chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

remove quassel, update stateVersion, move to new server, some tidying

Browse source
This commit is contained in:
chaos 2024-05-25 21:10:26 +01:00
parent 062200f2f4
commit 74dff8996d
No known key found for this signature in database
38 changed files with 186 additions and 628 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
data/serverIPs.nix
View file

@ -3,12 +3,8 @@ rec {
ipv4 = "65.21.145.62";
ipv6 = "2a01:4f9:c012:9dbf::1";
};
"hetzner-arm-new" = {
ipv4 = "65.21.0.145";
ipv6 = "2a01:4f9:c012:9b6b::1";
};
"vault" = {
ipv4 = "65.21.0.145";
ipv6 = "2a01:4f9:c012:9b6b::1";
};
}
}

25
home/musicLibrary.nix
View file

@ -44,23 +44,17 @@ in {
'';
};
home.file."Music/music-sync.sh" = {
home.file."Music/music-gen-listing.sh" = {
executable = true;
text = ''
#!/usr/bin/env bash
SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd "''${SCRIPT_DIR}"
rclone sync -P . Storage:Music --exclude "/*.sh"
restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1)
TMPDIR=$(mktemp -d)
TITLE="chaos's Music Library"
DESCRIPTION="A listing of all music we listen to and have downloaded/brought"
LINK_BASE="https://storage-http.owo.monster/Music"
TMPDIR=$(mktemp -d)
musicutil genhtml . "$TMPDIR" --title "$TITLE" --description "$DESCRIPTION" --link-base="$LINK_BASE"
pushd "$TMPDIR"
@ -79,6 +73,21 @@ in {
'';
};
home.file."Music/music-sync.sh" = {
executable = true;
text = ''
#!/usr/bin/env bash
SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd "''${SCRIPT_DIR}"
rclone sync -P . Storage:Music --exclude "/*.sh"
restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1)
bash $HOME/Music/music-gen-listing.sh
'';
};
home.file."Music/music-download.sh" = {
executable = true;
text = ''

4
hosts/hetzner-arm/containers/caldav/default.nix
View file

@ -39,8 +39,8 @@ in {
networking.firewall.allowedTCPPorts = [5232];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

4
hosts/hetzner-arm/containers/forgejo/default.nix
View file

@ -45,8 +45,8 @@ in {
networking.firewall.allowedTCPPorts = [2222];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

4
hosts/hetzner-arm/containers/grocy/default.nix
View file

@ -42,8 +42,8 @@ in {
networking.firewall.allowedTCPPorts = [80];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

4
hosts/hetzner-arm/containers/jellyfin/default.nix
View file

@ -60,8 +60,8 @@ in {
restic
]);
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

4
hosts/hetzner-arm/containers/mail/default.nix
View file

@ -72,8 +72,8 @@ in {
enable = mkForce false;
};
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

11
hosts/hetzner-arm/containers/music/default.nix
View file

@ -24,12 +24,6 @@
containerSecrets = config.containers.${containerName}.config.services.secrets.secrets;
pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path;
in {
nixpkgs.overlays = [
(final: _prev: {
mpd = final.mpd-headless;
})
];
containers.music = {
autoStart = true;
privateNetwork = true;
@ -75,7 +69,6 @@ in {
]
++ (with hosts.hetzner-arm.containers.music.profiles; [
mpd
#musicMount
]);
home-manager.users.root.imports = with tree; [home.apps.musicutil];
@ -88,8 +81,8 @@ in {
mpd-flac
];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

268
hosts/hetzner-arm/containers/music/modules/mpd-fork.nix
View file

@ -1,268 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
name = "mpd";
uid = config.ids.uids.mpd;
gid = config.ids.gids.mpd;
cfg = config.services.mpd-fork;
credentialsPlaceholder = creds: let
placeholders =
imap0
(i: c: ''password "{{password-${toString i}}}@${concatStringsSep "," c.permissions}"'')
creds;
in
concatStringsSep "\n" placeholders;
mpdConf = pkgs.writeText "mpd.conf" ''
# This file was automatically generated by NixOS. Edit mpd's configuration
# via NixOS' configuration.nix, as this file will be rewritten upon mpd's
# restart.
music_directory "${cfg.musicDirectory}"
playlist_directory "${cfg.playlistDirectory}"
${lib.optionalString (cfg.dbFile != null) ''
db_file "${cfg.dbFile}"
''}
state_file "${cfg.dataDir}/state"
sticker_file "${cfg.dataDir}/sticker.sql"
${optionalString (cfg.network.listenAddress != "any") ''bind_to_address "${cfg.network.listenAddress}"''}
${optionalString (cfg.network.port != 6600) ''port "${toString cfg.network.port}"''}
${optionalString cfg.fluidsynth ''
decoder {
plugin "fluidsynth"
soundfont "${pkgs.soundfont-fluid}/share/soundfonts/FluidR3_GM2-2.sf2"
}
''}
${optionalString (cfg.credentials != []) (credentialsPlaceholder cfg.credentials)}
${cfg.extraConfig}
'';
in {
###### interface
options = {
services.mpd-fork = {
enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to enable MPD, the music player daemon.
'';
};
package = mkPackageOption pkgs "mpd" {};
startWhenNeeded = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If set, {command}`mpd` is socket-activated; that
is, instead of having it permanently running as a daemon,
systemd will start it on the first incoming connection.
'';
};
musicDirectory = mkOption {
type = with types; either path (strMatching "(http|https|nfs|smb)://.+");
default = "${cfg.dataDir}/music";
defaultText = literalExpression ''"''${dataDir}/music"'';
description = lib.mdDoc ''
The directory or NFS/SMB network share where MPD reads music from. If left
as the default value this directory will automatically be created before
the MPD server starts, otherwise the sysadmin is responsible for ensuring
the directory exists with appropriate ownership and permissions.
'';
};
playlistDirectory = mkOption {
type = types.path;
default = "${cfg.dataDir}/playlists";
defaultText = literalExpression ''"''${dataDir}/playlists"'';
description = lib.mdDoc ''
The directory where MPD stores playlists. If left as the default value
this directory will automatically be created before the MPD server starts,
otherwise the sysadmin is responsible for ensuring the directory exists
with appropriate ownership and permissions.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = lib.mdDoc ''
Extra directives added to to the end of MPD's configuration file,
mpd.conf. Basic configuration like file location and uid/gid
is added automatically to the beginning of the file. For available
options see {manpage}`mpd.conf(5)`.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/${name}";
description = lib.mdDoc ''
The directory where MPD stores its state, tag cache, playlists etc. If
left as the default value this directory will automatically be created
before the MPD server starts, otherwise the sysadmin is responsible for
ensuring the directory exists with appropriate ownership and permissions.
'';
};
user = mkOption {
type = types.str;
default = name;
description = lib.mdDoc "User account under which MPD runs.";
};
group = mkOption {
type = types.str;
default = name;
description = lib.mdDoc "Group account under which MPD runs.";
};
network = {
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1";
example = "any";
description = lib.mdDoc ''
The address for the daemon to listen on.
Use `any` to listen on all addresses.
'';
};
port = mkOption {
type = types.port;
default = 6600;
description = lib.mdDoc ''
This setting is the TCP port that is desired for the daemon to get assigned
to.
'';
};
};
dbFile = mkOption {
type = types.nullOr types.str;
default = "${cfg.dataDir}/tag_cache";
defaultText = literalExpression ''"''${dataDir}/tag_cache"'';
description = lib.mdDoc ''
The path to MPD's database. If set to `null` the
parameter is omitted from the configuration.
'';
};
credentials = mkOption {
type = types.listOf (types.submodule {
options = {
passwordFile = mkOption {
type = types.path;
description = lib.mdDoc ''
Path to file containing the password.
'';
};
permissions = let
perms = ["read" "add" "control" "admin"];
in
mkOption {
type = types.listOf (types.enum perms);
default = ["read"];
description = lib.mdDoc ''
List of permissions that are granted with this password.
Permissions can be "${concatStringsSep "\", \"" perms}".
'';
};
};
});
description = lib.mdDoc ''
Credentials and permissions for accessing the mpd server.
'';
default = [];
example = [
{
passwordFile = "/var/lib/secrets/mpd_readonly_password";
permissions = ["read"];
}
{
passwordFile = "/var/lib/secrets/mpd_admin_password";
permissions = ["read" "add" "control" "admin"];
}
];
};
fluidsynth = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If set, add fluidsynth soundfont and configure the plugin.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
# install mpd units
systemd.packages = [cfg.package];
systemd.sockets.mpd = mkIf cfg.startWhenNeeded {
wantedBy = ["sockets.target"];
listenStreams = [
"" # Note: this is needed to override the upstream unit
(
if pkgs.lib.hasPrefix "/" cfg.network.listenAddress
then cfg.network.listenAddress
else "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}"
)
];
};
systemd.services.mpd = {
wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
preStart =
''
set -euo pipefail
install -m 600 ${mpdConf} /run/mpd/mpd.conf
''
+ optionalString (cfg.credentials != [])
(concatStringsSep "\n"
(imap0
(i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'')
cfg.credentials));
serviceConfig = {
User = "${cfg.user}";
# Note: the first "" overrides the ExecStart from the upstream unit
ExecStart = ["" "${cfg.package}/bin/mpd --systemd /run/mpd/mpd.conf"];
RuntimeDirectory = "mpd";
StateDirectory =
optionals (cfg.dataDir == "/var/lib/${name}") [name]
++ optionals (cfg.playlistDirectory == "/var/lib/${name}/playlists") [name "${name}/playlists"]
++ optionals (cfg.musicDirectory == "/var/lib/${name}/music") [name "${name}/music"];
};
};
users.users = optionalAttrs (cfg.user == name) {
"${name}" = {
inherit uid;
inherit (cfg) group;
extraGroups = ["audio"];
description = "Music Player Daemon user";
home = "${cfg.dataDir}";
};
};
users.groups = optionalAttrs (cfg.group == name) {
"${name}".gid = gid;
};
};
}

49
hosts/hetzner-arm/containers/music/profiles/mpd.nix
View file

@ -14,10 +14,16 @@ in {
mpc_cli
];
systemd.tmpfiles.rules = [
"d /var/lib/mpd - mpd mpd"
"d /var/lib/mpd/state - mpd mpd"
];
services.mpd = {
enable = true;
network.listenAddress = "0.0.0.0";
musicDirectory = "/Music";
musicDirectory = "nfs://127.0.0.1:2049/?version=3";
dbFile = null;
credentials = [
{
passwordFile = "${secrets.mpd_control_password.path}";
@ -70,4 +76,45 @@ in {
}
'';
};
systemd.services.mpd = {
wants = ["rclone-serve-nfs-music.service"];
after = ["rclone-serve-nfs-music.service"];
};
systemd.tmpfiles.rules = [
"d /caches - root root"
"d /caches/music_serve - mpd mpd"
];
services.rclone-serve = {
enable = true;
remotes = [
{
id = "main";
remote = "Music:";
type = "nfs";
user = "mpd";
serviceConfig = {
before = ["mpd.service"];
partOf = ["mpd.service"];
};
extraArgs = let
rcloneConfig = builtins.toFile "rclone.conf" ''
[Music]
type = webdav
url = https://storage-webdav.owo.monster/MusicRO/
vendor = other
'';
in [
"--addr=127.0.0.1:2049"
"--config=${rcloneConfig}"
"--cache-dir=/caches/music_serve"
"--vfs-cache-max-age=7d"
"--vfs-cache-max-size=4g"
"--vfs-cache-mode=full"
];
}
];
};
}

70
hosts/hetzner-arm/containers/music/profiles/musicMount.nix
View file

@ -1,70 +0,0 @@
{
pkgs,
config,
...
}: let
inherit (pkgs) writeShellScriptBin;
inherit (builtins) toFile;
rcloneConfig = toFile "rclone.conf" ''
[Music]
type = webdav
url = https://storage-webdav.owo.monster/MusicRO/
vendor = other
'';
mountMusic = pkgs.writeShellScriptBin "mount-music" ''
umount -flR /Music || true
rclone --config ${rcloneConfig} mount Music: /Music \
--allow-other \
--uid=${toString config.users.users.mpd.uid} \
--gid=${toString config.users.groups.mpd.gid} \
--fast-list \
--umask=666 \
--cache-dir=/root/.cache/music-mount \
--dir-cache-time=60m \
--vfs-cache-mode=full \
--vfs-cache-max-size=2g \
--vfs-cache-max-age=7d \
--log-level=INFO "$@"
'';
in {
environment.systemPackages = with pkgs; [
rclone
(writeShellScriptBin "rclone-music" ''
rclone --config ${rcloneConfig} "$@"
'')
fuse
fuse3
mountMusic
];
programs.fuse.userAllowOther = true;
systemd.services.music-mount = {
wantedBy = ["mpd.service"];
partOf = ["mpd.service"];
path = with pkgs; [
fuse
fuse3
rclone
util-linux
];
serviceConfig.ExecStart = "${mountMusic}/bin/mount-music --syslog";
};
systemd.tmpfiles.rules = [
"d /Music - mpd mpd"
"d /root/.cache - root root"
"d /root/.cache/music-mount - root root"
];
systemd.services.mpd = {
wants = ["music-mount.service"];
after = ["music-mount.service"];
serviceConfig = {
ReadOnlyPaths = "/Music";
};
};
}

4
hosts/hetzner-arm/containers/owncast/default.nix
View file

@ -45,8 +45,8 @@ in {
8080
];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

4
hosts/hetzner-arm/containers/postgresql/default.nix
View file

@ -39,8 +39,8 @@ in {
networking.firewall.allowedTCPPorts = [5432];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};
}

6
hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
View file

@ -8,23 +8,17 @@ in {
enableTCPIP = true;
ensureDatabases = [
"gotosocial"
"quassel"
];
ensureUsers = [
{
name = "gotosocial";
ensureDBOwnership = true;
}
{
name = "quassel";
ensureDBOwnership = true;
}
];
# If the host is a local container then use the container's IP
# otherwise use the host's IP
authentication = ''
host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust
host quassel quassel ${localContainersAddresses.containers."quassel"}/32 trust
'';
};
}

2
hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
View file

@ -10,7 +10,6 @@
backupPrepareCommand = "${
(pkgs.writeShellScriptBin "backupPrepareCommand" ''
systemctl start remotePostgreSQLBackup-gotosocial --wait
systemctl start remotePostgreSQLBackup-quassel --wait
'')
}/bin/backupPrepareCommand";
in {
@ -47,7 +46,6 @@ in {
backupUser = "postgres";
databases = [
"gotosocial"
"quassel"
];
};
}

56
hosts/hetzner-arm/containers/quassel/default.nix
View file

@ -1,56 +0,0 @@
{
self,
hostPath,
tree,
inputs,
config,
pkgs,
...
}: let
containerAddresses = import "${hostPath}/data/containerAddresses.nix";
hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.quassel;
in {
containers.quassel = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIP;
localAddress = containerIP;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[
presets.nixos.containerBase
./secrets.nix
]
++ (with hosts.hetzner-arm.containers.quassel.profiles; [
quassel
restic
]);
networking.firewall.allowedTCPPorts = [4242];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
};
};
networking.nat.forwardPorts = [
{
sourcePort = 4242;
destination = "${containerIP}\:4242";
}
];
networking.firewall.allowedTCPPorts = [4242];
}

6
hosts/hetzner-arm/containers/quassel/profiles/quassel.nix
View file

@ -1,6 +0,0 @@
{...}: {
services.quassel = {
enable = true;
interfaces = ["0.0.0.0"];
};
}

37
hosts/hetzner-arm/containers/quassel/profiles/restic.nix
View file

@ -1,37 +0,0 @@
{
self,
pkgs,
config,
...
}: let
backupSchedules = import "${self}/data/backupSchedules.nix";
inherit (config.services.secrets) secrets;
in {
environment.systemPackages = with pkgs; [
restic
(pkgs.writeShellScriptBin "restic-quassel" ''
env \
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@
'')
];
services.restic.backups.quassel = {
user = "root";
paths = [
# it's only backing up initial setup / credentials
# so no matter what DB is restored to it should work
"/home/quassel/.config/quassel-irc.org"
];
# repository is overrided in environmentFile to contain auth
# make sure to keep up to date when changing repository
repository = "rest:https://storage-restic.owo.monster/Quassel";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
pruneOpts = ["--keep-last 5"];
timerConfig = backupSchedules.restic.low;
};
}

37
hosts/hetzner-arm/containers/quassel/secrets.nix
View file

@ -1,37 +0,0 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm-container-quassel";
};
autoSecrets = {
enable = true;
};
requiredVaultPaths = [
"api-keys/data/storage/restic/Quassel"
"private-public-keys/data/restic/Quassel"
];
secrets = {
vault_password = {
manual = true;
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Quassel" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Quassel" .restic)
echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile"
'';
};
};
};
}

4
hosts/hetzner-arm/containers/rss/default.nix
View file

@ -39,8 +39,8 @@ in {
networking.firewall.allowedTCPPorts = [80];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

4
hosts/hetzner-arm/containers/social/default.nix
View file

@ -42,8 +42,8 @@ in {
allowedTCPPorts = [8080];
};
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

17
hosts/hetzner-arm/containers/storage/data/ports.nix
View file

@ -14,15 +14,14 @@ in {
restic_music = restic + 0;
restic_vault = restic + 1;
restic_social = restic + 2;
restic_quassel = restic + 3;
restic_postgresql = restic + 4;
restic_mail = restic + 5;
restic_forgejo = restic + 6;
restic_caldav = restic + 7;
restic_owncast = restic + 8;
restic_jellyfin = restic + 9;
restic_grocy = restic + 10;
restic_lappy_t495 = restic + 11;
restic_postgresql = restic + 3;
restic_mail = restic + 4;
restic_forgejo = restic + 5;
restic_caldav = restic + 6;
restic_owncast = restic + 7;
restic_jellyfin = restic + 8;
restic_grocy = restic + 9;
restic_lappy_t495 = restic + 10;
http_music = http + 0;
http_public = http + 1;

5
hosts/hetzner-arm/containers/storage/default.nix
View file

@ -76,8 +76,8 @@ in {
allowedTCPPorts = attrValues ports;
};
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};
@ -118,7 +118,6 @@ in {
"/Music/".proxyPass = "http://${containerIP}:${toString ports.restic_music}";
"/Vault/".proxyPass = "http://${containerIP}:${toString ports.restic_vault}";
"/Social/".proxyPass = "http://${containerIP}:${toString ports.restic_social}";
"/Quassel/".proxyPass = "http://${containerIP}:${toString ports.restic_quassel}";
"/PostgreSQL/".proxyPass = "http://${containerIP}:${toString ports.restic_postgresql}";
"/Mail/".proxyPass = "http://${containerIP}:${toString ports.restic_mail}";
"/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.restic_forgejo}";

10
hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
View file

@ -163,16 +163,6 @@ in {
"--baseurl=/Social/"
];
}
{
id = "restic-quassel";
remote = "StorageBox:Backups/Restic/Quassel";
type = "restic";
extraArgs = [
"--addr=0.0.0.0:${toString ports.restic_quassel}"
"--htpasswd=${secrets.restic_quassel_htpasswd.path}"
"--baseurl=/Quassel/"
];
}
{
id = "restic-postgresql";
remote = "StorageBox:Backups/Restic/PostgreSQL";

2
hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix
View file

@ -50,7 +50,7 @@ in {
{
source = "StorageBox:Notes";
dest = "B2-Chaos-Notes:";
id = "chaos_notes_public";
id = "chaos_notes";
}
# Pheonix System's B2
{

9
hosts/hetzner-arm/containers/storage/secrets.nix
View file

@ -29,7 +29,6 @@
"api-keys/data/storage/restic/Music"
"api-keys/data/storage/restic/Vault"
"api-keys/data/storage/restic/Social"
"api-keys/data/storage/restic/Quassel"
"api-keys/data/storage/restic/PostgreSQL"
"api-keys/data/storage/restic/Mail"
"api-keys/data/storage/restic/Forgejo"
@ -131,14 +130,6 @@
'';
};
restic_quassel_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
simple_get_htpasswd "/api-keys/storage/restic/Quassel" "$secretFile"
'';
};
restic_postgresql_htpasswd = {
user = "storage";
group = "storage";

4
hosts/hetzner-arm/containers/vault-ca/default.nix
View file

@ -41,8 +41,8 @@ in {
networking.firewall.allowedTCPPorts = [8200 8443];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};

17
hosts/hetzner-arm/data/containerAddresses.nix
View file

@ -4,14 +4,13 @@
storage = "10.0.1.2";
social = "10.0.1.3";
music = "10.0.1.4";
quassel = "10.0.1.5";
forgejo = "10.0.1.6";
postgresql = "10.0.1.7";
caldav = "10.0.1.8";
owncast = "10.0.1.9";
jellyfin = "10.0.1.10";
grocy = "10.0.1.11";
rss = "10.0.1.12";
vault-ca = "10.0.1.13";
forgejo = "10.0.1.5";
postgresql = "10.0.1.6";
caldav = "10.0.1.7";
owncast = "10.0.1.8";
jellyfin = "10.0.1.9";
grocy = "10.0.1.10";
rss = "10.0.1.11";
vault-ca = "10.0.1.12";
};
}

36
hosts/hetzner-arm/hetzner-arm.nix
View file

@ -14,7 +14,7 @@ in {
profiles.nginx
profiles.firewallAllow.httpCommon
profiles.chaosInternalWireGuard
# profiles.chaosInternalWireGuard
./hardware.nix
./secrets.nix
@ -22,22 +22,44 @@ in {
++ (forEach [
"social"
"storage"
"music"
"quassel"
"postgresql"
"mail"
"forgejo"
"caldav"
"owncast"
"jellyfin"
"grocy"
#"rss"
"vault-ca"
"music"
# "owncast"
# TODO: "rss"
] (name: ./containers + "/${name}"))
++ (with hosts.hetzner-arm.profiles; [
staticSites
]);
# TODO: environment.noXlibs = true;
nixpkgs.overlays = [
(_final: prev: {
# So we don't need to build all Vault
# when we already are using vault-bin on this server
vault = prev.vault-bin;
# Have no need for HW Accel, hoping it works with this
jellyfin-ffmpeg = prev.ffmpeg_6-headless;
ffmpeg = prev.ffmpeg-headless;
ffmpeg_4 = prev.ffmpeg_4-headless;
ffmpeg_5 = prev.ffmpeg_5-headless;
ffmpeg_6 = prev.ffmpeg_6-headless;
ffmpeg_7 = prev.ffmpeg_7-headless;
mpd = prev.mpd-headless;
})
];
# TODO: system.forbiddenDependenciesRegexes = ["libX11*"];
# For Containers
networking.nat = {
enable = true;
@ -47,6 +69,6 @@ in {
networking.hostName = "hetzner-arm";
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
}

6
hosts/lappy-surface/lappy-surface.nix
View file

@ -19,7 +19,7 @@
home-manager.users.root = {
imports = with tree; [home.base];
home.stateVersion = "23.05";
home.stateVersion = "24.05";
};
home-manager.users.chaos = {
@ -35,7 +35,7 @@
home.programming.languages.rust
home.programming.languages.nix
];
home.stateVersion = "23.05";
home.stateVersion = "24.05";
};
networking.firewall.enable = true;
@ -46,5 +46,5 @@
networking.hostName = "lappy-surface";
time.timeZone = "Europe/London";
system.stateVersion = "23.05";
system.stateVersion = "24.05";
}

2
hosts/lappy-surface/profiles/music-player-target.nix
View file

@ -52,7 +52,7 @@ in {
imports = with tree; [
home.base
];
home.stateVersion = "23.05";
home.stateVersion = "24.05";
};
systemd.services."music-player" = {

6
hosts/lappy-t495/lappy-t495.nix
View file

@ -21,7 +21,7 @@
home-manager.users.root = {
imports = with tree; [home.base];
home.stateVersion = "23.05";
home.stateVersion = "24.05";
};
home-manager.users.chaos = {
@ -39,7 +39,7 @@
home.gaming.platforms.steam
];
home.stateVersion = "23.05";
home.stateVersion = "24.05";
};
networking.firewall.enable = true;
@ -50,5 +50,5 @@
networking.hostName = "lappy-t495";
time.timeZone = "Europe/London";
system.stateVersion = "23.05";
system.stateVersion = "24.05";
}

4
hosts/nixos.nix
View file

@ -62,7 +62,7 @@
})
];
};
in {
in rec {
lappy-t495 = nixosUnstableSystem {
specialArgs =
defaultSpecialArgs
@ -77,7 +77,7 @@ in {
specialArgs =
defaultSpecialArgs
// {
hostPath = ./lappy-surfacr;
hostPath = ./lappy-surface;
};
system = "x86_64-linux";
modules = defaultModules ++ [./lappy-surface/lappy-surface.nix ./lappy-surface/hardware.nix];

4
hosts/raspberry/raspberry.nix
View file

@ -23,6 +23,6 @@
networking.hostName = "raspberry";
time.timeZone = "Europe/London";
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
}

6
hosts/wsl/wsl.nix
View file

@ -11,15 +11,15 @@
];
home-manager.users.root = {
home.stateVersion = "23.05";
home.stateVersion = "24.05";
};
home-manager.users.chaos = {
home.stateVersion = "23.05";
home.stateVersion = "24.05";
};
networking.hostName = "wsl";
time.timeZone = "Europe/London";
system.stateVersion = "23.05";
system.stateVersion = "24.05";
}

2
outputs.nix
View file

@ -54,7 +54,7 @@ in
packages = {
inherit (pkgs) comic-code comic-sans;
inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive;
inherit (pkgs) gotosocial mpd-headless owncast;
inherit (pkgs) gotosocial mpd-headless;
inherit (pkgs) kitty-terminfo;
};
}

43
overlay/default.nix
View file

@ -39,46 +39,9 @@ final: prev: rec {
"systemd"
"syslog"
"io_uring"
"curl"
"nfs"
"webdav"
];
};
owncast =
(prev.owncast.override {
ffmpeg = final.ffmpeg_6-headless;
})
.overrideAttrs (_old: {doCheck = false;});
gotosocial = prev.gotosocial.overrideAttrs (_old: let
owner = "superseriousbusiness";
repo = "gotosocial";
version = "0.15.0";
source-hash = "sha256-z0iETddkw4C2R6ig9ZO8MTvhuWnmQ37/6q3oZ4WAzd4=";
web-assets-hash = "sha256-vrSdFIdBcfj6+sxtvv1s/Mu85I1mKxjyUYS902oLKk4=";
web-assets = final.fetchurl {
url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz";
hash = web-assets-hash;
};
in {
inherit version;
src = final.fetchFromGitHub {
inherit owner repo;
rev = "refs/tags/v${version}";
hash = source-hash;
};
passthru.web-assets = web-assets;
ldflags = ["-s" "-w" "-X main.Version=${version}"];
doCheck = false;
postInstall = ''
tar xf ${web-assets}
mkdir -p $out/share/gotosocial
mv web $out/share/gotosocial/
'';
});
}

32
profiles/serverExtras.nix
View file

@ -17,12 +17,36 @@
in {
environment.systemPackages =
[
(writeShellScriptBin "server-extras-info" ''
${pkgs.bat}/bin/bat -l markdown ${builtins.toFile "server-extras-info.md" ''
# Available Commands:
- journalctl-vaccum-all
Vaccums host and all container systemd journals
- journalctl-vaccum-host
Vaccums systemd journal on host
- journalctl-vaccum-`$name`
Vaccums systemd journal on a specific container
- journalctl-container-`$name`
journalctl but for a specific container
- systemctl-container-`$name`
systemctl but for a specific container
- systemctl-list-failed-all
Lists all failed units in host and containers
- restart-service-all
Restarts a service on host and all containers
- shell-enter-`$name`
Opens an interactive shell with container
''}
'')
(writeShellScriptBin "journalctl-vaccum-all" ''
journalctl --vacuum-size=${vaccumSize}
${concatStringsSep "\n" (forEach containerNames (name: ''
journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name}
''))}
'')
(writeShellScriptBin "journalctl-vaccum-host" ''
journalctl --vacuum-size=${vaccumSize}
'')
(writeShellScriptBin "systemctl-list-failed-all" ''
echo "Host: "
systemctl --failed
@ -31,6 +55,14 @@ in {
systemctl -M ${name} --failed
''))}
'')
(writeShellScriptBin "restart-service-all" ''
echo "Host: "
systemctl restart $@
${concatStringsSep "\n" (forEach containerNames (name: ''
echo "Container: ${name}"
systemctl -M ${name} restart $@
''))}
'')
]
++ forEach containerNames (name: (writeShellScriptBin "journalctl-vaccum-${name}" ''
journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name}