades =
if paletteSize == 0
then [ ]
else lib.genList (i: shade color (i * 1.0 / paletteSize)) paletteSize;
in
lib.reverseList tints ++ [ color ] ++ lib.reverseList shades;
keepColor = color:
let
sum = color.r + color.g + color.b;
in
sum > 0 && sum < 765;
paletteColors = lib.concatMap (hex: lib.filter keepColor (genPalette (hexToRgb hex))) baseColors;
paletteHex = lib.concatStringsSep "," (map rgbToHex paletteColors);
gifPaletteFile = pkgs.writeText "wallpaper-gifpalette.txt" (
lib.concatMapStringsSep "\n" (color: "${toString color.r} ${toString color.g} ${toString color.b}") paletteColors
);
buildCommands =
lib.concatMapStringsSep "\n" (name:
let
source = "${mediaSourceDir}/${name}";
target = "build/${name}";
in
if lib.hasSuffix ".gif" (lib.toLower name) then ''
gifsicle --use-colormap ${lib.escapeShellArg (toString gifPaletteFile)} < ${lib.escapeShellArg source} > ${lib.escapeShellArg target}
'' else ''
repalette ${lib.escapeShellArg source} ${lib.escapeShellArg target} -p ${lib.escapeShellArg paletteHex} --dither ${lib.escapeShellArg dither}
''
) mediaNames;
in
assert lib.assertMsg
(builtins.length mediaNames == builtins.length (lib.unique mediaNames))
"syscfg.media.main contains duplicate basenames, which would collide in generated wallpaper output.";
pkgs.stdenv.mkDerivation {
pname = "generated-wallpaper"; pname = "generated-wallpaper";
version = "local"; version = "a1676fc2a0e3dfb7bf95d8a89e592830";
dontUnpack = true; src = pkgs.fetchFromGitea {
domain = "git.helcel.net";
owner = "sora";
repo = "nixconfig-wallpaper";
rev = version;
sha256 = "sha256-ZhBjTaKzoiEq1ptMmNWWRPCjLJsvy9My/HuzRaDjX1c=";
};
nativeBuildInputs = with pkgs; [ buildInputs = with pkgs; [ custom.repalette nodejs imagemagick gifsicle ];
custom.repalette
gifsicle configurePhase = ''
]; echo "${colors.base00},${colors.base01},\
${colors.base02},${colors.base03},\
${colors.base04},${colors.base05},\
${colors.base06},${colors.base07},\
${colors.base08},${colors.base09},\
${colors.base0A},${colors.base0B},\
${colors.base0C},${colors.base0D},\
${colors.base0E},${colors.base0F}" > palette.in
'';
buildPhase = '' buildPhase = ''
runHook preBuild make DITHER=${dither} PALETTE_SIZE=0 all
mkdir -p build
${buildCommands}
runHook postBuild
''; '';
installPhase = '' installPhase = ''
runHook preInstall
mkdir -p $out/share/wallpaper mkdir -p $out/share/wallpaper
cp -r build/. $out/share/wallpaper/ cp -r build/* $out/share/wallpaper/
runHook postInstall
''; '';
} }

2
modules/home/wayland/apps/dunst/default.nix
View File

@@ -46,7 +46,7 @@
min_icon_size = 32; min_icon_size = 32;
max_icon_size = 64; max_icon_size = 64;
icon_path = lib.mkForce icon_path =
"${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/status:${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/device "; "${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/status:${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/device ";
icon_theme = "Tela-circle-dark"; icon_theme = "Tela-circle-dark";
enable_recursive_icon_lookup = "true"; enable_recursive_icon_lookup = "true";

2
modules/home/wayland/apps/eww/bar/eww.yuck
View File

@@ -48,7 +48,7 @@
(defwindow bar (defwindow bar
:monitor 0 :monitor 1
:geometry (geometry :geometry (geometry
:x "0%" :x "0%"
:y "0%" :y "0%"

4
modules/home/wayland/apps/eww/bar/modules/clock.yuck
View File

@@ -5,8 +5,8 @@
(eventbox (eventbox
:onhover "${EWW_CMD} update date_rev=true" :onhover "${EWW_CMD} update date_rev=true"
:onhoverlost "${EWW_CMD} update date_rev=false" :onhoverlost "${EWW_CMD} update date_rev=false"
:onclick "(sleep 0.1 && eww-open-on-current-screen calendar --toggle)" :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle calendar)"
:onrightclick "(sleep 0.1 && eww-open-on-current-screen powermenu --toggle)" :onrightclick "(sleep 0.1 && ${EWW_CMD} open --toggle powermenu)"
(box (box
:class "datetime" :class "datetime"
(overlay (overlay

2
modules/home/wayland/apps/eww/bar/modules/sys.yuck
View File

@@ -7,7 +7,7 @@
(defwidget sys-mod [] (defwidget sys-mod []
(module (module
(eventbox (eventbox
:onclick "(sleep 0.1 && eww-open-on-current-screen sys --toggle)" :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle sys)"
(box (box
:orientation "v" :orientation "v"
(circular-progress (circular-progress

5
modules/home/wayland/apps/eww/bar/modules/workspaces.yuck
View File

@@ -3,14 +3,13 @@
(defwidget workspace-mod [] (defwidget workspace-mod []
(module (module
(eventbox (eventbox
:onscroll "echo {} | sed -e 's/up/-1/' -e 's/down/+1/' | xargs -I % hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '%' }))\"" :onscroll "echo {} | sed -e \"s/up/-1/g\" -e \"s/down/+1/g\" | xargs hyprctl dispatch workspace"
(box (box
:class "module workspaces" :class "module workspaces"
:orientation "v" :orientation "v"
(for ws in workspace (for ws in workspace
(button (button
:onclick "hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '${ws.number}' }))\"" :onclick "hyprctl dispatch workspace ${ws.number}"
(label (label
:show-truncated false :show-truncated false
:class "icon-text ${ws.color}" :class "icon-text ${ws.color}"

18
modules/home/wayland/apps/eww/bar/scripts/net/net
View File

@@ -6,10 +6,6 @@ function get_time_ms {
icons=("󰤯" "󰤟" "󰤢" "󰤥" "󰤨") icons=("󰤯" "󰤟" "󰤢" "󰤥" "󰤨")
function get_wifi_interface() {
awk 'NR > 2 { gsub(":", "", $1); print $1; exit }' /proc/net/wireless
}
function toggle() { function toggle() {
status=$(rfkill | grep wlan | awk '{print $4}') status=$(rfkill | grep wlan | awk '{print $4}')
@@ -21,8 +17,7 @@ function toggle() {
} }
function gen_wifi() { function gen_wifi() {
wifi_iface=$(get_wifi_interface) signal=$(cat /proc/net/wireless | head -n3 | tail -n1 | awk '{print $3}')
signal=$(awk -v iface="$wifi_iface" '$1 == iface ":" { print $3; exit }' /proc/net/wireless)
level=$(awk -v n="$signal" 'BEGIN{print int((n-1)/20)}') level=$(awk -v n="$signal" 'BEGIN{print int((n-1)/20)}')
if [ "$level" -gt 4 ]; then if [ "$level" -gt 4 ]; then
level=4 level=4
@@ -31,8 +26,8 @@ function gen_wifi() {
icon=${icons[$level]} icon=${icons[$level]}
ip="-" ip="-"
class="net-connected" class="net-connected"
name_raw=$(wpa_cli -g "/run/wpa_supplicant/$wifi_iface" status | grep \^ssid= | sed 's/ssid=//g') name_raw=$(wpa_cli status | grep \^ssid= | sed 's/ssid=//g')
name=$(printf "%s" "$name_raw") name=$(printf "%s" $name_raw)
} }
function gen_ethernet() { function gen_ethernet() {
@@ -43,12 +38,9 @@ function gen_ethernet() {
} }
function make_content() { function make_content() {
local ethernet wifi wifi_iface local ethernet wifi
ethernet=$(ip link | rg "^[0-9]+: en[po]+" | head -n1 | sed 's/[a-zA-Z0-9_,><:\ -]*state //g' | sed 's/ mode [a-zA-Z0-9 ]*//g') ethernet=$(ip link | rg "^[0-9]+: en[po]+" | head -n1 | sed 's/[a-zA-Z0-9_,><:\ -]*state //g' | sed 's/ mode [a-zA-Z0-9 ]*//g')
wifi_iface=$(get_wifi_interface) wifi=$(wpa_cli status | rg "^wpa_state=" | sed 's/wpa_state=//g')
if [ -n "$wifi_iface" ]; then
wifi=$(wpa_cli -g "/run/wpa_supplicant/$wifi_iface" status | rg "^wpa_state=" | sed 's/wpa_state=//g')
fi
# test ethernet first # test ethernet first
if [[ $ethernet == "UP" ]]; then if [[ $ethernet == "UP" ]]; then

2
modules/home/wayland/apps/eww/bar/windows/calendar.yuck
View File

@@ -1,5 +1,5 @@
(defwindow calendar (defwindow calendar
:monitor 0 :monitor 1
:geometry (geometry :geometry (geometry
:x "0%" :x "0%"
:y "0%" :y "0%"

4
modules/home/wayland/apps/eww/bar/windows/powermenu.yuck
View File

@@ -25,7 +25,7 @@
(powermenu_entry :label "Sign out" (powermenu_entry :label "Sign out"
:icon "󰗼" :icon "󰗼"
:onclick "hyprctl eval \"hl.dispatch(hl.dsp.exit())\"") :onclick "hyprctl dispatch exit 0")
(powermenu_entry :label "Cancel" (powermenu_entry :label "Cancel"
:icon "󰅖" :icon "󰅖"
@@ -34,7 +34,7 @@
) )
(defwindow powermenu (defwindow powermenu
:monitor 0 :monitor 1
:stacking "overlay" :stacking "overlay"
:geometry (geometry :geometry (geometry
:anchor "center" :anchor "center"

4
modules/home/wayland/apps/eww/bar/windows/radio.yuck
View File

@@ -2,7 +2,7 @@
(defvar radio_rev false) (defvar radio_rev false)
(defwindow radio (defwindow radio
:monitor 0 :monitor 1
:geometry (geometry :geometry (geometry
:x "0%" :x "0%"
:y "0%" :y "0%"
@@ -100,7 +100,7 @@
(box (box
:orientation "v" :orientation "v"
(button (button
:onclick "(sleep 0.1 && eww-open-on-current-screen radio --toggle --no-daemonize)" :onclick "(sleep 0.1 && ${EWW_CMD} open --toggle --no-daemonize radio)"
(label (label
:show-truncated false :show-truncated false
:class "icon-text" :class "icon-text"

2
modules/home/wayland/apps/eww/bar/windows/sys.yuck
View File

@@ -129,7 +129,7 @@
) )
(defwindow sys (defwindow sys
:monitor 0 :monitor 1
:stacking "overlay" :stacking "overlay"
:geometry (geometry :geometry (geometry
:x "0%" :x "0%"

18
modules/home/wayland/apps/eww/default.nix
View File

@@ -1,21 +1,7 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }: {
let
openOnCurrentScreen = pkgs.writeShellScriptBin "eww-open-on-current-screen" ''
window="$1"
shift
screen="$(hyprctl monitors -j | ${lib.getExe pkgs.jq} -r '.[] | select(.focused == true) | .name' | head -n1)"
if [ -n "$screen" ]; then
exec ${lib.getExe pkgs.eww} open "$window" --screen "$screen" "$@"
fi
exec ${lib.getExe pkgs.eww} open "$window" "$@"
'';
in {
config = lib.mkIf (config.usercfg.wm == "Wayland") { config = lib.mkIf (config.usercfg.wm == "Wayland") {
home.packages = with pkgs; [ eww jq jaq custom.amdgpu_top openOnCurrentScreen ]; home.packages = with pkgs; [ eww jq jaq custom.amdgpu_top ];
xdg.configFile."eww" = { xdg.configFile."eww" = {
source = lib.cleanSourceWith { source = lib.cleanSourceWith {

15
modules/home/wayland/apps/kanshi/default.nix
View File

@@ -1,12 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, ... }: {
let
restartEwwBar = monitor: pkgs.writeShellScript "restart-eww-bar-after-kanshi-${toString monitor}" ''
sleep 1
${lib.getExe pkgs.eww} close bar || true
${lib.getExe pkgs.eww} open bar --screen ${toString monitor}
'';
in {
config = lib.mkIf (config.usercfg.wm == "Wayland") { config = lib.mkIf (config.usercfg.wm == "Wayland") {
services.kanshi = { services.kanshi = {
@@ -15,7 +7,6 @@ in {
settings = [ settings = [
{ {
profile.name = "tower_0"; profile.name = "tower_0";
profile.exec = [ "${restartEwwBar 1}" ];
profile.outputs = [ profile.outputs = [
{ {
criteria = "AOC 24E1W1 GNSKCHA086899"; criteria = "AOC 24E1W1 GNSKCHA086899";
@@ -37,7 +28,6 @@ in {
} }
{ {
profile.name = "tower_1"; profile.name = "tower_1";
profile.exec = [ "${restartEwwBar 1}" ];
profile.outputs = [ profile.outputs = [
{ {
criteria = "AOC 24E1W1 GNSKCHA086899"; criteria = "AOC 24E1W1 GNSKCHA086899";
@@ -67,7 +57,6 @@ in {
} }
{ {
profile.name = "laptop_0"; profile.name = "laptop_0";
profile.exec = [ "${restartEwwBar 0}" ];
profile.outputs = [{ profile.outputs = [{
criteria = "LG Display 0x060A Unknown"; criteria = "LG Display 0x060A Unknown";
mode = "1920x1080@60.020"; mode = "1920x1080@60.020";
@@ -78,7 +67,6 @@ in {
} }
{ {
profile.name = "laptop_1"; profile.name = "laptop_1";
profile.exec = [ "${restartEwwBar 1}" ];
profile.outputs = [ profile.outputs = [
{ {
criteria = "CEX CX133 0x00000001"; criteria = "CEX CX133 0x00000001";
@@ -98,7 +86,6 @@ in {
} }
{ {
profile.name = "laptop_2"; profile.name = "laptop_2";
profile.exec = [ "${restartEwwBar 1}" ];
profile.outputs = [ profile.outputs = [
{ {
criteria = "AOC 16G3 1DDP7HA000348"; criteria = "AOC 16G3 1DDP7HA000348";

6
modules/home/wayland/apps/waybar/default.nix
View File

@@ -146,8 +146,8 @@ in {
"9" = [ ]; "9" = [ ];
"10" = [ ]; "10" = [ ];
}; };
"on-scroll-up" = "hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '-1' }))\""; "on-scroll-up" = "hyprctl dispatch workspace r-1";
"on-scroll-down" = "hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '+1' }))\""; "on-scroll-down" = "hyprctl dispatch workspace r+1";
}; };
"backlight" = { "backlight" = {
@@ -232,7 +232,7 @@ in {
"custom/powermenu" = { "custom/powermenu" = {
"format" = "{icon}"; "format" = "{icon}";
"format-icons" = [ "󰐥" ]; "format-icons" = [ "󰐥" ];
"on-click" = "eww-open-on-current-screen powermenu"; "on-click" = "eww open powermenu";
"tooltip" = false; "tooltip" = false;
}; };
"tray" = { "tray" = {

2
modules/home/wayland/base/default.nix
View File

@@ -34,7 +34,7 @@ in {
glib glib
brightnessctl brightnessctl
awww swww
]; ];
xdg.mimeApps = { xdg.mimeApps = {

513
modules/home/wayland/hyprland/config.nix Normal file → Executable file
View File

@@ -1,332 +1,231 @@
{ lib, config, pkgs, ... }: let { lib, config, pkgs, ... }: {
lua = lib.generators.mkLuaInline;
bind = keys: dispatcher: { _args = [ keys dispatcher ]; };
bindOpts = keys: dispatcher: opts: { _args = [ keys dispatcher opts ]; };
dsp = {
exec = cmd: lua ''hl.dsp.exec_cmd("${cmd}")'';
close = lua "hl.dsp.window.close()";
exit = lua "hl.dsp.exit()";
float = lua ''hl.dsp.window.float({ action = "toggle" })'';
fullscreen = lua "hl.dsp.window.fullscreen()";
pseudo = lua "hl.dsp.window.pseudo()";
layout = msg: lua ''hl.dsp.layout("${msg}")'';
focus = dir: lua ''hl.dsp.focus({ direction = "${dir}" })'';
swap = dir: lua ''hl.dsp.window.swap({ direction = "${dir}" })'';
toggleSpecial = name: lua ''hl.dsp.workspace.toggle_special("${name}")'';
moveToSpecial = name: lua ''hl.dsp.window.move({ workspace = "special:${name}" })'';
focusWorkspace = ws: lua ''hl.dsp.focus({ workspace = "${toString ws}" })'';
moveToWorkspace = ws: lua ''hl.dsp.window.move({ workspace = "${toString ws}", follow = false})'';
drag = lua "hl.dsp.window.drag()";
resize = lua "hl.dsp.window.resize()";
};
startupScript = pkgs.writeShellScriptBin "hyprland-start" ''
eww-open-on-current-screen bar &
awww-daemon &
sleep 2
keepassxc &
firefox &
jellyfin-mpv-shim &
easyeffects --gapplication-service &
sleep 2
nextcloud &
# telegram-desktop &
# discord &
'';
in {
config = lib.mkIf (config.usercfg.wm == "Wayland") { config = lib.mkIf (config.usercfg.wm == "Wayland") {
wayland.windowManager.hyprland = { wayland.windowManager.hyprland = {
enable = true; enable = true;
xwayland.enable = true; xwayland.enable = true;
configType = "lua"; extraConfig = ''
settings = { monitor=,preferred,auto,auto
on = { env=bitdepth,10
_args = [ input {
"hyprland.start" kb_layout = us, ru
(lua '' kb_variant = intl, phonetic
function() kb_options = grp:ctrls_toggle
hl.exec_cmd("dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP")
hl.exec_cmd("${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1")
hl.exec_cmd("wl-paste --type text --watch cliphist store")
hl.exec_cmd("wl-paste --type image --watch cliphist store")
hl.exec_cmd("swayidle -w timeout 600 'swaylock' before-sleep 'swaylock'")
hl.exec_cmd("${lib.getExe startupScript}")
hl.exec_cmd("[workspace special:magic silent] kitty --title flying_kitty")
end'')
];
};
monitor = [{ follow_mouse = 1
output = "";
mode = "preferred";
position = "auto";
scale = "auto";
bitdepth = 10;
}];
#Fullscreen HDR is possible without the hdr cm setting if "render:cm_auto_hdr" is enabled.
config = { sensitivity = 0
input = {
kb_layout = "us";
kb_variant = "intl";#, phonetic";
kb_options = "grp:alt_shift_toggle";
follow_mouse = 1;
sensitivity = 0;
touchpad = { touchpad {
natural_scroll = false; natural_scroll=no
scroll_factor = 1; disable_while_typing=true
disable_while_typing = false; scroll_factor=1
tap_to_click = false; disable_while_typing=0
}; tap-to-click=0
};
misc = {
force_default_wallpaper = -1;
disable_hyprland_logo = true;
animate_mouse_windowdragging = false;
animate_manual_resizes = false;
vrr = 1;
};
general = {
gaps_in = config.colorScheme.palette.gaps-window;
gaps_out = config.colorScheme.palette.gaps-screen;
border_size = lib.toInt config.colorScheme.palette.border-width;
col = {
active_border = "rgb(${config.colorScheme.palette.base04})";
inactive_border = "rgb(${config.colorScheme.palette.base03})";
};
layout = "dwindle";
};
decoration = {
rounding = lib.toInt config.colorScheme.palette.border-radius;
inactive_opacity = 1.0;
active_opacity = 1.0;
fullscreen_opacity = 1.0;
blur = {
enabled = true;
size = 2;
passes = 1;
new_optimizations = true;
};
};
dwindle = {
#pseudotile = true;
preserve_split = true;
};
animations = {
enabled = true;
};
master = {
new_status = "master";
};
};
curve = [{
_args = [
"customcurve"
{
type = "bezier";
points = lua "{ {0.0, 0.9}, {0.1, 1.0} }";
} }
]; }
}];
animation = [ misc {
{ leaf = "windows"; enabled = true; speed = 4; bezier = "customcurve"; } disable_hyprland_logo=true
{ leaf = "windowsOut"; enabled = true; speed = 4; bezier = "customcurve"; style = "popin 80%"; } animate_mouse_windowdragging=false
{ leaf = "border"; enabled = true; speed = 10; bezier = "customcurve"; } animate_manual_resizes=false
{ leaf = "borderangle"; enabled = true; speed = 1; bezier = "customcurve"; }
{ leaf = "fade"; enabled = true; speed = 4; bezier = "customcurve"; }
{ leaf = "workspaces"; enabled = true; speed = 4; bezier = "customcurve"; }
];
vrr=1
}
gesture = { general {
fingers = 3; gaps_in = ${config.colorScheme.palette.gaps-window}
direction = "vertical"; gaps_out = ${config.colorScheme.palette.gaps-screen}
action = "workspace"; border_size = ${config.colorScheme.palette.border-width}
};
window_rule = [ col.active_border = rgb(${config.colorScheme.palette.base04})
{ match.title = "noshadow"; float= false;} col.inactive_border = rgb(${config.colorScheme.palette.base03})
{
match.title = "^(flying_kitty)$"; layout = dwindle
float = true; }
center = true;
size = "1100 600"; decoration {
move = "{0 600}"; rounding = ${config.colorScheme.palette.border-radius}
animation = "slide";
} blur {
{ match.title = "^(Volume Control)$"; float = true; } enabled = true
{ match.title = "^(Picture-in-Picture)$"; float = true; } size = 2
{ match.title = "^(Steam)$"; float = true; } passes = 1
# --- Chat & Workspace Assignments --- new_optimizations = true
{ match.class = "^(org.telegram.desktop)$"; workspace = "2 silent"; }
{ match.class = "^(discord)$"; workspace = "2 silent"; }
{ match.class = "^(org.keepassxc.KeePassXC)$"; workspace = "8 silent"; }
{ match.title = "^(Nextcloud)$"; workspace = "8 silent"; }
{ match.class = "^(org.telegram.desktop)$"; match.title = "^(Media viewer)$"; float = true; center = true; }
{
match.class = "^(Tk)$";
match.title = "^(Server Configuration)$";
workspace = "8 silent";
} }
# --- KeePassXC Dialogs --- #multisample_edges = true
{
match.class = "^(org.keepassxc.KeePassXC)$";
match.title = "^(KeePassXC - Access Request)$";
float = true;
pin = true;
}
{
match.class = "^(org.keepassxc.KeePassXC)$";
match.title = "^(Unlock Database - KeePassXC)$";
float = true;
pin = true;
}
# --- Generic System / File Dialogs ---
{ match.title = "^(Open)$"; float = true; }
{ match.title = "^(Choose Files)$"; float = true; }
{ match.title = "^(Save As)$"; float = true; }
{ match.title = "^(Confirm to replace files)$"; float = true; }
{ match.title = "^(File Operation Progress)$"; float = true; }
# --- Firefox Window Rules --- #opactity
{ inactive_opacity = 1.0
match.class = "^(firefox)$"; active_opacity = 1.0
match.title = "^(Picture-in-Picture)$"; fullscreen_opacity = 1.0
float = true;
pin = true;
suppress_event = "fullscreen";
}
{
match.class = "^(firefox)$";
match.title = "^(Firefox Sharing Indicator)$";
float = true;
suppress_event = "fullscreen";
}
{
match.class = "^(firefox)$";
match.title = "^(Extension:.* Mozilla Firefox)$";
float = true;
suppress_event = "fullscreen";
}
# --- Telegram Media Viewer --- # shadow
{ # drop_shadow = no
match.class = "^(org.telegram.desktop)$"; # shadow_range = 60
match.title = "^(Media viewer)$"; # shadow_offset = 0 5
float = true; # shadow_render_power = 4
center = true; #col.shadow = rgba(00000099)
} }
# --- Idle Inhibition --- animations {
{ match.class = "^(.*)$"; idle_inhibit = "fullscreen"; } enabled = true
{ match.class = "^(steam_app_.*)$"; idle_inhibit = "focus"; } bezier = customcurve, 0.0, 0.9, 0.1, 1.0
{ match.class = "^(mpv)$"; idle_inhibit = "focus"; }
]; animation = windows, 1, 4, customcurve
animation = windowsOut, 1, 4, customcurve, popin 50%
animation = border, 1, 10, customcurve
animation = borderangle, 0, 1, customcurve
animation = fade, 1, 4, customcurve
animation = workspaces, 1, 4, customcurve
}
# windowrule = [ "noshadow, floating:0" ]; dwindle {
pseudotile = yes
preserve_split = yes
}
# windowrulev2 = [ master {
# "workspace 2 silent, class:^(org.telegram.desktop)$" new_status = master
# "workspace 2 silent, class:^(discord)$" }
# "workspace 8 silent, class:^(org.keepassxc.KeePassXC)$"
# "workspace 8 silent, title:^(Nextcloud)$"
# "workspace 8 silent, class:^(Tk)$,title:^(Server Configuration)$"
# "float,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC - Access Request)$"
# "pin,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC - Access Request)$"
# "float,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$"
# "pin,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$"
# "float,title:^(Open)$"
# "float,title:^(Choose Files)$"
# "float,title:^(Save As)$"
# "float,title:^(Confirm to replace files)$"
# "float,title:^(File Operation Progress)$"
# "float,class:^(firefox)$,title:^(Picture-in-Picture)$"
# "pin,class:^(firefox)$,title:^(Picture-in-Picture)$"
# "suppressevent fullscreen,class:^(firefox)$,title:^(Picture-in-Picture)$"
# "float,class:^(firefox)$,title:^(Firefox — Sharing Indicator)$"
# "suppressevent fullscreen,class:^(firefox)$,title:^(Firefox — Sharing Indicator)$"
# "float,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$"
# "suppressevent fullscreen,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$"
# "float,class:^(org.telegram.desktop)$,title:^(Media viewer)$"
# "center,class:^(org.telegram.desktop)$,title:^(Media viewer)$"
# "idleinhibit fullscreen, class:^(.*)"
# "idleinhibit focus, class:^(steam_app_.*)$"
# "idleinhibit focus, class:^(mpv)$"
# ];
layer_rule = [ { gesture = 3, vertical, workspace
match.namespace = "^eww%-blur$";
blur = true;
ignore_alpha = 0.5;
}];
bind = [ exec-once = eww open bar
(bind "SUPER + RETURN" (dsp.exec "kitty")) #exec-once = waybar
(bind "SUPER + SHIFT + RETURN" (dsp.toggleSpecial "magic")) exec-once = dunst
(bind "SUPER + SHIFT + S" (dsp.moveToSpecial "magic"))
(bind "SUPER + Q" dsp.close)
(bind "SUPER + T" dsp.float)
(bind "SUPER + F" dsp.fullscreen)
(bind "SUPER + P" dsp.pseudo)
(bind "SUPER + J" (dsp.layout "togglesplit"))
(bind "SUPER + D" (dsp.exec "wofi -modi --show drun"))
(bind "SUPER + SHIFT + D" (dsp.exec "~/.config/hypr/themes/apatheia/eww/launch_bar"))
(bind "SUPER + V" (dsp.exec "cliphist list | wofi -dmenu | cliphist decode | wl-copy"))
(bind "PRINT" (dsp.exec "hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'"))
(bind "SUPER + L" (dsp.exec "swaylock"))
(bind "SUPER + left" (dsp.focus "left"))
(bind "SUPER + right" (dsp.focus "right"))
(bind "SUPER + up" (dsp.focus "up"))
(bind "SUPER + down" (dsp.focus "down"))
(bind "SUPER + mouse_down" (dsp.focusWorkspace "e+1"))
(bind "SUPER + mouse_up" (dsp.focusWorkspace "e-1"))
(bind "SUPER + 1" (dsp.focusWorkspace 1)) exec-once = swww init
(bind "SUPER + SHIFT + 1" (dsp.moveToWorkspace 1))
(bind "SUPER + 2" (dsp.focusWorkspace 2)) exec-once = dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP
(bind "SUPER + SHIFT + 2" (dsp.moveToWorkspace 2)) exec-once = /nix/store/$(ls -la /nix/store | grep 'polkit-gnome' | grep '4096' | awk '{print $9}' | sed -n '$p')/libexec/polkit-gnome-authentication-agent-1 &
(bind "SUPER + 3" (dsp.focusWorkspace 3))
(bind "SUPER + SHIFT + 3" (dsp.moveToWorkspace 3)) exec-once = wl-paste --type text --watch cliphist store #Stores only text data
(bind "SUPER + 4" (dsp.focusWorkspace 4)) exec-once = wl-paste --type image --watch cliphist store #Stores only image data
(bind "SUPER + SHIFT + 4" (dsp.moveToWorkspace 4))
(bind "SUPER + 5" (dsp.focusWorkspace 5)) exec-once = swayidle -w timeout 600 'swaylock' before-sleep 'swaylock'
(bind "SUPER + SHIFT + 5" (dsp.moveToWorkspace 5))
(bind "SUPER + 6" (dsp.focusWorkspace 6))
(bind "SUPER + SHIFT + 6" (dsp.moveToWorkspace 6)) #windowrules
(bind "SUPER + 7" (dsp.focusWorkspace 7)) windowrule = noshadow, floating:0
(bind "SUPER + SHIFT + 7" (dsp.moveToWorkspace 7))
(bind "SUPER + 8" (dsp.focusWorkspace 8)) windowrule = float, title:^(flying_kitty)$
(bind "SUPER + SHIFT + 8" (dsp.moveToWorkspace 8)) windowrule = size 1100 600, title:^(flying_kitty)$
(bind "SUPER + 9" (dsp.focusWorkspace 9)) windowrule = move center, title:^(flying_kitty)$
(bind "SUPER + SHIFT + 9" (dsp.moveToWorkspace 9)) windowrule = animation slide, title:^(flying_kitty)$
(bind "SUPER + 0" (dsp.focusWorkspace 0)) windowrule = float, title:^(Volume Control)$
(bind "SUPER + SHIFT + 0" (dsp.moveToWorkspace 0)) windowrule = float, title:^(Picture-in-Picture)$
(bind "XF86AudioPlay" (dsp.exec "playerctl play-pause")) windowrule = float, title:^(Steam)$
(bind "XF86AudioPrev" (dsp.exec "playerctl previous"))
(bind "XF86AudioNext" (dsp.exec "playerctl next")) windowrulev2 = workspace 2 silent, class:^(org.telegram.desktop)$
(bindOpts "XF86AudioRaiseVolume" (dsp.exec "amixer -q sset 'Master' 5%+") { locked = true; repeating = true; }) windowrulev2 = workspace 2 silent, class:^(discord)$
(bindOpts "XF86AudioLowerVolume" (dsp.exec "amixer -q sset 'Master' 5%-") { locked = true; repeating = true; })
(bindOpts "XF86AudioMute" (dsp.exec "amixer -q sset 'Master' toggle") { locked = true; }) windowrulev2 = workspace 8 silent, class:^(org.keepassxc.KeePassXC)$
(bindOpts "XF86MonBrightnessUp" (dsp.exec "brightnessctl s 5%+") { locked = true; repeating = true; }) windowrulev2 = workspace 8 silent, title:^(Nextcloud)$
(bindOpts "XF86MonBrightnessDown" (dsp.exec "brightnessctl s 5%-") { locked = true; repeating = true; }) windowrulev2 = workspace 8 silent, class:^(Tk)$,title:^(Server Configuration)$
(bindOpts "SUPER + mouse:272" dsp.drag { mouse = true; })
(bindOpts "SUPER + mouse:273" dsp.resize { mouse = true; }) #SPECIAL FLOATERS
]; windowrulev2 = float,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC - Access Request)$
}; windowrulev2 = pin,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC - Access Request)$
windowrulev2 = float,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$
windowrulev2 = pin,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$
windowrulev2 = float,title:^(Open)$
windowrulev2 = float,title:^(Choose Files)$
windowrulev2 = float,title:^(Save As)$
windowrulev2 = float,title:^(Confirm to replace files)$
windowrulev2 = float,title:^(File Operation Progress)$
windowrulev2 = float,class:^(firefox)$,title:^(Picture-in-Picture)$
windowrulev2 = pin,class:^(firefox)$,title:^(Picture-in-Picture)$
windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Picture-in-Picture)$
windowrulev2 = float,class:^(firefox)$,title:^(Firefox Sharing Indicator)$
windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Firefox Sharing Indicator)$
windowrulev2 = float,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$
windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$
windowrulev2 = float,class:^(org.telegram.desktop)$,title:^(Media viewer)$
windowrulev2 = center,class:^(org.telegram.desktop)$,title:^(Media viewer)$
#SPECIAL NO SLEEP
windowrulev2 = idleinhibit fullscreen, class:^(.*)
windowrulev2 = idleinhibit focus, class:^(steam_app_.*)$
windowrulev2 = idleinhibit focus, class:^(mpv)$
layerrule = blur,^(eww-blur)
#binds
bind = SUPER, RETURN, exec, kitty
bind = SUPER_SHIFT, RETURN,togglespecialworkspace,
# bind = SUPER_SHIFT, RETURN, exec, kitty --title flying_kitty --single-instance
bind = SUPER, Q, killactive,
bind = SUPER, T, togglefloating,
bind = SUPER, F, fullscreen,
bind = SUPER, D, exec, wofi -modi --show drun
bind = SUPER SHIFT,D,exec, ~/.config/hypr/themes/apatheia/eww/launch_bar
bind = SUPER, V, exec, cliphist list | wofi -dmenu | cliphist decode | wl-copy
bind = , PRINT, exec, hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'
bind = SUPER, L, exec, swaylock
bind = SUPER, left, movefocus, l
bind = SUPER, right, movefocus, r
bind = SUPER, up, movefocus, u
bind = SUPER, down, movefocus, d
bind = SUPER, 1, workspace, 1
bind = SUPER, 2, workspace, 2
bind = SUPER, 3, workspace, 3
bind = SUPER, 4, workspace, 4
bind = SUPER, 5, workspace, 5
bind = SUPER, 6, workspace, 6
bind = SUPER, 7, workspace, 7
bind = SUPER, 8, workspace, 8
bind = SUPER, 9, workspace, 9
bind = SUPER, 0, workspace, 10
bind = SUPER SHIFT, 1, movetoworkspacesilent, 1
bind = SUPER SHIFT, 2, movetoworkspacesilent, 2
bind = SUPER SHIFT, 3, movetoworkspacesilent, 3
bind = SUPER SHIFT, 4, movetoworkspacesilent, 4
bind = SUPER SHIFT, 5, movetoworkspacesilent, 5
bind = SUPER SHIFT, 6, movetoworkspacesilent, 6
bind = SUPER SHIFT, 7, movetoworkspacesilent, 7
bind = SUPER SHIFT, 8, movetoworkspacesilent, 8
bind = SUPER SHIFT, 9, movetoworkspacesilent, 9
bind = SUPER SHIFT, 0, movetoworkspacesilent, 10
bind = SUPER, mouse_down, workspace, e+1
bind = SUPER, mouse_up, workspace, e-1
bindm = SUPER, mouse:272, movewindow
bindm = SUPER, mouse:273, resizewindow
bind = , XF86AudioPlay, exec, playerctl play-pause
bind = , XF86AudioPrev, exec, playerctl previous
bind = , XF86AudioNext, exec, playerctl next
bind = , XF86AudioRaiseVolume, exec, amixer -q sset 'Master' 5%+
bind = , XF86AudioLowerVolume, exec, amixer -q sset 'Master' 5%-
bind = , XF86AudioMute, exec, amixer -q sset 'Master' toggle
bind = , XF86MonBrightnessUp, exec, brightnessctl s 5%+
bind = , XF86MonBrightnessDown, exec, brightnessctl s 5%-
exec-once = [workspace special silent] kitty --title flying_kitty
exec-once = sh ~/.config/startup.sh
'';
}; };
xdg.configFile."startup.sh".text = ''
#!/bin/sh
sleep 2
keepassxc &
firefox &
jellyfin-mpv-shim &
easyeffects --gapplication-service &
sleep 2
nextcloud &
#telegram-desktop&
#discord&
'';
}; };
} }

4
modules/home/xdg/default.nix
View File

@@ -7,7 +7,7 @@
xdg.userDirs.documents = "${config.home.homeDirectory}/desktop"; xdg.userDirs.documents = "${config.home.homeDirectory}/desktop";
xdg.userDirs.download = "${config.home.homeDirectory}/downloads"; xdg.userDirs.download = "${config.home.homeDirectory}/downloads";
xdg.userDirs.extraConfig = { xdg.userDirs.extraConfig = {
MISC = "${config.home.homeDirectory}/misc"; XDG_MISC_DIR = "${config.home.homeDirectory}/misc";
}; };
xdg.userDirs.music = "${config.home.homeDirectory}/media/music"; xdg.userDirs.music = "${config.home.homeDirectory}/media/music";
xdg.userDirs.pictures = "${config.home.homeDirectory}/media/photo"; xdg.userDirs.pictures = "${config.home.homeDirectory}/media/photo";
@@ -15,5 +15,5 @@
xdg.userDirs.templates = "${config.home.homeDirectory}/media/template"; xdg.userDirs.templates = "${config.home.homeDirectory}/media/template";
xdg.userDirs.videos = "${config.home.homeDirectory}/media/video"; xdg.userDirs.videos = "${config.home.homeDirectory}/media/video";
xdg.userDirs.createDirectories = true; xdg.userDirs.createDirectories = true;
xdg.userDirs.setSessionVariables = true;
} }

2
modules/nixos/gui/greet/default.nix
View File

@@ -5,7 +5,7 @@
enable = true; enable = true;
settings = rec { settings = rec {
initial_session = { initial_session = {
command = "start-hyprland"; command = "zsh";
user = "${config.syscfg.defaultUser}"; user = "${config.syscfg.defaultUser}";
}; };
default_session = initial_session; default_session = initial_session;

2
modules/nixos/gui/xserver/default.nix
View File

@@ -3,7 +3,7 @@
programs.xwayland.enable = true; programs.xwayland.enable = true;
services.xserver = { services.xserver = {
enable = true; enable = true;
videoDrivers = [ "amdgpu" ]; videoDrivers = [ "amd" ];
xkb = { xkb = {
layout = "us"; layout = "us";
variant = "intl"; variant = "intl";

22
modules/nixos/system/default.nix
View File

@@ -1,23 +1,3 @@
{ config, lib, ... }: { { ... }: {
imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ]; imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ];
services.journald.extraConfig = ''
SystemMaxUse=512M
SystemMaxFileSize=64M
MaxRetentionSec=1month
RateLimitIntervalSec=30s
RateLimitBurst=10000
'';
systemd.services.systemd-user-sessions = {
after = lib.mkForce ([
"system.slice"
"systemd-journald.socket"
"sysinit.target"
"remote-fs.target"
"nss-user-lookup.target"
"home.mount"
"basic.target"
] ++ map (user: "home-manager-${user.username}.service") config.syscfg.users);
};
} }

2
modules/nixos/system/hw/default.nix
View File

@@ -1 +1 @@
{ ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ./wsl ]; } { ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ]; }

8
modules/nixos/system/hw/power/default.nix
View File

@@ -15,10 +15,10 @@
# suspend to RAM (deep) rather than `s2idle` # suspend to RAM (deep) rather than `s2idle`
boot.kernelParams = [ "mem_sleep_default=deep" ]; boot.kernelParams = [ "mem_sleep_default=deep" ];
# suspend-then-hibernate # suspend-then-hibernate
systemd.sleep.settings.Sleep = { systemd.sleep.extraConfig = ''
HibernateDelaySec = "30m"; HibernateDelaySec=30m
SuspendState = "mem"; SuspendState=mem
}; '';
services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate"; services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate";
# Hibernate on power button pressed # Hibernate on power button pressed

4
modules/nixos/system/hw/udev/default.nix
View File

@@ -1,8 +1,8 @@
{ pkgs, ... }: { { ... }: {
systemd.services.systemd-udevd.restartIfChanged = false; systemd.services.systemd-udevd.restartIfChanged = false;
services.udev = { services.udev = {
packages = with pkgs; [ ]; packages = [ ];
extraRules = '' extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0127", GROUP="plugdev", TAG+="uaccess" SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0127", GROUP="plugdev", TAG+="uaccess"
SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0118", GROUP="plugdev", TAG+="uaccess" SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0118", GROUP="plugdev", TAG+="uaccess"

1
modules/nixos/system/hw/virt/default.nix
View File

@@ -18,6 +18,5 @@
}; };
}; };
}; };
virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
}; };
} }

13
modules/nixos/system/hw/wsl/default.nix
View File

@@ -1,13 +0,0 @@
{ lib, config, pkgs, ... }: {
config = lib.mkIf (config.syscfg.extra.wsl) {
wsl.enable = true;
wsl.defaultUser = config.syscfg.defaultUser;
wsl.extraBin = with pkgs; [
{ src = "${coreutils}/bin/uname"; }
{ src = "${coreutils}/bin/dirname"; }
{ src = "${coreutils}/bin/readlink"; }
];
wsl.wslConf.network.generateHosts = false;
};
}

18
modules/nixos/system/network/base/default.nix
View File

@@ -1,29 +1,17 @@
{ lib, config, ... }: { { config, ... }: {
networking = { networking = {
hostName = config.syscfg.hostname; hostName = config.syscfg.hostname;
useDHCP = true; useDHCP = true;
nameservers = [ "1.1.1.1" "9.9.9.9" ]; nameservers = [ "1.1.1.1" "9.9.9.9" ];
extraHosts = ''
${lib.concatStringsSep "\n" config.syscfg.extra.hosts}
'';
proxy = lib.mkIf (config.syscfg.extra.proxy.domain != "") {
default = "http://${config.syscfg.extra.proxy.domain}:${config.syscfg.extra.proxy.port or "8080"}";
noProxy = "${config.syscfg.extra.proxy.noProxy}";
};
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = allowedUDPPorts =
(if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++ (if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
[ ]; [ ];
allowedTCPPorts = allowedTCPPorts =
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++ (if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++
(if (config.syscfg.server != false) then [ 5432 6379 8181 ] else [ ]) ++
[ ]; [ ];
}; };
}; };

1
modules/nixos/system/network/wifi/default.nix
View File

@@ -3,7 +3,6 @@
networking.supplicant = { networking.supplicant = {
"${config.syscfg.net.wlp.nif}" = { "${config.syscfg.net.wlp.nif}" = {
configFile.path = config.sops.secrets.wifi.path; configFile.path = config.sops.secrets.wifi.path;
userControlled.enable = true;
extraConf = '' extraConf = ''
network={ network={
ssid="test" ssid="test"

7
modules/nixos/system/nix/default.nix
View File

@@ -37,12 +37,5 @@
]; ];
}; };
}; };
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
libx11 libxcb libxi libxext libxkbfile xcbutilcursor
libpng libdrm libpulseaudio nss nspr expat libbsd
];
};
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

7
modules/nixos/tools/debug/default.nix
View File

@@ -1,9 +1,12 @@
{ pkgs, config, lib, ... }: { { pkgs, config, lib, ... }: {
config = lib.mkIf (config.syscfg.make.develop) { config = lib.mkIf (config.syscfg.make.develop) {
programs.adb.enable = true;
# services.udev.packages = [
# pkgs.android-udev-rules
# ];
programs.wireshark.enable = true; programs.wireshark.enable = true;
environment.systemPackages = with pkgs; [ wget dconf wireshark mtr android-tools ]; environment.systemPackages = with pkgs; [ wget dconf wireshark ];
}; };
} }

62
modules/nixos/tools/default.nix
View File

@@ -1,4 +1,64 @@
{ pkgs, ... }: { { pkgs, ... }: {
imports = [ ./debug ./develop ./telegraf ]; imports = [ ./debug ./develop ];
# services.telegraf = {
# enable = true;
# extraConfig = {
# agent = {
# interval = "10s";
# round_interval = true;
# metric_batch_size = 1000;
# metric_buffer_limit = 10000;
# collection_jitter = "0s";
# flush_interval = "10s";
# flush_jitter = "0s";
# precision = "";
# hostname = "valinor";
# omit_hostname = false;
# };
# inputs.cpu = {
# percpu = true;
# totalcpu = true;
# collect_cpu_time = false;
# report_active = false;
# };
# inputs.mem = {};
# inputs.swap = {};
# inputs.system = {};
# inputs.disk = {
# ignore_fs = ["tmpfs" "devtmpfs" "devfs"];
# };
# inputs.net = {};
# inputs.netstat = {};
# inputs.ping = {
# urls = ["8.8.8.8" "8.8.4.4"];
# count = 4;
# interval = "60s";
# binary = "${pkgs.iputils.out}/bin/ping";
# };
# inputs.internet_speed = {
# interval = "2m";
# };
# inputs.net_response = {
# protocol = "tcp";
# address = "google.com:80";
# timeout = "5s";
# read_timeout = "5s";
# interval = "30s";
# };
# outputs.influxdb_v2 = {
# urls = [""];
# token = "";
# organization = "";
# bucket = "";
# };
# };
# };
} }

6
modules/nixos/tools/develop/default.nix
View File

@@ -9,12 +9,6 @@ in {
imports = [ ./ollama ]; imports = [ ./ollama ];
config = lib.mkIf (config.syscfg.make.develop) { config = lib.mkIf (config.syscfg.make.develop) {
services.vscode-server = lib.mkIf (config.syscfg.extra.wsl) {
enable = true;
enableFHS = true;
};
environment.systemPackages = with pkgs; environment.systemPackages = with pkgs;
[ [
# android-tools # android-tools

5
modules/nixos/tools/develop/ollama/default.nix
View File

@@ -1,13 +1,14 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
ollamaPkg = pkgs.ollama-vulkan; ollamaPkg = pkgs.ollama-rocm;
in{ in{
config = lib.mkIf (config.syscfg.make.develop) { config = lib.mkIf (config.syscfg.make.develop) {
services.ollama = { services.ollama = {
enable = true; enable = true;
package = ollamaPkg; package = ollamaPkg;
loadModels = [ ]; acceleration = "rocm";
loadModels = [ "deepseek-v2:lite" "qwen2.5-coder:7b" "qwen2.5-coder:1.5b" ];
syncModels = true; syncModels = true;
}; };
environment.systemPackages = with pkgs; [ ollamaPkg ]; environment.systemPackages = with pkgs; [ ollamaPkg ];

363
modules/nixos/tools/telegraf/default.nix
View File

@@ -1,363 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.syscfg.monitoring.telegraf;
hasCollector = name: builtins.elem name cfg.collectors;
dockerGroups =
lib.optionals (cfg.enable && hasCollector "docker" && config.virtualisation.podman.enable) [ "podman" ]
++ lib.optionals (cfg.enable && hasCollector "docker" && config.virtualisation.docker.enable) [ "docker" ];
amdgpuMetricsScript = pkgs.writeShellScript "telegraf-amdgpu-metrics" ''
set -euo pipefail
${lib.getExe pkgs.custom.amdgpu_top} -J -n 1 | ${lib.getExe pkgs.jq} -r '
def maybe_int($name; $value):
if $value == null then empty else "\($name)=\(($value | floor))i" end;
def maybe_float($name; $value):
if $value == null then empty else "\($name)=\($value)" end;
.devices
| to_entries[]
| [
maybe_int("utilization_gpu"; (.value.gpu_activity.GFX.value // .value.GRBM2["Command Processor - Graphics"].value // 0)),
maybe_int("utilization_media"; .value.gpu_activity.MediaEngine.value),
maybe_int("utilization_memory"; .value.gpu_activity.Memory.value),
maybe_float("temperature_edge"; .value.Sensors["Edge Temperature"].value),
maybe_float("power_draw"; .value.gpu_metrics.average_socket_power.value)
] as $fields
| map(select(length > 0)) as $nonempty
| select(($nonempty | length) > 0)
| "amdgpu,card=\(.key) " + ($nonempty | join(","))
'
'';
baseConfig = {
agent = {
interval = cfg.interval;
round_interval = true;
metric_batch_size = 1000;
metric_buffer_limit = 10000;
flush_interval = cfg.interval;
hostname = config.syscfg.hostname;
omit_hostname = false;
};
global_tags = {
host = config.syscfg.hostname;
};
};
inputsConfig = lib.mkMerge [
(lib.mkIf (hasCollector "cpu") {
inputs.cpu = {
percpu = true;
totalcpu = true;
collect_cpu_time = false;
report_active = false;
fielddrop = [
"usage_guest"
"usage_guest_nice"
"usage_irq"
"usage_nice"
"usage_softirq"
"usage_steal"
];
};
})
(lib.mkIf (hasCollector "mem") {
inputs.mem = {
fielddrop = [
"available_percent"
"commit_limit"
"committed_as"
"high_free"
"high_total"
"huge_page_size"
"huge_pages_free"
"huge_pages_total"
"low_free"
"low_total"
"mapped"
"page_tables"
"slab"
"sreclaimable"
"sunreclaim"
"swap_cached"
"swap_free"
"swap_total"
"vmalloc_chunk"
"vmalloc_total"
"vmalloc_used"
"write_back"
"write_back_tmp"
];
};
})
(lib.mkIf (hasCollector "swap") {
inputs.swap = {
fielddrop = [
"free"
];
};
})
(lib.mkIf (hasCollector "system") {
inputs.system = {
fielddrop = [
"n_physical_cpus"
"n_unique_users"
"uptime_format"
];
};
})
(lib.mkIf (hasCollector "disk") {
inputs.disk = {
ignore_fs = [ "tmpfs" "devtmpfs" "devfs" "overlay" "squashfs" ];
fielddrop = [
"free"
"inodes_free"
"inodes_total"
"inodes_used"
"inodes_used_percent"
];
};
})
(lib.mkIf (hasCollector "diskio") {
inputs.diskio = {
skip_serial_number = true;
fielddrop = [
"io_svctm"
"iops_in_progress"
"merged_reads"
"merged_writes"
"weighted_io_time"
];
};
})
(lib.mkIf (hasCollector "kernel") {
inputs.kernel = {
fielddrop = [
"boot_time"
];
};
})
(lib.mkIf (hasCollector "net") {
inputs.net = {
fielddrop = [
"bytes_recv"
"bytes_sent"
"speed"
];
};
})
(lib.mkIf (hasCollector "netstat") {
inputs.netstat = {
fielddrop = [
"tcp_close"
"tcp_close_wait"
"tcp_closing"
"tcp_fin_wait1"
"tcp_fin_wait2"
"tcp_last_ack"
"tcp_none"
"tcp_syn_recv"
"tcp_syn_sent"
];
};
})
(lib.mkIf (hasCollector "processes") {
inputs.processes = {
fielddrop = [
"dead"
"idle"
"paging"
"stopped"
"unknown"
"zombies"
];
};
})
(lib.mkIf (hasCollector "temp") {
inputs.temp = { };
})
(lib.mkIf (hasCollector "mdstat") {
inputs.mdstat = { };
})
(lib.mkIf (hasCollector "smart") {
inputs.smart = {
use_sudo = true;
attributes = true;
};
})
(lib.mkIf (hasCollector "docker") {
inputs.docker = [
{
endpoint = "unix:///var/run/docker.sock";
timeout = "5s";
perdevice_include = [ ];
total_include = [ ];
docker_label_exclude = [ "*" ];
tagexclude = [
"container_image"
"container_status"
"container_version"
"engine_host"
"server_version"
];
namedrop = [
"docker_container_health"
"docker_container_mem"
"docker_container_status"
];
fielddrop = [
"memory_total"
"n_cpus"
"n_goroutines"
"n_listener_events"
"n_used_file_descriptors"
"server_version"
];
}
{
endpoint = "unix:///var/run/docker.sock";
timeout = "5s";
perdevice_include = [ ];
total_include = [ ];
docker_label_exclude = [ "*" ];
tagexclude = [
"container_image"
"container_status"
"container_version"
"engine_host"
"server_version"
];
namepass = [ "docker_container_mem" ];
fielddrop = [
"active_anon"
"active_file"
"container_id"
"hierarchical_memory_limit"
"inactive_anon"
"inactive_file"
"mapped_file"
"max_usage"
"pgfault"
"pgmajfault"
"pgpgin"
"pgpgout"
"rss_huge"
"total_active_anon"
"total_active_file"
"total_cache"
"total_inactive_anon"
"total_inactive_file"
"total_mapped_file"
"total_pgfault"
"total_pgmajfault"
"total_pgpgin"
"total_pgpgout"
"total_rss"
"total_rss_huge"
"total_unevictable"
"total_writeback"
"unevictable"
"writeback"
];
}
];
})
(lib.mkIf (hasCollector "systemd_units") {
inputs.systemd_units = {
pattern = "*";
unittype = "service";
details = true;
timeout = "5s";
};
})
(lib.mkIf (hasCollector "ping") {
inputs.ping = {
urls = [ "1.1.1.1" ];
count = 4;
interval = "60s";
timeout = 5.0;
binary = "${pkgs.iputils}/bin/ping";
fielddrop = [
"packets_received"
"packets_transmitted"
];
};
})
(lib.mkIf (hasCollector "internet_speed") {
inputs.internet_speed = {
interval = "30m";
cache = true;
memory_saving_mode = true;
};
})
(lib.mkIf (hasCollector "gpu" || hasCollector "nix") {
inputs.exec =
lib.optionals (hasCollector "gpu") [{
commands = [ amdgpuMetricsScript ];
timeout = "5s";
data_format = "influx";
}]
++ lib.optionals (hasCollector "nix") [{
commands = [
(pkgs.writeShellScript "telegraf-nix-metrics" ''
set -euo pipefail
current="$(${lib.getExe pkgs.nixos-rebuild} list-generations | ${lib.getExe pkgs.gawk} '$NF == "True" {print $1 "|" $2 " " $3; exit}')"
[ -n "$current" ]
generation="''${current%%|*}"
build_datetime="''${current#*|}"
build_timestamp="$(${lib.getExe' pkgs.coreutils "date"} -d "$build_datetime" +%s)"
now="$(${lib.getExe' pkgs.coreutils "date"} +%s)"
store_bytes="$(${lib.getExe' pkgs.coreutils "du"} -sb /nix/store | ${lib.getExe pkgs.gawk} '{print $1}')"
printf 'nix generation=%si,configured_packages=%si,store_bytes=%si,build_timestamp=%si,seconds_since_build=%si,build_datetime="%s"\n' \
"$generation" \
${toString (builtins.length config.environment.systemPackages)} \
"$store_bytes" \
"$build_timestamp" \
"$((now - build_timestamp))" \
"$build_datetime"
'')
];
interval = "1h";
timeout = "30s";
data_format = "influx";
}];
})
];
outputsConfig = lib.mkMerge [{
outputs.influxdb_v3 = {
urls = cfg.outputs;
token = "$INFLUX_TOKEN";#config.sops.secrets.telegraf.path;
database = "telegraf";
};
}
];
in {
config = lib.mkIf cfg.enable {
services.telegraf = {
enable = true;
environmentFiles = [ config.sops.secrets.telegraf.path ];
extraConfig = lib.mkMerge [
baseConfig
inputsConfig
outputsConfig
cfg.extraConfig
];
};
users.users.telegraf.extraGroups = dockerGroups;
systemd.services.telegraf = {
path =
lib.optionals (hasCollector "smart") [ pkgs.smartmontools pkgs.nvme-cli ]
++ lib.optionals (hasCollector "gpu") [ pkgs.custom.amdgpu_top pkgs.jq ];
serviceConfig.SupplementaryGroups = dockerGroups;
};
security.sudo.extraRules = lib.optionals (hasCollector "smart") [{
users = [ "telegraf" ];
commands = [{
command = "${pkgs.smartmontools}/bin/smartctl";
options = [ "NOPASSWD" ];
}];
}];
};
}

54
modules/server/containers/apps/.template.nix
View File

@@ -1,54 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "EXAMPLE";
tag = "0.0.0";
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "echo 1" ];
ExposedPorts = { };
};
};
settings = pkgs.writeText "settings.yaml" ...;
templateData = builder.mkData { name = "template"; dir = "template"; vars = {
_ARGUMENT = "template";
};
};
in {
requires = {
secrets = [ ];
databases = [ ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/example/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
# imageStream = image;
image = "....:${version}";
port = 8080;
secret = name;
extraEnv = { };
overrides = {
cmd = [ ];
volumes = [ ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."EXAMPLE".path;
script = pkgs.writeShellScript "setup" ''
...
'';
};
};
}

8
modules/server/containers/apps/.todo.md
View File

@@ -1,8 +0,0 @@
# Missing
RSS: TTRSS / FreshRSS
Monitoring: Telegraf + InfluxDB
https://github.com/tarampampam/error-pages ?
kavita + mylar ? kapowarr ?
- Transmission Cfg and API/Token handling

139
modules/server/containers/apps/authentik.nix
View File

@@ -1,139 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "2026.2.2";
serverCfg = config.syscfg.server;
mediaCfg = config.syscfg.media;
authentikBackground = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
logoIcoFileName = builtins.baseNameOf (toString mediaCfg.logo.ico);
backgroundFileName = builtins.baseNameOf (toString authentikBackground);
logoSvgMount = "/data/media/public/branding/${logoSvgFileName}";
logoIcoMount = "/data/media/public/branding/${logoIcoFileName}";
backgroundMount = "/data/media/public/branding/${backgroundFileName}";
authentikData = builder.mkData {
name = "authentik"; dir = "authentik"; vars = {
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
COOKIE_DOMAIN = "${serverCfg.domain}";
AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
AUTHENTIK_BRANDING_TITLE = if containerCfg.extra ? name then containerCfg.extra.name else "authentik";
AUTHENTIK_BRANDING_LOGO = "branding/${logoSvgFileName}";
AUTHENTIK_BRANDING_FAVICON = "branding/${logoIcoFileName}";
AUTHENTIK_BRANDING_BACKGROUND = "branding/${backgroundFileName}";
}
// (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?freshrss then { FRESHRSS_DOMAIN = "${serverCfg.containers.freshrss.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?homepage then { HOMEPAGE_DOMAIN = "${serverCfg.containers.homepage.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/authentik";
owner = "1000:1000";
dirs = ["media" "templates"];
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = 9000;
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
} // lib.optionalAttrs (serverCfg.mail.server != null) {
AUTHENTIK_EMAIL__HOST = serverCfg.mail.server;
AUTHENTIK_EMAIL__PORT = "587";
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
AUTHENTIK_EMAIL__USE_TLS = "true";
AUTHENTIK_EMAIL__USE_SSL = "false";
AUTHENTIK_EMAIL__TIMEOUT = "10";
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
};
overrides = {
environmentFiles = [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
cmd = [ "server" ];
volumes = [
"${serverCfg.path.config.path}/authentik/media:/media"
"${serverCfg.path.config.path}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
"${mediaCfg.logo.svg}:${logoSvgMount}:ro"
"${mediaCfg.logo.ico}:${logoIcoMount}:ro"
"${authentikBackground}:${backgroundMount}:ro"
];
};
};
worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.path.config.path}/authentik/media:/media"
"${serverCfg.path.config.path}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
"${mediaCfg.logo.svg}:${logoSvgMount}:ro"
"${mediaCfg.logo.ico}:${logoIcoMount}:ro"
"${authentikBackground}:${backgroundMount}:ro"
];
};
};
ldap = builder.mkContainer {
image = "ghcr.io/goauthentik/ldap:${version}";
secret = name;
extraEnv = {
AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}";
AUTHENTIK_INSECURE = "false";
};
};
};
setup = {
trigger = "worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
$AK apply_blueprint /blueprints/custom/authentik.yaml
$AK apply_blueprint /blueprints/custom/branding.yaml
$AK apply_blueprint /blueprints/custom/traefik.yaml
$AK apply_blueprint /blueprints/custom/ldap.yaml
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
echo "Completed Authentik Setup"
'';
};
};
}

42
modules/server/containers/apps/calibre.nix
View File

@@ -1,42 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "crocodilestick/calibre-web-automated:${version}";
port = 8083;
# secret = name;
extraEnv = {
CWA_PORT_OVERRIDE = "8083";
PUID = "1000";
PGID = "1000";
#HARDCOVER_TOKEN= ....
TRUSTED_PROXY_COUNT= "1";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`)";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik) then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
volumes = [
"${serverCfg.path.book.path}:/calibre-library"
"${serverCfg.path.dlComplete.path}:/cwa-book-ingest"
];
};
};
};
};
# curl 'https://books.test.helcel.net/admin/ajaxconfig' \
# -X POST
# -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'
# --data-raw 'csrf_token=${CSRF_TOKEN}&config_certfile=&config_keyfile=&config_updatechannel=0&config_trustedhosts=&config_log_level=20&config_logfile=%2Fdev%2Fstdout&config_access_logfile=%2Fconfig%2Faccess.log&config_embed_metadata=on&config_uploading=on&config_upload_formats=m4b%2Cacsm%2Cdoc%2Cpdf%2Cmp3%2Codt%2Ccbr%2Crtf%2Clit%2Cprc%2Cm4a%2Cdjv%2Cfb2%2Copus%2Cdocx%2Cazw3%2Cepub%2Cdjvu%2Cwav%2Ccb7%2Ccbz%2Cmp4%2Ckfx-zip%2Cmobi%2Ccbt%2Cogg%2Ckfx%2Ckepub%2Ctxt%2Cazw%2Chtml%2Cflac&config_external_port=8083&config_goodreads_api_key=&config_hardcover_token=&config_use_https=on&config_reverse_proxy_login_header_name=&config_login_type=1&config_ldap_provider_url=sso.test.helcel.net&config_ldap_port=389&config_ldap_encryption=0&config_ldap_cacert_path=&config_ldap_cert_path=&config_ldap_key_path=&config_ldap_authentication=2&config_ldap_serv_username=cn%3Dldap-service%2Cou%3Dusers%2C%24%7BLDAP_DC_DOMAIN%7D&config_ldap_serv_password_e=%24DEFAULT_LDAP_PASSWORD&config_ldap_dn=%24%7BLDAP_DC_DOMAIN%7D&config_ldap_user_object=(memberOf%3Dcn%3Dcloud%2Cou%3Dgroups%2C%24%7BLDAP_DC_DOMAIN%7D)&config_ldap_openldap=on&config_ldap_auto_create_users=on&config_ldap_group_object_filter=(memberOf%3Dcn%3Dcloud%2Cou%3Dgroups%2C%24%7BLDAP_DC_DOMAIN%7D)&config_ldap_group_name=cloud&config_ldap_group_members_field=memberUid&ldap_import_user_filter=0&config_ldap_member_user_object=&config_generic_oauth_metadata_url=&config_generic_oauth_server_url=&config_generic_oauth_auth_url=&config_generic_oauth_token_url=&config_generic_oauth_userinfo_url=&config_generic_oauth_scope=email+openid+profile&config_oauth_redirect_host=&config_generic_oauth_client_id=&config_generic_oauth_client_secret=&config_generic_oauth_username_mapper=preferred_username&config_generic_oauth_email_mapper=email&config_generic_oauth_admin_group=admin&config_generic_oauth_login_button=OpenID+Connect&config_1_oauth_client_id=&config_1_oauth_client_secret=&config_2_oauth_client_id=&config_2_oauth_client_secret=&config_binariesdir=%2Fusr%2Fbin&config_calibre=&config_kepubifypath=%2Fusr%2Fbin%2Fkepubify&config_rarfile_location=%2Fusr%2Fbin%2Funrar&config_enable_oauth_group_admin_management=on&config_ratelimiter=on&config_limiter_uri=&config_limiter_options=&config_check_extensions=on&config_session=1&config_password_policy=on&config_password_min_length=8&config_password_number=on&config_password_lower=on&config_password_upper=on&config_password_character=on&config_password_special=on'
}

37
modules/server/containers/apps/collabora.nix
View File

@@ -1,37 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
requires.secrets = [ name ];
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "collabora/code:${version}";
port = 9980;
secret = name;
extraEnv = {
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
"server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
"username" = "collabora_user";
"VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
"VIRTUAL_PORT" = "9980";
"VIRTUAL_PROTO" = "http";
"DONT_GEN_SSL_CERT" = "true";
"RESOLVE_TO_PROXY_IP" = "true";
"extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
"dictionaries" = "en fr de jp no";
};
overrides = {
volumes = [
"${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
"${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
];
};
};
};
};
}

42
modules/server/containers/apps/ethercalc.nix
View File

@@ -1,42 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
ethercalc_exe = pkgs.ethercalc;
image = pkgs.dockerTools.streamLayeredImage {
name = "ethercalc";
tag = ethercalc_exe.version;
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
ExposedPorts = { "8080/tcp" = {}; };
};
};
in {
requires.secrets = [ name ];
runtime = {
paths = [{
path="${serverCfg.path.data.path}/ethercalc/";
mode = "0666";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
ETHERCALC_PORT = "8080";
#CONNECT TO REDIS
};
overrides = {
volumes = [
"${serverCfg.path.data.path}/ethercalc:/data"
];
};
};
};
};
}

129
modules/server/containers/apps/etherpad.nix
View File

@@ -1,129 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
etherpad_exe = pkgs.etherpad-lite;
settings = pkgs.writeText"settings.json" (builtins.toJSON {
title= "\${TITLE:Etherpad}";
showRecentPads = "\${SHOW_RECENT_PADS:true}";
favicon = "\${FAVICON:null}";
publicURL = "\${PUBLIC_URL:null}";
skinName = "\${SKIN_NAME:colibris}";
skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
ip = "\${IP:0.0.0.0}";
port = "\${PORT:9001}";
showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
enableMetrics = "\${ENABLE_METRICS:true}";
updates.tier = "off";
cleanup.enabled = false;
gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
enableDarkMode = "\${ENABLE_DARK_MODE:true}";
enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
dbType = "\${DB_TYPE:dirty}";
dbSettings = {
host = "\${DB_HOST:undefined}";
port = "\${DB_PORT:undefined}";
database = "\${DB_NAME:undefined}";
user = "\${DB_USER:undefined}";
password = "\${DB_PASS:undefined}";
charset = "\${DB_CHARSET:undefined}";
filename = "\${DB_FILENAME:var/dirty.db}";
collection = "\${DB_COLLECTION:undefined}";
url = "\${DB_URL:undefined}";
};
defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
padOptions = {
noColors = "\${PAD_OPTIONS_NO_COLORS:false}";
showControls = "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
showChat = "\${PAD_OPTIONS_SHOW_CHAT:true}";
showLineNumbers = "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
userName = "\${PAD_OPTIONS_USER_NAME:null}";
userColor = "\${PAD_OPTIONS_USER_COLOR:null}";
rtl = "\${PAD_OPTIONS_RTL:false}";
alwaysShowChat = "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
chatAndUsers = "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
lang = "\${PAD_OPTIONS_LANG:null}";
fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
};
requireSession = "\${REQUIRE_SESSION:false}";
editOnly = "\${EDIT_ONLY:false}";
minify = "\${MINIFY:true}";
requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
trustProxy = "\${TRUST_PROXY:true}";
ep_headerauth.username_header = "X-authentik-username";
users.admin = {
password = "\${ADMIN_PASSWORD:null}";
is_admin = true;
};
socketTransportProtocols = ["websocket" "polling"];
socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
indentationOnNewLine = true;
loglevel = "\${LOGLEVEL:INFO}";
lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
});
image = pkgs.dockerTools.streamLayeredImage {
name = "etherpad";
tag = etherpad_exe.version;
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
ExposedPorts = { "8080/tcp" = {}; };
};
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/etherpad/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
TITLE = "Pad";
PORT ="8080";
DB_TYPE = "postgres";
DB_HOST = builder.host;
DB_NAME = "etherpad_db";
DB_USER = "etherpad_user";
TRUST_PROXY = "true";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
overrides = {
cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
volumes = [
"${settings}:/etc/etherpad/settings.json"
"${serverCfg.path.config.path}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."ETHERPAD".path;
script = pkgs.writeShellScript "setup" ''
echo "$APIKEY" > ${serverCfg.path.config.path}/etherpad/APIKEY.txt
chmod 444 ${serverCfg.path.config.path}/etherpad/APIKEY.txt
'';
};
};
}

281
modules/server/containers/apps/favicon.nix
View File

@@ -1,281 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
mediaCfg = config.syscfg.media;
palette = serverCfg.colorScheme.palette or { };
port = 8080;
assetSize = 64;
cacheControl = containerCfg.extra.cacheControl or "public, max-age=86400";
priority = toString (containerCfg.extra.priority or 2147482647);
logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
logoSvgMount = "/assets/${logoSvgFileName}";
borderRadius = toString (containerCfg.extra.borderRadius or 32);
resolveColor = value:
if value == null then null
else if !builtins.isString value then
throw "favicon color values must be strings"
else if lib.hasPrefix "#" value then
value
else
lib.attrByPath [ value ] (throw "Unknown favicon color reference `${value}`") palette;
normalizeProfile = profile:
let
bg =
if profile ? bg then resolveColor profile.bg
else if profile ? background then resolveColor profile.background
else null;
fg =
if profile ? fg then resolveColor profile.fg
else if profile ? foreground then resolveColor profile.foreground
else null;
in
(lib.filterAttrs (name: _: !(builtins.elem name [ "bg" "background" "fg" "foreground" ])) profile)
// lib.optionalAttrs (bg != null) { bg = bg; }
// lib.optionalAttrs (fg != null) { fg = fg; };
hostMappings = lib.mapAttrs' (mapping: profile:
lib.nameValuePair mapping (normalizeProfile profile)
) (containerCfg.extra.mappings or {});
traefikAssetPathRegexp =
"^/(.*/)?"
+ "(fav(icon)?(-[0-9]+x[0-9]+)?\\.(ico|png|svg)"
+ "|(favicon|apple-icon)(-[0-9]+)?(\\.(ico|png))?"
+ "|logo\\.(ico)"
+ "|fav([0-9]+)?\\.(ico|png)"
+ "|apple-touch-icon(-precomposed)?\\.png"
+ "|android-chrome-[0-9]+x[0-9]+\\.png"
+ "|mstile-[0-9]+x[0-9]+\\.png)$";
configFile = pkgs.writeText "favicon-config.json" (builtins.toJSON {
inherit cacheControl;
borderRadius = borderRadius;
domain = serverCfg.domain;
mappings = hostMappings;
default =
if containerCfg.extra ? default then normalizeProfile containerCfg.extra.default
else null;
});
pythonEnv = pkgs.python3.withPackages (ps: with ps; [
cairosvg
pillow
]);
serverScript = pkgs.writeText "favicon-server.py" ''
import base64
import hashlib
from io import BytesIO
import json
import os
import re
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
import cairosvg
from PIL import Image
CONFIG_PATH = os.environ.get("FAVICON_CONFIG", "/config/config.json")
LOGO_PATH = os.environ.get("FAVICON_LOGO", "/assets/logo.svg")
CACHE_DIR = Path(os.environ.get("FAVICON_CACHE_DIR", "/cache"))
LISTEN_HOST = os.environ.get("FAVICON_LISTEN_HOST", "0.0.0.0")
LISTEN_PORT = int(os.environ.get("FAVICON_PORT", "8080"))
ASSET_SIZE = int(os.environ.get("FAVICON_ASSET_SIZE", "${toString assetSize}"))
DEFAULT_CACHE_CONTROL = "public, max-age=86400"
with open(CONFIG_PATH, "r", encoding="utf-8") as fh:
APP_CONFIG = json.load(fh)
with open(LOGO_PATH, "rb") as fh:
LOGO_BYTES = fh.read()
MAPPINGS = APP_CONFIG.get("mappings", {})
DEFAULT_PROFILE = APP_CONFIG.get("default")
APP_DOMAIN = (APP_CONFIG.get("domain", "") or "").strip().lower()
CACHE_CONTROL = APP_CONFIG.get("cacheControl", DEFAULT_CACHE_CONTROL)
LOGO_HASH = hashlib.sha256(LOGO_BYTES).hexdigest()
def _normalize_host(host):
host = (host or "").split(",", 1)[0].split(":", 1)[0].strip().lower()
if APP_DOMAIN and host.endswith(f".{APP_DOMAIN}"):
return host[:-(len(APP_DOMAIN) + 1)]
return host
def _request_host(headers):
forwarded = headers.get("X-Forwarded-Host", "")
original = headers.get("X-Original-Host", "")
host = forwarded or original or headers.get("Host", "")
return _normalize_host(host)
def _pick_profile(host):
return MAPPINGS.get(host) or DEFAULT_PROFILE
def _color(value, fallback):
return value if isinstance(value, str) and value else fallback
def _resolved_profile(profile):
return {
"bg": _color(profile.get("bg") or profile.get("background"), "#111827"),
"fg": _color(profile.get("fg") or profile.get("foreground"), "#f8fafc"),
}
def _replace_svg_color(svg, attribute, color):
if attribute in {"fill", "stroke"}:
svg = re.sub(
rf'{attribute}="(?!none\\b)[^"]*"',
f'{attribute}="{color}"',
svg,
flags=re.IGNORECASE,
)
svg = re.sub(
rf"{attribute}='(?!none\\b)[^']*'",
f"{attribute}='{color}'",
svg,
flags=re.IGNORECASE,
)
return re.sub(
rf"{attribute}\\s*:\\s*(?!none\\b)[^;\"\\']+",
f"{attribute}:{color}",
svg,
flags=re.IGNORECASE,
)
def _tinted_logo_data_uri(color):
svg = LOGO_BYTES.decode("utf-8")
svg = _replace_svg_color(svg, "fill", color)
svg = _replace_svg_color(svg, "stroke", color)
return "data:image/svg+xml;base64," + base64.b64encode(svg.encode("utf-8")).decode("ascii")
border_radius = str(APP_CONFIG.get("borderRadius", "8")).strip()
if not border_radius.endswith("px"):
border_radius = f"{border_radius}px"
def _render_svg(colors):
logo_data_uri = _tinted_logo_data_uri(colors["fg"])
canvas = 256
return f"""<svg xmlns="http://www.w3.org/2000/svg" width="{canvas}" height="{canvas}" viewBox="0 0 {canvas} {canvas}">
<rect x="0" y="0" width="{canvas}" height="{canvas}" rx="{border_radius}" ry="{border_radius}" fill="{colors["bg"]}" />
<image href="{logo_data_uri}" x="0" y="0" width="{canvas}" height="{canvas}" preserveAspectRatio="xMidYMid meet" />
</svg>"""
def _cache_key(host, colors):
cache_inputs = {
"asset_size": ASSET_SIZE,
"bg": colors["bg"],
"border_radius": border_radius,
"fg": colors["fg"],
"host": host,
"logo_hash": LOGO_HASH,
}
payload = json.dumps(cache_inputs, sort_keys=True, separators=(",", ":"))
return hashlib.sha256(payload.encode("utf-8")).hexdigest()[:16]
def _cache_name(host, colors):
safe_host = re.sub(r"[^a-z0-9.-]+", "_", host or "default")
return f"{safe_host}-{_cache_key(host, colors)}.ico"
def _generate_asset(host, profile):
colors = _resolved_profile(profile)
cache_name = _cache_name(host, colors)
target = CACHE_DIR / cache_name
if target.exists():
return target
CACHE_DIR.mkdir(parents=True, exist_ok=True)
svg = _render_svg(colors).encode("utf-8")
png_bytes = cairosvg.svg2png(bytestring=svg, output_width=ASSET_SIZE, output_height=ASSET_SIZE)
image = Image.open(BytesIO(png_bytes))
image.save(target, format="ICO", sizes=[(ASSET_SIZE, ASSET_SIZE)])
image.close()
return target
class Handler(BaseHTTPRequestHandler):
server_version = "favicon-router/1.0"
def _serve(self, include_body):
host = _request_host(self.headers)
profile = _pick_profile(host)
if not profile:
self.send_error(404, "No favicon mapping for host")
return
asset_path = _generate_asset(host, profile)
etag = f'"{asset_path.stem.rsplit("-", 1)[-1]}"'
if self.headers.get("If-None-Match") == etag:
self.send_response(304)
self.send_header("ETag", etag)
self.send_header("Cache-Control", CACHE_CONTROL)
self.end_headers()
return
payload = asset_path.read_bytes()
self.send_response(200)
self.send_header("Content-Type", "image/x-icon")
self.send_header("Content-Length", str(len(payload)))
self.send_header("Cache-Control", CACHE_CONTROL)
self.send_header("ETag", etag)
self.end_headers()
if include_body:
self.wfile.write(payload)
def do_GET(self):
self._serve(include_body=True)
def do_HEAD(self):
self._serve(include_body=False)
def log_message(self, fmt, *args):
print("%s - - [%s] %s" % (self.address_string(), self.log_date_time_string(), fmt % args))
if __name__ == "__main__":
httpd = ThreadingHTTPServer((LISTEN_HOST, LISTEN_PORT), Handler)
httpd.serve_forever()
'';
image = pkgs.dockerTools.streamLayeredImage {
name = "favicon";
tag = "1";
contents = [
pythonEnv
pkgs.cacert
pkgs.tzdata
];
config = {
Entrypoint = [ "${pythonEnv}/bin/python3" serverScript ];
ExposedPorts = { "${toString port}/tcp" = { }; };
WorkingDir = "/";
};
};
in {
runtime = {
paths = [
{
path = "${serverCfg.path.config.path}/favicon";
mode = "0755";
dirs = [ "cache" ];
}
];
containers = {
server = builder.mkContainer {
imageStream = image;
port = port;
extraEnv = {
FAVICON_CONFIG = "/config/config.json";
FAVICON_LOGO = logoSvgMount;
FAVICON_CACHE_DIR = "/cache";
FAVICON_PORT = toString port;
FAVICON_ASSET_SIZE = toString assetSize;
};
extraLabels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "web-secure";
"traefik.http.routers.${name}.rule" = "PathRegexp(`${traefikAssetPathRegexp}`)";
"traefik.http.routers.${name}.priority" = priority;
"traefik.http.routers.${name}.tls" = "true";
"traefik.http.services.${name}.loadbalancer.server.port" = toString port;
};
overrides = {
volumes = [
"${configFile}:/config/config.json:ro"
"${serverCfg.path.config.path}/favicon/cache:/cache"
"${mediaCfg.logo.svg}:${logoSvgMount}:ro"
];
};
};
};
};
}

61
modules/server/containers/apps/freshrss.nix
View File

@@ -1,61 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [
{
path = "${serverCfg.path.config.path}/freshrss";
owner = "1000:1000";
mode = "0755";
}
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/freshrss/freshrss:${version}";
port = 80;
extraEnv = {
CRON_MIN = "5,35";
TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
LISTEN = "80";
OIDC_ENABLED = "1";
OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
OIDC_REMOTE_USER_CLAIM = "preferred_username";
OIDC_CLIENT_ID = "freshrss";
OIDC_SCOPES = "openid profile";
OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
};
overrides = {
environmentFiles = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path ];
volumes = ["${serverCfg.path.config.path}/freshrss:/var/www/FreshRSS/data"];
};
};
};
setup = {
trigger = "server"; # Triggers atomic environment verification on main controller
envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
script = pkgs.writeShellScript "setup-freshrss" ''
RSS="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data freshrss-server"
$RSS ./cli/prepare.php
$RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
--title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss_user --db-password $DB_PASSWORD --db-base freshrss_db
$RSS ./cli/create-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
$RSS ./cli/reconfigure.php
# $RSS ./cli/access-permissions.sh
'';
};
};
}

96
modules/server/containers/apps/frigate.nix
View File

@@ -1,96 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
# Ensure the package is available (Nixpkgs includes frigate)
frigatePkg = pkgs.frigate;
image = pkgs.dockerTools.streamLayeredImage {
name = "frigate";
tag = frigatePkg.version;
contents = [
pkgs.bashInteractive
frigatePkg
pkgs.ffmpeg # Explicitly included for video stream processing
];
config = {
Entrypoint = [ "${frigatePkg}/bin/frigate" ];
Cmd = [ "start" ];
ExposedPorts = {
"5000/tcp" = {}; # Web UI / API
"8554/tcp" = {}; # RTSP Feeds
"8555/tcp" = {}; # WebRTC
};
Env = [
"FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
];
};
};
in {
requires.secrets = [ name ];
runtime = {
paths = [
{
path = "${serverCfg.path.config.path}/frigate/";
mode = "0755";
}
{
path = "/var/lib/frigate/storage/";
mode = "0755"; # Dedicated path for heavy video recordings and media
}
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 5000;
secret = name;
extraEnv = {
PLUS_API_KEY = ""; # Optional: For Frigate Plus users
};
overrides = {
cmd = [ ];
volumes = [
"${serverCfg.path.config.path}/frigate:/config"
"/var/lib/frigate/storage:/media/frigate"
"/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
"/dev/dri:/dev/dri" # Passes Intel/AMD GPU for hardware video decoding
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."FRIGATE_ENV".path;
script = pkgs.writeShellScript "setup-frigate" ''
mkdir -p "${serverCfg.path.config.path}/frigate"
mkdir -p "/var/lib/frigate/storage"
# Bootstrap a standard configuration layout if missing
if [ ! -f "${serverCfg.path.config.path}/frigate/config.yml" ]; then
cat <<EOF > "${serverCfg.path.config.path}/frigate/config.yml"
mqtt:
enabled: False # Set to True and define host if connecting to Home Assistant
database:
path: /config/frigate.db
cameras:
dummy_camera: # Replace with your actual RTSP stream details
enabled: false
ffmpeg:
inputs:
- path: rtsp://127.0.0.1:554/live
roles:
- detect
detect:
enabled: false
EOF
fi
'';
};
};
}

145
modules/server/containers/apps/gitea.nix
View File

@@ -1,145 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.data.path}/gitea";
owner = "1000:1000";
dirs = ["data" "runner"];
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "gitea/gitea:${version}";
port = 8080;
secret = name;
extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
GITEA__repository__DISABLE_STARS = "true";
GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
# GITEA__ui__THEMES = "";
# GITEA__ui__DEFAULT_THEME = "";
# GITEA__security__SECRET_KEY = "SECRET_ENV";
# GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
# GITEA__database__PASSWD = "SECRET_ENV";
# GITEA__mailer__PASSWD="SECRET_ENV";
GITEA__database__DB_TYPE = "postgres";
GITEA__database__HOST = builder.host;
GITEA__database__NAME = "gitea_db";
GITEA__database__USER = "gitea_user";
GITEA__mailer__ENABLED = "true";
GITEA__mailer__FROM = "";
GITEA__mailer__PROTOCOL = "smtps";
GITEA__mailer__SMTP_ADDR = "";
GITEA__mailer__SMTP_PORT = "";
GITEA__mailer__USER= "";
GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
GITEA__server__PROTOCOL = "http";
GITEA__server__HTTP_PORT = "8080";
GITEA__server__LFS_START_SERVER = "true";
GITEA__security__INSTALL_LOCK = "true";
} // ( if serverCfg.containers?authentik then {
GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
GITEA__security__RREVERSE_PROXY_LIMIT = "1";
GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
} else {});
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik && containerCfg.extra?proxyauth) then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
volumes = [
"${serverCfg.path.data.path}/gitea/data:/data"
];
ports = [ "2222:22" ];
};
};
runner = builder.mkContainer {
image = "gitea/act_runner:${version}";
secret = name;
extraEnv = {
#CONFIG_FILE="/data/config.yml";
GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
};
overrides = {
volumes = [
"${serverCfg.path.data.path}/gitea/runner:/data"
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
$GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
touch ${serverCfg.path.data.path}/gitea/data-runner/config.yml
RUNNER_TOKEN=$($GT actions generate-runner-token)
$GTR register \
--instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
--token "$RUNNER_TOKEN" \
--name "Runner" \
--labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
--no-interactive
${lib.optionalString (serverCfg.containers ? authentik) ''
$GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
--bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
--user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
--user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
--admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
--username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
--synchronize-users
''}
echo "Completed Gitea Setup"
'';
};
};
}

48
modules/server/containers/apps/handbrake.nix
View File

@@ -1,48 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
version = "latest";
in {
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/handbrake";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain;
subpath = containerCfg.subpath;
image = "ghcr.io/jlesage/handbrake:${version}";
port = 5800;
extraEnv = {
USER_ID = "1000";
GROUP_ID = "1000";
AUTOMATED_CONVERSION_PRESET = "Custom/AV1 MKV 1080p30";
AUTOMATED_CONVERSION_FORMAT = "mkv";
AUTOMATED_CONVERSION_OUTPUT_SUBDIR = "SAME_AS_SRC";
};
overrides = {
volumes = [
"${serverCfg.path.config.path}/handbrake:/config:rw"
"${serverCfg.path.dlComplete.path}:/watch:rw"
"${serverCfg.path.dlConverted.path}:/output:rw"
];
};
};
};
setup = {
trigger = "server";
script = pkgs.writeShellScript "setup" ''
mkdir -p ${serverCfg.path.data.path}/handbrake/{watch,output}
'';
};
};
}

102
modules/server/containers/apps/homeassistant.nix
View File

@@ -1,102 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
runtime = {
vm = {
portForward = [ 8123 ];
cfg = {cfg,...}: {
services.home-assistant = {
enable = true;
openFirewall = true;
extraComponents = [
"matter" "thread" "cast" "zha"
"default_config" "met" "esphome" "radio_browser"
"telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin"
] ++ (if containerCfg.extra ? components then containerCfg.extra.components else []);
extraPackages = pp: with pp; [
python-telegram gtts
];
lovelaceConfig = {};
config = {
homeassistant = {
name = "Home";
latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}";
longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}";
elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}";
unit_system = "metric";
time_zone = config.time.timeZone;
};
lovelace = { mode = "yaml"; };
customLovelaceModules = [];
# default_config = {};
http = {
use_x_forwarded_for = true;
trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ];
};
};
};
};
};
containers = {
dummy = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "alpine:latest";
extraLabels = {
"traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123";
};
overrides = {cmd = [ "sleep" "infinity" ];};
};
};
setup = {
trigger = "dummy";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do
sleep 5
done
sleep 5
ONBOARDING_STATUS=$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/api/onboarding" 2>/dev/null || echo "000")
if [ "$ONBOARDING_STATUS" = "200" ]; then
AUTH_CODE=$( ${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/api/onboarding/users" \
-H "Content-Type: application/json" \
-d '{"client_id":"'"$HASS_URL"'","name":"'"$DEFAULT_ADMIN_USERNAME"'","username":"'"$DEFAULT_ADMIN_USERNAME"'","password":"'"$DEFAULT_ADMIN_PASSWORD"'","language":"en"}' \
| ${pkgs.jq}/bin/jq -r '.auth_code' )
ACCESS_TOKEN=$(${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/auth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&code=$AUTH_CODE&client_id=$HASS_URL" \
| ${pkgs.jq}/bin/jq -r '.access_token' )
${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/core_config" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"time_zone":"${config.time.timeZone}"}' > /dev/null 2>&1 || true
# We can configure many more things above !
${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/analytics" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" -d '{}' > /dev/null 2>&1 || true
${pkgs.curl} -s -X POST "$HA_URL/api/onboarding/integration" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true
fi
'';
};
};
}

293
modules/server/containers/apps/homepage.nix
View File

@@ -1,293 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
mediaCfg = config.syscfg.media;
backgroundImage = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
backgroundFileName = builtins.baseNameOf (toString backgroundImage);
backgroundMount = "/app/public/media/${backgroundFileName}";
settings = pkgs.writers.writeYAML "settings.yaml" {
title = "Home";
description = "";
startUrl = "https://${containerCfg.subdomain}.${serverCfg.domain}";
background = {
image = "/media/${backgroundFileName}";
blur = "xs"; # "", sm, md, xl,...
# saturate = "";
brightness = 50;
# opacity = 40;
};
cardBlur = "md";
# favicon = "";
theme = "dark";
color = "slate";
fullWidth = true;
useEqualHeights = true;
pwa = {
};
layout = {
Admin = {
style = "row";
columns = 4;
};
};
providers = {
finnhub = "{{HOMEPAGE_VAR_FINNHUB}}";
};
headerStyle = "clean";
hideVersion = true;
disableUpdateCheck = true;
showStats = false;
statusStyle = "dot";
hideErrors = true;
};
widgets = pkgs.writers.writeYAML "widgets.yaml" [
{openmeteo = {
latitude = "47.3769";
longitude = "8.5417";
timezone = "Europe/Zurich";
units = "metric";
cache = "15";
};}
{search = {
provider = "custom";
focus = true;
showSearchSuggestions = true;
target = "_blank";
} // (lib.optionalAttrs (serverCfg.containers?searxng) {
url = "https://${serverCfg.containers.searxng.subdomain}.${serverCfg.domain}/search?q=";
suggestionUrl = "https://${serverCfg.containers.searxng.subdomain}.${serverCfg.domain}/autocompleter?q=";
});
}
{stocks = {
provider = "finnhub";
color = true;
cache = 15;
watchlist = containerCfg.extra.stocks or [];
};}
];
bookmarks = pkgs.writers.writeYAML "bookmarks.yaml" [
];
services = pkgs.writers.writeYAML "services.yaml" [
{Media = lib.flatten [
(lib.optional (serverCfg.containers?jellyfin) {
Jellyfin={
icon = "jellyfin.png";
href = "https://${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";
widget = {
type="jellyfin";
url = "http://jellyfin-server:8096";
key = "{{HOMEPAGE_VAR_JELLYFIN_API}}";
};
};
})
(lib.optional (serverCfg.containers?invidious) {
Invidious={
icon = "invidious.png";
href = "https://${serverCfg.containers.invidious.subdomain}.${serverCfg.domain}";
};
})
(lib.optional (serverCfg.containers?miniflux) {
Miniflux={
icon = "miniflux.png";
href = "https://${serverCfg.containers.miniflux.subdomain}.${serverCfg.domain}";
widget = {
type="miniflux";
url = "http://miniflux-server";
key = "{{HOMEPAGE_VAR_MINIFLUX_API}}";
};
};
})
];}
{Cloud = lib.flatten [
(lib.optional (serverCfg.containers?nextcloud) {
Nextcloud={
icon = "nextcloud.png";
href = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
widget = {
type="nextcloud";
url = "http://nextcloud-server:80";
key = "{{HOMEPAGE_VAR_NEXTCLOUD_API}}";
};
};
})
(lib.optional (serverCfg.containers?ethercalc) {
Ethercalc={
icon = "ethercalc.png";
href = "https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}";
};
})
(lib.optional (serverCfg.containers?etherpad) {
Etherpad={
icon = "etherpad.png";
href = "https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}";
};
})
(lib.optional (serverCfg.containers?immich) {
immich={
icon = "immich.png";
href = "https://${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";
widget = {
type="immich";
url = "http://immich-server:80";
key = "{{HOMEPAGE_VAR_IMMICH_API}}";
version = "2";
};
};
})
];}
{Dev = lib.flatten [
(lib.optional (serverCfg.containers?gitea) {
Gitea={
icon = "gitea.png";
href = "https://${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";
# widget = {
# type="gitea";
# url = "http://gitea-server:8080";
# key = "{{HOMEPAGE_VAR_GITEA_API}}";
# };
};
})
];}
{Admin = #lib.flatten [
#({permissions.groups = ["admin"];})
#({services =
lib.flatten [
(lib.optional (serverCfg.containers?traefik) {
Traefik={
icon = "traefik.png";
href = "https://${serverCfg.containers.traefik.subdomain}.${serverCfg.domain}";
widget = {
type = "traefik";
url = "http://traefik-server:8080";
};
};
})
(lib.optional (serverCfg.containers?authentik) {
Authentik={
icon = "authentik.png";
href = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}";
widget = {
type = "authentik";
url = "http://authentik-server:9000";
key = "{{HOMEPAGE_VAR_AUTHENTIK_API}}";
version = "2";
};
};
})
(lib.optional (serverCfg.containers?umami) {
Umami={
icon = "umami.png";
href = "https://${serverCfg.containers.umami.subdomain}.${serverCfg.domain}";
};
})
(lib.optional (serverCfg.containers?influx) {
Influx={
icon = "grafana.png";
href = "https://${serverCfg.containers.influx.subdomain}.${serverCfg.domain}";
};
})
(lib.optional (serverCfg.containers?handbrake) {
Handbrake={
icon = "handbrake.png";
href = "https://${serverCfg.containers.handbrake.subdomain}.${serverCfg.domain}";
};
})
(lib.optional (serverCfg.containers?transmission) {
Transmission={
icon = "transmission.png";
href = "https://${serverCfg.containers.transmission.subdomain}.${serverCfg.domain}/transmission";
widget = {
type = "transmission";
url = "http://transmission-server:9091";
rpcUrl = "/transmission/";
};
};
})
(lib.optional (serverCfg.containers?servarr) (
let
modules = serverCfg.containers.servarr.extra.modules or ["prowlarr" "sonarr" "radarr" "flaresolverr" ];
in
(lib.optional (builtins.elem "sonarr" modules) {
Sonarr={
icon = "sonarr.png";
href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/sonarr";
widget = {
type = "sonarr";
url = "http://servarr-sonarr:8989";
key = "{{HOMEPAGE_VAR_SONARR_API}}";
};
};
}) ++ (lib.optional (builtins.elem "radarr" modules) {
Radarr={
icon = "radarr.png";
href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/radarr";
widget = {
type = "radarr";
url = "http://servarr-radarr:8989";
key = "{{HOMEPAGE_VAR_RADARR_API}}";
};
};
}) ++ (lib.optional (builtins.elem "lidarr" modules) {
Lidarr={
icon = "lidarr.png";
href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/lidarr";
widget = {
type = "lidarr";
url = "http://servarr-lidarr:8989";
key = "{{HOMEPAGE_VAR_LIDARR_API}}";
};
};
}) ++ (lib.optional (builtins.elem "prowlarr" modules) {
Prowlarr={
icon = "prowlarr.png";
href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/prowlarr";
widget = {
type = "prowlarr";
url = "http://servarr-prowlarr:8989";
key = "{{HOMEPAGE_VAR_PROWLARR_API}}";
};
};
})
# Bazarr
))
];}#)];}
];
in {
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/gethomepage/homepage:${version}";
port = 3000;
extraEnv = {
HOMEPAGE_VAR_TITLE="${serverCfg.domain}";
HOMEPAGE_ALLOWED_HOSTS = "${containerCfg.subdomain}.${serverCfg.domain},${builder.host}";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.service" = "${containerCfg.subdomain}";
};
overrides = {
environmentFiles = [ config.sops.secrets."CUSTOM".path ];
volumes = [
"${settings}:/app/config/settings.yaml:ro"
"${services}:/app/config/services.yaml:ro"
"${widgets}:/app/config/widgets.yaml:ro"
"${bookmarks}:/app/config/bookmarks.yaml:ro"
"${backgroundImage}:${backgroundMount}:ro"
];
};
};
};
};
}

106
modules/server/containers/apps/immich.nix
View File

@@ -1,106 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "v2";
serverCfg = config.syscfg.server;
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/immich";
dirs = ["cache" "thumbs" "encoded-video"];
mode = "0755";
}{
path = "${serverCfg.path.data.path}/immich/";
dirs = ["backups"];
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/immich-app/immich-server:${version}";
port = 2283;
secret = name;
extraEnv = {
DB_HOSTNAME = builder.host;
REDIS_HOSTNAME = builder.host;
DB_USERNAME = "immich_user";
DB_DATABASE_NAME = "immich_db";
IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
# IMMICH_ALLOW_SETUP = "false";
IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
};
overrides = {
volumes = [
"${serverCfg.path.photo.path}:/data/upload"
"${serverCfg.path.data.path}/immich/backups:/data/backups"
"${serverCfg.path.config.path}/immich/thumbs:/data/thumbs"
"${serverCfg.path.config.path}/immich/encoded-video:/data/encoded-video"
];
};
};
ml = builder.mkContainer {
image = "ghcr.io/immich-app/immich-machine-learning:${version}";
port = 3003;
overrides = {
volumes = [
"${serverCfg.path.config.path}/immich/cache:/cache"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
PSQL="${pkgs.postgresql}/bin/psql -U postgres"
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
$PSQL -d "immich_db" -tAc "ALTER EXTENSION vchord UPDATE;"
$PSQL -d "immich_db" -tAc "ALTER EXTENSION earthdistance UPDATE;"
IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
sleep 5
done
${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
-H "Content-Type: application/json" -H "Accept: application/json" \
-d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
-H "Content-Type: application/json" \
-d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
| ${pkgs.jq}/bin/jq -r '.accessToken')
${lib.optionalString (serverCfg.containers ? authentik) ''
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
${pkgs.jq}/bin/jq '.oauth.enabled = true |
.oauth.autoRegister = true |
.oauth.autoLaunch = true |
.oauth.signingAlgorithm = "RS256" |
.oauth.profileSigningAlgorithm = "RS256" |
.oauth.clientId = "immich" |
.oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" |
.oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" |
.oauth.scope = "openid profile email" |
.oauth.buttonText = "Login with SSO"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
''}
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
.storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
'';
};
};
}

147
modules/server/containers/apps/influx.nix
View File

@@ -1,147 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
version = "latest";
influxSource = pkgs.writers.writeYAML "influx.yaml" {
apiVersion = 1;
datasources = [
{
name = "Telegraf";
type = "influxdb";
access = "proxy";
url = "http://influx-db:8181";
jsonData = {
version = "SQL";
dbName = "telegraf";
httpMode = "POST";
insecureGrpc = true;
};
secureJsonData = {
token = "\${INFLUXDB_TOKEN}";
};
isDefault = true;
editable = true;
}
];
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/influxdb/";
owner = "1500:1500";
mode = "0755";
}{
path = "${serverCfg.path.data.path}/influxdb/";
dirs = ["data" "ui"];
owner = "1500:1500";
mode = "0755";
}];
containers = {
db = builder.mkContainer {
image = "influxdb:3-core";
secret = name;
extraEnv = {
INFLUXD_DB_PATH = "/db";
INFLUXD_CONFIG_PATH = "/config";
};
overrides = {
cmd = [ "influxdb3" "serve" "--node-id=node0" "--data-dir=/var/lib/influxdb3/data" "--admin-token-file=/var/lib/influxdb3/token.json" ];
ports = [ "8181:8181" ];
volumes = [
"${serverCfg.path.data.path}/influxdb/data:/var/lib/influxdb3/data:rw"
"${serverCfg.path.config.path}/influxdb/admin-token.json:/var/lib/influxdb3/token.json:ro"
];
};
};
ui = if(containerCfg.extra?explorer) then builder.mkContainer {
tmpfs = true;
authentik = true;
subdomain = containerCfg.subdomain;
image = "influxdata/influxdb3-ui:${version}";
port = 8080; # 8888 is something else
secret = name;
extraEnv = {
DATABASE_URL = "/db/sqlite.db";
DEFAULT_INFLUX_SERVER = "http://${builder.host}:8181";
};
overrides = {
cmd = [ "--mode=admin" ];
volumes = [
"${serverCfg.path.data.path}/influxdb/ui:/db:rw"
"${serverCfg.path.config.path}/influxdb/:/app-root/config:rw"
];
};
} else builder.mkContainer {
tmpfs = true;
authentik = true;
subdomain = containerCfg.subdomain;
image = "grafana/grafana:${version}";
port = 3000;
extraEnv = {
GF_DEFAULT_INSTANCE_NAME = serverCfg.domain;
GF_SECURITY_ADMIN_USER = "\${DEFAULT_ADMIN_USERNAME}";
GF_SECURITY_ADMIN_PASSWORD = "\${DEFAULT_ADMIN_PASSWORD}";
GF_SECURITY_ADMIN_EMAIL = "\${DEFAULT_ADMIN_EMAIL}";
GF_SECURITY_COOKIE_SECURE = "true";
GF_USERS_ALLOW_SIGN_UP = "false";
GF_USERS_AUTO_ASSIGN_ORG = "true";
GF_USERS_AUTO_ASSIGN_ORG_ROLE = "true";
GF_AUTH_PROXY_ENABLED = "true";
GF_AUTH_PROXY_HEADER_NAME = "X-authentik-username";
GF_AUTH_PROXY_HEADER_PROPERTY = "username";
GF_AUTH_PROXY_AUTO_SIGN_UP = "true";
GF_DATABASE_TYPE = "postgres";
GF_DATABASE_HOST = "${builder.host}";
GF_DATABASE_NAME = "influx_db";
GF_DATABASE_USER = "influx_user";
GF_ANALYTICS_REPORTING_ENABLED = "false";
GF_CHECK_FOR_UPDATED = "false";
GF_LIVE_HA_ENGINE = "redis";
GF_LIVE_HA_ENGINE_ADRESS = "${builder.host}:6379";
DEFAULT_INFLUX_SERVER = "http://${builder.host}:8181";
};
overrides = {
user = "1500:1500";
environmentFiles = [ config.sops.secrets."INFLUX".path config.sops.secrets."CUSTOM".path ] ;
volumes = [
"${serverCfg.path.data.path}/influxdb/ui:/var/lib/grafana:rw"
"${influxSource}:/etc/grafana/provisioning/datasources/influx.yaml:ro"
];
};
};
};
setup = {
trigger = "db";
envFile = config.sops.secrets."INFLUX".path;
script = pkgs.writeShellScript "setup" ''
cat > ${serverCfg.path.config.path}/influxdb/config.json << EOF
{
"DEFAULT_INFLUX_SERVER": "http://${builder.host}:8181",
"DEFAULT_INFLUX_DATABASE": "main",
"DEFAULT_API_TOKEN": "$INFLUXDB_TOKEN",
"DEFAULT_SERVER_NAME": "${serverCfg.domain}"
}
EOF
cat > ${serverCfg.path.config.path}/influxdb/admin-token.json << EOF
{
"token": "$INFLUXDB_TOKEN",
"name": "admin",
"description": "Admin token for automated deployment"
}
EOF
'';
};
};
}

83
modules/server/containers/apps/invidious.nix
View File

@@ -1,83 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
postPatch = (oldAttrs.postPatch or "") + ''
cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
'';
});
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.invidious.name;
tag = pkgs.invidious.version;
contents = [ pkgs.cacert patchedInvidious ];
config = {
Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
ExposedPorts = { "3000/tcp" = {}; };
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
];
};
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/invidious";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 3000;
secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
extraEnv = {
INVIDIOUS_CONFIG_FILE = "/data/config.yml";
};
overrides = {
volumes = [
"${serverCfg.path.config.path}/invidious:/data:ro"
];
};
};
companion = builder.mkContainer {
image = "quay.io/invidious/invidious-companion:latest";
port = 8282;
secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
extraOptions = [
"--cap-drop=all"
"--security-opt=no-new-privileges"
];
};
};
setup = {
trigger = "server";
envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
export DB_HOST=${builder.host}
export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.path.config.path}/invidious/config.yml"
'';
};
};
}

175
modules/server/containers/apps/jellyfin.nix
View File

@@ -1,175 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
nss = pkgs.dockerTools.fakeNss.override {
extraPasswdLines = [
"jellyfin:x:1000:1000:Jellyfin Daemon:/config/data:/bin/false"
];
extraGroupLines = [
"jellyfin:x:1000:"
];
};
image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
name = pkgs.jellyfin.name;
tag = pkgs.jellyfin.version;
contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
config = {
User = "jellyfin:jellyfin";
Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
ExposedPorts = { "8096/tcp" = { }; };
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
];
};
};
in {
runtime = {
paths = [
{
path = "${serverCfg.path.config.path}/jellyfin/";
owner = "1000:1000";
mode = "0755";
}
];
containers = {
server = builder.mkContainer {
tmpfs = true;
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8096;
extraEnv = {
HOME = "/config/data";
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
};
overrides = {
cmd = [
"--datadir" "/config/data"
"--cachedir" "/config/cache"
"--configdir" "/config/config"
"--logdir" "/config/log"
];
volumes = [
"${serverCfg.path.film.path}:/media:ro"
"${serverCfg.path.config.path}/jellyfin:/config"
];
# If you have an Intel/AMD GPU for transcoding, add the device:
devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5
done
echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20
WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
if [ "$WIZARD_COMPLETE" = "false" ]; then
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
-H "Content-Type: application/json" \
-d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
echo "ERROR: Failed to set startup configuration."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
echo "ERROR: Failed to get base user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
-H 'accept: */*' -H "Content-Type: application/json" \
-d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
echo "ERROR: Failed to set admin user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
-H "Content-Type: application/json" \
-d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
echo "ERROR: Failed to configure remote access."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
echo "ERROR: Failed to complete wizard."
exit 1
fi
echo "Jellyfin initialization successfully completed!"
fi
${lib.optionalString (serverCfg.containers ? authentik) ''
JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
-H "Content-Type: application/json" \
-H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
-d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
| ${pkgs.jq}/bin/jq -r '.AccessToken')
# Verify we got a token
if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
echo "ERROR: Authentication failed."
exit 1
fi
if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
"$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
echo "LDAP Plugin is already installed. Skipping setup."
else
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: Server failed to accept restart command."
exit 1
fi
sleep 1-
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5
done
echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Type: application/json" -H 'accept: */*' \
-d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
"LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
"LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
"LdapSearchAttributes":"uid, cn, mail, displayName",
"LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
"EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
"EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
"LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
"EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
''}
${pkgs.sqlite}/bin/sqlite3 ${serverCfg.path.config.path}/jellyfin/data/data/jellyfin.db <<EOF
INSERT OR IGNORE INTO ApiKeys (Id, AccessToken, Name, DateCreated, DateLastActivity)
VALUES ( 1, "$HOMEPAGE_VAR_JELLYFIN_API", 'Home', strftime('%Y-%m-%d %H:%M:%S', 'now'), strftime('%Y-%m-%d %H:%M:%S', 'now'));
EOF
echo "Completed Setup"
'';
};
};
}

0
modules/server/containers/apps/miniflux.nix
View File

232
modules/server/containers/apps/nextcloud.nix
View File

@@ -1,232 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "31";
serverCfg = config.syscfg.server;
mediaCfg = config.syscfg.media;
backgroundImage = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
backgroundFileName = builtins.baseNameOf (toString backgroundImage);
logoPngFileName = builtins.baseNameOf (toString mediaCfg.logo.png);
logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
logoIcoFileName = builtins.baseNameOf (toString mediaCfg.logo.ico);
logoPngMount = "/var/www/html/themes/hcl/${logoPngFileName}";
logoSvgMount = "/var/www/html/themes/hcl/${logoSvgFileName}";
logoIcoMount = "/var/www/html/themes/hcl/${logoIcoFileName}";
backgroundMount = "/var/www/html/themes/hcl/${backgroundFileName}";
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/nextcloud";
owner = "33:33";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
tmpfs = true;
subdomain = containerCfg.subdomain;
image = "nextcloud:${version}";
port = 80;
secret = name;
extraEnv = {
REDIS_HOST = builder.host;
POSTGRES_HOST = builder.host;
POSTGRES_USER = "nextcloud_user";
POSTGRES_DB = "nextcloud_db";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
NEXTCLOUD_TRUSTED_DOMAINS = "${containerCfg.subdomain}.${serverCfg.domain} nextcloud-server";
OVERWRITEPROTOCOL = "https";
NEXTCLOUD_CLI_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
# SMTP_HOST = serverCfg.mail.server;
# SMTP_NAME = "mail_user";
# SMTP_PASSWORD = "mail_password";
# MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.domain}";
# MAIL_DOMAIN = serverCfg.mail.domain;
TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
NEXTCLOUD_DATA_DIR = "/var/www/html/data";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "hsts-headers@docker,${containerCfg.subdomain}-caldav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
};
overrides = {
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
volumes = [
"${serverCfg.path.config.path}/nextcloud:/var/www/html"
"${serverCfg.path.cloud.path}:/var/www/html/data"
"${mediaCfg.logo.png}:${logoPngMount}:ro"
"${mediaCfg.logo.svg}:${logoSvgMount}:ro"
"${mediaCfg.logo.ico}:${logoIcoMount}:ro"
"${backgroundImage}:${backgroundMount}:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = [config.sops.secrets."CUSTOM".path config.sops.secrets."NEXTCLOUD".path ];
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
echo "Waiting for Nextcloud container to start..."
until $OCC status > /dev/null 2>&1; do
sleep 2
done
INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
if [ -z "$INSTALLED" ]; then
echo "Running first-time setup..."
$OCC maintenance:install \
--admin-user "$DEFAULT_ADMIN_USERNAME" \
--admin-pass "$DEFAULT_ADMIN_PASSWORD" \
--database "pgsql" \
--database-host "${builder.host}" \
--database-name "nextcloud_db" \
--database-user "nextcloud_user" \
--database-pass "$POSTGRES_PASSWORD" \
--data-dir "/var/www/html/data"
fi
echo "Applying Settings..."
$OCC config:system:set dbhost --value="${builder.host}"
$OCC config:system:set dbuser --value="nextcloud_user"
$OCC config:system:set dbpassword --value="$POSTGRES_PASSWORD"
$OCC config:system:set dbname --value="nextcloud_db"
$OCC config:system:set memcache.local --value="\OC\Memcache\Redis"
$OCC config:system:set memcache.locking --value="\OC\Memcache\Redis"
$OCC config:system:set redis --value='{"host":"${builder.host}", "port":6379, "timeout":0.0}' --type=json
$OCC config:system:set trusted_domains 1 --value=${containerCfg.subdomain}.${serverCfg.domain}
$OCC config:system:set default_phone_region --value="CH"
$OCC config:system:set overwriteprotocol --value="https"
$OCC config:app:set core backgroundjobs_mode --value="cron"
$OCC config:system:set maintenance_window_start --type=integer --value=1
$OCC config:system:set default_language --value="en"
$OCC config:system:set default_locale --value="en_CH"
$OCC config:system:set overwriteprotocol --value="https"
$OCC config:system:set overwrite.cli.url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
echo "Applying Apps..."
$OCC app:disable activity || true
$OCC app:disable app_api || true
$OCC app:disable comments || true
$OCC app:disable firstrunwizard || true
$OCC config:system:set show_first_run_wizard --type=bool --value=false
$OCC app:disable nextcloud_announcements || true
$OCC app:disable oauth2 || true
$OCC app:disable recommendations || true
$OCC app:disable sharebymail || true
$OCC app:disable support || true
$OCC app:disable survey_client || true
$OCC app:disable updatenotification || true
$OCC app:disable user_status || true
$OCC app:install calendar || true
$OCC app:install contacts || true
$OCC app:install camerarawpreviews || true
$OCC app:install cospend || true
$OCC app:install deck || true
$OCC app:install files_markdown || true
$OCC app:install forms || true
$OCC app:install groupfolders || true
$OCC app:install ownpad || true
$OCC app:install previewgenerator || true
$OCC app:install richdocuments || true
${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
# $OCC app:install side_menu || true
$OCC app:install spreed || true
$OCC app:install teamfolders || true
${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
echo "Applying Apps Settings..."
$OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
$OCC config:app:set cospend allow_federation --value="yes"
${lib.optionalString (serverCfg.containers ? ethercalc) ''
$OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
$OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}"
''}
${lib.optionalString (serverCfg.containers ? etherpad) ''
$OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
$OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}"
''}
${lib.optionalString (serverCfg.containers ? collabora) ''
$OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}/"
$OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}"
$OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
''}
${lib.optionalString (serverCfg.containers ? authentik) ''
$OCC saml:config:set 1 --general-idp0_display_name="authentik"
$OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
$OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}"
$OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/sso/binding/redirect/"
$OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/slo/binding/redirect/"
AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
$OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT"
$OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
$OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
$OCC group:add cloud || true
$OCC group:adduser admin $DEFAULT_ADMIN_USERNAME
$OCC config:app:set user_saml general-group_provisioning --value="0"
$OCC config:app:set user_saml general-require_provisioning_groups --value="1"
''}
# configure side_menu ...
FOLDERS=$($OCC teamfolders:list --format=json)
${builtins.concatStringsSep "\n" (map (name: ''
if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
$OCC teamfolders:create "${name}"
fi
'') containerCfg.extra.teamFolders or [])}
SERVERS=$($OCC federation:list-servers --format=json)
${builtins.concatStringsSep "\n" (map (domain: ''
if ! echo "$SERVERS" | grep -q "${domain}"; then
$OCC federation:add-server "https://${domain}"
fi
'') containerCfg.extra.federatedServers or [])}
$OCC config:app:set systemtags allow_user_creating --value="no"
#else
# echo "Nextcloud is already installed. Skipping setup."
#fi
echo "Applying Theme..."
$OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
$OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
$OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
$OCC theming:config logo "${logoPngMount}"
$OCC theming:config logoheader "${logoSvgMount}"
$OCC theming:config favicon "${logoIcoMount}"
$OCC theming:config background "${backgroundMount}"
$OCC config:app:set serverinfo token --value="$HOMEPAGE_VAR_NEXTCLOUD_API"
echo "Maintenance..."
$OCC app:update --all
$OCC maintenance:repair --include-expensive --no-interaction
$OCC db:add-missing-indices --no-interaction
echo "Completed Setup"
'';
};
cron = [ "*/5 * * * * root ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
};
}

77
modules/server/containers/apps/openhab.nix
View File

@@ -1,77 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
version = "5.1.4";
in {
runtime = {
paths = [
{ path="${serverCfg.path.config.path}/openhab/conf"; owner="1000:1000"; mode = "0755"; }
{ path="${serverCfg.path.config.path}/openhab/userdata"; owner="1000:1000"; mode = "0755"; }
{ path="${serverCfg.path.config.path}/openhab/addons"; owner="1000:1000"; mode = "0755"; }
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "openhab/openhab:${version}";
port = 8080;
extraEnv = {
USER_ID = "1000";
GROUP_ID = "1000";
CRYPTO_POLICY = "unlimited";
OPENHAB_HTTP_PORT = "8080";
};
extraOptions = [
"--network=host"
"--cap-add=NET_ADMIN"
"--cap-add=NET_RAW"
"--no-healthcheck"
];
overrides = {
volumes = [
"${serverCfg.path.config.path}/openhab/conf:/openhab/conf"
"${serverCfg.path.config.path}/openhab/userdata:/openhab/userdata"
"${serverCfg.path.config.path}/openhab/addons:/opt/openhab/addons"
"/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = [ config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
# Pre-generate openHAB directories on the host
OHAB="${pkgs.podman}/bin/podman --events-backend=none exec openhab-server /openhab/runtime/bin/client -u openhab -p habopen"
sleep 20
exit 0
$OHAB openhab:users add $DEFAULT_ADMIN_USERNAME $DEFAULT_ADMIN_PASSWORD administrator
$OHAB feature:list
$OHAB openhab:addons install persistance-mapdb
$OHAB openhab:addons install persistance-influxdb
$OHAB openhab:addons install ui-basic
$OHAB openhab:addons install automation-jsscripting
$OHAB openhab:addons install binding-telegram
$OHAB openhab:addons install binding-matter
$OHAB openhab:addons install binding-mqtt
$OHAB openhab:addons install binding-bluetooth
$OHAB openhab:addons install binding-zigbee
$OHAB openhab:addons install binding-chromecast
$OHAB openhab:addons install binding-astro
$OHAB openhab:addons install binding-meteoblue
$OHAB openhab:addons install binding-publictransportswitzerland
#IF APPLE DEVICE: HomeKit (siri/apple bridge)
#IF UBIQUITY NET: Unifi + UnifiProtect (net/cam bridge)
#IF YAMAHA+EPSON: EpsonProjector + Yamaha (projector and sound)
#IF BAMBULAB DEVICE: BambuLab (notify print state)
#IF GARDENA DEVICE: Gardena (smart watering)
#Extra: AndroidTV/Jellyfin (Bind with lights + more)
'';
};
};
}

87
modules/server/containers/apps/searxng.nix
View File

@@ -1,87 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
settings = pkgs.writeText"settings.yml" (pkgs.lib.generators.toYAML {}{
use_default_settings = true;
brand = {
issue_url = "";
docs_url = "";
public_instances = "";
wiki_url = "";
custom = {
links = {
"Home" = "https://${serverCfg.domain}";
# "Status" = "https://status.${serverCfg.domain}";
};
};
pwa_colors = {
theme_color_light = "${serverCfg.colorScheme.palette.base0C}";
background_color_light = "${serverCfg.colorScheme.palette.base07}";
theme_color_dark = "${serverCfg.colorScheme.palette.base0C}";
background_color_dark = "${serverCfg.colorScheme.palette.base02}";
theme_color_black = "${serverCfg.colorScheme.palette.base0C}";
background_color_black = "${serverCfg.colorScheme.palette.base01}";
};
};
general = {
debug = false;
instance_name = if containerCfg.extra ? instanceName then containerCfg.extra.instanceName else "SearXNG";
privacypolicy_url = false;
donation_url = false;
contact_url = false;
enable_metrics = false;
};
search = {
safe_search = 0;
autocomplete = if containerCfg.extra ? autocomplete then containerCfg.extra.autocomplete else "";
languages = [ "all" "en" "en-US" "ja" "de-CH" "fr-CH" "nb" ];
};
server = {
# secret_key = ""; SET BY ENV VAR
};
ui = {
default_locale = if containerCfg.extra ? defaultLocale then containerCfg.extra.defaultLocale else "en";
# query_in_title = "true";
#default_theme = "custom";
custom_css = "footer { display: none !important; }";
};
# categories_as_tabs = {
# general = {};
# images ={};
# videos = {};
# news = {};
# files = {};
# };
plugins = {
"searx.plugins.infinite_scroll.SXNGPlugin".active = true;
"searx.plugins.tracker_url_remover.SXNGPlugin".active = true;
};
});
in {
requires.secrets = [ name ];
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "searxng/searxng:${version}";
port = 8080;
secret = name;
extraEnv = {
SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
SEARXNG_PORT = "8080";
SEARXNG_BIND_ADDRESS = "[::]";
SEARXNG_PUBLIC_INSTANCE = "false";
SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
#SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
};
overrides = {
volumes = [
"${settings}:/etc/searxng/settings.yml"
];
};
};
};
};
}

91
modules/server/containers/apps/selfmark.nix
View File

@@ -1,91 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/selfmark/";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
authentik = true;
subdomain = containerCfg.subdomain;
subpath = containerCfg.subpath;
image = "ghcr.io/calibrain/shelfmark:${version}";
port = 8080;
extraEnv = {
# HARDCOVER_API_KEY = ""; #FROM SOPS
# AA_DONATOR_KEY = ""; #FROM SOPS
# PROWLARR_API_KEY = ""; #FROM SOPS
FLASK_PORT = "8080";
PUID = "1000";
PGID = "1000";
USING_TOR = "false";
ONBOARDING = "false";
SUPPORTED_FORMATS = "epub,mobi,azw3,fb2,djvu,cbz,cbr,pdf";
SUPPORTED_AUDIOBOOK_FORMATS = "mp3, m4b";
BOOK_LANGUAGE = "en,fr"; # ,de,jp";
SEARCH_MODE = "universal";
AA_DEFAULT_SORT = "relevance";
METADATA_PROVIDER = "openlibrary";
INGEST_DIR = "/books";
BOOKS_OUTPUT_MODE = "/output";
FILE_ORGANIZATION = "organize";
TEMPLATE_RENAME = "{Author} - {Title} ({Year})";
TEMPLATE_ORGANIZE = "{Author}/{Title} ({Year})";
HARDLINK_TORRENTS = "false";
FILE_ORGANIZATION_AUDIOBOOK = "organize";
TEMPLATE_RENAME_AUDIOBOOK = "{Author} - {Title}";
TEMPLATE_ORGANIZE_AUDIOBOOK = "{Author}/{Title} ({Year})";
HARDCOVER_ENABLED = "true";
HARDCOVER_DEFAULT_SORT = "relevance";
OPENLIBRARY_ENABLED = "true";
OPENLIBRARY_DEFAULT_SORT = "relevance";
DIRECT_DOWNLOAD_ENABLED = "true";
USE_CF_BYPASS = "true";
AA_BASE_URL = "auto";
AA_MIRROR_URLS = "https://annas-archive.gl,https://annas-archive.pk,https://annas-archive.gd,";
LIBGEN_MIRROR_URLS = "https://libgen.li,https://libgen.vg,https://libgen.la,https://libgen.bz,https://libgen.gl";
ZLIB_MIRROR_URLS = "https://z-lib.sk,https://z-library.gs,https://z-lib.fm,https://z-lib.gd,https://z-lib.gl";
# WELIB_MIRROR_URLS = "https://welib.org"; #avoid
} // lib.optionalAttrs(containerCfg.subpath != null) {
BASE_PATH = "/${containerCfg.subpath}";
URL_BASE = "/${containerCfg.subpath}";
} // lib.optionalAttrs(serverCfg.containers?calibre) {
CALIBRE_WEB_URL = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
} // lib.optionalAttrs(serverCfg.containers?authentik) {
AUTH_METHOD = "proxy";
PROXY_AUTH_USER_HEADER = "X-authentik-username";
PROXY_AUTH_ADMIN_GROUP_HEADER = "X-authentik-groups";
PROXY_AUTH_ADMIN_GROUP_NAME = "admin";
} // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "prowlarr" serverCfg.containers.servarr.extra.modules) ({
PROWLARR_ENABLED = "true";
PROWLARR_URL = "http://servarr-prowlarr:8989";
} // lib.optionalAttrs(serverCfg.containers?transmission) {
PROWLARR_TORRENT_CLIENT = "transmission";
TRANSMISSION_URL = "http://transmission-server:9091";
}) // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "flaresolverr" serverCfg.containers.servarr.extra.modules) {
USING_EXTERNAL_BYPASSER = "true";
EXT_BYPASSER_URL = "http://servarr-flaresolverr:8191";
EXT_BYPASSER_PATH = "/v1";
EXT_BYPASSER_TIMEOUT = "60000";
};
overrides = {
volumes = [
"${serverCfg.path.dlIncomplete.path}:/books:rw"
"${serverCfg.path.dlComplete.path}:/output:rw"
"${serverCfg.path.config.path}/selfmark:/config:rw"
];
};
};
};
};
}

522
modules/server/containers/apps/servarr.nix
View File

File diff suppressed because one or more lines are too long

53
modules/server/containers/apps/suwayomi.nix
View File

@@ -1,53 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "stable";
serverCfg = config.syscfg.server;
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/suwayomi/suwayomi-server:${version}";
port = 4567;
secret = name;
extraEnv = {
BIND_PORT = "4567";
AUTH_MODE = "ui_login";
WEB_UI_ENABLED = "true";
WEB_UI_FLAVOR = "WebUI";
# AUTO_DOWNLOAD_CHAPTERS = true;
# AUTO_DOWNLOAD_EXCLUDE_UNREAD = true;
# AUTO_DOWNLOAD_NEW_CHAPTERS_LIMIT = 0;
# AUTO_DOWNLOAD_IGNORE_REUPLOADS = false;
# DOWNLOAD_CONVERSIONS = {};
# SERVE_CONVERSIONS = {};
# MAX_SOURCES_IN_PARALLEL = 6;
# UPDATE_EXCLUDE_UNREAD = true;
# UPDATE_EXCLUDE_STARTED = true;
# UPDATE_EXCLUDE_COMPLETED = true;
# UPDATE_INTERVAL = 12; #Hours
# UPDATE_MANGA_INFO = false;
DATABASE_TYPE = "POSTGRESQL";
DATABASE_URL = "postgresql://${builder.host}/suwayomi_db";
DATABASE_USERNAME = "suwayomi_user";
FLARESOLVERR_ENABLED = lib.boolToString (builtins.elem "flaresolverr" (((config.syscfg.server.containers.servarr or {}).extra or {}).modules or []));
FLARESOLVERR_URL = "http://servarr-flaresolverr:8191";
EXTENSION_REPOS = "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"; #https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json
};
overrides = {
volumes = [
"${serverCfg.path.manga.path}:/home/suwayomi/.local/share/Tachidesk/downloads"
# "${serverCfg.path.config.path}/suwayomi:/home/suwayomi/.local/share/Tachidesk"
];
};
};
};
};
}

88
modules/server/containers/apps/traefik.nix
View File

@@ -1,88 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "traefik";
tag = pkgs.traefik.version;
contents = with pkgs;[ cacert tzdata ];
config = {
Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
WorkingDir = "/";
};
};
in {
requires.secrets = [ name ];
runtime = {
containers = {
server = builder.mkContainer {
imageStream = image;
subdomain = containerCfg.subdomain;
port = 8080;
secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
"traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
"traefik.http.middlewares.hsts-headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.hsts-headers.headers.stsIncludeSubdomains" = "true";
"traefik.http.middlewares.hsts-headers.headers.stsPreload" = "true";
"traefik.http.middlewares.hsts-headers.headers.forceSTSHeader" = "true";
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
} // (if serverCfg.containers?authentik then {
"traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
"traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
} else {}) // (if serverCfg.containers?umami then {
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
} else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
"traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
} else {});
extraEnv = { };
overrides = {
cmd = [
"--api"
"--log.level=INFO"
"--providers.docker=true"
"--global.checknewversion=false"
"--global.sendanonymoususage=false"
"--api.insecure=true"
"--api.dashboard=true"
"--providers.docker.exposedByDefault=false"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
"--entrypoints.web.http.redirections.entrypoint.to=web-secure"
"--entrypoints.web.http.redirections.entrypoint.scheme=https"
"--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
"--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
] ++ (if serverCfg.containers ? umami then [
"--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
"--experimental.plugins.umami-feeder.version=v1.4.1"
"--entrypoints.web-secure.http.middlewares=umami-global@docker"
] else []) ++ (if containerCfg.extra ? provider then [
"--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
"--certificatesresolvers.default.acme.dnschallenge=true"
"--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
"--certificatesresolvers.default.acme.storage=/acme.json"
] else if serverCfg.domain != "localhost" then [
"--certificatesresolvers.default.acme.httpchallenge=false"
"--certificatesresolvers.default.acme.tlschallenge=true"
] else []);
ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
volumes = [
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
};
};
};
};
}

59
modules/server/containers/apps/transmission.nix
View File

@@ -1,59 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.transmission_4.name;
tag = pkgs.transmission_4.version;
contents = [ pkgs.cacert ];
config = {
Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
ExposedPorts = {
"9091/tcp" = {};
"51413/tcp" = {}; "51413/udp" = {};
};
};
};
in {
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/transmission";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
authentik = true;
subdomain = containerCfg.subdomain;
subpath = containerCfg.subpath;
imageStream = image;
port = 9091;
extraEnv = {
PUID = "1000";
PGID = "1000";
WHITELIST = "";# 127.0.0.1,::1,10.*";
# HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker";
};
overrides = {
volumes = [
"${serverCfg.path.dlComplete.path}:/downloads/complete"
"${serverCfg.path.dlIncomplete.path}:/downloads/incomplete"
"${serverCfg.path.config.path}/transmission:/config"
];
};
};
};
setup = {
trigger = "server";
envFile = [ config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.path.config.path}/transmission/config/settings.json"
'';
};
};
}

3
modules/server/containers/apps/trmnl.nix
View File

@@ -1,3 +0,0 @@
{...}:{
}

54
modules/server/containers/apps/umami.nix
View File

@@ -1,54 +0,0 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
# Umami image built from nixpkgs
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.umami.name;
tag = pkgs.umami.version;
contents = with pkgs; [ cacert openssl ];
config = {
# Umami in nixpkgs typically provides a binary or script to start the server
Entrypoint = [ "${pkgs.umami}/bin/umami-server" ];
ExposedPorts = { "3000/tcp" = {}; };
Env = [ "NODE_ENV=production" ];
};
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/umami/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain;
image = "${pkgs.umami.name}:${pkgs.umami.version}";
imageStream = image;
port = 3000;
secret = name;
extraEnv = {
PORT = "3000";
# HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
DATABASE_TYPE = "postgresql";
REDIS_URL = "redis://${builder.host}";
CLIENT_IP_HEADER = "X-Forwarded-For";
BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
# DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
};
overrides = {
cmd = [ "start" ]; # Specific command for the umami binary
};
};
};
};
}

129
modules/server/containers/builder.nix
View File

@@ -1,129 +0,0 @@
{ config, lib, pkgs, serverCfg }:
let
mkRouterName = { subdomain, subpath ? null }:
if subpath != null
then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
else subdomain;
getOr = attrs: path: default: lib.attrByPath path default attrs;
mkTmpfsOption = size: "--tmpfs=/tmp:rw,noexec,nosuid,size=${size}";
mkAuthentikLabels =
{ subdomain
, subpath ? null
, routerName ? mkRouterName { inherit subdomain subpath; }
, middleware ? "authentik"
}:
lib.optionalAttrs (serverCfg.containers ? authentik) {
"traefik.http.routers.${routerName}.middlewares" = middleware;
};
contBuilder =
{ image ? null, imageStream ? null, imageFile ? null
, secret ? null
, subdomain ? null, subpath?null, port ? null
, authentik ? false
, tmpfs ? false
, tmpfsSize ? "512m"
, extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
, overrides ? { }
}:
let
routerName = mkRouterName { inherit subdomain subpath; };
base = {
image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}"
else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
imageStream = imageStream;
imageFile = imageFile;
environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
environment = {
TZ = config.time.timeZone;
} // extraEnv;
labels = (if subdomain!=null then ({
"traefik.enable" = "true";
"traefik.http.routers.${routerName}.entrypoints" = "web-secure";
"traefik.http.routers.${routerName}.rule" = if subpath != null
then "Host(`${subdomain}.${serverCfg.domain}`) && PathPrefix(`/${subpath}`)"
else "Host(`${subdomain}.${serverCfg.domain}`)";
"traefik.http.routers.${routerName}.tls" = "true";
} // lib.optionalAttrs (port!=null) {
"traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
}) else {
"traefik.enable" = "false";
})
// lib.optionalAttrs authentik (mkAuthentikLabels { inherit subdomain subpath routerName; })
// extraLabels;
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
]
++ lib.optional tmpfs (mkTmpfsOption tmpfsSize)
++ extraOptions;
};
in lib.recursiveUpdate base overrides;
vmBuilder = { name, vm }: ((import "${pkgs.path}/nixos/lib/eval-config.nix" {
system = "x86_64-linux";
modules = [ vm.cfg
({ config, lib, modulesPath, ... }: {
imports = [
"${modulesPath}/profiles/qemu-guest.nix"
"${modulesPath}/virtualisation/qemu-vm.nix"
];
networking.hostName = name;
networking.useDHCP = true;
networking.firewall.enable = false;
services.qemuGuest.enable = true;
system.stateVersion = "26.05";
virtualisation = {
memorySize = vm.memory or 2048;
cores = vm.cores or 2;
forwardPorts = let
parsePortString = port: {
from = "host";
host.port = port;
guest.port = port;
};
in if (vm ? portForward && vm.portForward != null) then map parsePortString vm.portForward else [];
};})
];
}).config.system.build.vm);
in {
mkContainer = contBuilder;
mkVm = vmBuilder;
mkApp = name: app:
{
inherit name;
requires = {
secrets = getOr app [ "requires" "secrets" ] [ ];
databases = getOr app [ "requires" "databases" ] [ ];
};
exports = {
authentik = {
blueprints = getOr app [ "exports" "authentik" "blueprints" ] [ ];
};
};
runtime = {
paths = getOr app [ "runtime" "paths" ] [ ];
containers = getOr app [ "runtime" "containers" ] { };
vm = getOr app [ "runtime" "vm" ] null;
cron = getOr app [ "runtime" "cron" ] [ ];
setup = {
trigger = "";
script = null;
envFile = [ ];
} // getOr app [ "runtime" "setup" ] { };
};
};
mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
mkdir -p $out
cp -r ${./data + "/${dir}"}/. $out/
find $out -type f | while read file; do
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
substituteInPlace "$file" --replace "@${n}@" "${toString v}"
'') vars)}
done
'';
host = "host.containers.internal";
hostIp = if (config.virtualisation.podman.defaultNetwork.settings ? subnets)
then (builtins.elemAt config.virtualisation.podman.defaultNetwork.settings.subnets 0).gateway
else "10.88.0.1";
}

70
modules/server/containers/data/authentik/authentik.yaml
View File

@@ -1,70 +0,0 @@
version: 1
metadata:
name: "Initial User Setup"
labels:
blueprint-type: core
entries:
# Optionally, disable the default enrollment flow entirely
- model: authentik_flows.flow
identifiers:
slug: "default-source-enrollment"
attrs:
designation: "enrollment"
enabled: false
# --- GROUPS ---
- model: authentik_core.group
identifiers:
name: "admin"
attrs:
is_superuser: true
- model: authentik_core.group
identifiers:
name: "cloud"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "dev"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "flix"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "family"
attrs:
is_superuser: false
# --- ADMIN USERS ---
- model: authentik_core.user
identifiers:
username: !Env DEFAULT_ADMIN_USERNAME
attrs:
name: !Env DEFAULT_ADMIN_USERNAME
email: !Env DEFAULT_ADMIN_EMAIL
password: !Env DEFAULT_ADMIN_PASSWORD
path: "users"
groups:
- !Find [authentik_core.group, [name, "admin"]]
# Disable the Initial Setup Flow
- model: authentik_flows.flow
identifiers:
slug: "initial-setup"
attrs:
authentication: "require_superuser"
enabled: false
# Disable the default 'akadmin' if it exists
- model: authentik_core.user
identifiers:
username: "akadmin"
attrs:
is_active: false

13
modules/server/containers/data/authentik/branding.yaml
View File

@@ -1,13 +0,0 @@
version: 1
metadata:
name: "Branding Setup"
entries:
- model: authentik_brands.brand
identifiers:
domain: "@AUTHENTIK_DOMAIN@"
attrs:
domain: "@AUTHENTIK_DOMAIN@"
branding_title: "@AUTHENTIK_BRANDING_TITLE@"
branding_logo: "@AUTHENTIK_BRANDING_LOGO@"
branding_favicon: "@AUTHENTIK_BRANDING_FAVICON@"
branding_default_flow_background: "@AUTHENTIK_BRANDING_BACKGROUND@"

58
modules/server/containers/data/authentik/freshrss.yaml
View File

@@ -1,58 +0,0 @@
version: 1
metadata:
name: "FreshRSS OAuth2 Provisioning"
labels:
app: freshrss
entries:
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "FreshRSS Provider"
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
authentication_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: "confidential"
client_id: "freshrss"
client_secret: !Env FRESHRSS_OAUTH_SECRET
access_code_validity: "minutes=5"
token_validity: "days=30"
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
redirect_uris:
- url: "https://@FRESHRSS_DOMAIN@.*"
matching_mode: "regex"
property_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'email'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
]
- model: authentik_core.application
identifiers:
slug: "freshrss"
attrs:
name: "FreshRSS"
launch_url: "@FRESHRSS_DOMAIN@"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "FreshRSS Provider"],
]

11
modules/server/containers/data/authentik/gitea.yaml
View File

@@ -1,11 +0,0 @@
version: 1
metadata:
name: gitea-ldap-setup
entries:
- model: authentik_core.application
id: gitea-app
identifiers:
slug: gitea
attrs:
name: Gitea
launch_url: "@GITEA_DOMAIN@"

108
modules/server/containers/data/authentik/homepage.yaml
View File

@@ -1,108 +0,0 @@
version: 1
metadata:
name: "Homepage Dashboard - OIDC Provisioning"
labels:
app: homepage
entries:
- model: authentik_providers_oauth2.scopemapping
identifiers:
name: "Homepage Custom Scope: Groups"
attrs:
scope_name: "groups"
description: "Pass user groups array to Homepage for conditional element rendering"
expression: |
return {
"groups": [group.name for group in request.user.ak_groups.all()]
}
# 1. Create the OAuth2/OIDC Provider
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "Homepage Provider"
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
authentication_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: "confidential"
client_id: "homepage"
client_secret: !Env HOMEPAGE_VAR_OAUTH_SECRET
access_code_validity: "minutes=5"
token_validity: "days=30"
redirect_uris:
- url: "https://@HOMEPAGE_DOMAIN@/login"
matching_mode: "regex"
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
property_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'email'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "Homepage Custom Scope: Groups"],
]
# 2. Create the Application and link it to the Provider
- model: authentik_core.application
identifiers:
slug: homepage
attrs:
name: "Homepage"
launch_url: "@HOMEPAGE_DOMAIN@"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, Homepage Provider],
]
open_in_new_tab: false
# 3. Provision the static API token linked to the user account
- model: authentik_rbac.role
state: present
identifiers:
name: homepage-viewer
attrs:
permissions:
- authentik_core.view_user
- authentik_events.view_event
- model: authentik_core.user
state: present
identifiers:
username: homepage-svc
attrs:
roles:
- !Find [authentik_rbac.role, [name, "homepage-viewer"]]
name: Homepage Service Account
path: goauthentik.io/service-accounts
is_active: true
attributes:
goauthentik.io/user/service-account: true
- model: authentik_core.token
state: present
identifiers:
identifier: homepage-token
attrs:
key: !Env HOMEPAGE_VAR_AUTHENTIK_API
user: !Find [authentik_core.user, [username, "homepage-svc"]]
intent: api
expiring: false

62
modules/server/containers/data/authentik/immich.yaml
View File

@@ -1,62 +0,0 @@
version: 1
metadata:
name: "Immich OAuth2 Provisioning"
labels:
app: immich
entries:
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "Immich Provider"
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
authentication_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: "confidential"
client_id: "immich"
client_secret: !Env IMMICH_OAUTH_SECRET
access_code_validity: "minutes=5"
token_validity: "days=30"
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
redirect_uris:
- url: "app.immich:///oauth-callback"
matching_mode: "strict"
- url: "https://@IMMICH_DOMAIN@/auth/login"
matching_mode: "regex"
- url: "https://@IMMICH_DOMAIN@/user-settings"
matching_mode: "regex"
property_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'email'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
]
- model: authentik_core.application
identifiers:
slug: "immich"
attrs:
name: "Immich"
launch_url: "@IMMICH_DOMAIN@"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "Immich Provider"],
]

11
modules/server/containers/data/authentik/jellyfin.yaml
View File

@@ -1,11 +0,0 @@
version: 1
metadata:
name: jellyfin-ldap-setup
entries:
- model: authentik_core.application
id: jellyfin-app
identifiers:
slug: jellyfin
attrs:
name: Jellyfin
launch_url: "@JELLYFIN_DOMAIN@"

79
modules/server/containers/data/authentik/ldap.yaml
View File

@@ -1,79 +0,0 @@
version: 1
metadata:
name: Pre-configured LDAP Outpost
entries:
- model: authentik_providers_ldap.ldapprovider
identifiers:
name: ldap-provider
attrs:
base_dn: "@AUTHENTIK_LDAP_DC_DOMAIN@"
search_group: null
authorization_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
- model: authentik_core.user
state: present
identifiers:
username: "ldap-service"
attrs:
name: "LDAP Bind Service Account"
type: "service_account"
path: "goauthentik.io"
is_active: true
password: !Env DEFAULT_LDAP_PASSWORD
attributes:
ak_recovery_immutable: true
- model: authentik_core.token
identifiers:
identifier: ldap-outpost-static-token
attrs:
intent: api
expiring: false
key: !Env AUTHENTIK_TOKEN
user: !Find [authentik_core.user, [username, "ldap-service"]]
- model: authentik_outposts.outpost
identifiers:
name: LDAP Outpost
attrs:
type: ldap
providers:
- !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
token:
!Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
config:
log_level: info
authentik_host: https://sso.test.helcel.net/
refresh_interval: minutes=5
authentik_host_insecure: false
- model: authentik_rbac.role
state: present
identifiers:
name: "LDAP Search Role"
attrs:
permissions:
- "authentik_providers_ldap.search_full_directory"
- model: authentik_core.group
state: present
identifiers:
name: "LDAP Search Group"
attrs:
users:
- !Find [authentik_core.user, [username, "ldap-service"]]
roles:
- !Find [authentik_rbac.role, [name, "LDAP Search Role"]]
- model: authentik_core.application
id: ldap-placeholder
identifiers:
slug: ldap
attrs:
name: ldap
group: _
provider:
!Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]

58
modules/server/containers/data/authentik/nextcloud.yaml
View File

@@ -1,58 +0,0 @@
version: 1
metadata:
name: nextcloud-saml-setup
entries:
- model: authentik_providers_saml.samlprovider
identifiers:
name: Nextcloud SAML
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-explicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
issuer: https://@AUTHENTIK_DOMAIN@
sp_binding: post
property_mappings:
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Name"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Email"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Groups"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Username"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: User ID"],
]
signing_kp:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
sign_assertion: true
sign_response: false
- model: authentik_core.application
identifiers:
slug: nextcloud
attrs:
name: Nextcloud
provider:
!Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
launch_url: "@NEXTCLOUD_DOMAIN@"

46
modules/server/containers/data/authentik/traefik.yaml
View File

@@ -1,46 +0,0 @@
version: 1
metadata:
name: domain-wide-proxy-setup
entries:
# 1. The Provider
- model: authentik_providers_proxy.proxyprovider
identifiers:
name: Domain Wide Proxy
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
external_host: https://@AUTHENTIK_DOMAIN@
cookie_domain: "@COOKIE_DOMAIN@"
mode: forward_domain
intercept_header_auth: true
# 2. The Application (Required to link the provider)
- model: authentik_core.application
identifiers:
slug: authentik-proxy
attrs:
name: "Domain Auth Provider"
group: _
provider:
!Find [
authentik_providers_proxy.proxyprovider,
[name, Domain Wide Proxy],
]
# 3. Add to Outpost
- model: authentik_outposts.outpost
identifiers:
name: authentik Embedded Outpost
attrs:
providers:
- !Find [
authentik_providers_proxy.proxyprovider,
[name, Domain Wide Proxy],
]

137
modules/server/containers/data/invidious/config.yml
View File

@@ -1,137 +0,0 @@
db:
user: invidious_user
password: $DB_PASSWORD
host: $DB_HOST
port: 5432
dbname: invidious_db
check_tables: true
invidious_companion:
- private_url: "http://invidious-companion:8282/companion"
invidious_companion_key: $SERVER_SECRET_KEY
port: 3000
external_port: 443
host_binding: 0.0.0.0
domain: $INVIDIOUS_DOMAIN
https_only: false
#hsts: true
## Accepted values: true, false, dash, livestreams, downloads, local
#disable_proxy: false
# use_innertube_for_captions: false
# -----------------------------
# Features
# -----------------------------
popular_enabled: false
statistics_enabled: true
registration_enabled: true
login_enabled: true
captcha_enabled: false
admins: ["$DEFAULT_ADMIN_EMAIL"]
enable_user_notifications: false
# -----------------------------
# Background jobs
# -----------------------------
channel_threads: 1
#channel_refresh_interval: 30m
full_refresh: false
feed_threads: 1
jobs:
clear_expired_items:
enable: true
refresh_channels:
enable: true
refresh_feeds:
enable: true
# -----------------------------
# Miscellaneous
# -----------------------------
#banner:
# use_pubsub_feeds: true
hmac_key: $HMAC_KEY
#dmca_content:
#cache_annotations: false
#modified_source_code_url: ""
#playlist_length_limit: 500
#########################################
#
# Default user preferences
#
#########################################
default_user_preferences:
# -----------------------------
# Internationalization
# -----------------------------
#locale: en-US
#region: US
## Top 3 preferred languages for video captions.
#captions: ["", "", ""]
# -----------------------------
# Interface
# -----------------------------
dark_mode: "auto"
#thin_mode: false
feed_menu: ["Subscriptions", "Playlists"]
default_home: Subscriptions
#max_results: 40
#annotations: false
#annotations_subscribed: false
#comments: ["youtube", ""]
#player_style: invidious
#related_videos: true
# -----------------------------
# Video player behavior
# -----------------------------
#preload: true
#autoplay: false
#continue: false
#continue_autoplay: true
#listen: false
#video_loop: false
# -----------------------------
# Video playback settings
# -----------------------------
#quality: dash
#quality_dash: auto
#speed: 1.0
#volume: 100
#vr_mode: true
save_player_pos: true
# -----------------------------
# Subscription feed
# -----------------------------
#latest_only: false
#notifications_only: false
unseen_only: true
#sort: published
# -----------------------------
# Miscellaneous
# -----------------------------
#local: false
show_nick: false
#automatic_instance_redirect: false
#extend_desc: false

101
modules/server/containers/data/invidious/login.cr
View File

@@ -1,101 +0,0 @@
{% skip_file if flag?(:api_only) %}
module Invidious::Routes::Login
def self.login_page(env)
locale = env.get("preferences").as(Preferences).locale
user = env.get? "user"
referer = get_referer(env, "/feed/subscriptions")
return env.redirect referer if user
return error_template(400, "Login has been disabled by administrator.") if !CONFIG.login_enabled
if forwarded_user = env.request.headers["X-authentik-email"]?
begin
email = forwarded_user.try &.downcase.byte_slice(0, 254)
return error_template(401, "User ID is a required field") if email.nil? || email.empty?
user = Invidious::Database::Users.select(email: email)
if user
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
Invidious::Database::SessionIDs.insert(sid, email)
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
else
return error_template(400, "Registration has been disabled by administrator.") if !CONFIG.registration_enabled
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email, "")
if language_header = env.request.headers["Accept-Language"]?
if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
user.preferences.locale = language.header
end
end
Invidious::Database::Users.insert(user)
Invidious::Database::SessionIDs.insert(sid, email)
view_name = "subscriptions_#{sha256(user.email)}"
PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
user.preferences = env.get("preferences").as(Preferences)
Invidious::Database::Users.update_preferences(user)
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end
return env.redirect referer
rescue ex
return error_template(500, "Authentication error: #{ex.message}")
end
end
env.redirect referer
end
def self.login(env)
referer = get_referer(env, "/feed/subscriptions")
env.redirect referer
return error_template(403, "Login post is not supported.")
end
def self.signout(env)
locale = env.get("preferences").as(Preferences).locale
user = env.get? "user"
sid = env.get? "sid"
referer = get_referer(env)
return env.redirect referer if !user
user = user.as(User)
sid = sid.as(String)
token = env.params.body["csrf_token"]?
begin
validate_request(token, sid, env.request, HMAC_KEY, locale)
rescue ex
return error_template(400, ex)
end
Invidious::Database::SessionIDs.delete(sid: sid)
env.request.cookies.each do |cookie|
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
env.redirect referer
end
end

70
modules/server/containers/data/transmission/settings.json
View File

@@ -1,70 +0,0 @@
{
"alt-speed-down": 50,
"alt-speed-enabled": false,
"alt-speed-time-begin": 540,
"alt-speed-time-day": 127,
"alt-speed-time-enabled": false,
"alt-speed-time-end": 1020,
"alt-speed-up": 50,
"bind-address-ipv4": "0.0.0.0",
"bind-address-ipv6": "::",
"blocklist-enabled": false,
"blocklist-url": "http://www.example.com/blocklist",
"cache-size-mb": 4,
"dht-enabled": true,
"download-dir": "/downloads/complete",
"download-queue-enabled": true,
"download-queue-size": 5,
"encryption": 1,
"idle-seeding-limit": 30,
"idle-seeding-limit-enabled": false,
"incomplete-dir": "/downloads/incomplete",
"incomplete-dir-enabled": true,
"lpd-enabled": false,
"message-level": 2,
"peer-congestion-algorithm": "",
"peer-id-ttl-hours": 6,
"peer-limit-global": 200,
"peer-limit-per-torrent": 50,
"peer-port": 51413,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"peer-socket-tos": "default",
"pex-enabled": true,
"port-forwarding-enabled": true,
"preallocation": 1,
"prefetch-enabled": 1,
"queue-stalled-enabled": true,
"queue-stalled-minutes": 30,
"ratio-limit": 2,
"ratio-limit-enabled": false,
"rename-partial-files": true,
"rpc-authentication-required": false,
"rpc-bind-address": "0.0.0.0",
"rpc-enabled": true,
"rpc-password": "$TRANSMISSION_RPC_PASSWORD",
"rpc-port": 9091,
"rpc-url": "/transmission/",
"rpc-username": "",
"rpc-host-whitelist": "127.0.0.1",
"rpc-host-whitelist-enabled": false,
"rpc-whitelist": "127.0.0.1",
"rpc-whitelist-enabled": false,
"scrape-paused-torrents-enabled": true,
"script-torrent-done-enabled": false,
"script-torrent-done-filename": "",
"seed-queue-enabled": false,
"seed-queue-size": 10,
"speed-limit-down": 100,
"speed-limit-down-enabled": false,
"speed-limit-up": 100,
"speed-limit-up-enabled": false,
"start-added-torrents": true,
"trash-original-torrent-files": false,
"umask": 2,
"upload-slots-per-torrent": 14,
"utp-enabled": false,
"watch-dir": "/watch",
"watch-dir-enabled": true
}

143
modules/server/containers/default.nix
View File

@@ -1,113 +1,40 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
serverCfg = config.syscfg.server; cfg = config.syscfg.server.containers;
builder = import ./builder.nix { inherit config lib pkgs serverCfg; }; enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
loadApp = name: containerCfg: containerSetsList = lib.mapAttrsToList (name: containerCfg:
builder.mkApp name ((import (./apps + "/${name}.nix")) { import (./defs + "/${name}.nix") {
inherit config pkgs lib containerCfg builder name; inherit config pkgs lib containerCfg;
}); }
loadedContainers = lib.mapAttrs loadApp serverCfg.containers; ) enabledConfigs;
appsList = builtins.attrValues loadedContainers; mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
concatRuntimeLists = field: lib.concatMap (app: app.runtime.${field}) appsList; allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
mkNamedUnits = mkUnit: items: lib.listToAttrs (map mkUnit items); in
mergedContainers = lib.concatMapAttrs (appName: app: {
lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.runtime.containers config = lib.mkIf ( enabledConfigs != {} ) {
) loadedContainers;
basePathConfigs =
lib.mapAttrsToList (_: cfg: cfg) (lib.filterAttrs (name: _: name != "config" && name != "data") serverCfg.path);
runtimePathConfigs = concatRuntimeLists "paths";
allSetupConfigs = map (app: ({ name = app.name; envFile = ""; } // app.runtime.setup)) appsList;
allCronsConfigs = concatRuntimeLists "cron";
allVMConfigs = builtins.filter (app: app.runtime.vm != null) appsList;
mkPathSetup = cfg:
let
effectiveCfg = {
owner = "root:root";
mode = "0755";
dirs = [];
} // cfg;
in ''
${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
${lib.concatMapStringsSep "\n" (dir: "${pkgs.coreutils}/bin/mkdir -p ${effectiveCfg.path}/${lib.escapeShellArg dir}") effectiveCfg.dirs}
${pkgs.coreutils}/bin/chown -R ${effectiveCfg.owner} "${effectiveCfg.path}"
${pkgs.coreutils}/bin/chmod -R ${effectiveCfg.mode} "${effectiveCfg.path}"
'';
in {
config = lib.mkMerge [{
syscfg.server.loadedContainers = loadedContainers;
} (lib.mkIf (loadedContainers != {}) {
virtualisation.oci-containers = {
backend = "podman";
containers = mergedContainers;
};
system.activationScripts.container-setup-base-dirs = {
deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map mkPathSetup basePathConfigs);
};
system.activationScripts.container-setup-runtime-dirs = {
deps = [ "container-setup-base-dirs" ];
text = lib.concatStringsSep "\n" (map mkPathSetup runtimePathConfigs);
};
systemd.services = { virtualisation.oci-containers = {
podman-gc = { backend = "podman";
description = "Podman garbage collection"; containers = mergedContainers;
serviceConfig.Type = "oneshot"; };
script = ''
${pkgs.podman}/bin/podman container prune -f
${pkgs.podman}/bin/podman image prune -f
${pkgs.podman}/bin/podman system prune -a --volumes -f
'';
startAt = "weekly";
};
}
// mkNamedUnits (e: {
name = "${e.name}-vm";
value = {
description = "Isolated NixOS Guest VM for ${e.name}";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
QEMU_VM_REG_SND = "0";
NIX_DISK_IMAGE = "/media/data/kvm/${e.name}-guest.qcw2";
};
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "10s";
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /media/data/kvm";
ExecStart = ''
${builder.mkVm { name = e.name; vm = e.runtime.vm; }}/bin/run-${e.name}-vm -nographic
'';
};
};
}) allVMConfigs
// mkNamedUnits (e: {
name = "${e.name}-setup";
value = {
description = "Run ${e.name} setup";
after = [ "podman-${e.name}-${e.trigger}.service" ];
wants = [ "podman-${e.name}-${e.trigger}.service" ];
partOf = [ "podman-${e.name}-${e.trigger}.service" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ e.script ];
serviceConfig = {
Type = "simple";
Restart = "on-failure";
RestartSec = "15s";
TimeoutStartSec = "360s";
EnvironmentFile = e.envFile;
ExecStart = e.script;
RemainAfterExit = true;
User = "root";
};
};
}) allSetupConfigs;
services.cron = { systemd.services.podman-gc = {
enable = true; description = "Podman garbage collection";
systemCronJobs = allCronsConfigs; serviceConfig.Type = "oneshot";
}; script = ''
})]; ${pkgs.podman}/bin/podman container prune -f
${pkgs.podman}/bin/podman image prune -f
'';
startAt = "weekly";
};
system.activationScripts.container-setup-dirs = {
deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map (cfg: ''
mkdir -p "${cfg.path}"
chown ${cfg.owner} "${cfg.path}"
chmod ${cfg.mode} "${cfg.path}"
'') allPathConfigs);
};
};
} }

84
modules/server/containers/defs/authentik.nix Normal file
View File

@@ -0,0 +1,84 @@
{ config, containerCfg, pkgs, lib, ... }:
let
serverCfg = config.syscfg.server;
in {
paths = [{
path="${serverCfg.dataPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.dataPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
auth_server = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_server";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sso.entrypoints" = "web-secure";
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
"traefik.http.routers.sso.tls" = "true";
"traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
};
cmd = [ "server" ];
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
"--ip=${containerCfg.ip}"
];
ports = [
"9999:${toString containerCfg.port}"
];
};
auth_worker = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_worker";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
"/var/run/docker.sock:/var/run/docker.sock"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
};
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
];
cmd = [ "worker" ];
};
};
}

152
modules/server/containers/defs/cloud.nix Normal file
View File

@@ -0,0 +1,152 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "cloud";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
cloud_nextcloud.service = {
image = "nextcloud:27";
container_name = "cloud";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"${serverCfg.configPath}/data/nextcloud:/var/www/html"
"${serverCfg.dataPath}/data/music:/media/music"
"${serverCfg.dataPath}/data/video:/media/video"
"${serverCfg.dataPath}/data/photo:/media/photo"
];
tmpfs = [ "/tmp" ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.nextcloud.entrypoints" = "web-secure";
"traefik.http.routers.nextcloud.rule" =
"Host(`cloud.${serverCfg.hostDomain}`)";
"traefik.http.routers.nextcloud.tls" = "true";
"traefik.http.routers.nextcloud.middlewares" =
"sts_headers,nextcloud-caldav";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
"true";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
"^https://(.*)/.well-known/(card|cal)dav";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
"https://$\${1}/remote.php/dav/";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
"true";
};
};
cloud_office.service = {
image = "collabora/code:latest";
container_name = "cloud_office";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ ];
environment = {
username = "COLLABORA_USER";
password = "COLLABORA_PASSWORD";
aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
server_name = "office.${serverCfg.hostDomain}";
VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
VIRTUAL_PORT = "9980";
VIRTUAL_PROTO = "http";
DONT_GEN_SSL_CERT = "true";
RESOLVE_TO_PROXY_IP = "true";
NETWORK_ACCESS = "internal";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
dictionaries = "en fr de jp";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.collabora.entrypoints" = "web-secure";
"traefik.http.routers.collabora.rule" =
"Host(`office.${serverCfg.hostDomain}`)";
"traefik.http.routers.collabora.tls" = "true";
};
};
cloud_etherpad.service = {
image = "etherpad/etherpad:latest";
container_name = "etherpad";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
environment = {
NODE_ENV = "production";
TITLE = "Helcel-Pad";
DB_TYPE = "mysql";
DB_HOST = serverCfg.dbHost;
DB_PORT = serverCfg.dbPort;
DB_NAME = "etherpad";
DB_USER = "ETHERPAD_DB_USER";
DB_PASS = "ETHERPAD_DB_PASSWORD";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "P A D";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.etherpad.entrypoints" = "web-secure";
"traefik.http.routers.etherpad.rule" =
"Host(`pad.${serverCfg.hostDomain}`)";
"traefik.http.routers.etherpad.tls" = "true";
};
};
cloud_ethercalc.service = {
image = "audreyt/ethercalc:latest";
container_name = "ethercalc";
restart = "unless-stopped";
networks = [ "external" "internal" ];
volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
environment = {
NODE_ENV = "production";
TITLE = "Helcel-Calc";
REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
REDIS_PORT_6379_TCP_PORT = "6379";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.ethercalc.entrypoints" = "web-secure";
"traefik.http.routers.ethercalc.rule" =
"Host(`calc.${serverCfg.hostDomain}`)";
"traefik.http.routers.ethercalc.tls" = "true";
};
};
cloud_redis.service = {
image = "redis:latest";
container_name = "ethercalc-redis";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
};
}

30
modules/server/containers/defs/sample.nix Normal file
View File

@@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "name";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
NAME.service = {
image = "NAME:latest";
container_name = "NAME";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
};
}

81
modules/server/containers/defs/traefik.nix Normal file
View File

@@ -0,0 +1,81 @@
{ config, pkgs, ... }: {
project.name = "traefik";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
traefik.service = {
image = "traefik:latest";
container_name = "traefik";
restart = "unless-stopped";
networks = [ "internal" "external" ];
command = [
"--api"
"--providers.docker=true"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
];
port = [ "443" "80" ];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
"${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
"${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik/acme.json:/acme.json"
];
environment = {
"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
};
labels = { "traefik.enable" = "false"; };
};
matomo.service = {
image = "matomo:latest";
container_name = "matomo";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${serverCfg.configPath}/matomo:/var/www/html/config:rw"
"${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
];
environment = { };
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`matomo.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
searx.service = {
image = "searxng/searxng:latest";
container_name = "searx";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ "/etc/localtime:/etc/localtime:ro" ];
environment = {
"BASE_URL" = "https://searx.${serverCfg.hostDomain}";
"AUTOCOMPLETE" = "true";
"INSTANCE_NAME" = "searx${serverCfg.shortName}";
};
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`searx.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
};
}

17
modules/server/database/default.nix
View File

@@ -1,20 +1,21 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = lib.concatMap (app: app.requires.databases) (builtins.attrValues config.syscfg.server.loadedContainers);
containerNames = lib.mapAttrsToList
(name: cfg: name)
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in { in {
config = lib.mkIf ( builtins.length allApps > 0) { config = lib.mkIf ( builtins.length allApps > 0) {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; enableTCPIP = true; # Required to listen on network interfaces
extensions = ps: with ps; [ vectorchord pgvector ];
settings = { settings = {
listen_addresses = lib.mkForce "*"; listen_addresses = lib.mkForce "*";
shared_preload_libraries = "vchord";
}; };
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
# TYPE DATABASE USER ADDRESS METHOD # TYPE DATABASE USER ADDRESS METHOD
@@ -41,6 +42,7 @@ in {
settings.protected-mode = "no"; settings.protected-mode = "no";
}; };
systemd.services.postgresql-init = { systemd.services.postgresql-init = {
description = "Custom Postgres Setup (Ownership & Passwords)"; description = "Custom Postgres Setup (Ownership & Passwords)";
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
@@ -53,15 +55,14 @@ in {
}; };
script = '' script = ''
${pkgs.coreutils}/bin/sleep 20 ${pkgs.coreutils}/bin/sleep 2
PSQL="${pkgs.postgresql}/bin/psql" PSQL="${pkgs.postgresql}/bin/psql"
${lib.concatMapStringsSep "\n" (name: '' ${lib.concatMapStringsSep "\n" (name: ''
$PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;" $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
$PSQL -d "${name}_db" -tAc "REINDEX DATABASE ${name}_db;"
$PSQL -d "${name}_db" -tAc "ALTER DATABASE ${name}_db REFRESH COLLATION VERSION;"
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-) PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
echo $PASS
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
echo " Successfully set password for ${name}_user" echo " Successfully set password for ${name}_user"
else else

20
modules/server/nftables/default.nix
View File

@@ -1,8 +1,7 @@
{ config, lib, ... }:
let
cfg = config.syscfg.server; { config, lib, ... }:{
in { config = lib.mkIf (config.syscfg.server.nftables.enable) {
config = lib.mkIf (cfg.ipfw.enable) {
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
@@ -10,6 +9,13 @@ in {
networking.nftables.enable = true; networking.nftables.enable = true;
networking.nftables.ruleset = '' networking.nftables.ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
}
}
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
@@ -28,12 +34,12 @@ in {
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
'' ''
) cfg.ipfw.ports} ) config.syscfg.server.nftables.ports}
} }
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
} }
} }
''; '';

2
modules/server/openssh/default.nix
View File

@@ -9,8 +9,8 @@ in {
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [ 422 ]; ports = [ 422 ];
banner = "";
settings = { settings = {
#Banner = "";
PasswordAuthentication = false; PasswordAuthentication = false;
PermitRootLogin = "no"; PermitRootLogin = "no";
ClientAliveInterval = 60; ClientAliveInterval = 60;

16
modules/server/sops/default.nix
View File

@@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = lib.concatMap (app: app.requires.secrets) (builtins.attrValues config.syscfg.server.loadedContainers); containerNames = lib.mapAttrsToList (name: cfg: name)
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in{ in{
config = lib.mkIf (config.syscfg.server.sops) {
sops.secrets = { sops.secrets = {
CUSTOM = { INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
mode = "0444"; } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
sopsFile = ./server.yaml; owner = "postgres";
};
} // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
mode = "0444";
sopsFile = ./server.yaml; sopsFile = ./server.yaml;
})); }));
};
} }

48
modules/server/sops/example.server.yaml
View File

@@ -1,48 +0,0 @@
CUSTOM: |
DEFAULT_ADMIN_USERNAME=...
DEFAULT_ADMIN_PASSWORD=...
DEFAULT_ADMIN_EMAIL=...
DEFAULT_LDAP_PASSWORD=...
TRAEFIK: |
INFOMANIAK_ACCESS_TOKEN=...
AUTHENTIK: |
DB_PASSWORD=...
POSTGRES_PASSWORD=...
AUTHENTIK_SECRET_KEY=...
AUTHENTIK_EMAIL__PASSWORD=...
AUTHENTIK_TOKEN=...
NEXTCLOUD: |
DB_PASSWORD=...
POSTGRES_PASSWORD=...
COLLABORA: |
password=...
ETHERPAD: |
DB_PASSWORD=...
DB_PASS=...
ADMIN_PASSWORD=...
APIKEY=...
ETHERCALC: |
ETHERCALC_KEY=...
GITEA: |
DB_PASSWORD=...
GITEA__database__PASSWD=...
GITEA__security__SECRET_KEY=...
GITEA__security__INTERNAL_TOKEN=...
SEARXNG: |
SEARXNG_SECRET=...
UMAMI: |
DB_PASSWORD=...
DATABASE_URL=postgresql://username:mypassword@localhost:5432/mydb
APP_SECRET=...
IMMICH: |
DB_URL = "postgresql://immich_user:...@localhost:5432/immich_db";
SERVARR: |
SONARR__AUTH__APIKEY=...
RADARR__AUTH__APIKEY=...
FRESHRSS: |
DB_PASSWORD=...
SUWAYOMI: |
DATABASE_PASSWORD=...
DB_PASSWORD=...
CALIBRE: |
DB_PASSWORD=...

34
modules/server/sops/server.yaml
View File

@@ -1,24 +1,9 @@
CUSTOM: ENC[AES256_GCM,data:UdxcMBZVmWKoikP713KcpuiMH0OJbR+CFvJ9Os4lTfLkVb0PMOCftprLKIdVbb39Ov4O1F4cpWbVD5ypCj5PPBygQM8ce1bDNRa/M7E3VPPwZw5ZtXtkgGlPwPpuHeoVC1K8XxltxpuqdQtSNUPsDg4rYnsEaXTnpJ3YTWHliM7W1oU8okEgxdtQFvjcHFhNTTSNKHfMHd3CyOABf1J0FX55uqgXydCBbeHnge9Rbiue4FjIdewvpZatVy6mhi0ILGEEL6XAObkFrWrv9rLWM/ymd6Lb5I+xAkmYTJ7AaYfaokTey/NJ1cJ5KBftQBgQ5Wo11kfRuNrGGRZROT59vGIEaO/QUiiKndsSGE5XpRylAkHNV8SEHg2PWeI8fz/n2zVRT6Gmy+xXQTbvEhRm+LQ2hMNXVEzUq47tsPL2OXcWgNZKrhz95Ct2/OegPI7/HTdMmD3Wbqs3FlrkOMrL1W3GKCzUfV69cmXFy8llXBMyEk7Vf/+2CjOmeDuvjlFKF4Jkip/rVGB5rTB4xPToS5tCz2qksggaRXidd4lSCyI+CxZN9NdL8klMSJ0bhawxltt3xMBO7egF4KDHmxJTBvohp4HBHZXy3pJ9AXQX2aYzC+L9cjSkvto7qyuC5rD/HgX8n4YiHFR8ua72bickgZ2JKpNawVDRWdDFNyVBCQbhZfkZzyCECQ1AfNUn969TQsTzP91vEk+F2QzmoE6hYEVJ8PRg2p89TeevcTuH70qVBMT2TAtLAlkZ4gQegByo4vvjtSGlFzHy5idKTxjHM/HTLkRImCXRBj663PU7e/zse+bCzk6DfhM4JsNt8mZRRPU1cYqnzgfjz5O+IP50BUYYgmsoQhNKH22E3tUaXihvddNusfnxdq5RFgwcGTcfIVUSB3c98Q1yf2Ft896dzl9OLcRj6tsAUId2e3iJ13FhZEpm5Y+zc5CSAdOuEAya0j5FRYopMUkKJ8uC/CRXTFuSIAo4kw9/Dc05Td/IsLGVQKnL9oyWzj7p1V4J0hLc37ELF5/TShFmkCL99m50XXctupVoLOVP35O36QzFcduw8knNF9iNqrK42tTS8Jt1ZY3BR4L5Nm1TM9rMO6afGy18b1fag5Zk7pByTzGwLped7ST2qf3R3KtbK3CWXbojpnQhYHYnDVaXT0JCPhdqSRIXV+f7hFEH6AwvyCkoahBO19oL6/YizqJe51pKQqWudzVjqDhSt9Z9NsqLRfCIL+cl63LSjQjhyBXKTtxJbqqkYP6uGLULAE89WUzjP5D1oE8EspHmcpirfDyjLa6JJyLWBMGbFDAzHeOJT3AXmGXNvEYsHk28DrJ+LsWFH8MDUPFCXz2Acj8M0B1Kv8822/Xir4xw2AlnS2Y0mL6i8evQ7S2/wg0C9G/nscLZfNeFOvph+sZhQd3/5osgit38TwWPCvg6ulu9nzDjAjI8vAZ3PG/d1PgeJzoWLDmE1EDxqDlR/UFq,iv:0bnj/W2ys7bNJKfAfUmgsiXeyHdiqhRAeB3qDGU2Is0=,tag:oiZMxOk4ABhzguaZbRQZxg==,type:str] INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str] AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
SEARXNG: ENC[AES256_GCM,data:gtKhEmMemzLRl4c3cYhMAQ+5vUth1IhWQeLvW1YtaG5TbhQHBR4PDREQOlGt+tlfGQrft+FeNhMSN/SKOp8gmScVWa+9qmltzxRGRpLm3m/VuBZvOlGdeUcKAX8zEH6A,iv:B2UEtjTRIjT6W+tH2gtcl6XMvZNgbvZUXTiBePGOu24=,tag:SHIF6eaWBLwy9RrEy1N9kg==,type:str]
UMAMI: ENC[AES256_GCM,data:onB/uXLajaRLmeQMGNHFsjREzPih9ha+cogGRw+nRomERSRrbBv+6gCqEr8F3Dcm818JB4jGRYKoIYG8Jl6gMDaz5QQiA4qAnbG19LuzVeVUgz4NGEgXBULoT/0sQacnyAPIfPEp+ESWRQH81nO6Qcs+rICpS2Xfeye5hb+8rSAxmLpY991AJ3+avGyMwPcpfNCkixWt68KuG5ZN/IGDksM/sSLGgyMisClbEdhigq4mwibOxpiWjcKk/17xYgY6Xz93h/yloHKZIZZpnyA+85YC6oNWgCPhkGIAVu3dGshp10a0nk1A2INm6vxNPbfUjYLkt3zDAPZtoBRCqUs+43Eh62hYgajgWCQJhjJkDgF4Y1ifGfDerIXs/cDpIKLt2+7VqM6/ouqIDPJ7khSAr+8bcHU4CKDtsDagob5PpCG4ABt44cg9cGw=,iv:HD450JZuWn2+V0pvOsDHy9oVAanFMf1el9LA1z0PULY=,tag:p7Vl7dtM8UdAUNgmdG+7cg==,type:str]
IMMICH: ENC[AES256_GCM,data:1y78yeawkRjUXLWPyFdMB5HCDQhb1PoxEMfHmKSZfv0CWloOrQWT735dlH+W9yC6ljZjqVD9Fwq/9GqqKQMTFMCpr8wVRwSHEuqmaG3UgKzbLA3aWZ1SIB0AiJi+eUunzHj2vikUJx9dMRjC+iNXrsVWh2HqMrOyFCWetZoIfxNiAgsgNKPgYYsHLv6OAZs9XT7V3veqe0zc0nyw7ghWSXne/yNhQESyyGlMAdagrJRNimvXIp/AoAUKl2WUJm2MBl7lb6K1YeJ1XW8OjAHzV8isBiUwU8ZD81VJog0fgTGjbUa+HO7jEo+9YwmDIMx3f5z9N4A=,iv:pboITW2rr7+w8VNZM6uYMMEFZ1S/JtqjNOVthpYJ2tQ=,tag:0dgrJ191sB4MLJHMoQBlCg==,type:str]
INVIDIOUS: ENC[AES256_GCM,data:ZfgU5UFMmG9Cx9UaR0xnKr9VPebG3kut0difTFZmoqOSs+stG6YJfV82OOhj1RQLVJlPr/scydYy1+3LytwvP1BT7tLe0jII7XupbkL0w3n79KBaiIzAPdicqLxeqjKH45I0NjHra4djdnO2Ff4T8CTiFDlPn1rMuiw=,iv:UaDmOKJ4bFPGCaIePLXkWot9E6sTu2nhaVs83sI38G0=,tag:spTjxWEmLfPc8BZl2GglBA==,type:str]
SERVARR: ENC[AES256_GCM,data:757WdthmToCGr2boph7iW1ycs3tQyGgD3lhYOcX/X3hjs9dLLPCWGI2zt5axp72IGJ/sVYEop2rqsRLxdPn3VIyQLvQ+3MYdo8Z/yOuMy7DAlnITQQQUI2ylZKHVmFAt39/xBpwsVjh3m/hBQvn/LbCDtR2s4qa+8fQDfeZXksTtnf7YZbVygTF7jWZ+0oVvkvNO1ZUejvP+uHL+jHwgMEwQnR22hOYWEKZ1s7PI+EZHujqyOhnwXB4jRG+XD7R4N6AhC5Z+nmkFpy3ffszCJ0/H,iv:NrNbkL6GWN4r+uzxNYrhoECD1APbRsRBcMBbVHD3DwM=,tag:YK1O50wV+lHAQa6TX9huUw==,type:str]
INFLUX: ENC[AES256_GCM,data:lLn/cSYWtjxeHafHUku9QnGV/pVPvx1WFSC6vgJP7w1XfL+7mk54M56cGr1VXGsM993ynjzrWDrxO8WtQPh1F9BOMH15ZY6B10rw0hLxsJyIapPrhp1/1HtryhmL8eNTU7N7UnPKdzeN/XFwjqqlktka4H9FcMg8A8STns8vNa6it4hx+IxKj3Dukdq2DSS7w9s1/+j08vZMwIULBRR+ZcGOGUppIS8umZ4/4yzPO03w4A9RNMIXhWdwbU64Xj49hOlxuqNoRcxw7dDp/GpHRXijsKdhPOegKo1tRQII,iv:Y9G/cXYzn3H91c/JLWglrtokUi7jjQxPgVgz4xUtoug=,tag:LvpuWeIzpHScnwjzz1J56A==,type:str]
FRESHRSS: ENC[AES256_GCM,data:M5C76yVyi0Uw28FWj+IvQJbP1hdxxBGWfp30egjlv8Eu4tSZjHyfni+OLwgziDeQQyvRbn2OHwKtztEu4N2C7iU0UaotB0jCOc2BKuwfSWrxWfmkTDrY1YBfbGgLWEKQ1ddafI/Dn99n4HFbGpMZ8Fbe+sRKKGgpAPj9bMkUjoP3eXw4HUWhu84b6LWu3x8DwArhNDOkHJnDL+Rlif7hILg7+eI/IUB0XakKCMIKHZn9djk4yjgXMQGF5EFRlPVWgQ==,iv:2Kb916TksnVhby/GORx9nzir6A7GiRNL9S0wrbc8yDQ=,tag:v2Nhj61qd4f/YV1HcF0v5Q==,type:str]
SUWAYOMI: ENC[AES256_GCM,data:xVzuIWdEZLeFtkVew/Jbt0U+ouOjA+U/flhSAsWHPQHWgp7+6uvdBYIxcyQ+firHAu9qcAO/HahDgnr0lhcQx/n5XgEhCchiGxCNBcAi/AD+FE9/PgSJf2DvjCp0ckCWvPChGsy+TD8uNi1bg0lqSrbDExRS28f3FVPrbrJJ1vj/V9Gk4PABg/UcdvycgCpf266aFMMzNuPJGyaRuQEnyFNvQgs53R7t9D9hC9GSc4MkEGt7g0GeX1MTRTzjjISgCdzZxjUiJGSuFTBemQggcWOAJNdYFq1vuh5X3zBvlF+zz75g3cin9S58CQ==,iv:/zlNBdu5SuzC8+t4zOYVga3hLWnxlNUALi6BS4MjNog=,tag:DfeC0X7uX9/qhltFl2D2hg==,type:str]
CALIBRE: ENC[AES256_GCM,data:Uxz/5H4q/ugmW49a6oIQsG450w+SS1H58gOMXDVX/JQ8OCGxWQ8DRNmSGBZLgGsJ9UA1rxYRS4+pDuDL+iQsNVOmZzFRAuWJwUhEiF72B/Ah0IyXpnPIups8S2Nq,iv:rK274zWuvguY/DPHXxG174j+Ne11SB7ZCQLxO6Tvvg4=,tag:7wJyt94jRvRCZxgHWotzVA==,type:str]
SELFMARK: ENC[AES256_GCM,data:YDCfMay/SxmJxQcVPvXJe7h/BGjOjVZLU4eJ3+t6z4EDqUueNzmBPWtF1hrNJCC2XlZFlD+PmCyoo8tzuPiig4Uxwf4Gos15Skddx8Jt4/PKjR3AW0z0U8kAtXmByBAAa/nLEVwTkyRybYTXcd36SlqyTrbVfDLkIQW0yiqp93Fh40gWTV3u/gz2ZeLit12o3LNnm7Zne7y8w7iAO2vm2L5h2W8R+9B8oW1MSweclKgDlMieNh+pmxexnNdvGX5jAgaOM2xSUC8Z/PcgSCAYwNVe0CYsHPypES/miS3XrVs4E/YIaMGaTi7lTS+zxy9x8F17O/MVHoy7yuzjQYBZ1w+PmMOYv+Wc1mVJswAHMfvZE6EUFL/P7Qy2T+c19cowphZTuuGZMaIqjeWfn4ZHPlVhWEdamk3dhyqA2I2g1X5cANP1FV73FJC/3gTqKXkkp9wcWqN59gAHmUzn2D5Mhmvx2UkTbyUyNxR71VdpSN4szYifmEdp56KQVpjrw4dSst97sWCzI6nrDn4P9J3TrTpCFJM2PSbyF23NIVuPCx2pdqTdjCr1IX+9v1qLKOcbIZq/S3ldQ6E2PZnvIA6faoE5SO5uy8qUwct54Jc+p6WTNFRMzfbFs31xVgiiR3Y5HsTc3Ee2ePhu1ggvCa8o4CW9zqO5jqFX38C8n0jYhc31AlVui0hswECHBgDqFQ3pZS10Fx4heYjnfJRTB8OrE0/lf0QYgMqLcWJyxJqwutoa5uaQxiq1QV3beyj8Yv0/kSEqrWvItvZaM2MCkmBjxDtfBqx1zIZ3Lm2xYJmOLB/SgYYWi+0d9yS2Dhe8mpOr2/xMsgdUUz2YbCX5YfA=,iv:nohcihzxdZORTKrrYnupqts4REcyioqlfFhQOM9K/H8=,tag:2sPes1v7LfvIj0hC/tKClw==,type:str]
sops: sops:
age: age:
- enc: | - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3
N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D
@@ -26,8 +11,8 @@ sops:
clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF
BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ== BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg - recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
- enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS
WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk
@@ -35,9 +20,8 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3 lastmodified: "2026-05-06T01:10:20Z"
lastmodified: "2026-06-06T19:05:55Z" mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
mac: ENC[AES256_GCM,data:Qi14yxgLfSqQrFgemT80pwBEfQde06/17DOhjUrUSkJbdMy278a+VXZrCrG61z0QSMXtZutAdQTIJ7KPGot7pmTY9mHNl6zRyDqzC2Jfy2HALG8hWmpOFQepq03RaYO36mwWaMHEB3u4AwhFlKi6OSxIj3RhS1N4xpOwAZxWaGM=,iv:73h8YUYDkCjTVD81VEfFLuby61PQaxz28dw4tcOvx4c=,tag:3eujXdrYqSXTDYbYqo6DSw==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-
@@ -60,4 +44,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0 fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.13.1 version: 3.12.1

2
modules/shared/colors/default.nix
View File

@@ -1,4 +1,4 @@
{ ... }: { { config, ... }: {
imports = [ ./sorahiro.nix ]; imports = [ ./sorahiro.nix ];
colorScheme.palette.border-radius = "#8"; colorScheme.palette.border-radius = "#8";

2
modules/shared/colors/sorahiro.nix
View File

@@ -1,4 +1,4 @@
{ ... }: { nix-colors, ... }:
let use_pastelle = true; let use_pastelle = true;
in{ in{
# usage: a = "#${config.colorScheme.palette.base00}"; # usage: a = "#${config.colorScheme.palette.base00}";

BIN
modules/shared/media/logo.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 17 KiB

Some files were not shown because too many files have changed in this diff Show More