chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

kaas

Browse source
This commit is contained in:
Chris Kruining 2025-12-06 17:39:16 +01:00 committed by chris
parent a787c8c646
commit 98425c9dcc
8 changed files with 251 additions and 174 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.just/machine.just
View file

@ -8,4 +8,4 @@
[no-exit-message]
@update machine:
just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')"
nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }}
nixos-rebuild switch -L --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }}

4
.just/vars.just
View file

@ -1,8 +1,10 @@
set unstable
set unstable := true
base_path := invocation_directory() / "systems/x86_64-linux"
# sops := "nix shell nixpkgs#sops --command sops"
# yq := "nix shell nixpkgs#yq --command yq"
sops := "sops"
yq := "yq"

2
.justfile
View file

@ -19,7 +19,7 @@ mod machine '.just/machine.just'
[doc('Introspection on flake output')]
@select key:
nix eval --json .#{{ key }} | jq .
nix eval --show-trace --json .#{{ key }} | jq .

6
flake.lock generated
View file

@ -713,11 +713,11 @@
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1764840646,
"narHash": "sha256-ffhLaQWDm4iyf7j3uxmMXg5k7FRimaj8PXA4Jj9EpB0=",
"lastModified": 1764866402,
"narHash": "sha256-0NOWsPks+/vV5ZM9ti71hUPMLy3FzbEIlFI6vxARvuY=",
"owner": "chris-kruining",
"repo": "mydia",
"rev": "035fa63a276ed4dd9743fdf5ff50a651cabb9bcd",
"rev": "458fc9a21c6987d994bc7932efb6c49df25ba806",
"type": "github"
},
"original": {

8
modules/nixos/services/development/forgejo/default.nix
View file

@ -184,6 +184,14 @@ in {
};
};
users = {
users."gitea-runner" = {
isSystemUser = true;
group = "gitea-runner";
};
groups."gitea-runner" = {};
};
sops.secrets = {
"forgejo/action_runner_token" = {
owner = "gitea-runner";

89
modules/nixos/services/media/default.nix
View file

@ -1,13 +1,19 @@
{ pkgs, lib, namespace, config, inputs, system, ... }:
let
{
pkgs,
lib,
namespace,
config,
inputs,
system,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str;
cfg = config.${namespace}.services.media;
arr = ["radarr"];
in
{
in {
options.${namespace}.services.media = {
enable = mkEnableOption "Enable media services";
@ -73,7 +79,8 @@ in
arr
|> lib.imap (i: service: {
name = service;
value = {
value =
{
enable = true;
openFirewall = true;
@ -98,12 +105,19 @@ in
};
};
}
// (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {});
// (
if service != "prowlarr"
then {
user = cfg.user;
group = cfg.group;
}
else {}
);
})
|> lib.listToAttrs
;
|> lib.listToAttrs;
in
arr-services // {
arr-services
// {
bazarr = {
enable = true;
openFirewall = true;
@ -133,6 +147,10 @@ in
serverConfig = {
LegalNotice.Accepted = true;
Prefecences.WebUI = {
Username = "admin";
};
};
user = cfg.user;
@ -149,14 +167,14 @@ in
group = cfg.group;
};
postgresql =
let
postgresql = let
databases = arr |> lib.concatMap (s: [s "${s}-log"]);
in
{
in {
enable = true;
ensureDatabases = arr;
ensureUsers = arr |> lib.map (service: {
ensureUsers =
arr
|> lib.map (service: {
name = service;
ensureDBOwnership = true;
});
@ -172,14 +190,17 @@ in
};
};
systemd.services.radarrApplyTerraform =
let
systemd.services.radarrApplyTerraform = let
# this is a nix package, the generated json file to be exact
terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
inherit system;
modules = [
({ config, lib, ... }: {
({
config,
lib,
...
}: {
config = {
variable = {
api_key = {
@ -207,8 +228,7 @@ in
})
];
};
in
{
in {
description = "Radarr terraform apply";
wantedBy = ["multi-user.target"];
@ -255,7 +275,8 @@ in
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
sops = {
secrets =
secrets = let
arrSecrets =
arr
|> lib.map (service: {
name = "${service}/apikey";
@ -265,11 +286,15 @@ in
restartUnits = ["${service}.service"];
};
})
|> lib.listToAttrs
;
|> lib.listToAttrs;
in
arrSecrets
// {
# "qbittorrent/password" = {};
"qbittorrent/password_hash" = {};
};
templates =
let
templates = let
apikeys =
arr
|> lib.map (service: {
@ -299,9 +324,21 @@ in
};
})
|> lib.listToAttrs;
qbittorrent = {
"qbittorrent/password.conf" = {
owner = cfg.user;
group = cfg.group;
restartUnits = ["qbittorrent.service"];
path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf";
content = ''
[Preferences]
WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}"
'';
};
};
in
apikeys // tfvars
;
apikeys // tfvars // qbittorrent;
};
};
}

34
modules/nixos/services/media/mydia/default.nix
View file

@ -26,9 +26,17 @@ in {
listenAddress = "0.0.0.0";
openFirewall = true;
mediaLibraries = [
"/var/mydia/movies"
"/var/mydia/series"
];
database = {
# type = "sqlite";
# uri = "file:///var/lib/mydia/mydia.db";
type = "postgres";
uri = "postgres://localhost:5432/mydia?sslMode=disable";
uri = "postgres://mydia@localhost:5432/mydia?sslmode=disable";
passwordFile = config.sops.secrets."mydia/qbittorrent_password".path;
};
secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path;
@ -41,9 +49,21 @@ in {
clientSecretFile = config.sops.secrets."mydia/oidc_secret".path;
scopes = ["openid" "profile" "email"];
};
downloadClients = {
qbittorrent = {
type = "qbittorrent";
host = "localhost";
port = 2008;
username = "admin";
passwordFile = config.sops.secrets."mydia/qbittorrent_password".path;
useSsl = false;
};
};
};
sops.secrets =
sops.secrets = let
base =
["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"]
|> lib.map (name:
lib.nameValuePair "mydia/${name}" {
@ -52,5 +72,15 @@ in {
restartUnits = ["mydia.service"];
})
|> lib.listToAttrs;
in
base
// {
"mydia/qbittorrent_password" = {
owner = config.services.mydia.user;
group = config.services.mydia.group;
restartUnits = ["mydia.service"];
key = "qbittorrent/password";
};
};
};
}