diff --git a/flake.lock b/flake.lock index 467a6b2..62cb83d 100644 --- a/flake.lock +++ b/flake.lock @@ -169,11 +169,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1737751639, - "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", + "lastModified": 1738816619, + "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", "type": "github" }, "original": { @@ -216,11 +216,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1737885589, - "narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=", + "lastModified": 1739446958, + "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8", + "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", "type": "github" }, "original": { @@ -244,11 +244,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1738023785, - "narHash": "sha256-BPHmb3fUwdHkonHyHi1+x89eXB3kA1jffIpwPVJIVys=", + "lastModified": 1739357830, + "narHash": "sha256-9xim3nJJUFbVbJCz48UP4fGRStVW5nv4VdbimbKxJ3I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2b4230bf03deb33103947e2528cac2ed516c5c89", + "rev": "0ff09db9d034a04acd4e8908820ba0b410d7a33a", "type": "github" }, "original": { diff --git a/hosts/hub/apps/actual.nix b/hosts/hub/apps/actual.nix index 115d411..8bf4170 100644 --- a/hosts/hub/apps/actual.nix +++ b/hosts/hub/apps/actual.nix @@ -10,6 +10,9 @@ ports = [ "5006:5006" ]; + environment = { + ACTUAL_LOGIN_METHOD = "header"; + }; volumes = [ "/var/lib/actual:/data" ]; }; diff --git a/hosts/hub/apps/audiobookshelf.nix b/hosts/hub/apps/audiobookshelf.nix index 8ed3581..aea7883 100644 --- a/hosts/hub/apps/audiobookshelf.nix +++ b/hosts/hub/apps/audiobookshelf.nix 
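Review bot: `ACTUAL_LOGIN_METHOD = "header";` makes the server accept the identity asserted in a header from the reverse proxy, but `ports = [ "5006:5006" ];` just above still publishes the port on all host interfaces (the default for both podman and docker), so anything that can reach 5006 directly can supply that header itself and skip Caddy/Authelia entirely. Bind the mapping to the address the proxy actually connects from, `ports = [ "127.0.0.1:5006:5006" ];` (or the bridge address if Caddy reaches it that way), and confirm the server's trusted-proxy setting, if one is configured, lists only the proxy. A comment above the new block would make the dependency explicit for the next reader, e.g. `# login is delegated to the forward_auth proxy; 5006 must never be reachable except through it`. The enclosing container definition starts and ends outside the hunk.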
@@ -8,5 +8,12 @@ reverse_proxy localhost:8000 ''; }; - environment.systemPackages = with pkgs; [ audible-cli ]; + environment.systemPackages = with pkgs; [ + audible-cli + ffmpeg + lame + jq + mp4v2 + mediainfo + ]; } diff --git a/hosts/hub/apps/dev.nix b/hosts/hub/apps/dev.nix index f102c1a..f309b8c 100644 --- a/hosts/hub/apps/dev.nix +++ b/hosts/hub/apps/dev.nix 
@@ -1,42 +1,81 @@ +{ pkgs, config, ... }: + +let + name = "dev"; + domain = "dev.thewordnerd.info"; + appName = "Nolan's Projects"; +in { + age.secrets."${name}_runner_linux".file = ../../../secrets/${name}_runner_linux.age; + services = { postgresql = { - ensureDatabases = [ "dev" ]; + ensureDatabases = [ name ]; ensureUsers = [ { - name = "dev"; + name = name; ensureDBOwnership = true; } ]; }; authelia.instances.main.settings.access_control.rules = [ { - domain = "dev.thewordnerd.info"; + domain = domain; policy = "bypass"; } ]; + + caddy.virtualHosts.${domain}.extraConfig = '' + forward_auth localhost:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + reverse_proxy ${name}:3000 + ''; + + gitea-actions-runner = { + package = pkgs.unstable.forgejo-runner; + instances."${name}-linux" = { + name = "Linux"; + enable = true; + url = "https://${domain}"; + labels = [ + "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04" + "native:host" + ]; + tokenFile = config.age.secrets."${name}_runner_linux".path; + }; + }; }; - containers.dev = { + environment.systemPackages = with pkgs; [ unstable.forgejo-runner ]; + + networking.firewall.trustedInterfaces = [ "br-+" ]; + + containers."${name}" = { autoStart = true; privateNetwork = true; hostAddress = "192.168.0.1"; localAddress = "192.168.0.2"; config = + let + hostPkgs = pkgs; + in { - config, - pkgs, lib, ... }: { - services.gitea = { + services.forgejo = { enable = true; - appName = "Nolan's projects"; + package = hostPkgs.unstable.forgejo; settings = { + DEFAULT = { + APP_NAME = appName; + }; server = { - ROOT_URL = "https://dev.thewordnerd.info"; - DOMAIN = "dev.thewordnerd.info"; + ROOT_URL = "https://${domain}"; + DOMAIN = domain; DISABLE_SSH = true; LANDING_PAGE = "explore"; }; 
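Review bot: `networking.firewall.trustedInterfaces = [ "br-+" ];` disables the firewall for every bridge interface on the hub, which presumably includes the Docker bridges the `ubuntu-latest:docker://...` runner jobs are attached to, so a CI job gets unfiltered access to everything listening on the host and on the container network. The `native:host` label goes further: a workflow carrying it runs directly on the hub as the runner's user, and because the `${domain}` vhost keeps `policy = "bypass"` in Authelia, who can trigger such a workflow is governed only by the forge's own registration and collaborator settings. If bridge trust exists only so jobs can reach the forge, a per-interface allow list (`networking.firewall.interfaces.<name>.allowedTCPPorts`) keeps the firewall for everything else, and `native:host` should be removed unless host-level jobs are genuinely required. At minimum a comment such as `# runner job containers sit on br-* bridges; trusting them exposes all host services to CI jobs` above the firewall line would record the trade-off. The `containers."${name}"` definition continues into the following hunks.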
@@ -55,8 +94,8 @@ lfs.enable = true; database = { type = "postgres"; - name = "dev"; - user = "dev"; + name = name; + user = name; socket = "/run/postgresql"; createDatabase = false; }; @@ -67,7 +106,7 @@ }; services.resolved.enable = true; environment.sessionVariables = { - PATH = [ "${pkgs.gitea}/bin" ]; + PATH = [ "${pkgs.forgejo}/bin" ]; GITEA_WORK_DIR = "/var/lib/gitea"; }; }; @@ -77,12 +116,4 @@ }; }; }; - - services.caddy.virtualHosts."dev.thewordnerd.info".extraConfig = '' - forward_auth localhost:9091 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - reverse_proxy dev:3000 - ''; } diff --git a/hosts/hub/apps/nextcloud.nix b/hosts/hub/apps/nextcloud.nix index 918361f..b842149 100644 --- a/hosts/hub/apps/nextcloud.nix +++ b/hosts/hub/apps/nextcloud.nix @@ -32,12 +32,18 @@ configureRedis = true; maxUploadSize = "16G"; # autoUpdateApps.enable = true; - notify_push.enable = true; + notify_push = { + enable = true; + bendDomainToLocalhost = true; + }; webfinger = true; settings = { overwriteprotocol = "https"; - trusted_proxies = [ "192.168.0.1" ]; + trusted_proxies = [ + "192.168.0.1" + ]; default_phone_region = "US"; + # loglevel = 0; }; config = { dbtype = "pgsql"; @@ -46,10 +52,6 @@ }; phpOptions."opcache.interned_strings_buffer" = "23"; }; - onlyoffice = { - enable = true; - hostname = "onlyoffice.thewordnerd.info"; - }; resolved.enable = true; }; programs.nix-ld.enable = true; 
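Review bot: `PATH = [ "${pkgs.forgejo}/bin" ];` in the third hunk of dev.nix puts the container's own `pkgs.forgejo` on the PATH, while the service is started from `hostPkgs.unstable.forgejo` in the first hunk, so the interactive `forgejo` CLI can be a different release from the one that owns the database and state directory. Use the same package, `PATH = [ "${hostPkgs.unstable.forgejo}/bin" ];` — `hostPkgs` is bound in the container's `config = let hostPkgs = pkgs; in ...` and is in scope here. `GITEA_WORK_DIR = "/var/lib/gitea"` is left pointing at the Gitea-era directory; presumably the Forgejo service's state directory is what the CLI should operate on, so confirm the two agree or the CLI will act on a stale tree. The enclosing container config starts and ends outside this hunk.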
@@ -57,12 +59,19 @@ firewall.allowedTCPPorts = [ 80 ]; useHostResolvConf = lib.mkForce false; }; - virtualisation.podman = { - enable = true; - dockerCompat = true; - dockerSocket.enable = true; - }; + virtualisation.docker.enable = true; + users.users.nextcloud.extraGroups = [ "docker" ]; + environment.systemPackages = [ + (pkgs.writeScriptBin "occ" '' + #!${pkgs.bash}/bin/bash + exec nextcloud-occ "$@" + '') + ]; }; + # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12 + additionalCapabilities = [ + ''all" --system-call-filter="add_key keyctl bpf" --capability="all'' + ]; bindMounts = { "/run/postgresql" = { hostPath = "/run/postgresql"; @@ -74,4 +83,8 @@ reverse_proxy nextcloud header Strict-Transport-Security max-age=31536000; ''; + + services.caddy.virtualHosts."collabora.thewordnerd.info".extraConfig = '' + reverse_proxy nextcloud:9980 + ''; } diff --git a/hosts/hub/apps/ollama.nix b/hosts/hub/apps/ollama.nix index e4fc202..a2190e2 100644 --- a/hosts/hub/apps/ollama.nix +++ b/hosts/hub/apps/ollama.nix @@ -1,7 +1,6 @@ { - services.ollama.enable = true; - services.caddy.virtualHosts."https://ollama.tailc50184.ts.net".extraConfig = '' - bind tailscale/ollama - reverse_proxy http://localhost:11434 - ''; -} \ No newline at end of file + services.ollama = { + enable = true; + host = "0.0.0.0"; + }; +} diff --git a/hosts/hub/default.nix b/hosts/hub/default.nix index e7855eb..1f69fab 100644 --- a/hosts/hub/default.nix +++ b/hosts/hub/default.nix @@ -26,6 +26,7 @@ ./apps/actual.nix ./apps/adguard.nix ./apps/audiobookshelf.nix + ./apps/ollama.nix ]; boot.loader.grub = { 
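Review bot: The `additionalCapabilities` entry works by closing the generated `--capability=` argument early to inject `--system-call-filter=...` and a second `--capability=all`, which presumably leaves this container with every capability (effectively privileged), and `users.users.nextcloud.extraGroups = [ "docker" ];` then makes the web-facing Nextcloud user root-equivalent inside it, so a compromise of the PHP process is no longer contained by the nspawn boundary. The linked discourse thread explains the trick but not that consequence; the comment should say it, e.g. `# grants the container all capabilities (effectively privileged); the nextcloud user is root-equivalent via the docker group`. Because the trick depends on how the container module shell-quotes ExecStart, a nixpkgs update can silently change what nspawn receives, so it is worth a check that `docker` still starts after each rebuild. If the in-container Docker only serves the `nextcloud:9980` backend proxied by the new collabora vhost in the next hunk, running that workload as an OCI container on the host instead would avoid privileging the whole Nextcloud container. The enclosing `containers.nextcloud` block starts and ends outside the hunk.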
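Review bot: `host = "0.0.0.0";` exposes Ollama's unauthenticated API on every interface (presumably still on 11434, the port the removed `reverse_proxy http://localhost:11434` targeted), whereas before it was reachable only through the tailscale-bound Caddy vhost; the only thing gating it now is the hub firewall, and the same commit adds `networking.firewall.trustedInterfaces = [ "br-+" ]` in dev.nix, so anything on a bridge, runner job containers included, can drive the model server. If the intent is tailnet-only access, keep `host` on loopback or the tailscale interface address or put a proxy back in front of it; if bridge clients are intended, a comment stating which ones would help, e.g. `# listens on all interfaces: reachable by every container on a trusted bridge`.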
@@ -116,6 +117,15 @@ 443 ]; + services.caddy.virtualHosts."thewordnerd.info".extraConfig = + ''redir https://www.thewordnerd.info{uri}''; + + services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = '' + file_server + root * /var/www/thewordnerd.info + header /.well-known/matrix/* content-type application/json + ''; + services.caddy.virtualHosts."users.thewordnerd.info".extraConfig = ''reverse_proxy localhost:17170''; @@ -139,12 +149,6 @@ } ''; - services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = '' - file_server - root * /var/www/thewordnerd.info - header /.well-known/matrix/* content-type application/json - ''; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/pkgs/caddy/flake.nix b/pkgs/caddy/flake.nix index 5820d9e..0144ea8 100644 --- a/pkgs/caddy/flake.nix +++ b/pkgs/caddy/flake.nix @@ -23,7 +23,7 @@ packages = { default = pkgs.caddy.withPlugins { plugins = [ "github.com/tailscale/caddy-tailscale@f21c01b660c896bdd6bacc37178dc00d9af282b4" ]; - hash = "sha256-zrL1wrWXbXnBrWHSnuNaoO2Q7R9GL3/DfUtS5vTqono="; + hash = "sha256-WCyobNu2We2q/wP8H3C3pwxmXQ4cqybsNKL3nOSHrFo="; }; }; } diff --git a/roles/authelia.nix b/roles/authelia.nix index 200b7ae..abacde7 100644 --- a/roles/authelia.nix +++ b/roles/authelia.nix @@ -49,7 +49,6 @@ authentication_backend = { password_reset.disable = false; refresh_interval = "1m"; - ldap = { implementation = "custom"; address = "ldap://localhost:3890"; diff --git a/secrets/dev_runner_linux.age b/secrets/dev_runner_linux.age new file mode 100644 index 0000000..de532a8 --- /dev/null +++ b/secrets/dev_runner_linux.age 
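Review bot: `redir https://www.thewordnerd.info{uri}` issues Caddy's default temporary redirect; for an apex-to-www canonical host the usual form is `redir https://www.thewordnerd.info{uri} permanent` so clients and crawlers cache it. Since `/.well-known/matrix/*` is served only by the www vhost, a lookup against the apex now depends on the redirect being followed; if the apex is used as a Matrix server name, confirm both server and client well-known lookups still succeed. The enclosing module body starts and ends outside the hunk.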
@@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 5X7MKw OFZLirNVsQ5klS+bNgG9frnbZbRw0cje5xPUV9WiBSs +q31jUX8SNN8tYEx666oBFmRHWCqbskLFb3ya4V5NKlQ +--- beVB7IjgzaVWLSJ3XMRQ870aK7dwswvQF91k/DM3dz4 +ʞpɇS;]7D_xyx|ߦdxm+ +A[y>)%og \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e873b7f..12474e2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -5,7 +5,10 @@ let flynode = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhYhgpzyqIbSX779o6TI9yZA1qvha+SUfrdHwndj69I"; in { - "nolan.age".publicKeys = [ nolan flynode ]; + "nolan.age".publicKeys = [ + nolan + flynode + ]; "ldap.age".publicKeys = [ hub ]; "jwt.age".publicKeys = [ hub ]; "authelia_session.age".publicKeys = [ hub ]; @@ -15,4 +18,5 @@ in hub garden ]; + "dev_runner_linux.age".publicKeys = [ hub ]; }