Compare commits

...

746 Commits

Author SHA1 Message Date
sora-ext 3135fad27e Update systems/ci/cfg.nix 2026-06-09 15:21:05 +02:00
sora-ext 1dfe40c3f2 Update systems/_avalon/hardware.nix 2026-06-09 15:20:47 +02:00
sora-ext ab2f95d240 Update systems/_avalon/default.nix 2026-06-09 15:20:37 +02:00
sora-ext a3723be554 Update systems/_avalon/cfg.nix 2026-06-09 15:20:24 +02:00
sora-ext 7086fb70f6 Update shells/devsh/default.nix 2026-06-09 15:20:03 +02:00
sora-ext 37ffd00d0b Update modules/server/containers/apps/homepage.nix 2026-06-09 15:19:08 +02:00
sora-ext 93d7a9d08e Update modules/server/containers/apps/homeassistant.nix 2026-06-09 15:19:00 +02:00
sora-ext 65d68895a6 Update modules/home/xdg/default.nix 2026-06-09 15:18:42 +02:00
sora-ext 0b90003532 Update modules/home/gui/apps/develop/vscodium/default.nix 2026-06-09 15:18:17 +02:00
sora-ext 7fce37895e Update modules/home/gui/apps/develop/vscodium/default.nix 2026-06-09 15:18:07 +02:00
sora-ext 03f27c3189 Update flake.nix 2026-06-09 15:17:43 +02:00
soraefir bfbbabaf06 fix icon 2026-06-09 00:29:34 +02:00
soraefir 44b7c5858c fixed 2026-06-09 00:18:17 +02:00
soraefir 1ce2a94786 dbg 2026-06-08 23:41:23 +02:00
soraefir 0bff91bb07 test fix 2026-06-08 23:26:23 +02:00
soraefir 8166ef1bd1 debug print 2026-06-08 23:10:13 +02:00
soraefir 240453849f fixes 2026-06-08 22:35:30 +02:00
soraefir 5c5f2dd3de fix favicon 2026-06-08 22:11:17 +02:00
soraefir 9f4fc933cf fix color 2026-06-08 21:09:51 +02:00
soraefir 94aa518fe7 fix 2026-06-08 20:41:51 +02:00
soraefir c5d16b282d fix path 2026-06-08 20:03:32 +02:00
soraefir 3c3245b450 fix favicon 2026-06-08 19:18:39 +02:00
sora-ext 59dd62b9c9 Update modules/server/containers/apps/homepage.nix 2026-06-08 12:02:27 +02:00
sora-ext a899fe4c6f Update modules/shared/sops/default.nix 2026-06-08 11:45:29 +02:00
sora-ext 75914fb975 Update modules/server/containers/apps/favicon.nix 2026-06-08 11:45:11 +02:00
soraefir e855ea26c0 More nix stats 2026-06-08 03:09:40 +02:00
soraefir df537a338b telegraf nix 2026-06-08 02:47:57 +02:00
soraefir e618f396c0 fix paths 2026-06-08 01:12:40 +02:00
soraefir b3c5e4f651 fix config perm 2026-06-08 01:03:05 +02:00
soraefir 1f8b7c6183 fix 2026-06-07 23:58:07 +02:00
soraefir 161b372566 fix immich 2026-06-07 23:50:25 +02:00
soraefir 63af33cc08 fix mode 2026-06-07 23:14:53 +02:00
soraefir 39693c4918 2step setup 2026-06-07 22:16:41 +02:00
soraefir 6d94b3875c fix paths 2026-06-07 22:08:35 +02:00
soraefir 45338a43f9 immich fix 2026-06-07 21:04:06 +02:00
soraefir 0df635666f fix path 2026-06-07 20:55:10 +02:00
soraefir a33f2b2c98 fix 2026-06-07 20:49:53 +02:00
soraefir f79b57855a fix immich dir 2026-06-07 20:40:53 +02:00
soraefir a1c9185090 update logo 2026-06-07 19:29:35 +02:00
soraefir 163b3e2a48 fix cloud 2026-06-07 19:08:15 +02:00
soraefir 9ed7bad996 fix 2026-06-07 19:01:53 +02:00
soraefir 1f46977159 fix 2026-06-07 18:55:51 +02:00
soraefir 25e3cabe49 fix nextcloud 2026-06-07 18:44:07 +02:00
soraefir 38cea9e932 improve traefik 2026-06-07 18:35:26 +02:00
soraefir 59cf3a8507 fix boot 2026-06-07 18:30:30 +02:00
soraefir da037f476f fix 2026-06-07 18:14:03 +02:00
soraefir 532876f1a9 faster boot 2026-06-07 18:12:40 +02:00
soraefir 844199aed1 fix stuff 2026-06-07 18:03:02 +02:00
soraefir 9cf7da5a73 always apply settings 2026-06-07 17:56:30 +02:00
soraefir d8f3142b4e fix img 2026-06-07 17:20:12 +02:00
soraefir 8afa30e3cc fix icon 2026-06-07 16:56:34 +02:00
soraefir 82f34804ad nexcloud domain fix 2026-06-07 16:46:57 +02:00
soraefir f10dbe4ea7 mode fix 2026-06-07 16:22:45 +02:00
soraefir 8569c40183 fix 2026-06-07 16:21:21 +02:00
soraefir 649b7cc032 fix 2026-06-07 15:55:18 +02:00
soraefir 1f490d87c2 fix perm 2026-06-07 15:44:02 +02:00
soraefir 4b2cbbff36 fix nexcloud script 2026-06-07 15:33:50 +02:00
soraefir 7e5d777fc6 fix script setup 2026-06-07 15:25:58 +02:00
soraefir 0000b02d5d fix cloud logo 2026-06-07 15:20:28 +02:00
soraefir 4218bb8344 fix 2026-06-07 14:43:00 +02:00
soraefir 6b2fd299e0 colors 2026-06-07 14:40:46 +02:00
soraefir d147f53ef1 more telegraf 2026-06-07 14:10:36 +02:00
soraefir dcf7b0dbe6 Fixes 2026-06-07 02:45:11 +02:00
soraefir 34677df2e3 fix favicon 2026-06-06 22:47:39 +02:00
soraefir 678eb5aec1 fix cert 2026-06-06 22:40:37 +02:00
soraefir 1ebd395ba9 fix db connect 2026-06-06 22:32:20 +02:00
soraefir 2073475a37 favicon fix 2026-06-06 22:22:05 +02:00
soraefir c874ed5334 fix user 2026-06-06 21:37:54 +02:00
soraefir d30812f388 fix 2026-06-06 21:33:02 +02:00
soraefir 004de03308 grafana setup 2026-06-06 21:31:33 +02:00
soraefir e24c9fd66a better docker and speedtest 2026-06-06 13:57:16 +02:00
soraefir ce3ac9f06a cleanup 2026-06-06 13:38:13 +02:00
soraefir 98ba27e541 sops 2026-06-06 01:50:18 +02:00
soraefir 70fdf33f07 monitoring 2026-06-06 01:45:59 +02:00
soraefir f2a68f34cb typo 2026-06-06 00:56:58 +02:00
soraefir 80fe64b34f fixes 2026-06-06 00:56:06 +02:00
soraefir 4217cac3d5 fix 2026-06-06 00:53:06 +02:00
soraefir 9b4021a3df fix 2026-06-06 00:49:26 +02:00
soraefir 9573be2232 cleanup 2026-06-06 00:48:56 +02:00
soraefir 7b1802b492 update sops 2026-06-06 00:46:50 +02:00
soraefir baa72df617 fix 2026-06-06 00:39:27 +02:00
soraefir 8f3a4cbd56 fix 2026-06-06 00:38:07 +02:00
soraefir f6db599099 fix 2026-06-06 00:37:42 +02:00
soraefir 2066940c77 add telegraf 2026-06-06 00:34:26 +02:00
soraefir dddbd8309f auth 2026-06-05 22:33:46 +02:00
soraefir 866ee00690 fix 2026-06-05 22:32:49 +02:00
soraefir f47562a622 disable auth 2026-06-05 22:31:03 +02:00
soraefir 5e5c8f4d9b fix 2026-06-05 22:28:32 +02:00
soraefir a7c34ebe3d test 2026-06-05 22:25:52 +02:00
soraefir af269dfe32 fix 2026-06-05 22:24:31 +02:00
soraefir 0cab235aa8 influx fix 2026-06-05 22:14:34 +02:00
soraefir a3e22b8b69 fix port 2026-06-05 22:09:46 +02:00
soraefir 8667b22bc7 secure ui 2026-06-05 22:05:30 +02:00
soraefir c31ff9c879 recursive perm 2026-06-05 22:04:14 +02:00
soraefir b5f7d921c9 fix 2026-06-05 22:02:26 +02:00
soraefir 9fdf586c80 fix 2026-06-05 22:00:08 +02:00
soraefir 42164ed5d5 fix files 2026-06-05 21:56:27 +02:00
soraefir d3ecf03db2 secret 2026-06-05 21:51:39 +02:00
soraefir adb79a68c5 fix 2026-06-05 21:48:53 +02:00
soraefir 87d648485e influx to docker 2026-06-05 21:42:46 +02:00
soraefir 126f2f0c69 fix 2026-06-05 19:57:20 +02:00
soraefir aa1e17dd64 fix 2026-06-05 19:50:11 +02:00
soraefir 880ae2be67 fix 2026-06-05 19:39:07 +02:00
soraefir 1145407283 fix 2026-06-05 19:33:50 +02:00
soraefir 0531cfb361 db reindex 2026-06-05 19:31:45 +02:00
soraefir 5ee625cc89 rm cfg 2026-06-05 19:27:48 +02:00
sora-ext a28bcd7775 Update modules/server/containers/apps/influx.nix 2026-06-05 12:35:03 +02:00
sora-ext 5c6a46df2f Update modules/server/database/default.nix 2026-06-05 12:34:50 +02:00
soraefir 057a11abad fixes 2026-06-05 05:33:57 +02:00
soraefir 1bf88a2406 Fix? 2026-06-05 04:47:29 +02:00
soraefir c2cd4e42c1 fixes 2026-06-05 04:27:45 +02:00
soraefir 1590a1cf31 fix ui 2026-06-05 01:57:27 +02:00
soraefir aab910d3a6 fix theme 2026-06-05 01:16:39 +02:00
soraefir a1e6aef20a fix 2026-06-05 00:28:05 +02:00
soraefir e521c481f7 cleanup 2026-06-05 00:16:05 +02:00
soraefir be5582c79b fix 2026-06-04 23:28:00 +02:00
soraefir 04501a9d7c fix 2026-06-04 23:23:55 +02:00
soraefir a918d0c51e fix 2026-06-04 23:19:03 +02:00
soraefir 6d6867cfe1 fix logo 2026-06-04 23:12:26 +02:00
soraefir 4e02042ea9 improve 2026-06-04 23:09:29 +02:00
soraefir 32f20fb0ba fix 2026-06-04 22:30:19 +02:00
soraefir 5fd4be9053 colorScheme is user domain 2026-06-04 22:28:22 +02:00
soraefir c357111c17 fix 2026-06-04 22:27:31 +02:00
soraefir 286a7b9f2a fix 2026-06-04 22:26:30 +02:00
soraefir b86e719cc4 fix 2026-06-04 22:15:51 +02:00
soraefir f82d25eb84 fix 2026-06-04 22:11:13 +02:00
soraefir 1898c015fe fix 2026-06-04 21:58:48 +02:00
soraefir 0800f47913 fix authentik branding 2026-06-04 21:47:55 +02:00
soraefir f37c02f9c9 rm android udev (builtin) 2026-06-04 21:37:05 +02:00
soraefir 8c11389449 disable unused 2026-06-04 21:34:33 +02:00
soraefir d3f549751f media and cfg 2026-06-04 21:33:55 +02:00
sora-ext edb48ace8a Update systems/sandbox/cfg.nix 2026-06-04 17:59:24 +02:00
sora-ext 215b546128 Add modules/server/containers/apps/favicon.nix 2026-06-04 17:58:00 +02:00
sora-ext 35e41fa630 Update modules/server/containers/apps/homepage.nix 2026-06-04 17:29:52 +02:00
sora-ext 210cf2dc9a Add modules/shared/syscfg/media.nix 2026-06-04 17:29:20 +02:00
sora-ext 809dd65eb0 Update modules/shared/syscfg/default.nix 2026-06-04 17:29:06 +02:00
sora-ext a8f730b4af Update modules/server/containers/default.nix 2026-06-04 17:28:40 +02:00
sora-ext 023620de83 Add modules/server/containers/data/authentik/branding.yaml 2026-06-04 17:28:23 +02:00
sora-ext eb2258a850 Update modules/server/containers/apps/nextcloud.nix 2026-06-04 17:28:04 +02:00
sora-ext 720d8bf154 Update modules/server/containers/apps/authentik.nix 2026-06-04 17:27:53 +02:00
sora-ext 6da8823f85 Add systems/avalon/hardware.nix 2026-06-04 10:55:49 +02:00
sora-ext 4d8fc16bbc Delete systems/avalon/server/docker/secrets.txt 2026-06-04 10:55:24 +02:00
sora-ext f2f9e95198 Update systems/asgard/default.nix 2026-06-04 10:55:09 +02:00
sora-ext 07c748071e Update systems/asgard/cfg.nix 2026-06-04 10:54:59 +02:00
sora-ext b489d719da Update shells/default.nix 2026-06-04 10:54:44 +02:00
sora-ext 9e042ebeaf Update modules/nixos/tools/develop/ollama/default.nix 2026-06-04 10:54:10 +02:00
sora-ext d4887fbd64 Update modules/nixos/tools/debug/default.nix 2026-06-04 10:54:00 +02:00
sora-ext 3642b2f41b Update modules/nixos/tools/debug/default.nix 2026-06-04 10:53:24 +02:00
sora-ext d9f7c63b8a Update modules/nixos/system/hw/udev/default.nix 2026-06-04 10:53:04 +02:00
sora-ext 0b5fd3ac41 Update modules/nixos/system/hw/power/default.nix 2026-06-04 10:52:44 +02:00
sora-ext e9f5942202 Update modules/home/gui/theme/default.nix 2026-06-04 10:46:24 +02:00
soraefir c25e75a1b6 fix influx 2026-06-04 02:16:10 +02:00
soraefir d46785a4ef disable for test 2026-06-04 01:41:36 +02:00
soraefir 200dbb9ed1 fix servarr 2026-06-04 01:10:15 +02:00
soraefir 054d097e0d no mail 2026-06-04 01:07:49 +02:00
soraefir 3db1c98a08 no calc 2026-06-04 01:06:22 +02:00
soraefir 7305fdd7c0 trest 2026-06-04 01:02:28 +02:00
soraefir d2a402f724 Fix 2026-06-04 00:52:50 +02:00
soraefir 9a89479f66 Refactor 2026-06-04 00:30:29 +02:00
soraefir b82393272c Refactor 2026-06-03 19:24:29 +02:00
sora-ext 1cb9e9b645 Update modules/server/containers/default.nix 2026-06-03 17:40:10 +02:00
sora-ext b8735803c4 Update flake.nix 2026-06-03 17:35:15 +02:00
sora-ext 14bf297897 Update modules/shared/syscfg/server.nix 2026-06-03 17:20:36 +02:00
sora-ext 1fad610dff Update modules/server/database/default.nix 2026-06-03 17:19:28 +02:00
sora-ext 2c00901b04 Update modules/server/containers/apps/umami.nix 2026-06-03 17:19:11 +02:00
sora-ext 2c0ac0db09 Update modules/server/containers/apps/transmission.nix 2026-06-03 17:19:02 +02:00
sora-ext 6be107374e Update modules/server/containers/apps/traefik.nix 2026-06-03 17:18:52 +02:00
sora-ext 9e4d8274b5 Update modules/server/containers/apps/suwayomi.nix 2026-06-03 17:18:42 +02:00
sora-ext f54dea8a13 Update modules/server/containers/apps/selfmark.nix 2026-06-03 17:17:45 +02:00
sora-ext a6788f13a8 Update modules/server/containers/apps/searxng.nix 2026-06-03 17:17:36 +02:00
sora-ext 5b4af162b9 Update modules/server/containers/apps/openhab.nix 2026-06-03 17:17:14 +02:00
sora-ext 4e5c956f78 Update modules/server/containers/apps/nextcloud.nix 2026-06-03 17:17:02 +02:00
sora-ext 083549e3c6 Update modules/server/containers/apps/jellyfin.nix 2026-06-03 17:16:53 +02:00
sora-ext fada3c79b3 Update modules/server/containers/apps/invidious.nix 2026-06-03 17:16:42 +02:00
sora-ext ce72e4421b Update modules/server/containers/apps/influx.nix 2026-06-03 17:16:30 +02:00
sora-ext ddc5c76a35 Update modules/server/containers/apps/immich.nix 2026-06-03 17:16:18 +02:00
sora-ext d0b6718254 Update modules/server/containers/apps/handbrake.nix 2026-06-03 17:16:06 +02:00
sora-ext c1c76ab3de Update modules/server/containers/apps/gitea.nix 2026-06-03 17:15:56 +02:00
sora-ext 558874731a Update modules/server/containers/apps/frigate.nix 2026-06-03 17:15:46 +02:00
sora-ext b14135274b Update modules/server/containers/apps/freshrss.nix 2026-06-03 17:15:37 +02:00
sora-ext 5df88ac25a Update modules/server/containers/apps/etherpad.nix 2026-06-03 17:15:29 +02:00
sora-ext 2d8e0da386 Update modules/server/containers/apps/ethercalc.nix 2026-06-03 17:15:20 +02:00
sora-ext 8f87c11cb5 Update modules/server/containers/apps/calibre.nix 2026-06-03 17:15:00 +02:00
sora-ext 7b8eeb917f Update modules/server/containers/apps/authentik.nix 2026-06-03 17:14:30 +02:00
sora-ext a2043cafe1 Update modules/server/containers/apps/.template.nix 2026-06-03 17:14:05 +02:00
soraefir 4866426271 fix 2026-06-02 23:57:04 +02:00
soraefir 7f27a61af7 fix db 2026-06-02 23:54:44 +02:00
soraefir 834fd34b54 fix env 2026-06-02 23:52:14 +02:00
soraefir 43df774914 hardcover and secrets 2026-06-02 19:29:15 +02:00
soraefir 6e9c0ff87c fix basepath 2026-06-02 19:23:19 +02:00
soraefir 84ec32c985 fix 2026-06-02 19:20:36 +02:00
soraefir 50a1092fcf fix mark 2026-06-02 19:07:30 +02:00
soraefir 495b210e9a auth selfmark 2026-06-02 18:59:49 +02:00
soraefir 14df99f7af rm perm freshrss 2026-06-02 18:56:40 +02:00
soraefir ab9aabdddf fix 2026-06-02 18:54:28 +02:00
sora-ext 9b15f5fa16 Update modules/server/containers/apps/selfmark.nix 2026-06-02 18:00:50 +02:00
sora-ext f2986239d5 Update modules/server/containers/apps/influx.nix 2026-06-02 18:00:27 +02:00
soraefir d733ef6a2a calibre config cmd 2026-06-02 01:01:25 +02:00
soraefir 01c7278d51 fix env 2026-06-02 00:35:30 +02:00
soraefir 649d15ce0a fix url 2026-06-01 23:06:35 +02:00
soraefir d257687629 fix oidc 2026-06-01 22:57:52 +02:00
soraefir c1e9dfc42a fix perm 2026-06-01 22:53:44 +02:00
soraefir f40e5be25a fix 2026-06-01 22:49:50 +02:00
soraefir b98e9d3f16 fix 2026-06-01 22:41:42 +02:00
soraefir aa5ec8003f fix 2026-06-01 22:36:41 +02:00
soraefir 33500059b7 fix 2026-06-01 22:35:01 +02:00
soraefir a08be8d4e1 fix typo 2026-06-01 22:31:35 +02:00
soraefir b1e6b2151b fix env 2026-06-01 22:28:50 +02:00
soraefir 70eb9f8664 freshrss oidc 2026-06-01 22:27:12 +02:00
soraefir 7805758114 hardcoded swap for sandbox 2026-06-01 22:06:28 +02:00
soraefir 584859d47c fox stock 2026-06-01 22:05:18 +02:00
soraefir a808ba2741 fix 2026-06-01 21:06:02 +02:00
soraefir bdf0352691 fix home ? 2026-06-01 21:04:59 +02:00
soraefir 14862f7de3 wip 2026-06-01 18:51:40 +02:00
sora-ext cd0e1214cf Update modules/server/sops/example.server.yaml 2026-06-01 17:20:54 +02:00
sora-ext dca2fb09b7 Update systems/sandbox/cfg.nix 2026-06-01 17:19:32 +02:00
sora-ext d487ad0c0f Add modules/server/containers/apps/suwayomi.nix 2026-06-01 17:18:06 +02:00
sora-ext bf0e460163 Add modules/server/containers/apps/selfmark.nix 2026-06-01 17:17:41 +02:00
sora-ext ee4e003ccf Update modules/server/containers/apps/homepage.nix 2026-06-01 17:17:18 +02:00
sora-ext bd8c9210c9 Add modules/server/containers/apps/freshrss.nix 2026-06-01 17:16:50 +02:00
sora-ext 036cd1a5de Add modules/server/containers/apps/calibre.nix 2026-06-01 17:16:29 +02:00
sora-ext 3f67ae6bba Update modules/server/containers/default.nix 2026-06-01 17:15:31 +02:00
sora-ext 060cbf3b31 Update modules/home/cli/neofetch/default.nix 2026-06-01 17:14:18 +02:00
sora-ext f2ca3e2f1a Add modules/home/cli/neofetch/config.jsonc 2026-06-01 17:13:56 +02:00
soraefir 3a182533a6 fix 2026-06-01 01:05:27 +02:00
soraefir d457e6869b fix warnings 2026-06-01 00:43:20 +02:00
soraefir 3f4e965154 fix 2026-06-01 00:39:34 +02:00
soraefir 501fbf32a2 fix 2026-06-01 00:37:31 +02:00
soraefir 22879d8897 fix 2026-06-01 00:36:34 +02:00
soraefir d2ccb0b485 bump 26.05 2026-06-01 00:22:01 +02:00
soraefir 7db880b46a bump version 2026-06-01 00:18:26 +02:00
soraefir 1bbbb74553 fix test 2026-06-01 00:07:03 +02:00
soraefir a9d3cbd89a fix 2026-05-31 22:54:10 +02:00
soraefir c2aa7e22d1 better logs 2026-05-31 21:43:51 +02:00
soraefir 4322d315b2 add widget 2026-05-31 21:29:12 +02:00
soraefir 5d979d0720 add services 2026-05-31 20:09:56 +02:00
soraefir ef09e18cd2 Fix blueprint 2026-05-31 19:20:11 +02:00
soraefir 735f1255c1 service account homepage 2026-05-31 19:07:46 +02:00
soraefir 57726f85bd fix 2026-05-31 18:12:36 +02:00
soraefir 0ed4b93fdc disabled for testing 2026-05-31 18:05:42 +02:00
soraefir 8804722960 fix token ldap 2026-05-31 17:40:14 +02:00
soraefir 262a11b6ff fix token 2026-05-31 17:38:32 +02:00
soraefir d551091e40 fix 2026-05-31 17:25:31 +02:00
soraefir 1956285128 home token 2026-05-31 17:10:06 +02:00
soraefir 42f8b17139 fix 2026-05-31 16:46:36 +02:00
soraefir 52aeaf4e51 fix 2026-05-31 16:32:13 +02:00
soraefir 476b79bf34 fix 2026-05-31 16:05:58 +02:00
soraefir eef8730851 fix 2026-05-31 15:45:57 +02:00
soraefir de61030066 fix 2026-05-31 15:32:04 +02:00
soraefir e53bda295b fix 2026-05-31 15:25:48 +02:00
soraefir a762db5310 fox 2026-05-31 15:10:09 +02:00
soraefir 5640687004 fix blueprint 2026-05-31 15:03:13 +02:00
soraefir 97eeb129f5 fix 2026-05-31 14:24:45 +02:00
soraefir d6d4f11d78 test 2026-05-31 14:22:47 +02:00
soraefir fcf923f068 fix 2026-05-31 14:21:50 +02:00
soraefir cdfdb24910 test 2026-05-31 14:16:02 +02:00
soraefir 9b69e153be fix 2026-05-31 13:40:46 +02:00
soraefir 80801837ba fix 2026-05-31 13:33:43 +02:00
soraefir e8ed71264e manually add modules 2026-05-31 13:22:17 +02:00
soraefir 099593e513 fix 2026-05-31 13:21:13 +02:00
soraefir 292e688323 fix attr build 2026-05-31 13:20:06 +02:00
soraefir 0570a0d278 more api 2026-05-31 13:05:20 +02:00
soraefir deafe70bea escape 2026-05-31 12:35:53 +02:00
soraefir 41317e0f33 escape 2026-05-31 12:34:55 +02:00
soraefir 865cbbec7e pkgs 2026-05-31 12:33:56 +02:00
soraefir 6d356b56c5 gitea token 2026-05-31 12:32:37 +02:00
soraefir 50c96de851 Fix sqlite cmd 2026-05-31 12:19:57 +02:00
soraefir f8c696dc57 sqlite fix 2026-05-31 12:05:34 +02:00
soraefir 41d77a5876 fix api key gen 2026-05-31 12:03:44 +02:00
soraefir 7bae85db98 fix env 2026-05-31 11:37:55 +02:00
soraefir 30dd87c42f test 2026-05-31 11:12:39 +02:00
soraefir 39209ca827 env 2026-05-31 10:11:24 +02:00
soraefir c84b97ad8f fix 2026-05-31 01:35:19 +02:00
soraefir 1a13e9855d Fix 2026-05-31 01:32:39 +02:00
soraefir fecaa28ab0 add ports 2026-05-31 01:29:29 +02:00
soraefir 480f7910a6 fix 2026-05-31 01:20:35 +02:00
soraefir 5928479a4e test env 2026-05-31 01:14:46 +02:00
soraefir ca8f1aa222 custom 2026-05-31 01:09:48 +02:00
soraefir d013b4ae88 test 2026-05-31 01:07:52 +02:00
soraefir cebd969445 Fix 2026-05-31 00:06:58 +02:00
soraefir b46d9139df more services 2026-05-31 00:01:45 +02:00
soraefir d6daa605f8 fix 2026-05-30 23:47:45 +02:00
soraefir 5dffd74661 fix 2026-05-30 23:40:09 +02:00
soraefir 94a8aac8a6 fix 2026-05-30 23:37:55 +02:00
soraefir a3c14208c3 fix 2026-05-30 23:33:23 +02:00
soraefir 00990b49e4 fix? 2026-05-30 23:26:50 +02:00
soraefir b13ead5290 fix 2026-05-30 23:24:23 +02:00
soraefir 1a57074033 fix 2026-05-30 23:09:25 +02:00
soraefir 2c6ce74437 WIP 2026-05-30 22:52:19 +02:00
soraefir 45ec8896f8 fix 2026-05-30 22:48:44 +02:00
soraefir 5d6a419a90 typo 2026-05-30 22:47:41 +02:00
soraefir 7cbfecb5f5 homepage cfg 2026-05-30 22:46:26 +02:00
soraefir 7657f711b5 typo 2026-05-30 18:18:17 +02:00
soraefir 1b78eee17e Allowed Hosts Homepage 2026-05-30 18:15:57 +02:00
soraefir 97e1c456d4 Follow main nixpkgs 2026-05-30 18:09:31 +02:00
soraefir 509f55db30 fix build 2026-05-30 18:03:38 +02:00
soraefir 4217227070 Update Cfg and add proxy/wsl 2026-05-30 17:48:18 +02:00
soraefir d9e7775afc fix internal 2026-05-22 01:04:33 +02:00
soraefir 424f12f5f7 test 2026-05-22 00:59:46 +02:00
soraefir 7ca8362d39 auth token 2026-05-22 00:53:29 +02:00
soraefir f54977fe42 perm 2026-05-22 00:48:05 +02:00
soraefir 1b05194939 openport 2026-05-22 00:42:42 +02:00
soraefir 4e31a9f54a stable db 2026-05-22 00:33:52 +02:00
soraefir 7cd78511e7 influx port 2026-05-22 00:33:05 +02:00
soraefir 88d100dd77 update influx 2026-05-22 00:25:59 +02:00
soraefir 775e3e93bb tmpfs 2026-05-22 00:17:12 +02:00
soraefir bfec529d88 lock update 2026-05-22 00:00:59 +02:00
soraefir 2afcbf6d99 fix metrum 2026-05-21 23:55:42 +02:00
soraefir 2cd45ef7de influx secret 2026-05-21 23:43:02 +02:00
soraefir 4d743836ca add influx, disable gitea login proxy 2026-05-21 23:39:36 +02:00
soraefir 9a6dda390b FIX 2026-05-21 22:17:36 +02:00
soraefir dcd998830c more openhab features 2026-05-21 22:15:47 +02:00
soraefir 57bcf4d33c openhab setup 2026-05-21 03:18:36 +02:00
soraefir 7cc516a0be fix auth midleware 2026-05-21 02:28:42 +02:00
soraefir 37143eff2d openhab 2026-05-21 02:16:30 +02:00
soraefir c3edd3c9fa setup 2026-05-21 02:15:48 +02:00
soraefir 775b0b4823 Radarr Naming 2026-05-21 02:14:33 +02:00
soraefir ce0797b73b disable openhab 2026-05-21 02:08:58 +02:00
soraefir a8bbbdc518 fix? 2026-05-21 02:06:43 +02:00
soraefir 742760afa7 fix openhab 2026-05-21 02:00:42 +02:00
soraefir 8b9187b17a Fix stuff 2026-05-21 01:56:13 +02:00
soraefir 8d50d4ecaf Add Radarr setup 2026-05-21 01:51:07 +02:00
soraefir 7ee341ee06 flip size 2026-05-21 01:43:12 +02:00
soraefir 5288f83c2e Fix 2026-05-21 01:39:16 +02:00
soraefir dd70ef6499 Remove linebreak 2026-05-21 01:23:47 +02:00
soraefir beaed878f8 Fix rm 2026-05-21 01:18:32 +02:00
soraefir 09ca162eed Fix 2026-05-21 01:14:46 +02:00
soraefir 4f5e6f210d Fix 2026-05-21 01:10:32 +02:00
soraefir 4a61f43eb9 fix 2026-05-21 01:09:52 +02:00
soraefir a257a3153d Setup Script 2026-05-21 01:08:59 +02:00
soraefir 7da9acfcdc fix 2026-05-21 00:24:57 +02:00
soraefir f838eb9850 fix 2026-05-21 00:23:01 +02:00
soraefir 302f9ae51b fix 2026-05-21 00:20:42 +02:00
soraefir 90b5828663 Add indexers 2026-05-21 00:16:37 +02:00
soraefir 1d9c5cdcd2 fix setup 2026-05-20 22:57:29 +02:00
soraefir b59eecd26a add stuff 2026-05-20 20:43:06 +02:00
soraefir 6f8c8c92f1 fix 2026-05-20 20:05:52 +02:00
soraefir f24102d752 fix url 2026-05-20 19:39:11 +02:00
soraefir 23147ca625 disable for testing 2026-05-20 19:29:18 +02:00
soraefir 40cf001ffa update servarr setup 2026-05-20 19:21:41 +02:00
soraefir 46fae29477 wip 2026-05-20 19:04:51 +02:00
soraefir deea98b2de url envar 2026-05-20 18:45:43 +02:00
soraefir b7aa160baa new stuff 2026-05-20 18:39:11 +02:00
soraefir b91e9cacfd temp 2026-05-20 01:06:30 +02:00
soraefir 46b6b4db4f root 2026-05-20 00:56:23 +02:00
soraefir 5dcb3a7d4a add usr 2026-05-20 00:48:40 +02:00
soraefir 43780f80aa fix 2026-05-20 00:43:56 +02:00
soraefir 23cd521445 test 2026-05-20 00:36:30 +02:00
soraefir 51b6d88c64 test 2026-05-20 00:24:37 +02:00
soraefir bc9b06f3ae fix 2026-05-20 00:06:38 +02:00
soraefir 220aee72ef key length 2026-05-20 00:03:23 +02:00
soraefir 5dac3d02ce root user 2026-05-19 23:58:38 +02:00
soraefir 58825913e0 fixed 2026-05-19 23:56:45 +02:00
soraefir 20103fe83c arr secrets 2026-05-19 23:48:24 +02:00
soraefir 271502f1c9 temp 2026-05-19 23:46:10 +02:00
soraefir 33da5d9f1b enable arr 2026-05-19 23:14:38 +02:00
soraefir 771e6029b6 fix subpath 2026-05-19 22:32:18 +02:00
soraefir 2cf5dcedbd alt path (as we need rpc) 2026-05-19 22:29:33 +02:00
soraefir f27ec01b2f fix 2026-05-19 22:14:40 +02:00
soraefir 9b6359fe86 fix 2026-05-19 22:13:52 +02:00
soraefir 31b23ae4a6 fix 2026-05-19 22:13:05 +02:00
soraefir af36497035 wip 2026-05-19 22:10:22 +02:00
soraefir 3f57b606a0 subpath 2026-05-18 23:17:33 +02:00
soraefir f6498b3177 fixes 2026-05-18 21:50:52 +02:00
soraefir 44d9ae0faf add hass & handbrake 2026-05-18 21:30:32 +02:00
soraefir d5cedb017e fix 2026-05-17 21:52:26 +02:00
soraefir 3e3a108707 Add settings for transmission 2026-05-17 21:38:46 +02:00
soraefir 2b555b1a78 fix 2026-05-17 21:21:51 +02:00
soraefir 04ac376ea9 fix whitelist 2026-05-17 09:43:00 +02:00
soraefir b20763fa86 whitelist fix 2026-05-17 09:40:13 +02:00
soraefir de92ad0f12 fix whitelist 2026-05-17 09:37:48 +02:00
soraefir c3b2468ff3 cleanup and whitelist 2026-05-17 09:30:19 +02:00
soraefir 6ed1514f31 fix invidious companion 2026-05-17 09:07:50 +02:00
soraefir 94a27bb403 fix ssl ? 2026-05-15 16:37:40 +02:00
soraefir 1d656dc4ae add db creation 2026-05-15 16:31:14 +02:00
soraefir b3014bce85 Fix keys 2026-05-15 16:26:27 +02:00
soraefir ef845edd12 typo 2026-05-15 16:22:52 +02:00
soraefir c456e4cad8 Fix env config path 2026-05-15 16:19:18 +02:00
soraefir 39b12966f1 Login rule 2026-05-15 16:06:25 +02:00
soraefir cbef43ae83 missing end 2026-05-15 16:03:34 +02:00
soraefir 765f18d5a0 Add missing func 2026-05-15 16:02:31 +02:00
soraefir 76302840d0 fix typos 2026-05-15 15:59:52 +02:00
soraefir e02aca85bd fix cr code 2026-05-15 15:55:17 +02:00
soraefir 0378ce7dff fix cr code 2026-05-15 15:51:34 +02:00
soraefir 0fd8286331 type fix 2026-05-15 15:47:30 +02:00
soraefir e4aac05b6a fix 2026-05-15 15:44:50 +02:00
soraefir fd7b95e12e Fix 2026-05-15 15:42:49 +02:00
soraefir a94e8beb37 Fix invidious env 2026-05-15 15:41:37 +02:00
soraefir 3e05dfbc07 Override login page 2026-05-15 14:51:32 +02:00
soraefir a94574a53d wip 2026-05-15 13:51:23 +02:00
soraefir 03bec133ba fix 2026-05-15 02:46:04 +02:00
soraefir b6de2d2ccf fix scope 2026-05-15 02:39:27 +02:00
soraefir 334a484ad4 fix scope 2026-05-15 02:35:00 +02:00
soraefir 11f7e95d95 Authentik immich 2026-05-15 02:26:48 +02:00
soraefir 24a0fb6a93 disable IMMICH_IGNORE_MOUNT_CHECK_ERRORS 2026-05-15 02:15:05 +02:00
soraefir 892e271719 Fix typo 2026-05-15 02:12:49 +02:00
soraefir 8769b6da9d Fix immich setup 2026-05-15 02:12:14 +02:00
soraefir 00bdef4307 Fix 2026-05-15 01:31:57 +02:00
soraefir 6ed72c00ff mkdir missings 2026-05-15 01:22:43 +02:00
soraefir 6d5cd82e72 fix 2026-05-15 01:15:59 +02:00
soraefir 3e921ef2ab fix setup 2026-05-15 01:10:34 +02:00
soraefir 09cc16bc40 fix 2026-05-15 00:59:20 +02:00
soraefir 425722e2c6 Disable Setup 2026-05-15 00:55:53 +02:00
soraefir 0fb6aa0047 Fix env 2026-05-15 00:45:59 +02:00
soraefir 07283e1f26 Fix temp 2026-05-15 00:41:21 +02:00
soraefir 362afd3d4e temp override 2026-05-15 00:40:14 +02:00
soraefir 1154cbb3bd Fix dirs 2026-05-15 00:33:48 +02:00
soraefir 25c7823f38 add vchord 2026-05-15 00:26:32 +02:00
soraefir d57fb32f67 Add missing extensions 2026-05-15 00:22:56 +02:00
soraefir 08a7ed2469 fix user 2026-05-15 00:15:40 +02:00
soraefir 45e375168e db setup immich 2026-05-15 00:12:30 +02:00
soraefir 56252474d9 add vector to dbs 2026-05-15 00:04:02 +02:00
soraefir 0ee26c817c add vector pgsql 2026-05-14 23:51:31 +02:00
soraefir 51bd495981 Fix immich 2026-05-14 23:34:32 +02:00
soraefir d9a59e9593 fix image 2026-05-14 23:20:41 +02:00
soraefir 8557df0199 fix image 2026-05-14 23:14:12 +02:00
soraefir 84d9b0ade0 immich db setup 2026-05-14 23:12:56 +02:00
soraefir 7e3d86e37e Simplify 2026-05-14 23:10:11 +02:00
soraefir f5c16775c4 sops immich 2026-05-14 23:07:38 +02:00
soraefir 83dec697d1 cleanup 2026-05-14 23:05:27 +02:00
soraefir dd47977cbd ldap default app 2026-05-14 22:53:12 +02:00
soraefir 601999180b Fix token 2026-05-14 21:30:11 +02:00
soraefir 97004b4b75 Fix ldap 2026-05-14 21:11:19 +02:00
soraefir d15895d8e3 fix ldap role 2026-05-14 20:59:07 +02:00
soraefir 983c19eaa5 Fix 2026-05-14 20:54:43 +02:00
soraefir 4e7a348461 Fix ldap 2026-05-14 20:41:28 +02:00
soraefir 4ccb941766 Fix 2026-05-14 20:31:14 +02:00
soraefir e19fe6a973 remove usuported blueprint 2026-05-14 20:27:24 +02:00
soraefir d9e07543ba fix ldap authentik 2026-05-14 20:19:25 +02:00
soraefir 5d4aaeb49f Fix escaping 2026-05-14 17:51:30 +02:00
soraefir 14540f043d fix script errors 2026-05-14 17:40:57 +02:00
soraefir 2c29f8a41b grep fix 2026-05-14 17:33:45 +02:00
soraefir cd994d6359 check installed plugins 2026-05-14 17:32:48 +02:00
soraefir a1da14f9fb Fix script health check 2026-05-14 17:27:04 +02:00
soraefir 143ea35dc1 Ldap setup jellyfin 2026-05-14 17:18:39 +02:00
soraefir c23ad28f85 fix 2026-05-14 16:34:59 +02:00
soraefir c60123ca3c fix 2026-05-14 16:29:30 +02:00
soraefir c069079a3a fix setup gitea 2026-05-14 16:01:52 +02:00
soraefir e777a56816 fix ldap 2026-05-14 15:57:01 +02:00
soraefir 9933d12183 Fix ldap password 2026-05-14 15:46:51 +02:00
soraefir 2e6c044b89 Ldap WIP 2026-05-14 15:43:52 +02:00
soraefir 252373f956 Fix 2026-05-14 14:46:55 +02:00
soraefir 511837f0a5 Fix JQ 2026-05-14 14:45:11 +02:00
soraefir 2882889eae Add LDAP 2026-05-14 14:43:59 +02:00
soraefir c174fe20ae Fix script 2026-05-14 14:34:39 +02:00
soraefir 31a972d55b Fix 2026-05-14 13:37:41 +02:00
soraefir 9de6cedf33 Jellyfin nss 2026-05-14 13:00:30 +02:00
soraefir f80107efab nss 2026-05-14 12:32:10 +02:00
soraefir ea21907e5d add nss 2026-05-14 11:52:38 +02:00
soraefir d86c3b76b5 perms 2026-05-14 01:35:26 +02:00
soraefir 66e878b902 user 2026-05-14 01:25:44 +02:00
soraefir 6a3327386f home&script 2026-05-14 00:59:26 +02:00
soraefir 860955f555 fix curl 2026-05-14 00:33:01 +02:00
soraefir f5fd711636 fix ssl 2026-05-14 00:26:20 +02:00
soraefir 677c9bc7d4 fixes 2026-05-14 00:21:53 +02:00
soraefir 2cb8d6c24e test 2026-05-14 00:12:18 +02:00
soraefir 3b4e7d07a4 jellyfin setup script 2026-05-14 00:10:38 +02:00
soraefir 8ecef91c92 Authentik apps 2026-05-13 23:27:09 +02:00
soraefir 95c1bb126e typo 2026-05-13 22:48:10 +02:00
soraefir de18ad8127 Try secure 2026-05-13 22:45:44 +02:00
soraefir 8e57822c10 Fix host 2026-05-13 22:45:28 +02:00
soraefir f2883aa33d Fix ldap env 2026-05-13 22:43:17 +02:00
soraefir 7bd5ceacd9 fix name 2026-05-13 22:33:28 +02:00
soraefir e940bd0ec1 Fix ldap 2026-05-13 22:28:55 +02:00
soraefir 44813226c2 ldap insecure 2026-05-13 22:26:34 +02:00
soraefir 7381a17f87 fix ldap 2026-05-13 22:26:18 +02:00
soraefir 19cec13a43 fix authentik token 2026-05-13 22:23:26 +02:00
soraefir 9117530393 Fix authentik 2026-05-13 22:18:16 +02:00
soraefir 868ba53208 move traefik rule 2026-05-13 22:00:34 +02:00
soraefir f7c55f3a5a Fix Authentik LDAP 2026-05-13 21:48:57 +02:00
sora-ext 7cfd1bb245 Update modules/server/sops/example.server.yaml 2026-05-13 17:32:12 +02:00
sora-ext 85a6517609 Add modules/server/containers/data/authentik/ldap.yaml 2026-05-13 17:31:46 +02:00
sora-ext d55756f8f8 Update modules/server/containers/apps/servarr.nix 2026-05-13 17:31:29 +02:00
sora-ext 18beb41cd8 Update modules/server/containers/apps/jellyfin.nix 2026-05-13 17:31:19 +02:00
sora-ext 78f01cf111 Update modules/server/containers/apps/invidious.nix 2026-05-13 17:31:07 +02:00
sora-ext c582d89715 Add modules/server/containers/apps/influx.nix 2026-05-13 17:30:57 +02:00
sora-ext 4270b15f9d Update modules/server/containers/apps/immich.nix 2026-05-13 17:30:43 +02:00
sora-ext a62bc660c5 Update modules/server/containers/apps/homeassistant.nix 2026-05-13 17:30:33 +02:00
sora-ext 973fd78c1b Update modules/server/containers/apps/frigate.nix 2026-05-13 17:30:24 +02:00
sora-ext 7e62883e66 Update modules/server/containers/apps/authentik.nix 2026-05-13 17:30:10 +02:00
sora-ext feccc2c3e0 Update modules/server/containers/apps/.template.nix 2026-05-13 17:30:00 +02:00
sora-ext 0b02de0957 Update modules/server/containers/default.nix 2026-05-13 17:29:49 +02:00
sora-ext 721838df2b Update modules/server/containers/builder.nix 2026-05-13 17:29:33 +02:00
soraefir 8c800ad0d3 Jellyfin LDAP 2026-05-13 01:56:45 +02:00
soraefir f7af832d8e fix jellyfin media path 2026-05-13 01:31:15 +02:00
soraefir 6ddf4a07cc fix umami db 2026-05-13 01:00:14 +02:00
soraefir 0df674647c sops 2026-05-13 00:50:22 +02:00
soraefir 7bead6b3ac fix umami 2026-05-13 00:41:36 +02:00
soraefir f0befa87be test 2026-05-12 22:52:25 +02:00
soraefir 6d665ee59c add sops to servarr 2026-05-12 21:28:24 +02:00
soraefir befe46c085 sops 2026-05-12 21:26:46 +02:00
soraefir ba6d057600 Fix 2026-05-12 21:26:07 +02:00
soraefir db5230bd69 typo 2026-05-12 21:25:01 +02:00
soraefir e1a80bb7ce Add new modules 2026-05-12 21:24:02 +02:00
sora-ext 7d95ba04a9 Add modules/shared/syscfg/user.nix 2026-05-12 18:02:13 +02:00
sora-ext 9169205357 Add modules/shared/syscfg/make.nix 2026-05-12 18:02:01 +02:00
sora-ext 74721f6b09 Add modules/shared/syscfg/net.nix 2026-05-12 18:01:52 +02:00
sora-ext 668c0107f9 Add modules/shared/syscfg/server.nix 2026-05-12 18:01:44 +02:00
sora-ext 331291c54d Update modules/shared/syscfg/default.nix 2026-05-12 18:01:33 +02:00
sora-ext d10f53e485 Add modules/server/containers/apps/immich.nix 2026-05-12 17:47:01 +02:00
sora-ext 82aea8268f Update modules/shared/syscfg/default.nix 2026-05-12 17:46:23 +02:00
sora-ext 050eaedca2 Update modules/server/sops/example.server.yaml 2026-05-12 17:46:11 +02:00
sora-ext be9cb270aa Update modules/server/sops/default.nix 2026-05-12 17:45:59 +02:00
sora-ext a5e0e96b52 Update modules/server/database/default.nix 2026-05-12 17:45:49 +02:00
sora-ext 4366232f18 Update modules/server/containers/apps/umami.nix 2026-05-12 17:45:34 +02:00
sora-ext 4398b1d888 Update modules/server/containers/apps/transmission.nix 2026-05-12 17:45:25 +02:00
sora-ext c4b5c47aa4 Update modules/server/containers/apps/traefik.nix 2026-05-12 17:45:16 +02:00
sora-ext ff64e6c231 Update modules/server/containers/apps/servarr.nix 2026-05-12 17:45:07 +02:00
sora-ext e7d656141a Update modules/server/containers/apps/searxng.nix 2026-05-12 17:44:59 +02:00
sora-ext cf3c2428fb Update modules/server/containers/apps/nextcloud.nix 2026-05-12 17:44:50 +02:00
sora-ext a2dc050b1c Update modules/server/containers/apps/jellyfin.nix 2026-05-12 17:44:41 +02:00
sora-ext 8bf332caf2 Update modules/server/containers/apps/gitea.nix 2026-05-12 17:44:25 +02:00
sora-ext 20d3786547 Update modules/server/containers/apps/etherpad.nix 2026-05-12 17:44:18 +02:00
sora-ext 79422c180a Update modules/server/containers/apps/ethercalc.nix 2026-05-12 17:44:11 +02:00
sora-ext 65fc9c6df2 Update modules/server/containers/apps/collabora.nix 2026-05-12 17:44:03 +02:00
sora-ext a59cbd13a3 Update modules/server/containers/apps/authentik.nix 2026-05-12 17:43:55 +02:00
sora-ext 5f04ef7ae5 Update modules/server/containers/apps/.todo.md 2026-05-12 17:43:48 +02:00
sora-ext 0aff508cda Add modules/server/containers/apps/.template.nix 2026-05-12 17:43:40 +02:00
sora-ext 30df106b94 Update modules/server/containers/default.nix 2026-05-12 17:43:28 +02:00
sora-ext 3abdb6d637 Update modules/server/containers/builder.nix 2026-05-12 17:43:18 +02:00
soraefir cd4c727255 gitea runner 2026-05-12 01:06:14 +02:00
soraefir 26cb095014 Fix 2026-05-12 00:55:55 +02:00
soraefir 2a9113e07d fix calc 2026-05-12 00:50:25 +02:00
soraefir 42a170283d add sops 2026-05-12 00:45:07 +02:00
soraefir 3d4cdaf6e9 new stuff 2026-05-12 00:42:09 +02:00
soraefir 21d959b592 fix script admin 2026-05-11 23:00:07 +02:00
soraefir 0895d67489 fix gitea script 2026-05-11 22:57:43 +02:00
soraefir 86f1fc116c Fix gitea script 2026-05-11 22:55:03 +02:00
soraefir b82033f857 gitea adminify 2026-05-11 22:45:34 +02:00
soraefir fbe8399886 Fix 2026-05-11 22:11:26 +02:00
soraefir 036f1117be fix mkdir 2026-05-11 22:05:38 +02:00
soraefir b3eb1de9e6 fix 2026-05-11 22:02:16 +02:00
soraefir 91c2928a56 Fix 2026-05-11 21:53:49 +02:00
soraefir 89ffc75db2 Fix sops APIKEY 2026-05-11 21:49:20 +02:00
soraefir 63fc0bde6e Fix port 2026-05-11 21:29:16 +02:00
soraefir bc765ea0c6 Fix cloud port 2026-05-11 20:35:14 +02:00
soraefir df236d4ec7 sh 2026-05-11 20:18:14 +02:00
soraefir 2f24725df4 add sh 2026-05-11 20:16:37 +02:00
soraefir 4708753085 Gitea 2026-05-11 19:22:06 +02:00
soraefir 370416edba Fix sops 2026-05-11 19:04:16 +02:00
soraefir ee1dec3d44 rm port 2026-05-11 18:50:36 +02:00
sora-ext b748db9550 Add modules/server/containers/apps/.todo.md 2026-05-11 18:47:46 +02:00
sora-ext 78381d15ff Update modules/server/containers/apps/authentik.nix 2026-05-11 18:47:46 +02:00
sora-ext 037d75af2a Update modules/server/containers/apps/collabora.nix 2026-05-11 18:47:46 +02:00
sora-ext 9e9338d136 Add modules/server/containers/apps/ethercalc.nix 2026-05-11 18:47:46 +02:00
sora-ext cd19d8ac06 Update modules/server/containers/apps/etherpad.nix 2026-05-11 18:47:46 +02:00
sora-ext 6dda5f6bd5 Add modules/server/containers/apps/frigate.nix 2026-05-11 18:47:46 +02:00
sora-ext 836b890fab Add modules/server/containers/apps/gitea.nix 2026-05-11 18:47:46 +02:00
sora-ext 40ed44aa52 Add modules/server/containers/apps/handbrake.nix 2026-05-11 18:47:46 +02:00
sora-ext 2fcbf6adb3 Add modules/server/containers/apps/homeassistant.nix 2026-05-11 18:47:46 +02:00
sora-ext f3fbf159b4 Add modules/server/containers/apps/invidious.nix 2026-05-11 18:47:46 +02:00
sora-ext f3b8feb50d Update modules/server/containers/apps/nextcloud.nix 2026-05-11 18:47:46 +02:00
sora-ext f6f51597cd Add modules/server/containers/apps/jellyfin.nix 2026-05-11 18:47:46 +02:00
sora-ext 5c7b5fcbfe Add modules/server/containers/apps/searxng.nix 2026-05-11 18:47:46 +02:00
sora-ext 07b6868d27 Add modules/server/containers/apps/servarr.nix 2026-05-11 18:47:46 +02:00
sora-ext 870b13ef36 Update modules/server/containers/apps/traefik.nix 2026-05-11 18:47:46 +02:00
sora-ext 4b8c8bdc51 Add modules/server/containers/apps/transmission.nix 2026-05-11 18:47:46 +02:00
sora-ext c24628b574 Add modules/server/containers/apps/trmnl.nix 2026-05-11 18:47:46 +02:00
sora-ext c1fb77a89f Add modules/server/containers/apps/umami.nix 2026-05-11 18:47:46 +02:00
sora-ext 94012aa44c Update modules/shared/sops/default.nix 2026-05-11 18:47:46 +02:00
sora-ext 5ff282e65c Update modules/shared/syscfg/default.nix 2026-05-11 18:47:46 +02:00
Renovate Bot 0bedb71d07 Lock file maintenance 2026-05-11 18:47:46 +02:00
Renovate Bot 47cbbc56cb Lock file maintenance 2026-05-11 18:47:46 +02:00
sora e116efd45c Update modules/server/containers/apps/etherpad.nix 2026-05-11 03:03:52 +02:00
soraefir ff498d15a3 fix 2026-05-11 02:51:27 +02:00
soraefir 90c596270f Fix 2026-05-11 02:49:57 +02:00
soraefir 458a9091d4 fix 2026-05-11 02:32:08 +02:00
soraefir 123d18d1e8 fix 2026-05-11 02:29:11 +02:00
soraefir f05f7b0147 fix 2026-05-11 02:23:54 +02:00
soraefir a41390dcee Fix key 2026-05-11 02:19:31 +02:00
soraefir 29478e2aed Fix api 2026-05-11 02:11:15 +02:00
soraefir 82b422883e Fix api 2026-05-11 01:56:11 +02:00
soraefir 4151e50a42 fix 2026-05-11 01:36:08 +02:00
soraefir 5afaf859b9 fix 2026-05-11 00:55:20 +02:00
soraefir 0cd20319fe fix script 2026-05-11 00:54:02 +02:00
soraefir 468cd34fca fix 2026-05-11 00:46:52 +02:00
soraefir 882d36ff83 typo 2026-05-11 00:45:43 +02:00
soraefir dc2682c829 fix 2026-05-11 00:44:26 +02:00
soraefir f354a99d56 test new setup script 2026-05-11 00:42:34 +02:00
soraefir bf1fbea959 chmod and fix 2026-05-11 00:38:02 +02:00
soraefir 31addeda66 Opt dir 2026-05-11 00:33:38 +02:00
soraefir d0ca9761d7 fix 2026-05-11 00:24:31 +02:00
soraefir bbbb5831a8 etherpad api 2026-05-11 00:15:54 +02:00
soraefir 46f4b5288b Admin 2026-05-10 22:39:33 +02:00
soraefir 8293df4974 Fix 2026-05-10 22:36:43 +02:00
soraefir 08866273cc fix 2026-05-10 22:31:31 +02:00
soraefir e2772e51d9 Fix group 2026-05-10 22:27:29 +02:00
soraefir 6bf856b702 WIP 2026-05-10 22:21:02 +02:00
soraefir 93199b4359 tmp fix 2026-05-10 22:11:53 +02:00
soraefir d3ffacf4ca Fix admin 2026-05-10 22:08:03 +02:00
soraefir ac0e28b5ab fix authentic flow 2026-05-10 22:02:11 +02:00
soraefir e76f53d887 test template 2026-05-10 21:47:49 +02:00
soraefir f67e142f53 fix envfile 2026-05-10 21:43:48 +02:00
soraefir 8165bf6935 Add force exec 2026-05-10 21:40:49 +02:00
soraefir 09539b5866 Add user setup script 2026-05-10 21:39:12 +02:00
soraefir 1b2a724a26 Fix idp & co, add base ak setup 2026-05-10 20:42:19 +02:00
soraefir e6e6e4af49 Fix saml url 2026-05-10 19:56:05 +02:00
soraefir e999a5bf2c Fix 2026-05-10 19:49:32 +02:00
soraefir a57818e37e Fix db 2026-05-10 19:43:19 +02:00
soraefir 0e61b2fad4 saml name 2026-05-10 19:41:58 +02:00
soraefir 9016657699 import cert 2026-05-10 19:34:46 +02:00
soraefir 5462434558 Fix 2026-05-10 19:19:15 +02:00
soraefir aa36fa812c Foix blueprint 2026-05-10 19:14:37 +02:00
soraefir f5f28968c6 test blueprint fix 2026-05-10 18:58:13 +02:00
soraefir 4c2ef6e264 Fix blueprints 2026-05-10 18:51:58 +02:00
soraefir fa808f3eb2 Fix nix mkdata 2026-05-10 18:44:58 +02:00
soraefir 7bc9ae1f2d Fix mkData 2026-05-10 18:42:03 +02:00
soraefir e53be27e96 Fix 2026-05-10 18:36:20 +02:00
soraefir 88ab6e2007 typo 2026-05-10 18:34:23 +02:00
soraefir 864e698272 fix 2026-05-10 18:33:22 +02:00
soraefir 8961706503 fix 2026-05-10 18:31:56 +02:00
soraefir c637fea0d0 Add authentik blueprints 2026-05-10 18:29:53 +02:00
soraefir 9813e7d49a Longer timeout 2026-05-10 12:29:46 +02:00
soraefir ea6db4b9bf fix 2026-05-10 12:26:34 +02:00
soraefir 2eff0969e0 fix 2026-05-10 12:21:46 +02:00
soraefir cf5648122d fix 2026-05-10 12:21:01 +02:00
soraefir b10e7a5a93 fix 2026-05-10 12:04:03 +02:00
soraefir 882a43b705 cfg 2026-05-10 12:03:05 +02:00
soraefir e9868a2513 fix 2026-05-10 12:02:02 +02:00
soraefir 43a0f903b0 Fix 2026-05-10 12:01:28 +02:00
soraefir 1b76ec20b4 fix 2026-05-10 11:59:37 +02:00
soraefir 6a7fcf6152 fix 2026-05-10 11:58:29 +02:00
soraefir b6bc6dd138 dbg 2026-05-10 11:57:59 +02:00
soraefir 90f8387192 tmp ignore 2026-05-10 11:56:13 +02:00
soraefir 25604d6c14 test 2026-05-10 11:55:53 +02:00
soraefir 51d60de5c0 fix 2026-05-10 11:54:37 +02:00
soraefir 5e8cd65785 fix 2026-05-10 11:52:32 +02:00
soraefir fa5845808b fix 2026-05-10 11:50:34 +02:00
soraefir 28c17d9bb6 colors 2026-05-10 11:49:18 +02:00
soraefir 89d2f9a48e typo2 2026-05-10 11:42:53 +02:00
soraefir e58d323ea0 typo 2026-05-10 11:41:59 +02:00
soraefir 7465b6b24c script omprovement 2026-05-10 11:38:19 +02:00
soraefir 59c6b68501 Add cron 2026-05-09 19:40:22 +02:00
soraefir 9273387170 Script improvements 2026-05-09 19:35:05 +02:00
soraefir 55a08673f0 fix caldav 2026-05-09 19:25:06 +02:00
soraefir 5dbb95603d silence script verbosity 2026-05-09 19:20:35 +02:00
soraefir d60f8dd56f improve script 2026-05-09 19:18:27 +02:00
soraefir 7d35cb319f Fix 2026-05-09 19:12:36 +02:00
soraefir 8d4caac83b group for nextcloud 2026-05-09 18:47:38 +02:00
soraefir ad2b492b51 Fix service 2026-05-09 18:42:22 +02:00
soraefir 4b68accf2f fix nextcloud 2026-05-09 17:52:39 +02:00
soraefir 0d9c8a2974 fix 2026-05-09 17:51:06 +02:00
soraefir 63d2dddd1e setup scripts 2026-05-09 17:50:23 +02:00
soraefir 55d678df19 bump nextcloud 2026-05-09 13:33:56 +02:00
soraefir 88a4ab069e registries 2026-05-09 13:28:48 +02:00
soraefir c54ed4a712 Admin user 2026-05-09 12:54:13 +02:00
soraefir 3db4517a3b temps 2026-05-09 12:43:16 +02:00
soraefir f3dfe561ad add plugin 2026-05-09 12:38:04 +02:00
soraefir b58da2b2e1 port fix 2026-05-09 12:12:42 +02:00
soraefir 28fa63919f Fix env 2026-05-09 12:09:27 +02:00
soraefir cb7e29bfe0 container settings 2026-05-09 11:58:38 +02:00
soraefir ea58be6fdc fix typo 2026-05-09 11:57:21 +02:00
soraefir da51e61c05 escape 2026-05-09 11:56:42 +02:00
soraefir 1ca61b70d2 fix env 2026-05-09 11:53:29 +02:00
soraefir eafafe876f postgres 2026-05-09 11:03:58 +02:00
soraefir 21adca1fbc tmp perm 2026-05-09 10:50:25 +02:00
soraefir 57efc58bc2 Fix user etherpad 2026-05-09 10:46:04 +02:00
soraefir cd5deea849 etherpad 2026-05-09 10:45:16 +02:00
soraefir 9f5f8751e5 fix ddos 2026-05-09 10:32:18 +02:00
soraefir f02adc6d93 fix 2026-05-09 10:24:13 +02:00
soraefir b2f6d8cc9e Fix 2026-05-09 10:19:21 +02:00
soraefir c18ac097fa test 2026-05-09 10:17:27 +02:00
soraefir 1fc9017e7e fix 2026-05-09 10:12:01 +02:00
soraefir 8ff90e54b8 fix 2026-05-09 10:11:21 +02:00
soraefir fba3a24f16 custom image 2026-05-09 10:09:51 +02:00
soraefir fcb97828f4 test custom img 2026-05-09 10:04:47 +02:00
soraefir e04382742f cleanup traefik 2026-05-09 10:03:09 +02:00
soraefir 48b40d819b fix typo 2026-05-09 09:56:28 +02:00
soraefir 8b75968f11 fix tls 2026-05-09 09:55:30 +02:00
soraefir dda8409329 cert 2026-05-09 09:46:18 +02:00
soraefir 9a0b5171b1 fix dns 2026-05-09 09:42:33 +02:00
soraefir 9abb5b2f26 logs 2026-05-09 09:35:41 +02:00
soraefir 8362599b54 traefik 2026-05-09 09:34:07 +02:00
soraefir c1b9c12281 fix 2026-05-09 09:26:40 +02:00
soraefir e4dcb0bd39 api port 2026-05-09 00:20:27 +02:00
soraefir a31991c507 typo 2026-05-08 23:58:53 +02:00
soraefir e1651cba2a traefik docker 2026-05-08 23:57:19 +02:00
soraefir bb5ecbba73 acme 2026-05-08 23:54:20 +02:00
soraefir 0c79617647 test acme 2026-05-08 23:48:37 +02:00
soraefir a3bc8b80c5 fix acme 2026-05-08 23:39:48 +02:00
soraefir 55fcf8b71a fix 2026-05-08 23:32:25 +02:00
soraefir 5aabd9acce Fix 2026-05-08 23:31:56 +02:00
soraefir e652c12bf2 fix traefik 2026-05-08 23:30:04 +02:00
soraefir 4c684cf9b1 Fix portfw traefik 2026-05-08 23:18:43 +02:00
soraefir 0c60bbbaa8 rm deprecated 2026-05-08 23:14:51 +02:00
soraefir 097334b483 fix statfs 2026-05-08 23:10:52 +02:00
soraefir bfd099d201 container registry 2026-05-08 23:05:25 +02:00
soraefir 1fe6e43046 sops 2026-05-08 22:56:05 +02:00
soraefir 23b8ad480e fix subdomain 2026-05-08 22:55:21 +02:00
soraefir 3d1fc2a2c9 traefik 2026-05-08 22:53:41 +02:00
soraefir aacca16eb2 fix tmpfs 2026-05-08 21:05:08 +02:00
soraefir 5de459c347 fix nulls 2026-05-08 21:01:46 +02:00
soraefir d898116ff4 fix nulls 2026-05-08 20:59:40 +02:00
soraefir e2b688c836 fix sops 2026-05-08 20:54:54 +02:00
soraefir b5d57bf9c8 test 2026-05-08 20:52:08 +02:00
soraefir 236f9dbdc3 Sops 2026-05-08 20:50:13 +02:00
soraefir 9696ca9a6d ipfw 2026-05-08 20:47:00 +02:00
soraefir df523c48e5 rename and fix 2026-05-08 20:46:23 +02:00
soraefir 4d398d5596 sops 2026-05-08 20:36:26 +02:00
soraefir 5045291097 sops 2026-05-08 20:35:43 +02:00
soraefir 2dc1632a40 sops 2026-05-08 20:32:37 +02:00
soraefir 744a2b8563 Secrets 2026-05-08 20:31:12 +02:00
soraefir b722d349af fix cloud 2026-05-08 20:28:22 +02:00
soraefir 7438905618 WIP 2026-05-08 20:25:51 +02:00
soraefir 908c144c73 add cloud 2026-05-08 20:25:14 +02:00
soraefir 6d353df19f fix collabora 2026-05-08 20:23:40 +02:00
soraefir 7194d91b1c WIP 2026-05-08 20:22:04 +02:00
soraefir d3c301db36 Fix 2026-05-08 02:52:56 +02:00
soraefir 135d48d78c test 2026-05-08 02:47:19 +02:00
soraefir d4292cd46d test 2026-05-08 02:45:33 +02:00
soraefir 4a4d3e3604 typo 2026-05-08 02:37:06 +02:00
soraefir d076538901 test 2026-05-08 02:35:32 +02:00
soraefir 8fedaf18cd firewall? 2026-05-08 02:20:28 +02:00
soraefir 4c1f9f0e78 nft 2026-05-08 02:17:10 +02:00
soraefir 1a8eb085df fix db ? 2026-05-08 02:13:44 +02:00
soraefir 8a619d9fc6 env 2026-05-08 02:00:10 +02:00
soraefir a76f920297 Fix 2026-05-08 01:58:37 +02:00
soraefir fe93cb708e accept podman traffic 2026-05-08 01:49:31 +02:00
soraefir cb29056296 Sops 2026-05-08 01:37:57 +02:00
soraefir 4bc68eeeaf more fix 2026-05-08 01:34:17 +02:00
soraefir 9cf9937cb7 wg nft 2026-05-08 01:26:53 +02:00
soraefir 593514c100 fix ssh 2026-05-08 01:21:56 +02:00
soraefir 6ad9a0b34c Env 2026-05-08 01:19:04 +02:00
soraefir 65e3568072 Db 2026-05-08 01:18:02 +02:00
soraefir c55b06cca9 fix nft 2026-05-08 01:15:56 +02:00
soraefir 40dba4b959 Fix nftable 2026-05-08 01:15:27 +02:00
soraefir bc8a9d42f9 Fix nftable 2026-05-08 01:09:51 +02:00
soraefir cd5a1aeed4 temp fix 2026-05-08 01:08:59 +02:00
soraefir 0f2081486d Wops 2026-05-08 01:08:07 +02:00
soraefir 1c022d7642 Fix secret 2026-05-08 00:53:00 +02:00
soraefir 379f6befb3 fix 2026-05-08 00:44:13 +02:00
soraefir 868d2ce116 fix 2026-05-08 00:29:12 +02:00
soraefir 94fdfa2b33 Test acme 2026-05-08 00:17:46 +02:00
soraefir a73ad174ea Fix 2026-05-08 00:14:41 +02:00
soraefir fba5a79ce6 Fix parenthesis 2026-05-08 00:12:17 +02:00
soraefir e8c9fc52fb Update 2026-05-08 00:06:21 +02:00
soraefir 8092bac6b7 nginx 2026-05-07 00:03:43 +02:00
soraefir 7d80478e83 more fixes authentik 2026-05-06 23:47:09 +02:00
soraefir 2cab462db5 Fix authentik worker 2026-05-06 23:45:21 +02:00
soraefir 0bb796fbe8 Fix cfg 2026-05-06 23:42:29 +02:00
soraefir 1f2cc94a0a Fix builder 2026-05-06 23:39:28 +02:00
soraefir 3caf507905 Fix attempt 2026-05-06 23:35:03 +02:00
soraefir 27a5566ac6 Rename file 2026-05-06 23:31:12 +02:00
soraefir b439888fa8 Fix naming 2026-05-06 23:30:08 +02:00
soraefir 093497367a container builder 2026-05-06 23:28:49 +02:00
soraefir 1c0cfd1afe change podman building 2026-05-06 22:59:11 +02:00
142 changed files with 6349 additions and 1164 deletions
+1
View File
@@ -2,3 +2,4 @@ result
age-key.txt age-key.txt
.decrypted~common.yaml .decrypted~common.yaml
.decrypted* .decrypted*
.tmp
+2 -25
View File
@@ -13,31 +13,6 @@ keys:
- &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3 - &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
creation_rules: creation_rules:
- path_regex: modules/shared/sops/private/iriy.[a-z]+
key_groups:
- age:
- *iriy
pgp:
- *sora
- path_regex: modules/shared/sops/private/avalon.[a-z]+
key_groups:
- age:
- *avalon
pgp:
- *sora
- path_regex: modules/shared/sops/private/valinor.[a-z]+
key_groups:
- age:
- *valinor
pgp:
- *sora
- path_regex: modules/shared/sops/private/asgard.[a-z]+
key_groups:
- age:
- *asgard
pgp:
- *sora
- path_regex: modules/shared/sops/common.[a-z]+ - path_regex: modules/shared/sops/common.[a-z]+
key_groups: key_groups:
- age: - age:
@@ -54,6 +29,8 @@ creation_rules:
- age: - age:
- *ci - *ci
- *sandbox - *sandbox
pgp:
- *sora
- path_regex: modules/server/sops/server.[a-z]+ - path_regex: modules/server/sops/server.[a-z]+
key_groups: key_groups:
Generated
+123 -88
View File
@@ -1,27 +1,5 @@
{ {
"nodes": { "nodes": {
"arion": {
"inputs": {
"flake-parts": "flake-parts",
"haskell-flake": "haskell-flake",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1770259557,
"narHash": "sha256-EvZ09k9+mzXAngPzU2K7oLLUDlKoT1numb4bDb3Gtl4=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "9b24cf65c72cb0e9616e437d55e1ac8e5c6bc715",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "arion",
"type": "github"
}
},
"base16-schemes": { "base16-schemes": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -45,11 +23,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775037210, "lastModified": 1779036909,
"narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=", "narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "06648f4902343228ce2de79f291dd5a58ee12146", "rev": "56c666e108467d87d13508936aade6d567f2a501",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -59,28 +37,23 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": { "flake-compat": {
"inputs": { "flake": false,
"nixpkgs-lib": [
"arion",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1769996383, "lastModified": 1767039857,
"narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
"owner": "hercules-ci", "owner": "edolstra",
"repo": "flake-parts", "repo": "flake-compat",
"rev": "57928607ea566b5db3ad13af0e57e921e6b12381", "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "hercules-ci", "owner": "edolstra",
"repo": "flake-parts", "repo": "flake-compat",
"type": "github" "type": "github"
} }
}, },
"flake-parts_2": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nur", "nur",
@@ -101,34 +74,39 @@
"type": "github" "type": "github"
} }
}, },
"hardware": { "flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": { "locked": {
"lastModified": 1776983936, "lastModified": 1681202837,
"narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "nixos", "owner": "numtide",
"repo": "nixos-hardware", "repo": "flake-utils",
"rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "numtide",
"repo": "nixos-hardware", "repo": "flake-utils",
"type": "github" "type": "github"
} }
}, },
"haskell-flake": { "hardware": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": { "locked": {
"lastModified": 1675296942, "lastModified": 1780065812,
"narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=", "narHash": "sha256-SCSLUKBmwlSLGQ8Xbr8PjRFtiHNk0l9ktqkcmqdBkfE=",
"owner": "srid", "owner": "nixos",
"repo": "haskell-flake", "repo": "nixos-hardware",
"rev": "c2cafce9d57bfca41794dc3b99c593155006c71e", "rev": "b76b5639c0593e0aeb0b5879ad62d4b30596c144",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "srid", "owner": "nixos",
"ref": "0.1.0", "repo": "nixos-hardware",
"repo": "haskell-flake",
"type": "github" "type": "github"
} }
}, },
@@ -139,16 +117,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777771528, "lastModified": 1779726825,
"narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=", "narHash": "sha256-RUkMrREjKDQrA+dA9+xZviGAxM5W1aVdyOr/bSYpHrE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51", "rev": "b179bde238977f7d4454fc770b1a727eaf55111c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.11", "ref": "release-26.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@@ -174,11 +152,11 @@
}, },
"nixUnstable": { "nixUnstable": {
"locked": { "locked": {
"lastModified": 1777641297, "lastModified": 1780030872,
"narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=", "narHash": "sha256-u6WU/yd/o8iYQrHX3RAwO1hYa3LkoSL+WNQD0rJfJZQ=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0", "rev": "e9a7635a57597d9754eccebdfc7045e6c8600e6b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -188,22 +166,40 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixos-wsl": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1777428379, "lastModified": 1780169171,
"narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=", "narHash": "sha256-3HBYDfBgZ+ph52HS6Ks/bMMwuh2uONIT72sZ1CtLE/s=",
"owner": "nixos", "owner": "nix-community",
"repo": "nixpkgs", "repo": "nixos-wsl",
"rev": "755f5aa91337890c432639c60b6064bb7fe67769", "rev": "998b2821c30b2938637230916904ceb8757c79e8",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nix-community",
"ref": "nixos-25.11", "repo": "nixos-wsl",
"repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": {
"locked": {
"lastModified": 1767892417,
"narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
"rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
"url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
}
},
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1697935651, "lastModified": 1697935651,
@@ -221,31 +217,33 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1777578337, "lastModified": 1780203844,
"narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=", "narHash": "sha256-K5sT4jTpGs15ADhviMKNBH38REpPf5Q6mM1+N6cArVE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "15f4ee454b1dce334612fa6843b3e05cf546efab", "rev": "b51242d7d43689db2f3be91bd05d5b24fbb469c4",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-unstable", "ref": "nixos-26.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nur": { "nur": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts",
"nixpkgs": "nixpkgs_2" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1777763626, "lastModified": 1780265777,
"narHash": "sha256-UFwZDbdMezNnxZwikhDR4EWiCPUiEmPXHmqLOrcG34g=", "narHash": "sha256-t/KORFHEv8Jn2vFmVfv4Zffekv+MUogI2KgtxuCcEmQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nur", "repo": "nur",
"rev": "3873764e5896bd6da6cf0df17172849ea51ac5eb", "rev": "39917b7f68263188707925ffe26c9df6ef4e7d64",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -256,15 +254,16 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"arion": "arion",
"darwin": "darwin", "darwin": "darwin",
"hardware": "hardware", "hardware": "hardware",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-colors": "nix-colors", "nix-colors": "nix-colors",
"nixUnstable": "nixUnstable", "nixUnstable": "nixUnstable",
"nixpkgs": "nixpkgs", "nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs_2",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix" "sops-nix": "sops-nix",
"vscode-server": "vscode-server"
} }
}, },
"sops-nix": { "sops-nix": {
@@ -274,11 +273,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777338324, "lastModified": 1777944972,
"narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=", "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5", "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -286,6 +285,42 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"vscode-server": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1770124655,
"narHash": "sha256-yHmd2B13EtBUPLJ+x0EaBwNkQr9LTne1arLVxT6hSnY=",
"owner": "nix-community",
"repo": "nixos-vscode-server",
"rev": "92ce71c3ba5a94f854e02d57b14af4997ab54ef0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-vscode-server",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",
+36 -24
View File
@@ -3,12 +3,15 @@
inputs = { inputs = {
# Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable" # Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable"
nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-26.05";
hardware.url = "github:nixos/nixos-hardware"; hardware.url = "github:nixos/nixos-hardware";
nur.url = "github:nix-community/nur"; nur = {
url = "github:nix-community/nur";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-25.11"; url = "github:nix-community/home-manager/release-26.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
@@ -17,40 +20,49 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# hyprland = {
# url = "github:hyprwm/Hyprland";
# inputs.nixpkgs.follows = "nixpkgs";
# };
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-colors.url = "github:misterio77/nix-colors"; nix-colors.url = "github:misterio77/nix-colors";
nixos-wsl = {
url = "github:nix-community/nixos-wsl";
inputs.nixpkgs.follows = "nixpkgs";
};
arion.url = "github:hercules-ci/arion"; vscode-server = {
arion.inputs.nixpkgs.follows = "nixpkgs"; url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = inputs: outputs = inputs:
let gen = import ./generator.nix { inherit inputs; }; let
lib = inputs.nixpkgs.lib;
gen = import ./generator.nix { inherit inputs; };
systemsDir = ./systems;
isIgnoredSystemDir = name: lib.hasPrefix "_" name || lib.hasPrefix "." name;
systemNames = lib.attrNames (lib.filterAttrs
(name: type:
type == "directory"
&& !isIgnoredSystemDir name
&& builtins.pathExists (systemsDir + "/${name}/cfg.nix"))
(builtins.readDir systemsDir));
hostsByType = systemType:
lib.filter
(host: (import (systemsDir + "/${host}/cfg.nix")).syscfg.type == systemType)
systemNames;
generateHosts = systemType:
lib.genAttrs
(hostsByType systemType)
(host: gen.generate { inherit host; });
in { in {
devShells = import ./shells { inherit inputs; }; devShells = import ./shells { inherit inputs; };
nixosConfigurations = { nixosConfigurations = generateHosts "nixos";
valinor = gen.generate { host = "valinor"; }; darwinConfigurations = generateHosts "macos";
iriy = gen.generate { host = "iriy"; }; homeConfigurations = generateHosts "home";
efir = gen.generate { host = "efir"; };
avalon = gen.generate { host = "avalon"; };
ci = gen.generate { host = "ci"; };
sandbox = gen.generate { host = "sandbox"; };
gateway = gen.generate { host = "gateway"; };
};
darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
homeConfigurations = {
yomi = gen.generate { host = "example"; };
example = gen.generate { host = "example"; };
};
}; };
# ===== Unsupported/NotImplemented ====== # ===== Unsupported/NotImplemented ======
+6 -4
View File
@@ -5,7 +5,7 @@
nameValuePair = name: value: { inherit name value; }; nameValuePair = name: value: { inherit name value; };
in ({ in ({
"nixos" = inputs.nixpkgs.lib.nixosSystem { "nixos" = inputs.nixpkgs.lib.nixosSystem {
system = syscfg.syscfg.system; system = "x86_64-linux";
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
modules = [ modules = [
./modules/shared/syscfg ./modules/shared/syscfg
@@ -13,9 +13,12 @@
./modules/nixos ./modules/nixos
syscfg syscfg
./systems/${host} ./systems/${host}
inputs.arion.nixosModules.arion
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.nixos-wsl.nixosModules.wsl
inputs.vscode-server.nixosModules.default
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@@ -29,7 +32,6 @@
syscfg syscfg
{ usercfg = userConfig; } { usercfg = userConfig; }
inputs.nix-colors.homeManagerModule inputs.nix-colors.homeManagerModule
# inputs.hyprland.homeManagerModules.default
inputs.sops-nix.homeManagerModules.sops inputs.sops-nix.homeManagerModules.sops
]; ];
}) syscfg.syscfg.users); }) syscfg.syscfg.users);
@@ -38,7 +40,7 @@
}; };
"macos" = inputs.darwin.lib.darwinSystem { "macos" = inputs.darwin.lib.darwinSystem {
system = syscfg.system; system = "x86_64-darwin";
modules = [ modules = [
./modules/shared/syscfg ./modules/shared/syscfg
./modules/shared/sops ./modules/shared/sops
+1 -1
View File
@@ -8,7 +8,7 @@
username = "${config.usercfg.username}"; username = "${config.usercfg.username}";
homeDirectory = "/home/${config.usercfg.username}"; homeDirectory = "/home/${config.usercfg.username}";
stateVersion = "24.11"; stateVersion = "26.05";
}; };
+147
View File
@@ -0,0 +1,147 @@
{
"$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
"logo": {
"type": "builtin", // Logo type: auto, builtin, small, file, etc.
// "source": "arch",
"width": 10,
"height": 10,
"padding": {
"top": 3,
"left": 2,
"right": 2
},
"color": {
"1": "blue",
"2": "white",
"3": "cyan"
}
},
"display": { /* Display settings */},
"modules": [
"break",
{
"type": "custom",
"format": "\u001b[90m┌──────────────────────Hardware──────────────────────┐"
},
{
"type": "host",
"key": "󰌢 PC",
"keyColor": "green",
"format": "{2}"
},
{
"type": "cpu",
"key": "│ ├󱛠 ",
"keyColor": "green",
"format": "{1} | {4} @{6}"
},
{
"type": "gpu",
"key": "│ ├󰍹 ",
"keyColor": "green",
"format": "{2} | {7}"
},
{
"type": "memory",
"key": "│ ├󰑭 ",
"keyColor": "green",
"format": "{2}"
},
// {
// "type": "disk",
// "key": "└ └󰋊 ",
// "keyColor": "green"
// },
{
"type": "custom",
"format": "\u001b[90m└────────────────────────────────────────────────────┘"
},
"break",
{
"type": "custom",
"format": "\u001b[90m┌──────────────────────Software──────────────────────┐"
},
{
"type": "os",
"key": " OS",
"keyColor": "yellow",
"format": " {2} {8}"
},
{
"type": "kernel",
"key": "│ ├󰌽 ",
"keyColor": "yellow",
"format": "{1} {2}"
},
{
"type": "bios",
"key": "│ ├󰖡 ",
"keyColor": "yellow"
},
{
"type": "packages",
"key": "│ ├󰏗 ",
"keyColor": "yellow"
},
{
"type": "de",
"key": "󰧨 DE",
"keyColor": "blue",
"format": "{2} | {3}"
},
{
"type": "lm",
"key": "│ ├󰍁 ",
"keyColor": "blue",
"format": "{1} {2} {3}"
},
{
"type": "wm",
"key": "│ ├󱂬 ",
"keyColor": "blue",
"format": "{2} {5}"
},
{
"type": "custom",
"format": "\u001b[90m└────────────────────────────────────────────────────┘"
},
"break",
{
"type": "custom",
"format": "\u001b[90m┌──────────────────────Age───────────────────────────┐"
},
{
"type": "command",
"key": " OS Age ",
"keyColor": "magenta",
"text": "birth_install=$(stat -c %W /); current=$(date +%s); time_progression=$((current - birth_install)); days_difference=$((time_progression / 86400)); echo $days_difference days"
},
{
"type": "command",
"key": " Update ",
"keyColor": "magenta",
"text": "nixos-rebuild list-generations | awk '$NF == \"True\" {print $2, $3}' | xargs -I {} date -d \"{}\" +\"%s\" | awk '{diff=systime()-$1; printf \"%d days, %d hours, %d mins\\n\", diff/86400, (diff%86400)/3600, (diff%3600)/60}'"
},
{
"type": "uptime",
"key": " Uptime ",
"keyColor": "magenta"
},
{
"type": "custom",
"format": "\u001b[90m└────────────────────────────────────────────────────┘"
},
{
"type": "colors",
"paddingLeft": 2,
"block": {
"width": 3,
"range": [
0,
15
]
} //,
//"symbol": "circle"
},
]
}
+2 -1
View File
@@ -1,4 +1,5 @@
{ pkgs, config, ... }: { { pkgs, config, ... }: {
home.packages = with pkgs; [ neofetch ]; home.packages = with pkgs; [ fastfetch ];
xdg.configFile."neofetch/config.conf".source = ./config.conf; xdg.configFile."neofetch/config.conf".source = ./config.conf;
xdg.configFile."fastfetch/config.jsonc".source = ./config.jsonc;
} }
@@ -1,9 +1,8 @@
{ lib, config, pkgs, ... }: { { lib, config, pkgs, ... }: {
config = lib.mkIf (config.syscfg.make.develop) { config = lib.mkIf (config.syscfg.make.develop) {
programs.vscode = { programs.vscodium = {
enable = true; enable = true;
package = pkgs.vscodium;
#profiles.default = { #profiles.default = {
profiles.default.extensions = with pkgs.vscode-extensions; [ profiles.default.extensions = with pkgs.vscode-extensions; [
bbenoist.nix bbenoist.nix
@@ -12,7 +11,6 @@
ms-python.vscode-pylance ms-python.vscode-pylance
ms-vscode.cpptools ms-vscode.cpptools
dbaeumer.vscode-eslint dbaeumer.vscode-eslint
continue.continue
]; ];
#}; #};
}; };
+4 -4
View File
@@ -4,10 +4,10 @@
services.nextcloud-client.enable = true; services.nextcloud-client.enable = true;
home.packages = with pkgs; [ home.packages = with pkgs; [
xfce.thunar thunar
xfce.thunar-volman thunar-volman
xfce.thunar-archive-plugin thunar-archive-plugin
xfce.tumbler tumbler
telegram-desktop telegram-desktop
discord-canary discord-canary
+3 -3
View File
@@ -1,6 +1,5 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
colorVariant = " black";
gtkThemeFromScheme = import ./gtk-theme-gen.nix { inherit pkgs config; }; gtkThemeFromScheme = import ./gtk-theme-gen.nix { inherit pkgs config; };
wallpaperGen = import ./wallpaper-gen.nix { inherit pkgs config; }; wallpaperGen = import ./wallpaper-gen.nix { inherit pkgs config; };
in { in {
@@ -20,6 +19,7 @@ in {
name = "${config.colorscheme.slug}-Dark"; name = "${config.colorscheme.slug}-Dark";
package = gtkThemeFromScheme; package = gtkThemeFromScheme;
}; };
gtk4.theme = config.gtk.theme;
iconTheme = { iconTheme = {
name = "tela-circle-icon-theme"; name = "tela-circle-icon-theme";
package = pkgs.tela-circle-icon-theme; package = pkgs.tela-circle-icon-theme;
@@ -31,7 +31,7 @@ in {
platformTheme.name = "gtk"; platformTheme.name = "gtk";
}; };
home.packages = [ wallpaperGen pkgs.swww ]; home.packages = [ wallpaperGen pkgs.awww ];
xdg.configFile."script/wallpaper.sh".text = '' xdg.configFile."script/wallpaper.sh".text = ''
#!/bin/sh #!/bin/sh
@@ -50,7 +50,7 @@ in {
IMG=$WPDIR/$(echo "$RES" | wofi --dmenu --allow-images show-icons true -theme-str '#window { width: 50%; }' -p "Choose wallpaper:") IMG=$WPDIR/$(echo "$RES" | wofi --dmenu --allow-images show-icons true -theme-str '#window { width: 50%; }' -p "Choose wallpaper:")
IMG=$(echo "$IMG" | awk -F ':' '{print $2}') IMG=$(echo "$IMG" | awk -F ':' '{print $2}')
swww img $IMG awww img $IMG
''; '';
}; };
} }
+137 -27
View File
@@ -1,40 +1,150 @@
{ pkgs, config }: { pkgs, config, lib ? pkgs.lib }:
let let
scheme = config.colorScheme; colors = config.colorScheme.palette;
colors = scheme.palette; mediaImages = config.syscfg.media.main;
dither = mediaNames = map (image: builtins.baseNameOf (toString image)) mediaImages;
"atkinson"; # none | floyd-steinberg | atkinson | jjn | burkes | sierra | sierra-lite mediaSourceDir = pkgs.linkFarm "wallpaper-media" (
in pkgs.stdenv.mkDerivation rec { map (image: {
pname = "generated-wallpaper"; name = builtins.baseNameOf (toString image);
version = "a1676fc2a0e3dfb7bf95d8a89e592830"; path = image;
src = pkgs.fetchFromGitea { }) mediaImages
domain = "git.helcel.net"; );
owner = "sora";
repo = "nixconfig-wallpaper"; dither = "atkinson"; # none | floyd-steinberg | atkinson | jjn | burkes | sierra | sierra-lite
rev = version; paletteSize = 0;
sha256 = "sha256-ZhBjTaKzoiEq1ptMmNWWRPCjLJsvy9My/HuzRaDjX1c=";
hexChars = "0123456789abcdef";
hexMap = {
"0" = 0; "1" = 1; "2" = 2; "3" = 3;
"4" = 4; "5" = 5; "6" = 6; "7" = 7;
"8" = 8; "9" = 9; "a" = 10; "b" = 11;
"c" = 12; "d" = 13; "e" = 14; "f" = 15;
}; };
buildInputs = with pkgs; [ custom.repalette nodejs imagemagick gifsicle ]; baseColors = [
colors.base00
colors.base01
colors.base02
colors.base03
colors.base04
colors.base05
colors.base06
colors.base07
colors.base08
colors.base09
colors.base0A
colors.base0B
colors.base0C
colors.base0D
colors.base0E
colors.base0F
];
configurePhase = '' round = x: builtins.floor (x + 0.5);
echo "${colors.base00},${colors.base01},\ clamp = x:
${colors.base02},${colors.base03},\ if x < 0 then 0 else if x > 255 then 255 else x;
${colors.base04},${colors.base05},\ parseHexByte = byte:
${colors.base06},${colors.base07},\ let
${colors.base08},${colors.base09},\ hi = hexMap.${builtins.substring 0 1 byte};
${colors.base0A},${colors.base0B},\ lo = hexMap.${builtins.substring 1 1 byte};
${colors.base0C},${colors.base0D},\ in
${colors.base0E},${colors.base0F}" > palette.in hi * 16 + lo;
''; hexToRgb = hex:
let
clean = lib.toLower (lib.removePrefix "#" hex);
in
{
r = parseHexByte (builtins.substring 0 2 clean);
g = parseHexByte (builtins.substring 2 2 clean);
b = parseHexByte (builtins.substring 4 2 clean);
};
componentToHex = value:
let
bounded = clamp value;
hi = builtins.div bounded 16;
lo = bounded - hi * 16;
in
"${builtins.substring hi 1 hexChars}${builtins.substring lo 1 hexChars}";
rgbToHex = color: "${componentToHex color.r}${componentToHex color.g}${componentToHex color.b}";
getTint = c: weight: round (c + (255 - c) * weight);
getShade = c: weight: round (c * weight);
tint = color: weight: {
r = getTint color.r weight;
g = getTint color.g weight;
b = getTint color.b weight;
};
shade = color: weight: {
r = getShade color.r weight;
g = getShade color.g weight;
b = getShade color.b weight;
};
genPalette = color:
let
tints =
if paletteSize == 0
then [ ]
else lib.genList (i: tint color ((i + 1.0) / paletteSize)) paletteSize;
shades =
if paletteSize == 0
then [ ]
else lib.genList (i: shade color (i * 1.0 / paletteSize)) paletteSize;
in
lib.reverseList tints ++ [ color ] ++ lib.reverseList shades;
keepColor = color:
let
sum = color.r + color.g + color.b;
in
sum > 0 && sum < 765;
paletteColors = lib.concatMap (hex: lib.filter keepColor (genPalette (hexToRgb hex))) baseColors;
paletteHex = lib.concatStringsSep "," (map rgbToHex paletteColors);
gifPaletteFile = pkgs.writeText "wallpaper-gifpalette.txt" (
lib.concatMapStringsSep "\n" (color: "${toString color.r} ${toString color.g} ${toString color.b}") paletteColors
);
buildCommands =
lib.concatMapStringsSep "\n" (name:
let
source = "${mediaSourceDir}/${name}";
target = "build/${name}";
in
if lib.hasSuffix ".gif" (lib.toLower name) then ''
gifsicle --use-colormap ${lib.escapeShellArg (toString gifPaletteFile)} < ${lib.escapeShellArg source} > ${lib.escapeShellArg target}
'' else ''
repalette ${lib.escapeShellArg source} ${lib.escapeShellArg target} -p ${lib.escapeShellArg paletteHex} --dither ${lib.escapeShellArg dither}
''
) mediaNames;
in
assert lib.assertMsg
(builtins.length mediaNames == builtins.length (lib.unique mediaNames))
"syscfg.media.main contains duplicate basenames, which would collide in generated wallpaper output.";
pkgs.stdenv.mkDerivation {
pname = "generated-wallpaper";
version = "local";
dontUnpack = true;
nativeBuildInputs = with pkgs; [
custom.repalette
gifsicle
];
buildPhase = '' buildPhase = ''
make DITHER=${dither} PALETTE_SIZE=0 all runHook preBuild
mkdir -p build
${buildCommands}
runHook postBuild
''; '';
installPhase = '' installPhase = ''
runHook preInstall
mkdir -p $out/share/wallpaper mkdir -p $out/share/wallpaper
cp -r build/* $out/share/wallpaper/ cp -r build/. $out/share/wallpaper/
runHook postInstall
''; '';
} }
+1 -1
View File
@@ -46,7 +46,7 @@
min_icon_size = 32; min_icon_size = 32;
max_icon_size = 64; max_icon_size = 64;
icon_path = icon_path = lib.mkForce
"${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/status:${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/device "; "${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/status:${pkgs.tela-circle-icon-theme}/share/icons/Tela-circle-dark/32/device ";
icon_theme = "Tela-circle-dark"; icon_theme = "Tela-circle-dark";
enable_recursive_icon_lookup = "true"; enable_recursive_icon_lookup = "true";
+1 -1
View File
@@ -48,7 +48,7 @@
(defwindow bar (defwindow bar
:monitor 1 :monitor 0
:geometry (geometry :geometry (geometry
:x "0%" :x "0%"
:y "0%" :y "0%"
@@ -5,8 +5,8 @@
(eventbox (eventbox
:onhover "${EWW_CMD} update date_rev=true" :onhover "${EWW_CMD} update date_rev=true"
:onhoverlost "${EWW_CMD} update date_rev=false" :onhoverlost "${EWW_CMD} update date_rev=false"
:onclick "(sleep 0.1 && ${EWW_CMD} open --toggle calendar)" :onclick "(sleep 0.1 && eww-open-on-current-screen calendar --toggle)"
:onrightclick "(sleep 0.1 && ${EWW_CMD} open --toggle powermenu)" :onrightclick "(sleep 0.1 && eww-open-on-current-screen powermenu --toggle)"
(box (box
:class "datetime" :class "datetime"
(overlay (overlay
@@ -39,4 +39,4 @@
(defpoll hour :interval "15s" "date '+%H'") (defpoll hour :interval "15s" "date '+%H'")
(defpoll minute :interval "15s" "date '+%M'") (defpoll minute :interval "15s" "date '+%M'")
(defpoll day :interval "15s" "date '+%d'") (defpoll day :interval "15s" "date '+%d'")
(defpoll month :interval "15s" "date '+%m'") (defpoll month :interval "15s" "date '+%m'")
@@ -7,7 +7,7 @@
(defwidget sys-mod [] (defwidget sys-mod []
(module (module
(eventbox (eventbox
:onclick "(sleep 0.1 && ${EWW_CMD} open --toggle sys)" :onclick "(sleep 0.1 && eww-open-on-current-screen sys --toggle)"
(box (box
:orientation "v" :orientation "v"
(circular-progress (circular-progress
@@ -3,13 +3,14 @@
(defwidget workspace-mod [] (defwidget workspace-mod []
(module (module
(eventbox (eventbox
:onscroll "echo {} | sed -e \"s/up/-1/g\" -e \"s/down/+1/g\" | xargs hyprctl dispatch workspace" :onscroll "echo {} | sed -e 's/up/-1/' -e 's/down/+1/' | xargs -I % hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '%' }))\""
(box (box
:class "module workspaces" :class "module workspaces"
:orientation "v" :orientation "v"
(for ws in workspace (for ws in workspace
(button (button
:onclick "hyprctl dispatch workspace ${ws.number}" :onclick "hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '${ws.number}' }))\""
(label (label
:show-truncated false :show-truncated false
:class "icon-text ${ws.color}" :class "icon-text ${ws.color}"
@@ -6,6 +6,10 @@ function get_time_ms {
icons=("󰤯" "󰤟" "󰤢" "󰤥" "󰤨") icons=("󰤯" "󰤟" "󰤢" "󰤥" "󰤨")
function get_wifi_interface() {
awk 'NR > 2 { gsub(":", "", $1); print $1; exit }' /proc/net/wireless
}
function toggle() { function toggle() {
status=$(rfkill | grep wlan | awk '{print $4}') status=$(rfkill | grep wlan | awk '{print $4}')
@@ -17,7 +21,8 @@ function toggle() {
} }
function gen_wifi() { function gen_wifi() {
signal=$(cat /proc/net/wireless | head -n3 | tail -n1 | awk '{print $3}') wifi_iface=$(get_wifi_interface)
signal=$(awk -v iface="$wifi_iface" '$1 == iface ":" { print $3; exit }' /proc/net/wireless)
level=$(awk -v n="$signal" 'BEGIN{print int((n-1)/20)}') level=$(awk -v n="$signal" 'BEGIN{print int((n-1)/20)}')
if [ "$level" -gt 4 ]; then if [ "$level" -gt 4 ]; then
level=4 level=4
@@ -26,8 +31,8 @@ function gen_wifi() {
icon=${icons[$level]} icon=${icons[$level]}
ip="-" ip="-"
class="net-connected" class="net-connected"
name_raw=$(wpa_cli status | grep \^ssid= | sed 's/ssid=//g') name_raw=$(wpa_cli -g "/run/wpa_supplicant/$wifi_iface" status | grep \^ssid= | sed 's/ssid=//g')
name=$(printf "%s" $name_raw) name=$(printf "%s" "$name_raw")
} }
function gen_ethernet() { function gen_ethernet() {
@@ -38,9 +43,12 @@ function gen_ethernet() {
} }
function make_content() { function make_content() {
local ethernet wifi local ethernet wifi wifi_iface
ethernet=$(ip link | rg "^[0-9]+: en[po]+" | head -n1 | sed 's/[a-zA-Z0-9_,><:\ -]*state //g' | sed 's/ mode [a-zA-Z0-9 ]*//g') ethernet=$(ip link | rg "^[0-9]+: en[po]+" | head -n1 | sed 's/[a-zA-Z0-9_,><:\ -]*state //g' | sed 's/ mode [a-zA-Z0-9 ]*//g')
wifi=$(wpa_cli status | rg "^wpa_state=" | sed 's/wpa_state=//g') wifi_iface=$(get_wifi_interface)
if [ -n "$wifi_iface" ]; then
wifi=$(wpa_cli -g "/run/wpa_supplicant/$wifi_iface" status | rg "^wpa_state=" | sed 's/wpa_state=//g')
fi
# test ethernet first # test ethernet first
if [[ $ethernet == "UP" ]]; then if [[ $ethernet == "UP" ]]; then
@@ -1,9 +1,9 @@
(defwindow calendar (defwindow calendar
:monitor 1 :monitor 0
:geometry (geometry :geometry (geometry
:x "0%" :x "0%"
:y "0%" :y "0%"
:anchor "bottom right" :anchor "bottom right"
:width "0px" :width "0px"
:height "0px") :height "0px")
(window (calendar))) (window (calendar)))
@@ -25,7 +25,7 @@
(powermenu_entry :label "Sign out" (powermenu_entry :label "Sign out"
:icon "󰗼" :icon "󰗼"
:onclick "hyprctl dispatch exit 0") :onclick "hyprctl eval \"hl.dispatch(hl.dsp.exit())\"")
(powermenu_entry :label "Cancel" (powermenu_entry :label "Cancel"
:icon "󰅖" :icon "󰅖"
@@ -34,7 +34,7 @@
) )
(defwindow powermenu (defwindow powermenu
:monitor 1 :monitor 0
:stacking "overlay" :stacking "overlay"
:geometry (geometry :geometry (geometry
:anchor "center" :anchor "center"
@@ -42,4 +42,4 @@
:height "120%") :height "120%")
:namespace "eww-blur" :namespace "eww-blur"
(powermenu) (powermenu)
) )
@@ -2,7 +2,7 @@
(defvar radio_rev false) (defvar radio_rev false)
(defwindow radio (defwindow radio
:monitor 1 :monitor 0
:geometry (geometry :geometry (geometry
:x "0%" :x "0%"
:y "0%" :y "0%"
@@ -100,7 +100,7 @@
(box (box
:orientation "v" :orientation "v"
(button (button
:onclick "(sleep 0.1 && ${EWW_CMD} open --toggle --no-daemonize radio)" :onclick "(sleep 0.1 && eww-open-on-current-screen radio --toggle --no-daemonize)"
(label (label
:show-truncated false :show-truncated false
:class "icon-text" :class "icon-text"
@@ -108,4 +108,4 @@
) )
) )
) )
) )
@@ -129,7 +129,7 @@
) )
(defwindow sys (defwindow sys
:monitor 1 :monitor 0
:stacking "overlay" :stacking "overlay"
:geometry (geometry :geometry (geometry
:x "0%" :x "0%"
@@ -137,4 +137,4 @@
:anchor "bottom right" :anchor "bottom right"
:width "0px" :width "0px"
:height "0px") :height "0px")
(window (sys-win))) (window (sys-win)))
+16 -2
View File
@@ -1,7 +1,21 @@
{ lib, config, pkgs, ... }: { { lib, config, pkgs, ... }:
let
openOnCurrentScreen = pkgs.writeShellScriptBin "eww-open-on-current-screen" ''
window="$1"
shift
screen="$(hyprctl monitors -j | ${lib.getExe pkgs.jq} -r '.[] | select(.focused == true) | .name' | head -n1)"
if [ -n "$screen" ]; then
exec ${lib.getExe pkgs.eww} open "$window" --screen "$screen" "$@"
fi
exec ${lib.getExe pkgs.eww} open "$window" "$@"
'';
in {
config = lib.mkIf (config.usercfg.wm == "Wayland") { config = lib.mkIf (config.usercfg.wm == "Wayland") {
home.packages = with pkgs; [ eww jq jaq custom.amdgpu_top ]; home.packages = with pkgs; [ eww jq jaq custom.amdgpu_top openOnCurrentScreen ];
xdg.configFile."eww" = { xdg.configFile."eww" = {
source = lib.cleanSourceWith { source = lib.cleanSourceWith {
+14 -1
View File
@@ -1,4 +1,12 @@
{ config, lib, ... }: { { config, lib, pkgs, ... }:
let
restartEwwBar = monitor: pkgs.writeShellScript "restart-eww-bar-after-kanshi-${toString monitor}" ''
sleep 1
${lib.getExe pkgs.eww} close bar || true
${lib.getExe pkgs.eww} open bar --screen ${toString monitor}
'';
in {
config = lib.mkIf (config.usercfg.wm == "Wayland") { config = lib.mkIf (config.usercfg.wm == "Wayland") {
services.kanshi = { services.kanshi = {
@@ -7,6 +15,7 @@
settings = [ settings = [
{ {
profile.name = "tower_0"; profile.name = "tower_0";
profile.exec = [ "${restartEwwBar 1}" ];
profile.outputs = [ profile.outputs = [
{ {
criteria = "AOC 24E1W1 GNSKCHA086899"; criteria = "AOC 24E1W1 GNSKCHA086899";
@@ -28,6 +37,7 @@
} }
{ {
profile.name = "tower_1"; profile.name = "tower_1";
profile.exec = [ "${restartEwwBar 1}" ];
profile.outputs = [ profile.outputs = [
{ {
criteria = "AOC 24E1W1 GNSKCHA086899"; criteria = "AOC 24E1W1 GNSKCHA086899";
@@ -57,6 +67,7 @@
} }
{ {
profile.name = "laptop_0"; profile.name = "laptop_0";
profile.exec = [ "${restartEwwBar 0}" ];
profile.outputs = [{ profile.outputs = [{
criteria = "LG Display 0x060A Unknown"; criteria = "LG Display 0x060A Unknown";
mode = "1920x1080@60.020"; mode = "1920x1080@60.020";
@@ -67,6 +78,7 @@
} }
{ {
profile.name = "laptop_1"; profile.name = "laptop_1";
profile.exec = [ "${restartEwwBar 1}" ];
profile.outputs = [ profile.outputs = [
{ {
criteria = "CEX CX133 0x00000001"; criteria = "CEX CX133 0x00000001";
@@ -86,6 +98,7 @@
} }
{ {
profile.name = "laptop_2"; profile.name = "laptop_2";
profile.exec = [ "${restartEwwBar 1}" ];
profile.outputs = [ profile.outputs = [
{ {
criteria = "AOC 16G3 1DDP7HA000348"; criteria = "AOC 16G3 1DDP7HA000348";
+3 -3
View File
@@ -146,8 +146,8 @@ in {
"9" = [ ]; "9" = [ ];
"10" = [ ]; "10" = [ ];
}; };
"on-scroll-up" = "hyprctl dispatch workspace r-1"; "on-scroll-up" = "hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '-1' }))\"";
"on-scroll-down" = "hyprctl dispatch workspace r+1"; "on-scroll-down" = "hyprctl eval \"hl.dispatch(hl.dsp.focus({ workspace = '+1' }))\"";
}; };
"backlight" = { "backlight" = {
@@ -232,7 +232,7 @@ in {
"custom/powermenu" = { "custom/powermenu" = {
"format" = "{icon}"; "format" = "{icon}";
"format-icons" = [ "󰐥" ]; "format-icons" = [ "󰐥" ];
"on-click" = "eww open powermenu"; "on-click" = "eww-open-on-current-screen powermenu";
"tooltip" = false; "tooltip" = false;
}; };
"tray" = { "tray" = {
+1 -1
View File
@@ -34,7 +34,7 @@ in {
glib glib
brightnessctl brightnessctl
swww awww
]; ];
xdg.mimeApps = { xdg.mimeApps = {
+312 -211
View File
@@ -1,231 +1,332 @@
{ lib, config, pkgs, ... }: { { lib, config, pkgs, ... }: let
config = lib.mkIf (config.usercfg.wm == "Wayland") { lua = lib.generators.mkLuaInline;
bind = keys: dispatcher: { _args = [ keys dispatcher ]; };
bindOpts = keys: dispatcher: opts: { _args = [ keys dispatcher opts ]; };
dsp = {
exec = cmd: lua ''hl.dsp.exec_cmd("${cmd}")'';
close = lua "hl.dsp.window.close()";
exit = lua "hl.dsp.exit()";
float = lua ''hl.dsp.window.float({ action = "toggle" })'';
fullscreen = lua "hl.dsp.window.fullscreen()";
pseudo = lua "hl.dsp.window.pseudo()";
layout = msg: lua ''hl.dsp.layout("${msg}")'';
focus = dir: lua ''hl.dsp.focus({ direction = "${dir}" })'';
swap = dir: lua ''hl.dsp.window.swap({ direction = "${dir}" })'';
toggleSpecial = name: lua ''hl.dsp.workspace.toggle_special("${name}")'';
moveToSpecial = name: lua ''hl.dsp.window.move({ workspace = "special:${name}" })'';
focusWorkspace = ws: lua ''hl.dsp.focus({ workspace = "${toString ws}" })'';
moveToWorkspace = ws: lua ''hl.dsp.window.move({ workspace = "${toString ws}", follow = false})'';
drag = lua "hl.dsp.window.drag()";
resize = lua "hl.dsp.window.resize()";
};
startupScript = pkgs.writeShellScriptBin "hyprland-start" ''
eww-open-on-current-screen bar &
awww-daemon &
sleep 2
keepassxc &
firefox &
jellyfin-mpv-shim &
easyeffects --gapplication-service &
sleep 2
nextcloud &
# telegram-desktop &
# discord &
'';
in {
config = lib.mkIf (config.usercfg.wm == "Wayland") {
wayland.windowManager.hyprland = { wayland.windowManager.hyprland = {
enable = true; enable = true;
xwayland.enable = true; xwayland.enable = true;
extraConfig = '' configType = "lua";
monitor=,preferred,auto,auto settings = {
env=bitdepth,10 on = {
input { _args = [
kb_layout = us, ru "hyprland.start"
kb_variant = intl, phonetic (lua ''
kb_options = grp:ctrls_toggle function()
hl.exec_cmd("dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP")
hl.exec_cmd("${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1")
hl.exec_cmd("wl-paste --type text --watch cliphist store")
hl.exec_cmd("wl-paste --type image --watch cliphist store")
hl.exec_cmd("swayidle -w timeout 600 'swaylock' before-sleep 'swaylock'")
hl.exec_cmd("${lib.getExe startupScript}")
hl.exec_cmd("[workspace special:magic silent] kitty --title flying_kitty")
end'')
];
};
follow_mouse = 1 monitor = [{
output = "";
mode = "preferred";
position = "auto";
scale = "auto";
bitdepth = 10;
}];
#Fullscreen HDR is possible without the hdr cm setting if "render:cm_auto_hdr" is enabled.
sensitivity = 0 config = {
input = {
touchpad { kb_layout = "us";
natural_scroll=no kb_variant = "intl";#, phonetic";
disable_while_typing=true kb_options = "grp:alt_shift_toggle";
scroll_factor=1 follow_mouse = 1;
disable_while_typing=0 sensitivity = 0;
tap-to-click=0
touchpad = {
natural_scroll = false;
scroll_factor = 1;
disable_while_typing = false;
tap_to_click = false;
};
};
misc = {
force_default_wallpaper = -1;
disable_hyprland_logo = true;
animate_mouse_windowdragging = false;
animate_manual_resizes = false;
vrr = 1;
};
general = {
gaps_in = config.colorScheme.palette.gaps-window;
gaps_out = config.colorScheme.palette.gaps-screen;
border_size = lib.toInt config.colorScheme.palette.border-width;
col = {
active_border = "rgb(${config.colorScheme.palette.base04})";
inactive_border = "rgb(${config.colorScheme.palette.base03})";
};
layout = "dwindle";
};
decoration = {
rounding = lib.toInt config.colorScheme.palette.border-radius;
inactive_opacity = 1.0;
active_opacity = 1.0;
fullscreen_opacity = 1.0;
blur = {
enabled = true;
size = 2;
passes = 1;
new_optimizations = true;
};
};
dwindle = {
#pseudotile = true;
preserve_split = true;
};
animations = {
enabled = true;
};
master = {
new_status = "master";
};
};
curve = [{
_args = [
"customcurve"
{
type = "bezier";
points = lua "{ {0.0, 0.9}, {0.1, 1.0} }";
} }
} ];
}];
misc {
disable_hyprland_logo=true animation = [
animate_mouse_windowdragging=false { leaf = "windows"; enabled = true; speed = 4; bezier = "customcurve"; }
animate_manual_resizes=false { leaf = "windowsOut"; enabled = true; speed = 4; bezier = "customcurve"; style = "popin 80%"; }
{ leaf = "border"; enabled = true; speed = 10; bezier = "customcurve"; }
vrr=1 { leaf = "borderangle"; enabled = true; speed = 1; bezier = "customcurve"; }
} { leaf = "fade"; enabled = true; speed = 4; bezier = "customcurve"; }
{ leaf = "workspaces"; enabled = true; speed = 4; bezier = "customcurve"; }
general { ];
gaps_in = ${config.colorScheme.palette.gaps-window}
gaps_out = ${config.colorScheme.palette.gaps-screen}
border_size = ${config.colorScheme.palette.border-width} gesture = {
fingers = 3;
col.active_border = rgb(${config.colorScheme.palette.base04}) direction = "vertical";
col.inactive_border = rgb(${config.colorScheme.palette.base03}) action = "workspace";
};
layout = dwindle
} window_rule = [
{ match.title = "noshadow"; float= false;}
decoration { {
rounding = ${config.colorScheme.palette.border-radius} match.title = "^(flying_kitty)$";
float = true;
blur { center = true;
enabled = true size = "1100 600";
size = 2 move = "{0 600}";
passes = 1 animation = "slide";
new_optimizations = true }
{ match.title = "^(Volume Control)$"; float = true; }
{ match.title = "^(Picture-in-Picture)$"; float = true; }
{ match.title = "^(Steam)$"; float = true; }
# --- Chat & Workspace Assignments ---
{ match.class = "^(org.telegram.desktop)$"; workspace = "2 silent"; }
{ match.class = "^(discord)$"; workspace = "2 silent"; }
{ match.class = "^(org.keepassxc.KeePassXC)$"; workspace = "8 silent"; }
{ match.title = "^(Nextcloud)$"; workspace = "8 silent"; }
{ match.class = "^(org.telegram.desktop)$"; match.title = "^(Media viewer)$"; float = true; center = true; }
{
match.class = "^(Tk)$";
match.title = "^(Server Configuration)$";
workspace = "8 silent";
} }
#multisample_edges = true # --- KeePassXC Dialogs ---
{
match.class = "^(org.keepassxc.KeePassXC)$";
match.title = "^(KeePassXC - Access Request)$";
float = true;
pin = true;
}
{
match.class = "^(org.keepassxc.KeePassXC)$";
match.title = "^(Unlock Database - KeePassXC)$";
float = true;
pin = true;
}
# --- Generic System / File Dialogs ---
{ match.title = "^(Open)$"; float = true; }
{ match.title = "^(Choose Files)$"; float = true; }
{ match.title = "^(Save As)$"; float = true; }
{ match.title = "^(Confirm to replace files)$"; float = true; }
{ match.title = "^(File Operation Progress)$"; float = true; }
#opactity # --- Firefox Window Rules ---
inactive_opacity = 1.0 {
active_opacity = 1.0 match.class = "^(firefox)$";
fullscreen_opacity = 1.0 match.title = "^(Picture-in-Picture)$";
float = true;
# shadow pin = true;
# drop_shadow = no suppress_event = "fullscreen";
# shadow_range = 60 }
# shadow_offset = 0 5 {
# shadow_render_power = 4 match.class = "^(firefox)$";
#col.shadow = rgba(00000099) match.title = "^(Firefox Sharing Indicator)$";
} float = true;
suppress_event = "fullscreen";
animations { }
enabled = true {
bezier = customcurve, 0.0, 0.9, 0.1, 1.0 match.class = "^(firefox)$";
match.title = "^(Extension:.* Mozilla Firefox)$";
float = true;
suppress_event = "fullscreen";
}
animation = windows, 1, 4, customcurve # --- Telegram Media Viewer ---
animation = windowsOut, 1, 4, customcurve, popin 50% {
animation = border, 1, 10, customcurve match.class = "^(org.telegram.desktop)$";
animation = borderangle, 0, 1, customcurve match.title = "^(Media viewer)$";
animation = fade, 1, 4, customcurve float = true;
animation = workspaces, 1, 4, customcurve center = true;
} }
dwindle {
pseudotile = yes
preserve_split = yes
}
master { # --- Idle Inhibition ---
new_status = master { match.class = "^(.*)$"; idle_inhibit = "fullscreen"; }
} { match.class = "^(steam_app_.*)$"; idle_inhibit = "focus"; }
{ match.class = "^(mpv)$"; idle_inhibit = "focus"; }
gesture = 3, vertical, workspace ];
exec-once = eww open bar
#exec-once = waybar
exec-once = dunst
exec-once = swww init # windowrule = [ "noshadow, floating:0" ];
exec-once = dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP # windowrulev2 = [
exec-once = /nix/store/$(ls -la /nix/store | grep 'polkit-gnome' | grep '4096' | awk '{print $9}' | sed -n '$p')/libexec/polkit-gnome-authentication-agent-1 & # "workspace 2 silent, class:^(org.telegram.desktop)$"
# "workspace 2 silent, class:^(discord)$"
# "workspace 8 silent, class:^(org.keepassxc.KeePassXC)$"
# "workspace 8 silent, title:^(Nextcloud)$"
# "workspace 8 silent, class:^(Tk)$,title:^(Server Configuration)$"
# "float,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC - Access Request)$"
# "pin,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC - Access Request)$"
# "float,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$"
# "pin,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$"
# "float,title:^(Open)$"
# "float,title:^(Choose Files)$"
# "float,title:^(Save As)$"
# "float,title:^(Confirm to replace files)$"
# "float,title:^(File Operation Progress)$"
# "float,class:^(firefox)$,title:^(Picture-in-Picture)$"
# "pin,class:^(firefox)$,title:^(Picture-in-Picture)$"
# "suppressevent fullscreen,class:^(firefox)$,title:^(Picture-in-Picture)$"
# "float,class:^(firefox)$,title:^(Firefox — Sharing Indicator)$"
# "suppressevent fullscreen,class:^(firefox)$,title:^(Firefox — Sharing Indicator)$"
# "float,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$"
# "suppressevent fullscreen,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$"
# "float,class:^(org.telegram.desktop)$,title:^(Media viewer)$"
# "center,class:^(org.telegram.desktop)$,title:^(Media viewer)$"
# "idleinhibit fullscreen, class:^(.*)"
# "idleinhibit focus, class:^(steam_app_.*)$"
# "idleinhibit focus, class:^(mpv)$"
# ];
exec-once = wl-paste --type text --watch cliphist store #Stores only text data layer_rule = [ {
exec-once = wl-paste --type image --watch cliphist store #Stores only image data match.namespace = "^eww%-blur$";
blur = true;
ignore_alpha = 0.5;
}];
exec-once = swayidle -w timeout 600 'swaylock' before-sleep 'swaylock' bind = [
(bind "SUPER + RETURN" (dsp.exec "kitty"))
(bind "SUPER + SHIFT + RETURN" (dsp.toggleSpecial "magic"))
(bind "SUPER + SHIFT + S" (dsp.moveToSpecial "magic"))
(bind "SUPER + Q" dsp.close)
(bind "SUPER + T" dsp.float)
(bind "SUPER + F" dsp.fullscreen)
(bind "SUPER + P" dsp.pseudo)
(bind "SUPER + J" (dsp.layout "togglesplit"))
(bind "SUPER + D" (dsp.exec "wofi -modi --show drun"))
(bind "SUPER + SHIFT + D" (dsp.exec "~/.config/hypr/themes/apatheia/eww/launch_bar"))
(bind "SUPER + V" (dsp.exec "cliphist list | wofi -dmenu | cliphist decode | wl-copy"))
(bind "PRINT" (dsp.exec "hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'"))
(bind "SUPER + L" (dsp.exec "swaylock"))
(bind "SUPER + left" (dsp.focus "left"))
(bind "SUPER + right" (dsp.focus "right"))
(bind "SUPER + up" (dsp.focus "up"))
(bind "SUPER + down" (dsp.focus "down"))
(bind "SUPER + mouse_down" (dsp.focusWorkspace "e+1"))
(bind "SUPER + mouse_up" (dsp.focusWorkspace "e-1"))
(bind "SUPER + 1" (dsp.focusWorkspace 1))
#windowrules (bind "SUPER + SHIFT + 1" (dsp.moveToWorkspace 1))
windowrule = noshadow, floating:0 (bind "SUPER + 2" (dsp.focusWorkspace 2))
(bind "SUPER + SHIFT + 2" (dsp.moveToWorkspace 2))
windowrule = float, title:^(flying_kitty)$ (bind "SUPER + 3" (dsp.focusWorkspace 3))
windowrule = size 1100 600, title:^(flying_kitty)$ (bind "SUPER + SHIFT + 3" (dsp.moveToWorkspace 3))
windowrule = move center, title:^(flying_kitty)$ (bind "SUPER + 4" (dsp.focusWorkspace 4))
windowrule = animation slide, title:^(flying_kitty)$ (bind "SUPER + SHIFT + 4" (dsp.moveToWorkspace 4))
windowrule = float, title:^(Volume Control)$ (bind "SUPER + 5" (dsp.focusWorkspace 5))
windowrule = float, title:^(Picture-in-Picture)$ (bind "SUPER + SHIFT + 5" (dsp.moveToWorkspace 5))
windowrule = float, title:^(Steam)$ (bind "SUPER + 6" (dsp.focusWorkspace 6))
(bind "SUPER + SHIFT + 6" (dsp.moveToWorkspace 6))
windowrulev2 = workspace 2 silent, class:^(org.telegram.desktop)$ (bind "SUPER + 7" (dsp.focusWorkspace 7))
windowrulev2 = workspace 2 silent, class:^(discord)$ (bind "SUPER + SHIFT + 7" (dsp.moveToWorkspace 7))
(bind "SUPER + 8" (dsp.focusWorkspace 8))
windowrulev2 = workspace 8 silent, class:^(org.keepassxc.KeePassXC)$ (bind "SUPER + SHIFT + 8" (dsp.moveToWorkspace 8))
windowrulev2 = workspace 8 silent, title:^(Nextcloud)$ (bind "SUPER + 9" (dsp.focusWorkspace 9))
windowrulev2 = workspace 8 silent, class:^(Tk)$,title:^(Server Configuration)$ (bind "SUPER + SHIFT + 9" (dsp.moveToWorkspace 9))
(bind "SUPER + 0" (dsp.focusWorkspace 0))
#SPECIAL FLOATERS (bind "SUPER + SHIFT + 0" (dsp.moveToWorkspace 0))
windowrulev2 = float,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC - Access Request)$ (bind "XF86AudioPlay" (dsp.exec "playerctl play-pause"))
windowrulev2 = pin,class:^(org.keepassxc.KeePassXC)$,title:^(KeePassXC - Access Request)$ (bind "XF86AudioPrev" (dsp.exec "playerctl previous"))
windowrulev2 = float,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$ (bind "XF86AudioNext" (dsp.exec "playerctl next"))
windowrulev2 = pin,class:^(org.keepassxc.KeePassXC)$,title:^(Unlock Database - KeePassXC)$ (bindOpts "XF86AudioRaiseVolume" (dsp.exec "amixer -q sset 'Master' 5%+") { locked = true; repeating = true; })
windowrulev2 = float,title:^(Open)$ (bindOpts "XF86AudioLowerVolume" (dsp.exec "amixer -q sset 'Master' 5%-") { locked = true; repeating = true; })
windowrulev2 = float,title:^(Choose Files)$ (bindOpts "XF86AudioMute" (dsp.exec "amixer -q sset 'Master' toggle") { locked = true; })
windowrulev2 = float,title:^(Save As)$ (bindOpts "XF86MonBrightnessUp" (dsp.exec "brightnessctl s 5%+") { locked = true; repeating = true; })
windowrulev2 = float,title:^(Confirm to replace files)$ (bindOpts "XF86MonBrightnessDown" (dsp.exec "brightnessctl s 5%-") { locked = true; repeating = true; })
windowrulev2 = float,title:^(File Operation Progress)$ (bindOpts "SUPER + mouse:272" dsp.drag { mouse = true; })
windowrulev2 = float,class:^(firefox)$,title:^(Picture-in-Picture)$ (bindOpts "SUPER + mouse:273" dsp.resize { mouse = true; })
windowrulev2 = pin,class:^(firefox)$,title:^(Picture-in-Picture)$ ];
windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Picture-in-Picture)$ };
windowrulev2 = float,class:^(firefox)$,title:^(Firefox Sharing Indicator)$
windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Firefox Sharing Indicator)$
windowrulev2 = float,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$
windowrulev2 = suppressevent fullscreen,class:^(firefox)$,title:^(Extension:.* Mozilla Firefox)$
windowrulev2 = float,class:^(org.telegram.desktop)$,title:^(Media viewer)$
windowrulev2 = center,class:^(org.telegram.desktop)$,title:^(Media viewer)$
#SPECIAL NO SLEEP
windowrulev2 = idleinhibit fullscreen, class:^(.*)
windowrulev2 = idleinhibit focus, class:^(steam_app_.*)$
windowrulev2 = idleinhibit focus, class:^(mpv)$
layerrule = blur,^(eww-blur)
#binds
bind = SUPER, RETURN, exec, kitty
bind = SUPER_SHIFT, RETURN,togglespecialworkspace,
# bind = SUPER_SHIFT, RETURN, exec, kitty --title flying_kitty --single-instance
bind = SUPER, Q, killactive,
bind = SUPER, T, togglefloating,
bind = SUPER, F, fullscreen,
bind = SUPER, D, exec, wofi -modi --show drun
bind = SUPER SHIFT,D,exec, ~/.config/hypr/themes/apatheia/eww/launch_bar
bind = SUPER, V, exec, cliphist list | wofi -dmenu | cliphist decode | wl-copy
bind = , PRINT, exec, hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'
bind = SUPER, L, exec, swaylock
bind = SUPER, left, movefocus, l
bind = SUPER, right, movefocus, r
bind = SUPER, up, movefocus, u
bind = SUPER, down, movefocus, d
bind = SUPER, 1, workspace, 1
bind = SUPER, 2, workspace, 2
bind = SUPER, 3, workspace, 3
bind = SUPER, 4, workspace, 4
bind = SUPER, 5, workspace, 5
bind = SUPER, 6, workspace, 6
bind = SUPER, 7, workspace, 7
bind = SUPER, 8, workspace, 8
bind = SUPER, 9, workspace, 9
bind = SUPER, 0, workspace, 10
bind = SUPER SHIFT, 1, movetoworkspacesilent, 1
bind = SUPER SHIFT, 2, movetoworkspacesilent, 2
bind = SUPER SHIFT, 3, movetoworkspacesilent, 3
bind = SUPER SHIFT, 4, movetoworkspacesilent, 4
bind = SUPER SHIFT, 5, movetoworkspacesilent, 5
bind = SUPER SHIFT, 6, movetoworkspacesilent, 6
bind = SUPER SHIFT, 7, movetoworkspacesilent, 7
bind = SUPER SHIFT, 8, movetoworkspacesilent, 8
bind = SUPER SHIFT, 9, movetoworkspacesilent, 9
bind = SUPER SHIFT, 0, movetoworkspacesilent, 10
bind = SUPER, mouse_down, workspace, e+1
bind = SUPER, mouse_up, workspace, e-1
bindm = SUPER, mouse:272, movewindow
bindm = SUPER, mouse:273, resizewindow
bind = , XF86AudioPlay, exec, playerctl play-pause
bind = , XF86AudioPrev, exec, playerctl previous
bind = , XF86AudioNext, exec, playerctl next
bind = , XF86AudioRaiseVolume, exec, amixer -q sset 'Master' 5%+
bind = , XF86AudioLowerVolume, exec, amixer -q sset 'Master' 5%-
bind = , XF86AudioMute, exec, amixer -q sset 'Master' toggle
bind = , XF86MonBrightnessUp, exec, brightnessctl s 5%+
bind = , XF86MonBrightnessDown, exec, brightnessctl s 5%-
exec-once = [workspace special silent] kitty --title flying_kitty
exec-once = sh ~/.config/startup.sh
'';
}; };
xdg.configFile."startup.sh".text = ''
#!/bin/sh
sleep 2
keepassxc &
firefox &
jellyfin-mpv-shim &
easyeffects --gapplication-service &
sleep 2
nextcloud &
#telegram-desktop&
#discord&
'';
}; };
} }
+3 -2
View File
@@ -2,12 +2,13 @@
home.packages = with pkgs; [ xdg-user-dirs ]; home.packages = with pkgs; [ xdg-user-dirs ];
xdg.enable = true;
xdg.userDirs.enable = true; xdg.userDirs.enable = true;
xdg.userDirs.desktop = "${config.home.homeDirectory}/desktop"; xdg.userDirs.desktop = "${config.home.homeDirectory}/desktop";
xdg.userDirs.documents = "${config.home.homeDirectory}/desktop"; xdg.userDirs.documents = "${config.home.homeDirectory}/desktop";
xdg.userDirs.download = "${config.home.homeDirectory}/downloads"; xdg.userDirs.download = "${config.home.homeDirectory}/downloads";
xdg.userDirs.extraConfig = { xdg.userDirs.extraConfig = {
XDG_MISC_DIR = "${config.home.homeDirectory}/misc"; MISC = "${config.home.homeDirectory}/misc";
}; };
xdg.userDirs.music = "${config.home.homeDirectory}/media/music"; xdg.userDirs.music = "${config.home.homeDirectory}/media/music";
xdg.userDirs.pictures = "${config.home.homeDirectory}/media/photo"; xdg.userDirs.pictures = "${config.home.homeDirectory}/media/photo";
@@ -15,5 +16,5 @@
xdg.userDirs.templates = "${config.home.homeDirectory}/media/template"; xdg.userDirs.templates = "${config.home.homeDirectory}/media/template";
xdg.userDirs.videos = "${config.home.homeDirectory}/media/video"; xdg.userDirs.videos = "${config.home.homeDirectory}/media/video";
xdg.userDirs.createDirectories = true; xdg.userDirs.createDirectories = true;
xdg.userDirs.setSessionVariables = true;
} }
+1 -1
View File
@@ -5,7 +5,7 @@
enable = true; enable = true;
settings = rec { settings = rec {
initial_session = { initial_session = {
command = "zsh"; command = "start-hyprland";
user = "${config.syscfg.defaultUser}"; user = "${config.syscfg.defaultUser}";
}; };
default_session = initial_session; default_session = initial_session;
+1 -1
View File
@@ -3,7 +3,7 @@
programs.xwayland.enable = true; programs.xwayland.enable = true;
services.xserver = { services.xserver = {
enable = true; enable = true;
videoDrivers = [ "amd" ]; videoDrivers = [ "amdgpu" ];
xkb = { xkb = {
layout = "us"; layout = "us";
variant = "intl"; variant = "intl";
+21 -1
View File
@@ -1,3 +1,23 @@
{ ... }: { { config, lib, ... }: {
imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ]; imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ];
services.journald.extraConfig = ''
SystemMaxUse=512M
SystemMaxFileSize=64M
MaxRetentionSec=1month
RateLimitIntervalSec=30s
RateLimitBurst=10000
'';
systemd.services.systemd-user-sessions = {
after = lib.mkForce ([
"system.slice"
"systemd-journald.socket"
"sysinit.target"
"remote-fs.target"
"nss-user-lookup.target"
"home.mount"
"basic.target"
] ++ map (user: "home-manager-${user.username}.service") config.syscfg.users);
};
} }
+1 -1
View File
@@ -1 +1 @@
{ ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ]; } { ... }: { imports = [ ./base ./boot ./fs ./graphics ./power ./udev ./virt ./wsl ]; }
+4 -4
View File
@@ -15,10 +15,10 @@
# suspend to RAM (deep) rather than `s2idle` # suspend to RAM (deep) rather than `s2idle`
boot.kernelParams = [ "mem_sleep_default=deep" ]; boot.kernelParams = [ "mem_sleep_default=deep" ];
# suspend-then-hibernate # suspend-then-hibernate
systemd.sleep.extraConfig = '' systemd.sleep.settings.Sleep = {
HibernateDelaySec=30m HibernateDelaySec = "30m";
SuspendState=mem SuspendState = "mem";
''; };
services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate"; services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate";
# Hibernate on power button pressed # Hibernate on power button pressed
+2 -2
View File
@@ -1,8 +1,8 @@
{ ... }: { { pkgs, ... }: {
systemd.services.systemd-udevd.restartIfChanged = false; systemd.services.systemd-udevd.restartIfChanged = false;
services.udev = { services.udev = {
packages = [ ]; packages = with pkgs; [ ];
extraRules = '' extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0127", GROUP="plugdev", TAG+="uaccess" SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0127", GROUP="plugdev", TAG+="uaccess"
SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0118", GROUP="plugdev", TAG+="uaccess" SUBSYSTEM=="usb", ATTRS{idVendor}=="2104", ATTRS{idProduct}=="0118", GROUP="plugdev", TAG+="uaccess"
+1
View File
@@ -18,5 +18,6 @@
}; };
}; };
}; };
virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
}; };
} }
+13
View File
@@ -0,0 +1,13 @@
{ lib, config, pkgs, ... }: {
config = lib.mkIf (config.syscfg.extra.wsl) {
wsl.enable = true;
wsl.defaultUser = config.syscfg.defaultUser;
wsl.extraBin = with pkgs; [
{ src = "${coreutils}/bin/uname"; }
{ src = "${coreutils}/bin/dirname"; }
{ src = "${coreutils}/bin/readlink"; }
];
wsl.wslConf.network.generateHosts = false;
};
}
+15 -3
View File
@@ -1,17 +1,29 @@
{ config, ... }: { { lib, config, ... }: {
networking = { networking = {
hostName = config.syscfg.hostname; hostName = config.syscfg.hostname;
useDHCP = true; useDHCP = true;
nameservers = [ "1.1.1.1" "9.9.9.9" ]; nameservers = [ "1.1.1.1" "9.9.9.9" ];
extraHosts = ''
${lib.concatStringsSep "\n" config.syscfg.extra.hosts}
'';
proxy = lib.mkIf (config.syscfg.extra.proxy.domain != "") {
default = "http://${config.syscfg.extra.proxy.domain}:${config.syscfg.extra.proxy.port or "8080"}";
noProxy = "${config.syscfg.extra.proxy.noProxy}";
};
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = allowedUDPPorts =
(if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
[ ]; [ ];
allowedTCPPorts = allowedTCPPorts =
(if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++ (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
(if (config.syscfg.server != false) then [ 5432 6379 8181 ] else [ ]) ++
[ ]; [ ];
}; };
}; };
@@ -3,6 +3,7 @@
networking.supplicant = { networking.supplicant = {
"${config.syscfg.net.wlp.nif}" = { "${config.syscfg.net.wlp.nif}" = {
configFile.path = config.sops.secrets.wifi.path; configFile.path = config.sops.secrets.wifi.path;
userControlled.enable = true;
extraConf = '' extraConf = ''
network={ network={
ssid="test" ssid="test"
+7
View File
@@ -37,5 +37,12 @@
]; ];
}; };
}; };
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
libx11 libxcb libxi libxext libxkbfile xcbutilcursor
libpng libdrm libpulseaudio nss nspr expat libbsd
];
};
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }
+2 -5
View File
@@ -1,12 +1,9 @@
{ pkgs, config, lib, ... }: { { pkgs, config, lib, ... }: {
config = lib.mkIf (config.syscfg.make.develop) { config = lib.mkIf (config.syscfg.make.develop) {
programs.adb.enable = true;
# services.udev.packages = [
# pkgs.android-udev-rules
# ];
programs.wireshark.enable = true; programs.wireshark.enable = true;
environment.systemPackages = with pkgs; [ wget dconf wireshark ]; environment.systemPackages = with pkgs; [ wget dconf wireshark mtr android-tools ];
}; };
} }
+1 -61
View File
@@ -1,64 +1,4 @@
{ pkgs, ... }: { { pkgs, ... }: {
imports = [ ./debug ./develop ]; imports = [ ./debug ./develop ./telegraf ];
# services.telegraf = {
# enable = true;
# extraConfig = {
# agent = {
# interval = "10s";
# round_interval = true;
# metric_batch_size = 1000;
# metric_buffer_limit = 10000;
# collection_jitter = "0s";
# flush_interval = "10s";
# flush_jitter = "0s";
# precision = "";
# hostname = "valinor";
# omit_hostname = false;
# };
# inputs.cpu = {
# percpu = true;
# totalcpu = true;
# collect_cpu_time = false;
# report_active = false;
# };
# inputs.mem = {};
# inputs.swap = {};
# inputs.system = {};
# inputs.disk = {
# ignore_fs = ["tmpfs" "devtmpfs" "devfs"];
# };
# inputs.net = {};
# inputs.netstat = {};
# inputs.ping = {
# urls = ["8.8.8.8" "8.8.4.4"];
# count = 4;
# interval = "60s";
# binary = "${pkgs.iputils.out}/bin/ping";
# };
# inputs.internet_speed = {
# interval = "2m";
# };
# inputs.net_response = {
# protocol = "tcp";
# address = "google.com:80";
# timeout = "5s";
# read_timeout = "5s";
# interval = "30s";
# };
# outputs.influxdb_v2 = {
# urls = [""];
# token = "";
# organization = "";
# bucket = "";
# };
# };
# };
} }
+6
View File
@@ -9,6 +9,12 @@ in {
imports = [ ./ollama ]; imports = [ ./ollama ];
config = lib.mkIf (config.syscfg.make.develop) { config = lib.mkIf (config.syscfg.make.develop) {
services.vscode-server = lib.mkIf (config.syscfg.extra.wsl) {
enable = true;
enableFHS = true;
};
environment.systemPackages = with pkgs; environment.systemPackages = with pkgs;
[ [
# android-tools # android-tools
@@ -1,14 +1,13 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
ollamaPkg = pkgs.ollama-rocm; ollamaPkg = pkgs.ollama-vulkan;
in{ in{
config = lib.mkIf (config.syscfg.make.develop) { config = lib.mkIf (config.syscfg.make.develop) {
services.ollama = { services.ollama = {
enable = true; enable = true;
package = ollamaPkg; package = ollamaPkg;
acceleration = "rocm"; loadModels = [ ];
loadModels = [ "deepseek-v2:lite" "qwen2.5-coder:7b" "qwen2.5-coder:1.5b" ];
syncModels = true; syncModels = true;
}; };
environment.systemPackages = with pkgs; [ ollamaPkg ]; environment.systemPackages = with pkgs; [ ollamaPkg ];
+365
View File
@@ -0,0 +1,365 @@
{ config, lib, pkgs, ... }:
let
cfg = config.syscfg.monitoring.telegraf;
hasCollector = name: builtins.elem name cfg.collectors;
dockerGroups =
lib.optionals (cfg.enable && hasCollector "docker" && config.virtualisation.podman.enable) [ "podman" ]
++ lib.optionals (cfg.enable && hasCollector "docker" && config.virtualisation.docker.enable) [ "docker" ];
amdgpuMetricsScript = pkgs.writeShellScript "telegraf-amdgpu-metrics" ''
set -euo pipefail
${lib.getExe pkgs.custom.amdgpu_top} -J -n 1 | ${lib.getExe pkgs.jq} -r '
def maybe_int($name; $value):
if $value == null then empty else "\($name)=\(($value | floor))i" end;
def maybe_float($name; $value):
if $value == null then empty else "\($name)=\($value)" end;
.devices
| to_entries[]
| [
maybe_int("utilization_gpu"; (.value.gpu_activity.GFX.value // .value.GRBM2["Command Processor - Graphics"].value // 0)),
maybe_int("utilization_media"; .value.gpu_activity.MediaEngine.value),
maybe_int("utilization_memory"; .value.gpu_activity.Memory.value),
maybe_float("temperature_edge"; .value.Sensors["Edge Temperature"].value),
maybe_float("power_draw"; .value.gpu_metrics.average_socket_power.value)
] as $fields
| map(select(length > 0)) as $nonempty
| select(($nonempty | length) > 0)
| "amdgpu,card=\(.key) " + ($nonempty | join(","))
'
'';
baseConfig = {
agent = {
interval = cfg.interval;
round_interval = true;
metric_batch_size = 1000;
metric_buffer_limit = 10000;
flush_interval = cfg.interval;
hostname = config.syscfg.hostname;
omit_hostname = false;
};
global_tags = {
host = config.syscfg.hostname;
};
};
inputsConfig = lib.mkMerge [
(lib.mkIf (hasCollector "cpu") {
inputs.cpu = {
percpu = true;
totalcpu = true;
collect_cpu_time = false;
report_active = false;
fielddrop = [
"usage_guest"
"usage_guest_nice"
"usage_irq"
"usage_nice"
"usage_softirq"
"usage_steal"
];
};
})
(lib.mkIf (hasCollector "mem") {
inputs.mem = {
fielddrop = [
"available_percent"
"commit_limit"
"committed_as"
"high_free"
"high_total"
"huge_page_size"
"huge_pages_free"
"huge_pages_total"
"low_free"
"low_total"
"mapped"
"page_tables"
"slab"
"sreclaimable"
"sunreclaim"
"swap_cached"
"swap_free"
"swap_total"
"vmalloc_chunk"
"vmalloc_total"
"vmalloc_used"
"write_back"
"write_back_tmp"
];
};
})
(lib.mkIf (hasCollector "swap") {
inputs.swap = {
fielddrop = [
"free"
];
};
})
(lib.mkIf (hasCollector "system") {
inputs.system = {
fielddrop = [
"n_physical_cpus"
"n_unique_users"
"uptime_format"
];
};
})
(lib.mkIf (hasCollector "disk") {
inputs.disk = {
ignore_fs = [ "tmpfs" "devtmpfs" "devfs" "overlay" "squashfs" ];
fielddrop = [
"free"
"inodes_free"
"inodes_total"
"inodes_used"
"inodes_used_percent"
];
};
})
(lib.mkIf (hasCollector "diskio") {
inputs.diskio = {
skip_serial_number = true;
fielddrop = [
"io_svctm"
"iops_in_progress"
"merged_reads"
"merged_writes"
"weighted_io_time"
];
};
})
(lib.mkIf (hasCollector "kernel") {
inputs.kernel = {
fielddrop = [
"boot_time"
];
};
})
(lib.mkIf (hasCollector "net") {
inputs.net = {
fielddrop = [
"bytes_recv"
"bytes_sent"
"speed"
];
};
})
(lib.mkIf (hasCollector "netstat") {
inputs.netstat = {
fielddrop = [
"tcp_close"
"tcp_close_wait"
"tcp_closing"
"tcp_fin_wait1"
"tcp_fin_wait2"
"tcp_last_ack"
"tcp_none"
"tcp_syn_recv"
"tcp_syn_sent"
];
};
})
(lib.mkIf (hasCollector "processes") {
inputs.processes = {
fielddrop = [
"dead"
"idle"
"paging"
"stopped"
"unknown"
"zombies"
];
};
})
(lib.mkIf (hasCollector "temp") {
inputs.temp = { };
})
(lib.mkIf (hasCollector "mdstat") {
inputs.mdstat = { };
})
(lib.mkIf (hasCollector "smart") {
inputs.smart = {
use_sudo = true;
attributes = true;
};
})
(lib.mkIf (hasCollector "docker") {
inputs.docker = [
{
endpoint = "unix:///var/run/docker.sock";
timeout = "5s";
perdevice_include = [ ];
total_include = [ ];
docker_label_exclude = [ "*" ];
tagexclude = [
"container_image"
"container_status"
"container_version"
"engine_host"
"server_version"
];
namedrop = [
"docker_container_health"
"docker_container_mem"
"docker_container_status"
];
fielddrop = [
"memory_total"
"n_cpus"
"n_goroutines"
"n_listener_events"
"n_used_file_descriptors"
"server_version"
];
}
{
endpoint = "unix:///var/run/docker.sock";
timeout = "5s";
perdevice_include = [ ];
total_include = [ ];
docker_label_exclude = [ "*" ];
tagexclude = [
"container_image"
"container_status"
"container_version"
"engine_host"
"server_version"
];
namepass = [ "docker_container_mem" ];
fielddrop = [
"active_anon"
"active_file"
"container_id"
"hierarchical_memory_limit"
"inactive_anon"
"inactive_file"
"mapped_file"
"max_usage"
"pgfault"
"pgmajfault"
"pgpgin"
"pgpgout"
"rss_huge"
"total_active_anon"
"total_active_file"
"total_cache"
"total_inactive_anon"
"total_inactive_file"
"total_mapped_file"
"total_pgfault"
"total_pgmajfault"
"total_pgpgin"
"total_pgpgout"
"total_rss"
"total_rss_huge"
"total_unevictable"
"total_writeback"
"unevictable"
"writeback"
];
}
];
})
(lib.mkIf (hasCollector "systemd_units") {
inputs.systemd_units = {
pattern = "*";
unittype = "service";
details = true;
timeout = "5s";
};
})
(lib.mkIf (hasCollector "ping") {
inputs.ping = {
urls = [ "1.1.1.1" ];
count = 4;
interval = "60s";
timeout = 5.0;
binary = "${pkgs.iputils}/bin/ping";
fielddrop = [
"packets_received"
"packets_transmitted"
];
};
})
(lib.mkIf (hasCollector "internet_speed") {
inputs.internet_speed = {
interval = "30m";
cache = true;
memory_saving_mode = true;
};
})
(lib.mkIf (hasCollector "gpu" || hasCollector "nix") {
inputs.exec =
lib.optionals (hasCollector "gpu") [{
commands = [ amdgpuMetricsScript ];
timeout = "5s";
data_format = "influx";
}]
++ lib.optionals (hasCollector "nix") [{
commands = [
(pkgs.writeShellScript "telegraf-nix-metrics" ''
set -euo pipefail
current="$(${lib.getExe pkgs.nixos-rebuild} list-generations | ${lib.getExe pkgs.gawk} '$NF == "True" {print $1 "|" $2 " " $3; exit}')"
[ -n "$current" ]
generation="''${current%%|*}"
build_datetime="''${current#*|}"
build_timestamp="$(${lib.getExe' pkgs.coreutils "date"} -d "$build_datetime" +%s)"
now="$(${lib.getExe' pkgs.coreutils "date"} +%s)"
store_bytes="$(${lib.getExe pkgs.nix} path-info --json --json-format 1 --all --offline --no-pretty | ${lib.getExe pkgs.jq} -r 'map(.narSize // 0) | add // 0')"
current_system_bytes="$(${lib.getExe pkgs.nix} path-info --json --json-format 1 --closure-size /run/current-system --offline --no-pretty | ${lib.getExe pkgs.jq} -r 'to_entries[0].value.closureSize // 0')"
printf 'nix generation=%si,configured_packages=%si,store_bytes=%si,current_system_bytes=%si,build_timestamp=%si,seconds_since_build=%si,build_datetime="%s"\n' \
"$generation" \
${toString (builtins.length config.environment.systemPackages)} \
"$store_bytes" \
"$current_system_bytes" \
"$build_timestamp" \
"$((now - build_timestamp))" \
"$build_datetime"
'')
];
interval = "1h";
timeout = "30s";
data_format = "influx";
}];
})
];
outputsConfig = lib.mkMerge [{
outputs.influxdb_v3 = {
urls = cfg.outputs;
token = "$INFLUX_TOKEN";#config.sops.secrets.telegraf.path;
database = "telegraf";
};
}
];
in {
config = lib.mkIf cfg.enable {
services.telegraf = {
enable = true;
environmentFiles = [ config.sops.secrets.telegraf.path ];
extraConfig = lib.mkMerge [
baseConfig
inputsConfig
outputsConfig
cfg.extraConfig
];
};
users.users.telegraf.extraGroups = dockerGroups;
systemd.services.telegraf = {
path =
lib.optionals (hasCollector "smart") [ pkgs.smartmontools pkgs.nvme-cli ]
++ lib.optionals (hasCollector "gpu") [ pkgs.custom.amdgpu_top pkgs.jq ];
serviceConfig.SupplementaryGroups = dockerGroups;
};
security.sudo.extraRules = lib.optionals (hasCollector "smart") [{
users = [ "telegraf" ];
commands = [{
command = "${pkgs.smartmontools}/bin/smartctl";
options = [ "NOPASSWD" ];
}];
}];
};
}
@@ -0,0 +1,54 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "EXAMPLE";
tag = "0.0.0";
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "echo 1" ];
ExposedPorts = { };
};
};
settings = pkgs.writeText "settings.yaml" ...;
templateData = builder.mkData { name = "template"; dir = "template"; vars = {
_ARGUMENT = "template";
};
};
in {
requires = {
secrets = [ ];
databases = [ ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/example/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
# imageStream = image;
image = "....:${version}";
port = 8080;
secret = name;
extraEnv = { };
overrides = {
cmd = [ ];
volumes = [ ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."EXAMPLE".path;
script = pkgs.writeShellScript "setup" ''
...
'';
};
};
}
+8
View File
@@ -0,0 +1,8 @@
# Missing
RSS: TTRSS / FreshRSS
Monitoring: Telegraf + InfluxDB
https://github.com/tarampampam/error-pages ?
kavita + mylar ? kapowarr ?
- Transmission Cfg and API/Token handling
@@ -0,0 +1,139 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "2026.2.2";
serverCfg = config.syscfg.server;
mediaCfg = config.syscfg.media;
authentikBackground = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
logoIcoFileName = builtins.baseNameOf (toString mediaCfg.logo.ico);
backgroundFileName = builtins.baseNameOf (toString authentikBackground);
logoSvgMount = "/data/media/public/branding/${logoSvgFileName}";
logoIcoMount = "/data/media/public/branding/${logoIcoFileName}";
backgroundMount = "/data/media/public/branding/${backgroundFileName}";
authentikData = builder.mkData {
name = "authentik"; dir = "authentik"; vars = {
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
COOKIE_DOMAIN = "${serverCfg.domain}";
AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
AUTHENTIK_BRANDING_TITLE = if containerCfg.extra ? name then containerCfg.extra.name else "authentik";
AUTHENTIK_BRANDING_LOGO = "branding/${logoSvgFileName}";
AUTHENTIK_BRANDING_FAVICON = "branding/${logoIcoFileName}";
AUTHENTIK_BRANDING_BACKGROUND = "branding/${backgroundFileName}";
}
// (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?freshrss then { FRESHRSS_DOMAIN = "${serverCfg.containers.freshrss.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?homepage then { HOMEPAGE_DOMAIN = "${serverCfg.containers.homepage.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/authentik";
owner = "1000:1000";
dirs = ["media" "templates"];
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = 9000;
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
} // lib.optionalAttrs (serverCfg.mail.server != null) {
AUTHENTIK_EMAIL__HOST = serverCfg.mail.server;
AUTHENTIK_EMAIL__PORT = "587";
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
AUTHENTIK_EMAIL__USE_TLS = "true";
AUTHENTIK_EMAIL__USE_SSL = "false";
AUTHENTIK_EMAIL__TIMEOUT = "10";
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
};
overrides = {
environmentFiles = [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
cmd = [ "server" ];
volumes = [
"${serverCfg.path.config.path}/authentik/media:/media"
"${serverCfg.path.config.path}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
"${mediaCfg.logo.svg}:${logoSvgMount}:ro"
"${mediaCfg.logo.ico}:${logoIcoMount}:ro"
"${authentikBackground}:${backgroundMount}:ro"
];
};
};
worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.path.config.path}/authentik/media:/media"
"${serverCfg.path.config.path}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
"${mediaCfg.logo.svg}:${logoSvgMount}:ro"
"${mediaCfg.logo.ico}:${logoIcoMount}:ro"
"${authentikBackground}:${backgroundMount}:ro"
];
};
};
ldap = builder.mkContainer {
image = "ghcr.io/goauthentik/ldap:${version}";
secret = name;
extraEnv = {
AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}";
AUTHENTIK_INSECURE = "false";
};
};
};
setup = {
trigger = "worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
$AK apply_blueprint /blueprints/custom/authentik.yaml
$AK apply_blueprint /blueprints/custom/branding.yaml
$AK apply_blueprint /blueprints/custom/traefik.yaml
$AK apply_blueprint /blueprints/custom/ldap.yaml
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
echo "Completed Authentik Setup"
'';
};
};
}
@@ -0,0 +1,42 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "crocodilestick/calibre-web-automated:${version}";
port = 8083;
# secret = name;
extraEnv = {
CWA_PORT_OVERRIDE = "8083";
PUID = "1000";
PGID = "1000";
#HARDCOVER_TOKEN= ....
TRUSTED_PROXY_COUNT= "1";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`)";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik) then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
volumes = [
"${serverCfg.path.book.path}:/calibre-library"
"${serverCfg.path.dlComplete.path}:/cwa-book-ingest"
];
};
};
};
};
# curl 'https://books.test.helcel.net/admin/ajaxconfig' \
# -X POST
# -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'
# --data-raw 'csrf_token=${CSRF_TOKEN}&config_certfile=&config_keyfile=&config_updatechannel=0&config_trustedhosts=&config_log_level=20&config_logfile=%2Fdev%2Fstdout&config_access_logfile=%2Fconfig%2Faccess.log&config_embed_metadata=on&config_uploading=on&config_upload_formats=m4b%2Cacsm%2Cdoc%2Cpdf%2Cmp3%2Codt%2Ccbr%2Crtf%2Clit%2Cprc%2Cm4a%2Cdjv%2Cfb2%2Copus%2Cdocx%2Cazw3%2Cepub%2Cdjvu%2Cwav%2Ccb7%2Ccbz%2Cmp4%2Ckfx-zip%2Cmobi%2Ccbt%2Cogg%2Ckfx%2Ckepub%2Ctxt%2Cazw%2Chtml%2Cflac&config_external_port=8083&config_goodreads_api_key=&config_hardcover_token=&config_use_https=on&config_reverse_proxy_login_header_name=&config_login_type=1&config_ldap_provider_url=sso.test.helcel.net&config_ldap_port=389&config_ldap_encryption=0&config_ldap_cacert_path=&config_ldap_cert_path=&config_ldap_key_path=&config_ldap_authentication=2&config_ldap_serv_username=cn%3Dldap-service%2Cou%3Dusers%2C%24%7BLDAP_DC_DOMAIN%7D&config_ldap_serv_password_e=%24DEFAULT_LDAP_PASSWORD&config_ldap_dn=%24%7BLDAP_DC_DOMAIN%7D&config_ldap_user_object=(memberOf%3Dcn%3Dcloud%2Cou%3Dgroups%2C%24%7BLDAP_DC_DOMAIN%7D)&config_ldap_openldap=on&config_ldap_auto_create_users=on&config_ldap_group_object_filter=(memberOf%3Dcn%3Dcloud%2Cou%3Dgroups%2C%24%7BLDAP_DC_DOMAIN%7D)&config_ldap_group_name=cloud&config_ldap_group_members_field=memberUid&ldap_import_user_filter=0&config_ldap_member_user_object=&config_generic_oauth_metadata_url=&config_generic_oauth_server_url=&config_generic_oauth_auth_url=&config_generic_oauth_token_url=&config_generic_oauth_userinfo_url=&config_generic_oauth_scope=email+openid+profile&config_oauth_redirect_host=&config_generic_oauth_client_id=&config_generic_oauth_client_secret=&config_generic_oauth_username_mapper=preferred_username&config_generic_oauth_email_mapper=email&config_generic_oauth_admin_group=admin&config_generic_oauth_login_button=OpenID+Connect&config_1_oauth_client_id=&config_1_oauth_client_secret=&config_2_oauth_client_id=&config_2_oauth_client_secret=&config_binariesdir=%2Fusr%2Fbin&config_calibre=&config_kepubifypath=%2Fusr%2Fbin%2Fkepubify&config_rarfile_location=%2Fusr%2Fbin%2Funrar&config_enable_oauth_group_admin_management=on&config_ratelimiter=on&config_limiter_uri=&config_limiter_options=&config_check_extensions=on&config_session=1&config_password_policy=on&config_password_min_length=8&config_password_number=on&config_password_lower=on&config_password_upper=on&config_password_character=on&config_password_special=on'
}
@@ -0,0 +1,37 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
requires.secrets = [ name ];
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "collabora/code:${version}";
port = 9980;
secret = name;
extraEnv = {
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
"server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
"username" = "collabora_user";
"VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
"VIRTUAL_PORT" = "9980";
"VIRTUAL_PROTO" = "http";
"DONT_GEN_SSL_CERT" = "true";
"RESOLVE_TO_PROXY_IP" = "true";
"extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
"dictionaries" = "en fr de jp no";
};
overrides = {
volumes = [
"${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
"${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
];
};
};
};
};
}
@@ -0,0 +1,42 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
ethercalc_exe = pkgs.ethercalc;
image = pkgs.dockerTools.streamLayeredImage {
name = "ethercalc";
tag = ethercalc_exe.version;
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
ExposedPorts = { "8080/tcp" = {}; };
};
};
in {
requires.secrets = [ name ];
runtime = {
paths = [{
path="${serverCfg.path.data.path}/ethercalc/";
mode = "0666";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
ETHERCALC_PORT = "8080";
#CONNECT TO REDIS
};
overrides = {
volumes = [
"${serverCfg.path.data.path}/ethercalc:/data"
];
};
};
};
};
}
+129
View File
@@ -0,0 +1,129 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
etherpad_exe = pkgs.etherpad-lite;
settings = pkgs.writeText"settings.json" (builtins.toJSON {
title= "\${TITLE:Etherpad}";
showRecentPads = "\${SHOW_RECENT_PADS:true}";
favicon = "\${FAVICON:null}";
publicURL = "\${PUBLIC_URL:null}";
skinName = "\${SKIN_NAME:colibris}";
skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
ip = "\${IP:0.0.0.0}";
port = "\${PORT:9001}";
showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
enableMetrics = "\${ENABLE_METRICS:true}";
updates.tier = "off";
cleanup.enabled = false;
gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
enableDarkMode = "\${ENABLE_DARK_MODE:true}";
enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
dbType = "\${DB_TYPE:dirty}";
dbSettings = {
host = "\${DB_HOST:undefined}";
port = "\${DB_PORT:undefined}";
database = "\${DB_NAME:undefined}";
user = "\${DB_USER:undefined}";
password = "\${DB_PASS:undefined}";
charset = "\${DB_CHARSET:undefined}";
filename = "\${DB_FILENAME:var/dirty.db}";
collection = "\${DB_COLLECTION:undefined}";
url = "\${DB_URL:undefined}";
};
defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
padOptions = {
noColors = "\${PAD_OPTIONS_NO_COLORS:false}";
showControls = "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
showChat = "\${PAD_OPTIONS_SHOW_CHAT:true}";
showLineNumbers = "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
userName = "\${PAD_OPTIONS_USER_NAME:null}";
userColor = "\${PAD_OPTIONS_USER_COLOR:null}";
rtl = "\${PAD_OPTIONS_RTL:false}";
alwaysShowChat = "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
chatAndUsers = "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
lang = "\${PAD_OPTIONS_LANG:null}";
fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
};
requireSession = "\${REQUIRE_SESSION:false}";
editOnly = "\${EDIT_ONLY:false}";
minify = "\${MINIFY:true}";
requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
trustProxy = "\${TRUST_PROXY:true}";
ep_headerauth.username_header = "X-authentik-username";
users.admin = {
password = "\${ADMIN_PASSWORD:null}";
is_admin = true;
};
socketTransportProtocols = ["websocket" "polling"];
socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
indentationOnNewLine = true;
loglevel = "\${LOGLEVEL:INFO}";
lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
});
image = pkgs.dockerTools.streamLayeredImage {
name = "etherpad";
tag = etherpad_exe.version;
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
ExposedPorts = { "8080/tcp" = {}; };
};
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/etherpad/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
TITLE = "Pad";
PORT ="8080";
DB_TYPE = "postgres";
DB_HOST = builder.host;
DB_NAME = "etherpad_db";
DB_USER = "etherpad_user";
TRUST_PROXY = "true";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
overrides = {
cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
volumes = [
"${settings}:/etc/etherpad/settings.json"
"${serverCfg.path.config.path}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."ETHERPAD".path;
script = pkgs.writeShellScript "setup" ''
echo "$APIKEY" > ${serverCfg.path.config.path}/etherpad/APIKEY.txt
chmod 444 ${serverCfg.path.config.path}/etherpad/APIKEY.txt
'';
};
};
}
+284
View File
@@ -0,0 +1,284 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
mediaCfg = config.syscfg.media;
palette = serverCfg.colorScheme.palette or { };
port = 8080;
assetSize = 64;
cacheMode = containerCfg.extra.cacheMode or "off";
cacheControl =
if cacheMode == "disk" then
containerCfg.extra.cacheControl or "public, max-age=3600"
else if cacheMode == "off" then
"no-store"
else
throw "favicon cacheMode must be either `off` or `disk`";
priority = toString (containerCfg.extra.priority or 2147482647);
logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
logoSvgMount = "/assets/${logoSvgFileName}";
ensureAttrSet = field: value:
if builtins.isAttrs value then
value
else
throw "favicon `${field}` must be an attribute set";
resolveColor = value:
if value == null then null
else if !builtins.isString value then
throw "favicon color values must be strings"
else if lib.hasPrefix "#" value then
value
else
let
paletteValue = lib.attrByPath [ value ] (throw "Unknown favicon color reference `${value}`") palette;
in
if builtins.isString paletteValue then
if lib.hasPrefix "#" paletteValue then
paletteValue
else
"#${paletteValue}"
else
throw "favicon palette reference `${value}` must resolve to a string";
normalizeProfile = profile:
let
normalizedProfile = ensureAttrSet "profile" profile;
bg =
if normalizedProfile ? bg then resolveColor normalizedProfile.bg
else if normalizedProfile ? background then resolveColor normalizedProfile.background
else null;
fg =
if normalizedProfile ? fg then resolveColor normalizedProfile.fg
else if normalizedProfile ? foreground then resolveColor normalizedProfile.foreground
else null;
in
(lib.filterAttrs (name: _: !(builtins.elem name [ "bg" "background" "fg" "foreground" ])) normalizedProfile)
// lib.optionalAttrs (bg != null) { bg = bg; }
// lib.optionalAttrs (fg != null) { fg = fg; };
hostMappings = lib.mapAttrs (_: profile: normalizeProfile profile) (
ensureAttrSet "mappings" (containerCfg.extra.mappings or { })
);
defaultProfile =
if containerCfg.extra ? default then
normalizeProfile containerCfg.extra.default
else
null;
traefikAssetPathRegexp =
"^/(.*/)?"
+ "(fav(icon)?(-[0-9]+x[0-9]+)?\\.(ico|png|svg)"
+ "|(favicon|apple-icon)(-[0-9]+)?(\\.(ico|png))?"
+ "|logo\\.(ico)"
+ "|fav([0-9]+)?\\.(ico|png)"
+ "|apple-touch-icon(-precomposed)?\\.png"
+ "|android-chrome-[0-9]+x[0-9]+\\.png"
+ "|mstile-[0-9]+x[0-9]+\\.png)$";
pythonEnv = pkgs.python3.withPackages (ps: with ps; [
cairosvg
pillow
]);
serverScript = pkgs.writeText "favicon-server.py" ''
from io import BytesIO
import hashlib
import os
from pathlib import Path
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import cairosvg
from PIL import Image
LOGO_PATH = ${builtins.toJSON logoSvgMount}
LISTEN_HOST = "0.0.0.0"
LISTEN_PORT = ${toString port}
ASSET_SIZE = ${toString assetSize}
CACHE_MODE = ${builtins.toJSON cacheMode}
CACHE_CONTROL = ${builtins.toJSON cacheControl}
CACHE_DIR = Path("/cache")
with open(LOGO_PATH, "rb") as fh:
LOGO_BYTES = fh.read()
MAPPINGS = ${builtins.toJSON hostMappings}
DEFAULT_PROFILE = ${if defaultProfile == null then "None" else builtins.toJSON defaultProfile}
APP_DOMAIN = (${builtins.toJSON serverCfg.domain} or "").strip().lower()
DEFAULT_COLORS = {"bg": "#111827", "fg": "#f8fafc"}
LOGO_HASH = hashlib.sha256(LOGO_BYTES).hexdigest()
ICON_CACHE_LOCK = threading.Lock()
def _request_host(headers):
host = (
headers.get("X-Forwarded-Host")
or headers.get("X-Original-Host")
or headers.get("Host", "")
)
return (host or "").split(",", 1)[0].split(":", 1)[0].strip().lower().rstrip(".")
def _host_candidates(host):
candidates = []
def add(candidate):
if candidate and candidate not in candidates:
candidates.append(candidate)
add(host)
if APP_DOMAIN:
suffix = f".{APP_DOMAIN}"
if host.endswith(suffix):
add(host[: -len(suffix)].rstrip("."))
if "." in host:
add(host.split(".", 1)[0])
return candidates
def _profile_for_host(host):
for candidate in _host_candidates(host):
profile = MAPPINGS.get(candidate)
if profile:
return candidate, profile
return None, DEFAULT_PROFILE
def _replace_logo_fill(svg, color):
svg, _ = re.subn(
"fill:#3193f5",
f"fill:{color}",
svg,
flags=re.IGNORECASE,
)
return svg
def _colors(profile):
profile = profile or {}
return {
"bg": profile.get("bg") or profile.get("background") or DEFAULT_COLORS["bg"],
"fg": profile.get("fg") or profile.get("foreground") or DEFAULT_COLORS["fg"],
}
def _add_background(svg, color):
return re.sub(
r"(<svg\\b[^>]*>)",
rf'\\1<circle cx="64" cy="64" r="64" fill="{color}"/>',
svg,
count=1,
flags=re.IGNORECASE,
)
def _render_icon(colors):
svg = LOGO_BYTES.decode("utf-8")
svg = _replace_logo_fill(svg, colors["fg"])
svg = _add_background(svg, colors["bg"])
png = cairosvg.svg2png(
bytestring=svg.encode("utf-8"),
output_width=ASSET_SIZE,
output_height=ASSET_SIZE,
)
output = BytesIO()
with Image.open(BytesIO(png)) as image:
with image.convert("RGBA") as rgba:
rgba.save(output, format="ICO", sizes=[(ASSET_SIZE, ASSET_SIZE)])
return output.getvalue()
def _cache_path(colors):
digest = hashlib.sha256(
f"{ASSET_SIZE}:{LOGO_HASH}:{colors['bg']}:{colors['fg']}".encode("utf-8")
).hexdigest()
return CACHE_DIR / f"{digest}.ico"
def _payload_for(colors):
if CACHE_MODE != "disk":
return _render_icon(colors)
cache_path = _cache_path(colors)
with ICON_CACHE_LOCK:
if cache_path.exists():
return cache_path.read_bytes()
payload = _render_icon(colors)
with ICON_CACHE_LOCK:
if cache_path.exists():
return cache_path.read_bytes()
CACHE_DIR.mkdir(parents=True, exist_ok=True)
tmp_path = cache_path.with_suffix(".tmp")
tmp_path.write_bytes(payload)
os.replace(tmp_path, cache_path)
return payload
class Handler(BaseHTTPRequestHandler):
server_version = "favicon-router/1.0"
def _serve(self, include_body):
host = _request_host(self.headers)
matched_host, profile = _profile_for_host(host)
if not profile:
self.send_error(404, "No favicon mapping for host")
return
colors = _colors(profile)
payload = _payload_for(colors)
self.send_response(200)
self.send_header("Content-Type", "image/x-icon")
self.send_header("Content-Length", str(len(payload)))
self.send_header("Cache-Control", CACHE_CONTROL)
self.send_header("X-Favicon-Host", host or "default")
self.send_header("X-Favicon-Mapping", matched_host or "default")
self.end_headers()
if include_body:
self.wfile.write(payload)
def do_GET(self):
self._serve(include_body=True)
def do_HEAD(self):
self._serve(include_body=False)
def log_message(self, fmt, *args):
print("%s - - [%s] %s" % (self.address_string(), self.log_date_time_string(), fmt % args))
if __name__ == "__main__":
httpd = ThreadingHTTPServer((LISTEN_HOST, LISTEN_PORT), Handler)
httpd.serve_forever()
'';
image = pkgs.dockerTools.streamLayeredImage {
name = "favicon";
tag = "1";
contents = [
pythonEnv
pkgs.cacert
pkgs.tzdata
];
config = {
Entrypoint = [ "${pythonEnv}/bin/python3" "-u" serverScript ];
ExposedPorts = { "${toString port}/tcp" = { }; };
WorkingDir = "/";
};
};
in {
runtime = {
paths = [
{
path = "${serverCfg.path.config.path}/favicon";
mode = "0755";
dirs = [ "cache" ];
}
];
containers = {
server = builder.mkContainer {
imageStream = image;
port = port;
extraLabels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "web-secure";
"traefik.http.routers.${name}.rule" = "PathRegexp(`${traefikAssetPathRegexp}`)";
"traefik.http.routers.${name}.priority" = priority;
"traefik.http.routers.${name}.tls" = "true";
"traefik.http.services.${name}.loadbalancer.server.port" = toString port;
};
overrides = {
volumes = [
"${serverCfg.path.config.path}/favicon/cache:/cache"
"${mediaCfg.logo.svg}:${logoSvgMount}:ro"
];
};
};
};
};
}
@@ -0,0 +1,61 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [
{
path = "${serverCfg.path.config.path}/freshrss";
owner = "1000:1000";
mode = "0755";
}
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/freshrss/freshrss:${version}";
port = 80;
extraEnv = {
CRON_MIN = "5,35";
TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
LISTEN = "80";
OIDC_ENABLED = "1";
OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
OIDC_REMOTE_USER_CLAIM = "preferred_username";
OIDC_CLIENT_ID = "freshrss";
OIDC_SCOPES = "openid profile";
OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
};
overrides = {
environmentFiles = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path ];
volumes = ["${serverCfg.path.config.path}/freshrss:/var/www/FreshRSS/data"];
};
};
};
setup = {
trigger = "server"; # Triggers atomic environment verification on main controller
envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
script = pkgs.writeShellScript "setup-freshrss" ''
RSS="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data freshrss-server"
$RSS ./cli/prepare.php
$RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
--title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss_user --db-password $DB_PASSWORD --db-base freshrss_db
$RSS ./cli/create-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
$RSS ./cli/reconfigure.php
# $RSS ./cli/access-permissions.sh
'';
};
};
}
@@ -0,0 +1,96 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
# Ensure the package is available (Nixpkgs includes frigate)
frigatePkg = pkgs.frigate;
image = pkgs.dockerTools.streamLayeredImage {
name = "frigate";
tag = frigatePkg.version;
contents = [
pkgs.bashInteractive
frigatePkg
pkgs.ffmpeg # Explicitly included for video stream processing
];
config = {
Entrypoint = [ "${frigatePkg}/bin/frigate" ];
Cmd = [ "start" ];
ExposedPorts = {
"5000/tcp" = {}; # Web UI / API
"8554/tcp" = {}; # RTSP Feeds
"8555/tcp" = {}; # WebRTC
};
Env = [
"FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
];
};
};
in {
requires.secrets = [ name ];
runtime = {
paths = [
{
path = "${serverCfg.path.config.path}/frigate/";
mode = "0755";
}
{
path = "/var/lib/frigate/storage/";
mode = "0755"; # Dedicated path for heavy video recordings and media
}
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 5000;
secret = name;
extraEnv = {
PLUS_API_KEY = ""; # Optional: For Frigate Plus users
};
overrides = {
cmd = [ ];
volumes = [
"${serverCfg.path.config.path}/frigate:/config"
"/var/lib/frigate/storage:/media/frigate"
"/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
"/dev/dri:/dev/dri" # Passes Intel/AMD GPU for hardware video decoding
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."FRIGATE_ENV".path;
script = pkgs.writeShellScript "setup-frigate" ''
mkdir -p "${serverCfg.path.config.path}/frigate"
mkdir -p "/var/lib/frigate/storage"
# Bootstrap a standard configuration layout if missing
if [ ! -f "${serverCfg.path.config.path}/frigate/config.yml" ]; then
cat <<EOF > "${serverCfg.path.config.path}/frigate/config.yml"
mqtt:
enabled: False # Set to True and define host if connecting to Home Assistant
database:
path: /config/frigate.db
cameras:
dummy_camera: # Replace with your actual RTSP stream details
enabled: false
ffmpeg:
inputs:
- path: rtsp://127.0.0.1:554/live
roles:
- detect
detect:
enabled: false
EOF
fi
'';
};
};
}
+145
View File
@@ -0,0 +1,145 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.data.path}/gitea";
owner = "1000:1000";
dirs = ["data" "runner"];
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "gitea/gitea:${version}";
port = 8080;
secret = name;
extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
GITEA__repository__DISABLE_STARS = "true";
GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
# GITEA__ui__THEMES = "";
# GITEA__ui__DEFAULT_THEME = "";
# GITEA__security__SECRET_KEY = "SECRET_ENV";
# GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
# GITEA__database__PASSWD = "SECRET_ENV";
# GITEA__mailer__PASSWD="SECRET_ENV";
GITEA__database__DB_TYPE = "postgres";
GITEA__database__HOST = builder.host;
GITEA__database__NAME = "gitea_db";
GITEA__database__USER = "gitea_user";
GITEA__mailer__ENABLED = "true";
GITEA__mailer__FROM = "";
GITEA__mailer__PROTOCOL = "smtps";
GITEA__mailer__SMTP_ADDR = "";
GITEA__mailer__SMTP_PORT = "";
GITEA__mailer__USER= "";
GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
GITEA__server__PROTOCOL = "http";
GITEA__server__HTTP_PORT = "8080";
GITEA__server__LFS_START_SERVER = "true";
GITEA__security__INSTALL_LOCK = "true";
} // ( if serverCfg.containers?authentik then {
GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
GITEA__security__RREVERSE_PROXY_LIMIT = "1";
GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
} else {});
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik && containerCfg.extra?proxyauth) then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
volumes = [
"${serverCfg.path.data.path}/gitea/data:/data"
];
ports = [ "2222:22" ];
};
};
runner = builder.mkContainer {
image = "gitea/act_runner:${version}";
secret = name;
extraEnv = {
#CONFIG_FILE="/data/config.yml";
GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
};
overrides = {
volumes = [
"${serverCfg.path.data.path}/gitea/runner:/data"
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
$GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
touch ${serverCfg.path.data.path}/gitea/data-runner/config.yml
RUNNER_TOKEN=$($GT actions generate-runner-token)
$GTR register \
--instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
--token "$RUNNER_TOKEN" \
--name "Runner" \
--labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
--no-interactive
${lib.optionalString (serverCfg.containers ? authentik) ''
$GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
--bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
--user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
--user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
--admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
--username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
--synchronize-users
''}
echo "Completed Gitea Setup"
'';
};
};
}
@@ -0,0 +1,48 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
version = "latest";
in {
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/handbrake";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain;
subpath = containerCfg.subpath;
image = "ghcr.io/jlesage/handbrake:${version}";
port = 5800;
extraEnv = {
USER_ID = "1000";
GROUP_ID = "1000";
AUTOMATED_CONVERSION_PRESET = "Custom/AV1 MKV 1080p30";
AUTOMATED_CONVERSION_FORMAT = "mkv";
AUTOMATED_CONVERSION_OUTPUT_SUBDIR = "SAME_AS_SRC";
};
overrides = {
volumes = [
"${serverCfg.path.config.path}/handbrake:/config:rw"
"${serverCfg.path.dlComplete.path}:/watch:rw"
"${serverCfg.path.dlConverted.path}:/output:rw"
];
};
};
};
setup = {
trigger = "server";
script = pkgs.writeShellScript "setup" ''
mkdir -p ${serverCfg.path.data.path}/handbrake/{watch,output}
'';
};
};
}
@@ -0,0 +1,102 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
runtime = {
vm = {
portForward = [ 8123 ];
cfg = {cfg,...}: {
services.home-assistant = {
enable = true;
openFirewall = true;
extraComponents = [
"matter" "thread" "cast" "zha"
"default_config" "met" "esphome" "radio_browser"
"telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin"
] ++ (if containerCfg.extra ? components then containerCfg.extra.components else []);
extraPackages = pp: with pp; [
python-telegram gtts
];
lovelaceConfig = {};
config = {
homeassistant = {
name = "Home";
latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}";
longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}";
elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}";
unit_system = "metric";
time_zone = config.time.timeZone;
};
lovelace = { mode = "yaml"; };
customLovelaceModules = [];
# default_config = {};
http = {
use_x_forwarded_for = true;
trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ];
};
};
};
};
};
containers = {
dummy = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "alpine:latest";
extraLabels = {
"traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123";
};
overrides = {cmd = [ "sleep" "infinity" ];};
};
};
setup = {
trigger = "dummy";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do
sleep 5
done
sleep 5
ONBOARDING_STATUS=$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/api/onboarding" 2>/dev/null || echo "000")
if [ "$ONBOARDING_STATUS" = "200" ]; then
AUTH_CODE=$( ${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/api/onboarding/users" \
-H "Content-Type: application/json" \
-d '{"client_id":"'"$HASS_URL"'","name":"'"$DEFAULT_ADMIN_USERNAME"'","username":"'"$DEFAULT_ADMIN_USERNAME"'","password":"'"$DEFAULT_ADMIN_PASSWORD"'","language":"en"}' \
| ${pkgs.jq}/bin/jq -r '.auth_code' )
ACCESS_TOKEN=$(${pkgs.curl}/bin/curl -s -X POST "$HASS_URL/auth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&code=$AUTH_CODE&client_id=$HASS_URL" \
| ${pkgs.jq}/bin/jq -r '.access_token' )
${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/core_config" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"time_zone":"${config.time.timeZone}"}' > /dev/null 2>&1 || true
# We can configure many more things above !
${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/analytics" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" -d '{}' > /dev/null 2>&1 || true
${pkgs.curl} -s -X POST "$HASS_URL/api/onboarding/integration" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true
fi
'';
};
};
}
+403
View File
@@ -0,0 +1,403 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
mediaCfg = config.syscfg.media;
homepageExtra = containerCfg.extra or {};
backgroundImage = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
backgroundFileName = builtins.baseNameOf (toString backgroundImage);
backgroundMount = "/app/public/media/${backgroundFileName}";
latitude =
if homepageExtra ? latitude then homepageExtra.latitude
else if homepageExtra ? lat then homepageExtra.lat
else 47.3769;
longitude =
if homepageExtra ? longitude then homepageExtra.longitude
else if homepageExtra ? lon then homepageExtra.lon
else 8.5417;
extraBookmarks = homepageExtra.bookmarks or [];
extraServices = homepageExtra.services or [];
settings = pkgs.writers.writeYAML "settings.yaml" {
title = "Home";
description = "";
startUrl = "https://${containerCfg.subdomain}.${serverCfg.domain}";
background = {
image = "/media/${backgroundFileName}";
brightness = 50;
opacity = 0.5;
blur = "";
};
cardBlur = "xs";
favicon = "https://${containerCfg.subdomain}.${serverCfg.domain}/favicon.ico";
theme = "dark";
color = "slate";
fullWidth = true;
useEqualHeights = true;
pwa = { };
layout = {
Admin = {
initiallyCollapsed = true;
style = "row";
columns = 4;
};
};
bookmarksStyle = "icons"
providers = {
finnhub = "{{HOMEPAGE_VAR_FINNHUB}}";
};
headerStyle = "clean";
hideVersion = true;
disableUpdateCheck = true;
showStats = false;
statusStyle = "dot";
hideErrors = true;
};
widgets = pkgs.writers.writeYAML "widgets.yaml" [
{ openmeteo = {
latitude = toString latitude;
longitude = toString longitude;
timezone = config.time.timeZone;
units = "metric";
cache = "15";
};
}
{ search = {
provider = "custom";
focus = true;
showSearchSuggestions = true;
target = "_blank";
} // (lib.optionalAttrs (serverCfg.containers ? searxng) {
url = "https://${serverCfg.containers.searxng.subdomain}.${serverCfg.domain}/search?q=";
suggestionUrl = "https://${serverCfg.containers.searxng.subdomain}.${serverCfg.domain}/autocompleter?q=";
});
}
{ stocks = {
provider = "finnhub";
color = true;
cache = 15;
watchlist = homepageExtra.stocks or [];
};
}
];
bookmarks = pkgs.writers.writeYAML "bookmarks.yaml" (extraBookmarks);
services = pkgs.writers.writeYAML "services.yaml" ([
{ Media = lib.flatten [
(lib.optional (serverCfg.containers ? jellyfin) {
Jellyfin = {
icon = "jellyfin.png";
href = "https://${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";
siteMonitor = "http://jellyfin-server:8096";
widget = {
type = "jellyfin";
url = "http://jellyfin-server:8096";
key = "{{HOMEPAGE_VAR_JELLYFIN_API}}";
};
};
})
(lib.optional (serverCfg.containers ? invidious) {
Invidious = {
icon = "invidious.png";
href = "https://${serverCfg.containers.invidious.subdomain}.${serverCfg.domain}";
siteMonitor = "http://invidious-server:3000";
};
})
(lib.optional (serverCfg.containers ? calibre) {
Calibre = {
icon = "calibre.png";
href = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
siteMonitor = "http://calibre-server:8080";
# widget = {
# type = "calibreweb";
# url = "http://calibre-server:8080";
# username = "?";
# password = "?";
# };
};
})
(lib.optional (serverCfg.containers ? freshrss) {
FreshRSS = {
icon = "freshrss.png";
href = "https://${serverCfg.containers.freshrss.subdomain}.${serverCfg.domain}";
siteMonitor = "http://freshrss-server:8080";
# widget = {
# type = "freshrss";
# url = "http://freshrss-server:8080";
# username = "?";
# password = "?";
# };
};
};
})
(lib.optional (serverCfg.containers ? miniflux) {
Miniflux = {
icon = "miniflux.png";
href = "https://${serverCfg.containers.miniflux.subdomain}.${serverCfg.domain}";
siteMonitor = "http://miniflux-server:80";
widget = {
type = "miniflux";
url = "http://miniflux-server";
key = "{{HOMEPAGE_VAR_MINIFLUX_API}}";
};
};
})
(lib.optional (serverCfg.containers ? suwayomi) {
Suwayomi = {
icon = "suwayomi.png";
href = "https://${serverCfg.containers.suwayomi.subdomain}.${serverCfg.domain}";
siteMonitor = "http://suwayomi-server:8080";
widget = {
type = "suwayomi";
url = "http://suwayomi-server:8080";
};
};
})
];
}
{ Cloud = lib.flatten [
(lib.optional (serverCfg.containers ? nextcloud) {
Nextcloud = {
icon = "nextcloud.png";
href = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
siteMonitor = "http://nextcloud-server:80";
widget = {
type = "nextcloud";
url = "http://nextcloud-server:80";
key = "{{HOMEPAGE_VAR_NEXTCLOUD_API}}";
};
};
})
(lib.optional (serverCfg.containers ? ethercalc) {
Ethercalc = {
icon = "ethercalc.png";
href = "https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}";
siteMonitor = "http://ethercalc-server:8080";
};
})
(lib.optional (serverCfg.containers ? etherpad) {
Etherpad = {
icon = "etherpad.png";
href = "https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}";
siteMonitor = "http://etherpad-server:8080";
};
})
(lib.optional (serverCfg.containers ? collabora && false) {
Collabora = {
icon = "microsoft-office.png";
href = "https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}";
siteMonitor = "http://collabora-server:9980";
};
})
(lib.optional (serverCfg.containers ? immich) {
Immich = {
icon = "immich.png";
href = "https://${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";
siteMonitor = "http://immich-server:80";
widget = {
type = "immich";
url = "http://immich-server:80";
key = "{{HOMEPAGE_VAR_IMMICH_API}}";
version = "2";
};
};
})
];
}
{ Home = lib.flatten [
(lib.optional (serverCfg.containers ? homeassistant) {
"Home Assistant" = {
icon = "home-assistant.png";
href = "https://${serverCfg.containers.homeassistant.subdomain}.${serverCfg.domain}";
siteMonitor = "http://${builder.hostIp}:8123";
};
})
(lib.optional (serverCfg.containers ? openhab) {
openHAB = {
icon = "openhab.png";
href = "https://${serverCfg.containers.openhab.subdomain}.${serverCfg.domain}";
siteMonitor = "http://openhab-server:8080";
};
})
(lib.optional (serverCfg.containers ? frigate) {
Frigate = {
icon = "frigate.png";
href = "https://${serverCfg.containers.frigate.subdomain}.${serverCfg.domain}";
siteMonitor = "http://frigate-server:5000";
};
})
];
}
{ Dev = lib.flatten [
(lib.optional (serverCfg.containers ? gitea) {
Gitea = {
icon = "gitea.png";
href = "https://${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";
siteMonitor = "http://gitea-server:3000";
widget = {
type = "gitea";
url = "http://gitea-server:3000";
key = "{{HOMEPAGE_VAR_GITEA_API}}";
};
};
})
(lib.optional (serverCfg.containers ? trmnl) {
TRMNL = {
icon = "terminal.png";
href = "https://${serverCfg.containers.trmnl.subdomain}.${serverCfg.domain}";
siteMonitor = "http://trmnl-server:8080";
};
})
];
}
{ Admin = lib.flatten [
(lib.optional (serverCfg.containers ? traefik) {
Traefik = {
icon = "traefik.png";
href = "https://${serverCfg.containers.traefik.subdomain}.${serverCfg.domain}";
siteMonitor = "http://traefik-server:8080";
widget = {
type = "traefik";
url = "http://traefik-server:8080";
};
};
})
(lib.optional (serverCfg.containers ? authentik) {
Authentik = {
icon = "authentik.png";
href = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}";
siteMonitor = "http://authentik-server:9000";
widget = {
type = "authentik";
url = "http://authentik-server:9000";
key = "{{HOMEPAGE_VAR_AUTHENTIK_API}}";
version = "2";
};
};
})
(lib.optional (serverCfg.containers ? umami) {
Umami = {
icon = "umami.png";
href = "https://${serverCfg.containers.umami.subdomain}.${serverCfg.domain}";
siteMonitor = "http://umami-server:3000";
};
})
(lib.optional (serverCfg.containers ? influx) {
Influx = {
icon = "grafana.png";
href = "https://${serverCfg.containers.influx.subdomain}.${serverCfg.domain}";
siteMonitor = "http://influx-ui:3000";
};
})
(lib.optional (serverCfg.containers ? handbrake) {
Handbrake = {
icon = "handbrake.png";
href = "https://${serverCfg.containers.handbrake.subdomain}.${serverCfg.domain}";
siteMonitor = "http://handbrake-server:5800";
};
})
(lib.optional (serverCfg.containers ? transmission) {
Transmission = {
icon = "transmission.png";
href = "https://${serverCfg.containers.transmission.subdomain}.${serverCfg.domain}/transmission";
siteMonitor = "http://transmission-server:9091";
widget = {
type = "transmission";
url = "http://transmission-server:9091";
rpcUrl = "/transmission/";
};
};
})
(lib.optional (serverCfg.containers ? selfmark) {
Selfmark = {
icon = "link.png";
href = "https://${serverCfg.containers.selfmark.subdomain}.${serverCfg.domain}";
siteMonitor = "http://selfmark-server:8080";
};
})
(lib.optional (serverCfg.containers ? servarr) (
let
modules = serverCfg.containers.servarr.extra.modules or [ "prowlarr" "sonarr" "radarr" "flaresolverr" ];
in
(lib.optional (builtins.elem "sonarr" modules) {
Sonarr = {
icon = "sonarr.png";
href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/sonarr";
siteMonitor = "http://servarr-sonarr:8989";
widget = {
type = "sonarr";
url = "http://servarr-sonarr:8989";
key = "{{HOMEPAGE_VAR_SONARR_API}}";
};
};
})
++ (lib.optional (builtins.elem "radarr" modules) {
Radarr = {
icon = "radarr.png";
href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/radarr";
siteMonitor = "http://servarr-radarr:8989";
widget = {
type = "radarr";
url = "http://servarr-radarr:8989";
key = "{{HOMEPAGE_VAR_RADARR_API}}";
};
};
})
++ (lib.optional (builtins.elem "lidarr" modules) {
Lidarr = {
icon = "lidarr.png";
href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/lidarr";
siteMonitor = "http://servarr-lidarr:8989";
widget = {
type = "lidarr";
url = "http://servarr-lidarr:8989";
key = "{{HOMEPAGE_VAR_LIDARR_API}}";
};
};
})
++ (lib.optional (builtins.elem "prowlarr" modules) {
Prowlarr = {
icon = "prowlarr.png";
href = "https://${serverCfg.containers.servarr.subdomain}.${serverCfg.domain}/prowlarr";
siteMonitor = "http://servarr-prowlarr:8989";
widget = {
type = "prowlarr";
url = "http://servarr-prowlarr:8989";
key = "{{HOMEPAGE_VAR_PROWLARR_API}}";
};
};
})
))
];
}
] ++ extraServices);
in {
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/gethomepage/homepage:${version}";
port = 3000;
extraEnv = {
HOMEPAGE_VAR_TITLE = "${serverCfg.domain}";
HOMEPAGE_ALLOWED_HOSTS = "${containerCfg.subdomain}.${serverCfg.domain},${builder.host}";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.service" = "${containerCfg.subdomain}";
};
overrides = {
environmentFiles = [ config.sops.secrets."CUSTOM".path ];
volumes = [
"${settings}:/app/config/settings.yaml:ro"
"${services}:/app/config/services.yaml:ro"
"${widgets}:/app/config/widgets.yaml:ro"
"${bookmarks}:/app/config/bookmarks.yaml:ro"
"${backgroundImage}:${backgroundMount}:ro"
];
};
};
};
};
}
+106
View File
@@ -0,0 +1,106 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "v2";
serverCfg = config.syscfg.server;
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/immich";
dirs = ["cache" "thumbs" "encoded-video"];
mode = "0755";
}{
path = "${serverCfg.path.data.path}/immich/";
dirs = ["backups"];
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/immich-app/immich-server:${version}";
port = 2283;
secret = name;
extraEnv = {
DB_HOSTNAME = builder.host;
REDIS_HOSTNAME = builder.host;
DB_USERNAME = "immich_user";
DB_DATABASE_NAME = "immich_db";
IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
# IMMICH_ALLOW_SETUP = "false";
IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
};
overrides = {
volumes = [
"${serverCfg.path.photo.path}:/data/upload"
"${serverCfg.path.data.path}/immich/backups:/data/backups"
"${serverCfg.path.config.path}/immich/thumbs:/data/thumbs"
"${serverCfg.path.config.path}/immich/encoded-video:/data/encoded-video"
];
};
};
ml = builder.mkContainer {
image = "ghcr.io/immich-app/immich-machine-learning:${version}";
port = 3003;
overrides = {
volumes = [
"${serverCfg.path.config.path}/immich/cache:/cache"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
PSQL="${pkgs.postgresql}/bin/psql -U postgres"
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
$PSQL -d "immich_db" -tAc "ALTER EXTENSION vchord UPDATE;"
$PSQL -d "immich_db" -tAc "ALTER EXTENSION earthdistance UPDATE;"
IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
sleep 5
done
${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
-H "Content-Type: application/json" -H "Accept: application/json" \
-d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
-H "Content-Type: application/json" \
-d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
| ${pkgs.jq}/bin/jq -r '.accessToken')
${lib.optionalString (serverCfg.containers ? authentik) ''
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
${pkgs.jq}/bin/jq '.oauth.enabled = true |
.oauth.autoRegister = true |
.oauth.autoLaunch = true |
.oauth.signingAlgorithm = "RS256" |
.oauth.profileSigningAlgorithm = "RS256" |
.oauth.clientId = "immich" |
.oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" |
.oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" |
.oauth.scope = "openid profile email" |
.oauth.buttonText = "Login with SSO"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
''}
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
.storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
'';
};
};
}
+147
View File
@@ -0,0 +1,147 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
version = "latest";
influxSource = pkgs.writers.writeYAML "influx.yaml" {
apiVersion = 1;
datasources = [
{
name = "Telegraf";
type = "influxdb";
access = "proxy";
url = "http://influx-db:8181";
jsonData = {
version = "SQL";
dbName = "telegraf";
httpMode = "POST";
insecureGrpc = true;
};
secureJsonData = {
token = "\${INFLUXDB_TOKEN}";
};
isDefault = true;
editable = true;
}
];
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/influxdb/";
owner = "1500:1500";
mode = "0755";
}{
path = "${serverCfg.path.data.path}/influxdb/";
dirs = ["data" "ui"];
owner = "1500:1500";
mode = "0755";
}];
containers = {
db = builder.mkContainer {
image = "influxdb:3-core";
secret = name;
extraEnv = {
INFLUXD_DB_PATH = "/db";
INFLUXD_CONFIG_PATH = "/config";
};
overrides = {
cmd = [ "influxdb3" "serve" "--node-id=node0" "--data-dir=/var/lib/influxdb3/data" "--admin-token-file=/var/lib/influxdb3/token.json" ];
ports = [ "8181:8181" ];
volumes = [
"${serverCfg.path.data.path}/influxdb/data:/var/lib/influxdb3/data:rw"
"${serverCfg.path.config.path}/influxdb/admin-token.json:/var/lib/influxdb3/token.json:ro"
];
};
};
ui = if(containerCfg.extra?explorer) then builder.mkContainer {
tmpfs = true;
authentik = true;
subdomain = containerCfg.subdomain;
image = "influxdata/influxdb3-ui:${version}";
port = 8080; # 8888 is something else
secret = name;
extraEnv = {
DATABASE_URL = "/db/sqlite.db";
DEFAULT_INFLUX_SERVER = "http://${builder.host}:8181";
};
overrides = {
cmd = [ "--mode=admin" ];
volumes = [
"${serverCfg.path.data.path}/influxdb/ui:/db:rw"
"${serverCfg.path.config.path}/influxdb/:/app-root/config:rw"
];
};
} else builder.mkContainer {
tmpfs = true;
authentik = true;
subdomain = containerCfg.subdomain;
image = "grafana/grafana:${version}";
port = 3000;
extraEnv = {
GF_DEFAULT_INSTANCE_NAME = serverCfg.domain;
GF_SECURITY_ADMIN_USER = "\${DEFAULT_ADMIN_USERNAME}";
GF_SECURITY_ADMIN_PASSWORD = "\${DEFAULT_ADMIN_PASSWORD}";
GF_SECURITY_ADMIN_EMAIL = "\${DEFAULT_ADMIN_EMAIL}";
GF_SECURITY_COOKIE_SECURE = "true";
GF_USERS_ALLOW_SIGN_UP = "false";
GF_USERS_AUTO_ASSIGN_ORG = "true";
GF_USERS_AUTO_ASSIGN_ORG_ROLE = "true";
GF_AUTH_PROXY_ENABLED = "true";
GF_AUTH_PROXY_HEADER_NAME = "X-authentik-username";
GF_AUTH_PROXY_HEADER_PROPERTY = "username";
GF_AUTH_PROXY_AUTO_SIGN_UP = "true";
GF_DATABASE_TYPE = "postgres";
GF_DATABASE_HOST = "${builder.host}";
GF_DATABASE_NAME = "influx_db";
GF_DATABASE_USER = "influx_user";
GF_ANALYTICS_REPORTING_ENABLED = "false";
GF_CHECK_FOR_UPDATED = "false";
GF_LIVE_HA_ENGINE = "redis";
GF_LIVE_HA_ENGINE_ADRESS = "${builder.host}:6379";
DEFAULT_INFLUX_SERVER = "http://${builder.host}:8181";
};
overrides = {
user = "1500:1500";
environmentFiles = [ config.sops.secrets."INFLUX".path config.sops.secrets."CUSTOM".path ] ;
volumes = [
"${serverCfg.path.data.path}/influxdb/ui:/var/lib/grafana:rw"
"${influxSource}:/etc/grafana/provisioning/datasources/influx.yaml:ro"
];
};
};
};
setup = {
trigger = "db";
envFile = config.sops.secrets."INFLUX".path;
script = pkgs.writeShellScript "setup" ''
cat > ${serverCfg.path.config.path}/influxdb/config.json << EOF
{
"DEFAULT_INFLUX_SERVER": "http://${builder.host}:8181",
"DEFAULT_INFLUX_DATABASE": "main",
"DEFAULT_API_TOKEN": "$INFLUXDB_TOKEN",
"DEFAULT_SERVER_NAME": "${serverCfg.domain}"
}
EOF
cat > ${serverCfg.path.config.path}/influxdb/admin-token.json << EOF
{
"token": "$INFLUXDB_TOKEN",
"name": "admin",
"description": "Admin token for automated deployment"
}
EOF
'';
};
};
}
@@ -0,0 +1,83 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
postPatch = (oldAttrs.postPatch or "") + ''
cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
'';
});
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.invidious.name;
tag = pkgs.invidious.version;
contents = [ pkgs.cacert patchedInvidious ];
config = {
Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
ExposedPorts = { "3000/tcp" = {}; };
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
];
};
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/invidious";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 3000;
secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
extraEnv = {
INVIDIOUS_CONFIG_FILE = "/data/config.yml";
};
overrides = {
volumes = [
"${serverCfg.path.config.path}/invidious:/data:ro"
];
};
};
companion = builder.mkContainer {
image = "quay.io/invidious/invidious-companion:latest";
port = 8282;
secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
extraOptions = [
"--cap-drop=all"
"--security-opt=no-new-privileges"
];
};
};
setup = {
trigger = "server";
envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
export DB_HOST=${builder.host}
export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.path.config.path}/invidious/config.yml"
'';
};
};
}
+175
View File
@@ -0,0 +1,175 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
nss = pkgs.dockerTools.fakeNss.override {
extraPasswdLines = [
"jellyfin:x:1000:1000:Jellyfin Daemon:/config/data:/bin/false"
];
extraGroupLines = [
"jellyfin:x:1000:"
];
};
image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
name = pkgs.jellyfin.name;
tag = pkgs.jellyfin.version;
contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
config = {
User = "jellyfin:jellyfin";
Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
ExposedPorts = { "8096/tcp" = { }; };
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
];
};
};
in {
runtime = {
paths = [
{
path = "${serverCfg.path.config.path}/jellyfin/";
owner = "1000:1000";
mode = "0755";
}
];
containers = {
server = builder.mkContainer {
tmpfs = true;
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8096;
extraEnv = {
HOME = "/config/data";
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
};
overrides = {
cmd = [
"--datadir" "/config/data"
"--cachedir" "/config/cache"
"--configdir" "/config/config"
"--logdir" "/config/log"
];
volumes = [
"${serverCfg.path.film.path}:/media:ro"
"${serverCfg.path.config.path}/jellyfin:/config"
];
# If you have an Intel/AMD GPU for transcoding, add the device:
devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5
done
echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20
WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
if [ "$WIZARD_COMPLETE" = "false" ]; then
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
-H "Content-Type: application/json" \
-d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
echo "ERROR: Failed to set startup configuration."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
echo "ERROR: Failed to get base user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
-H 'accept: */*' -H "Content-Type: application/json" \
-d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
echo "ERROR: Failed to set admin user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
-H "Content-Type: application/json" \
-d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
echo "ERROR: Failed to configure remote access."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
echo "ERROR: Failed to complete wizard."
exit 1
fi
echo "Jellyfin initialization successfully completed!"
fi
${lib.optionalString (serverCfg.containers ? authentik) ''
JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
-H "Content-Type: application/json" \
-H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
-d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
| ${pkgs.jq}/bin/jq -r '.AccessToken')
# Verify we got a token
if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
echo "ERROR: Authentication failed."
exit 1
fi
if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
"$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
echo "LDAP Plugin is already installed. Skipping setup."
else
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: Server failed to accept restart command."
exit 1
fi
sleep 1-
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5
done
echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Type: application/json" -H 'accept: */*' \
-d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
"LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
"LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
"LdapSearchAttributes":"uid, cn, mail, displayName",
"LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
"EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
"EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
"LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
"EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
''}
${pkgs.sqlite}/bin/sqlite3 ${serverCfg.path.config.path}/jellyfin/data/data/jellyfin.db <<EOF
INSERT OR IGNORE INTO ApiKeys (Id, AccessToken, Name, DateCreated, DateLastActivity)
VALUES ( 1, "$HOMEPAGE_VAR_JELLYFIN_API", 'Home', strftime('%Y-%m-%d %H:%M:%S', 'now'), strftime('%Y-%m-%d %H:%M:%S', 'now'));
EOF
echo "Completed Setup"
'';
};
};
}
@@ -0,0 +1,232 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "31";
serverCfg = config.syscfg.server;
mediaCfg = config.syscfg.media;
backgroundImage = if mediaCfg.banner.png != null then mediaCfg.banner.png else mediaCfg.bg;
backgroundFileName = builtins.baseNameOf (toString backgroundImage);
logoPngFileName = builtins.baseNameOf (toString mediaCfg.logo.png);
logoSvgFileName = builtins.baseNameOf (toString mediaCfg.logo.svg);
logoIcoFileName = builtins.baseNameOf (toString mediaCfg.logo.ico);
logoPngMount = "/var/www/html/themes/hcl/${logoPngFileName}";
logoSvgMount = "/var/www/html/themes/hcl/${logoSvgFileName}";
logoIcoMount = "/var/www/html/themes/hcl/${logoIcoFileName}";
backgroundMount = "/var/www/html/themes/hcl/${backgroundFileName}";
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path="${serverCfg.path.config.path}/nextcloud";
owner = "33:33";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
tmpfs = true;
subdomain = containerCfg.subdomain;
image = "nextcloud:${version}";
port = 80;
secret = name;
extraEnv = {
REDIS_HOST = builder.host;
POSTGRES_HOST = builder.host;
POSTGRES_USER = "nextcloud_user";
POSTGRES_DB = "nextcloud_db";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
NEXTCLOUD_TRUSTED_DOMAINS = "${containerCfg.subdomain}.${serverCfg.domain} nextcloud-server";
OVERWRITEPROTOCOL = "https";
NEXTCLOUD_CLI_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
# SMTP_HOST = serverCfg.mail.server;
# SMTP_NAME = "mail_user";
# SMTP_PASSWORD = "mail_password";
# MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.domain}";
# MAIL_DOMAIN = serverCfg.mail.domain;
TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
NEXTCLOUD_DATA_DIR = "/var/www/html/data";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "hsts-headers@docker,${containerCfg.subdomain}-caldav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
};
overrides = {
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
volumes = [
"${serverCfg.path.config.path}/nextcloud:/var/www/html"
"${serverCfg.path.cloud.path}:/var/www/html/data"
"${mediaCfg.logo.png}:${logoPngMount}:ro"
"${mediaCfg.logo.svg}:${logoSvgMount}:ro"
"${mediaCfg.logo.ico}:${logoIcoMount}:ro"
"${backgroundImage}:${backgroundMount}:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = [config.sops.secrets."CUSTOM".path config.sops.secrets."NEXTCLOUD".path ];
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
echo "Waiting for Nextcloud container to start..."
until $OCC status > /dev/null 2>&1; do
sleep 2
done
INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
if [ -z "$INSTALLED" ]; then
echo "Running first-time setup..."
$OCC maintenance:install \
--admin-user "$DEFAULT_ADMIN_USERNAME" \
--admin-pass "$DEFAULT_ADMIN_PASSWORD" \
--database "pgsql" \
--database-host "${builder.host}" \
--database-name "nextcloud_db" \
--database-user "nextcloud_user" \
--database-pass "$POSTGRES_PASSWORD" \
--data-dir "/var/www/html/data"
fi
echo "Applying Settings..."
$OCC config:system:set dbhost --value="${builder.host}"
$OCC config:system:set dbuser --value="nextcloud_user"
$OCC config:system:set dbpassword --value="$POSTGRES_PASSWORD"
$OCC config:system:set dbname --value="nextcloud_db"
$OCC config:system:set memcache.local --value="\OC\Memcache\Redis"
$OCC config:system:set memcache.locking --value="\OC\Memcache\Redis"
$OCC config:system:set redis --value='{"host":"${builder.host}", "port":6379, "timeout":0.0}' --type=json
$OCC config:system:set trusted_domains 1 --value=${containerCfg.subdomain}.${serverCfg.domain}
$OCC config:system:set default_phone_region --value="CH"
$OCC config:system:set overwriteprotocol --value="https"
$OCC config:app:set core backgroundjobs_mode --value="cron"
$OCC config:system:set maintenance_window_start --type=integer --value=1
$OCC config:system:set default_language --value="en"
$OCC config:system:set default_locale --value="en_CH"
$OCC config:system:set overwriteprotocol --value="https"
$OCC config:system:set overwrite.cli.url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
echo "Applying Apps..."
$OCC app:disable activity || true
$OCC app:disable app_api || true
$OCC app:disable comments || true
$OCC app:disable firstrunwizard || true
$OCC config:system:set show_first_run_wizard --type=bool --value=false
$OCC app:disable nextcloud_announcements || true
$OCC app:disable oauth2 || true
$OCC app:disable recommendations || true
$OCC app:disable sharebymail || true
$OCC app:disable support || true
$OCC app:disable survey_client || true
$OCC app:disable updatenotification || true
$OCC app:disable user_status || true
$OCC app:install calendar || true
$OCC app:install contacts || true
$OCC app:install camerarawpreviews || true
$OCC app:install cospend || true
$OCC app:install deck || true
$OCC app:install files_markdown || true
$OCC app:install forms || true
$OCC app:install groupfolders || true
$OCC app:install ownpad || true
$OCC app:install previewgenerator || true
$OCC app:install richdocuments || true
${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
# $OCC app:install side_menu || true
$OCC app:install spreed || true
$OCC app:install teamfolders || true
${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
echo "Applying Apps Settings..."
$OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
$OCC config:app:set cospend allow_federation --value="yes"
${lib.optionalString (serverCfg.containers ? ethercalc) ''
$OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
$OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}"
''}
${lib.optionalString (serverCfg.containers ? etherpad) ''
$OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
$OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}"
''}
${lib.optionalString (serverCfg.containers ? collabora) ''
$OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}/"
$OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}"
$OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
''}
${lib.optionalString (serverCfg.containers ? authentik) ''
$OCC saml:config:set 1 --general-idp0_display_name="authentik"
$OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
$OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}"
$OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/sso/binding/redirect/"
$OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/slo/binding/redirect/"
AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
$OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT"
$OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
$OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
$OCC group:add cloud || true
$OCC group:adduser admin $DEFAULT_ADMIN_USERNAME
$OCC config:app:set user_saml general-group_provisioning --value="0"
$OCC config:app:set user_saml general-require_provisioning_groups --value="1"
''}
# configure side_menu ...
FOLDERS=$($OCC teamfolders:list --format=json)
${builtins.concatStringsSep "\n" (map (name: ''
if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
$OCC teamfolders:create "${name}"
fi
'') containerCfg.extra.teamFolders or [])}
SERVERS=$($OCC federation:list-servers --format=json)
${builtins.concatStringsSep "\n" (map (domain: ''
if ! echo "$SERVERS" | grep -q "${domain}"; then
$OCC federation:add-server "https://${domain}"
fi
'') containerCfg.extra.federatedServers or [])}
$OCC config:app:set systemtags allow_user_creating --value="no"
#else
# echo "Nextcloud is already installed. Skipping setup."
#fi
echo "Applying Theme..."
$OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
$OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
$OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
$OCC theming:config logo "${logoPngMount}"
$OCC theming:config logoheader "${logoSvgMount}"
$OCC theming:config favicon "${logoIcoMount}"
$OCC theming:config background "${backgroundMount}"
$OCC config:app:set serverinfo token --value="$HOMEPAGE_VAR_NEXTCLOUD_API"
echo "Maintenance..."
$OCC app:update --all
$OCC maintenance:repair --include-expensive --no-interaction
$OCC db:add-missing-indices --no-interaction
echo "Completed Setup"
'';
};
cron = [ "*/5 * * * * root ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
};
}
@@ -0,0 +1,77 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
version = "5.1.4";
in {
runtime = {
paths = [
{ path="${serverCfg.path.config.path}/openhab/conf"; owner="1000:1000"; mode = "0755"; }
{ path="${serverCfg.path.config.path}/openhab/userdata"; owner="1000:1000"; mode = "0755"; }
{ path="${serverCfg.path.config.path}/openhab/addons"; owner="1000:1000"; mode = "0755"; }
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "openhab/openhab:${version}";
port = 8080;
extraEnv = {
USER_ID = "1000";
GROUP_ID = "1000";
CRYPTO_POLICY = "unlimited";
OPENHAB_HTTP_PORT = "8080";
};
extraOptions = [
"--network=host"
"--cap-add=NET_ADMIN"
"--cap-add=NET_RAW"
"--no-healthcheck"
];
overrides = {
volumes = [
"${serverCfg.path.config.path}/openhab/conf:/openhab/conf"
"${serverCfg.path.config.path}/openhab/userdata:/openhab/userdata"
"${serverCfg.path.config.path}/openhab/addons:/opt/openhab/addons"
"/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = [ config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
# Pre-generate openHAB directories on the host
OHAB="${pkgs.podman}/bin/podman --events-backend=none exec openhab-server /openhab/runtime/bin/client -u openhab -p habopen"
sleep 20
exit 0
$OHAB openhab:users add $DEFAULT_ADMIN_USERNAME $DEFAULT_ADMIN_PASSWORD administrator
$OHAB feature:list
$OHAB openhab:addons install persistance-mapdb
$OHAB openhab:addons install persistance-influxdb
$OHAB openhab:addons install ui-basic
$OHAB openhab:addons install automation-jsscripting
$OHAB openhab:addons install binding-telegram
$OHAB openhab:addons install binding-matter
$OHAB openhab:addons install binding-mqtt
$OHAB openhab:addons install binding-bluetooth
$OHAB openhab:addons install binding-zigbee
$OHAB openhab:addons install binding-chromecast
$OHAB openhab:addons install binding-astro
$OHAB openhab:addons install binding-meteoblue
$OHAB openhab:addons install binding-publictransportswitzerland
#IF APPLE DEVICE: HomeKit (siri/apple bridge)
#IF UBIQUITY NET: Unifi + UnifiProtect (net/cam bridge)
#IF YAMAHA+EPSON: EpsonProjector + Yamaha (projector and sound)
#IF BAMBULAB DEVICE: BambuLab (notify print state)
#IF GARDENA DEVICE: Gardena (smart watering)
#Extra: AndroidTV/Jellyfin (Bind with lights + more)
'';
};
};
}
@@ -0,0 +1,87 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
settings = pkgs.writeText"settings.yml" (pkgs.lib.generators.toYAML {}{
use_default_settings = true;
brand = {
issue_url = "";
docs_url = "";
public_instances = "";
wiki_url = "";
custom = {
links = {
"Home" = "https://${serverCfg.domain}";
# "Status" = "https://status.${serverCfg.domain}";
};
};
pwa_colors = {
theme_color_light = "${serverCfg.colorScheme.palette.base0C}";
background_color_light = "${serverCfg.colorScheme.palette.base07}";
theme_color_dark = "${serverCfg.colorScheme.palette.base0C}";
background_color_dark = "${serverCfg.colorScheme.palette.base02}";
theme_color_black = "${serverCfg.colorScheme.palette.base0C}";
background_color_black = "${serverCfg.colorScheme.palette.base01}";
};
};
general = {
debug = false;
instance_name = if containerCfg.extra ? instanceName then containerCfg.extra.instanceName else "SearXNG";
privacypolicy_url = false;
donation_url = false;
contact_url = false;
enable_metrics = false;
};
search = {
safe_search = 0;
autocomplete = if containerCfg.extra ? autocomplete then containerCfg.extra.autocomplete else "";
languages = [ "all" "en" "en-US" "ja" "de-CH" "fr-CH" "nb" ];
};
server = {
# secret_key = ""; SET BY ENV VAR
};
ui = {
default_locale = if containerCfg.extra ? defaultLocale then containerCfg.extra.defaultLocale else "en";
# query_in_title = "true";
#default_theme = "custom";
custom_css = "footer { display: none !important; }";
};
# categories_as_tabs = {
# general = {};
# images ={};
# videos = {};
# news = {};
# files = {};
# };
plugins = {
"searx.plugins.infinite_scroll.SXNGPlugin".active = true;
"searx.plugins.tracker_url_remover.SXNGPlugin".active = true;
};
});
in {
requires.secrets = [ name ];
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "searxng/searxng:${version}";
port = 8080;
secret = name;
extraEnv = {
SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
SEARXNG_PORT = "8080";
SEARXNG_BIND_ADDRESS = "[::]";
SEARXNG_PUBLIC_INSTANCE = "false";
SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
#SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
};
overrides = {
volumes = [
"${settings}:/etc/searxng/settings.yml"
];
};
};
};
};
}
@@ -0,0 +1,91 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/selfmark/";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
authentik = true;
subdomain = containerCfg.subdomain;
subpath = containerCfg.subpath;
image = "ghcr.io/calibrain/shelfmark:${version}";
port = 8080;
extraEnv = {
# HARDCOVER_API_KEY = ""; #FROM SOPS
# AA_DONATOR_KEY = ""; #FROM SOPS
# PROWLARR_API_KEY = ""; #FROM SOPS
FLASK_PORT = "8080";
PUID = "1000";
PGID = "1000";
USING_TOR = "false";
ONBOARDING = "false";
SUPPORTED_FORMATS = "epub,mobi,azw3,fb2,djvu,cbz,cbr,pdf";
SUPPORTED_AUDIOBOOK_FORMATS = "mp3, m4b";
BOOK_LANGUAGE = "en,fr"; # ,de,jp";
SEARCH_MODE = "universal";
AA_DEFAULT_SORT = "relevance";
METADATA_PROVIDER = "openlibrary";
INGEST_DIR = "/books";
BOOKS_OUTPUT_MODE = "/output";
FILE_ORGANIZATION = "organize";
TEMPLATE_RENAME = "{Author} - {Title} ({Year})";
TEMPLATE_ORGANIZE = "{Author}/{Title} ({Year})";
HARDLINK_TORRENTS = "false";
FILE_ORGANIZATION_AUDIOBOOK = "organize";
TEMPLATE_RENAME_AUDIOBOOK = "{Author} - {Title}";
TEMPLATE_ORGANIZE_AUDIOBOOK = "{Author}/{Title} ({Year})";
HARDCOVER_ENABLED = "true";
HARDCOVER_DEFAULT_SORT = "relevance";
OPENLIBRARY_ENABLED = "true";
OPENLIBRARY_DEFAULT_SORT = "relevance";
DIRECT_DOWNLOAD_ENABLED = "true";
USE_CF_BYPASS = "true";
AA_BASE_URL = "auto";
AA_MIRROR_URLS = "https://annas-archive.gl,https://annas-archive.pk,https://annas-archive.gd,";
LIBGEN_MIRROR_URLS = "https://libgen.li,https://libgen.vg,https://libgen.la,https://libgen.bz,https://libgen.gl";
ZLIB_MIRROR_URLS = "https://z-lib.sk,https://z-library.gs,https://z-lib.fm,https://z-lib.gd,https://z-lib.gl";
# WELIB_MIRROR_URLS = "https://welib.org"; #avoid
} // lib.optionalAttrs(containerCfg.subpath != null) {
BASE_PATH = "/${containerCfg.subpath}";
URL_BASE = "/${containerCfg.subpath}";
} // lib.optionalAttrs(serverCfg.containers?calibre) {
CALIBRE_WEB_URL = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
} // lib.optionalAttrs(serverCfg.containers?authentik) {
AUTH_METHOD = "proxy";
PROXY_AUTH_USER_HEADER = "X-authentik-username";
PROXY_AUTH_ADMIN_GROUP_HEADER = "X-authentik-groups";
PROXY_AUTH_ADMIN_GROUP_NAME = "admin";
} // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "prowlarr" serverCfg.containers.servarr.extra.modules) ({
PROWLARR_ENABLED = "true";
PROWLARR_URL = "http://servarr-prowlarr:8989";
} // lib.optionalAttrs(serverCfg.containers?transmission) {
PROWLARR_TORRENT_CLIENT = "transmission";
TRANSMISSION_URL = "http://transmission-server:9091";
}) // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "flaresolverr" serverCfg.containers.servarr.extra.modules) {
USING_EXTERNAL_BYPASSER = "true";
EXT_BYPASSER_URL = "http://servarr-flaresolverr:8191";
EXT_BYPASSER_PATH = "/v1";
EXT_BYPASSER_TIMEOUT = "60000";
};
overrides = {
volumes = [
"${serverCfg.path.dlIncomplete.path}:/books:rw"
"${serverCfg.path.dlComplete.path}:/output:rw"
"${serverCfg.path.config.path}/selfmark:/config:rw"
];
};
};
};
};
}
File diff suppressed because one or more lines are too long
@@ -0,0 +1,53 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "stable";
serverCfg = config.syscfg.server;
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/suwayomi/suwayomi-server:${version}";
port = 4567;
secret = name;
extraEnv = {
BIND_PORT = "4567";
AUTH_MODE = "ui_login";
WEB_UI_ENABLED = "true";
WEB_UI_FLAVOR = "WebUI";
# AUTO_DOWNLOAD_CHAPTERS = true;
# AUTO_DOWNLOAD_EXCLUDE_UNREAD = true;
# AUTO_DOWNLOAD_NEW_CHAPTERS_LIMIT = 0;
# AUTO_DOWNLOAD_IGNORE_REUPLOADS = false;
# DOWNLOAD_CONVERSIONS = {};
# SERVE_CONVERSIONS = {};
# MAX_SOURCES_IN_PARALLEL = 6;
# UPDATE_EXCLUDE_UNREAD = true;
# UPDATE_EXCLUDE_STARTED = true;
# UPDATE_EXCLUDE_COMPLETED = true;
# UPDATE_INTERVAL = 12; #Hours
# UPDATE_MANGA_INFO = false;
DATABASE_TYPE = "POSTGRESQL";
DATABASE_URL = "postgresql://${builder.host}/suwayomi_db";
DATABASE_USERNAME = "suwayomi_user";
FLARESOLVERR_ENABLED = lib.boolToString (builtins.elem "flaresolverr" (((config.syscfg.server.containers.servarr or {}).extra or {}).modules or []));
FLARESOLVERR_URL = "http://servarr-flaresolverr:8191";
EXTENSION_REPOS = "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"; #https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json
};
overrides = {
volumes = [
"${serverCfg.path.manga.path}:/home/suwayomi/.local/share/Tachidesk/downloads"
# "${serverCfg.path.config.path}/suwayomi:/home/suwayomi/.local/share/Tachidesk"
];
};
};
};
};
}
@@ -0,0 +1,88 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "traefik";
tag = pkgs.traefik.version;
contents = with pkgs;[ cacert tzdata ];
config = {
Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
WorkingDir = "/";
};
};
in {
requires.secrets = [ name ];
runtime = {
containers = {
server = builder.mkContainer {
imageStream = image;
subdomain = containerCfg.subdomain;
port = 8080;
secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
"traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
"traefik.http.middlewares.hsts-headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.hsts-headers.headers.stsIncludeSubdomains" = "true";
"traefik.http.middlewares.hsts-headers.headers.stsPreload" = "true";
"traefik.http.middlewares.hsts-headers.headers.forceSTSHeader" = "true";
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
} // (if serverCfg.containers?authentik then {
"traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
"traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
} else {}) // (if serverCfg.containers?umami then {
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
} else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
"traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
} else {});
extraEnv = { };
overrides = {
cmd = [
"--api"
"--log.level=INFO"
"--providers.docker=true"
"--global.checknewversion=false"
"--global.sendanonymoususage=false"
"--api.insecure=true"
"--api.dashboard=true"
"--providers.docker.exposedByDefault=false"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
"--entrypoints.web.http.redirections.entrypoint.to=web-secure"
"--entrypoints.web.http.redirections.entrypoint.scheme=https"
"--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
"--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
] ++ (if serverCfg.containers ? umami then [
"--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
"--experimental.plugins.umami-feeder.version=v1.4.1"
"--entrypoints.web-secure.http.middlewares=umami-global@docker"
] else []) ++ (if containerCfg.extra ? provider then [
"--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
"--certificatesresolvers.default.acme.dnschallenge=true"
"--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
"--certificatesresolvers.default.acme.storage=/acme.json"
] else if serverCfg.domain != "localhost" then [
"--certificatesresolvers.default.acme.httpchallenge=false"
"--certificatesresolvers.default.acme.tlschallenge=true"
] else []);
ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
volumes = [
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
};
};
};
};
}
@@ -0,0 +1,59 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.transmission_4.name;
tag = pkgs.transmission_4.version;
contents = [ pkgs.cacert ];
config = {
Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
ExposedPorts = {
"9091/tcp" = {};
"51413/tcp" = {}; "51413/udp" = {};
};
};
};
in {
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/transmission";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
authentik = true;
subdomain = containerCfg.subdomain;
subpath = containerCfg.subpath;
imageStream = image;
port = 9091;
extraEnv = {
PUID = "1000";
PGID = "1000";
WHITELIST = "";# 127.0.0.1,::1,10.*";
# HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker";
};
overrides = {
volumes = [
"${serverCfg.path.dlComplete.path}:/downloads/complete"
"${serverCfg.path.dlIncomplete.path}:/downloads/incomplete"
"${serverCfg.path.config.path}/transmission:/config"
];
};
};
};
setup = {
trigger = "server";
envFile = [ config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.path.config.path}/transmission/config/settings.json"
'';
};
};
}
+3
View File
@@ -0,0 +1,3 @@
{...}:{
}
+54
View File
@@ -0,0 +1,54 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
# Umami image built from nixpkgs
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.umami.name;
tag = pkgs.umami.version;
contents = with pkgs; [ cacert openssl ];
config = {
# Umami in nixpkgs typically provides a binary or script to start the server
Entrypoint = [ "${pkgs.umami}/bin/umami-server" ];
ExposedPorts = { "3000/tcp" = {}; };
Env = [ "NODE_ENV=production" ];
};
};
in {
requires = {
secrets = [ name ];
databases = [ name ];
};
runtime = {
paths = [{
path = "${serverCfg.path.config.path}/umami/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
authentik = true;
tmpfs = true;
subdomain = containerCfg.subdomain;
image = "${pkgs.umami.name}:${pkgs.umami.version}";
imageStream = image;
port = 3000;
secret = name;
extraEnv = {
PORT = "3000";
# HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
DATABASE_TYPE = "postgresql";
REDIS_URL = "redis://${builder.host}";
CLIENT_IP_HEADER = "X-Forwarded-For";
BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
# DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
};
overrides = {
cmd = [ "start" ]; # Specific command for the umami binary
};
};
};
};
}
+129
View File
@@ -0,0 +1,129 @@
{ config, lib, pkgs, serverCfg }:
let
mkRouterName = { subdomain, subpath ? null }:
if subpath != null
then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
else subdomain;
getOr = attrs: path: default: lib.attrByPath path default attrs;
mkTmpfsOption = size: "--tmpfs=/tmp:rw,noexec,nosuid,size=${size}";
mkAuthentikLabels =
{ subdomain
, subpath ? null
, routerName ? mkRouterName { inherit subdomain subpath; }
, middleware ? "authentik"
}:
lib.optionalAttrs (serverCfg.containers ? authentik) {
"traefik.http.routers.${routerName}.middlewares" = middleware;
};
contBuilder =
{ image ? null, imageStream ? null, imageFile ? null
, secret ? null
, subdomain ? null, subpath?null, port ? null
, authentik ? false
, tmpfs ? false
, tmpfsSize ? "512m"
, extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
, overrides ? { }
}:
let
routerName = mkRouterName { inherit subdomain subpath; };
base = {
image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}"
else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
imageStream = imageStream;
imageFile = imageFile;
environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
environment = {
TZ = config.time.timeZone;
} // extraEnv;
labels = (if subdomain!=null then ({
"traefik.enable" = "true";
"traefik.http.routers.${routerName}.entrypoints" = "web-secure";
"traefik.http.routers.${routerName}.rule" = if subpath != null
then "Host(`${subdomain}.${serverCfg.domain}`) && PathPrefix(`/${subpath}`)"
else "Host(`${subdomain}.${serverCfg.domain}`)";
"traefik.http.routers.${routerName}.tls" = "true";
} // lib.optionalAttrs (port!=null) {
"traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
}) else {
"traefik.enable" = "false";
})
// lib.optionalAttrs authentik (mkAuthentikLabels { inherit subdomain subpath routerName; })
// extraLabels;
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
]
++ lib.optional tmpfs (mkTmpfsOption tmpfsSize)
++ extraOptions;
};
in lib.recursiveUpdate base overrides;
vmBuilder = { name, vm }: ((import "${pkgs.path}/nixos/lib/eval-config.nix" {
system = "x86_64-linux";
modules = [ vm.cfg
({ config, lib, modulesPath, ... }: {
imports = [
"${modulesPath}/profiles/qemu-guest.nix"
"${modulesPath}/virtualisation/qemu-vm.nix"
];
networking.hostName = name;
networking.useDHCP = true;
networking.firewall.enable = false;
services.qemuGuest.enable = true;
system.stateVersion = "26.05";
virtualisation = {
memorySize = vm.memory or 2048;
cores = vm.cores or 2;
forwardPorts = let
parsePortString = port: {
from = "host";
host.port = port;
guest.port = port;
};
in if (vm ? portForward && vm.portForward != null) then map parsePortString vm.portForward else [];
};})
];
}).config.system.build.vm);
in {
mkContainer = contBuilder;
mkVm = vmBuilder;
mkApp = name: app:
{
inherit name;
requires = {
secrets = getOr app [ "requires" "secrets" ] [ ];
databases = getOr app [ "requires" "databases" ] [ ];
};
exports = {
authentik = {
blueprints = getOr app [ "exports" "authentik" "blueprints" ] [ ];
};
};
runtime = {
paths = getOr app [ "runtime" "paths" ] [ ];
containers = getOr app [ "runtime" "containers" ] { };
vm = getOr app [ "runtime" "vm" ] null;
cron = getOr app [ "runtime" "cron" ] [ ];
setup = {
trigger = "";
script = null;
envFile = [ ];
} // getOr app [ "runtime" "setup" ] { };
};
};
mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
mkdir -p $out
cp -r ${./data + "/${dir}"}/. $out/
find $out -type f | while read file; do
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
substituteInPlace "$file" --replace "@${n}@" "${toString v}"
'') vars)}
done
'';
host = "host.containers.internal";
hostIp = if (config.virtualisation.podman.defaultNetwork.settings ? subnets)
then (builtins.elemAt config.virtualisation.podman.defaultNetwork.settings.subnets 0).gateway
else "10.88.0.1";
}
@@ -0,0 +1,70 @@
version: 1
metadata:
name: "Initial User Setup"
labels:
blueprint-type: core
entries:
# Optionally, disable the default enrollment flow entirely
- model: authentik_flows.flow
identifiers:
slug: "default-source-enrollment"
attrs:
designation: "enrollment"
enabled: false
# --- GROUPS ---
- model: authentik_core.group
identifiers:
name: "admin"
attrs:
is_superuser: true
- model: authentik_core.group
identifiers:
name: "cloud"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "dev"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "flix"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "family"
attrs:
is_superuser: false
# --- ADMIN USERS ---
- model: authentik_core.user
identifiers:
username: !Env DEFAULT_ADMIN_USERNAME
attrs:
name: !Env DEFAULT_ADMIN_USERNAME
email: !Env DEFAULT_ADMIN_EMAIL
password: !Env DEFAULT_ADMIN_PASSWORD
path: "users"
groups:
- !Find [authentik_core.group, [name, "admin"]]
# Disable the Initial Setup Flow
- model: authentik_flows.flow
identifiers:
slug: "initial-setup"
attrs:
authentication: "require_superuser"
enabled: false
# Disable the default 'akadmin' if it exists
- model: authentik_core.user
identifiers:
username: "akadmin"
attrs:
is_active: false
@@ -0,0 +1,13 @@
version: 1
metadata:
name: "Branding Setup"
entries:
- model: authentik_brands.brand
identifiers:
domain: "@AUTHENTIK_DOMAIN@"
attrs:
domain: "@AUTHENTIK_DOMAIN@"
branding_title: "@AUTHENTIK_BRANDING_TITLE@"
branding_logo: "@AUTHENTIK_BRANDING_LOGO@"
branding_favicon: "@AUTHENTIK_BRANDING_FAVICON@"
branding_default_flow_background: "@AUTHENTIK_BRANDING_BACKGROUND@"
@@ -0,0 +1,58 @@
version: 1
metadata:
name: "FreshRSS OAuth2 Provisioning"
labels:
app: freshrss
entries:
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "FreshRSS Provider"
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
authentication_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: "confidential"
client_id: "freshrss"
client_secret: !Env FRESHRSS_OAUTH_SECRET
access_code_validity: "minutes=5"
token_validity: "days=30"
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
redirect_uris:
- url: "https://@FRESHRSS_DOMAIN@.*"
matching_mode: "regex"
property_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'email'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
]
- model: authentik_core.application
identifiers:
slug: "freshrss"
attrs:
name: "FreshRSS"
launch_url: "@FRESHRSS_DOMAIN@"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "FreshRSS Provider"],
]
@@ -0,0 +1,11 @@
version: 1
metadata:
name: gitea-ldap-setup
entries:
- model: authentik_core.application
id: gitea-app
identifiers:
slug: gitea
attrs:
name: Gitea
launch_url: "@GITEA_DOMAIN@"
@@ -0,0 +1,108 @@
version: 1
metadata:
name: "Homepage Dashboard - OIDC Provisioning"
labels:
app: homepage
entries:
- model: authentik_providers_oauth2.scopemapping
identifiers:
name: "Homepage Custom Scope: Groups"
attrs:
scope_name: "groups"
description: "Pass user groups array to Homepage for conditional element rendering"
expression: |
return {
"groups": [group.name for group in request.user.ak_groups.all()]
}
# 1. Create the OAuth2/OIDC Provider
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "Homepage Provider"
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
authentication_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: "confidential"
client_id: "homepage"
client_secret: !Env HOMEPAGE_VAR_OAUTH_SECRET
access_code_validity: "minutes=5"
token_validity: "days=30"
redirect_uris:
- url: "https://@HOMEPAGE_DOMAIN@/login"
matching_mode: "regex"
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
property_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'email'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "Homepage Custom Scope: Groups"],
]
# 2. Create the Application and link it to the Provider
- model: authentik_core.application
identifiers:
slug: homepage
attrs:
name: "Homepage"
launch_url: "@HOMEPAGE_DOMAIN@"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, Homepage Provider],
]
open_in_new_tab: false
# 3. Provision the static API token linked to the user account
- model: authentik_rbac.role
state: present
identifiers:
name: homepage-viewer
attrs:
permissions:
- authentik_core.view_user
- authentik_events.view_event
- model: authentik_core.user
state: present
identifiers:
username: homepage-svc
attrs:
roles:
- !Find [authentik_rbac.role, [name, "homepage-viewer"]]
name: Homepage Service Account
path: goauthentik.io/service-accounts
is_active: true
attributes:
goauthentik.io/user/service-account: true
- model: authentik_core.token
state: present
identifiers:
identifier: homepage-token
attrs:
key: !Env HOMEPAGE_VAR_AUTHENTIK_API
user: !Find [authentik_core.user, [username, "homepage-svc"]]
intent: api
expiring: false
@@ -0,0 +1,62 @@
version: 1
metadata:
name: "Immich OAuth2 Provisioning"
labels:
app: immich
entries:
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "Immich Provider"
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
authentication_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: "confidential"
client_id: "immich"
client_secret: !Env IMMICH_OAUTH_SECRET
access_code_validity: "minutes=5"
token_validity: "days=30"
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
redirect_uris:
- url: "app.immich:///oauth-callback"
matching_mode: "strict"
- url: "https://@IMMICH_DOMAIN@/auth/login"
matching_mode: "regex"
- url: "https://@IMMICH_DOMAIN@/user-settings"
matching_mode: "regex"
property_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'email'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
]
- model: authentik_core.application
identifiers:
slug: "immich"
attrs:
name: "Immich"
launch_url: "@IMMICH_DOMAIN@"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "Immich Provider"],
]
@@ -0,0 +1,11 @@
version: 1
metadata:
name: jellyfin-ldap-setup
entries:
- model: authentik_core.application
id: jellyfin-app
identifiers:
slug: jellyfin
attrs:
name: Jellyfin
launch_url: "@JELLYFIN_DOMAIN@"
@@ -0,0 +1,79 @@
version: 1
metadata:
name: Pre-configured LDAP Outpost
entries:
- model: authentik_providers_ldap.ldapprovider
identifiers:
name: ldap-provider
attrs:
base_dn: "@AUTHENTIK_LDAP_DC_DOMAIN@"
search_group: null
authorization_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
- model: authentik_core.user
state: present
identifiers:
username: "ldap-service"
attrs:
name: "LDAP Bind Service Account"
type: "service_account"
path: "goauthentik.io"
is_active: true
password: !Env DEFAULT_LDAP_PASSWORD
attributes:
ak_recovery_immutable: true
- model: authentik_core.token
identifiers:
identifier: ldap-outpost-static-token
attrs:
intent: api
expiring: false
key: !Env AUTHENTIK_TOKEN
user: !Find [authentik_core.user, [username, "ldap-service"]]
- model: authentik_outposts.outpost
identifiers:
name: LDAP Outpost
attrs:
type: ldap
providers:
- !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
token:
!Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
config:
log_level: info
authentik_host: https://sso.test.helcel.net/
refresh_interval: minutes=5
authentik_host_insecure: false
- model: authentik_rbac.role
state: present
identifiers:
name: "LDAP Search Role"
attrs:
permissions:
- "authentik_providers_ldap.search_full_directory"
- model: authentik_core.group
state: present
identifiers:
name: "LDAP Search Group"
attrs:
users:
- !Find [authentik_core.user, [username, "ldap-service"]]
roles:
- !Find [authentik_rbac.role, [name, "LDAP Search Role"]]
- model: authentik_core.application
id: ldap-placeholder
identifiers:
slug: ldap
attrs:
name: ldap
group: _
provider:
!Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
@@ -0,0 +1,58 @@
version: 1
metadata:
name: nextcloud-saml-setup
entries:
- model: authentik_providers_saml.samlprovider
identifiers:
name: Nextcloud SAML
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-explicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
issuer: https://@AUTHENTIK_DOMAIN@
sp_binding: post
property_mappings:
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Name"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Email"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Groups"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Username"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: User ID"],
]
signing_kp:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
sign_assertion: true
sign_response: false
- model: authentik_core.application
identifiers:
slug: nextcloud
attrs:
name: Nextcloud
provider:
!Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
launch_url: "@NEXTCLOUD_DOMAIN@"
@@ -0,0 +1,46 @@
version: 1
metadata:
name: domain-wide-proxy-setup
entries:
# 1. The Provider
- model: authentik_providers_proxy.proxyprovider
identifiers:
name: Domain Wide Proxy
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
external_host: https://@AUTHENTIK_DOMAIN@
cookie_domain: "@COOKIE_DOMAIN@"
mode: forward_domain
intercept_header_auth: true
# 2. The Application (Required to link the provider)
- model: authentik_core.application
identifiers:
slug: authentik-proxy
attrs:
name: "Domain Auth Provider"
group: _
provider:
!Find [
authentik_providers_proxy.proxyprovider,
[name, Domain Wide Proxy],
]
# 3. Add to Outpost
- model: authentik_outposts.outpost
identifiers:
name: authentik Embedded Outpost
attrs:
providers:
- !Find [
authentik_providers_proxy.proxyprovider,
[name, Domain Wide Proxy],
]
@@ -0,0 +1,137 @@
db:
user: invidious_user
password: $DB_PASSWORD
host: $DB_HOST
port: 5432
dbname: invidious_db
check_tables: true
invidious_companion:
- private_url: "http://invidious-companion:8282/companion"
invidious_companion_key: $SERVER_SECRET_KEY
port: 3000
external_port: 443
host_binding: 0.0.0.0
domain: $INVIDIOUS_DOMAIN
https_only: false
#hsts: true
## Accepted values: true, false, dash, livestreams, downloads, local
#disable_proxy: false
# use_innertube_for_captions: false
# -----------------------------
# Features
# -----------------------------
popular_enabled: false
statistics_enabled: true
registration_enabled: true
login_enabled: true
captcha_enabled: false
admins: ["$DEFAULT_ADMIN_EMAIL"]
enable_user_notifications: false
# -----------------------------
# Background jobs
# -----------------------------
channel_threads: 1
#channel_refresh_interval: 30m
full_refresh: false
feed_threads: 1
jobs:
clear_expired_items:
enable: true
refresh_channels:
enable: true
refresh_feeds:
enable: true
# -----------------------------
# Miscellaneous
# -----------------------------
#banner:
# use_pubsub_feeds: true
hmac_key: $HMAC_KEY
#dmca_content:
#cache_annotations: false
#modified_source_code_url: ""
#playlist_length_limit: 500
#########################################
#
# Default user preferences
#
#########################################
default_user_preferences:
# -----------------------------
# Internationalization
# -----------------------------
#locale: en-US
#region: US
## Top 3 preferred languages for video captions.
#captions: ["", "", ""]
# -----------------------------
# Interface
# -----------------------------
dark_mode: "auto"
#thin_mode: false
feed_menu: ["Subscriptions", "Playlists"]
default_home: Subscriptions
#max_results: 40
#annotations: false
#annotations_subscribed: false
#comments: ["youtube", ""]
#player_style: invidious
#related_videos: true
# -----------------------------
# Video player behavior
# -----------------------------
#preload: true
#autoplay: false
#continue: false
#continue_autoplay: true
#listen: false
#video_loop: false
# -----------------------------
# Video playback settings
# -----------------------------
#quality: dash
#quality_dash: auto
#speed: 1.0
#volume: 100
#vr_mode: true
save_player_pos: true
# -----------------------------
# Subscription feed
# -----------------------------
#latest_only: false
#notifications_only: false
unseen_only: true
#sort: published
# -----------------------------
# Miscellaneous
# -----------------------------
#local: false
show_nick: false
#automatic_instance_redirect: false
#extend_desc: false
@@ -0,0 +1,101 @@
{% skip_file if flag?(:api_only) %}
module Invidious::Routes::Login
def self.login_page(env)
locale = env.get("preferences").as(Preferences).locale
user = env.get? "user"
referer = get_referer(env, "/feed/subscriptions")
return env.redirect referer if user
return error_template(400, "Login has been disabled by administrator.") if !CONFIG.login_enabled
if forwarded_user = env.request.headers["X-authentik-email"]?
begin
email = forwarded_user.try &.downcase.byte_slice(0, 254)
return error_template(401, "User ID is a required field") if email.nil? || email.empty?
user = Invidious::Database::Users.select(email: email)
if user
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
Invidious::Database::SessionIDs.insert(sid, email)
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
else
return error_template(400, "Registration has been disabled by administrator.") if !CONFIG.registration_enabled
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email, "")
if language_header = env.request.headers["Accept-Language"]?
if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
user.preferences.locale = language.header
end
end
Invidious::Database::Users.insert(user)
Invidious::Database::SessionIDs.insert(sid, email)
view_name = "subscriptions_#{sha256(user.email)}"
PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
user.preferences = env.get("preferences").as(Preferences)
Invidious::Database::Users.update_preferences(user)
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end
return env.redirect referer
rescue ex
return error_template(500, "Authentication error: #{ex.message}")
end
end
env.redirect referer
end
def self.login(env)
referer = get_referer(env, "/feed/subscriptions")
env.redirect referer
return error_template(403, "Login post is not supported.")
end
def self.signout(env)
locale = env.get("preferences").as(Preferences).locale
user = env.get? "user"
sid = env.get? "sid"
referer = get_referer(env)
return env.redirect referer if !user
user = user.as(User)
sid = sid.as(String)
token = env.params.body["csrf_token"]?
begin
validate_request(token, sid, env.request, HMAC_KEY, locale)
rescue ex
return error_template(400, ex)
end
Invidious::Database::SessionIDs.delete(sid: sid)
env.request.cookies.each do |cookie|
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
env.redirect referer
end
end
@@ -0,0 +1,70 @@
{
"alt-speed-down": 50,
"alt-speed-enabled": false,
"alt-speed-time-begin": 540,
"alt-speed-time-day": 127,
"alt-speed-time-enabled": false,
"alt-speed-time-end": 1020,
"alt-speed-up": 50,
"bind-address-ipv4": "0.0.0.0",
"bind-address-ipv6": "::",
"blocklist-enabled": false,
"blocklist-url": "http://www.example.com/blocklist",
"cache-size-mb": 4,
"dht-enabled": true,
"download-dir": "/downloads/complete",
"download-queue-enabled": true,
"download-queue-size": 5,
"encryption": 1,
"idle-seeding-limit": 30,
"idle-seeding-limit-enabled": false,
"incomplete-dir": "/downloads/incomplete",
"incomplete-dir-enabled": true,
"lpd-enabled": false,
"message-level": 2,
"peer-congestion-algorithm": "",
"peer-id-ttl-hours": 6,
"peer-limit-global": 200,
"peer-limit-per-torrent": 50,
"peer-port": 51413,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"peer-socket-tos": "default",
"pex-enabled": true,
"port-forwarding-enabled": true,
"preallocation": 1,
"prefetch-enabled": 1,
"queue-stalled-enabled": true,
"queue-stalled-minutes": 30,
"ratio-limit": 2,
"ratio-limit-enabled": false,
"rename-partial-files": true,
"rpc-authentication-required": false,
"rpc-bind-address": "0.0.0.0",
"rpc-enabled": true,
"rpc-password": "$TRANSMISSION_RPC_PASSWORD",
"rpc-port": 9091,
"rpc-url": "/transmission/",
"rpc-username": "",
"rpc-host-whitelist": "127.0.0.1",
"rpc-host-whitelist-enabled": false,
"rpc-whitelist": "127.0.0.1",
"rpc-whitelist-enabled": false,
"scrape-paused-torrents-enabled": true,
"script-torrent-done-enabled": false,
"script-torrent-done-filename": "",
"seed-queue-enabled": false,
"seed-queue-size": 10,
"speed-limit-down": 100,
"speed-limit-down-enabled": false,
"speed-limit-up": 100,
"speed-limit-up-enabled": false,
"start-added-torrents": true,
"trash-original-torrent-files": false,
"umask": 2,
"upload-slots-per-torrent": 14,
"utp-enabled": false,
"watch-dir": "/watch",
"watch-dir-enabled": true
}
+109 -36
View File
@@ -1,40 +1,113 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.syscfg.server.containers; serverCfg = config.syscfg.server;
enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg; builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
containerSetsList = lib.mapAttrsToList (name: containerCfg: loadApp = name: containerCfg:
import (./defs + "/${name}.nix") { builder.mkApp name ((import (./apps + "/${name}.nix")) {
inherit config pkgs lib containerCfg; inherit config pkgs lib containerCfg builder name;
} });
) enabledConfigs; loadedContainers = lib.mapAttrs loadApp serverCfg.containers;
mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList); appsList = builtins.attrValues loadedContainers;
allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList); concatRuntimeLists = field: lib.concatMap (app: app.runtime.${field}) appsList;
in mkNamedUnits = mkUnit: items: lib.listToAttrs (map mkUnit items);
{ mergedContainers = lib.concatMapAttrs (appName: app:
config = lib.mkIf ( enabledConfigs != {} ) { lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.runtime.containers
) loadedContainers;
basePathConfigs =
lib.mapAttrsToList (_: cfg: cfg) (lib.filterAttrs (name: _: name != "config" && name != "data") serverCfg.path);
runtimePathConfigs = concatRuntimeLists "paths";
allSetupConfigs = map (app: ({ name = app.name; envFile = ""; } // app.runtime.setup)) appsList;
allCronsConfigs = concatRuntimeLists "cron";
allVMConfigs = builtins.filter (app: app.runtime.vm != null) appsList;
mkPathSetup = cfg:
let
effectiveCfg = {
owner = "root:root";
mode = "0755";
dirs = [];
} // cfg;
in ''
${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
${lib.concatMapStringsSep "\n" (dir: "${pkgs.coreutils}/bin/mkdir -p ${effectiveCfg.path}/${lib.escapeShellArg dir}") effectiveCfg.dirs}
${pkgs.coreutils}/bin/chown -R ${effectiveCfg.owner} "${effectiveCfg.path}"
${pkgs.coreutils}/bin/chmod -R ${effectiveCfg.mode} "${effectiveCfg.path}"
'';
in {
config = lib.mkMerge [{
syscfg.server.loadedContainers = loadedContainers;
} (lib.mkIf (loadedContainers != {}) {
virtualisation.oci-containers = {
backend = "podman";
containers = mergedContainers;
};
system.activationScripts.container-setup-base-dirs = {
deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map mkPathSetup basePathConfigs);
};
system.activationScripts.container-setup-runtime-dirs = {
deps = [ "container-setup-base-dirs" ];
text = lib.concatStringsSep "\n" (map mkPathSetup runtimePathConfigs);
};
virtualisation.oci-containers = { systemd.services = {
backend = "podman"; podman-gc = {
containers = mergedContainers; description = "Podman garbage collection";
}; serviceConfig.Type = "oneshot";
script = ''
${pkgs.podman}/bin/podman container prune -f
${pkgs.podman}/bin/podman image prune -f
${pkgs.podman}/bin/podman system prune -a --volumes -f
'';
startAt = "weekly";
};
}
// mkNamedUnits (e: {
name = "${e.name}-vm";
value = {
description = "Isolated NixOS Guest VM for ${e.name}";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
QEMU_VM_REG_SND = "0";
NIX_DISK_IMAGE = "/media/data/kvm/${e.name}-guest.qcw2";
};
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "10s";
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /media/data/kvm";
ExecStart = ''
${builder.mkVm { name = e.name; vm = e.runtime.vm; }}/bin/run-${e.name}-vm -nographic
'';
};
};
}) allVMConfigs
// mkNamedUnits (e: {
name = "${e.name}-setup";
value = {
description = "Run ${e.name} setup";
after = [ "podman-${e.name}-${e.trigger}.service" ];
wants = [ "podman-${e.name}-${e.trigger}.service" ];
partOf = [ "podman-${e.name}-${e.trigger}.service" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ e.script ];
serviceConfig = {
Type = "simple";
Restart = "on-failure";
RestartSec = "15s";
TimeoutStartSec = "360s";
EnvironmentFile = e.envFile;
ExecStart = e.script;
RemainAfterExit = true;
User = "root";
};
};
}) allSetupConfigs;
systemd.services.podman-gc = { services.cron = {
description = "Podman garbage collection"; enable = true;
serviceConfig.Type = "oneshot"; systemCronJobs = allCronsConfigs;
script = '' };
${pkgs.podman}/bin/podman container prune -f })];
${pkgs.podman}/bin/podman image prune -f }
'';
startAt = "weekly";
};
system.activationScripts.container-setup-dirs = {
deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map (cfg: ''
mkdir -p "${cfg.path}"
chown ${cfg.owner} "${cfg.path}"
chmod ${cfg.mode} "${cfg.path}"
'') allPathConfigs);
};
};
}
@@ -1,84 +0,0 @@
{ config, containerCfg, pkgs, lib, ... }:
let
serverCfg = config.syscfg.server;
in {
paths = [{
path="${serverCfg.dataPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.dataPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
auth_server = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_server";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sso.entrypoints" = "web-secure";
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
"traefik.http.routers.sso.tls" = "true";
"traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
};
cmd = [ "server" ];
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
"--ip=${containerCfg.ip}"
];
ports = [
"9999:${toString containerCfg.port}"
];
};
auth_worker = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_worker";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
"/var/run/docker.sock:/var/run/docker.sock"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
};
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
];
cmd = [ "worker" ];
};
};
}
-152
View File
@@ -1,152 +0,0 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "cloud";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
cloud_nextcloud.service = {
image = "nextcloud:27";
container_name = "cloud";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"${serverCfg.configPath}/data/nextcloud:/var/www/html"
"${serverCfg.dataPath}/data/music:/media/music"
"${serverCfg.dataPath}/data/video:/media/video"
"${serverCfg.dataPath}/data/photo:/media/photo"
];
tmpfs = [ "/tmp" ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.nextcloud.entrypoints" = "web-secure";
"traefik.http.routers.nextcloud.rule" =
"Host(`cloud.${serverCfg.hostDomain}`)";
"traefik.http.routers.nextcloud.tls" = "true";
"traefik.http.routers.nextcloud.middlewares" =
"sts_headers,nextcloud-caldav";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
"true";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
"^https://(.*)/.well-known/(card|cal)dav";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
"https://$\${1}/remote.php/dav/";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
"true";
};
};
cloud_office.service = {
image = "collabora/code:latest";
container_name = "cloud_office";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ ];
environment = {
username = "COLLABORA_USER";
password = "COLLABORA_PASSWORD";
aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
server_name = "office.${serverCfg.hostDomain}";
VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
VIRTUAL_PORT = "9980";
VIRTUAL_PROTO = "http";
DONT_GEN_SSL_CERT = "true";
RESOLVE_TO_PROXY_IP = "true";
NETWORK_ACCESS = "internal";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
dictionaries = "en fr de jp";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.collabora.entrypoints" = "web-secure";
"traefik.http.routers.collabora.rule" =
"Host(`office.${serverCfg.hostDomain}`)";
"traefik.http.routers.collabora.tls" = "true";
};
};
cloud_etherpad.service = {
image = "etherpad/etherpad:latest";
container_name = "etherpad";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
environment = {
NODE_ENV = "production";
TITLE = "Helcel-Pad";
DB_TYPE = "mysql";
DB_HOST = serverCfg.dbHost;
DB_PORT = serverCfg.dbPort;
DB_NAME = "etherpad";
DB_USER = "ETHERPAD_DB_USER";
DB_PASS = "ETHERPAD_DB_PASSWORD";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "P A D";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.etherpad.entrypoints" = "web-secure";
"traefik.http.routers.etherpad.rule" =
"Host(`pad.${serverCfg.hostDomain}`)";
"traefik.http.routers.etherpad.tls" = "true";
};
};
cloud_ethercalc.service = {
image = "audreyt/ethercalc:latest";
container_name = "ethercalc";
restart = "unless-stopped";
networks = [ "external" "internal" ];
volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
environment = {
NODE_ENV = "production";
TITLE = "Helcel-Calc";
REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
REDIS_PORT_6379_TCP_PORT = "6379";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.ethercalc.entrypoints" = "web-secure";
"traefik.http.routers.ethercalc.rule" =
"Host(`calc.${serverCfg.hostDomain}`)";
"traefik.http.routers.ethercalc.tls" = "true";
};
};
cloud_redis.service = {
image = "redis:latest";
container_name = "ethercalc-redis";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
};
}
-30
View File
@@ -1,30 +0,0 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "name";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
NAME.service = {
image = "NAME:latest";
container_name = "NAME";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
};
}
@@ -1,81 +0,0 @@
{ config, pkgs, ... }: {
project.name = "traefik";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
traefik.service = {
image = "traefik:latest";
container_name = "traefik";
restart = "unless-stopped";
networks = [ "internal" "external" ];
command = [
"--api"
"--providers.docker=true"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
];
port = [ "443" "80" ];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
"${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
"${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik/acme.json:/acme.json"
];
environment = {
"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
};
labels = { "traefik.enable" = "false"; };
};
matomo.service = {
image = "matomo:latest";
container_name = "matomo";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${serverCfg.configPath}/matomo:/var/www/html/config:rw"
"${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
];
environment = { };
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`matomo.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
searx.service = {
image = "searxng/searxng:latest";
container_name = "searx";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ "/etc/localtime:/etc/localtime:ro" ];
environment = {
"BASE_URL" = "https://searx.${serverCfg.hostDomain}";
"AUTOCOMPLETE" = "true";
"INSTANCE_NAME" = "searx${serverCfg.shortName}";
};
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`searx.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
};
}
+9 -10
View File
@@ -1,21 +1,20 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = lib.concatMap (app: app.requires.databases) (builtins.attrValues config.syscfg.server.loadedContainers);
containerNames = lib.mapAttrsToList
(name: cfg: name)
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in { in {
config = lib.mkIf ( builtins.length allApps > 0) { config = lib.mkIf ( builtins.length allApps > 0) {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; # Required to listen on network interfaces enableTCPIP = true;
extensions = ps: with ps; [ vectorchord pgvector ];
settings = { settings = {
listen_addresses = lib.mkForce "*"; listen_addresses = lib.mkForce "*";
shared_preload_libraries = "vchord";
}; };
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
# TYPE DATABASE USER ADDRESS METHOD # TYPE DATABASE USER ADDRESS METHOD
@@ -42,7 +41,6 @@ in {
settings.protected-mode = "no"; settings.protected-mode = "no";
}; };
systemd.services.postgresql-init = { systemd.services.postgresql-init = {
description = "Custom Postgres Setup (Ownership & Passwords)"; description = "Custom Postgres Setup (Ownership & Passwords)";
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
@@ -55,14 +53,15 @@ in {
}; };
script = '' script = ''
${pkgs.coreutils}/bin/sleep 2 ${pkgs.coreutils}/bin/sleep 20
PSQL="${pkgs.postgresql}/bin/psql" PSQL="${pkgs.postgresql}/bin/psql"
${lib.concatMapStringsSep "\n" (name: '' ${lib.concatMapStringsSep "\n" (name: ''
$PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;" $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
$PSQL -d "${name}_db" -tAc "REINDEX DATABASE ${name}_db;"
$PSQL -d "${name}_db" -tAc "ALTER DATABASE ${name}_db REFRESH COLLATION VERSION;"
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-) PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
echo $PASS
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
echo " Successfully set password for ${name}_user" echo " Successfully set password for ${name}_user"
else else
@@ -73,4 +72,4 @@ in {
''; '';
}; };
}; };
} }
+7 -13
View File
@@ -1,7 +1,8 @@
{ config, lib, ... }:
let
{ config, lib, ... }:{ cfg = config.syscfg.server;
config = lib.mkIf (config.syscfg.server.nftables.enable) { in {
config = lib.mkIf (cfg.ipfw.enable) {
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
@@ -9,13 +10,6 @@
networking.nftables.enable = true; networking.nftables.enable = true;
networking.nftables.ruleset = '' networking.nftables.ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
}
}
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
@@ -34,12 +28,12 @@
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
'' ''
) config.syscfg.server.nftables.ports} ) cfg.ipfw.ports}
} }
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
} }
} }
''; '';
+1 -1
View File
@@ -9,8 +9,8 @@ in {
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [ 422 ]; ports = [ 422 ];
banner = "";
settings = { settings = {
#Banner = "";
PasswordAuthentication = false; PasswordAuthentication = false;
PermitRootLogin = "no"; PermitRootLogin = "no";
ClientAliveInterval = 60; ClientAliveInterval = 60;
+8 -8
View File
@@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = lib.mapAttrsToList (name: cfg: name) containerNames = lib.concatMap (app: app.requires.secrets) (builtins.attrValues config.syscfg.server.loadedContainers);
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in{ in{
config = lib.mkIf (config.syscfg.server.sops) {
sops.secrets = { sops.secrets = {
INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; }; CUSTOM = {
} // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: { mode = "0444";
owner = "postgres"; sopsFile = ./server.yaml;
};
} // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
mode = "0444";
sopsFile = ./server.yaml; sopsFile = ./server.yaml;
})); }));
};
} }
+48
View File
@@ -0,0 +1,48 @@
CUSTOM: |
DEFAULT_ADMIN_USERNAME=...
DEFAULT_ADMIN_PASSWORD=...
DEFAULT_ADMIN_EMAIL=...
DEFAULT_LDAP_PASSWORD=...
TRAEFIK: |
INFOMANIAK_ACCESS_TOKEN=...
AUTHENTIK: |
DB_PASSWORD=...
POSTGRES_PASSWORD=...
AUTHENTIK_SECRET_KEY=...
AUTHENTIK_EMAIL__PASSWORD=...
AUTHENTIK_TOKEN=...
NEXTCLOUD: |
DB_PASSWORD=...
POSTGRES_PASSWORD=...
COLLABORA: |
password=...
ETHERPAD: |
DB_PASSWORD=...
DB_PASS=...
ADMIN_PASSWORD=...
APIKEY=...
ETHERCALC: |
ETHERCALC_KEY=...
GITEA: |
DB_PASSWORD=...
GITEA__database__PASSWD=...
GITEA__security__SECRET_KEY=...
GITEA__security__INTERNAL_TOKEN=...
SEARXNG: |
SEARXNG_SECRET=...
UMAMI: |
DB_PASSWORD=...
DATABASE_URL=postgresql://username:mypassword@localhost:5432/mydb
APP_SECRET=...
IMMICH: |
DB_URL = "postgresql://immich_user:...@localhost:5432/immich_db";
SERVARR: |
SONARR__AUTH__APIKEY=...
RADARR__AUTH__APIKEY=...
FRESHRSS: |
DB_PASSWORD=...
SUWAYOMI: |
DATABASE_PASSWORD=...
DB_PASSWORD=...
CALIBRE: |
DB_PASSWORD=...
+25 -9
View File
@@ -1,9 +1,24 @@
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str] CUSTOM: ENC[AES256_GCM,data:UdxcMBZVmWKoikP713KcpuiMH0OJbR+CFvJ9Os4lTfLkVb0PMOCftprLKIdVbb39Ov4O1F4cpWbVD5ypCj5PPBygQM8ce1bDNRa/M7E3VPPwZw5ZtXtkgGlPwPpuHeoVC1K8XxltxpuqdQtSNUPsDg4rYnsEaXTnpJ3YTWHliM7W1oU8okEgxdtQFvjcHFhNTTSNKHfMHd3CyOABf1J0FX55uqgXydCBbeHnge9Rbiue4FjIdewvpZatVy6mhi0ILGEEL6XAObkFrWrv9rLWM/ymd6Lb5I+xAkmYTJ7AaYfaokTey/NJ1cJ5KBftQBgQ5Wo11kfRuNrGGRZROT59vGIEaO/QUiiKndsSGE5XpRylAkHNV8SEHg2PWeI8fz/n2zVRT6Gmy+xXQTbvEhRm+LQ2hMNXVEzUq47tsPL2OXcWgNZKrhz95Ct2/OegPI7/HTdMmD3Wbqs3FlrkOMrL1W3GKCzUfV69cmXFy8llXBMyEk7Vf/+2CjOmeDuvjlFKF4Jkip/rVGB5rTB4xPToS5tCz2qksggaRXidd4lSCyI+CxZN9NdL8klMSJ0bhawxltt3xMBO7egF4KDHmxJTBvohp4HBHZXy3pJ9AXQX2aYzC+L9cjSkvto7qyuC5rD/HgX8n4YiHFR8ua72bickgZ2JKpNawVDRWdDFNyVBCQbhZfkZzyCECQ1AfNUn969TQsTzP91vEk+F2QzmoE6hYEVJ8PRg2p89TeevcTuH70qVBMT2TAtLAlkZ4gQegByo4vvjtSGlFzHy5idKTxjHM/HTLkRImCXRBj663PU7e/zse+bCzk6DfhM4JsNt8mZRRPU1cYqnzgfjz5O+IP50BUYYgmsoQhNKH22E3tUaXihvddNusfnxdq5RFgwcGTcfIVUSB3c98Q1yf2Ft896dzl9OLcRj6tsAUId2e3iJ13FhZEpm5Y+zc5CSAdOuEAya0j5FRYopMUkKJ8uC/CRXTFuSIAo4kw9/Dc05Td/IsLGVQKnL9oyWzj7p1V4J0hLc37ELF5/TShFmkCL99m50XXctupVoLOVP35O36QzFcduw8knNF9iNqrK42tTS8Jt1ZY3BR4L5Nm1TM9rMO6afGy18b1fag5Zk7pByTzGwLped7ST2qf3R3KtbK3CWXbojpnQhYHYnDVaXT0JCPhdqSRIXV+f7hFEH6AwvyCkoahBO19oL6/YizqJe51pKQqWudzVjqDhSt9Z9NsqLRfCIL+cl63LSjQjhyBXKTtxJbqqkYP6uGLULAE89WUzjP5D1oE8EspHmcpirfDyjLa6JJyLWBMGbFDAzHeOJT3AXmGXNvEYsHk28DrJ+LsWFH8MDUPFCXz2Acj8M0B1Kv8822/Xir4xw2AlnS2Y0mL6i8evQ7S2/wg0C9G/nscLZfNeFOvph+sZhQd3/5osgit38TwWPCvg6ulu9nzDjAjI8vAZ3PG/d1PgeJzoWLDmE1EDxqDlR/UFq,iv:0bnj/W2ys7bNJKfAfUmgsiXeyHdiqhRAeB3qDGU2Is0=,tag:oiZMxOk4ABhzguaZbRQZxg==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str] TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
SEARXNG: ENC[AES256_GCM,data:gtKhEmMemzLRl4c3cYhMAQ+5vUth1IhWQeLvW1YtaG5TbhQHBR4PDREQOlGt+tlfGQrft+FeNhMSN/SKOp8gmScVWa+9qmltzxRGRpLm3m/VuBZvOlGdeUcKAX8zEH6A,iv:B2UEtjTRIjT6W+tH2gtcl6XMvZNgbvZUXTiBePGOu24=,tag:SHIF6eaWBLwy9RrEy1N9kg==,type:str]
UMAMI: ENC[AES256_GCM,data:onB/uXLajaRLmeQMGNHFsjREzPih9ha+cogGRw+nRomERSRrbBv+6gCqEr8F3Dcm818JB4jGRYKoIYG8Jl6gMDaz5QQiA4qAnbG19LuzVeVUgz4NGEgXBULoT/0sQacnyAPIfPEp+ESWRQH81nO6Qcs+rICpS2Xfeye5hb+8rSAxmLpY991AJ3+avGyMwPcpfNCkixWt68KuG5ZN/IGDksM/sSLGgyMisClbEdhigq4mwibOxpiWjcKk/17xYgY6Xz93h/yloHKZIZZpnyA+85YC6oNWgCPhkGIAVu3dGshp10a0nk1A2INm6vxNPbfUjYLkt3zDAPZtoBRCqUs+43Eh62hYgajgWCQJhjJkDgF4Y1ifGfDerIXs/cDpIKLt2+7VqM6/ouqIDPJ7khSAr+8bcHU4CKDtsDagob5PpCG4ABt44cg9cGw=,iv:HD450JZuWn2+V0pvOsDHy9oVAanFMf1el9LA1z0PULY=,tag:p7Vl7dtM8UdAUNgmdG+7cg==,type:str]
IMMICH: ENC[AES256_GCM,data:1y78yeawkRjUXLWPyFdMB5HCDQhb1PoxEMfHmKSZfv0CWloOrQWT735dlH+W9yC6ljZjqVD9Fwq/9GqqKQMTFMCpr8wVRwSHEuqmaG3UgKzbLA3aWZ1SIB0AiJi+eUunzHj2vikUJx9dMRjC+iNXrsVWh2HqMrOyFCWetZoIfxNiAgsgNKPgYYsHLv6OAZs9XT7V3veqe0zc0nyw7ghWSXne/yNhQESyyGlMAdagrJRNimvXIp/AoAUKl2WUJm2MBl7lb6K1YeJ1XW8OjAHzV8isBiUwU8ZD81VJog0fgTGjbUa+HO7jEo+9YwmDIMx3f5z9N4A=,iv:pboITW2rr7+w8VNZM6uYMMEFZ1S/JtqjNOVthpYJ2tQ=,tag:0dgrJ191sB4MLJHMoQBlCg==,type:str]
INVIDIOUS: ENC[AES256_GCM,data:ZfgU5UFMmG9Cx9UaR0xnKr9VPebG3kut0difTFZmoqOSs+stG6YJfV82OOhj1RQLVJlPr/scydYy1+3LytwvP1BT7tLe0jII7XupbkL0w3n79KBaiIzAPdicqLxeqjKH45I0NjHra4djdnO2Ff4T8CTiFDlPn1rMuiw=,iv:UaDmOKJ4bFPGCaIePLXkWot9E6sTu2nhaVs83sI38G0=,tag:spTjxWEmLfPc8BZl2GglBA==,type:str]
SERVARR: ENC[AES256_GCM,data:757WdthmToCGr2boph7iW1ycs3tQyGgD3lhYOcX/X3hjs9dLLPCWGI2zt5axp72IGJ/sVYEop2rqsRLxdPn3VIyQLvQ+3MYdo8Z/yOuMy7DAlnITQQQUI2ylZKHVmFAt39/xBpwsVjh3m/hBQvn/LbCDtR2s4qa+8fQDfeZXksTtnf7YZbVygTF7jWZ+0oVvkvNO1ZUejvP+uHL+jHwgMEwQnR22hOYWEKZ1s7PI+EZHujqyOhnwXB4jRG+XD7R4N6AhC5Z+nmkFpy3ffszCJ0/H,iv:NrNbkL6GWN4r+uzxNYrhoECD1APbRsRBcMBbVHD3DwM=,tag:YK1O50wV+lHAQa6TX9huUw==,type:str]
INFLUX: ENC[AES256_GCM,data:lLn/cSYWtjxeHafHUku9QnGV/pVPvx1WFSC6vgJP7w1XfL+7mk54M56cGr1VXGsM993ynjzrWDrxO8WtQPh1F9BOMH15ZY6B10rw0hLxsJyIapPrhp1/1HtryhmL8eNTU7N7UnPKdzeN/XFwjqqlktka4H9FcMg8A8STns8vNa6it4hx+IxKj3Dukdq2DSS7w9s1/+j08vZMwIULBRR+ZcGOGUppIS8umZ4/4yzPO03w4A9RNMIXhWdwbU64Xj49hOlxuqNoRcxw7dDp/GpHRXijsKdhPOegKo1tRQII,iv:Y9G/cXYzn3H91c/JLWglrtokUi7jjQxPgVgz4xUtoug=,tag:LvpuWeIzpHScnwjzz1J56A==,type:str]
FRESHRSS: ENC[AES256_GCM,data:M5C76yVyi0Uw28FWj+IvQJbP1hdxxBGWfp30egjlv8Eu4tSZjHyfni+OLwgziDeQQyvRbn2OHwKtztEu4N2C7iU0UaotB0jCOc2BKuwfSWrxWfmkTDrY1YBfbGgLWEKQ1ddafI/Dn99n4HFbGpMZ8Fbe+sRKKGgpAPj9bMkUjoP3eXw4HUWhu84b6LWu3x8DwArhNDOkHJnDL+Rlif7hILg7+eI/IUB0XakKCMIKHZn9djk4yjgXMQGF5EFRlPVWgQ==,iv:2Kb916TksnVhby/GORx9nzir6A7GiRNL9S0wrbc8yDQ=,tag:v2Nhj61qd4f/YV1HcF0v5Q==,type:str]
SUWAYOMI: ENC[AES256_GCM,data:xVzuIWdEZLeFtkVew/Jbt0U+ouOjA+U/flhSAsWHPQHWgp7+6uvdBYIxcyQ+firHAu9qcAO/HahDgnr0lhcQx/n5XgEhCchiGxCNBcAi/AD+FE9/PgSJf2DvjCp0ckCWvPChGsy+TD8uNi1bg0lqSrbDExRS28f3FVPrbrJJ1vj/V9Gk4PABg/UcdvycgCpf266aFMMzNuPJGyaRuQEnyFNvQgs53R7t9D9hC9GSc4MkEGt7g0GeX1MTRTzjjISgCdzZxjUiJGSuFTBemQggcWOAJNdYFq1vuh5X3zBvlF+zz75g3cin9S58CQ==,iv:/zlNBdu5SuzC8+t4zOYVga3hLWnxlNUALi6BS4MjNog=,tag:DfeC0X7uX9/qhltFl2D2hg==,type:str]
CALIBRE: ENC[AES256_GCM,data:Uxz/5H4q/ugmW49a6oIQsG450w+SS1H58gOMXDVX/JQ8OCGxWQ8DRNmSGBZLgGsJ9UA1rxYRS4+pDuDL+iQsNVOmZzFRAuWJwUhEiF72B/Ah0IyXpnPIups8S2Nq,iv:rK274zWuvguY/DPHXxG174j+Ne11SB7ZCQLxO6Tvvg4=,tag:7wJyt94jRvRCZxgHWotzVA==,type:str]
SELFMARK: ENC[AES256_GCM,data:YDCfMay/SxmJxQcVPvXJe7h/BGjOjVZLU4eJ3+t6z4EDqUueNzmBPWtF1hrNJCC2XlZFlD+PmCyoo8tzuPiig4Uxwf4Gos15Skddx8Jt4/PKjR3AW0z0U8kAtXmByBAAa/nLEVwTkyRybYTXcd36SlqyTrbVfDLkIQW0yiqp93Fh40gWTV3u/gz2ZeLit12o3LNnm7Zne7y8w7iAO2vm2L5h2W8R+9B8oW1MSweclKgDlMieNh+pmxexnNdvGX5jAgaOM2xSUC8Z/PcgSCAYwNVe0CYsHPypES/miS3XrVs4E/YIaMGaTi7lTS+zxy9x8F17O/MVHoy7yuzjQYBZ1w+PmMOYv+Wc1mVJswAHMfvZE6EUFL/P7Qy2T+c19cowphZTuuGZMaIqjeWfn4ZHPlVhWEdamk3dhyqA2I2g1X5cANP1FV73FJC/3gTqKXkkp9wcWqN59gAHmUzn2D5Mhmvx2UkTbyUyNxR71VdpSN4szYifmEdp56KQVpjrw4dSst97sWCzI6nrDn4P9J3TrTpCFJM2PSbyF23NIVuPCx2pdqTdjCr1IX+9v1qLKOcbIZq/S3ldQ6E2PZnvIA6faoE5SO5uy8qUwct54Jc+p6WTNFRMzfbFs31xVgiiR3Y5HsTc3Ee2ePhu1ggvCa8o4CW9zqO5jqFX38C8n0jYhc31AlVui0hswECHBgDqFQ3pZS10Fx4heYjnfJRTB8OrE0/lf0QYgMqLcWJyxJqwutoa5uaQxiq1QV3beyj8Yv0/kSEqrWvItvZaM2MCkmBjxDtfBqx1zIZ3Lm2xYJmOLB/SgYYWi+0d9yS2Dhe8mpOr2/xMsgdUUz2YbCX5YfA=,iv:nohcihzxdZORTKrrYnupqts4REcyioqlfFhQOM9K/H8=,tag:2sPes1v7LfvIj0hC/tKClw==,type:str]
sops: sops:
age: age:
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg - enc: |
enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3
N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D
@@ -11,8 +26,8 @@ sops:
clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF
BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ== BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3 recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS
WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk
@@ -20,8 +35,9 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-06T01:10:20Z" recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str] lastmodified: "2026-06-06T19:05:55Z"
mac: ENC[AES256_GCM,data:Qi14yxgLfSqQrFgemT80pwBEfQde06/17DOhjUrUSkJbdMy278a+VXZrCrG61z0QSMXtZutAdQTIJ7KPGot7pmTY9mHNl6zRyDqzC2Jfy2HALG8hWmpOFQepq03RaYO36mwWaMHEB3u4AwhFlKi6OSxIj3RhS1N4xpOwAZxWaGM=,iv:73h8YUYDkCjTVD81VEfFLuby61PQaxz28dw4tcOvx4c=,tag:3eujXdrYqSXTDYbYqo6DSw==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-
@@ -44,4 +60,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0 fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.1 version: 3.13.1
+1 -1
View File
@@ -1,4 +1,4 @@
{ config, ... }: { { ... }: {
imports = [ ./sorahiro.nix ]; imports = [ ./sorahiro.nix ];
colorScheme.palette.border-radius = "#8"; colorScheme.palette.border-radius = "#8";
+1 -1
View File
@@ -1,4 +1,4 @@
{ nix-colors, ... }: { ... }:
let use_pastelle = true; let use_pastelle = true;
in{ in{
# usage: a = "#${config.colorScheme.palette.base00}"; # usage: a = "#${config.colorScheme.palette.base00}";

Some files were not shown because too many files have changed in this diff Show More