chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

kaas

Browse source
This commit is contained in:
Chris Kruining 2025-12-06 17:39:16 +01:00 committed by chris
parent a787c8c646
commit 98425c9dcc
8 changed files with 251 additions and 174 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.forgejo/workflows/action.yml
View file

@ -12,4 +12,4 @@ jobs:
steps: steps:
- name: Echo - name: Echo
run: | run: |
nix --version nix --version

2
.just/machine.just
View file

@ -8,4 +8,4 @@
[no-exit-message] [no-exit-message]
@update machine: @update machine:
just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')"
nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} nixos-rebuild switch -L --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }}

36
.just/vars.just
View file

@ -1,36 +1,38 @@
set unstable set unstable := true
base_path := invocation_directory() / "systems/x86_64-linux" base_path := invocation_directory() / "systems/x86_64-linux"
# sops := "nix shell nixpkgs#sops --command sops" # sops := "nix shell nixpkgs#sops --command sops"
# yq := "nix shell nixpkgs#yq --command yq" # yq := "nix shell nixpkgs#yq --command yq"
sops := "sops" sops := "sops"
yq := "yq" yq := "yq"
@_default: @_default:
just --list just --list
[doc('list all vars of the target machine')] [doc('list all vars of the target machine')]
list machine: list machine:
sops decrypt {{ base_path }}/{{ machine }}/secrets.yml sops decrypt {{ base_path }}/{{ machine }}/secrets.yml
@edit machine: @edit machine:
sops edit {{ base_path }}/{{ machine }}/secrets.yml sops edit {{ base_path }}/{{ machine }}/secrets.yml
@set machine key value: @set machine key value:
sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\""
git add {{ base_path }}/{{ machine }}/secrets.yml git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done"
echo "Done"
@get machine key: @get machine key:
sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')"
@remove machine key: @remove machine key:
sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
git add {{ base_path }}/{{ machine }}/secrets.yml git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done" echo "Done"

4
.justfile
View file

@ -19,7 +19,7 @@ mod machine '.just/machine.just'
[doc('Introspection on flake output')] [doc('Introspection on flake output')]
@select key: @select key:
nix eval --json .#{{ key }} | jq . nix eval --show-trace --json .#{{ key }} | jq .
@ -30,4 +30,4 @@ mod machine '.just/machine.just'
[no-cd] [no-cd]
[private] [private]
@assert condition message: @assert condition message:
[ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; }

6
flake.lock generated
View file

@ -713,11 +713,11 @@
"nixpkgs": "nixpkgs_5" "nixpkgs": "nixpkgs_5"
}, },
"locked": { "locked": {
"lastModified": 1764840646, "lastModified": 1764866402,
"narHash": "sha256-ffhLaQWDm4iyf7j3uxmMXg5k7FRimaj8PXA4Jj9EpB0=", "narHash": "sha256-0NOWsPks+/vV5ZM9ti71hUPMLy3FzbEIlFI6vxARvuY=",
"owner": "chris-kruining", "owner": "chris-kruining",
"repo": "mydia", "repo": "mydia",
"rev": "035fa63a276ed4dd9743fdf5ff50a651cabb9bcd", "rev": "458fc9a21c6987d994bc7932efb6c49df25ba806",
"type": "github" "type": "github"
}, },
"original": { "original": {

8
modules/nixos/services/development/forgejo/default.nix
View file

@ -184,6 +184,14 @@ in {
}; };
}; };
users = {
users."gitea-runner" = {
isSystemUser = true;
group = "gitea-runner";
};
groups."gitea-runner" = {};
};
sops.secrets = { sops.secrets = {
"forgejo/action_runner_token" = { "forgejo/action_runner_token" = {
owner = "gitea-runner"; owner = "gitea-runner";

323
modules/nixos/services/media/default.nix
View file

@ -1,13 +1,19 @@
{ pkgs, lib, namespace, config, inputs, system, ... }: {
let pkgs,
lib,
namespace,
config,
inputs,
system,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption; inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str; inherit (lib.types) str;
cfg = config.${namespace}.services.media; cfg = config.${namespace}.services.media;
arr = ["radarr" ]; arr = ["radarr"];
in in {
{
options.${namespace}.services.media = { options.${namespace}.services.media = {
enable = mkEnableOption "Enable media services"; enable = mkEnableOption "Enable media services";
@ -69,117 +75,132 @@ in
# Services # Services
#========================================================================= #=========================================================================
services = let services = let
arr-services = arr-services =
arr arr
|> lib.imap (i: service: { |> lib.imap (i: service: {
name = service; name = service;
value = { value =
enable = true; {
openFirewall = true; enable = true;
openFirewall = true;
environmentFiles = [ environmentFiles = [
config.sops.templates."${service}/config.env".path config.sops.templates."${service}/config.env".path
]; ];
settings = { settings = {
auth.authenticationMethod = "External"; auth.authenticationMethod = "External";
server = { server = {
bindaddress = "0.0.0.0"; bindaddress = "0.0.0.0";
port = 2000 + i; port = 2000 + i;
};
postgres = {
host = "localhost";
port = "5432";
user = service;
maindb = service;
logdb = service;
};
}; };
}
postgres = { // (
host = "localhost"; if service != "prowlarr"
port = "5432"; then {
user = service; user = cfg.user;
maindb = service; group = cfg.group;
logdb = service; }
}; else {}
}; );
}
// (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {});
}) })
|> lib.listToAttrs |> lib.listToAttrs;
; in
in arr-services
arr-services // { // {
bazarr = { bazarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
user = cfg.user; user = cfg.user;
group = cfg.group; group = cfg.group;
listenPort = 2005; listenPort = 2005;
};
# port is harcoded in nixpkgs module
jellyfin = {
enable = true;
openFirewall = true;
user = cfg.user;
group = cfg.group;
};
flaresolverr = {
enable = true;
openFirewall = true;
port = 2007;
};
qbittorrent = {
enable = true;
openFirewall = true;
webuiPort = 2008;
serverConfig = {
LegalNotice.Accepted = true;
}; };
user = cfg.user; # port is harcoded in nixpkgs module
group = cfg.group; jellyfin = {
}; enable = true;
openFirewall = true;
user = cfg.user;
group = cfg.group;
};
# port is harcoded in nixpkgs module flaresolverr = {
sabnzbd = { enable = true;
enable = true; openFirewall = true;
openFirewall = true; port = 2007;
configFile = "${cfg.path}/sabnzbd/config.ini"; };
user = cfg.user; qbittorrent = {
group = cfg.group; enable = true;
}; openFirewall = true;
webuiPort = 2008;
postgresql = serverConfig = {
let LegalNotice.Accepted = true;
databases = arr |> lib.concatMap (s: [ s "${s}-log" ]);
in
{
enable = true;
ensureDatabases = arr;
ensureUsers = arr |> lib.map (service: {
name = service;
ensureDBOwnership = true;
});
};
caddy = { Prefecences.WebUI = {
enable = true; Username = "admin";
virtualHosts = { };
"jellyfin.kruining.eu".extraConfig = '' };
reverse_proxy http://[::1]:8096
''; user = cfg.user;
group = cfg.group;
};
# port is harcoded in nixpkgs module
sabnzbd = {
enable = true;
openFirewall = true;
configFile = "${cfg.path}/sabnzbd/config.ini";
user = cfg.user;
group = cfg.group;
};
postgresql = let
databases = arr |> lib.concatMap (s: [s "${s}-log"]);
in {
enable = true;
ensureDatabases = arr;
ensureUsers =
arr
|> lib.map (service: {
name = service;
ensureDBOwnership = true;
});
};
caddy = {
enable = true;
virtualHosts = {
"jellyfin.kruining.eu".extraConfig = ''
reverse_proxy http://[::1]:8096
'';
};
}; };
}; };
};
systemd.services.radarrApplyTerraform = systemd.services.radarrApplyTerraform = let
let
# this is a nix package, the generated json file to be exact # this is a nix package, the generated json file to be exact
terraformConfiguration = inputs.terranix.lib.terranixConfiguration { terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
inherit system; inherit system;
modules = [ modules = [
({ config, lib, ... }: { ({
config,
lib,
...
}: {
config = { config = {
variable = { variable = {
api_key = { api_key = {
@ -207,13 +228,12 @@ in
}) })
]; ];
}; };
in in {
{
description = "Radarr terraform apply"; description = "Radarr terraform apply";
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
wants = [ "radarr.service" ]; wants = ["radarr.service"];
script = '' script = ''
#!/usr/bin/env bash #!/usr/bin/env bash
@ -255,53 +275,70 @@ in
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
sops = { sops = {
secrets = secrets = let
arr arrSecrets =
|> lib.map (service: { arr
name = "${service}/apikey"; |> lib.map (service: {
value = { name = "${service}/apikey";
value = {
owner = cfg.user;
group = cfg.group;
restartUnits = ["${service}.service"];
};
})
|> lib.listToAttrs;
in
arrSecrets
// {
# "qbittorrent/password" = {};
"qbittorrent/password_hash" = {};
};
templates = let
apikeys =
arr
|> lib.map (service: {
name = "${service}/config.env";
value = {
owner = cfg.user;
group = cfg.group;
restartUnits = ["${service}.service"];
content = ''
${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}"
'';
};
})
|> lib.listToAttrs;
tfvars =
arr
|> lib.map (service: {
name = "${service}/config.tfvars";
value = {
owner = cfg.user;
group = cfg.group;
restartUnits = ["${service}ApplyTerraform.service"];
content = ''
api_key = "${config.sops.placeholder."${service}/apikey"}"
'';
};
})
|> lib.listToAttrs;
qbittorrent = {
"qbittorrent/password.conf" = {
owner = cfg.user; owner = cfg.user;
group = cfg.group; group = cfg.group;
restartUnits = [ "${service}.service" ]; restartUnits = ["qbittorrent.service"];
path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf";
content = ''
[Preferences]
WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}"
'';
}; };
}) };
|> lib.listToAttrs in
; apikeys // tfvars // qbittorrent;
templates =
let
apikeys =
arr
|> lib.map (service: {
name = "${service}/config.env";
value = {
owner = cfg.user;
group = cfg.group;
restartUnits = [ "${service}.service" ];
content = ''
${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}"
'';
};
})
|> lib.listToAttrs;
tfvars =
arr
|> lib.map(service: {
name = "${service}/config.tfvars";
value = {
owner = cfg.user;
group = cfg.group;
restartUnits = [ "${service}ApplyTerraform.service" ];
content = ''
api_key = "${config.sops.placeholder."${service}/apikey"}"
'';
};
})
|> lib.listToAttrs;
in
apikeys // tfvars
;
}; };
}; };
} }

44
modules/nixos/services/media/mydia/default.nix
View file

@ -26,9 +26,17 @@ in {
listenAddress = "0.0.0.0"; listenAddress = "0.0.0.0";
openFirewall = true; openFirewall = true;
mediaLibraries = [
"/var/mydia/movies"
"/var/mydia/series"
];
database = { database = {
# type = "sqlite";
# uri = "file:///var/lib/mydia/mydia.db";
type = "postgres"; type = "postgres";
uri = "postgres://localhost:5432/mydia?sslMode=disable"; uri = "postgres://mydia@localhost:5432/mydia?sslmode=disable";
passwordFile = config.sops.secrets."mydia/qbittorrent_password".path;
}; };
secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path;
@ -41,16 +49,38 @@ in {
clientSecretFile = config.sops.secrets."mydia/oidc_secret".path; clientSecretFile = config.sops.secrets."mydia/oidc_secret".path;
scopes = ["openid" "profile" "email"]; scopes = ["openid" "profile" "email"];
}; };
downloadClients = {
qbittorrent = {
type = "qbittorrent";
host = "localhost";
port = 2008;
username = "admin";
passwordFile = config.sops.secrets."mydia/qbittorrent_password".path;
useSsl = false;
};
};
}; };
sops.secrets = sops.secrets = let
["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"] base =
|> lib.map (name: ["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"]
lib.nameValuePair "mydia/${name}" { |> lib.map (name:
lib.nameValuePair "mydia/${name}" {
owner = config.services.mydia.user;
group = config.services.mydia.group;
restartUnits = ["mydia.service"];
})
|> lib.listToAttrs;
in
base
// {
"mydia/qbittorrent_password" = {
owner = config.services.mydia.user; owner = config.services.mydia.user;
group = config.services.mydia.group; group = config.services.mydia.group;
restartUnits = ["mydia.service"]; restartUnits = ["mydia.service"];
}) key = "qbittorrent/password";
|> lib.listToAttrs; };
};
}; };
} }