chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

kaas

Browse source
This commit is contained in:
Chris Kruining 2025-12-06 17:39:16 +01:00 committed by chris
parent a787c8c646
commit 98425c9dcc
8 changed files with 251 additions and 174 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.just/machine.just
View file

@ -8,4 +8,4 @@
[no-exit-message] [no-exit-message]
@update machine: @update machine:
just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')"
nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} nixos-rebuild switch -L --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }}

8
.just/vars.just
View file

@ -1,8 +1,10 @@
set unstable set unstable := true
base_path := invocation_directory() / "systems/x86_64-linux" base_path := invocation_directory() / "systems/x86_64-linux"
# sops := "nix shell nixpkgs#sops --command sops" # sops := "nix shell nixpkgs#sops --command sops"
# yq := "nix shell nixpkgs#yq --command yq" # yq := "nix shell nixpkgs#yq --command yq"
sops := "sops" sops := "sops"
yq := "yq" yq := "yq"
@ -20,7 +22,7 @@ list machine:
sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\""
git add {{ base_path }}/{{ machine }}/secrets.yml git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done" echo "Done"
@ -31,6 +33,6 @@ list machine:
sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
git add {{ base_path }}/{{ machine }}/secrets.yml git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done" echo "Done"

2
.justfile
View file

@ -19,7 +19,7 @@ mod machine '.just/machine.just'
[doc('Introspection on flake output')] [doc('Introspection on flake output')]
@select key: @select key:
nix eval --json .#{{ key }} | jq . nix eval --show-trace --json .#{{ key }} | jq .

6
flake.lock generated
View file

@ -713,11 +713,11 @@
"nixpkgs": "nixpkgs_5" "nixpkgs": "nixpkgs_5"
}, },
"locked": { "locked": {
"lastModified": 1764840646, "lastModified": 1764866402,
"narHash": "sha256-ffhLaQWDm4iyf7j3uxmMXg5k7FRimaj8PXA4Jj9EpB0=", "narHash": "sha256-0NOWsPks+/vV5ZM9ti71hUPMLy3FzbEIlFI6vxARvuY=",
"owner": "chris-kruining", "owner": "chris-kruining",
"repo": "mydia", "repo": "mydia",
"rev": "035fa63a276ed4dd9743fdf5ff50a651cabb9bcd", "rev": "458fc9a21c6987d994bc7932efb6c49df25ba806",
"type": "github" "type": "github"
}, },
"original": { "original": {

8
modules/nixos/services/development/forgejo/default.nix
View file

@ -184,6 +184,14 @@ in {
}; };
}; };
users = {
users."gitea-runner" = {
isSystemUser = true;
group = "gitea-runner";
};
groups."gitea-runner" = {};
};
sops.secrets = { sops.secrets = {
"forgejo/action_runner_token" = { "forgejo/action_runner_token" = {
owner = "gitea-runner"; owner = "gitea-runner";

105
modules/nixos/services/media/default.nix
View file

@ -1,13 +1,19 @@
{ pkgs, lib, namespace, config, inputs, system, ... }: {
let pkgs,
lib,
namespace,
config,
inputs,
system,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption; inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str; inherit (lib.types) str;
cfg = config.${namespace}.services.media; cfg = config.${namespace}.services.media;
arr = ["radarr" ]; arr = ["radarr"];
in in {
{
options.${namespace}.services.media = { options.${namespace}.services.media = {
enable = mkEnableOption "Enable media services"; enable = mkEnableOption "Enable media services";
@ -73,7 +79,8 @@ in
arr arr
|> lib.imap (i: service: { |> lib.imap (i: service: {
name = service; name = service;
value = { value =
{
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -98,12 +105,19 @@ in
}; };
}; };
} }
// (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {}); // (
if service != "prowlarr"
then {
user = cfg.user;
group = cfg.group;
}
else {}
);
}) })
|> lib.listToAttrs |> lib.listToAttrs;
;
in in
arr-services // { arr-services
// {
bazarr = { bazarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -133,6 +147,10 @@ in
serverConfig = { serverConfig = {
LegalNotice.Accepted = true; LegalNotice.Accepted = true;
Prefecences.WebUI = {
Username = "admin";
};
}; };
user = cfg.user; user = cfg.user;
@ -149,14 +167,14 @@ in
group = cfg.group; group = cfg.group;
}; };
postgresql = postgresql = let
let databases = arr |> lib.concatMap (s: [s "${s}-log"]);
databases = arr |> lib.concatMap (s: [ s "${s}-log" ]); in {
in
{
enable = true; enable = true;
ensureDatabases = arr; ensureDatabases = arr;
ensureUsers = arr |> lib.map (service: { ensureUsers =
arr
|> lib.map (service: {
name = service; name = service;
ensureDBOwnership = true; ensureDBOwnership = true;
}); });
@ -172,14 +190,17 @@ in
}; };
}; };
systemd.services.radarrApplyTerraform = systemd.services.radarrApplyTerraform = let
let
# this is a nix package, the generated json file to be exact # this is a nix package, the generated json file to be exact
terraformConfiguration = inputs.terranix.lib.terranixConfiguration { terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
inherit system; inherit system;
modules = [ modules = [
({ config, lib, ... }: { ({
config,
lib,
...
}: {
config = { config = {
variable = { variable = {
api_key = { api_key = {
@ -207,12 +228,11 @@ in
}) })
]; ];
}; };
in in {
{
description = "Radarr terraform apply"; description = "Radarr terraform apply";
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
wants = [ "radarr.service" ]; wants = ["radarr.service"];
script = '' script = ''
#!/usr/bin/env bash #!/usr/bin/env bash
@ -255,21 +275,26 @@ in
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
sops = { sops = {
secrets = secrets = let
arrSecrets =
arr arr
|> lib.map (service: { |> lib.map (service: {
name = "${service}/apikey"; name = "${service}/apikey";
value = { value = {
owner = cfg.user; owner = cfg.user;
group = cfg.group; group = cfg.group;
restartUnits = [ "${service}.service" ]; restartUnits = ["${service}.service"];
}; };
}) })
|> lib.listToAttrs |> lib.listToAttrs;
; in
arrSecrets
// {
# "qbittorrent/password" = {};
"qbittorrent/password_hash" = {};
};
templates = templates = let
let
apikeys = apikeys =
arr arr
|> lib.map (service: { |> lib.map (service: {
@ -277,7 +302,7 @@ in
value = { value = {
owner = cfg.user; owner = cfg.user;
group = cfg.group; group = cfg.group;
restartUnits = [ "${service}.service" ]; restartUnits = ["${service}.service"];
content = '' content = ''
${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}"
''; '';
@ -287,21 +312,33 @@ in
tfvars = tfvars =
arr arr
|> lib.map(service: { |> lib.map (service: {
name = "${service}/config.tfvars"; name = "${service}/config.tfvars";
value = { value = {
owner = cfg.user; owner = cfg.user;
group = cfg.group; group = cfg.group;
restartUnits = [ "${service}ApplyTerraform.service" ]; restartUnits = ["${service}ApplyTerraform.service"];
content = '' content = ''
api_key = "${config.sops.placeholder."${service}/apikey"}" api_key = "${config.sops.placeholder."${service}/apikey"}"
''; '';
}; };
}) })
|> lib.listToAttrs; |> lib.listToAttrs;
qbittorrent = {
"qbittorrent/password.conf" = {
owner = cfg.user;
group = cfg.group;
restartUnits = ["qbittorrent.service"];
path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf";
content = ''
[Preferences]
WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}"
'';
};
};
in in
apikeys // tfvars apikeys // tfvars // qbittorrent;
;
}; };
}; };
} }

34
modules/nixos/services/media/mydia/default.nix
View file

@ -26,9 +26,17 @@ in {
listenAddress = "0.0.0.0"; listenAddress = "0.0.0.0";
openFirewall = true; openFirewall = true;
mediaLibraries = [
"/var/mydia/movies"
"/var/mydia/series"
];
database = { database = {
# type = "sqlite";
# uri = "file:///var/lib/mydia/mydia.db";
type = "postgres"; type = "postgres";
uri = "postgres://localhost:5432/mydia?sslMode=disable"; uri = "postgres://mydia@localhost:5432/mydia?sslmode=disable";
passwordFile = config.sops.secrets."mydia/qbittorrent_password".path;
}; };
secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path;
@ -41,9 +49,21 @@ in {
clientSecretFile = config.sops.secrets."mydia/oidc_secret".path; clientSecretFile = config.sops.secrets."mydia/oidc_secret".path;
scopes = ["openid" "profile" "email"]; scopes = ["openid" "profile" "email"];
}; };
downloadClients = {
qbittorrent = {
type = "qbittorrent";
host = "localhost";
port = 2008;
username = "admin";
passwordFile = config.sops.secrets."mydia/qbittorrent_password".path;
useSsl = false;
};
};
}; };
sops.secrets = sops.secrets = let
base =
["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"] ["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"]
|> lib.map (name: |> lib.map (name:
lib.nameValuePair "mydia/${name}" { lib.nameValuePair "mydia/${name}" {
@ -52,5 +72,15 @@ in {
restartUnits = ["mydia.service"]; restartUnits = ["mydia.service"];
}) })
|> lib.listToAttrs; |> lib.listToAttrs;
in
base
// {
"mydia/qbittorrent_password" = {
owner = config.services.mydia.user;
group = config.services.mydia.group;
restartUnits = ["mydia.service"];
key = "qbittorrent/password";
};
};
}; };
} }