sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

Compare commits

merge into: sora:main
Branches Tags
sora:main sora:dev
...
pull from: sora:dev
Branches Tags
sora:main sora:dev

373 Commits
main ... dev

Author SHA1 Message Date
soraefir
94a27bb403 fix ssl ? 2026-05-15 16:37:40 +02:00
soraefir
1d656dc4ae add db creation 2026-05-15 16:31:14 +02:00
soraefir
b3014bce85 Fix keys 2026-05-15 16:26:27 +02:00
soraefir
ef845edd12 typo 2026-05-15 16:22:52 +02:00
soraefir
c456e4cad8 Fix env config path 2026-05-15 16:19:18 +02:00
soraefir
39b12966f1 Login rule 2026-05-15 16:06:25 +02:00
soraefir
cbef43ae83 missing end 2026-05-15 16:03:34 +02:00
soraefir
765f18d5a0 Add missing func 2026-05-15 16:02:31 +02:00
soraefir
76302840d0 fix typos 2026-05-15 15:59:52 +02:00
soraefir
e02aca85bd fix cr code 2026-05-15 15:55:17 +02:00
soraefir
0378ce7dff fix cr code 2026-05-15 15:51:34 +02:00
soraefir
0fd8286331 type fix 2026-05-15 15:47:30 +02:00
soraefir
e4aac05b6a fix 2026-05-15 15:44:50 +02:00
soraefir
fd7b95e12e Fix 2026-05-15 15:42:49 +02:00
soraefir
a94e8beb37 Fix invidious env 2026-05-15 15:41:37 +02:00
soraefir
3e05dfbc07 Override login page 2026-05-15 14:51:32 +02:00
soraefir
a94574a53d wip 2026-05-15 13:51:23 +02:00
soraefir
03bec133ba fix 2026-05-15 02:46:04 +02:00
soraefir
b6de2d2ccf fix scope 2026-05-15 02:39:27 +02:00
soraefir
334a484ad4 fix scope 2026-05-15 02:35:00 +02:00
soraefir
11f7e95d95 Authentik immich 2026-05-15 02:26:48 +02:00
soraefir
24a0fb6a93 disable IMMICH_IGNORE_MOUNT_CHECK_ERRORS 2026-05-15 02:15:05 +02:00
soraefir
892e271719 Fix typo 2026-05-15 02:12:49 +02:00
soraefir
8769b6da9d Fix immich setup 2026-05-15 02:12:14 +02:00
soraefir
00bdef4307 Fix 2026-05-15 01:31:57 +02:00
soraefir
6ed72c00ff mkdir missings 2026-05-15 01:22:43 +02:00
soraefir
6d5cd82e72 fix 2026-05-15 01:15:59 +02:00
soraefir
3e921ef2ab fix setup 2026-05-15 01:10:34 +02:00
soraefir
09cc16bc40 fix 2026-05-15 00:59:20 +02:00
soraefir
425722e2c6 Disable Setup 2026-05-15 00:55:53 +02:00
soraefir
0fb6aa0047 Fix env 2026-05-15 00:45:59 +02:00
soraefir
07283e1f26 Fix temp 2026-05-15 00:41:21 +02:00
soraefir
362afd3d4e temp override 2026-05-15 00:40:14 +02:00
soraefir
1154cbb3bd Fix dirs 2026-05-15 00:33:48 +02:00
soraefir
25c7823f38 add vchord 2026-05-15 00:26:32 +02:00
soraefir
d57fb32f67 Add missing extensions 2026-05-15 00:22:56 +02:00
soraefir
08a7ed2469 fix user 2026-05-15 00:15:40 +02:00
soraefir
45e375168e db setup immich 2026-05-15 00:12:30 +02:00
soraefir
56252474d9 add vector to dbs 2026-05-15 00:04:02 +02:00
soraefir
0ee26c817c add vector pgsql 2026-05-14 23:51:31 +02:00
soraefir
51bd495981 Fix immich 2026-05-14 23:34:32 +02:00
soraefir
d9a59e9593 fix image 2026-05-14 23:20:41 +02:00
soraefir
8557df0199 fix image 2026-05-14 23:14:12 +02:00
soraefir
84d9b0ade0 immich db setup 2026-05-14 23:12:56 +02:00
soraefir
7e3d86e37e Simplify 2026-05-14 23:10:11 +02:00
soraefir
f5c16775c4 sops immich 2026-05-14 23:07:38 +02:00
soraefir
83dec697d1 cleanup 2026-05-14 23:05:27 +02:00
soraefir
dd47977cbd ldap default app 2026-05-14 22:53:12 +02:00
soraefir
601999180b Fix token 2026-05-14 21:30:11 +02:00
soraefir
97004b4b75 Fix ldap 2026-05-14 21:11:19 +02:00
soraefir
d15895d8e3 fix ldap role 2026-05-14 20:59:07 +02:00
soraefir
983c19eaa5 Fix 2026-05-14 20:54:43 +02:00
soraefir
4e7a348461 Fix ldap 2026-05-14 20:41:28 +02:00
soraefir
4ccb941766 Fix 2026-05-14 20:31:14 +02:00
soraefir
e19fe6a973 remove usuported blueprint 2026-05-14 20:27:24 +02:00
soraefir
d9e07543ba fix ldap authentik 2026-05-14 20:19:25 +02:00
soraefir
5d4aaeb49f Fix escaping 2026-05-14 17:51:30 +02:00
soraefir
14540f043d fix script errors 2026-05-14 17:40:57 +02:00
soraefir
2c29f8a41b grep fix 2026-05-14 17:33:45 +02:00
soraefir
cd994d6359 check installed plugins 2026-05-14 17:32:48 +02:00
soraefir
a1da14f9fb Fix script health check 2026-05-14 17:27:04 +02:00
soraefir
143ea35dc1 Ldap setup jellyfin 2026-05-14 17:18:39 +02:00
soraefir
c23ad28f85 fix 2026-05-14 16:34:59 +02:00
soraefir
c60123ca3c fix 2026-05-14 16:29:30 +02:00
soraefir
c069079a3a fix setup gitea 2026-05-14 16:01:52 +02:00
soraefir
e777a56816 fix ldap 2026-05-14 15:57:01 +02:00
soraefir
9933d12183 Fix ldap password 2026-05-14 15:46:51 +02:00
soraefir
2e6c044b89 Ldap WIP 2026-05-14 15:43:52 +02:00
soraefir
252373f956 Fix 2026-05-14 14:46:55 +02:00
soraefir
511837f0a5 Fix JQ 2026-05-14 14:45:11 +02:00
soraefir
2882889eae Add LDAP 2026-05-14 14:43:59 +02:00
soraefir
c174fe20ae Fix script 2026-05-14 14:34:39 +02:00
soraefir
31a972d55b Fix 2026-05-14 13:37:41 +02:00
soraefir
9de6cedf33 Jellyfin nss 2026-05-14 13:00:30 +02:00
soraefir
f80107efab nss 2026-05-14 12:32:10 +02:00
soraefir
ea21907e5d add nss 2026-05-14 11:52:38 +02:00
soraefir
d86c3b76b5 perms 2026-05-14 01:35:26 +02:00
soraefir
66e878b902 user 2026-05-14 01:25:44 +02:00
soraefir
6a3327386f home&script 2026-05-14 00:59:26 +02:00
soraefir
860955f555 fix curl 2026-05-14 00:33:01 +02:00
soraefir
f5fd711636 fix ssl 2026-05-14 00:26:20 +02:00
soraefir
677c9bc7d4 fixes 2026-05-14 00:21:53 +02:00
soraefir
2cb8d6c24e test 2026-05-14 00:12:18 +02:00
soraefir
3b4e7d07a4 jellyfin setup script 2026-05-14 00:10:38 +02:00
soraefir
8ecef91c92 Authentik apps 2026-05-13 23:27:09 +02:00
soraefir
95c1bb126e typo 2026-05-13 22:48:10 +02:00
soraefir
de18ad8127 Try secure 2026-05-13 22:45:44 +02:00
soraefir
8e57822c10 Fix host 2026-05-13 22:45:28 +02:00
soraefir
f2883aa33d Fix ldap env 2026-05-13 22:43:17 +02:00
soraefir
7bd5ceacd9 fix name 2026-05-13 22:33:28 +02:00
soraefir
e940bd0ec1 Fix ldap 2026-05-13 22:28:55 +02:00
soraefir
44813226c2 ldap insecure 2026-05-13 22:26:34 +02:00
soraefir
7381a17f87 fix ldap 2026-05-13 22:26:18 +02:00
soraefir
19cec13a43 fix authentik token 2026-05-13 22:23:26 +02:00
soraefir
9117530393 Fix authentik 2026-05-13 22:18:16 +02:00
soraefir
868ba53208 move traefik rule 2026-05-13 22:00:34 +02:00
soraefir
f7c55f3a5a Fix Authentik LDAP 2026-05-13 21:48:57 +02:00
sora-ext
7cfd1bb245 Update modules/server/sops/example.server.yaml 2026-05-13 17:32:12 +02:00
sora-ext
85a6517609 Add modules/server/containers/data/authentik/ldap.yaml 2026-05-13 17:31:46 +02:00
sora-ext
d55756f8f8 Update modules/server/containers/apps/servarr.nix 2026-05-13 17:31:29 +02:00
sora-ext
18beb41cd8 Update modules/server/containers/apps/jellyfin.nix 2026-05-13 17:31:19 +02:00
sora-ext
78f01cf111 Update modules/server/containers/apps/invidious.nix 2026-05-13 17:31:07 +02:00
sora-ext
c582d89715 Add modules/server/containers/apps/influx.nix 2026-05-13 17:30:57 +02:00
sora-ext
4270b15f9d Update modules/server/containers/apps/immich.nix 2026-05-13 17:30:43 +02:00
sora-ext
a62bc660c5 Update modules/server/containers/apps/homeassistant.nix 2026-05-13 17:30:33 +02:00
sora-ext
973fd78c1b Update modules/server/containers/apps/frigate.nix 2026-05-13 17:30:24 +02:00
sora-ext
7e62883e66 Update modules/server/containers/apps/authentik.nix 2026-05-13 17:30:10 +02:00
sora-ext
feccc2c3e0 Update modules/server/containers/apps/.template.nix 2026-05-13 17:30:00 +02:00
sora-ext
0b02de0957 Update modules/server/containers/default.nix 2026-05-13 17:29:49 +02:00
sora-ext
721838df2b Update modules/server/containers/builder.nix 2026-05-13 17:29:33 +02:00
soraefir
8c800ad0d3 Jellyfin LDAP 2026-05-13 01:56:45 +02:00
soraefir
f7af832d8e fix jellyfin media path 2026-05-13 01:31:15 +02:00
soraefir
6ddf4a07cc fix umami db 2026-05-13 01:00:14 +02:00
soraefir
0df674647c sops 2026-05-13 00:50:22 +02:00
soraefir
7bead6b3ac fix umami 2026-05-13 00:41:36 +02:00
soraefir
f0befa87be test 2026-05-12 22:52:25 +02:00
soraefir
6d665ee59c add sops to servarr 2026-05-12 21:28:24 +02:00
soraefir
befe46c085 sops 2026-05-12 21:26:46 +02:00
soraefir
ba6d057600 Fix 2026-05-12 21:26:07 +02:00
soraefir
db5230bd69 typo 2026-05-12 21:25:01 +02:00
soraefir
e1a80bb7ce Add new modules 2026-05-12 21:24:02 +02:00
sora-ext
7d95ba04a9 Add modules/shared/syscfg/user.nix 2026-05-12 18:02:13 +02:00
sora-ext
9169205357 Add modules/shared/syscfg/make.nix 2026-05-12 18:02:01 +02:00
sora-ext
74721f6b09 Add modules/shared/syscfg/net.nix 2026-05-12 18:01:52 +02:00
sora-ext
668c0107f9 Add modules/shared/syscfg/server.nix 2026-05-12 18:01:44 +02:00
sora-ext
331291c54d Update modules/shared/syscfg/default.nix 2026-05-12 18:01:33 +02:00
sora-ext
d10f53e485 Add modules/server/containers/apps/immich.nix 2026-05-12 17:47:01 +02:00
sora-ext
82aea8268f Update modules/shared/syscfg/default.nix 2026-05-12 17:46:23 +02:00
sora-ext
050eaedca2 Update modules/server/sops/example.server.yaml 2026-05-12 17:46:11 +02:00
sora-ext
be9cb270aa Update modules/server/sops/default.nix 2026-05-12 17:45:59 +02:00
sora-ext
a5e0e96b52 Update modules/server/database/default.nix 2026-05-12 17:45:49 +02:00
sora-ext
4366232f18 Update modules/server/containers/apps/umami.nix 2026-05-12 17:45:34 +02:00
sora-ext
4398b1d888 Update modules/server/containers/apps/transmission.nix 2026-05-12 17:45:25 +02:00
sora-ext
c4b5c47aa4 Update modules/server/containers/apps/traefik.nix 2026-05-12 17:45:16 +02:00
sora-ext
ff64e6c231 Update modules/server/containers/apps/servarr.nix 2026-05-12 17:45:07 +02:00
sora-ext
e7d656141a Update modules/server/containers/apps/searxng.nix 2026-05-12 17:44:59 +02:00
sora-ext
cf3c2428fb Update modules/server/containers/apps/nextcloud.nix 2026-05-12 17:44:50 +02:00
sora-ext
a2dc050b1c Update modules/server/containers/apps/jellyfin.nix 2026-05-12 17:44:41 +02:00
sora-ext
8bf332caf2 Update modules/server/containers/apps/gitea.nix 2026-05-12 17:44:25 +02:00
sora-ext
20d3786547 Update modules/server/containers/apps/etherpad.nix 2026-05-12 17:44:18 +02:00
sora-ext
79422c180a Update modules/server/containers/apps/ethercalc.nix 2026-05-12 17:44:11 +02:00
sora-ext
65fc9c6df2 Update modules/server/containers/apps/collabora.nix 2026-05-12 17:44:03 +02:00
sora-ext
a59cbd13a3 Update modules/server/containers/apps/authentik.nix 2026-05-12 17:43:55 +02:00
sora-ext
5f04ef7ae5 Update modules/server/containers/apps/.todo.md 2026-05-12 17:43:48 +02:00
sora-ext
0aff508cda Add modules/server/containers/apps/.template.nix 2026-05-12 17:43:40 +02:00
sora-ext
30df106b94 Update modules/server/containers/default.nix 2026-05-12 17:43:28 +02:00
sora-ext
3abdb6d637 Update modules/server/containers/builder.nix 2026-05-12 17:43:18 +02:00
soraefir
cd4c727255 gitea runner 2026-05-12 01:06:14 +02:00
soraefir
26cb095014 Fix 2026-05-12 00:55:55 +02:00
soraefir
2a9113e07d fix calc 2026-05-12 00:50:25 +02:00
soraefir
42a170283d add sops 2026-05-12 00:45:07 +02:00
soraefir
3d4cdaf6e9 new stuff 2026-05-12 00:42:09 +02:00
soraefir
21d959b592 fix script admin 2026-05-11 23:00:07 +02:00
soraefir
0895d67489 fix gitea script 2026-05-11 22:57:43 +02:00
soraefir
86f1fc116c Fix gitea script 2026-05-11 22:55:03 +02:00
soraefir
b82033f857 gitea adminify 2026-05-11 22:45:34 +02:00
soraefir
fbe8399886 Fix 2026-05-11 22:11:26 +02:00
soraefir
036f1117be fix mkdir 2026-05-11 22:05:38 +02:00
soraefir
b3eb1de9e6 fix 2026-05-11 22:02:16 +02:00
soraefir
91c2928a56 Fix 2026-05-11 21:53:49 +02:00
soraefir
89ffc75db2 Fix sops APIKEY 2026-05-11 21:49:20 +02:00
soraefir
63fc0bde6e Fix port 2026-05-11 21:29:16 +02:00
soraefir
bc765ea0c6 Fix cloud port 2026-05-11 20:35:14 +02:00
soraefir
df236d4ec7 sh 2026-05-11 20:18:14 +02:00
soraefir
2f24725df4 add sh 2026-05-11 20:16:37 +02:00
soraefir
4708753085 Gitea 2026-05-11 19:22:06 +02:00
soraefir
370416edba Fix sops 2026-05-11 19:04:16 +02:00
soraefir
ee1dec3d44 rm port 2026-05-11 18:50:36 +02:00
sora-ext
b748db9550 Add modules/server/containers/apps/.todo.md 2026-05-11 18:47:46 +02:00
sora-ext
78381d15ff Update modules/server/containers/apps/authentik.nix 2026-05-11 18:47:46 +02:00
sora-ext
037d75af2a Update modules/server/containers/apps/collabora.nix 2026-05-11 18:47:46 +02:00
sora-ext
9e9338d136 Add modules/server/containers/apps/ethercalc.nix 2026-05-11 18:47:46 +02:00
sora-ext
cd19d8ac06 Update modules/server/containers/apps/etherpad.nix 2026-05-11 18:47:46 +02:00
sora-ext
6dda5f6bd5 Add modules/server/containers/apps/frigate.nix 2026-05-11 18:47:46 +02:00
sora-ext
836b890fab Add modules/server/containers/apps/gitea.nix 2026-05-11 18:47:46 +02:00
sora-ext
40ed44aa52 Add modules/server/containers/apps/handbrake.nix 2026-05-11 18:47:46 +02:00
sora-ext
2fcbf6adb3 Add modules/server/containers/apps/homeassistant.nix 2026-05-11 18:47:46 +02:00
sora-ext
f3fbf159b4 Add modules/server/containers/apps/invidious.nix 2026-05-11 18:47:46 +02:00
sora-ext
f3b8feb50d Update modules/server/containers/apps/nextcloud.nix 2026-05-11 18:47:46 +02:00
sora-ext
f6f51597cd Add modules/server/containers/apps/jellyfin.nix 2026-05-11 18:47:46 +02:00
sora-ext
5c7b5fcbfe Add modules/server/containers/apps/searxng.nix 2026-05-11 18:47:46 +02:00
sora-ext
07b6868d27 Add modules/server/containers/apps/servarr.nix 2026-05-11 18:47:46 +02:00
sora-ext
870b13ef36 Update modules/server/containers/apps/traefik.nix 2026-05-11 18:47:46 +02:00
sora-ext
4b8c8bdc51 Add modules/server/containers/apps/transmission.nix 2026-05-11 18:47:46 +02:00
sora-ext
c24628b574 Add modules/server/containers/apps/trmnl.nix 2026-05-11 18:47:46 +02:00
sora-ext
c1fb77a89f Add modules/server/containers/apps/umami.nix 2026-05-11 18:47:46 +02:00
sora-ext
94012aa44c Update modules/shared/sops/default.nix 2026-05-11 18:47:46 +02:00
sora-ext
5ff282e65c Update modules/shared/syscfg/default.nix 2026-05-11 18:47:46 +02:00
Renovate Bot
0bedb71d07 Lock file maintenance 2026-05-11 18:47:46 +02:00
Renovate Bot
47cbbc56cb Lock file maintenance 2026-05-11 18:47:46 +02:00
sora
e116efd45c Update modules/server/containers/apps/etherpad.nix 2026-05-11 03:03:52 +02:00
soraefir
ff498d15a3 fix 2026-05-11 02:51:27 +02:00
soraefir
90c596270f Fix 2026-05-11 02:49:57 +02:00
soraefir
458a9091d4 fix 2026-05-11 02:32:08 +02:00
soraefir
123d18d1e8 fix 2026-05-11 02:29:11 +02:00
soraefir
f05f7b0147 fix 2026-05-11 02:23:54 +02:00
soraefir
a41390dcee Fix key 2026-05-11 02:19:31 +02:00
soraefir
29478e2aed Fix api 2026-05-11 02:11:15 +02:00
soraefir
82b422883e Fix api 2026-05-11 01:56:11 +02:00
soraefir
4151e50a42 fix 2026-05-11 01:36:08 +02:00
soraefir
5afaf859b9 fix 2026-05-11 00:55:20 +02:00
soraefir
0cd20319fe fix script 2026-05-11 00:54:02 +02:00
soraefir
468cd34fca fix 2026-05-11 00:46:52 +02:00
soraefir
882d36ff83 typo 2026-05-11 00:45:43 +02:00
soraefir
dc2682c829 fix 2026-05-11 00:44:26 +02:00
soraefir
f354a99d56 test new setup script 2026-05-11 00:42:34 +02:00
soraefir
bf1fbea959 chmod and fix 2026-05-11 00:38:02 +02:00
soraefir
31addeda66 Opt dir 2026-05-11 00:33:38 +02:00
soraefir
d0ca9761d7 fix 2026-05-11 00:24:31 +02:00
soraefir
bbbb5831a8 etherpad api 2026-05-11 00:15:54 +02:00
soraefir
46f4b5288b Admin 2026-05-10 22:39:33 +02:00
soraefir
8293df4974 Fix 2026-05-10 22:36:43 +02:00
soraefir
08866273cc fix 2026-05-10 22:31:31 +02:00
soraefir
e2772e51d9 Fix group 2026-05-10 22:27:29 +02:00
soraefir
6bf856b702 WIP 2026-05-10 22:21:02 +02:00
soraefir
93199b4359 tmp fix 2026-05-10 22:11:53 +02:00
soraefir
d3ffacf4ca Fix admin 2026-05-10 22:08:03 +02:00
soraefir
ac0e28b5ab fix authentic flow 2026-05-10 22:02:11 +02:00
soraefir
e76f53d887 test template 2026-05-10 21:47:49 +02:00
soraefir
f67e142f53 fix envfile 2026-05-10 21:43:48 +02:00
soraefir
8165bf6935 Add force exec 2026-05-10 21:40:49 +02:00
soraefir
09539b5866 Add user setup script 2026-05-10 21:39:12 +02:00
soraefir
1b2a724a26 Fix idp & co, add base ak setup 2026-05-10 20:42:19 +02:00
soraefir
e6e6e4af49 Fix saml url 2026-05-10 19:56:05 +02:00
soraefir
e999a5bf2c Fix 2026-05-10 19:49:32 +02:00
soraefir
a57818e37e Fix db 2026-05-10 19:43:19 +02:00
soraefir
0e61b2fad4 saml name 2026-05-10 19:41:58 +02:00
soraefir
9016657699 import cert 2026-05-10 19:34:46 +02:00
soraefir
5462434558 Fix 2026-05-10 19:19:15 +02:00
soraefir
aa36fa812c Foix blueprint 2026-05-10 19:14:37 +02:00
soraefir
f5f28968c6 test blueprint fix 2026-05-10 18:58:13 +02:00
soraefir
4c2ef6e264 Fix blueprints 2026-05-10 18:51:58 +02:00
soraefir
fa808f3eb2 Fix nix mkdata 2026-05-10 18:44:58 +02:00
soraefir
7bc9ae1f2d Fix mkData 2026-05-10 18:42:03 +02:00
soraefir
e53be27e96 Fix 2026-05-10 18:36:20 +02:00
soraefir
88ab6e2007 typo 2026-05-10 18:34:23 +02:00
soraefir
864e698272 fix 2026-05-10 18:33:22 +02:00
soraefir
8961706503 fix 2026-05-10 18:31:56 +02:00
soraefir
c637fea0d0 Add authentik blueprints 2026-05-10 18:29:53 +02:00
soraefir
9813e7d49a Longer timeout 2026-05-10 12:29:46 +02:00
soraefir
ea6db4b9bf fix 2026-05-10 12:26:34 +02:00
soraefir
2eff0969e0 fix 2026-05-10 12:21:46 +02:00
soraefir
cf5648122d fix 2026-05-10 12:21:01 +02:00
soraefir
b10e7a5a93 fix 2026-05-10 12:04:03 +02:00
soraefir
882a43b705 cfg 2026-05-10 12:03:05 +02:00
soraefir
e9868a2513 fix 2026-05-10 12:02:02 +02:00
soraefir
43a0f903b0 Fix 2026-05-10 12:01:28 +02:00
soraefir
1b76ec20b4 fix 2026-05-10 11:59:37 +02:00
soraefir
6a7fcf6152 fix 2026-05-10 11:58:29 +02:00
soraefir
b6bc6dd138 dbg 2026-05-10 11:57:59 +02:00
soraefir
90f8387192 tmp ignore 2026-05-10 11:56:13 +02:00
soraefir
25604d6c14 test 2026-05-10 11:55:53 +02:00
soraefir
51d60de5c0 fix 2026-05-10 11:54:37 +02:00
soraefir
5e8cd65785 fix 2026-05-10 11:52:32 +02:00
soraefir
fa5845808b fix 2026-05-10 11:50:34 +02:00
soraefir
28c17d9bb6 colors 2026-05-10 11:49:18 +02:00
soraefir
89d2f9a48e typo2 2026-05-10 11:42:53 +02:00
soraefir
e58d323ea0 typo 2026-05-10 11:41:59 +02:00
soraefir
7465b6b24c script omprovement 2026-05-10 11:38:19 +02:00
soraefir
59c6b68501 Add cron 2026-05-09 19:40:22 +02:00
soraefir
9273387170 Script improvements 2026-05-09 19:35:05 +02:00
soraefir
55a08673f0 fix caldav 2026-05-09 19:25:06 +02:00
soraefir
5dbb95603d silence script verbosity 2026-05-09 19:20:35 +02:00
soraefir
d60f8dd56f improve script 2026-05-09 19:18:27 +02:00
soraefir
7d35cb319f Fix 2026-05-09 19:12:36 +02:00
soraefir
8d4caac83b group for nextcloud 2026-05-09 18:47:38 +02:00
soraefir
ad2b492b51 Fix service 2026-05-09 18:42:22 +02:00
soraefir
4b68accf2f fix nextcloud 2026-05-09 17:52:39 +02:00
soraefir
0d9c8a2974 fix 2026-05-09 17:51:06 +02:00
soraefir
63d2dddd1e setup scripts 2026-05-09 17:50:23 +02:00
soraefir
55d678df19 bump nextcloud 2026-05-09 13:33:56 +02:00
soraefir
88a4ab069e registries 2026-05-09 13:28:48 +02:00
soraefir
c54ed4a712 Admin user 2026-05-09 12:54:13 +02:00
soraefir
3db4517a3b temps 2026-05-09 12:43:16 +02:00
soraefir
f3dfe561ad add plugin 2026-05-09 12:38:04 +02:00
soraefir
b58da2b2e1 port fix 2026-05-09 12:12:42 +02:00
soraefir
28fa63919f Fix env 2026-05-09 12:09:27 +02:00
soraefir
cb7e29bfe0 container settings 2026-05-09 11:58:38 +02:00
soraefir
ea58be6fdc fix typo 2026-05-09 11:57:21 +02:00
soraefir
da51e61c05 escape 2026-05-09 11:56:42 +02:00
soraefir
1ca61b70d2 fix env 2026-05-09 11:53:29 +02:00
soraefir
eafafe876f postgres 2026-05-09 11:03:58 +02:00
soraefir
21adca1fbc tmp perm 2026-05-09 10:50:25 +02:00
soraefir
57efc58bc2 Fix user etherpad 2026-05-09 10:46:04 +02:00
soraefir
cd5deea849 etherpad 2026-05-09 10:45:16 +02:00
soraefir
9f5f8751e5 fix ddos 2026-05-09 10:32:18 +02:00
soraefir
f02adc6d93 fix 2026-05-09 10:24:13 +02:00
soraefir
b2f6d8cc9e Fix 2026-05-09 10:19:21 +02:00
soraefir
c18ac097fa test 2026-05-09 10:17:27 +02:00
soraefir
1fc9017e7e fix 2026-05-09 10:12:01 +02:00
soraefir
8ff90e54b8 fix 2026-05-09 10:11:21 +02:00
soraefir
fba3a24f16 custom image 2026-05-09 10:09:51 +02:00
soraefir
fcb97828f4 test custom img 2026-05-09 10:04:47 +02:00
soraefir
e04382742f cleanup traefik 2026-05-09 10:03:09 +02:00
soraefir
48b40d819b fix typo 2026-05-09 09:56:28 +02:00
soraefir
8b75968f11 fix tls 2026-05-09 09:55:30 +02:00
soraefir
dda8409329 cert 2026-05-09 09:46:18 +02:00
soraefir
9a0b5171b1 fix dns 2026-05-09 09:42:33 +02:00
soraefir
9abb5b2f26 logs 2026-05-09 09:35:41 +02:00
soraefir
8362599b54 traefik 2026-05-09 09:34:07 +02:00
soraefir
c1b9c12281 fix 2026-05-09 09:26:40 +02:00
soraefir
e4dcb0bd39 api port 2026-05-09 00:20:27 +02:00
soraefir
a31991c507 typo 2026-05-08 23:58:53 +02:00
soraefir
e1651cba2a traefik docker 2026-05-08 23:57:19 +02:00
soraefir
bb5ecbba73 acme 2026-05-08 23:54:20 +02:00
soraefir
0c79617647 test acme 2026-05-08 23:48:37 +02:00
soraefir
a3bc8b80c5 fix acme 2026-05-08 23:39:48 +02:00
soraefir
55fcf8b71a fix 2026-05-08 23:32:25 +02:00
soraefir
5aabd9acce Fix 2026-05-08 23:31:56 +02:00
soraefir
e652c12bf2 fix traefik 2026-05-08 23:30:04 +02:00
soraefir
4c684cf9b1 Fix portfw traefik 2026-05-08 23:18:43 +02:00
soraefir
0c60bbbaa8 rm deprecated 2026-05-08 23:14:51 +02:00
soraefir
097334b483 fix statfs 2026-05-08 23:10:52 +02:00
soraefir
bfd099d201 container registry 2026-05-08 23:05:25 +02:00
soraefir
1fe6e43046 sops 2026-05-08 22:56:05 +02:00
soraefir
23b8ad480e fix subdomain 2026-05-08 22:55:21 +02:00
soraefir
3d1fc2a2c9 traefik 2026-05-08 22:53:41 +02:00
soraefir
aacca16eb2 fix tmpfs 2026-05-08 21:05:08 +02:00
soraefir
5de459c347 fix nulls 2026-05-08 21:01:46 +02:00
soraefir
d898116ff4 fix nulls 2026-05-08 20:59:40 +02:00
soraefir
e2b688c836 fix sops 2026-05-08 20:54:54 +02:00
soraefir
b5d57bf9c8 test 2026-05-08 20:52:08 +02:00
soraefir
236f9dbdc3 Sops 2026-05-08 20:50:13 +02:00
soraefir
9696ca9a6d ipfw 2026-05-08 20:47:00 +02:00
soraefir
df523c48e5 rename and fix 2026-05-08 20:46:23 +02:00
soraefir
4d398d5596 sops 2026-05-08 20:36:26 +02:00
soraefir
5045291097 sops 2026-05-08 20:35:43 +02:00
soraefir
2dc1632a40 sops 2026-05-08 20:32:37 +02:00
soraefir
744a2b8563 Secrets 2026-05-08 20:31:12 +02:00
soraefir
b722d349af fix cloud 2026-05-08 20:28:22 +02:00
soraefir
7438905618 WIP 2026-05-08 20:25:51 +02:00
soraefir
908c144c73 add cloud 2026-05-08 20:25:14 +02:00
soraefir
6d353df19f fix collabora 2026-05-08 20:23:40 +02:00
soraefir
7194d91b1c WIP 2026-05-08 20:22:04 +02:00
soraefir
d3c301db36 Fix 2026-05-08 02:52:56 +02:00
soraefir
135d48d78c test 2026-05-08 02:47:19 +02:00
soraefir
d4292cd46d test 2026-05-08 02:45:33 +02:00
soraefir
4a4d3e3604 typo 2026-05-08 02:37:06 +02:00
soraefir
d076538901 test 2026-05-08 02:35:32 +02:00
soraefir
8fedaf18cd firewall? 2026-05-08 02:20:28 +02:00
soraefir
4c1f9f0e78 nft 2026-05-08 02:17:10 +02:00
soraefir
1a8eb085df fix db ? 2026-05-08 02:13:44 +02:00
soraefir
8a619d9fc6 env 2026-05-08 02:00:10 +02:00
soraefir
a76f920297 Fix 2026-05-08 01:58:37 +02:00
soraefir
fe93cb708e accept podman traffic 2026-05-08 01:49:31 +02:00
soraefir
cb29056296 Sops 2026-05-08 01:37:57 +02:00
soraefir
4bc68eeeaf more fix 2026-05-08 01:34:17 +02:00
soraefir
9cf9937cb7 wg nft 2026-05-08 01:26:53 +02:00
soraefir
593514c100 fix ssh 2026-05-08 01:21:56 +02:00
soraefir
6ad9a0b34c Env 2026-05-08 01:19:04 +02:00
soraefir
65e3568072 Db 2026-05-08 01:18:02 +02:00
soraefir
c55b06cca9 fix nft 2026-05-08 01:15:56 +02:00
soraefir
40dba4b959 Fix nftable 2026-05-08 01:15:27 +02:00
soraefir
bc8a9d42f9 Fix nftable 2026-05-08 01:09:51 +02:00
soraefir
cd5a1aeed4 temp fix 2026-05-08 01:08:59 +02:00
soraefir
0f2081486d Wops 2026-05-08 01:08:07 +02:00
soraefir
1c022d7642 Fix secret 2026-05-08 00:53:00 +02:00
soraefir
379f6befb3 fix 2026-05-08 00:44:13 +02:00
soraefir
868d2ce116 fix 2026-05-08 00:29:12 +02:00
soraefir
94fdfa2b33 Test acme 2026-05-08 00:17:46 +02:00
soraefir
a73ad174ea Fix 2026-05-08 00:14:41 +02:00
soraefir
fba5a79ce6 Fix parenthesis 2026-05-08 00:12:17 +02:00
soraefir
e8c9fc52fb Update 2026-05-08 00:06:21 +02:00
soraefir
8092bac6b7 nginx 2026-05-07 00:03:43 +02:00
soraefir
7d80478e83 more fixes authentik 2026-05-06 23:47:09 +02:00
soraefir
2cab462db5 Fix authentik worker 2026-05-06 23:45:21 +02:00
soraefir
0bb796fbe8 Fix cfg 2026-05-06 23:42:29 +02:00
soraefir
1f2cc94a0a Fix builder 2026-05-06 23:39:28 +02:00
soraefir
3caf507905 Fix attempt 2026-05-06 23:35:03 +02:00
soraefir
27a5566ac6 Rename file 2026-05-06 23:31:12 +02:00
soraefir
b439888fa8 Fix naming 2026-05-06 23:30:08 +02:00
soraefir
093497367a container builder 2026-05-06 23:28:49 +02:00
soraefir
1c0cfd1afe change podman building 2026-05-06 22:59:11 +02:00
58 changed files with 2605 additions and 624 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,3 +2,4 @@ result
age-key.txt age-key.txt
.decrypted~common.yaml .decrypted~common.yaml
.decrypted* .decrypted*
.tmp

48
flake.lock generated
View File

@@ -45,11 +45,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775037210, "lastModified": 1777780666,
"narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=", "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "06648f4902343228ce2de79f291dd5a58ee12146", "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -103,11 +103,11 @@
}, },
"hardware": { "hardware": {
"locked": { "locked": {
"lastModified": 1776983936, "lastModified": 1778143761,
"narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=", "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -139,11 +139,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777771528, "lastModified": 1777851538,
"narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=", "narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51", "rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -174,11 +174,11 @@
}, },
"nixUnstable": { "nixUnstable": {
"locked": { "locked": {
"lastModified": 1777641297, "lastModified": 1778274207,
"narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=", "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0", "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -190,11 +190,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1777428379, "lastModified": 1778003029,
"narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=", "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "755f5aa91337890c432639c60b6064bb7fe67769", "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -221,11 +221,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1777578337, "lastModified": 1777954456,
"narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=", "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "15f4ee454b1dce334612fa6843b3e05cf546efab", "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -241,11 +241,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1777763626, "lastModified": 1778376280,
"narHash": "sha256-UFwZDbdMezNnxZwikhDR4EWiCPUiEmPXHmqLOrcG34g=", "narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nur", "repo": "nur",
"rev": "3873764e5896bd6da6cf0df17172849ea51ac5eb", "rev": "828688994167eb57628c98fd1d7e1223b079cda1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -274,11 +274,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777338324, "lastModified": 1777944972,
"narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=", "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5", "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"type": "github" "type": "github"
}, },
"original": { "original": {

8
flake.nix
View File

@@ -17,19 +17,11 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# hyprland = {
# url = "github:hyprwm/Hyprland";
# inputs.nixpkgs.follows = "nixpkgs";
# };
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-colors.url = "github:misterio77/nix-colors"; nix-colors.url = "github:misterio77/nix-colors";
arion.url = "github:hercules-ci/arion";
arion.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = inputs: outputs = inputs:

1
generator.nix
View File

@@ -13,7 +13,6 @@
./modules/nixos ./modules/nixos
syscfg syscfg
./systems/${host} ./systems/${host}
inputs.arion.nixosModules.arion
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
{ {

6
modules/nixos/system/default.nix
View File

@@ -1,3 +1,9 @@
{ ... }: { { ... }: {
imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ]; imports = [ ./dbus ./fonts ./hw ./locale ./network ./nix ./security ./xdg ];
# services.journald.extraConfig = ''
# LineMax=128K
# SystemMaxUse=512M
# SystemMaxFileSize=128M
# '';
} }

1
modules/nixos/system/hw/virt/default.nix
View File

@@ -18,5 +18,6 @@
}; };
}; };
}; };
virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
}; };
} }

6
modules/nixos/system/network/base/default.nix
View File

@@ -7,11 +7,13 @@
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = allowedUDPPorts =
(if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
[ ]; [ ];
allowedTCPPorts = allowedTCPPorts =
(if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++ (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
(if (config.syscfg.server != false) then [ 5432 6379 ] else [ ]) ++
[ ]; [ ];
}; };
}; };

46
modules/server/containers/apps/.template.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "EXAMPLE";
tag = "0.0.0";
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "echo 1" ];
ExposedPorts = { };
};
};
templateData = builder.mkData { name = "template"; dir = "template"; vars = {
_ARGUMENT = "template";
};
};
in {
sops = false;
db = false;
paths = [{
path="${serverCfg.configPath}/example/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = { };
overrides = {
cmd = [ ];
volumes = [ ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."EXAMPLE".path;
script = pkgs.writeShellScript "setup" ''
...
'';
};
}

7
modules/server/containers/apps/.todo.md Normal file
View File

@@ -0,0 +1,7 @@
# Missing
RSS: TTRSS / FreshRSS
Monitoring: Telegraf + InfluxDB
https://github.com/tarampampam/error-pages ?
- Transmission Cfg and API/Token handling

111
modules/server/containers/apps/authentik.nix Normal file
View File

@@ -0,0 +1,111 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "2026.2.2";
serverCfg = config.syscfg.server;
authentikData = builder.mkData {
name = "authentik"; dir = "authentik"; vars = {
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
COOKIE_DOMAIN = "${serverCfg.domain}";
AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
}
// (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
};
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.configPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.configPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = 9000;
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
AUTHENTIK_EMAIL__PORT = "587";
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
AUTHENTIK_EMAIL__USE_TLS = "true";
AUTHENTIK_EMAIL__USE_SSL = "false";
AUTHENTIK_EMAIL__TIMEOUT = "10";
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "server" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
ldap = builder.mkContainer {
image = "ghcr.io/goauthentik/ldap:${version}";
secret = name;
extraEnv = {
AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}";
AUTHENTIK_INSECURE = "false";
};
};
};
setup = {
trigger = "worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
$AK apply_blueprint /blueprints/custom/authentik.yaml
$AK apply_blueprint /blueprints/custom/traefik.yaml
$AK apply_blueprint /blueprints/custom/ldap.yaml
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
echo "Completed Authentik Setup"
'';
};
}

34
modules/server/containers/apps/collabora.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
sops = true;
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "collabora/code:${version}";
port = 9980;
secret = name;
extraEnv = {
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
"server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
"username" = "collabora_user";
"VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
"VIRTUAL_PORT" = "9980";
"VIRTUAL_PROTO" = "http";
"DONT_GEN_SSL_CERT" = "true";
"RESOLVE_TO_PROXY_IP" = "true";
"extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
"dictionaries" = "en fr de jp no";
};
overrides = {
volumes = [
"${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
"${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
];
};
};
};
}

39
modules/server/containers/apps/ethercalc.nix Normal file
View File

@@ -0,0 +1,39 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
ethercalc_exe = pkgs.ethercalc;
image = pkgs.dockerTools.streamLayeredImage {
name = "ethercalc";
tag = ethercalc_exe.version;
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
ExposedPorts = { "8080/tcp" = {}; };
};
};
in {
sops = true;
paths = [{
path="${serverCfg.dataPath}/ethercalc/";
mode = "0666";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
ETHERCALC_PORT = "8080";
#CONNECT TO REDIS
};
overrides = {
volumes = [
"${serverCfg.dataPath}/ethercalc:/data"
];
};
};
};
}

124
modules/server/containers/apps/etherpad.nix Normal file
View File

@@ -0,0 +1,124 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
etherpad_exe = pkgs.etherpad-lite;
settings = pkgs.writeText"settings.json" (builtins.toJSON {
title= "\${TITLE:Etherpad}";
showRecentPads = "\${SHOW_RECENT_PADS:true}";
favicon = "\${FAVICON:null}";
publicURL = "\${PUBLIC_URL:null}";
skinName = "\${SKIN_NAME:colibris}";
skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
ip = "\${IP:0.0.0.0}";
port = "\${PORT:9001}";
showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
enableMetrics = "\${ENABLE_METRICS:true}";
updates.tier = "off";
cleanup.enabled = false;
gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
enableDarkMode = "\${ENABLE_DARK_MODE:true}";
enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
dbType = "\${DB_TYPE:dirty}";
dbSettings = {
host = "\${DB_HOST:undefined}";
port = "\${DB_PORT:undefined}";
database = "\${DB_NAME:undefined}";
user = "\${DB_USER:undefined}";
password = "\${DB_PASS:undefined}";
charset = "\${DB_CHARSET:undefined}";
filename = "\${DB_FILENAME:var/dirty.db}";
collection = "\${DB_COLLECTION:undefined}";
url = "\${DB_URL:undefined}";
};
defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
padOptions = {
noColors = "\${PAD_OPTIONS_NO_COLORS:false}";
showControls = "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
showChat = "\${PAD_OPTIONS_SHOW_CHAT:true}";
showLineNumbers = "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
userName = "\${PAD_OPTIONS_USER_NAME:null}";
userColor = "\${PAD_OPTIONS_USER_COLOR:null}";
rtl = "\${PAD_OPTIONS_RTL:false}";
alwaysShowChat = "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
chatAndUsers = "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
lang = "\${PAD_OPTIONS_LANG:null}";
fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
};
requireSession = "\${REQUIRE_SESSION:false}";
editOnly = "\${EDIT_ONLY:false}";
minify = "\${MINIFY:true}";
requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
trustProxy = "\${TRUST_PROXY:true}";
ep_headerauth.username_header = "X-authentik-username";
users.admin = {
password = "\${ADMIN_PASSWORD:null}";
is_admin = true;
};
socketTransportProtocols = ["websocket" "polling"];
socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
indentationOnNewLine = true;
loglevel = "\${LOGLEVEL:INFO}";
lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
});
image = pkgs.dockerTools.streamLayeredImage {
name = "etherpad";
tag = etherpad_exe.version;
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
ExposedPorts = { "8080/tcp" = {}; };
};
};
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.configPath}/etherpad/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
TITLE = "Pad";
PORT ="8080";
DB_TYPE = "postgres";
DB_HOST = builder.host;
DB_NAME = "etherpad_db";
DB_USER = "etherpad_user";
TRUST_PROXY = "true";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
overrides = {
cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
volumes = [
"${settings}:/etc/etherpad/settings.json"
"${serverCfg.configPath}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."ETHERPAD".path;
script = pkgs.writeShellScript "setup" ''
echo "$APIKEY" > ${serverCfg.configPath}/etherpad/APIKEY.txt
chmod 444 ${serverCfg.configPath}/etherpad/APIKEY.txt
'';
};
}

95
modules/server/containers/apps/frigate.nix Normal file
View File

@@ -0,0 +1,95 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
# Ensure the package is available (Nixpkgs includes frigate)
frigatePkg = pkgs.frigate;
image = pkgs.dockerTools.streamLayeredImage {
name = "frigate";
tag = frigatePkg.version;
contents = [
pkgs.bashInteractive
frigatePkg
pkgs.ffmpeg # Explicitly included for video stream processing
];
config = {
Entrypoint = [ "${frigatePkg}/bin/frigate" ];
Cmd = [ "start" ];
ExposedPorts = {
"5000/tcp" = {}; # Web UI / API
"8554/tcp" = {}; # RTSP Feeds
"8555/tcp" = {}; # WebRTC
};
Env = [
"FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
];
};
};
in {
sops = true; # Enabled to safeguard sensitive camera RTSP stream credentials
db = false; # Internal SQLite is used by default in Frigate
paths = [
{
path = "${serverCfg.configPath}/frigate/";
mode = "0755";
}
{
path = "/var/lib/frigate/storage/";
mode = "0755"; # Dedicated path for heavy video recordings and media
}
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 5000;
secret = name;
extraEnv = {
PLUS_API_KEY = ""; # Optional: For Frigate Plus users
};
overrides = {
cmd = [ ];
volumes = [
"${serverCfg.configPath}/frigate:/config"
"/var/lib/frigate/storage:/media/frigate"
"/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
"/dev/dri:/dev/dri" # Passes Intel/AMD GPU for hardware video decoding
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."FRIGATE_ENV".path;
script = pkgs.writeShellScript "setup-frigate" ''
mkdir -p "${serverCfg.configPath}/frigate"
mkdir -p "/var/lib/frigate/storage"
# Bootstrap a standard configuration layout if missing
if [ ! -f "${serverCfg.configPath}/frigate/config.yml" ]; then
cat <<EOF > "${serverCfg.configPath}/frigate/config.yml"
mqtt:
enabled: False # Set to True and define host if connecting to Home Assistant
database:
path: /config/frigate.db
cameras:
dummy_camera: # Replace with your actual RTSP stream details
enabled: false
ffmpeg:
inputs:
- path: rtsp://127.0.0.1:554/live
roles:
- detect
detect:
enabled: false
EOF
fi
'';
};
}

145
modules/server/containers/apps/gitea.nix Normal file
View File

@@ -0,0 +1,145 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.dataPath}/gitea/data";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.dataPath}/gitea/data-runner";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "gitea/gitea:${version}";
port = 8080;
secret = name;
extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
GITEA__repository__DISABLE_STARS = "true";
GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
# GITEA__ui__THEMES = "";
# GITEA__ui__DEFAULT_THEME = "";
# GITEA__security__SECRET_KEY = "SECRET_ENV";
# GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
# GITEA__database__PASSWD = "SECRET_ENV";
# GITEA__mailer__PASSWD="SECRET_ENV";
GITEA__database__DB_TYPE = "postgres";
GITEA__database__HOST = builder.host;
GITEA__database__NAME = "gitea_db";
GITEA__database__USER = "gitea_user";
GITEA__mailer__ENABLED = "true";
GITEA__mailer__FROM = "";
GITEA__mailer__PROTOCOL = "smtps";
GITEA__mailer__SMTP_ADDR = "";
GITEA__mailer__SMTP_PORT = "";
GITEA__mailer__USER= "";
GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
GITEA__server__PROTOCOL = "http";
GITEA__server__HTTP_PORT = "8080";
GITEA__server__LFS_START_SERVER = "true";
GITEA__security__INSTALL_LOCK = "true";
} // ( if serverCfg.containers?authentik then {
GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
GITEA__security__RREVERSE_PROXY_LIMIT = "1";
GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
} else {});
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
volumes = [
"${serverCfg.dataPath}/gitea/data:/data"
];
ports = [ "2222:22" ];
};
};
runner = builder.mkContainer {
image = "gitea/act_runner:${version}";
secret = name;
extraEnv = {
CONFIG_FILE="/data/config.yml";
GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
};
overrides = {
volumes = [
"${serverCfg.dataPath}/gitea/data-runner:/data"
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
# ports = [ "8088:8088" ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
$GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
touch ${serverCfg.dataPath}/gitea/data-runner/config.yml
RUNNER_TOKEN=$($GT actions generate-runner-token)
$GTR register \
--instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
--token "$RUNNER_TOKEN" \
--name "Runner" \
--labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
--no-interactive
${lib.optionalString (serverCfg.containers ? authentik) ''
$GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
--bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
--user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
--user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
--admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
--username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
--synchronize-users
''}
echo "Completed Gitea Setup"
'';
};
}

3
modules/server/containers/apps/handbrake.nix Normal file
View File

@@ -0,0 +1,3 @@
{...}:{
}

43
modules/server/containers/apps/homeassistant.nix Normal file
View File

@@ -0,0 +1,43 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.home-assistant.name;
tag = pkgs.home-assistant.version;
contents = [ ];
config = {
Entrypoint = [ "${pkgs.home-assistant}/bin/hass" ];
ExposedPorts = {
"8123/tcp" = {};
};
};
};
in {
sops = true;
db = false;
paths = [{
path = "${serverCfg.configPath}/homeassistant/";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8123;
secret = name;
extraEnv = {
TZ = config.time.timeZone or "UTC";
};
overrides = {
cmd = [ "--config" "/config" ];
volumes = [
"${serverCfg.configPath}/homeassistant/:/config"
"/run/dbus:/run/dbus:ro" # Required for Bluetooth/mDNS service discovery
];
};
};
};
}

97
modules/server/containers/apps/immich.nix Normal file
View File

@@ -0,0 +1,97 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "v2";
serverCfg = config.syscfg.server;
in {
sops = true;
db = true;
paths = [{
path = "${serverCfg.configPath}/immich/cache";
mode = "0750";
}{
path = "${serverCfg.dataPath}/immich/";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/immich-app/immich-server:${version}";
port = 2283;
secret = name;
extraEnv = {
DB_HOSTNAME = builder.host;
REDIS_HOSTNAME = builder.host;
DB_USERNAME = "immich_user";
DB_DATABASE_NAME = "immich_db";
IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
# IMMICH_ALLOW_SETUP = "false";
# IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
};
overrides = {
volumes = [
"${serverCfg.dataPath}/immich:/data"
];
};
};
ml = builder.mkContainer {
image = "ghcr.io/immich-app/immich-machine-learning:${version}";
port = 3003;
overrides = {
volumes = [
"${serverCfg.configPath}/immich/cache:/cache"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
PSQL="${pkgs.postgresql}/bin/psql -U postgres"
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
$PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
mkdir -p ${serverCfg.dataPath}/immich/{upload,library,thumbs,encoded-video,profile,backups}
IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
sleep 5
done
${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
-H "Content-Type: application/json" -H "Accept: application/json" \
-d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
-H "Content-Type: application/json" \
-d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
| ${pkgs.jq}/bin/jq -r '.accessToken')
${lib.optionalString (serverCfg.containers ? authentik) ''
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
${pkgs.jq}/bin/jq '.oauth.enabled = true |
.oauth.autoRegister = true |
.oauth.autoLaunch = true |
.oauth.signingAlgorithm = "RS256" |
.oauth.profileSigningAlgorithm = "RS256" |
.oauth.clientId = "immich" |
.oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" |
.oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" |
.oauth.scope = "openid profile email" |
.oauth.buttonText = "Login with SSO"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
''}
${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
.storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
'';
};
}

45
modules/server/containers/apps/influx.nix Normal file
View File

@@ -0,0 +1,45 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
influxPkg = pkgs.influxdb2;
image = pkgs.dockerTools.streamLayeredImage {
name = influxPkg.name;
tag = influxPkg.version;
contents = [ ];
config = {
Entrypoint = [ "${influxPkg}/bin/influxd" ];
ExposedPorts = {
"8086/tcp" = {}; # Combined Engine and UI port
};
};
};
in {
sops = true; # Highly recommended for initial admin passwords and setup tokens
db = false; # Using InfluxDB directly as the primary database
paths = [{
path = "${serverCfg.configPath}/influxdb/";
mode = "0700"; # Strict database permissions
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8086;
secret = name;
extraEnv = {
INFLUXD_CONFIG_PATH = "var/lib/influxdb2/config";
INFLUXD_BOLT_PATH = "/var/lib/influxdb2/influxdb.bolt";
INFLUXD_ENGINE_PATH = "/var/lib/influxdb2/engine";
};
overrides = {
volumes = [
"${serverCfg.configPath}/influxdb/:/var/lib/influxdb2"
];
};
};
};
}

78
modules/server/containers/apps/invidious.nix Normal file
View File

@@ -0,0 +1,78 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
patchedInvidious = pkgs.invidious.overrideAttrs (oldAttrs: {
postPatch = (oldAttrs.postPatch or "") + ''
cp ${../data/invidious/login.cr} src/invidious/routes/login.cr
'';
});
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.invidious.name;
tag = pkgs.invidious.version;
contents = [ pkgs.cacert patchedInvidious ];
config = {
Entrypoint = [ "${patchedInvidious}/bin/invidious" ];
ExposedPorts = { "3000/tcp" = {}; };
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
];
};
};
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.configPath}/invidious";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 3000;
secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
extraEnv = {
INVIDIOUS_CONFIG_FILE = "/data/config.yml";
};
overrides = {
volumes = [
"${serverCfg.configPath}/invidious:/data:ro"
];
};
};
companion = builder.mkContainer {
image = "quay.io/invidious/invidious-companion:latest";
port = 8282;
secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
extraOptions = [
"--cap-drop=all"
"--security-opt=no-new-privileges"
];
};
};
setup = {
trigger = "server";
envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
script = pkgs.writeShellScript "setup" ''
export DB_HOST=${builder.host}
export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.configPath}/invidious/config.yml"
'';
};
}

177
modules/server/containers/apps/jellyfin.nix Normal file
View File

@@ -0,0 +1,177 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
nss = pkgs.dockerTools.fakeNss.override {
extraPasswdLines = [
"jellyfin:x:1000:1000:Jellyfin Daemon:/config/data:/bin/false"
];
extraGroupLines = [
"jellyfin:x:1000:"
];
};
image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
name = pkgs.jellyfin.name;
tag = pkgs.jellyfin.version;
contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
config = {
User = "jellyfin:jellyfin";
Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
ExposedPorts = { "8096/tcp" = { }; };
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
];
};
};
in {
paths = [
{
path = "${serverCfg.dataPath}/media/";
owner = "1000:1000";
mode = "0755";
}
{
path = "${serverCfg.configPath}/jellyfin/";
owner = "1000:1000";
mode = "0755";
}
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8096;
extraEnv = {
HOME = "/config/data";
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
};
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
cmd = [
"--datadir" "/config/data"
"--cachedir" "/config/cache"
"--configdir" "/config/config"
"--logdir" "/config/log"
];
volumes = [
"${serverCfg.dataPath}/media:/media:ro"
"${serverCfg.configPath}/jellyfin:/config"
];
# If you have an Intel/AMD GPU for transcoding, add the device:
devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5
done
echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20
WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
if [ "$WIZARD_COMPLETE" = "false" ]; then
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
-H "Content-Type: application/json" \
-d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
echo "ERROR: Failed to set startup configuration."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
echo "ERROR: Failed to get base user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
-H 'accept: */*' -H "Content-Type: application/json" \
-d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
echo "ERROR: Failed to set admin user."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
-H "Content-Type: application/json" \
-d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
echo "ERROR: Failed to configure remote access."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
echo "ERROR: Failed to complete wizard."
exit 1
fi
echo "Jellyfin initialization successfully completed!"
fi
${lib.optionalString (serverCfg.containers ? authentik) ''
JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
-H "Content-Type: application/json" \
-H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
-d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
| ${pkgs.jq}/bin/jq -r '.AccessToken')
# Verify we got a token
if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
echo "ERROR: Authentication failed."
exit 1
fi
if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
"$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
echo "LDAP Plugin is already installed. Skipping setup."
else
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: Server failed to accept restart command."
exit 1
fi
sleep 1-
until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
sleep 5
done
echo "Jellyfin is up. Sleeping for 20 seconds..."
sleep 20
fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Type: application/json" -H 'accept: */*' \
-d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
"LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
"LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
"LdapSearchAttributes":"uid, cn, mail, displayName",
"LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
"EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
"EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
"LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
"EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
echo "ERROR: LDAP Plugin Setup Failed."
exit 1
fi
''}
echo "Completed Setup"
'';
};
}

0
modules/server/containers/apps/miniflux.nix Normal file
View File

199
modules/server/containers/apps/nextcloud.nix Normal file
View File

@@ -0,0 +1,199 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "31";
serverCfg = config.syscfg.server;
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.dataPath}/nextcloud/www";
owner = "33:33";
mode = "0755";
}{
path="${serverCfg.dataPath}/nextcloud/data";
owner = "33:33";
mode = "0755";
backup = true;
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "nextcloud:${version}";
port = 80;
secret = name;
extraEnv = {
REDIS_HOST = builder.host;
POSTGRES_HOST = builder.host;
POSTGRES_USER = "nextcloud_user";
POSTGRES_DB = "nextcloud_db";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
"NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.domain}";
"SMTP_HOST" = serverCfg.mailServer;
"SMTP_NAME" = "mail_user";
"SMTP_PASSWORD" = "mail_password";
"MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.domain}";
"MAIL_DOMAIN" = serverCfg.mailDomain;
"TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
};
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
volumes = [
"${serverCfg.dataPath}/nextcloud/www:/var/www/html"
"${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
];
};
};
};
setup = {
trigger = "server";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
echo "Waiting for Nextcloud container to start..."
until $OCC status > /dev/null 2>&1; do
sleep 2
done
INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
if [ -z "$INSTALLED" ]; then
echo "Running first-time setup..."
$OCC maintenance:install \
--admin-user "$DEFAULT_ADMIN_USERNAME" \
--admin-pass "$DEFAULT_ADMIN_PASSWORD"
fi
if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
rm -f "/tmp/force-nextcloud-setup"
echo "Applying Settings..."
$OCC config:system:set default_phone_region --value="CH"
$OCC config:system:set overwriteprotocol --value="https"
$OCC config:app:set core backgroundjobs_mode --value="cron"
$OCC config:system:set maintenance_window_start --type=integer --value=1
$OCC config:system:set default_language --value="en"
$OCC config:system:set default_locale --value="en_CH"
echo "Applying Apps..."
$OCC app:disable activity || true
$OCC app:disable app_api || true
$OCC app:disable comments || true
$OCC app:disable firstrunwizard || true
$OCC config:system:set show_first_run_wizard --type=bool --value=false
$OCC app:disable nextcloud_announcements || true
$OCC app:disable oauth2 || true
$OCC app:disable recommendations || true
$OCC app:disable sharebymail || true
$OCC app:disable support || true
$OCC app:disable survey_client || true
$OCC app:disable updatenotification || true
$OCC app:disable user_status || true
$OCC app:install calendar || true
$OCC app:install calendar || true
$OCC app:install contacts || true
$OCC app:install camerarawpreviews || true
$OCC app:install cospend || true
$OCC app:install deck || true
$OCC app:install files_markdown || true
$OCC app:install forms || true
$OCC app:install groupfolders || true
$OCC app:install ownpad || true
$OCC app:install previewgenerator || true
$OCC app:install richdocuments || true
${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
# $OCC app:install side_menu || true
$OCC app:install spreed || true
$OCC app:install teamfolders || true
${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
echo "Applying Apps Settings..."
$OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
$OCC config:app:set cospend allow_federation --value="yes"
${lib.optionalString (serverCfg.containers ? ethercalc) ''
$OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
$OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.domain}"
''}
${lib.optionalString (serverCfg.containers ? etherpad) ''
$OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
$OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.domain}"
''}
${lib.optionalString (serverCfg.containers ? collabora) ''
$OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}/"
$OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.domain}"
$OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
''}
${lib.optionalString (serverCfg.containers ? authentik) ''
$OCC saml:config:set 1 --general-idp0_display_name="authentik"
$OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
$OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}"
$OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/sso/binding/redirect/"
$OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/saml/nextcloud/slo/binding/redirect/"
AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
$OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT"
$OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
$OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
$OCC group:add admin || true
$OCC group:add cloud || true
$OCC config:app:set user_saml general-group_provisioning --value="0"
$OCC config:app:set user_saml general-require_provisioning_groups --value="1"
''}
# configure side_menu ...
FOLDERS=$($OCC teamfolders:list --format=json)
${builtins.concatStringsSep "\n" (map (name: ''
if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
$OCC teamfolders:create "${name}"
fi
'') containerCfg.extra.teamFolders or [])}
SERVERS=$($OCC federation:list-servers --format=json)
${builtins.concatStringsSep "\n" (map (domain: ''
if ! echo "$SERVERS" | grep -q "${domain}"; then
$OCC federation:add-server "https://${domain}"
fi
'') containerCfg.extra.federatedServers or [])}
$OCC config:app:set systemtags allow_user_creating --value="no"
echo "Applying Theme..."
$OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.domain}"
${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
$OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
$OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
#$OCC theming:config logo {serverCfg.colorScheme.logo}
#$OCC theming:config logoheader {serverCfg.colorScheme.logo}
#$OCC theming:config background {serverCfg.colorScheme.bg}
else
echo "Nextcloud is already installed. Skipping setup."
fi
echo "Maintenance..."
$OCC app:update --all
$OCC maintenance:repair --include-expensive --no-interaction
$OCC db:add-missing-indices --no-interaction
echo "Completed Setup"
'';
};
cron = [ "*/5 * * * * root ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
}

92
modules/server/containers/apps/searxng.nix Normal file
View File

@@ -0,0 +1,92 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version= "latest";
serverCfg = config.syscfg.server;
settings = pkgs.writeText"settings.yml" (pkgs.lib.generators.toYAML {}{
use_default_settings = true;
brand = {
issue_url = "";
docs_url = "";
public_instances = "";
wiki_url = "";
custom = {
links = {
"Home" = "https://${serverCfg.domain}";
# "Status" = "https://status.${serverCfg.domain}";
};
};
pwa_colors = {
theme_color_light = "${serverCfg.colorScheme.palette.base0C}";
background_color_light = "${serverCfg.colorScheme.palette.base07}";
theme_color_dark = "${serverCfg.colorScheme.palette.base0C}";
background_color_dark = "${serverCfg.colorScheme.palette.base02}";
theme_color_black = "${serverCfg.colorScheme.palette.base0C}";
background_color_black = "${serverCfg.colorScheme.palette.base01}";
};
};
general = {
debug = false;
instance_name = if containerCfg.extra ? instanceName then containerCfg.extra.instanceName else "SearXNG";
privacypolicy_url = false;
donation_url = false;
contact_url = false;
enable_metrics = false;
};
search = {
safe_search = 0;
autocomplete = if containerCfg.extra ? autocomplete then containerCfg.extra.autocomplete else "";
languages = [ "all" "en" "en-US" "ja" "de-CH" "fr-CH" "nb" ];
};
server = {
# secret_key = ""; SET BY ENV VAR
};
ui = {
default_locale = if containerCfg.extra ? defaultLocale then containerCfg.extra.defaultLocale else "en";
# query_in_title = "true";
#default_theme = "custom";
custom_css = "footer { display: none !important; }";
};
# categories_as_tabs = {
# general = {};
# images ={};
# videos = {};
# news = {};
# files = {};
# };
plugins = {
"searx.plugins.infinite_scroll.SXNGPlugin".active = true;
"searx.plugins.tracker_url_remover.SXNGPlugin".active = true;
};
});
in {
sops = true;
# paths = [{
# path="${serverCfg.dataPath}/searxng/";
# mode = "0444";
# }];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "searxng/searxng:${version}";
port = 8080;
secret = name;
extraEnv = {
SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
SEARXNG_PORT = "8080";
SEARXNG_BIND_ADDRESS = "[::]";
SEARXNG_PUBLIC_INSTANCE = "false";
SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
#SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
};
overrides = {
cmd = [ ];
volumes = [
"${settings}:/etc/searxng/settings.yml"
# "/path/to/your/logo.png:/usr/local/searxng/searx/static/themes/simple/img/searxng.png
# "${serverCfg.dataPath}/searxng:/var/cache/searxng/"
];
};
};
};
}

83
modules/server/containers/apps/servarr.nix Normal file
View File

@@ -0,0 +1,83 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
mkServarrImage = appName: appPkg: binaryPath: pkgs.dockerTools.streamLayeredImage {
name = appPkg.name;
tag = appPkg.version;
contents = with pkgs; [ cacert openssl ];
config = {
Cmd = [ "${appPkg}/${binaryPath}" "-nobrowser" "-data=/config" ];
Env = [ "DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1" "HOME=/tmp" ];
};
};
images = {
prowlarr = mkServarrImage "prowlarr" pkgs.prowlarr "bin/Prowlarr";
radarr = mkServarrImage "radarr" pkgs.radarr "bin/Radarr";
sonarr = mkServarrImage "sonarr" pkgs.sonarr "bin/Sonarr";
bazarr = mkServarrImage "bazarr" pkgs.bazarr "bin/bazarr";
lidarr = mkServarrImage "lidarr" pkgs.lidarr "bin/Lidarr";
readarr = mkServarrImage "readarr" pkgs.readarr "bin/Readarr";
};
sharedVolumes = [
"${serverCfg.dataPath}/media:/media" # Fast hardlinking requires a single shared root
"${serverCfg.configPath}/servarr:/config-root"
];
in {
sops = true;
paths = [
{ path = "${serverCfg.dataPath}/media/"; mode = "0755"; }
{ path = "${serverCfg.configPath}/servarr/prowlarr"; mode = "0755"; }
{ path = "${serverCfg.configPath}/servarr/radarr"; mode = "0755"; }
{ path = "${serverCfg.configPath}/servarr/sonarr"; mode = "0755"; }
];
containers = {
prowlarr = builder.mkContainer {
subdomain = containerCfg.subdomain;
subpath = "prowlarr";
imageStream = images.prowlarr;
port = 9696;
secret = name;
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/prowlarr:/config" ];
};
radarr = builder.mkContainer {
subdomain = containerCfg.subdomain;
subpath = "radarr";
imageStream = images.radarr;
port = 7878;
secret = name;
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/radarr:/config" ];
};
sonarr = builder.mkContainer {
subdomain = containerCfg.subdomain;
subpath = "sonarr";
imageStream = images.sonarr;
port = 8989;
secret = name;
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/sonarr:/config" ];
};
};
# setup = {
# trigger = "prowlarr"; # Triggers atomic environment verification on main controller
# envFile = config.sops.secrets."SERVARR".path;
# script = pkgs.writeShellScript "setup-servarr" ''
# echo "Validating multi-container path permission nodes..."
# # mkdir -p ${serverCfg.configPath}/servarr/{prowlarr,radarr,sonarr}
# '';
# };
}

87
modules/server/containers/apps/traefik.nix Normal file
View File

@@ -0,0 +1,87 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "traefik";
tag = pkgs.traefik.version;
contents = with pkgs;[ cacert tzdata ];
config = {
Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
WorkingDir = "/";
};
};
in {
sops = true;
paths = [{
path="${serverCfg.configPath}/traefik";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
imageStream = image;
subdomain = containerCfg.subdomain;
port = 8080;
secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
"traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
} // (if serverCfg.containers?authentik then {
"traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
"traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
} else {}) // (if serverCfg.containers?umami then {
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
} else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
"traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
} else {});
extraEnv = { };
overrides = {
cmd = [
"--api"
"--log.level=INFO"
"--providers.docker=true"
"--global.checknewversion=false"
"--global.sendanonymoususage=false"
"--api.insecure=true"
"--api.dashboard=true"
"--providers.docker.exposedByDefault=false"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
"--entrypoints.web.http.redirections.entrypoint.to=web-secure"
"--entrypoints.web.http.redirections.entrypoint.scheme=https"
"--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
"--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
] ++ (if serverCfg.containers ? umami then [
"--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
"--experimental.plugins.umami-feeder.version=v1.4.1"
"--entrypoints.web-secure.http.middlewares=umami-global@docker"
] else []) ++ (if containerCfg.extra ? provider then [
"--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
"--certificatesresolvers.default.acme.dnschallenge=true"
"--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
"--certificatesresolvers.default.acme.storage=/custom/acme.json"
] else []) ++ (if serverCfg.domain != "localhost" then [
"--certificatesresolvers.default.acme.httpchallenge=false"
"--certificatesresolvers.default.acme.tlschallenge=true"
] else []);
ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
volumes = [
"/var/run/podman/podman.sock:/var/run/docker.sock"
# "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik:/custom"
];
};
};
};
}

57
modules/server/containers/apps/transmission.nix Normal file
View File

@@ -0,0 +1,57 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.transmission_4.name;
tag = pkgs.transmission_4.version;
contents = [ pkgs.cacert ];
config = {
Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
ExposedPorts = {
"9091/tcp" = {};
"51413/tcp" = {}; "51413/udp" = {};
};
};
};
in {
paths = [{
path = "${serverCfg.dataPath}/transmission/complete";
owner = "1000:1000";
mode = "0755";
}{
path = "${serverCfg.dataPath}/transmission/incomplete";
owner = "1000:1000";
mode = "0755";
}{
path = "${serverCfg.dataPath}/transmission/config";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 9091;
extraEnv = {
PUID = "1000";
PGID = "1000";
TZ = "Europe/Zurich";
};
extraLabels = { } // (if serverCfg.containers ? authentik then {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
} else {});
overrides = {
cmd = [ ];
volumes = [
"${serverCfg.dataPath}/transmission/complete:/downloads/complete"
"${serverCfg.dataPath}/transmission/incomplete:/downloads/incomplete"
"${serverCfg.dataPath}/transmission/config:/config"
];
};
};
};
}

3
modules/server/containers/apps/trmnl.nix Normal file
View File

@@ -0,0 +1,3 @@
{...}:{
}

54
modules/server/containers/apps/umami.nix Normal file
View File

@@ -0,0 +1,54 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
# Umami image built from nixpkgs
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.umami.name;
tag = pkgs.umami.version;
contents = with pkgs; [ cacert openssl ];
config = {
# Umami in nixpkgs typically provides a binary or script to start the server
Entrypoint = [ "${pkgs.umami}/bin/umami-server" ];
ExposedPorts = { "3000/tcp" = {}; };
Env = [ "NODE_ENV=production" ];
};
};
in {
sops = true;
db = true;
paths = [{
path = "${serverCfg.configPath}/umami/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "${pkgs.umami.name}:${pkgs.umami.version}";
imageStream = image;
port = 3000;
secret = name;
extraEnv = {
PORT = "3000";
# HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
DATABASE_TYPE = "postgresql";
REDIS_URL = "redis://${builder.host}";
CLIENT_IP_HEADER = "X-Forwarded-For";
BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
# DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
};
extraLabels = { } // ( if serverCfg.containers?authentik then {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
} else {});
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
cmd = [ "start" ]; # Specific command for the umami binary
};
};
};
}

53
modules/server/containers/builder.nix Normal file
View File

@@ -0,0 +1,53 @@
{ config, lib, pkgs, serverCfg }:
let
builder =
{ image ? null, imageStream ? null, imageFile ? null
, secret ? null
, subdomain ? null, subpath?null, port ? 0
, extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
, overrides ? { }
}:
let
routerName = if subpath != null
then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
else subdomain;
base = {
image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}"
else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
imageStream = imageStream;
imageFile = imageFile;
environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
environment = {} // extraEnv;
labels = (if subdomain!=null then ({
"traefik.enable" = "true";
"traefik.http.routers.${routerName}.entrypoints" = "web-secure";
"traefik.http.routers.${routerName}.rule" = if subpath != null
then "Host(`${subdomain}.${serverCfg.domain}`) && PathPrefix(`/${subpath}`)"
else "Host(`${subdomain}.${serverCfg.domain}`)";
"traefik.http.routers.${routerName}.tls" = "true";
} // lib.optionalAttrs (port!=null) {
"traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
}) else {
"traefik.enable" = "false";
}) // extraLabels;
extraOptions = extraOptions ++ [
"--add-host=host.containers.internal:host-gateway"
];
};
in lib.recursiveUpdate base overrides;
in {
mkContainer = builder;
mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
mkdir -p $out
cp -r ${./data + "/${dir}"}/. $out/
find $out -type f | while read file; do
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
substituteInPlace "$file" --replace "@${n}@" "${toString v}"
'') vars)}
done
'';
host = "host.containers.internal";
}

70
modules/server/containers/data/authentik/authentik.yaml Normal file
View File

@@ -0,0 +1,70 @@
version: 1
metadata:
name: "Initial User Setup"
labels:
blueprint-type: core
entries:
# Optionally, disable the default enrollment flow entirely
- model: authentik_flows.flow
identifiers:
slug: "default-source-enrollment"
attrs:
designation: "enrollment"
enabled: false
# --- GROUPS ---
- model: authentik_core.group
identifiers:
name: "admin"
attrs:
is_superuser: true
- model: authentik_core.group
identifiers:
name: "cloud"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "dev"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "flix"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "family"
attrs:
is_superuser: false
# --- ADMIN USERS ---
- model: authentik_core.user
identifiers:
username: !Env DEFAULT_ADMIN_USERNAME
attrs:
name: !Env DEFAULT_ADMIN_USERNAME
email: !Env DEFAULT_ADMIN_EMAIL
password: !Env DEFAULT_ADMIN_PASSWORD
path: "users"
groups:
- !Find [authentik_core.group, [name, "admin"]]
# Disable the Initial Setup Flow
- model: authentik_flows.flow
identifiers:
slug: "initial-setup"
attrs:
authentication: "require_superuser"
enabled: false
# Disable the default 'akadmin' if it exists
- model: authentik_core.user
identifiers:
username: "akadmin"
attrs:
is_active: false

11
modules/server/containers/data/authentik/gitea.yaml Normal file
View File

@@ -0,0 +1,11 @@
version: 1
metadata:
name: gitea-ldap-setup
entries:
- model: authentik_core.application
id: gitea-app
identifiers:
slug: gitea
attrs:
name: Gitea
launch_url: "@GITEA_DOMAIN@"

62
modules/server/containers/data/authentik/immich.yaml Normal file
View File

@@ -0,0 +1,62 @@
version: 1
metadata:
name: "Immich OAuth2 Provisioning"
labels:
app: immich
entries:
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "Immich Provider"
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
authentication_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: "confidential"
client_id: "immich"
client_secret: !Env IMMICH_OAUTH_SECRET
access_code_validity: "minutes=5"
token_validity: "days=30"
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
redirect_uris:
- url: "app.immich:///oauth-callback"
matching_mode: "strict"
- url: "https://@IMMICH_DOMAIN@/auth/login"
matching_mode: "regex"
- url: "https://@IMMICH_DOMAIN@/user-settings"
matching_mode: "regex"
property_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'email'"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
]
- model: authentik_core.application
identifiers:
slug: "immich"
attrs:
name: "Immich"
launch_url: "@IMMICH_DOMAIN@"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "Immich Provider"],
]

11
modules/server/containers/data/authentik/jellyfin.yaml Normal file
View File

@@ -0,0 +1,11 @@
version: 1
metadata:
name: jellyfin-ldap-setup
entries:
- model: authentik_core.application
id: jellyfin-app
identifiers:
slug: jellyfin
attrs:
name: Jellyfin
launch_url: "@JELLYFIN_DOMAIN@"

78
modules/server/containers/data/authentik/ldap.yaml Normal file
View File

@@ -0,0 +1,78 @@
version: 1
metadata:
name: Pre-configured LDAP Outpost
entries:
- model: authentik_providers_ldap.ldapprovider
identifiers:
name: ldap-provider
attrs:
base_dn: "@AUTHENTIK_LDAP_DC_DOMAIN@"
search_group: null
authorization_flow:
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
- model: authentik_core.user
state: present
identifiers:
username: "ldap-service"
attrs:
name: "LDAP Bind Service Account"
type: "service_account"
path: "goauthentik.io"
is_active: true
password: !Env DEFAULT_LDAP_PASSWORD
attributes:
ak_recovery_immutable: true
- model: authentik_core.token
identifiers:
identifier: ldap-outpost-static-token
attrs:
intent: api
key: !Env AUTHENTIK_TOKEN
user: !Find [authentik_core.user, [username, "ldap-service"]]
- model: authentik_outposts.outpost
identifiers:
name: LDAP Outpost
attrs:
type: ldap
providers:
- !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
token:
!Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
config:
log_level: info
authentik_host: https://sso.test.helcel.net/
refresh_interval: minutes=5
authentik_host_insecure: false
- model: authentik_rbac.role
state: present
identifiers:
name: "LDAP Search Role"
attrs:
permissions:
- "authentik_providers_ldap.search_full_directory"
- model: authentik_core.group
state: present
identifiers:
name: "LDAP Search Group"
attrs:
users:
- !Find [authentik_core.user, [username, "ldap-service"]]
roles:
- !Find [authentik_rbac.role, [name, "LDAP Search Role"]]
- model: authentik_core.application
id: ldap-placeholder
identifiers:
slug: ldap
attrs:
name: ldap
group: _
provider:
!Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]

58
modules/server/containers/data/authentik/nextcloud.yaml Normal file
View File

@@ -0,0 +1,58 @@
version: 1
metadata:
name: nextcloud-saml-setup
entries:
- model: authentik_providers_saml.samlprovider
identifiers:
name: Nextcloud SAML
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-explicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
issuer: https://@AUTHENTIK_DOMAIN@
sp_binding: post
property_mappings:
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Name"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Email"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Groups"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Username"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: User ID"],
]
signing_kp:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
sign_assertion: true
sign_response: false
- model: authentik_core.application
identifiers:
slug: nextcloud
attrs:
name: Nextcloud
provider:
!Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
launch_url: "@NEXTCLOUD_DOMAIN@"

46
modules/server/containers/data/authentik/traefik.yaml Normal file
View File

@@ -0,0 +1,46 @@
version: 1
metadata:
name: domain-wide-proxy-setup
entries:
# 1. The Provider
- model: authentik_providers_proxy.proxyprovider
identifiers:
name: Domain Wide Proxy
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
external_host: https://@AUTHENTIK_DOMAIN@
cookie_domain: "@COOKIE_DOMAIN@"
mode: forward_domain
intercept_header_auth: true
# 2. The Application (Required to link the provider)
- model: authentik_core.application
identifiers:
slug: authentik-proxy
attrs:
name: "Domain Auth Provider"
group: _
provider:
!Find [
authentik_providers_proxy.proxyprovider,
[name, Domain Wide Proxy],
]
# 3. Add to Outpost
- model: authentik_outposts.outpost
identifiers:
name: authentik Embedded Outpost
attrs:
providers:
- !Find [
authentik_providers_proxy.proxyprovider,
[name, Domain Wide Proxy],
]

137
modules/server/containers/data/invidious/config.yml Normal file
View File

@@ -0,0 +1,137 @@
db:
user: invidious_user
password: $DB_PASSWORD
host: $DB_HOST
port: 5432
dbname: invidious_db
check_tables: true
invidious_companion:
- private_url: "http://immich-companion:8282/companion"
invidious_companion_key: $SERVER_SECRET_KEY
port: 3000
external_port: 443
host_binding: 0.0.0.0
domain: $INVIDIOUS_DOMAIN
https_only: false
#hsts: true
## Accepted values: true, false, dash, livestreams, downloads, local
#disable_proxy: false
# use_innertube_for_captions: false
# -----------------------------
# Features
# -----------------------------
popular_enabled: false
statistics_enabled: true
registration_enabled: true
login_enabled: true
captcha_enabled: false
admins: ["$DEFAULT_ADMIN_EMAIL"]
enable_user_notifications: false
# -----------------------------
# Background jobs
# -----------------------------
channel_threads: 1
#channel_refresh_interval: 30m
full_refresh: false
feed_threads: 1
jobs:
clear_expired_items:
enable: true
refresh_channels:
enable: true
refresh_feeds:
enable: true
# -----------------------------
# Miscellaneous
# -----------------------------
#banner:
# use_pubsub_feeds: true
hmac_key: $HMAC_KEY
#dmca_content:
#cache_annotations: false
#modified_source_code_url: ""
#playlist_length_limit: 500
#########################################
#
# Default user preferences
#
#########################################
default_user_preferences:
# -----------------------------
# Internationalization
# -----------------------------
#locale: en-US
#region: US
## Top 3 preferred languages for video captions.
#captions: ["", "", ""]
# -----------------------------
# Interface
# -----------------------------
dark_mode: "auto"
#thin_mode: false
feed_menu: ["Subscriptions", "Playlists"]
default_home: Subscriptions
#max_results: 40
#annotations: false
#annotations_subscribed: false
#comments: ["youtube", ""]
#player_style: invidious
#related_videos: true
# -----------------------------
# Video player behavior
# -----------------------------
#preload: true
#autoplay: false
#continue: false
#continue_autoplay: true
#listen: false
#video_loop: false
# -----------------------------
# Video playback settings
# -----------------------------
#quality: dash
#quality_dash: auto
#speed: 1.0
#volume: 100
#vr_mode: true
save_player_pos: true
# -----------------------------
# Subscription feed
# -----------------------------
#latest_only: false
#notifications_only: false
unseen_only: true
#sort: published
# -----------------------------
# Miscellaneous
# -----------------------------
#local: false
show_nick: false
#automatic_instance_redirect: false
#extend_desc: false

101
modules/server/containers/data/invidious/login.cr Normal file
View File

@@ -0,0 +1,101 @@
{% skip_file if flag?(:api_only) %}
module Invidious::Routes::Login
def self.login_page(env)
locale = env.get("preferences").as(Preferences).locale
user = env.get? "user"
referer = get_referer(env, "/feed/subscriptions")
return env.redirect referer if user
return error_template(400, "Login has been disabled by administrator.") if !CONFIG.login_enabled
if forwarded_user = env.request.headers["X-authentik-email"]?
begin
email = forwarded_user.try &.downcase.byte_slice(0, 254)
return error_template(401, "User ID is a required field") if email.nil? || email.empty?
user = Invidious::Database::Users.select(email: email)
if user
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
Invidious::Database::SessionIDs.insert(sid, email)
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
else
return error_template(400, "Registration has been disabled by administrator.") if !CONFIG.registration_enabled
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email, "")
if language_header = env.request.headers["Accept-Language"]?
if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
user.preferences.locale = language.header
end
end
Invidious::Database::Users.insert(user)
Invidious::Database::SessionIDs.insert(sid, email)
view_name = "subscriptions_#{sha256(user.email)}"
PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
user.preferences = env.get("preferences").as(Preferences)
Invidious::Database::Users.update_preferences(user)
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end
return env.redirect referer
rescue ex
return error_template(500, "Authentication error: #{ex.message}")
end
end
env.redirect referer
end
def self.login(env)
referer = get_referer(env, "/feed/subscriptions")
env.redirect referer
return error_template(403, "Login post is not supported.")
end
def self.signout(env)
locale = env.get("preferences").as(Preferences).locale
user = env.get? "user"
sid = env.get? "sid"
referer = get_referer(env)
return env.redirect referer if !user
user = user.as(User)
sid = sid.as(String)
token = env.params.body["csrf_token"]?
begin
validate_request(token, sid, env.request, HMAC_KEY, locale)
rescue ex
return error_template(400, ex)
end
Invidious::Database::SessionIDs.delete(sid: sid)
env.request.cookies.each do |cookie|
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
env.redirect referer
end
end

77
modules/server/containers/default.nix
View File

@@ -1,24 +1,44 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.syscfg.server.containers; serverCfg = config.syscfg.server;
enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg; builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
containerSetsList = lib.mapAttrsToList (name: containerCfg:
import (./defs + "/${name}.nix") {
inherit config pkgs lib containerCfg;
}
) enabledConfigs;
mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
in
{
config = lib.mkIf ( enabledConfigs != {} ) {
in{
config = lib.mkMerge [{
syscfg.server.loadedContainers = lib.mapAttrs (name: containerCfg:
(import (./apps + "/${name}.nix")) { inherit config pkgs lib containerCfg builder name; }
) config.syscfg.server.containers;
} (lib.mkIf ( serverCfg.containers != {} ) (
let
appsList = builtins.attrValues config.syscfg.server.loadedContainers;
mergedContainers = lib.concatMapAttrs (appName: app:
lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.containers
) config.syscfg.server.loadedContainers;
allPathConfigs = lib.concatMap (app: app.paths) appsList;
allSetupConfigs = lib.concatMap (app: if app.setup?script then [({name = app.name; envFile="";} // app.setup)] else []) appsList;
allCronsConfigs = lib.concatMap (app: app.cron) appsList;
in{
virtualisation.oci-containers = { virtualisation.oci-containers = {
backend = "podman"; backend = "podman";
containers = mergedContainers; containers = mergedContainers;
}; };
system.activationScripts.container-setup-dirs = {
deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map (cfg:
let
effectiveCfg = {
owner = "root:root";
mode = "0400";
} // cfg;
in ''
${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
'') allPathConfigs);
};
systemd.services.podman-gc = { systemd.services = {
podman-gc = {
description = "Podman garbage collection"; description = "Podman garbage collection";
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = '' script = ''
@@ -27,14 +47,29 @@ in
''; '';
startAt = "weekly"; startAt = "weekly";
}; };
} // lib.listToAttrs (lib.concatMap (e: [{
name = "${e.name}-setup";
value = {
description = "Run ${e.name} setup";
after = [ "podman-${e.name}-${e.trigger}.service" ];
wants = [ "podman-${e.name}-${e.trigger}.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
TimeoutStartSec = "360s";
EnvironmentFile = e.envFile;
ExecStart = e.script;
RemainAfterExit = true;
User = "root";
};
};
}]) allSetupConfigs );
system.activationScripts.container-setup-dirs = { services.cron = {
deps = [ "users" "groups" ]; enable = true;
text = lib.concatStringsSep "\n" (map (cfg: '' systemCronJobs = allCronsConfigs;
mkdir -p "${cfg.path}"
chown ${cfg.owner} "${cfg.path}"
chmod ${cfg.mode} "${cfg.path}"
'') allPathConfigs);
};
}; };
}))];
} }

84
modules/server/containers/defs/authentik.nix
View File

@@ -1,84 +0,0 @@
{ config, containerCfg, pkgs, lib, ... }:
let
serverCfg = config.syscfg.server;
in {
paths = [{
path="${serverCfg.dataPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.dataPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
auth_server = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_server";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sso.entrypoints" = "web-secure";
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
"traefik.http.routers.sso.tls" = "true";
"traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
};
cmd = [ "server" ];
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
"--ip=${containerCfg.ip}"
];
ports = [
"9999:${toString containerCfg.port}"
];
};
auth_worker = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_worker";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
"/var/run/docker.sock:/var/run/docker.sock"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
};
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
];
cmd = [ "worker" ];
};
};
}

152
modules/server/containers/defs/cloud.nix
View File

@@ -1,152 +0,0 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "cloud";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
cloud_nextcloud.service = {
image = "nextcloud:27";
container_name = "cloud";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"${serverCfg.configPath}/data/nextcloud:/var/www/html"
"${serverCfg.dataPath}/data/music:/media/music"
"${serverCfg.dataPath}/data/video:/media/video"
"${serverCfg.dataPath}/data/photo:/media/photo"
];
tmpfs = [ "/tmp" ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.nextcloud.entrypoints" = "web-secure";
"traefik.http.routers.nextcloud.rule" =
"Host(`cloud.${serverCfg.hostDomain}`)";
"traefik.http.routers.nextcloud.tls" = "true";
"traefik.http.routers.nextcloud.middlewares" =
"sts_headers,nextcloud-caldav";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
"true";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
"^https://(.*)/.well-known/(card|cal)dav";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
"https://$\${1}/remote.php/dav/";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
"true";
};
};
cloud_office.service = {
image = "collabora/code:latest";
container_name = "cloud_office";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ ];
environment = {
username = "COLLABORA_USER";
password = "COLLABORA_PASSWORD";
aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
server_name = "office.${serverCfg.hostDomain}";
VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
VIRTUAL_PORT = "9980";
VIRTUAL_PROTO = "http";
DONT_GEN_SSL_CERT = "true";
RESOLVE_TO_PROXY_IP = "true";
NETWORK_ACCESS = "internal";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
dictionaries = "en fr de jp";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.collabora.entrypoints" = "web-secure";
"traefik.http.routers.collabora.rule" =
"Host(`office.${serverCfg.hostDomain}`)";
"traefik.http.routers.collabora.tls" = "true";
};
};
cloud_etherpad.service = {
image = "etherpad/etherpad:latest";
container_name = "etherpad";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
environment = {
NODE_ENV = "production";
TITLE = "Helcel-Pad";
DB_TYPE = "mysql";
DB_HOST = serverCfg.dbHost;
DB_PORT = serverCfg.dbPort;
DB_NAME = "etherpad";
DB_USER = "ETHERPAD_DB_USER";
DB_PASS = "ETHERPAD_DB_PASSWORD";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "P A D";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.etherpad.entrypoints" = "web-secure";
"traefik.http.routers.etherpad.rule" =
"Host(`pad.${serverCfg.hostDomain}`)";
"traefik.http.routers.etherpad.tls" = "true";
};
};
cloud_ethercalc.service = {
image = "audreyt/ethercalc:latest";
container_name = "ethercalc";
restart = "unless-stopped";
networks = [ "external" "internal" ];
volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
environment = {
NODE_ENV = "production";
TITLE = "Helcel-Calc";
REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
REDIS_PORT_6379_TCP_PORT = "6379";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.ethercalc.entrypoints" = "web-secure";
"traefik.http.routers.ethercalc.rule" =
"Host(`calc.${serverCfg.hostDomain}`)";
"traefik.http.routers.ethercalc.tls" = "true";
};
};
cloud_redis.service = {
image = "redis:latest";
container_name = "ethercalc-redis";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
};
}

30
modules/server/containers/defs/sample.nix
View File

@@ -1,30 +0,0 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "name";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
NAME.service = {
image = "NAME:latest";
container_name = "NAME";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
};
}

81
modules/server/containers/defs/traefik.nix
View File

@@ -1,81 +0,0 @@
{ config, pkgs, ... }: {
project.name = "traefik";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
traefik.service = {
image = "traefik:latest";
container_name = "traefik";
restart = "unless-stopped";
networks = [ "internal" "external" ];
command = [
"--api"
"--providers.docker=true"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
];
port = [ "443" "80" ];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
"${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
"${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik/acme.json:/acme.json"
];
environment = {
"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
};
labels = { "traefik.enable" = "false"; };
};
matomo.service = {
image = "matomo:latest";
container_name = "matomo";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${serverCfg.configPath}/matomo:/var/www/html/config:rw"
"${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
];
environment = { };
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`matomo.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
searx.service = {
image = "searxng/searxng:latest";
container_name = "searx";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ "/etc/localtime:/etc/localtime:ro" ];
environment = {
"BASE_URL" = "https://searx.${serverCfg.hostDomain}";
"AUTOCOMPLETE" = "true";
"INSTANCE_NAME" = "searx${serverCfg.shortName}";
};
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`searx.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
};
}

15
modules/server/database/default.nix
View File

@@ -1,21 +1,19 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.db) config.syscfg.server.loadedContainers);
containerNames = lib.mapAttrsToList
(name: cfg: name)
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in { in {
config = lib.mkIf ( builtins.length allApps > 0) { config = lib.mkIf ( builtins.length allApps > 0) {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; # Required to listen on network interfaces enableTCPIP = true;
extensions = ps: with ps; [ vectorchord pgvector ];
settings = { settings = {
listen_addresses = lib.mkForce "*"; listen_addresses = lib.mkForce "*";
shared_preload_libraries = "vchord";
}; };
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
# TYPE DATABASE USER ADDRESS METHOD # TYPE DATABASE USER ADDRESS METHOD
@@ -55,14 +53,13 @@ in {
}; };
script = '' script = ''
${pkgs.coreutils}/bin/sleep 2 ${pkgs.coreutils}/bin/sleep 20
PSQL="${pkgs.postgresql}/bin/psql" PSQL="${pkgs.postgresql}/bin/psql"
${lib.concatMapStringsSep "\n" (name: '' ${lib.concatMapStringsSep "\n" (name: ''
$PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;" $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-) PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
echo $PASS
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
echo " Successfully set password for ${name}_user" echo " Successfully set password for ${name}_user"
else else

20
modules/server/nftables/default.nix
View File

@@ -1,7 +1,8 @@
{ config, lib, ... }:
let
{ config, lib, ... }:{ cfg = config.syscfg.server;
config = lib.mkIf (config.syscfg.server.nftables.enable) { in {
config = lib.mkIf (cfg.ipfw.enable) {
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
@@ -9,13 +10,6 @@
networking.nftables.enable = true; networking.nftables.enable = true;
networking.nftables.ruleset = '' networking.nftables.ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
}
}
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
@@ -34,12 +28,12 @@
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
'' ''
) config.syscfg.server.nftables.ports} ) cfg.ipfw.ports}
} }
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
} }
} }
''; '';

14
modules/server/sops/default.nix
View File

@@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = lib.mapAttrsToList (name: cfg: name) containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.sops) config.syscfg.server.loadedContainers);
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in{ in{
config = lib.mkIf (config.syscfg.server.sops) {
sops.secrets = { sops.secrets = {
INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; }; CUSTOM = {
} // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: { mode = "0444";
owner = "postgres"; sopsFile = ./server.yaml;
};
} // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
mode = "0444";
sopsFile = ./server.yaml; sopsFile = ./server.yaml;
})); }));
};
} }

38
modules/server/sops/example.server.yaml Normal file
View File

@@ -0,0 +1,38 @@
CUSTOM: |
DEFAULT_ADMIN_USERNAME=...
DEFAULT_ADMIN_PASSWORD=...
DEFAULT_ADMIN_EMAIL=...
DEFAULT_LDAP_PASSWORD=...
TRAEFIK: |
INFOMANIAK_ACCESS_TOKEN=...
AUTHENTIK: |
DB_PASSWORD=...
POSTGRES_PASSWORD=...
AUTHENTIK_SECRET_KEY=...
AUTHENTIK_EMAIL__PASSWORD=...
AUTHENTIK_TOKEN=...
NEXTCLOUD: |
DB_PASSWORD=...
POSTGRES_PASSWORD=...
COLLABORA: |
password=...
ETHERPAD: |
DB_PASSWORD=...
DB_PASS=...
ADMIN_PASSWORD=...
APIKEY=...
ETHERCALC: |
ETHERCALC_KEY=...
GITEA: |
DB_PASSWORD=...
GITEA__database__PASSWD=...
GITEA__security__SECRET_KEY=...
GITEA__security__INTERNAL_TOKEN=...
SEARXNG: |
SEARXNG_SECRET=...
UMAMI: |
DB_PASSWORD=...
DATABASE_URL=postgresql://username:mypassword@localhost:5432/mydb
APP_SECRET=...
IMMICH: |
DB_URL = "postgresql://immich_user:...@localhost:5432/immich_db";

19
modules/server/sops/server.yaml
View File

@@ -1,5 +1,16 @@
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str] CUSTOM: ENC[AES256_GCM,data:8+973kGKWFbxGHTSnc+UDKC1Q5KKiTeESY68XHX2e2BVw7zpl2oYLPYv7wQ3JA2u6q5rFXrokNvh3ti6JcvQ/302APloPrw6YfC8RofjX7h+WVS9cBaND+AlliQqf+vGWI0VQoEFmJKogxbliIN9nGiL9FLa1QJHRJb1X4P76daakh1+P1eJlE4pgPvblPygDezabC/Pa2k3qCaGAvyOOyZYFNj5ttufmB0FlNQZMVLLuyA3xe92z6I/zbFPBY9RNa10v1+Wm5GRdD8JZHsJfPD1bLqH61mt/ZtczVY7fXnX9n3vbYYGaHiF/ylunydXgmAsDXjSWKwq5r7TCDnQR5lPqDpNtbLpnD+aY22e8AOSRlKLOhVUH2CU3B3Ry8pIYbVZz983DHgMoymd8ZISoHE+,iv:8/DRKfCYp+IG/UgxxxN2PgFjdd24Rc4wNpcVHP9KsAo=,tag:/ikcKONeiE5BWVLYoaWaCw==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str] TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
SEARXNG: ENC[AES256_GCM,data:gtKhEmMemzLRl4c3cYhMAQ+5vUth1IhWQeLvW1YtaG5TbhQHBR4PDREQOlGt+tlfGQrft+FeNhMSN/SKOp8gmScVWa+9qmltzxRGRpLm3m/VuBZvOlGdeUcKAX8zEH6A,iv:B2UEtjTRIjT6W+tH2gtcl6XMvZNgbvZUXTiBePGOu24=,tag:SHIF6eaWBLwy9RrEy1N9kg==,type:str]
UMAMI: ENC[AES256_GCM,data:onB/uXLajaRLmeQMGNHFsjREzPih9ha+cogGRw+nRomERSRrbBv+6gCqEr8F3Dcm818JB4jGRYKoIYG8Jl6gMDaz5QQiA4qAnbG19LuzVeVUgz4NGEgXBULoT/0sQacnyAPIfPEp+ESWRQH81nO6Qcs+rICpS2Xfeye5hb+8rSAxmLpY991AJ3+avGyMwPcpfNCkixWt68KuG5ZN/IGDksM/sSLGgyMisClbEdhigq4mwibOxpiWjcKk/17xYgY6Xz93h/yloHKZIZZpnyA+85YC6oNWgCPhkGIAVu3dGshp10a0nk1A2INm6vxNPbfUjYLkt3zDAPZtoBRCqUs+43Eh62hYgajgWCQJhjJkDgF4Y1ifGfDerIXs/cDpIKLt2+7VqM6/ouqIDPJ7khSAr+8bcHU4CKDtsDagob5PpCG4ABt44cg9cGw=,iv:HD450JZuWn2+V0pvOsDHy9oVAanFMf1el9LA1z0PULY=,tag:p7Vl7dtM8UdAUNgmdG+7cg==,type:str]
IMMICH: ENC[AES256_GCM,data:1y78yeawkRjUXLWPyFdMB5HCDQhb1PoxEMfHmKSZfv0CWloOrQWT735dlH+W9yC6ljZjqVD9Fwq/9GqqKQMTFMCpr8wVRwSHEuqmaG3UgKzbLA3aWZ1SIB0AiJi+eUunzHj2vikUJx9dMRjC+iNXrsVWh2HqMrOyFCWetZoIfxNiAgsgNKPgYYsHLv6OAZs9XT7V3veqe0zc0nyw7ghWSXne/yNhQESyyGlMAdagrJRNimvXIp/AoAUKl2WUJm2MBl7lb6K1YeJ1XW8OjAHzV8isBiUwU8ZD81VJog0fgTGjbUa+HO7jEo+9YwmDIMx3f5z9N4A=,iv:pboITW2rr7+w8VNZM6uYMMEFZ1S/JtqjNOVthpYJ2tQ=,tag:0dgrJ191sB4MLJHMoQBlCg==,type:str]
INVIDIOUS: ENC[AES256_GCM,data:ZfgU5UFMmG9Cx9UaR0xnKr9VPebG3kut0difTFZmoqOSs+stG6YJfV82OOhj1RQLVJlPr/scydYy1+3LytwvP1BT7tLe0jII7XupbkL0w3n79KBaiIzAPdicqLxeqjKH45I0NjHra4djdnO2Ff4T8CTiFDlPn1rMuiw=,iv:UaDmOKJ4bFPGCaIePLXkWot9E6sTu2nhaVs83sI38G0=,tag:spTjxWEmLfPc8BZl2GglBA==,type:str]
SERVARR: ENC[AES256_GCM,data:fukF7bejebMU7yp48fix,iv:CZkLyO8N8BqSk+0KDcMDrz1pbwaNH7Pg+NvNebdIdYM=,tag:AOMvnZOE0H6QDCmkPg3Kyw==,type:str]
sops: sops:
age: age:
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
@@ -20,8 +31,8 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-06T01:10:20Z" lastmodified: "2026-05-15T14:26:21Z"
mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str] mac: ENC[AES256_GCM,data:fIG4gFNzgbyfkn1ofd23c45MzCCExrga47y9/2vtuzRU5xXmB9A9uA80JQHCoRTdu/2NlJIrGyOKoZK4RENo75s8s2ZK+HzcTNGWyZptLjrRBIiBQJyDHDaAE34Ghdm96m8YwOyBsnanbgz8LhR8gyIDxSMEcqx+OQcOHqPGd20=,iv:fa7ToxI8mWqc5NqPjITqzxLvtTNodj7yohLkP51b058=,tag:DhXrHxqFON5zjI3uNclnxw==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-

2
modules/shared/colors/default.nix
View File

@@ -1,4 +1,4 @@
{ config, ... }: { { ... }: {
imports = [ ./sorahiro.nix ]; imports = [ ./sorahiro.nix ];
colorScheme.palette.border-radius = "#8"; colorScheme.palette.border-radius = "#8";

2
modules/shared/colors/sorahiro.nix
View File

@@ -1,4 +1,4 @@
{ nix-colors, ... }: { ... }:
let use_pastelle = true; let use_pastelle = true;
in{ in{
# usage: a = "#${config.colorScheme.palette.base00}"; # usage: a = "#${config.colorScheme.palette.base00}";

164
modules/shared/syscfg/default.nix
View File

@@ -5,160 +5,9 @@ let
(name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix")) (name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix"))
(builtins.readDir systemsDir)); (builtins.readDir systemsDir));
userOpt = with lib; {
username = mkOption { type = types.str; };
pubssh = mkOption { type = types.str; default=""; };
wm = mkOption {
type = types.enum [ "Wayland" "X11" "-" ];
default = "-";
};
git = {
username = mkOption { type = types.str; default = "Anonymous";};
email = mkOption { type = types.str; default = "anonymous@domain"; };
key = mkOption { type = types.nullOr types.str; default=null; };
};
};
netOpt = with lib; {
ble = {
enable = mkOption {
type = types.bool;
default = false;
};
};
wlp = {
enable = mkOption {
type = types.bool;
default = false;
};
nif = mkOption {
type = types.str;
default = "";
};
};
wg = {
enable = mkOption {
type = types.bool;
default = false;
};
ip4 = mkOption {
type = types.str;
default = "";
};
ip6 = mkOption {
type = types.str;
default = "";
};
pubkey = mkOption {
type = types.str;
default = "";
};
};
};
makeOpt = with lib; {
cli = mkOption {
type = types.bool;
default = true;
};
gui = mkOption {
type = types.bool;
default = false;
};
virt = mkOption {
type = types.bool;
default = false;
};
power = mkOption {
type = types.bool;
default = false;
};
game = mkOption {
type = types.bool;
default = false;
};
develop = mkOption {
type = types.bool;
default = false;
};
};
serverOpt = with lib; {
hostDomain = mkOption { type = types.str; };
shortName = mkOption { type = types.str; };
mailDomain = mkOption { type = types.str; };
mailServer = mkOption { type = types.str; };
dbHost = mkOption {
type = types.str;
default = "localhost";
};
dbPort = mkOption {
type = types.str;
default = "3306";
};
configPath = mkOption {
type = types.str;
default = "/media/config";
};
dataPath = mkOption {
type = types.str;
default = "/media/data";
};
containers = mkOption {
type = types.attrsOf (types.submodule {
options = {
enable = mkOption { type = types.bool;default = false; };
db = mkOption { type = types.bool;default = false; };
ip = mkOption { type = types.str; };
port = mkOption { type = types.port; };
extraParam = mkOption { type = types.str; default = ""; };
};
});
default = {};
};
sops = mkOption {
type = types.bool;
default = false;
};
openssh = mkOption {
type = types.bool;
default = false;
};
wireguard = mkOption {
type = types.bool;
default = false;
};
web = mkOption {
type = types.bool;
default = false;
};
nftables = {
enable = mkOption {
type = types.bool;
default = false;
};
ifs = mkOption {
type = types.listOf types.str;
default = [ ];
};
ports = mkOption {
type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
default = [];
description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
example = [
[ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
[ "ens3" "10.10.1.2" "IPV6" 80 80 ]
[ "ens3" "10.10.1.2" "IPV6" 443 443 ]
];
};
};
db = mkOption {
type = types.listOf (types.str);
default = [ ];
};
};
in with lib; { in with lib; {
options.usercfg = userOpt; options.usercfg = import ./user.nix {inherit lib;};
options.syscfg = { options.syscfg = {
hostname = mkOption { type = types.str; }; hostname = mkOption { type = types.str; };
type = mkOption { type = mkOption {
@@ -170,20 +19,17 @@ in with lib; {
default = "x86_64-linux"; default = "x86_64-linux";
}; };
defaultUser = mkOption { type = types.str; }; defaultUser = mkOption { type = types.str; };
make = makeOpt; make = import ./make.nix {inherit lib;};
net = netOpt; net = import ./net.nix {inherit lib;};
users = mkOption { users = mkOption {
type = types.listOf (types.submodule { options = userOpt; }); type = types.listOf (types.submodule { options = import ./user.nix {inherit lib;}; });
default = [ ]; default = [ ];
}; };
peers = mkOption { peers = mkOption {
default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames; default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames;
}; };
server = mkOption { server = mkOption {
type = types.oneOf [ type = types.oneOf [ types.bool (types.submodule { options = import ./server.nix {inherit lib;}; }) ];
types.bool
(types.submodule { options = serverOpt; })
];
default = false; default = false;
}; };
}; };

9
modules/shared/syscfg/make.nix Normal file
View File

@@ -0,0 +1,9 @@
{ lib,... }:
with lib; {
cli = mkOption { type = types.bool; default = true; };
gui = mkOption { type = types.bool; default = false; };
virt = mkOption { type = types.bool; default = false; };
power = mkOption { type = types.bool; default = false; };
game = mkOption { type = types.bool; default = false; };
develop = mkOption { type = types.bool; default = false; };
}

14
modules/shared/syscfg/net.nix Normal file
View File

@@ -0,0 +1,14 @@
{ lib,... }:
with lib; {
ble.enable = mkOption { type = types.bool; default = false; };
wlp = {
enable = mkOption { type = types.bool; default = false; };
nif = mkOption { type = types.str; default = ""; };
};
wg = {
enable = mkOption { type = types.bool; default = false; };
ip4 = mkOption { type = types.str; default = ""; };
ip6 = mkOption { type = types.str; default = ""; };
pubkey = mkOption { type = types.str; default = ""; };
};
}

92
modules/shared/syscfg/server.nix Normal file
View File

@@ -0,0 +1,92 @@
{ lib,... }:
let
in with lib; {
domain = mkOption { type = types.str; };
mailDomain = mkOption { type = types.str; };
mailServer = mkOption { type = types.str; };
configPath = mkOption {
type = types.str;
default = "/media/config";
};
dataPath = mkOption {
type = types.str;
default = "/media/data";
};
colorScheme = mkOption {
type = types.attrs;
default = (lib.evalModules { modules =[ { freeformType = with lib.types; attrsOf anything; } ../colors ];}).config.colorScheme ;
};
loadedContainers = lib.mkOption {
readOnly = true;
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
name = lib.mkOption {type = lib.types.str; default = name;};
sops = lib.mkOption {type = lib.types.bool; default = false;};
db = lib.mkOption {type = lib.types.bool; default = false;};
paths = lib.mkOption {type = lib.types.listOf lib.types.attrs; default = [ ];};
containers = lib.mkOption {type = lib.types.attrsOf lib.types.attrs; default = { };};
cron = lib.mkOption {type = lib.types.listOf lib.types.str; default = [ ];};
setup = {
trigger = lib.mkOption {type = lib.types.str; default = "";};
script = lib.mkOption {type = lib.types.nullOr lib.types.package; default = null;};
envFile = lib.mkOption {type = with lib.types; coercedTo str (x: [x]) (listOf str); default = [];};
};
};
}));
};
containers = mkOption {
type = types.attrsOf (types.submodule {
options = {
subdomain = mkOption { type = types.nullOr types.str; default=null;};
subpath = mkOption { type = types.nullOr types.str; default=null;};
port = mkOption { type = types.nullOr types.port; default = null; };
extra = mkOption { type = types.attrs; default = {}; };
};
});
default = {};
};
openssh = mkOption {
type = types.bool;
default = false;
};
wireguard = mkOption {
type = types.bool;
default = false;
};
web = mkOption {
type = types.bool;
default = false;
};
ipfw = {
enable = mkOption {
type = types.bool;
default = false;
};
ifs = mkOption {
type = types.listOf types.str;
default = [ ];
};
ports = mkOption {
type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
default = [];
description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
example = [
[ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
[ "ens3" "10.10.1.2" "IPV6" 80 80 ]
[ "ens3" "10.10.1.2" "IPV6" 443 443 ]
];
};
};
db = mkOption {
type = types.listOf (types.str);
default = [ ];
};
}

14
modules/shared/syscfg/user.nix Normal file
View File

@@ -0,0 +1,14 @@
{ lib,... }:
with lib; {
username = mkOption { type = types.str; };
pubssh = mkOption { type = types.str; default=""; };
wm = mkOption {
type = types.enum [ "Wayland" "X11" "-" ];
default = "-";
};
git = {
username = mkOption { type = types.str; default = "Anonymous";};
email = mkOption { type = types.str; default = "anonymous@domain"; };
key = mkOption { type = types.nullOr types.str; default=null; };
};
}

2
systems/gateway/cfg.nix
View File

@@ -29,7 +29,7 @@
openssh = true; openssh = true;
wireguard = true; wireguard = true;
web = true; web = true;
nftables = { ipfw = {
enable = true; enable = true;
ifs = ["ens3" "wg0" ]; ifs = ["ens3" "wg0" ];
ports = [ ports = [

53
systems/sandbox/cfg.nix
View File

@@ -19,25 +19,56 @@
virt = true; virt = true;
}; };
server = { server = {
domain = "test.helcel.net";
openssh = true; openssh = true;
web = true; web = true;
sops = true;
hostDomain = "test.helcel.net"; # mail = {
shortName = "testcel"; # server = ...
# user = ...
# ...
# };
mailDomain = "test@helcel"; mailDomain = "test@helcel";
mailServer = "infomaniak.ch"; mailServer = "infomaniak.ch";
dbHost = "localhost";
containers = { containers = {
#cloud = {enable = true;}; # ===== BASE =====
authentik = { traefik.subdomain = "traefik";
enable = true; traefik.extra={provider="infomaniak";};
db = true; umami.subdomain = "umami";
ip = "10.88.0.125"; authentik.subdomain = "sso";
port = 9000 ; searxng.subdomain = "searx";
# ===== CLOUD =====
nextcloud.subdomain = "cloud";
collabora.subdomain = "office";
etherpad.subdomain = "pad";
ethercalc.subdomain = "calc";
immich.subdomain = "pic";
# ===== FLIX =====
invidious.subdomain = "yt";
jellyfin.subdomain = "flix";
# servarr.subdomain = "arr";
transmission = {
subdomain = "arr";
subpath = "p2p";
}; };
# handbrake = {
# subdomain = "arr";
# subpath = "hb";
# };
# ===== DEV =====
gitea.subdomain = "git";
# ===== HOME =====
# homeassistant.subdomain = "hass";
# frigate = {
# subdomain = "hass";
# subpath = "cam";
# };
# trmnl = {
# subdomain = "hass";
# subpath = "trmnl";
# };
# influx.subdomain = "metrum";
}; };
}; };
}; };