diff --git a/nixos/mirai/configuration.nix b/nixos/mirai/configuration.nix
deleted file mode 100644
index 707bdef9..00000000
--- a/nixos/mirai/configuration.nix
+++ /dev/null
@@ -1,186 +0,0 @@
-{
- config,
- pkgs,
- device,
- ...
-}: {
- imports = [
- # Include the results of the hardware scan.
- ./services
- ./mirai.nix
- # ./docker.nix
- ];
-
- virtualisation.docker.enable = true;
- # virtualisation.podman = {
- # enable = true;
- # dockerSocket.enable = true;
- # defaultNetwork.dnsname.enable = true;
- # };
- users.extraUsers.${device.user}.extraGroups = ["docker"];
- environment.systemPackages = with pkgs; [
- arion
- ];
-
- security.sudo.wheelNeedsPassword = false;
- sops = {
- secrets."builder/mirai/cache/private" = {};
- secrets.users = {
- sopsFile = ../../secrets/users.yaml;
- format = "yaml";
- key = "";
- };
- };
-
- # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
-
- nix = {
- settings = {
- max-jobs = 1;
- cores = 8;
- auto-optimise-store = true;
- extra-experimental-features = "nix-command flakes auto-allocate-uids";
- trusted-users = [device.user "remotebuilder"];
- trusted-substituters = [
- "https://nix-community.cachix.org"
- "https://nixos-raspberrypi.cachix.org"
- # "https://sh.darksailor.dev"
- ];
- trusted-public-keys = [
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
- # "mirai:bcVPoFGBZ0i7JAKMXIqLj2GY3CulLC4kP7rQyqes1RM="
- ];
- };
- extraOptions = ''
- build-users-group = nixbld
- extra-nix-path = nixpkgs=flake:nixpkgs
- builders-use-substitutes = true
- secret-key-files = ${config.sops.secrets."builder/mirai/cache/private".path}
- '';
- gc = {
- automatic = true;
- dates = "daily";
- options = "--delete-older-than 5d";
- };
- package = pkgs.nixVersions.latest; # deploy-rs doesn't work with nix >= 2.32
- distributedBuilds = true;
- };
-
- users.users.${device.user} = {
- isNormalUser = true;
- extraGroups = ["wheel" "docker" "media"];
- openssh.authorizedKeys.keyFiles = [
- ../../secrets/id_ed25519.pub
- ../../secrets/id_ios.pub
- ];
- };
- users.users.remotebuilder = {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = [
- ../../secrets/id_ed25519.pub
- ];
- };
- users.groups.media = {};
-
- nixpkgs.config.allowUnfree = true;
- networking.hostName = "mirai"; # Define your hostname.
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
-
- # Set your time zone.
- time.timeZone = "Europe/Helsinki";
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # Select internationalisation properties.
- # i18n.defaultLocale = "en_US.UTF-8";
- # console = {
- # font = "Lat2-Terminus16";
- # keyMap = "us";
- # useXkbConfig = true; # use xkb.options in tty.
- # };
-
- # Enable the X11 windowing system.
- # services.xserver.enable = true;
-
- # Configure keymap in X11
- # services.xserver.xkb.layout = "us";
- # services.xserver.xkb.options = "eurosign:e,caps:escape";
-
- # Enable CUPS to print documents.
- # services.printing.enable = true;
-
- # Enable sound.
- # hardware.pulseaudio.enable = true;
- # OR
- # services.pipewire = {
- # enable = true;
- # pulse.enable = true;
- # };
-
- # Enable touchpad support (enabled default in most desktopManager).
- # services.libinput.enable = true;
-
- # Define a user account. Don't forget to set a password with ‘passwd’.
- # users.users.alice = {
- # isNormalUser = true;
- # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
- # packages = with pkgs; [
- # firefox
- # tree
- # ];
- # };
-
- # List packages installed in system profile. To search, run:
- # $ nix search wget
- # environment.systemPackages = with pkgs; [
- # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
- # wget
- # ];
-
- # Some programs need SUID wrappers, can be configured further or are
- # started in user sessions.
- # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # };
-
- # List services that you want to enable:
-
- # Enable the OpenSSH daemon.
- services.openssh.enable = true;
-
- # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [22 80 443];
-
- # Copy the NixOS configuration file and link it from the resulting system
- # (/run/current-system/configuration.nix). This is useful in case you
- # accidentally delete configuration.nix.
- # system.copySystemConfiguration = true;
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
- # to actually do that.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "24.11"; # Did you read the comment?
-}
diff --git a/nixos/mirai/disk-config.nix b/nixos/mirai/disk-config.nix
deleted file mode 100644
index 4ce69c34..00000000
--- a/nixos/mirai/disk-config.nix
+++ /dev/null
@@ -1,96 +0,0 @@
-{...}: {
- disko.devices = {
- disk = {
- one = {
- type = "disk";
- device = "/dev/nvme0n1";
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- priority = 1;
- name = "ESP";
- size = "1G";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = ["umask=0077"];
- };
- };
- primary = {
- size = "100%";
- content = {
- type = "lvm_pv";
- vg = "pool";
- };
- };
- };
- };
- };
- two = {
- type = "disk";
- device = "/dev/nvme1n1";
- content = {
- type = "gpt";
- partitions = {
- primary = {
- size = "100%";
- content = {
- type = "lvm_pv";
- vg = "pool";
- };
- };
- };
- };
- };
- };
- lvm_vg = {
- pool = {
- type = "lvm_vg";
- lvs = {
- root = {
- size = "64G";
- lvm_type = "mirror";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [
- "defaults"
- ];
- };
- };
- nix = {
- size = "256G";
- lvm_type = "raid0";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/nix";
- };
- };
- home = {
- size = "256G";
- lvm_type = "raid0";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/home";
- };
- };
- media = {
- size = "100%";
- lvm_type = "raid0";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/media";
- };
- };
- };
- };
- };
- };
-}
diff --git a/nixos/mirai/docker.nix b/nixos/mirai/docker.nix
deleted file mode 100644
index 3a386d90..00000000
--- a/nixos/mirai/docker.nix
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: {
- # virtualisation = {
- # docker.enable = true;
- # podman.enable = true;
- # oci-containers = {
- # backend = "podman";
- # containers.homeassistant = {
- # volumes = ["home-assistant:/config"];
- # environment.TZ = "Asia/Kolkata";
- # image = "ghcr.io/home-assistant/home-assistant:stable"; # Warning: if the tag does not change, the image will not be updated
- # extraOptions = [
- # "--network=ha-net"
- # ];
- # };
- # };
- # };
- # networking.firewall.allowedTCPPorts = [8123];
- # environment.systemPackages = with pkgs; [
- # docker
- # podman
- # ];
- # services.caddy = {
- # enable = true;
- # virtualHosts."home.darksailor.dev".extraConfig = ''
- # reverse_proxy localhost:8123
- # '';
- # };
- # containers.llama = {
- # autoStart = true;
- # privateNetwork = true;
- # hostAddress = "192.168.100.10";
- # localAddress = "192.168.100.11";
- # hostAddress6 = "fc00::1";
- # localAddress6 = "fc00::2";
- # config = {
- # config,
- # pkgs,
- # libs,
- # ...
- # }: {
- # system.stateVersion = "24.11";
- # networking = {
- # firewall = {
- # enable = true;
- # allowedTCPPorts = [4000];
- # };
- # # Use systemd-resolved inside the container
- # # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
- # useHostResolvConf = lib.mkForce false;
- # };
- # services.resolved.enable = true;
- # services.llama-cpp = {
- # enable = true;
- # host = "127.0.0.1";
- # port = 4000;
- # model = builtins.fetchurl {
- # name = "qwen_2.5.1_coder_7b_instruct_gguf";
- # sha256 = "61834b88c1a1ce5c277028a98c4a0c94a564210290992a7ba301bbef96ef8eba";
- # url = "https://huggingface.co/bartowski/Qwen2.5.1-Coder-7B-Instruct-GGUF/resolve/main/Qwen2.5.1-Coder-7B-Instruct-Q8_0.gguf?download=true";
- # };
- # };
- # };
- # };
-}
diff --git a/nixos/mirai/mirai.nix b/nixos/mirai/mirai.nix
deleted file mode 100644
index ec39b35c..00000000
--- a/nixos/mirai/mirai.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ./disk-config.nix
- ];
-
- boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci"];
- boot.initrd.kernelModules = ["dm-snapshot"];
- boot.kernelModules = ["kvm-amd"];
- boot.extraModulePackages = [];
- boot.binfmt.emulatedSystems = ["aarch64-linux"];
-
- fileSystems."/var/lib/nextcloud" = {
- device = "/media/nextcloud";
- options = [
- "bind"
- ];
- };
- fileSystems."/var/lib/docker" = {
- device = "/media/docker";
- options = [
- "bind"
- ];
- };
-
- fileSystems."/home".neededForBoot = true;
-
- # fileSystems."/" = {
- # device = "/dev/disk/by-uuid/8f805d1b-a469-4db8-9ee1-b98ea220714a";
- # fsType = "ext4";
- # };
- #
- # fileSystems."/boot" = {
- # device = "/dev/disk/by-uuid/D840-A590";
- # fsType = "vfat";
- # options = ["fmask=0022" "dmask=0022"];
- # };
- #
- # fileSystems."/media" = {
- # device = "/dev/disk/by-uuid/cad22fc7-08d2-4650-8d5e-a101e3fd1bd1";
- # fsType = "ext4";
- # };
-
- swapDevices = [];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/nixos/mirai/services/attic.nix b/nixos/mirai/services/attic.nix
deleted file mode 100644
index 1d8e218e..00000000
--- a/nixos/mirai/services/attic.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{...}: {
- services = {
- atticd = {
- enable = false;
- listen = "/run/attic.sock";
- };
- caddy = {
- virtualHosts."cache.darksailor.dev".extraConfig = ''
- reverse_proxy /run/attic.sock {
- transport http {
- protocol = "fd"
- }
- }
- '';
- };
- };
-}
diff --git a/nixos/mirai/services/atuin.nix b/nixos/mirai/services/atuin.nix
deleted file mode 100644
index 475e2b45..00000000
--- a/nixos/mirai/services/atuin.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{...}: {
- services = {
- atuin = {
- enable = true;
- openRegistration = false;
- };
- caddy = {
- virtualHosts."atuin.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:8888
- '';
- };
- };
-}
diff --git a/nixos/mirai/services/authelia.nix b/nixos/mirai/services/authelia.nix
deleted file mode 100644
index 1777c84b..00000000
--- a/nixos/mirai/services/authelia.nix
+++ /dev/null
@@ -1,107 +0,0 @@
-{config, ...}: {
- sops = {
- secrets = let
- user = config.systemd.services.authelia-darksailor.serviceConfig.User;
- in {
- "authelia/servers/darksailor/jwtSecret".owner = user;
- "authelia/servers/darksailor/storageEncryptionSecret".owner = user;
- "authelia/servers/darksailor/sessionSecret".owner = user;
- "authelia/users/servius".owner = user;
- "lldap/users/authelia".owner = user;
- users.owner = user;
- "authelia/oidc/jwks".owner = user;
- };
- };
- services = {
- authelia = {
- instances.darksailor = {
- enable = true;
- settings = {
- authentication_backend = {
- password_reset.disable = false;
- password_change.disable = false;
- ldap = {
- address = "ldap://localhost:389";
- timeout = "5s";
- base_dn = "dc=darksailor,dc=dev";
- user = "cn=authelia,ou=people,dc=darksailor,dc=dev";
- users_filter = "(&({username_attribute}={input})(objectClass=person))";
- groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
- additional_users_dn = "OU=people";
- additional_groups_dn = "OU=groups";
- };
- };
- session = {
- cookies = [
- {
- domain = "darksailor.dev";
- authelia_url = "https://auth.darksailor.dev";
- name = "authelia_session";
- }
- ];
- };
- access_control = {
- default_policy = "one_factor";
- rules = let
- bypass_api = domain: [
- {
- inherit domain;
- policy = "bypass";
- resources = [
- "^/api([/?].*)?$"
- ];
- }
- {
- inherit domain;
- policy = "one_factor";
- }
- ];
- in
- (bypass_api "sonarr.tsuba.darksailor.dev")
- ++ (bypass_api "radarr.tsuba.darksailor.dev")
- ++ (bypass_api "lidarr.tsuba.darksailor.dev")
- ++ (bypass_api "bazarr.tsuba.darksailor.dev")
- ++ (bypass_api "prowlarr.tsuba.darksailor.dev");
- };
- storage = {
- local = {
- path = "/var/lib/authelia-darksailor/authelia.sqlite3";
- };
- };
- theme = "dark";
- notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log";
- server = {
- address = "0.0.0.0:5555";
- endpoints.authz = {
- forward-auth = {
- implementation = "ForwardAuth";
- };
- auth-request = {
- implementation = "AuthRequest";
- };
- };
- };
- };
- secrets = {
- jwtSecretFile = config.sops.secrets."authelia/servers/darksailor/jwtSecret".path;
- storageEncryptionKeyFile = config.sops.secrets."authelia/servers/darksailor/storageEncryptionSecret".path;
- sessionSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path;
- oidcHmacSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path;
- oidcIssuerPrivateKeyFile = config.sops.secrets."authelia/oidc/jwks".path;
- };
- environmentVariables = {
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."lldap/users/authelia".path;
- };
- };
- };
- caddy = {
- virtualHosts."auth.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:5555 {
- # header_up Host {http.request.header.X-Forwarded-Host}
- # header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
- # header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
- }
- '';
- };
- };
-}
diff --git a/nixos/mirai/services/caddy.nix b/nixos/mirai/services/caddy.nix
deleted file mode 100644
index ec9add9e..00000000
--- a/nixos/mirai/services/caddy.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{...}: {
- services = {
- caddy = {
- enable = true;
- extraConfig = ''
- (auth) {
- forward_auth localhost:5555 {
- uri /api/authz/forward-auth?authelia_url=https://auth.darksailor.dev
- copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
- }
- }
- '';
- };
- };
-}
diff --git a/nixos/mirai/services/default.nix b/nixos/mirai/services/default.nix
deleted file mode 100644
index 478aa438..00000000
--- a/nixos/mirai/services/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{...}: {
- imports = [
- # ./atuin.nix
- # ./authelia.nix
- # ./caddy.nix
- # ./excalidraw.nix
- # ./fail2ban.nix
- # ./flaresolverr.nix
- # ./games
- # ./gitea.nix
- # ./homepage.nix
- # # ./immich.nix
- # ./immich.nix
- # # ./llama.nix
- # ./lldap.nix
- # ./nextcloud.nix
- # # ./paperless.nix
- # ./prowlarr.nix
- # ./resolved.nix
- # ./searxng.nix
- ./tailscale.nix
- # ./headscale.nix
- # ./shitpost.nix
- ];
- services = {
- nix-serve = {
- enable = true;
- };
- };
-}
diff --git a/nixos/mirai/services/excalidraw.nix b/nixos/mirai/services/excalidraw.nix
deleted file mode 100644
index 08fb46fd..00000000
--- a/nixos/mirai/services/excalidraw.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{...}: {
- virtualisation.oci-containers = {
- backend = "docker";
- containers = {
- excalidraw = {
- image = "excalidraw/excalidraw:latest";
- ports = ["127.0.0.1:5959:80"];
- volumes = [];
- };
- };
- };
- services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
- import auth
- reverse_proxy localhost:5959
- '';
- services.authelia = {
- instances.darksailor = {
- settings = {
- access_control = {
- rules = [
- {
- domain = "draw.darksailor.dev";
- policy = "one_factor";
- }
- ];
- };
- };
- };
- };
-}
diff --git a/nixos/mirai/services/fail2ban.nix b/nixos/mirai/services/fail2ban.nix
deleted file mode 100644
index 349a705d..00000000
--- a/nixos/mirai/services/fail2ban.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{...}: {
- # sops = {
- # secrets."ryu/public" = {};
- # };
- services = {
- fail2ban = {
- enable = true;
- bantime = "24h"; # Ban IPs for one day on the first ban
- bantime-increment = {
- enable = true; # Enable increment of bantime after each violation
- # formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
- multipliers = "1 2 4 8 16 32 64";
- maxtime = "168h"; # Do not ban for more than 1 week
- overalljails = true; # Calculate the bantime based on all the violations
- };
- # I'm beind a CG-NAT
- ignoreIP = [
- "106.219.121.52"
- ];
- };
- };
-}
diff --git a/nixos/mirai/services/flaresolverr.nix b/nixos/mirai/services/flaresolverr.nix
deleted file mode 100644
index 08986daf..00000000
--- a/nixos/mirai/services/flaresolverr.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{stablePkgs, ...}: {
- services = {
- flaresolverr = {
- enable = true;
- package = stablePkgs.flaresolverr;
- };
- };
-}
diff --git a/nixos/mirai/services/games/default.nix b/nixos/mirai/services/games/default.nix
deleted file mode 100644
index ddca14d6..00000000
--- a/nixos/mirai/services/games/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{...}: {
- imports = [
- ./minecraft.nix
- ./satisfactory.nix
- ./terraria.nix
- ];
-}
diff --git a/nixos/mirai/services/games/minecraft.nix b/nixos/mirai/services/games/minecraft.nix
deleted file mode 100644
index e0cba319..00000000
--- a/nixos/mirai/services/games/minecraft.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- pkgs,
- inputs,
- ...
-}: {
- # imports = [inputs.nix-minecraft.nixosModules.minecraft-servers];
- services = let
- whitelist = {
- "AbhinavSE" = "8b6c052e-69b3-4bee-b9dc-12eb94653c9e";
- "Serveus" = "79882fb6-d594-4073-a3d0-70a01d0abb67";
- "__Shun__" = "1c7a300f-98e4-402c-8741-432f3494bb25";
- "shashikant" = "20891e82-203c-4d04-9868-79a5879ecfc3";
- };
- in {
- minecraft-server = {
- inherit whitelist;
- enable = false;
- openFirewall = true;
- eula = true;
- declarative = true;
- serverProperties = {
- motd = "Servius's Minecraft Server";
- level-seed = "4504535438041489910";
- view-distance = 24;
- white-list = true;
- };
- package = let
- getJavaVersion = v: (builtins.getAttr "openjdk${toString v}" pkgs.javaPackages.compiler).headless;
- in
- pkgs.minecraft-server.override {
- url = "https://piston-data.mojang.com/v1/objects/6e64dcabba3c01a7271b4fa6bd898483b794c59b/server.jar";
- sha1 = "sha1-bmTcq7o8AacnG0+mvYmEg7eUxZs=";
- version = "1.21.6";
- jre_headless = getJavaVersion 21;
- };
- };
- # minecraft-servers = {
- # enable = true;
- # eula = true;
- # openFirewall = true;
- # servers.fabric = {
- # inherit whitelist;
- # enable = true;
- # jvmOpts = "-Xmx4G -Xms4G";
- # package = pkgs.fabricServers.fabric-1_21_7;
- # serverProperties = {
- # motd = "Servius's Fabric Minecraft Server";
- # server-port = 25567;
- # level-seed = "4504535438041489910";
- # view-distance = 24;
- # white-list = true;
- # };
- # };
- # };
- };
-}
diff --git a/nixos/mirai/services/games/satisfactory.nix b/nixos/mirai/services/games/satisfactory.nix
deleted file mode 100644
index de078117..00000000
--- a/nixos/mirai/services/games/satisfactory.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
- imports = [
- ../../../../modules/nixos/satisfactory.nix
- ];
- services.satisfactory = {
- # enable = true;
- enable = false;
- maxPlayers = 4;
- };
-}
diff --git a/nixos/mirai/services/games/terraria.nix b/nixos/mirai/services/games/terraria.nix
deleted file mode 100644
index 68698f58..00000000
--- a/nixos/mirai/services/games/terraria.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{...}: {
- services.terraria = {
- enable = true;
- # port = 7777;
- autoCreatedWorldSize = "large";
- };
-}
diff --git a/nixos/mirai/services/gitea.nix b/nixos/mirai/services/gitea.nix
deleted file mode 100644
index 4b3e3ce1..00000000
--- a/nixos/mirai/services/gitea.nix
+++ /dev/null
@@ -1,185 +0,0 @@
-{
- lib,
- config,
- pkgs,
- ...
-}: {
- virtualisation.docker.enable = true;
- sops = {
- # secrets."gitea/registration".owner = config.systemd.services.gitea-actions-mirai.serviceConfig.User;
- secrets."gitea/registration" = {};
- secrets."authelia/oidc/gitea/client_secret" = {
- owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
- mode = "0440";
- restartUnits = [
- "gitea.service"
- "authelia-darksailor.service"
- ];
- };
- secrets."authelia/oidc/gitea/client_id" = {
- owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
- mode = "0440";
- restartUnits = [
- "gitea.service"
- "authelia-darksailor.service"
- ];
- };
- templates = {
- "GITEA_REGISTRATION_TOKEN.env".content = ''
- TOKEN=${config.sops.placeholder."gitea/registration"}
- '';
- "GITEA_OAUTH_SETUP.env".content = ''
- CLIENT_ID=${config.sops.placeholder."authelia/oidc/gitea/client_id"}
- CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/gitea/client_secret"}
- '';
- };
- };
- services = {
- gitea = {
- enable = true;
- lfs.enable = true;
- settings = {
- service = {
- DISABLE_REGISTRATION = false;
- ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- SHOW_REGISTRATION_BUTTON = false;
- ENABLE_REVERSE_PROXY_AUTHENTICATION = false;
- ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false;
- ENABLE_PASSWORD_SIGNIN_FORM = false;
- };
- repository = {
- ENABLE_PUSH_CREATE_USER = true;
- };
- mailer = {
- ENABLED = true;
- PROTOCOL = "sendmail";
- };
- security = {
- REVERSE_PROXY_AUTHENTICATION_USER = "REMOTE-USER";
- };
- server = {
- ROOT_URL = "https://git.darksailor.dev";
- DOMAIN = "git.darksailor.dev";
- # LFS_START_SERVER = true;
- LFS_ALLOW_PURE_SSH = true;
- };
- oauth2_client = {
- ENABLE_AUTO_REGISTRATION = true;
- ACCOUNT_LINKING = "auto";
- OPENID_CONNECT_SCOPES = "openid profile email";
- };
- openid = {
- ENABLE_OPENID_SIGNIN = false;
- ENABLE_OPENID_SIGNUP = true;
- WHITELISTED_URIS = "auth.darksailor.dev";
- };
- };
- };
- # gitea-actions-runner = {
- # instances = {
- # mirai = {
- # enable = true;
- # name = "mirai";
- # url = "https://git.darksailor.dev";
- # labels = [
- # "ubuntu-latest:docker://catthehacker/ubuntu:full-latest"
- # "ubuntu-22.04:docker://catthehacker/ubuntu:full-22.04"
- # "ubuntu-20.04:docker://catthehacker/ubuntu:full-20.04"
- # "native:host"
- # ];
- # tokenFile = "${config.sops.templates."GITEA_REGISTRATION_TOKEN.env".path}";
- # };
- # };
- # };
- caddy = {
- virtualHosts."git.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:3000
- '';
- };
- authelia = {
- instances.darksailor = {
- settings = {
- # access_control = {
- # rules = [
- # {
- # domain = "git.darksailor.dev";
- # policy = "bypass";
- # resources = [
- # "^/api([/?].*)?$"
- # ];
- # }
- # {
- # domain = "git.darksailor.dev";
- # policy = "one_factor";
- # }
- # ];
- # };
- identity_providers = {
- oidc = {
- clients = [
- {
- client_name = "Gitea: Darksailor";
- client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_id".path}" }}'';
- client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_secret".path}" }}'';
- public = false;
- authorization_policy = "one_factor";
- require_pkce = false;
- # pkce_challenge_method = "S256";
- redirect_uris = [
- "https://git.darksailor.dev/user/oauth2/authelia/callback"
- ];
- scopes = [
- "openid"
- "email"
- "profile"
- ];
- response_types = ["code"];
- grant_types = ["authorization_code"];
- userinfo_signed_response_alg = "none";
- token_endpoint_auth_method = "client_secret_post";
- }
- ];
- };
- };
- };
- };
- };
- };
- systemd.services.gitea = {
- after = ["sops-install-secrets.service"];
- };
-
- # systemd.services."gitea-actions-mirai" = {
- # after = ["gitea.service"];
- # };
-
- # systemd.services.gitea-oauth-setup = let
- # name = "authelia";
- # gitea_oauth_script = pkgs.writeShellApplication {
- # name = "gitea_oauth2_script";
- # runtimeInputs = [config.services.gitea.package];
- # text = ''
- # gitea admin auth delete --id "$(gitea admin auth list | grep "${name}" | cut -d "$(printf '\t')" -f1)"
- # gitea admin auth add-oauth --provider=openidConnect --name=${name} --key="$CLIENT_ID" --secret="$CLIENT_SECRET" --auto-discover-url=https://auth.darksailor.dev/.well-known/openid-configuration --scopes='openid email profile'
- # '';
- # };
- # in {
- # description = "Configure Gitea OAuth with Authelia";
- # after = ["gitea.service"];
- # wants = ["gitea.service"];
- # wantedBy = ["multi-user.target"];
- # serviceConfig = {
- # Type = "oneshot";
- # User = config.services.gitea.user;
- # Group = config.services.gitea.group;
- # RemainAfterExit = true;
- # ExecStart = "${lib.getExe gitea_oauth_script}";
- # WorkingDirectory = config.services.gitea.stateDir;
- # EnvironmentFile = config.sops.templates."GITEA_OAUTH_SETUP.env".path;
- # };
- # environment = {
- # GITEA_WORK_DIR = config.services.gitea.stateDir;
- # GITEA_CUSTOM = config.services.gitea.customDir;
- # };
- # };
-}
diff --git a/nixos/mirai/services/headscale.nix b/nixos/mirai/services/headscale.nix
deleted file mode 100644
index 74594c0c..00000000
--- a/nixos/mirai/services/headscale.nix
+++ /dev/null
@@ -1,79 +0,0 @@
-{config, ...}: {
- sops = {
- secrets.headscale-secret = {
- owner = config.systemd.services.headscale.serviceConfig.User;
- mode = "0440";
- restartUnits = ["headscale.service" "authelia-darksailor.service"];
- key = "authelia/oidc/headscale/client_secret";
- };
- secrets.headscale-authelia = {
- owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
- mode = "0440";
- restartUnits = ["headscale.service" "authelia-darksailor.service"];
- key = "authelia/oidc/headscale/client_secret";
- };
- };
- services = {
- headscale = {
- enable = true;
- port = 8095;
- settings = {
- dns = {
- magic_dns = true;
- base_domain = "headscale.darksailor.dev";
- nameservers.global = ["1.1.1.1"];
- };
- oidc = {
- issuer = "https://auth.darksailor.dev";
- client_id = "headscale";
- client_secret_path = "${config.sops.secrets.headscale-secret.path}";
- pkce = {
- enabled = true;
- method = "S256";
- };
- };
- };
- };
- # headplane = {
- # enable = true;
- # settings = {
- # server.port = 42562;
- # };
- # };
- caddy = {
- virtualHosts."headscale.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:${toString config.services.headplane.settings.server.port}
- '';
- };
- authelia = {
- instances.darksailor = {
- settings = {
- identity_providers = {
- oidc = {
- clients = [
- {
- client_name = "HeadScale";
- client_id = "headscale";
- client_secret = ''{{ secret "${config.sops.secrets.headscale-authelia.path}" }}'';
- public = false;
- authorization_policy = "one_factor";
- require_pkce = true;
- pkce_challenge_method = "S256";
- redirect_uris = [
- "https://headscale.darksailor.dev/oidc/callback"
- ];
- scopes = ["openid" "email" "profile" "groups"];
- response_types = ["code"];
- grant_types = ["authorization_code"];
- access_token_signed_response_alg = "none";
- userinfo_signed_response_alg = "none";
- token_endpoint_auth_method = "client_secret_basic";
- }
- ];
- };
- };
- };
- };
- };
- };
-}
diff --git a/nixos/mirai/services/homepage.nix b/nixos/mirai/services/homepage.nix
deleted file mode 100644
index 3d2c98a3..00000000
--- a/nixos/mirai/services/homepage.nix
+++ /dev/null
@@ -1,181 +0,0 @@
-{config, ...}: {
- services = {
- homepage-dashboard = {
- enable = true;
- allowedHosts = "dashboard.darksailor.dev";
- settings = {
- title = "Servius' Dashboard";
- description = "A collection of services and links for quick access.";
- };
- widgets = [
- {
- resources = {
- cpu = true;
- disk = "/";
- memory = true;
- };
- }
- ];
- services = [
- {
- "Tsuba" = [
- {
- "Jellyfin" = {
- icon = "jellyfin.png";
- description = "Jellyfin Media Server";
- href = "https://jellyfin.tsuba.darksailor.dev";
- };
- }
- {
- "Sonarr" = {
- icon = "sonarr.png";
- description = "Sonarr: TV Series Management";
- href = "https://sonarr.tsuba.darksailor.dev";
- };
- }
- {
- "Bazarr" = {
- icon = "bazarr.png";
- description = "Bazarr: Subtitles and Metadata";
- href = "https://bazarr.tsuba.darksailor.dev";
- };
- }
- {
- "Radarr" = {
- icon = "radarr.png";
- description = "Radarr: Movie Management";
- href = "https://radarr.tsuba.darksailor.dev";
- };
- }
- {
- "Deluge" = {
- icon = "deluge.png";
- description = "Deluge: Torrent Client";
- href = "https://deluge.tsuba.darksailor.dev";
- };
- }
- {
- "Prowlarr" = {
- icon = "prowlarr.png";
- description = "Prowlarr: Indexer Manager";
- href = "https://prowlarr.tsuba.darksailor.dev";
- };
- }
- {
- "Home Assistant" = {
- icon = "home-assistant.png";
- description = "Home Automation";
- href = "https://home.darksailor.dev";
- };
- }
- ];
- }
- {
- "Mirai" = [
- {
- "Gitea" = {
- icon = "gitea.png";
- description = "Gitea Code Hosting";
- href = "https://git.darksailor.dev";
- };
- }
- {
- "Nextcloud" = {
- icon = "nextcloud.png";
- description = "Nextcloud Suite";
- href = "https://cloud.darksailor.dev";
- };
- }
- {
- "Open WebUI" = {
- icon = "open-webui.png";
- description = "Open WebUI for self hosted llms";
- href = "https://llama.darksailor.dev";
- };
- }
- {
- "Immich" = {
- icon = "immich.png";
- description = "Immich: Self-hosted Photo and Video Backup";
- href = "https://photos.darksailor.dev";
- };
- }
- {
- "Excalidraw" = {
- icon = "excalidraw.png";
- description = "Excalidraw: Self-hosted Collaborative Whiteboard";
- href = "https://draw.darksailor.dev";
- };
- }
- ];
- }
- ];
- bookmarks = [
- {
- "Nix" = [
- {
- "Nixpkgs" = [
- {
- abbr = "pkgs";
- href = "https://search.nixos.org/packages?channel=unstable";
- }
- ];
- }
- {
- "NixOS" = [
- {
- abbr = "nixos";
- href = "https://search.nixos.org/options?channel=unstable";
- }
- ];
- }
- {
- "Home Manager" = [
- {
- abbr = "hm";
- href = "https://home-manager-options.extranix.com";
- }
- ];
- }
- {
- "NixVim" = [
- {
- abbr = "nixvim";
- href = "https://nix-community.github.io/nixvim/search";
- }
- ];
- }
- {
- "Tailscale" = [
- {
- abbr = "ts";
- href = "https://login.tailscale.com";
- }
- ];
- }
- ];
- }
- ];
- };
- caddy = {
- virtualHosts."dashboard.darksailor.dev".extraConfig = ''
- import auth
- reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort}
- '';
- };
- authelia = {
- instances.darksailor = {
- settings = {
- access_control = {
- rules = [
- {
- domain = "dashboard.darksailor.dev";
- policy = "one_factor";
- }
- ];
- };
- };
- };
- };
- };
-}
diff --git a/nixos/mirai/services/immich.nix b/nixos/mirai/services/immich.nix
deleted file mode 100644
index b8516b94..00000000
--- a/nixos/mirai/services/immich.nix
+++ /dev/null
@@ -1,118 +0,0 @@
-{
- pkgs,
- config,
- ...
-}: {
- sops = {
- secrets."authelia/oidc/immich/client_id" = {
- owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
- mode = "0440";
- restartUnits = ["immich-server.service" "authelia-darksailor.service"];
- };
- secrets."authelia/oidc/immich/client_secret" = {
- owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
- mode = "0440";
- restartUnits = ["immich-server.service" "authelia-darksailor.service"];
- };
- templates = {
- "immich-config.json" = {
- content =
- /*
- json
- */
- ''
- {
- "oauth": {
- "clientId": "${config.sops.placeholder."authelia/oidc/immich/client_id"}",
- "clientSecret": "${config.sops.placeholder."authelia/oidc/immich/client_secret"}",
- "enabled": true,
- "autoLaunch": true,
- "autoRegister": true,
- "buttonText": "Login with Authelia",
- "scope": "openid email profile",
- "issuerUrl": "https://auth.darksailor.dev"
- },
- "passwordLogin" : {
- "enabled": false
- },
- "server": {
- "externalDomain": "https://photos.darksailor.dev"
- },
- {
- "machineLearning": {
- "enabled": true,
- "urls": [
- "http://ryu.darksailor.dev:3003",
- "http://localhost:3003"
- ],
- }
- }
- }
- '';
- mode = "0400";
- owner = "immich";
- restartUnits = ["immich-server.service"];
- };
- };
- };
- virtualisation.oci-containers = {
- backend = "docker";
- containers = {
- immich-machine-learning = {
- image = "ghcr.io/immich-app/immich-machine-learning:v${pkgs.immich.version}";
- ports = [
- "127.0.0.1:3003:3003"
- ];
- volumes = [
- "model-cache:/cache"
- ];
- };
- };
- };
- services.immich = {
- enable = true;
- mediaLocation = "/media/photos/immich";
- accelerationDevices = null;
- machine-learning.enable = false;
- environment = {
- IMMICH_CONFIG_FILE = config.sops.templates."immich-config.json".path;
- };
- package = pkgs.immich;
- };
- services.caddy = {
- virtualHosts."photos.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:${builtins.toString config.services.immich.port}
- '';
- };
- services.authelia = {
- instances.darksailor = {
- settings = {
- identity_providers = {
- oidc = {
- clients = [
- {
- client_name = "immich";
- client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
- client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
- public = false;
- authorization_policy = "one_factor";
- require_pkce = false;
- redirect_uris = [
- "https://photos.darksailor.dev/auth/login"
- "https://photos.darksailor.dev/user-settings"
- "app.immich:///oauth-callback"
- ];
- scopes = ["openid" "profile" "email"];
- response_types = ["code"];
- grant_types = ["authorization_code"];
- # access_token_signed_response_alg = "none";
- userinfo_signed_response_alg = "none";
- token_endpoint_auth_method = "client_secret_post";
- }
- ];
- };
- };
- };
- };
- };
-}
diff --git a/nixos/mirai/services/llama.nix b/nixos/mirai/services/llama.nix
deleted file mode 100644
index f3e21ceb..00000000
--- a/nixos/mirai/services/llama.nix
+++ /dev/null
@@ -1,103 +0,0 @@ -{ - config, - pkgs, - inputs, - ... -}: { - sops = { - secrets."llama/api_key".owner = config.services.caddy.user; - secrets."llama/user".owner = config.services.caddy.user; - secrets."openai/api_key" = {}; - templates = { - "LLAMA_API_KEY.env".content = '' - LLAMA_API_KEY=${config.sops.placeholder."llama/api_key"} - ''; - api_key_env.owner = config.services.caddy.user; - "OPENAI_API_KEY.env".content = '' - OPENAI_API_KEY="${config.sops.placeholder."openai/api_key"}" - ''; - }; - }; - services = { - llama-cpp = { - enable = false; - port = 11435; - model = pkgs.fetchurl { - url = "https://huggingface.co/lmstudio-community/gpt-oss-20b-GGUF/resolve/main/gpt-oss-20b-MXFP4.gguf"; - sha256 = "65d06d31a3977d553cb3af137b5c26b5f1e9297a6aaa29ae7caa98788cde53ab"; - }; - # package = pkgs.ik_llama; - }; - ollama = { - enable = false; - loadModels = [ - "deepseek-r1:7b" - "deepseek-r1:14b" - "RobinBially/nomic-embed-text-8k" - "qwen3:8b" - ]; - port = 11434; - host = "0.0.0.0"; - environmentVariables = { - OLLAMA_ORIGINS = "*"; - }; - }; - open-webui = { - enable = false; - port = 7070; - environment = { - SCARF_NO_ANALYTICS = "True"; - DO_NOT_TRACK = "True"; - ANONYMIZED_TELEMETRY = "False"; - WEBUI_AUTH = "False"; - ENABLE_LOGIN_FORM = "False"; - WEBUI_URL = "https://llama.darksailor.dev"; - OPENAI_BASE_URL = "https://ollama.darksailor.dev/v1"; - OLLAMA_API_BASE_URL = "https://ollama.ryu.darksailor.dev"; - }; - environmentFile = "${config.sops.templates."LLAMA_API_KEY.env".path}"; - }; - - caddy = { - virtualHosts."llama.darksailor.dev".extraConfig = '' - import auth - reverse_proxy localhost:${builtins.toString config.services.open-webui.port} - ''; - virtualHosts."ollama.darksailor.dev".extraConfig = '' - @apikey { - header Authorization "Bearer {env.LLAMA_API_KEY}" - } - - handle @apikey { - header { - # Set response headers or proxy to a different service if API key is valid - Access-Control-Allow-Origin * - -Authorization "Bearer {env.LLAMA_API_KEY}" # 
Remove the header after validation - } - reverse_proxy localhost:${builtins.toString config.services.llama-cpp.port} - } - - respond "Unauthorized" 403 - ''; - }; - authelia = { - instances.darksailor = { - settings = { - access_control = { - rules = [ - { - domain = "llama.darksailor.dev"; - policy = "one_factor"; - } - ]; - }; - }; - }; - }; - }; - systemd.services.caddy = { - serviceConfig = { - EnvironmentFile = config.sops.templates."LLAMA_API_KEY.env".path; - }; - }; -} diff --git a/nixos/mirai/services/lldap.nix b/nixos/mirai/services/lldap.nix deleted file mode 100644 index acd9654f..00000000 --- a/nixos/mirai/services/lldap.nix +++ /dev/null @@ -1,53 +0,0 @@ -{ - config, - lib, - ... -}: { - services.lldap = { - enable = true; - settings = { - ldap_user_dn = "admin"; - ldap_base_dn = "dc=darksailor,dc=dev"; - ldap_user_email = "admin@darksailor.dev"; - http_host = "127.0.0.1"; - http_port = 5090; - ldap_port = 389; - ldap_host = "::"; - ldap_user_pass_file = config.sops.secrets."lldap/admin".path; - environmentFile = '' - LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path}; - LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path}; - ''; - }; - }; - users.users.lldap = { - name = "lldap"; - group = "lldap"; - description = "LDAP Server User"; - isSystemUser = true; - }; - users.groups.lldap = {}; - - systemd.services.lldap = { - serviceConfig = { - AmbientCapabilities = "CAP_NET_BIND_SERVICE"; - DynamicUser = lib.mkForce false; - User = "lldap"; - Group = "lldap"; - }; - }; - sops = { - secrets = let - owner = config.systemd.services.lldap.serviceConfig.User; - group = config.systemd.services.lldap.serviceConfig.Group; - restartUnits = ["lldap.service"]; - cfg = { - inherit owner group restartUnits; - }; - in { - "lldap/jwt" = cfg; - "lldap/seed" = cfg; - "lldap/admin" = cfg; - }; - }; -} diff --git a/nixos/mirai/services/navidrome.nix b/nixos/mirai/services/navidrome.nix deleted file mode 100644 index 394bf372..00000000 
--- a/nixos/mirai/services/navidrome.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{...}: {
- services = {
- navidrome = {
- enable = true;
- settings = {
- MusicFolder = "/media/music";
- ReverseProxyUserHeader = "Remote-User";
- ReverseProxyWhitelist = "127.0.0.1/32";
- };
- };
- caddy = {
- virtualHosts."music.darksailor.dev".extraConfig = ''
- import auth
- reverse_proxy localhost:4533
- '';
- };
- };
-}
diff --git a/nixos/mirai/services/nextcloud.nix b/nixos/mirai/services/nextcloud.nix
deleted file mode 100644
index ae6bb868..00000000
--- a/nixos/mirai/services/nextcloud.nix
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - config, - pkgs, - ... -}: { - sops = { - secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name; - # secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name; - secrets."authelia/oidc/nextcloud/client_secret".owner = config.users.users.nextcloud.name; - }; - imports = [ - "${fetchTarball { - url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz"; - sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs"; - }}/nextcloud-extras.nix" - ]; - services = { - nextcloud = { - enable = true; - package = pkgs.nextcloud32; - extraApps = { - inherit (config.services.nextcloud.package.packages.apps) contacts calendar bookmarks user_oidc; - }; - extraAppsEnable = true; - hostName = "cloud.darksailor.dev"; - config.adminuser = "servius"; - config.adminpassFile = config.sops.secrets."nextcloud/adminpass".path; - config.dbtype = "sqlite"; - configureRedis = true; - https = true; - caching = { - redis = true; - apcu = true; - memcached = true; - }; - webserver = "caddy"; - settings = {}; - }; - # caddy = { - # virtualHosts."cloud.darksailor.dev".extraConfig = '' - # reverse_proxy localhost:8080 - # ''; - # }; - # nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ - # { - # addr = "127.0.0.1"; - # port = 8080; # NOT an exposed port - # } - # ]; - - # authelia.instances.darksailor = { - # settings = { - # definitions = { - # user_attributes = { - # is_nextcloud_admin = { - # expression = ''"nextcloud-admins" in groups"''; - # }; - # }; - # }; - # identity_providers = { - # oidc = { - # claims_policies = { - # custom_claims = { - # is_nextcloud_admin = {}; - # }; - # }; - # scopes = { - # nextcloud_userinfo = { - # claims = ["is_nextcloud_admin"]; - # }; - # }; - # clients = [ - # { - # client_name = "Nextcloud"; - # client_id = "nextcloud"; - # client_secret = ''{{ secret 
"${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}''; - # public = false; - # authorization_policy = "one_factor"; - # require_pkce = true; - # pkce_challenge_method = "S256"; - # claims_policy = "nextcloud_userinfo"; - # redirect_uris = [ - # "https://cloud.darksailor.dev/apps/oidc_login/oidc" - # ]; - # scopes = [ - # "openid" - # "profile" - # "email" - # "groups" - # "nextcloud_userinfo" - # ]; - # response_types = ["code"]; - # grant_types = ["authorization_code"]; - # # access_token_signed_response_alg = "none"; - # userinfo_signed_response_alg = "none"; - # token_endpoint_auth_method = "client_secret_basic"; - # } - # ]; - # }; - # }; - # }; - # }; - }; -} diff --git a/nixos/mirai/services/paperless.nix b/nixos/mirai/services/paperless.nix deleted file mode 100644 index 5bfdf1d5..00000000 --- a/nixos/mirai/services/paperless.nix +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: { - sops = { - secrets."paperless/adminpass".owner = config.users.users.paperless.name; - secrets."paperless/secret_key".owner = config.users.users.paperless.name; - secrets."authelia/oidc/paperless/client_id".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; - secrets."authelia/oidc/paperless/client_secret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; - templates = { - "PAPERLESS.env" = { - content = '' - PAPERLESS_SOCIALACCOUNT_PROVIDERS='${config.sops.templates."PAPERLESS_SOCIALACCOUNT_PROVIDERS.json".content}' - ''; - restartUnits = ["paperless-web.service" "authelia-darksailor.service"]; - }; - "PAPERLESS_SOCIALACCOUNT_PROVIDERS.json" = { - content = - /* - json - */ - builtins.toJSON - { - authelia = { - OAUTH_PKCE_ENABLED = "True"; - APPS = [ - { - provider_id = "authelia"; - name = "Authelia"; - "client_id" = "${config.sops.placeholder."authelia/oidc/paperless/client_id"}"; - "secret" = "${config.sops.placeholder."authelia/oidc/paperless/client_secret"}"; - "settings" = { - "server_url" = "https://auth.darksailor.dev/.well-known/openid-configuration"; - }; - } - ]; - }; - }; - restartUnits = ["paperless-web.service" "authelia-darksailor.service"]; - }; - }; - }; - # systemd.services.paperless-web.script = lib.mkBefore '' - # oidcSecret=$(< ${config.sops.secrets."authelia/oidc/paperless/client_secret".path}) - # export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$( - # ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \ - # --compact-output \ - # --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret' - # ) - # ''; - services = { - paperless = { - enable = true; - passwordFile = config.sops.secrets."paperless/adminpass".path; - settings = { - PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; - PAPERLESS_SOCIAL_AUTO_SIGNUP = "True"; - PAPERLESS_DISABLE_REGULAR_LOGIN = "True"; - PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = 
"True"; - PAPERLESS_URL = "https://paperless.darksailor.dev"; - }; - environmentFile = "${config.sops.templates."PAPERLESS.env".path}"; - }; - caddy = { - virtualHosts."paperless.darksailor.dev".extraConfig = '' - reverse_proxy localhost:28981 - ''; - }; - - authelia = { - instances.darksailor = { - settings = { - identity_providers = { - oidc = { - clients = [ - { - client_name = "paperless"; - client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/paperless/client_id".path}" }}''; - client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/paperless/client_secret".path}" }}''; - public = false; - authorization_policy = "one_factor"; - require_pkce = false; - redirect_uris = [ - "https://paperless.darksailor.dev/auth/login" - ]; - scopes = ["openid" "profile" "email"]; - response_types = ["code"]; - grant_types = ["authorization_code"]; - # access_token_signed_response_alg = "none"; - userinfo_signed_response_alg = "none"; - token_endpoint_auth_method = "client_secret_post"; - } - ]; - }; - }; - }; - }; - }; - }; -} diff --git a/nixos/mirai/services/polaris.nix b/nixos/mirai/services/polaris.nix deleted file mode 100644 index 57b6f8e4..00000000 --- a/nixos/mirai/services/polaris.nix +++ /dev/null @@ -1,21 +0,0 @@ -{...}: { - services = { - polaris = { - enable = false; - port = 5050; - settings = { - mount_dirs = [ - { - name = "Music"; - source = "/media/music"; - } - ]; - }; - }; - caddy = { - virtualHosts."music.darksailor.dev".extraConfig = '' - reverse_proxy localhost:5050 - ''; - }; - }; -} diff --git a/nixos/mirai/services/prowlarr.nix b/nixos/mirai/services/prowlarr.nix deleted file mode 100644 index d66ba13c..00000000 --- a/nixos/mirai/services/prowlarr.nix +++ /dev/null @@ -1,13 +0,0 @@ -{...}: { - services = { - prowlarr = { - enable = true; - settings = { - auth = { - authentication_enabled = true; - authentication_method = "External"; - }; - }; - }; - }; -} 
diff --git a/nixos/mirai/services/resolved.nix b/nixos/mirai/services/resolved.nix
deleted file mode 100644
index e5a1ef14..00000000
--- a/nixos/mirai/services/resolved.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{...}: {
- services.resolved = {
- enable = true;
- dnssec = "true";
- dnsovertls = "true";
- domains = ["lemur-newton.ts.net"];
- fallbackDns = ["1.1.1.1"];
- };
-}
diff --git a/nixos/mirai/services/seafile.nix b/nixos/mirai/services/seafile.nix
deleted file mode 100644
index ba72606a..00000000
--- a/nixos/mirai/services/seafile.nix
+++ /dev/null
@@ -1,66 +0,0 @@ -{config, ...}: { - sops = { - secrets."nextcloud/adminpass".owner = config.users.users.caddy.name; - }; - services = { - seafile = { - enable = true; - # group = config.services.caddy.group; - adminEmail = "admin@darksailor.dev"; - initialAdminPassword = "foobar"; - - seahubExtraConf = - /* - python - */ - '' - ENABLE_REMOTE_USER_AUTHENTICATION = True - # Optional, HTTP header, which is configured in your web server conf file, - # used for Seafile to get user's unique id, default value is 'HTTP_REMOTE_USER'. - REMOTE_USER_HEADER = "HTTP_REMOTE_USER" - # Optional, when the value of HTTP_REMOTE_USER is not a valid email address, - # Seafile will build a email-like unique id from the value of 'REMOTE_USER_HEADER' - # and this domain, e.g. user1@example.com. - REMOTE_USER_DOMAIN = "darksailor.dev" - # Optional, whether to create new user in Seafile system, default value is True. - # If this setting is disabled, users doesn't preexist in the Seafile DB cannot login. - # The admin has to first import the users from external systems like LDAP. - REMOTE_USER_CREATE_UNKNOWN_USER = True - # Optional, whether to activate new user in Seafile system, default value is True. - # If this setting is disabled, user will be unable to login by default. - # the administrator needs to manually activate this user. - REMOTE_USER_ACTIVATE_USER_AFTER_CREATION = True - ''; - ccnetSettings = { - General.SERVICE_URL = "https://cloud.darksailor.dev"; - }; - }; - caddy = { - virtualHosts."cloud.darksailor.dev".extraConfig = '' - import auth - reverse_proxy unix//run/seahub/gunicorn.sock - ''; - }; - authelia = { - instances.darksailor = { - settings = { - access_control = { - rules = [ - { - domain = "cloud.darksailor.dev"; - policy = "bypass"; - resources = [ - "^/(api2|seafhttp)([/?].*)?$" - ]; - } - { - domain = "cloud.darksailor.dev"; - policy = "one_factor"; - } - ]; - }; - }; - }; - }; - }; -} 
diff --git a/nixos/mirai/services/searxng.nix b/nixos/mirai/services/searxng.nix
deleted file mode 100644
index 77368b2a..00000000
--- a/nixos/mirai/services/searxng.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- systemd.services.websurfx = {
- description = "Websurfx";
- wantedBy = ["multi-user.target"];
- after = ["network.target"];
- serviceConfig = {
- Type = "simple";
- ExecStart = "${pkgs.websurfx}/bin/websurfx";
- Restart = "always";
- RestartSec = 5;
- User = "websurfx";
- Group = "websurfx";
- };
- };
- users.users.websurfx = {
- group = "websurfx";
- home = "/var/lib/websurfx";
- isSystemUser = true;
- # uid = config.ids.uids.websurfx;
- };
- users.groups.websurfx = {
- # gid = config.ids.gids.websurfx;
- };
- services.caddy.virtualHosts."search.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:8080
- '';
-}
diff --git a/nixos/mirai/services/shitpost.nix b/nixos/mirai/services/shitpost.nix
deleted file mode 100644
index 4f91f088..00000000
--- a/nixos/mirai/services/shitpost.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{pkgs, ...}: let
- src = pkgs.fetchgit {
- url = "https://git.darksailor.dev/servius/adarkdayinmylife.public";
- rev = "68d972f68cab8f68916b94df05b7ab6a7da4a1da";
- sha256 = "sha256-EVis06rmHq1jJK0FVsbgi7TOru7GtEUpbx0PjU2AKEo=";
- };
-in {
- services.caddy.virtualHosts."adarkdayinmy.life".extraConfig = ''
- root * ${src}/
- file_server
- '';
-}
diff --git a/nixos/mirai/services/syncthing.nix b/nixos/mirai/services/syncthing.nix
deleted file mode 100644
index 89a230ab..00000000
--- a/nixos/mirai/services/syncthing.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- pkgs,
- device,
- xdg,
- ...
-}: {
- services.syncthing = {
- enable = true;
- openDefaultPorts = true;
- user = "${device.user}";
- group = "${device.user}";
- dataDir = xdg.dataDirs.syncthing;
- configDir = xdg.configDirs.syncthing;
- };
-}
diff --git a/nixos/mirai/services/tailscale.nix b/nixos/mirai/services/tailscale.nix
deleted file mode 100644
index a4c03225..00000000
--- a/nixos/mirai/services/tailscale.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{masterPkgs, ...}: {
- services.tailscale = {
- enable = true;
- useRoutingFeatures = "server";
- extraUpFlags = "--advertise-exit-node";
- package = masterPkgs.tailscale;
- };
- networking.firewall.trustedInterfaces = [
- "tailscale0"
- ];
-}
diff --git a/nixos/mirai/services/vscode.nix b/nixos/mirai/services/vscode.nix
deleted file mode 100644
index d37c9d83..00000000
--- a/nixos/mirai/services/vscode.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{pkgs, ...}: {
- services = {
- openvscode-server = {
- enable = true;
- port = 3000;
- host = "0.0.0.0";
- extraPackages = with pkgs; [];
- withoutConnectionToken = true;
- };
- caddy = {
- virtualHosts."code.darksailor.dev".extraConfig = ''
- import auth
- reverse_proxy localhost:3000
- '';
- };
- };
-}
diff --git a/nixos/mirai/services/zerotier.nix b/nixos/mirai/services/zerotier.nix
deleted file mode 100644
index 8110d4fb..00000000
--- a/nixos/mirai/services/zerotier.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{config, ...}: {
- # sops = {
- # secrets."zerotier/api_key".owner = config.systemd.services.zeronsd-abfd31bd4766754d.serviceConfig.User;
- # };
- # services.zerotierone = {
- # enable = true;
- # port = 9994;
- # joinNetworks = [
- # "abfd31bd4766754d"
- # ];
- # };
- # services.zeronsd = {
- # servedNetworks = {
- # abfd31bd4766754d = {
- # settings = {
- # log_level = "trace";
- # local_url = "http://127.0.0.1:9994";
- # domain = "zt.darksailor.dev";
- # token = config.sops.secrets."zerotier/api_key".path;
- # };
- # };
- # };
- # };
-}
diff --git a/nixos/tako/services/prowlarr.nix b/nixos/tako/services/prowlarr.nix
index e6a62577..eaae4e61 100644
--- a/nixos/tako/services/prowlarr.nix
+++ b/nixos/tako/services/prowlarr.nix
@@ -1,4 +1,4 @@
-{...}: {
+{config, ...}: {
 services = {
 prowlarr = {
 enable = true;
@@ -7,8 +7,12 @@
 authentication_enabled = true;
 authentication_method = "External";
 };
- server.port = 9696;
+ # server.port = 9696;
 };
 };
 };
+ services.caddy.virtualHosts."prowlarr.darksailor.dev".extraConfig = ''
+ import auth
+ reverse_proxy localhost:${toString config.services.prowlarr.settings.server.port or "9696"}
+ '';
 }
diff --git a/nixos/tsuba/services/default.nix b/nixos/tsuba/services/default.nix
index 6b1a23c0..a130a6f6 100644
--- a/nixos/tsuba/services/default.nix
+++ b/nixos/tsuba/services/default.nix
@@ -10,9 +10,5 @@
 ./flaresolverr.nix
 ./caddy.nix
 ./monitoring.nix
-
- # ./dnscrypt.nix
- # ./resolved.nix
- # ./blocky.nix
 ];
 }
diff --git a/nixos/tsuba/services/prowlarr.nix b/nixos/tsuba/services/prowlarr.nix
deleted file mode 100644
index a3ba5498..00000000
--- a/nixos/tsuba/services/prowlarr.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{unstablePkgs, ...}: {
- services = {
- prowlarr = {
- enable = true;
- package = unstablePkgs.prowlarr;
- };
- caddy = {
- virtualHosts."prowlarr.tsuba.darksailor.dev".extraConfig = ''
- import cloudflare
- reverse_proxy localhost:9696
- '';
- };
- };
-}
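Review bot: With `authentication_method = "External";` kept as context in this hunk, the `import auth` line in the new `prowlarr.darksailor.dev` virtual host is the only authentication in front of Prowlarr, so anything that reaches the backend port directly (localhost, or any non-loopback address the service binds to) gets in with no login at all; neither the bind address nor a firewall rule is visible in this file, so it is worth confirming the port is reachable only through Caddy. The `auth` snippet is defined elsewhere, so this is inferred, but if it is a forward-auth gate then clients that use Prowlarr's API key instead of a browser session will be rejected unless the snippet or the Authelia rules exempt the API paths. A comment next to the virtual host such as `# Prowlarr's own login is disabled (External); the auth import is the only gate` would make that dependency explicit for the next reader. Separately, `or "9696"` mixes types: the attribute is an int when set but the fallback is a string, and `or 9696` keeps both the same type while `toString` still handles either; since the removed `server.port = 9696;` was the only place the port was pinned, the fallback is now the effective value unless the module supplies a default.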