From 748948bfbfdbc189c4a9997c90d4445c9ad362fb Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 3 Jan 2025 21:39:15 +0100 Subject: [PATCH 01/73] WIP generic-device-plugin --- flake.lock | 6 +++--- nixng-configurations/default.nix | 1 + nixng-configurations/generic-device-plugin.nix | 10 ++++++++++ 3 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 nixng-configurations/generic-device-plugin.nix diff --git a/flake.lock b/flake.lock index 7dbc1cd..6ad2f9b 100644 --- a/flake.lock +++ b/flake.lock @@ -688,11 +688,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1735551011, - "narHash": "sha256-rp26PcdLjfgxsCeaSeZ0K1rGPN1Ap7YCy1UVuo9gRJA=", + "lastModified": 1735726395, + "narHash": "sha256-rwhsZuwJzJ825Et7YI73G7+wHiPLFfx3SOnozWZfLJ0=", "owner": "pizzapim", "repo": "NixNG", - "rev": "aa35f7a3d426e906b15e3083c90bf2972bcfb4b4", + "rev": "dbbbb22d8feed064455a8653a0450b3da5a31424", "type": "github" }, "original": { diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index cd02779..80375cb 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -23,6 +23,7 @@ flake-utils.lib.eachDefaultSystem (system: let bazarr = ./bazarr.nix; prowlarr = ./prowlarr.nix; blog = ./blog.nix; + generic-device-plugin = ./generic-device-plugin.nix; }; in { nixngConfigurations = builtins.mapAttrs (name: configFile: diff --git a/nixng-configurations/generic-device-plugin.nix b/nixng-configurations/generic-device-plugin.nix new file mode 100644 index 0000000..abb2406 --- /dev/null +++ b/nixng-configurations/generic-device-plugin.nix @@ -0,0 +1,10 @@ +{globals, ...}: { + dinit.enable = true; + init.services.generic-device-plugin.shutdownOnExit = true; + + services.generic-device-plugin = { + enable = true; + settings = { + }; + }; +} From 3b0a54581d336d85f17191caafd09a874971f000 Mon Sep 17 00:00:00 2001 
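Review bot: `settings = { }` in the new generic-device-plugin.nix enables the plugin with no device definitions, and the `globals` module argument is bound but never read. Because a device plugin's settings decide which host devices become visible to pods, the placeholder deserves at least a comment stating the intended, narrowest device set, e.g. `settings = { # TODO: list only the host devices the workloads need };`, and `{globals, ...}` can be `{...}` until the argument is used.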
From: Pim Kunis Date: Sat, 4 Jan 2025 11:22:05 +0100 Subject: [PATCH 02/73] Move non-upstreamed NixNG modules into this repo --- flake.lock | 6 +-- flake.nix | 1 + nixng-configurations/default.nix | 6 +++ nixng-modules/bazarr.nix | 29 ++++++++++++ nixng-modules/default.nix | 10 +++++ nixng-modules/jellyseerr.nix | 46 ++++++++++++++++++++ nixng-modules/prowlarr.nix | 33 ++++++++++++++ nixng-modules/radarr.nix | 31 +++++++++++++ nixng-modules/radicale.nix | 75 ++++++++++++++++++++++++++++++++ nixng-modules/sonarr.nix | 31 +++++++++++++ 10 files changed, 265 insertions(+), 3 deletions(-) create mode 100644 nixng-modules/bazarr.nix create mode 100644 nixng-modules/default.nix create mode 100644 nixng-modules/jellyseerr.nix create mode 100644 nixng-modules/prowlarr.nix create mode 100644 nixng-modules/radarr.nix create mode 100644 nixng-modules/radicale.nix create mode 100644 nixng-modules/sonarr.nix diff --git a/flake.lock b/flake.lock index 7dbc1cd..b1b5976 100644 --- a/flake.lock +++ b/flake.lock @@ -688,11 +688,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1735551011, - "narHash": "sha256-rp26PcdLjfgxsCeaSeZ0K1rGPN1Ap7YCy1UVuo9gRJA=", + "lastModified": 1735985475, + "narHash": "sha256-7blkWqfcvYKfaL2hpy/nWTooHRfJSqaO0a2+XWccqkE=", "owner": "pizzapim", "repo": "NixNG", - "rev": "aa35f7a3d426e906b15e3083c90bf2972bcfb4b4", + "rev": "dea65c6a83945c755b9d0097aa2535991daeb907", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index c875d9f..d1a3a35 100644 --- a/flake.nix +++ b/flake.nix @@ -60,5 +60,6 @@ ./formatter.nix ./shell.nix ./nixng-configurations + ./nixng-modules ]; } diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index cd02779..e70cce2 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix 
@@ -37,6 +37,12 @@ in { }; extraModules = [ + self.nixngModules.bazarr + self.nixngModules.radicale + self.nixngModules.jellyseerr + self.nixngModules.radarr + self.nixngModules.sonarr + self.nixngModules.prowlarr { nixpkgs.overlays = [ (final: _prev: { diff --git a/nixng-modules/bazarr.nix b/nixng-modules/bazarr.nix new file mode 100644 index 0000000..4620479 --- /dev/null +++ b/nixng-modules/bazarr.nix @@ -0,0 +1,29 @@ +{ + lib, + config, + pkgs, + ... +}: let + cfg = config.services.bazarr; +in { + options.services.bazarr = { + enable = lib.mkEnableOption "bazarr"; + package = lib.mkPackageOption pkgs "bazarr" {}; + configDir = lib.mkOption { + description = "Where Bazarr's configuration files are stored."; + type = lib.types.str; + default = "/config"; + }; + }; + config = lib.mkIf cfg.enable { + init.services.bazarr = { + enabled = true; + script = pkgs.writeShellScript "bazarr-run" '' + ${lib.getExe cfg.package} \ + --no-update \ + --config '${cfg.configDir}' + ''; + }; + environment.systemPackages = [cfg.package]; + }; +} diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix new file mode 100644 index 0000000..e39eca0 --- /dev/null +++ b/nixng-modules/default.nix @@ -0,0 +1,10 @@ +{...}: { + nixngModules = { + bazarr = import ./bazarr.nix; + radicale = import ./radicale.nix; + jellyseerr = import ./jellyseerr.nix; + radarr = import ./radarr.nix; + sonarr = import ./sonarr.nix; + prowlarr = import ./prowlarr.nix; + }; +} diff --git a/nixng-modules/jellyseerr.nix b/nixng-modules/jellyseerr.nix new file mode 100644 index 0000000..c9179c6 --- /dev/null +++ b/nixng-modules/jellyseerr.nix 
@@ -0,0 +1,46 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: let
+ cfg = config.services.jellyseerr;
+in {
+ options.services.jellyseerr = {
+ enable = lib.mkEnableOption "jellyseerr";
+ package = lib.mkPackageOption pkgs "jellyseerr" {};
+
+ port = lib.mkOption {
+ description = ''
+ The port Jellyseerr should listen on.
+ '';
+ type = lib.types.port;
+ example = 8080;
+ default = 5055;
+ };
+
+ configDir = lib.mkOption {
+ description = ''
+ The directory to save run-time configuration.
+ '';
+ type = lib.types.str;
+ example = "/jellyseerr";
+ default = "/var/lib/jellyseerr";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ init.services.jellyseerr = {
+ enabled = true;
+ script = lib.getExe cfg.package;
+ };
+
+ environment = {
+ systemPackages = [cfg.package];
+ variables = {
+ PORT = builtins.toString cfg.port;
+ CONFIG_DIRECTORY = cfg.configDir;
+ };
+ };
+ };
+}
diff --git a/nixng-modules/prowlarr.nix b/nixng-modules/prowlarr.nix
new file mode 100644
index 0000000..e8f9677
--- /dev/null
+++ b/nixng-modules/prowlarr.nix
@@ -0,0 +1,33 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.services.prowlarr;
+in {
+ options.services.prowlarr = {
+ enable = lib.mkEnableOption "prowlarr";
+ package = lib.mkPackageOption pkgs "prowlarr" {};
+
+ dataDir = lib.mkOption {
+ description = "Directory to store Prowlarr's data";
+ type = lib.types.str;
+ default = "/config";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ init.services.prowlarr = {
+ enabled = true;
+
+ script = pkgs.writeShellScript "prowlarr-run" ''
+ ${lib.getExe cfg.package} \
+ -nobrowser \
+ -data=${cfg.dataDir}
+ '';
+ };
+
+ environment.systemPackages = [cfg.package];
+ };
+}
diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix
new file mode 100644
index 0000000..aa6af40
--- /dev/null
+++ b/nixng-modules/radarr.nix
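Review bot: `environment.variables` in jellyseerr.nix exports `PORT` and `CONFIG_DIRECTORY` into the environment of every process in the image, not only the Jellyseerr service, so any other service or shell in the container inherits a port and a config path meant for one daemon. Scoping them to the service's own run script keeps the settings where they are consumed and lets `lib.escapeShellArg` protect the path; `environment.systemPackages` stays as is. The rewritten `config` block is below.
```nix
# … unchanged: module arguments and options.services.jellyseerr …
  config = lib.mkIf cfg.enable {
    init.services.jellyseerr = {
      enabled = true;
      # Scope PORT/CONFIG_DIRECTORY to this process instead of the whole image.
      script = pkgs.writeShellScript "jellyseerr-run" ''
        export PORT=${builtins.toString cfg.port}
        export CONFIG_DIRECTORY=${lib.escapeShellArg cfg.configDir}
        exec ${lib.getExe cfg.package}
      '';
    };

    environment.systemPackages = [cfg.package];
  };
```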
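Review bot: `-data=${cfg.dataDir}` in the prowlarr.nix run script interpolates a `lib.types.str` option into the shell unquoted, whereas bazarr.nix writes `--config '${cfg.configDir}'` and radarr.nix writes `-data='${cfg.dataDir}'`; a directory containing whitespace or a shell metacharacter would be split or expanded here. Use the same quoting as the siblings, `-data='${cfg.dataDir}'`, or `-data=${lib.escapeShellArg cfg.dataDir}`. The sonarr.nix file added later in this commit has the identical unquoted `-data=${cfg.dataDir}`.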
@@ -0,0 +1,31 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.radarr;
+in {
+ options.services.radarr = {
+ enable = lib.mkEnableOption "radarr";
+ package = lib.mkPackageOption pkgs "radarr" {};
+
+ dataDir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/radarr/.config/Radarr";
+ description = "The directory where Radarr stores its data files.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ init.services.radarr = {
+ enabled = true;
+
+ script = pkgs.writeShellScript "radarr-run.sh" ''
+ ${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}'
+ '';
+ };
+
+ environment.systemPackages = [cfg.package];
+ };
+}
diff --git a/nixng-modules/radicale.nix b/nixng-modules/radicale.nix
new file mode 100644
index 0000000..f12b0bd
--- /dev/null
+++ b/nixng-modules/radicale.nix
@@ -0,0 +1,75 @@
+{
+ lib,
+ pkgs,
+ config,
+ nglib,
+ ...
+}: let
+ cfg = config.services.radicale;
+
+ settingsFormat = pkgs.formats.ini {
+ listToValue = lib.concatMapStringsSep ", " (lib.generators.mkValueStringDefault {});
+ };
+in {
+ options.services.radicale = {
+ enable = lib.mkEnableOption "radicale";
+ package = lib.mkPackageOption pkgs "radicale" {};
+ user = lib.mkOption {
+ description = "radicale user";
+ type = lib.types.str;
+ default = "radicale";
+ };
+ group = lib.mkOption {
+ description = "radicale group";
+ type = lib.types.str;
+ default = "radicale";
+ };
+ settings = lib.mkOption {
+ type = settingsFormat.type;
+ default = {};
+ description = ''
+ Configuration for Radicale. See
+ .
+ '';
+ example = lib.literalExpression ''
+ server = {
+ hosts = [ "0.0.0.0:5232" "[::]:5232" ];
+ };
+ auth = {
+ type = "htpasswd";
+ htpasswd_filename = "/etc/radicale/users";
+ htpasswd_encryption = "bcrypt";
+ };
+ storage = {
+ filesystem_folder = "/var/lib/radicale/collections";
+ };
+ '';
+ };
+ };
+ config = lib.mkIf cfg.enable (let
+ configFile = settingsFormat.generate "radicale.ini" cfg.settings;
+ in {
+ init.services.radicale = {
+ enabled = true;
+ script = pkgs.writeShellScript "radicale-run" ''
+ chpst -u ${cfg.user}:${cfg.group} ${cfg.package}/bin/radicale \
+ --config ${configFile}
+ '';
+ };
+ environment.systemPackages = [cfg.package];
+ users.users.${cfg.user} = nglib.mkDefaultRec {
+ description = "radicale";
+ group = cfg.group;
+ createHome = false;
+ home = "/var/empty";
+ useDefaultShell = true;
+ uid = config.ids.uids.radicale;
+ };
+ users.groups.${cfg.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;};
+
+ ids = {
+ uids.radicale = 408;
+ gids.radicale = 408;
+ };
+ });
+}
diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix
new file mode 100644
index 0000000..5ebff69
--- /dev/null
+++ b/nixng-modules/sonarr.nix
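Review bot: The `settings` description in radicale.nix reads `Configuration for Radicale. See` followed by a bare `.`, so the link target was lost when the module was copied in; restore it as `Configuration for Radicale. See <RADICALE-CONFIG-DOCS-URL> for the available sections.` with the placeholder replaced by the upstream documentation link. In the same hunk `chpst -u ${cfg.user}:${cfg.group}` splices two `lib.types.str` options into the run script unquoted; `chpst -u ${lib.escapeShellArg "${cfg.user}:${cfg.group}"}` keeps an unusual account name from being split by the shell. The example's `hosts = [ "0.0.0.0:5232" "[::]:5232" ]` listens on all interfaces, which is the normal choice inside a pod but worth a one-line comment so the example is not copied unchanged to a host install.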
@@ -0,0 +1,31 @@ +{ + lib, + config, + pkgs, + ... +}: let + cfg = config.services.sonarr; +in { + options.services.sonarr = { + enable = lib.mkEnableOption "sonarr"; + package = lib.mkPackageOption pkgs "sonarr" {}; + + dataDir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/sonarr/.config/NzbDrone"; + description = "The directory where Sonarr stores its data files."; + }; + }; + + config = lib.mkIf cfg.enable { + init.services.sonarr = { + enabled = true; + + script = pkgs.writeShellScript "sonarr-run" '' + ${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir} + ''; + }; + + environment.systemPackages = [cfg.package]; + }; +} From 6106f2f7959bcc64f41c185744ad1175c624903c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 4 Jan 2025 11:33:17 +0100 Subject: [PATCH 03/73] Update flake inputs --- flake.lock | 67 ++++++++++++++++++++---------------------------------- 1 file changed, 25 insertions(+), 42 deletions(-) diff --git a/flake.lock b/flake.lock index b1b5976..9bb46b8 100644 --- a/flake.lock +++ b/flake.lock @@ -383,15 +383,14 @@ "gitignore": "gitignore", "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1734797603, - "narHash": "sha256-ulZN7ps8nBV31SE+dwkDvKIzvN6hroRY8sYOT0w+E28=", + "lastModified": 1735882644, + "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "f0f0dc4920a903c3e08f5bdb9246bb572fcae498", + "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656", "type": "github" }, "original": { @@ -408,7 +407,7 @@ "servers", "nixpkgs-unstable" ], - "nixpkgs-stable": "nixpkgs-stable_2" + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { "lastModified": 1730302582, 
@@ -667,11 +666,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1735607967, - "narHash": "sha256-hdOdhQskvxyPPrf4w/k484xfVEVsqktHjwS0noTRRCw=", + "lastModified": 1735953485, + "narHash": "sha256-t0DNGHwMAI6xqDpf3ba+VfHkpI7QHBB3uY/euSVCOdc=", "owner": "farcaller", "repo": "nixhelm", - "rev": "6ce9cfd0e06bbf609af333069b3c4e84cd739755", + "rev": "1db94e2f5a8084b8cbaa12d64701ac432188e1cb", "type": "github" }, "original": { @@ -773,11 +772,11 @@ }, "nixpkgs-bazarr": { "locked": { - "lastModified": 1735086895, - "narHash": "sha256-893hOoQn5t9g0r57N0D8/G5WC4pPaNlprjAYO0TWRxc=", + "lastModified": 1735934023, + "narHash": "sha256-i28ekcGQ5UIngZUGlFdLe7/7ppC4lHu3roTuwfEnvnQ=", "owner": "r-ryantm", "repo": "nixpkgs", - "rev": "89e79d58769436a8cfd0d80ae28012d51134f2f3", + "rev": "65ac365bbea82b7d4529b9f89fd9e61b67df43ae", "type": "github" }, "original": { @@ -805,11 +804,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1735935963, - "narHash": "sha256-i6xTJb3sb4BeWypD/DjAmslDzGXZUGU1OFJliaKFuuc=", + "lastModified": 1735986103, + "narHash": "sha256-9de+/q2M04zItuD47uIfA7kPY/R2bgkPDM/G2HQ2UwQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "20166d17f391d2e11311baaa74344381fa44e4a0", + "rev": "fd152bc101e2a4498a06365c0c0ab031800dc030", "type": "github" }, "original": { @@ -836,22 +835,6 @@ } }, "nixpkgs-stable": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_2": { "locked": { "lastModified": 1720386169, "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", 
@@ -867,7 +850,7 @@ "type": "github" } }, - "nixpkgs-stable_3": { + "nixpkgs-stable_2": { "locked": { "lastModified": 1729357638, "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", @@ -917,11 +900,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1735471104, - "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", + "lastModified": 1735834308, + "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", + "rev": "6df24922a1400241dae323af55f30e4318a6ca65", "type": "github" }, "original": { @@ -965,11 +948,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1733097829, - "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=", + "lastModified": 1735554305, + "narHash": "sha256-zExSA1i/b+1NMRhGGLtNfFGXgLtgo+dcuzHzaWA6w3Q=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a", + "rev": "0e82ab234249d8eee3e8c91437802b32c74bb3fd", "type": "github" }, "original": { @@ -1063,7 +1046,7 @@ "servers", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_3" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1729775275, @@ -1295,11 +1278,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1735649548, - "narHash": "sha256-/4pTzlmABhx26AOTYvFN1OTCxJJL/LBUB49giqoMhJA=", + "lastModified": 1735905407, + "narHash": "sha256-1hKMRIT+QZNWX46e4gIovoQ7H8QRb7803ZH4qSKI45o=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "597705118f16d1dcd0fef99707700d13b2b324d7", + "rev": "29806abab803e498df96d82dd6f34b32eb8dd2c8", "type": "github" }, "original": { From e7ddf543c80debabff816c13fb321cf9673e3c52 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 4 Jan 2025 11:54:21 +0100 Subject: [PATCH 04/73] Use Jellyseerr from nixpkgs master branch --- flake.lock | 17 ----------------- flake.nix | 1 - nixng-configurations/default.nix | 3 +-- 3 files changed, 1 insertion(+), 20 deletions(-) 
diff --git a/flake.lock b/flake.lock index 9bb46b8..0610d00 100644 --- a/flake.lock +++ b/flake.lock @@ -786,22 +786,6 @@ "type": "github" } }, - "nixpkgs-jellyseerr": { - "locked": { - "lastModified": 1735406088, - "narHash": "sha256-Cwah5iXhOJ3cbrPYG5oeSyhQ7F7BsAabHTeezD4elh0=", - "owner": "coonce", - "repo": "nixpkgs", - "rev": "25569750ccc0c692128e667a77585d6d27ff7e57", - "type": "github" - }, - "original": { - "owner": "coonce", - "ref": "jellyseerr", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-master": { "locked": { "lastModified": 1735986103, @@ -1000,7 +984,6 @@ "nixng": "nixng", "nixpkgs": "nixpkgs_3", "nixpkgs-bazarr": "nixpkgs-bazarr", - "nixpkgs-jellyseerr": "nixpkgs-jellyseerr", "nixpkgs-master": "nixpkgs-master", "nixpkgs-radicale": "nixpkgs-radicale", "servers": "servers", diff --git a/flake.nix b/flake.nix index d1a3a35..b966856 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,6 @@ flake-utils.url = "github:numtide/flake-utils"; treefmt-nix.url = "github:numtide/treefmt-nix"; blog.url = "git+https://git.kun.is/pim/blog"; - nixpkgs-jellyseerr.url = "github:coonce/nixpkgs?ref=jellyseerr"; nixpkgs-bazarr.url = "github:r-ryantm/nixpkgs?ref=auto-update/bazarr"; nixpkgs-radicale.url = "github:erictapen/nixpkgs?ref=radicale"; diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index e70cce2..9b2a803 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -5,7 +5,6 @@ nginx, blog, nixpkgs, - nixpkgs-jellyseerr, nixpkgs-bazarr, nixpkgs-radicale, nixpkgs-master, @@ -48,10 +47,10 @@ in { (final: _prev: { # From master branch prowlarr = nixpkgs-master.legacyPackages.${system}.prowlarr; + jellyseerr = nixpkgs-master.legacyPackages.${system}.jellyseerr; # From forks bazarr = nixpkgs-bazarr.legacyPackages.${system}.bazarr; - jellyseerr = nixpkgs-jellyseerr.legacyPackages.${system}.jellyseerr; radicale = nixpkgs-radicale.legacyPackages.${system}.radicale; }) ]; 
From fe960448c6b9c723beed178dd07ae75bce6de611 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 4 Jan 2025 23:23:41 +0100 Subject: [PATCH 05/73] Use group/user option for Radicale --- flake.lock | 8 ++++---- flake.nix | 2 +- nixng-modules/radicale.nix | 8 +++++++- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0610d00..b391b3d 100644 --- a/flake.lock +++ b/flake.lock @@ -687,16 +687,16 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1735985475, - "narHash": "sha256-7blkWqfcvYKfaL2hpy/nWTooHRfJSqaO0a2+XWccqkE=", + "lastModified": 1736029062, + "narHash": "sha256-7X65+TP0luFpQsA6KV80R05qnWp7NxMaIDryFfJ4MqI=", "owner": "pizzapim", "repo": "NixNG", - "rev": "dea65c6a83945c755b9d0097aa2535991daeb907", + "rev": "6211c11d7ef2cc8067efcd169e0b8fd02f1816b6", "type": "github" }, "original": { "owner": "pizzapim", - "ref": "kubernetes", + "ref": "dinit-fixes", "repo": "NixNG", "type": "github" } diff --git a/flake.nix b/flake.nix index b966856..ef37fa5 100644 --- a/flake.nix +++ b/flake.nix @@ -36,7 +36,7 @@ }; nixng = { - url = "github:pizzapim/NixNG/kubernetes"; + url = "github:pizzapim/NixNG/dinit-fixes"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nixng-modules/radicale.nix b/nixng-modules/radicale.nix index f12b0bd..996788c 100644 --- a/nixng-modules/radicale.nix +++ b/nixng-modules/radicale.nix @@ -51,12 +51,17 @@ in { in { init.services.radicale = { enabled = true; + user = lib.mkDefault "radicale"; + group = lib.mkDefault "radicale"; + script = pkgs.writeShellScript "radicale-run" '' - chpst -u ${cfg.user}:${cfg.group} ${cfg.package}/bin/radicale \ + ${cfg.package}/bin/radicale \ --config ${configFile} ''; }; + environment.systemPackages = [cfg.package]; + users.users.${cfg.user} = nglib.mkDefaultRec { description = "radicale"; group = cfg.group; 
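Review bot: After this hunk the process runs as `init.services.radicale.user` (defaulting to "radicale") while the account is still declared from the separate `services.radicale.user` option (`users.users.${cfg.user}` further down the same hunk), so setting one option without the other yields a service started as a user that was never created. Either derive both from one place, e.g. `users.users.${config.init.services.radicale.user}` with `group = config.init.services.radicale.group;`, or drop the now-redundant `services.radicale.user`/`group` options. The enclosing `config = lib.mkIf cfg.enable (let … in { … })` starts and ends outside the hunk.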
@@ -65,6 +70,7 @@ in { useDefaultShell = true; uid = config.ids.uids.radicale; }; + users.groups.${cfg.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;}; ids = { From a22c34716e6f7ffdae0036c4e654f6487ce1561f Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 5 Jan 2025 00:17:35 +0100 Subject: [PATCH 06/73] Run all nixng containers under particular user/group --- modules/media.nix | 11 ++++++----- nixng-configurations/default.nix | 1 + nixng-modules/bazarr.nix | 19 +++++++++++++++++++ nixng-modules/default.nix | 1 + nixng-modules/ids.nix | 21 +++++++++++++++++++++ nixng-modules/jellyseerr.nix | 16 ++++++++++++++++ nixng-modules/prowlarr.nix | 15 +++++++++++++++ nixng-modules/radarr.nix | 15 +++++++++++++++ nixng-modules/radicale.nix | 26 ++++++++------------------ nixng-modules/sonarr.nix | 15 +++++++++++++++ 10 files changed, 117 insertions(+), 23 deletions(-) create mode 100644 nixng-modules/ids.nix diff --git a/modules/media.nix b/modules/media.nix index 3b4be3e..1cb753a 100644 --- a/modules/media.nix +++ b/modules/media.nix @@ -186,7 +186,8 @@ }; securityContext = { - fsGroup = 0; + # TODO: don't hardcode this + fsGroup = 409; fsGroupChangePolicy = "OnRootMismatch"; }; }; @@ -244,7 +245,7 @@ }; securityContext = { - fsGroup = 1000; + fsGroup = 410; fsGroupChangePolicy = "OnRootMismatch"; }; }; @@ -295,7 +296,7 @@ }; securityContext = { - fsGroup = 1000; + fsGroup = 413; fsGroupChangePolicy = "OnRootMismatch"; }; }; @@ -353,7 +354,7 @@ }; securityContext = { - fsGroup = 1000; + fsGroup = 411; fsGroupChangePolicy = "OnRootMismatch"; }; }; @@ -411,7 +412,7 @@ }; securityContext = { - fsGroup = 1000; + fsGroup = 412; fsGroupChangePolicy = "OnRootMismatch"; }; }; diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index 9b2a803..c42e58e 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix 
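Review bot: The replacement `fsGroup` values 409, 410, 413, 411 and 412 in modules/media.nix are bare literals that must stay equal to the gids declared in nixng-modules/ids.nix by this same commit, and the `# TODO: don't hardcode this` added on the first hunk applies equally to the four `fsGroup = 1000` replacements that follow it. Since ids.nix is a plain function returning an attrset, the pod spec can read the value from that single source, e.g. `fsGroup = (import ../nixng-modules/ids.nix {}).ids.gids.jellyseerr;` (which service each hunk belongs to is not visible in the context, so check the mapping per pod). That keeps the volume's group ownership and the container's runtime group from drifting apart when an id is renumbered, which would otherwise surface only as permission errors at runtime.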
@@ -36,6 +36,7 @@ in { }; extraModules = [ + self.nixngModules.ids self.nixngModules.bazarr self.nixngModules.radicale self.nixngModules.jellyseerr diff --git a/nixng-modules/bazarr.nix b/nixng-modules/bazarr.nix index 4620479..e063d18 100644 --- a/nixng-modules/bazarr.nix +++ b/nixng-modules/bazarr.nix @@ -1,29 +1,48 @@ { lib, + nglib, config, pkgs, ... }: let cfg = config.services.bazarr; + cfgInit = config.init.services.bazarr; in { options.services.bazarr = { enable = lib.mkEnableOption "bazarr"; package = lib.mkPackageOption pkgs "bazarr" {}; + configDir = lib.mkOption { description = "Where Bazarr's configuration files are stored."; type = lib.types.str; default = "/config"; }; }; + config = lib.mkIf cfg.enable { init.services.bazarr = { enabled = true; + user = lib.mkDefault "bazarr"; + group = lib.mkDefault "bazarr"; + script = pkgs.writeShellScript "bazarr-run" '' ${lib.getExe cfg.package} \ --no-update \ --config '${cfg.configDir}' ''; }; + environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "bazarr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.bazarr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.bazarr;}; }; } diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix index e39eca0..c2dcd85 100644 --- a/nixng-modules/default.nix +++ b/nixng-modules/default.nix @@ -6,5 +6,6 @@ radarr = import ./radarr.nix; sonarr = import ./sonarr.nix; prowlarr = import ./prowlarr.nix; + ids = import ./ids.nix; }; } diff --git a/nixng-modules/ids.nix b/nixng-modules/ids.nix new file mode 100644 index 0000000..fa4e1fe --- /dev/null +++ b/nixng-modules/ids.nix 
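Review bot: `users.users.${cfgInit.user}` in bazarr.nix is declared whenever the module is enabled, keyed by whatever `init.services.bazarr.user` is set to but always with `uid = config.ids.uids.bazarr`, so pointing the service at an existing account (for instance a shared media user) would redefine that account with bazarr's uid instead of reusing it, and the same holds for `users.groups.${cfgInit.group}`. Guarding the declarations on the default name, `users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "bazarr") (nglib.mkDefaultRec { … });` and likewise for the group, limits the module to creating its own default account. The jellyseerr, prowlarr, radarr, radicale and sonarr hunks in this commit have the identical shape.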
@@ -0,0 +1,21 @@ +{...}: { + ids = { + uids = { + radicale = 408; + jellyseerr = 409; + radarr = 410; + sonarr = 411; + bazarr = 412; + prowlarr = 413; + }; + + gids = { + radicale = 408; + jellyseerr = 409; + radarr = 410; + sonarr = 411; + bazarr = 412; + prowlarr = 413; + }; + }; +} diff --git a/nixng-modules/jellyseerr.nix b/nixng-modules/jellyseerr.nix index c9179c6..cfe64b1 100644 --- a/nixng-modules/jellyseerr.nix +++ b/nixng-modules/jellyseerr.nix @@ -1,10 +1,12 @@ { lib, + nglib, pkgs, config, ... }: let cfg = config.services.jellyseerr; + cfgInit = config.init.services.jellyseerr; in { options.services.jellyseerr = { enable = lib.mkEnableOption "jellyseerr"; @@ -33,14 +35,28 @@ in { init.services.jellyseerr = { enabled = true; script = lib.getExe cfg.package; + user = lib.mkDefault "jellyseerr"; + group = lib.mkDefault "jellyseerr"; }; environment = { systemPackages = [cfg.package]; + variables = { PORT = builtins.toString cfg.port; CONFIG_DIRECTORY = cfg.configDir; }; }; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "jellyseerr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.jellyseerr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;}; }; } diff --git a/nixng-modules/prowlarr.nix b/nixng-modules/prowlarr.nix index e8f9677..4a8fc29 100644 --- a/nixng-modules/prowlarr.nix +++ b/nixng-modules/prowlarr.nix @@ -1,10 +1,12 @@ { pkgs, lib, + nglib, config, ... }: let cfg = config.services.prowlarr; + cfgInit = config.init.services.prowlarr; in { options.services.prowlarr = { enable = lib.mkEnableOption "prowlarr"; @@ -20,6 +22,8 @@ in { config = lib.mkIf cfg.enable { init.services.prowlarr = { enabled = true; + user = lib.mkDefault "prowlarr"; + group = lib.mkDefault "prowlarr"; script = pkgs.writeShellScript "prowlarr-run" '' ${lib.getExe cfg.package} \ 
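Review bot: `ids.uids` and `ids.gids` in the new ids.nix list the same six name-to-number pairs twice, so a future service added to one table but not the other would silently get a mismatched uid/gid. Declaring the mapping once, `{...}: let ids = { radicale = 408; jellyseerr = 409; radarr = 410; sonarr = 411; bazarr = 412; prowlarr = 413; }; in { ids = { uids = ids; gids = ids; }; }`, removes the duplication while keeping every value the same. A short header comment should also state that the `fsGroup` values in modules/media.nix must agree with these numbers, since nothing in evaluation enforces that.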
@@ -29,5 +33,16 @@ in { }; environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "prowlarr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.prowlarr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.prowlarr;}; }; } diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix index aa6af40..4b9fe56 100644 --- a/nixng-modules/radarr.nix +++ b/nixng-modules/radarr.nix @@ -1,10 +1,12 @@ { config, lib, + nglib, pkgs, ... }: let cfg = config.services.radarr; + cfgInit = config.init.services.radarr; in { options.services.radarr = { enable = lib.mkEnableOption "radarr"; @@ -20,6 +22,8 @@ in { config = lib.mkIf cfg.enable { init.services.radarr = { enabled = true; + user = lib.mkDefault "radarr"; + group = lib.mkDefault "radarr"; script = pkgs.writeShellScript "radarr-run.sh" '' ${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}' @@ -27,5 +31,16 @@ in { }; environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "radarr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.radarr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radarr;}; }; } diff --git a/nixng-modules/radicale.nix b/nixng-modules/radicale.nix index 996788c..80dd38a 100644 --- a/nixng-modules/radicale.nix +++ b/nixng-modules/radicale.nix @@ -6,6 +6,7 @@ ... }: let cfg = config.services.radicale; + cfgInit = config.init.services.radicale; settingsFormat = pkgs.formats.ini { listToValue = lib.concatMapStringsSep ", " (lib.generators.mkValueStringDefault {}); 
@@ -14,23 +15,16 @@ in { options.services.radicale = { enable = lib.mkEnableOption "radicale"; package = lib.mkPackageOption pkgs "radicale" {}; - user = lib.mkOption { - description = "radicale user"; - type = lib.types.str; - default = "radicale"; - }; - group = lib.mkOption { - description = "radicale group"; - type = lib.types.str; - default = "radicale"; - }; + settings = lib.mkOption { type = settingsFormat.type; default = {}; + description = '' Configuration for Radicale. See . ''; + example = lib.literalExpression '' server = { hosts = [ "0.0.0.0:5232" "[::]:5232" ]; @@ -46,6 +40,7 @@ in { ''; }; }; + config = lib.mkIf cfg.enable (let configFile = settingsFormat.generate "radicale.ini" cfg.settings; in { @@ -62,20 +57,15 @@ in { environment.systemPackages = [cfg.package]; - users.users.${cfg.user} = nglib.mkDefaultRec { + users.users.${cfgInit.user} = nglib.mkDefaultRec { description = "radicale"; - group = cfg.group; + group = cfgInit.group; createHome = false; home = "/var/empty"; useDefaultShell = true; uid = config.ids.uids.radicale; }; - users.groups.${cfg.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;}; - - ids = { - uids.radicale = 408; - gids.radicale = 408; - }; + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;}; }); } diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix index 5ebff69..47dc581 100644 --- a/nixng-modules/sonarr.nix +++ b/nixng-modules/sonarr.nix @@ -1,10 +1,12 @@ { lib, + nglib, config, pkgs, ... }: let cfg = config.services.sonarr; + cfgInit = config.init.services.sonarr; in { options.services.sonarr = { enable = lib.mkEnableOption "sonarr"; @@ -20,6 +22,8 @@ in { config = lib.mkIf cfg.enable { init.services.sonarr = { enabled = true; + user = lib.mkDefault "sonarr"; + group = lib.mkDefault "sonarr"; script = pkgs.writeShellScript "sonarr-run" '' ${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir} 
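Review bot: `services.radicale.user` and `services.radicale.group` are deleted outright in the first hunk, so any configuration still setting them now fails evaluation with an undefined-option error rather than a message pointing at `init.services.radicale.user`. Assuming NixNG evaluates `imports` the way the nixpkgs module system does, a transition shim keeps old configs informative: `imports = [ (lib.mkRemovedOptionModule ["services" "radicale" "user"] "Use init.services.radicale.user instead.") ];` with the group counterpart, or `lib.mkAliasOptionModule` if the old names should keep working. The `ids` block removed in the last hunk moves to nixng-modules/ids.nix in this same commit, so that deletion is fine.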
@@ -27,5 +31,16 @@ in { }; environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "sonarr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.sonarr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.sonarr;}; }; } From abb7a131bcea394c75c0b800d572ec9b6b9d8e8f Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 5 Jan 2025 23:08:24 +0100 Subject: [PATCH 07/73] Package Deluge with NixNG Use same group for all media images --- modules/media.nix | 8 ++- nixng-configurations/bazarr.nix | 18 +++++- nixng-configurations/default.nix | 2 + nixng-configurations/deluge.nix | 30 ++++++++++ nixng-configurations/jellyseerr.nix | 12 +++- nixng-configurations/prowlarr.nix | 17 +++++- nixng-configurations/radarr.nix | 17 +++++- nixng-configurations/sonarr.nix | 17 +++++- nixng-modules/bazarr.nix | 6 +- nixng-modules/default.nix | 1 + nixng-modules/deluge.nix | 85 +++++++++++++++++++++++++++++ nixng-modules/ids.nix | 3 + nixng-modules/prowlarr.nix | 6 +- nixng-modules/radarr.nix | 6 +- nixng-modules/sonarr.nix | 6 +- 15 files changed, 212 insertions(+), 22 deletions(-) create mode 100644 nixng-configurations/deluge.nix create mode 100644 nixng-modules/deluge.nix diff --git a/modules/media.nix b/modules/media.nix index 1cb753a..d9d22c7 100644 --- a/modules/media.nix +++ b/modules/media.nix @@ -108,7 +108,7 @@ spec = { containers.deluge = { - image = globals.images.deluge; + image = utils.mkNixNGImage "deluge"; imagePullPolicy = "IfNotPresent"; env = { @@ -139,6 +139,12 @@ config.persistentVolumeClaim.claimName = "deluge"; media.persistentVolumeClaim.claimName = "media"; }; + + securityContext = { + fsGroup = 51; + # FIXME + fsGroupChangePolicy = "Always"; + }; }; }; }; diff --git a/nixng-configurations/bazarr.nix b/nixng-configurations/bazarr.nix index 03d7b6a..703ee94 100644 --- a/nixng-configurations/bazarr.nix 
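Review bot: `fsGroupChangePolicy = "Always"` on the deluge pod in modules/media.nix makes the kubelet re-chown the whole media volume on every pod start, whereas every other pod in this file uses `"OnRootMismatch"`; on a large media share that is a long, repeated ownership walk, and the `# FIXME` above it does not say why the exception exists. If the policy is only needed once to migrate existing files to the new group, note that in the comment and switch back to `"OnRootMismatch"` afterwards, e.g. `# FIXME: "Always" only until the volume has been migrated to gid 51; then use OnRootMismatch`. The literal `fsGroup = 51` presumably corresponds to the `ids.gids.media` value this commit adds to ids.nix (that hunk is not visible here), so it deserves the same single-source treatment as the other fsGroup numbers.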
+++ b/nixng-configurations/bazarr.nix @@ -1,9 +1,23 @@ -{...}: { +{ + lib, + nglib, + config, + ... +}: { dinit.enable = true; - init.services.bazarr.shutdownOnExit = true; + + init.services.bazarr = { + shutdownOnExit = true; + group = lib.mkForce "media"; + }; services.bazarr = { enable = true; configDir = "/config"; }; + + users.groups.media = nglib.mkDefaultRec { + gid = config.ids.gids.media; + members = ["bazarr"]; + }; } diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index c42e58e..9fa19e8 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -22,6 +22,7 @@ flake-utils.lib.eachDefaultSystem (system: let bazarr = ./bazarr.nix; prowlarr = ./prowlarr.nix; blog = ./blog.nix; + deluge = ./deluge.nix; }; in { nixngConfigurations = builtins.mapAttrs (name: configFile: @@ -43,6 +44,7 @@ in { self.nixngModules.radarr self.nixngModules.sonarr self.nixngModules.prowlarr + self.nixngModules.deluge { nixpkgs.overlays = [ (final: _prev: { diff --git a/nixng-configurations/deluge.nix b/nixng-configurations/deluge.nix new file mode 100644 index 0000000..3f44f37 --- /dev/null +++ b/nixng-configurations/deluge.nix @@ -0,0 +1,30 @@ +{ + config, + nglib, + lib, + ... +}: { + dinit.enable = true; + init.services = { + deluged = { + shutdownOnExit = true; + group = lib.mkForce "media"; + }; + + deluge-web = { + shutdownOnExit = true; + group = lib.mkForce "media"; + }; + }; + + services.deluge = { + enable = true; + configDir = "/config"; + web.enable = true; + }; + + users.groups.media = nglib.mkDefaultRec { + gid = config.ids.gids.media; + members = ["deluge"]; + }; +} diff --git a/nixng-configurations/jellyseerr.nix b/nixng-configurations/jellyseerr.nix index b86802e..71d757f 100644 --- a/nixng-configurations/jellyseerr.nix +++ b/nixng-configurations/jellyseerr.nix @@ -1,4 +1,8 @@ -{...}: { +{ + config, + nglib, + ... +}: { dinit.enable = true; init.services.jellyseerr.shutdownOnExit = true; 
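Review bot: `group = lib.mkForce "media"` in nixng-configurations/bazarr.nix overrides a value the bazarr module only sets with `lib.mkDefault`, so a plain `group = "media";` already wins; `mkForce` additionally silences any future conflicting definition instead of surfacing it as an evaluation error. The `members = ["bazarr"]` entry on `users.groups.media` looks redundant once media is the account's primary group via `init.services.bazarr.group`, though that depends on how NixNG composes primary and supplementary groups. The prowlarr, radarr and sonarr configurations in this commit use the same `lib.mkForce` pattern.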
@@ -6,4 +10,10 @@ enable = true; configDir = "/app/config"; }; + + # TODO: should actually make this the main GID I think + users.groups.media = nglib.mkDefaultRec { + gid = config.ids.gids.media; + members = ["jellyseerr"]; + }; } diff --git a/nixng-configurations/prowlarr.nix b/nixng-configurations/prowlarr.nix index e12e1bb..7214747 100644 --- a/nixng-configurations/prowlarr.nix +++ b/nixng-configurations/prowlarr.nix @@ -1,9 +1,22 @@ -{...}: { +{ + lib, + nglib, + config, + ... +}: { dinit.enable = true; - init.services.prowlarr.shutdownOnExit = true; + init.services.prowlarr = { + shutdownOnExit = true; + group = lib.mkForce "media"; + }; services.prowlarr = { enable = true; dataDir = "/config"; }; + + users.groups.media = nglib.mkDefaultRec { + gid = config.ids.gids.media; + members = ["prowlarr"]; + }; } diff --git a/nixng-configurations/radarr.nix b/nixng-configurations/radarr.nix index c647100..21cd30a 100644 --- a/nixng-configurations/radarr.nix +++ b/nixng-configurations/radarr.nix @@ -1,9 +1,22 @@ -{...}: { +{ + lib, + nglib, + config, + ... +}: { dinit.enable = true; - init.services.radarr.shutdownOnExit = true; + init.services.radarr = { + shutdownOnExit = true; + group = lib.mkForce "media"; + }; services.radarr = { enable = true; dataDir = "/config"; }; + + users.groups.media = nglib.mkDefaultRec { + gid = config.ids.gids.media; + members = ["radarr"]; + }; } diff --git a/nixng-configurations/sonarr.nix b/nixng-configurations/sonarr.nix index b98f9cf..f756fde 100644 --- a/nixng-configurations/sonarr.nix +++ b/nixng-configurations/sonarr.nix @@ -1,9 +1,22 @@ -{...}: { +{ + lib, + config, + nglib, + ... +}: { dinit.enable = true; - init.services.sonarr.shutdownOnExit = true; + init.services.sonarr = { + shutdownOnExit = true; + group = lib.mkForce "media"; + }; services.sonarr = { enable = true; dataDir = "/config"; }; + + users.groups.media = nglib.mkDefaultRec { + gid = config.ids.gids.media; + members = ["sonarr"]; + }; } 
diff --git a/nixng-modules/bazarr.nix b/nixng-modules/bazarr.nix index e063d18..94def37 100644 --- a/nixng-modules/bazarr.nix +++ b/nixng-modules/bazarr.nix @@ -34,15 +34,15 @@ in { environment.systemPackages = [cfg.package]; - users.users.${cfgInit.user} = nglib.mkDefaultRec { + users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "bazarr") (nglib.mkDefaultRec { description = "bazarr"; group = cfgInit.group; createHome = false; home = "/var/empty"; useDefaultShell = true; uid = config.ids.uids.bazarr; - }; + }); - users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.bazarr;}; + users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "bazarr") (nglib.mkDefaultRec {gid = config.ids.gids.bazarr;}); }; } diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix index c2dcd85..63903ab 100644 --- a/nixng-modules/default.nix +++ b/nixng-modules/default.nix @@ -7,5 +7,6 @@ sonarr = import ./sonarr.nix; prowlarr = import ./prowlarr.nix; ids = import ./ids.nix; + deluge = import ./deluge.nix; }; } diff --git a/nixng-modules/deluge.nix b/nixng-modules/deluge.nix new file mode 100644 index 0000000..db5917e --- /dev/null +++ b/nixng-modules/deluge.nix 
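Review bot: The new `lib.mkIf (cfgInit.user == "bazarr")` and `lib.mkIf (cfgInit.group == "bazarr")` guards mean a configuration that overrides `init.services.bazarr.user` or `.group` gets no user or group declared by this module at all, and nothing states that the overriding configuration must declare them itself (the media images rely on exactly this by declaring `users.groups.media` on their own). A comment above the guarded `users.users` binding makes that contract visible, e.g. `# Only the default account is declared here; a configuration that overrides init.services.bazarr.user/group must declare that user/group itself.`. The same guard is added to prowlarr.nix, radarr.nix, sonarr.nix and, in PATCH 08, jellyseerr.nix. The enclosing attribute set this hunk sits in starts outside the hunk.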
@@ -0,0 +1,85 @@
+{
+ lib,
+ nglib,
+ config,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.deluge;
+ cfgInit = config.init.services.deluged;
+in {
+ options.services.deluge = {
+ enable = lib.mkEnableOption "deluge";
+ package = lib.mkPackageOption pkgs "deluge-2_x" {};
+
+ configDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/deluge";
+
+ description = ''
+ Directory for Deluge's run-time configuration
+ '';
+ };
+
+ web = {
+ enable = lib.mkEnableOption "Deluge web daemon";
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 8112;
+ description = ''
+ Deluge web UI port
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ init.services = {
+ deluged = {
+ enabled = true;
+ user = lib.mkDefault "deluge";
+ group = lib.mkDefault "deluge";
+ tmpfiles = with nglib.nottmpfiles.dsl; [(d cfg.configDir "-" cfgInit.user cfgInit.group _ _)];
+
+ script = pkgs.writeShellScript "deluged-run" ''
+ # TODO: make init-level option?
+ umask 0002
+ ${cfg.package}/bin/deluged \
+ --do-not-daemonize \
+ --config ${cfg.configDir}
+ '';
+ };
+
+ deluge-web = {
+ enabled = cfg.web.enable;
+ dependencies = ["deluged"];
+ user = lib.mkDefault "deluge";
+ group = lib.mkDefault "deluge";
+
+ script = pkgs.writeShellScript "deluge-web-run" ''
+ ${cfg.package}/bin/deluge-web \
+ --do-not-daemonize \
+ --port ${toString cfg.web.port} \
+ --config ${cfg.configDir}
+ '';
+ };
+ };
+
+ environment = {
+ systemPackages = [cfg.package];
+ variables.PYTHON_EGG_CACHE = "${config.users.users.${cfgInit.user}.home}/.cache";
+ };
+
+ users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "deluge") (nglib.mkDefaultRec {
+ description = "deluge";
+ group = cfgInit.group;
+ createHome = true;
+ home = "/home/deluge";
+ useDefaultShell = true;
+ uid = config.ids.uids.deluge;
+ });
+
+ users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "deluge") (nglib.mkDefaultRec {gid = config.ids.gids.deluge;});
+ };
+}
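Review bot: Neither `deluged-run` nor `deluge-web-run` replaces the wrapper shell with the daemon, so presumably the process dinit supervises and signals on `shutdownOnExit` is the shell rather than deluged; `exec ${cfg.package}/bin/deluged \` and `exec ${cfg.package}/bin/deluge-web \` keep the daemon as the supervised process. The same applies to the `jellyseerr-run` wrapper introduced in PATCH 08, which replaces a direct `script = lib.getExe cfg.package;`. Separately, `umask 0002` applies to everything deluged writes, including `cfg.configDir`, whose tmpfiles entry uses the default mode `-` and whose group is whatever `init.services.deluged.group` resolves to; if the intent is group-writable files on the shared media volume only, say so in place of the TODO and pin the config directory mode explicitly, e.g. `(d cfg.configDir "0750" cfgInit.user cfgInit.group _ _)` (mode string constructed here; confirm the DSL accepts it).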
diff --git a/nixng-modules/ids.nix b/nixng-modules/ids.nix index fa4e1fe..fce4278 100644 --- a/nixng-modules/ids.nix +++ b/nixng-modules/ids.nix @@ -7,15 +7,18 @@ sonarr = 411; bazarr = 412; prowlarr = 413; + deluge = 414; }; gids = { + media = 51; radicale = 408; jellyseerr = 409; radarr = 410; sonarr = 411; bazarr = 412; prowlarr = 413; + deluge = 414; }; }; } diff --git a/nixng-modules/prowlarr.nix b/nixng-modules/prowlarr.nix index 4a8fc29..cf79cea 100644 --- a/nixng-modules/prowlarr.nix +++ b/nixng-modules/prowlarr.nix @@ -34,15 +34,15 @@ in { environment.systemPackages = [cfg.package]; - users.users.${cfgInit.user} = nglib.mkDefaultRec { + users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "prowlarr") (nglib.mkDefaultRec { description = "prowlarr"; group = cfgInit.group; createHome = false; home = "/var/empty"; useDefaultShell = true; uid = config.ids.uids.prowlarr; - }; + }); - users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.prowlarr;}; + users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "prowlarr") (nglib.mkDefaultRec {gid = config.ids.gids.prowlarr;}); }; } diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix index 4b9fe56..dfcfa9f 100644 --- a/nixng-modules/radarr.nix +++ b/nixng-modules/radarr.nix @@ -32,15 +32,15 @@ in { environment.systemPackages = [cfg.package]; - users.users.${cfgInit.user} = nglib.mkDefaultRec { + users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "radarr") (nglib.mkDefaultRec { description = "radarr"; group = cfgInit.group; createHome = false; home = "/var/empty"; useDefaultShell = true; uid = config.ids.uids.radarr; - }; + }); - users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radarr;}; + users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "radarr") (nglib.mkDefaultRec {gid = config.ids.gids.radarr;}); }; } diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix index 47dc581..68ee377 100644 --- a/nixng-modules/sonarr.nix 
+++ b/nixng-modules/sonarr.nix @@ -32,15 +32,15 @@ in { environment.systemPackages = [cfg.package]; - users.users.${cfgInit.user} = nglib.mkDefaultRec { + users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "sonarr") (nglib.mkDefaultRec { description = "sonarr"; group = cfgInit.group; createHome = false; home = "/var/empty"; useDefaultShell = true; uid = config.ids.uids.sonarr; - }; + }); - users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.sonarr;}; + users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "sonarr") (nglib.mkDefaultRec {gid = config.ids.gids.sonarr;}); }; } From 9ae4ff3ca32f497c4f508c572a64ccdf05deaea6 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 6 Jan 2025 12:58:02 +0100 Subject: [PATCH 08/73] Fix GID of Jellyseerr Run media containers with umask --- modules/media.nix | 5 ++--- nixng-configurations/jellyseerr.nix | 7 +++++-- nixng-modules/bazarr.nix | 1 + nixng-modules/jellyseerr.nix | 11 +++++++---- nixng-modules/radarr.nix | 1 + nixng-modules/sonarr.nix | 1 + 6 files changed, 17 insertions(+), 9 deletions(-) diff --git a/modules/media.nix b/modules/media.nix index d9d22c7..b70402e 100644 --- a/modules/media.nix +++ b/modules/media.nix @@ -142,8 +142,7 @@ securityContext = { fsGroup = 51; - # FIXME - fsGroupChangePolicy = "Always"; + fsGroupChangePolicy = "OnRootMismatch"; }; }; }; @@ -193,7 +192,7 @@ securityContext = { # TODO: don't hardcode this - fsGroup = 409; + fsGroup = 51; fsGroupChangePolicy = "OnRootMismatch"; }; }; diff --git a/nixng-configurations/jellyseerr.nix b/nixng-configurations/jellyseerr.nix index 71d757f..034306c 100644 --- a/nixng-configurations/jellyseerr.nix +++ b/nixng-configurations/jellyseerr.nix 
@@ -1,17 +1,20 @@ { config, + lib, nglib, ... }: { dinit.enable = true; - init.services.jellyseerr.shutdownOnExit = true; + init.services.jellyseerr = { + shutdownOnExit = true; + group = lib.mkForce "media"; + }; services.jellyseerr = { enable = true; configDir = "/app/config"; }; - # TODO: should actually make this the main GID I think users.groups.media = nglib.mkDefaultRec { gid = config.ids.gids.media; members = ["jellyseerr"]; diff --git a/nixng-modules/bazarr.nix b/nixng-modules/bazarr.nix index 94def37..c5e5ffe 100644 --- a/nixng-modules/bazarr.nix +++ b/nixng-modules/bazarr.nix @@ -26,6 +26,7 @@ in { group = lib.mkDefault "bazarr"; script = pkgs.writeShellScript "bazarr-run" '' + umask 0002 ${lib.getExe cfg.package} \ --no-update \ --config '${cfg.configDir}' diff --git a/nixng-modules/jellyseerr.nix b/nixng-modules/jellyseerr.nix index cfe64b1..745ba4c 100644 --- a/nixng-modules/jellyseerr.nix +++ b/nixng-modules/jellyseerr.nix @@ -34,7 +34,10 @@ in { config = lib.mkIf cfg.enable { init.services.jellyseerr = { enabled = true; - script = lib.getExe cfg.package; + script = pkgs.writeShellScript "jellyseerr-run" '' + umask 0002 + ${lib.getExe cfg.package} + ''; user = lib.mkDefault "jellyseerr"; group = lib.mkDefault "jellyseerr"; }; @@ -48,15 +51,15 @@ in { }; }; - users.users.${cfgInit.user} = nglib.mkDefaultRec { + users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "jellyseerr") (nglib.mkDefaultRec { description = "jellyseerr"; group = cfgInit.group; createHome = false; home = "/var/empty"; useDefaultShell = true; uid = config.ids.uids.jellyseerr; - }; + }); - users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;}; + users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "jellyseerr") (nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;}); }; } diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix index dfcfa9f..965f387 100644 --- a/nixng-modules/radarr.nix +++ b/nixng-modules/radarr.nix 
@@ -26,6 +26,7 @@ in { group = lib.mkDefault "radarr"; script = pkgs.writeShellScript "radarr-run.sh" '' + umask 0002 ${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}' ''; }; diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix index 68ee377..425033f 100644 --- a/nixng-modules/sonarr.nix +++ b/nixng-modules/sonarr.nix @@ -26,6 +26,7 @@ in { group = lib.mkDefault "sonarr"; script = pkgs.writeShellScript "sonarr-run" '' + umask 0002 ${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir} ''; }; From b11f4bd67acf7ea69b6bd9d5058ec6e972ead247 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 11 Jan 2025 22:00:09 +0100 Subject: [PATCH 09/73] radicale: 1.24.3 -> 1.25.0 --- globals.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index 40081c5..9ba3180 100644 --- a/globals.nix +++ b/globals.nix @@ -20,7 +20,7 @@ immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0"; kitchenowl = "tombursch/kitchenowl:v0.6.4"; cyberchef = "mpepping/cyberchef:latest"; - freshrss = "freshrss/freshrss:1.24.3"; + freshrss = "freshrss/freshrss:1.25.0"; bind9 = "ubuntu/bind9:9.18-22.04_beta"; hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.0"; minecraft = "itzg/minecraft-server:latest"; From 8bc63131128d7f132e1b4ff9ac974b62bb0face2 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 11 Jan 2025 22:00:22 +0100 Subject: [PATCH 10/73] Format some files --- applyset-deploy.sh | 31 ++++++++++++++----------------- kubenix.nix | 2 +- 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/applyset-deploy.sh b/applyset-deploy.sh index 81bc8dc..e7d4e5b 100644 --- a/applyset-deploy.sh +++ b/applyset-deploy.sh 
@@ -3,9 +3,10 @@ set -euo pipefail first_server="${SERVERS%% *}" -previous_manifest=$(ssh -T "root@$first_server" << EOF -if [[ -f "$GCROOTDIR/${NAME}.yml" ]]; then - cat "$GCROOTDIR/${NAME}.yml" +previous_manifest=$( + envsubst < Date: Sat, 11 Jan 2025 22:55:42 +0100 Subject: [PATCH 11/73] Use nixpkgs master branch for Bazarr and Radicale --- flake.lock | 34 -------------------------------- flake.nix | 2 -- nixng-configurations/default.nix | 11 ++--------- 3 files changed, 2 insertions(+), 45 deletions(-) diff --git a/flake.lock b/flake.lock index b391b3d..fae83b0 100644 --- a/flake.lock +++ b/flake.lock @@ -770,22 +770,6 @@ "type": "github" } }, - "nixpkgs-bazarr": { - "locked": { - "lastModified": 1735934023, - "narHash": "sha256-i28ekcGQ5UIngZUGlFdLe7/7ppC4lHu3roTuwfEnvnQ=", - "owner": "r-ryantm", - "repo": "nixpkgs", - "rev": "65ac365bbea82b7d4529b9f89fd9e61b67df43ae", - "type": "github" - }, - "original": { - "owner": "r-ryantm", - "ref": "auto-update/bazarr", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-master": { "locked": { "lastModified": 1735986103, @@ -802,22 +786,6 @@ "type": "github" } }, - "nixpkgs-radicale": { - "locked": { - "lastModified": 1735496163, - "narHash": "sha256-oqUP98g0eqfzCDA/i88qRIBq4BIyxEk9um7dfNGiw+I=", - "owner": "erictapen", - "repo": "nixpkgs", - "rev": "e14050d0c94dc929543f7e4502fda8539d36536f", - "type": "github" - }, - "original": { - "owner": "erictapen", - "ref": "radicale", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1720386169, @@ -983,9 +951,7 @@ "nixhelm": "nixhelm", "nixng": "nixng", "nixpkgs": "nixpkgs_3", - "nixpkgs-bazarr": "nixpkgs-bazarr", "nixpkgs-master": "nixpkgs-master", - "nixpkgs-radicale": "nixpkgs-radicale", "servers": "servers", "treefmt-nix": "treefmt-nix_4" } diff --git a/flake.nix b/flake.nix index ef37fa5..0a2c12d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -7,8 +7,6 @@ flake-utils.url = "github:numtide/flake-utils"; treefmt-nix.url = "github:numtide/treefmt-nix"; blog.url = "git+https://git.kun.is/pim/blog"; - nixpkgs-bazarr.url = "github:r-ryantm/nixpkgs?ref=auto-update/bazarr"; - nixpkgs-radicale.url = "github:erictapen/nixpkgs?ref=radicale"; git-hooks = { url = "github:cachix/git-hooks.nix"; diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index 9fa19e8..5fd8979 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -5,8 +5,6 @@ nginx, blog, nixpkgs, - nixpkgs-bazarr, - nixpkgs-radicale, nixpkgs-master, ... }: @@ -47,14 +45,9 @@ in { self.nixngModules.deluge { nixpkgs.overlays = [ - (final: _prev: { + (_final: _prev: { # From master branch - prowlarr = nixpkgs-master.legacyPackages.${system}.prowlarr; - jellyseerr = nixpkgs-master.legacyPackages.${system}.jellyseerr; - - # From forks - bazarr = nixpkgs-bazarr.legacyPackages.${system}.bazarr; - radicale = nixpkgs-radicale.legacyPackages.${system}.radicale; + inherit (nixpkgs-master.legacyPackages.${system}) prowlarr jellyseerr radicale bazarr; }) ]; } From 7ca3ed929396caafd618d774b7064b0449717ca0 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 12 Jan 2025 00:06:36 +0100 Subject: [PATCH 12/73] prowlarr: 1.28.2.4885 -> 1.29.2.4915 --- flake.lock | 17 +++++++++++++++++ flake.nix | 1 + nixng-configurations/default.nix | 5 ++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index fae83b0..21bdf72 100644 --- a/flake.lock +++ b/flake.lock 
@@ -786,6 +786,22 @@ "type": "github" } }, + "nixpkgs-prowlarr": { + "locked": { + "lastModified": 1736414454, + "narHash": "sha256-nhzwiWZeUdCqx4bYfBwtJcwBvWhRt1f1vTJGb3fMnrY=", + "owner": "r-ryantm", + "repo": "nixpkgs", + "rev": "b70e60ed75d38ddaab1fabdd1bb99a8d8ff55a63", + "type": "github" + }, + "original": { + "owner": "r-ryantm", + "ref": "auto-update/prowlarr", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1720386169, @@ -952,6 +968,7 @@ "nixng": "nixng", "nixpkgs": "nixpkgs_3", "nixpkgs-master": "nixpkgs-master", + "nixpkgs-prowlarr": "nixpkgs-prowlarr", "servers": "servers", "treefmt-nix": "treefmt-nix_4" } diff --git a/flake.nix b/flake.nix index 0a2c12d..8fdfcb5 100644 --- a/flake.nix +++ b/flake.nix @@ -7,6 +7,7 @@ flake-utils.url = "github:numtide/flake-utils"; treefmt-nix.url = "github:numtide/treefmt-nix"; blog.url = "git+https://git.kun.is/pim/blog"; + nixpkgs-prowlarr.url = "github:r-ryantm/nixpkgs?ref=auto-update/prowlarr"; git-hooks = { url = "github:cachix/git-hooks.nix"; diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index 5fd8979..e0f119d 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -6,6 +6,7 @@ blog, nixpkgs, nixpkgs-master, + nixpkgs-prowlarr, ... }: flake-utils.lib.eachDefaultSystem (system: let @@ -47,7 +48,9 @@ in { nixpkgs.overlays = [ (_final: _prev: { # From master branch - inherit (nixpkgs-master.legacyPackages.${system}) prowlarr jellyseerr radicale bazarr; + inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr; + # Other branches + inherit (nixpkgs-prowlarr.legacyPackages.${system}) prowlarr; }) ]; } From 5b3687f80252b4df9069cfb465fc0c32184da9a5 Mon Sep 17 00:00:00 2001 
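Review bot: The new `nixpkgs-prowlarr` input in flake.nix points at a branch of a third-party fork (`github:r-ryantm/nixpkgs?ref=auto-update/prowlarr`); flake.lock pins it to a rev and narHash, so the build stays reproducible, but prowlarr is now built from a tree outside the upstream nixpkgs repository until the input is removed again in PATCH 13. A comment on the input line recording why it exists and when it can go would make that visible, e.g. `# temporary: prowlarr 1.29.2.4915 from the auto-update branch; drop once it lands in nixpkgs-master`. The `# Other branches` comment in the default.nix overlay would benefit from the same pointer.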
From: Pim Kunis Date: Thu, 16 Jan 2025 21:20:02 +0100 Subject: [PATCH 13/73] Update flake inputs --- flake.lock | 55 +++++++++++--------------------- flake.nix | 1 - nixng-configurations/default.nix | 5 +-- 3 files changed, 20 insertions(+), 41 deletions(-) diff --git a/flake.lock b/flake.lock index 21bdf72..ab6eadc 100644 --- a/flake.lock +++ b/flake.lock @@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1735508994, - "narHash": "sha256-SMMX3irZ4Y+0QEAq0mOYEnJIYRe3YnXHrkCSRvdxHxU=", + "lastModified": 1736683360, + "narHash": "sha256-Zz9aEPm5TCtoNt+FoWQaEjngEh8uXDpCH+N2DDpW4Tk=", "ref": "refs/heads/master", - "rev": "433c1ef4b5874e2c4782be7322604d17182035ab", - "revCount": 23, + "rev": "95b66d8c45b1fda87e63938fbdc0e31d5035f204", + "revCount": 24, "type": "git", "url": "https://git.kun.is/pim/blog" }, @@ -559,11 +559,11 @@ "nginx": { "flake": false, "locked": { - "lastModified": 1735301654, - "narHash": "sha256-PHcSyHYyPUwPAls0BgtnGu2e936vhxW2nt7bQxDyGAQ=", + "lastModified": 1736428764, + "narHash": "sha256-poKKXq1S4xjC9phulyZE34t8tdaaqwJ7IbmeyjUpsDU=", "owner": "nginx", "repo": "nginx", - "rev": "e3a9b6ad08a86e799a3d77da3f2fc507d3c9699e", + "rev": "57d54fd922e7ecbebb78598d13adc9df1a4b69c0", "type": "github" }, "original": { @@ -666,11 +666,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1735953485, - "narHash": "sha256-t0DNGHwMAI6xqDpf3ba+VfHkpI7QHBB3uY/euSVCOdc=", + "lastModified": 1736990287, + "narHash": "sha256-f5DfFkMglyrCozBW/dU6WeZfHOueUm8Q1rv4r5yDOeE=", "owner": "farcaller", "repo": "nixhelm", - "rev": "1db94e2f5a8084b8cbaa12d64701ac432188e1cb", + "rev": "09b4f8373f142206456f9c15a3b638e3ce4feeb0", "type": "github" }, "original": { 
@@ -772,11 +772,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1735986103, - "narHash": "sha256-9de+/q2M04zItuD47uIfA7kPY/R2bgkPDM/G2HQ2UwQ=", + "lastModified": 1737014460, + "narHash": "sha256-u45ycukf/qnwb3EsOHf5KuO7GPxR1noxgkiL5Fra2V4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fd152bc101e2a4498a06365c0c0ab031800dc030", + "rev": "d6a640c0d7d42202fdabc93bbfc01430af249e0c", "type": "github" }, "original": { @@ -786,22 +786,6 @@ "type": "github" } }, - "nixpkgs-prowlarr": { - "locked": { - "lastModified": 1736414454, - "narHash": "sha256-nhzwiWZeUdCqx4bYfBwtJcwBvWhRt1f1vTJGb3fMnrY=", - "owner": "r-ryantm", - "repo": "nixpkgs", - "rev": "b70e60ed75d38ddaab1fabdd1bb99a8d8ff55a63", - "type": "github" - }, - "original": { - "owner": "r-ryantm", - "ref": "auto-update/prowlarr", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1720386169, @@ -868,11 +852,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1735834308, - "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", + "lastModified": 1736883708, + "narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6df24922a1400241dae323af55f30e4318a6ca65", + "rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8", "type": "github" }, "original": { @@ -968,7 +952,6 @@ "nixng": "nixng", "nixpkgs": "nixpkgs_3", "nixpkgs-master": "nixpkgs-master", - "nixpkgs-prowlarr": "nixpkgs-prowlarr", "servers": "servers", "treefmt-nix": "treefmt-nix_4" } @@ -1244,11 +1227,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1735905407, - "narHash": "sha256-1hKMRIT+QZNWX46e4gIovoQ7H8QRb7803ZH4qSKI45o=", + "lastModified": 1736154270, + "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "29806abab803e498df96d82dd6f34b32eb8dd2c8", + "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b", "type": "github" }, "original": { 
diff --git a/flake.nix b/flake.nix index 8fdfcb5..0a2c12d 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,6 @@ flake-utils.url = "github:numtide/flake-utils"; treefmt-nix.url = "github:numtide/treefmt-nix"; blog.url = "git+https://git.kun.is/pim/blog"; - nixpkgs-prowlarr.url = "github:r-ryantm/nixpkgs?ref=auto-update/prowlarr"; git-hooks = { url = "github:cachix/git-hooks.nix"; diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index e0f119d..5a9c943 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -6,7 +6,6 @@ blog, nixpkgs, nixpkgs-master, - nixpkgs-prowlarr, ... }: flake-utils.lib.eachDefaultSystem (system: let @@ -48,9 +47,7 @@ in { nixpkgs.overlays = [ (_final: _prev: { # From master branch - inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr; - # Other branches - inherit (nixpkgs-prowlarr.legacyPackages.${system}) prowlarr; + inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr prowlarr; }) ]; } From 0c75d07f73582ae4b192e0c85ddc0a427d4baab9 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 18 Jan 2025 16:20:24 +0100 Subject: [PATCH 14/73] Add deployment options for media kubenix manifest Cleanup sonarr log files Increase size of sonarr volume --- modules/bootstrap-default.nix | 2 +- modules/media.nix | 877 ++++++++++++++++++---------------- nixng-modules/sonarr.nix | 3 +- 3 files changed, 462 insertions(+), 420 deletions(-) diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix index edc12e8..e578fa6 100644 --- a/modules/bootstrap-default.nix +++ b/modules/bootstrap-default.nix @@ -132,7 +132,7 @@ jellyseerr.storage = "75Mi"; radarr.storage = "300Mi"; prowlarr.storage = "150Mi"; - sonarr.storage = "150Mi"; + sonarr.storage = "250Mi"; bazarr.storage = "25Mi"; minecraft.storage = "1Gi"; ntfy.storage = "300Mi"; diff --git a/modules/media.nix b/modules/media.nix index b70402e..13f64b2 100644 --- a/modules/media.nix 
+++ b/modules/media.nix 
@@ -4,421 +4,446 @@ lib, utils, ... -}: { - options.media.enable = lib.mkEnableOption "media"; +}: let + cfg = config.media; +in { + options.media = { + enable = lib.mkEnableOption "media"; + jellyfin.enable = (lib.mkEnableOption "jellyfin") // {default = true;}; + deluge.enable = (lib.mkEnableOption "deluge") // {default = true;}; + jellyseerr.enable = (lib.mkEnableOption "jellyseerr") // {default = true;}; + radarr.enable = (lib.mkEnableOption "radarr") // {default = true;}; + prowlarr.enable = (lib.mkEnableOption "prowlarr") // {default = true;}; + sonarr.enable = (lib.mkEnableOption "sonarr") // {default = true;}; + bazarr.enable = (lib.mkEnableOption "bazarr") // {default = true;}; + }; - config = lib.mkIf config.media.enable { + config = lib.mkIf cfg.enable { kubernetes.resources = { deployments = { - jellyfin.spec = { - selector.matchLabels = { - app = "media"; - component = "jellyfin"; - }; - - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = 0; - maxUnavailable = 1; - }; - }; - - template = { - metadata.labels = { + jellyfin = lib.mkIf cfg.jellyfin.enable { + spec = { + selector.matchLabels = { app = "media"; component = "jellyfin"; }; - spec = { - containers.jellyfin = { - image = globals.images.jellyfin; - ports.web.containerPort = 8096; - imagePullPolicy = "IfNotPresent"; + strategy = { + type = "RollingUpdate"; - env.JELLYFIN_PublishedServerUrl.value = "https://media.kun.is"; + rollingUpdate = { + maxSurge = 0; + maxUnavailable = 1; + }; + }; - volumeMounts = [ + template = { + metadata.labels = { + app = "media"; + component = "jellyfin"; + }; + + spec = { + containers.jellyfin = { + image = globals.images.jellyfin; + ports.web.containerPort = 8096; + imagePullPolicy = "IfNotPresent"; + + env.JELLYFIN_PublishedServerUrl.value = "https://media.kun.is"; + + volumeMounts = [ + { + name = "config"; + mountPath = "/config"; + } + { + name = "media"; + mountPath = "/media"; + } + { + name = "cache"; + mountPath = 
"/config/transcodes"; + } + ]; + }; + + volumes = { + config.persistentVolumeClaim.claimName = "jellyfin"; + cache.persistentVolumeClaim.claimName = "jellyfin-cache"; + + media.hostPath = { + path = "/mnt/longhorn/persistent/media"; + type = "Directory"; + }; + }; + + securityContext = { + fsGroup = 0; + fsGroupChangePolicy = "OnRootMismatch"; + }; + + affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [ { - name = "config"; - mountPath = "/config"; - } - { - name = "media"; - mountPath = "/media"; - } - { - name = "cache"; - mountPath = "/config/transcodes"; + matchExpressions = [ + { + key = "hasMedia"; + operator = "In"; + values = ["true"]; + } + ]; } ]; }; - - volumes = { - config.persistentVolumeClaim.claimName = "jellyfin"; - cache.persistentVolumeClaim.claimName = "jellyfin-cache"; - - media.hostPath = { - path = "/mnt/longhorn/persistent/media"; - type = "Directory"; - }; - }; - - securityContext = { - fsGroup = 0; - fsGroupChangePolicy = "OnRootMismatch"; - }; - - affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [ - { - matchExpressions = [ - { - key = "hasMedia"; - operator = "In"; - values = ["true"]; - } - ]; - } - ]; }; }; }; - deluge.spec = { - selector.matchLabels = { - app = "media"; - component = "deluge"; - }; - - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = 0; - maxUnavailable = 1; - }; - }; - - template = { - metadata.labels = { + deluge = lib.mkIf cfg.deluge.enable { + spec = { + selector.matchLabels = { app = "media"; component = "deluge"; }; - spec = { - containers.deluge = { - image = utils.mkNixNGImage "deluge"; - imagePullPolicy = "IfNotPresent"; + strategy = { + type = "RollingUpdate"; - env = { - PUID.value = "1000"; - PGID.value = "1000"; - TZ.value = "Europe/Amsterdam"; - DELUGE_LOGLEVEL.value = "info"; - }; + rollingUpdate = { + maxSurge = 0; + maxUnavailable = 1; + }; + }; - ports = { - web.containerPort = 8112; - 
bittorrent.containerPort = 31780; - }; - - volumeMounts = [ - { - name = "config"; - mountPath = "/config"; - } - { - name = "media"; - mountPath = "/media"; - } - ]; + template = { + metadata.labels = { + app = "media"; + component = "deluge"; }; - volumes = { - config.persistentVolumeClaim.claimName = "deluge"; - media.persistentVolumeClaim.claimName = "media"; - }; + spec = { + containers.deluge = { + image = utils.mkNixNGImage "deluge"; + imagePullPolicy = "IfNotPresent"; - securityContext = { - fsGroup = 51; - fsGroupChangePolicy = "OnRootMismatch"; + env = { + PUID.value = "1000"; + PGID.value = "1000"; + TZ.value = "Europe/Amsterdam"; + DELUGE_LOGLEVEL.value = "info"; + }; + + ports = { + web.containerPort = 8112; + bittorrent.containerPort = 31780; + }; + + volumeMounts = [ + { + name = "config"; + mountPath = "/config"; + } + { + name = "media"; + mountPath = "/media"; + } + ]; + }; + + volumes = { + config.persistentVolumeClaim.claimName = "deluge"; + media.persistentVolumeClaim.claimName = "media"; + }; + + securityContext = { + fsGroup = 51; + fsGroupChangePolicy = "OnRootMismatch"; + }; }; }; }; }; - jellyseerr.spec = { - selector.matchLabels = { - app = "media"; - component = "jellyseerr"; - }; - - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = 0; - maxUnavailable = 1; - }; - }; - - template = { - metadata.labels = { + jellyseerr = lib.mkIf cfg.jellyseerr.enable { + spec = { + selector.matchLabels = { app = "media"; component = "jellyseerr"; }; - spec = { - volumes.config.persistentVolumeClaim.claimName = "jellyseerr"; + strategy = { + type = "RollingUpdate"; - containers.jellyseerr = { - image = utils.mkNixNGImage "jellyseerr"; - ports.web.containerPort = 5055; - imagePullPolicy = "IfNotPresent"; + rollingUpdate = { + maxSurge = 0; + maxUnavailable = 1; + }; + }; - env = { - LOG_LEVEL.value = "debug"; - TZ.value = "Europe/Amsterdam"; - }; - - volumeMounts = [ - { - name = "config"; - mountPath = "/app/config"; - } - ]; + 
template = { + metadata.labels = { + app = "media"; + component = "jellyseerr"; }; - securityContext = { - # TODO: don't hardcode this - fsGroup = 51; - fsGroupChangePolicy = "OnRootMismatch"; + spec = { + volumes.config.persistentVolumeClaim.claimName = "jellyseerr"; + + containers.jellyseerr = { + image = utils.mkNixNGImage "jellyseerr"; + ports.web.containerPort = 5055; + imagePullPolicy = "IfNotPresent"; + + env = { + LOG_LEVEL.value = "debug"; + TZ.value = "Europe/Amsterdam"; + }; + + volumeMounts = [ + { + name = "config"; + mountPath = "/app/config"; + } + ]; + }; + + securityContext = { + # TODO: don't hardcode this + fsGroup = 51; + fsGroupChangePolicy = "OnRootMismatch"; + }; }; }; }; }; - radarr.spec = { - selector.matchLabels = { - app = "media"; - component = "radarr"; - }; - - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = 0; - maxUnavailable = 1; - }; - }; - - template = { - metadata.labels = { + radarr = lib.mkIf cfg.radarr.enable { + spec = { + selector.matchLabels = { app = "media"; component = "radarr"; }; - spec = { - containers.radarr = { - image = utils.mkNixNGImage "radarr"; - ports.web.containerPort = 7878; - imagePullPolicy = "IfNotPresent"; + strategy = { + type = "RollingUpdate"; - env = { - PUID.value = "1000"; - PGID.value = "1000"; - TZ.value = "Europe/Amsterdam"; + rollingUpdate = { + maxSurge = 0; + maxUnavailable = 1; + }; + }; + + template = { + metadata.labels = { + app = "media"; + component = "radarr"; + }; + + spec = { + containers.radarr = { + image = utils.mkNixNGImage "radarr"; + ports.web.containerPort = 7878; + imagePullPolicy = "IfNotPresent"; + + env = { + PUID.value = "1000"; + PGID.value = "1000"; + TZ.value = "Europe/Amsterdam"; + }; + + volumeMounts = [ + { + name = "config"; + mountPath = "/config"; + } + { + name = "media"; + mountPath = "/media"; + } + ]; }; - volumeMounts = [ - { - name = "config"; - mountPath = "/config"; - } - { - name = "media"; - mountPath = "/media"; - } - ]; - }; 
+ volumes = { + config.persistentVolumeClaim.claimName = "radarr"; + media.persistentVolumeClaim.claimName = "media"; + }; - volumes = { - config.persistentVolumeClaim.claimName = "radarr"; - media.persistentVolumeClaim.claimName = "media"; - }; - - securityContext = { - fsGroup = 410; - fsGroupChangePolicy = "OnRootMismatch"; + securityContext = { + fsGroup = 410; + fsGroupChangePolicy = "OnRootMismatch"; + }; }; }; }; }; - prowlarr.spec = { - selector.matchLabels = { - app = "media"; - component = "prowlarr"; - }; - - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = 0; - maxUnavailable = 1; - }; - }; - - template = { - metadata.labels = { + prowlarr = lib.mkIf cfg.prowlarr.enable { + spec = { + selector.matchLabels = { app = "media"; component = "prowlarr"; }; - spec = { - volumes.config.persistentVolumeClaim.claimName = "prowlarr"; + strategy = { + type = "RollingUpdate"; - containers.prowlarr = { - image = utils.mkNixNGImage "prowlarr"; - ports.web.containerPort = 9696; - imagePullPolicy = "IfNotPresent"; + rollingUpdate = { + maxSurge = 0; + maxUnavailable = 1; + }; + }; - env = { - PUID.value = "1000"; - PGID.value = "1000"; - TZ.value = "Europe/Amsterdam"; - }; - - volumeMounts = [ - { - name = "config"; - mountPath = "/config"; - } - ]; + template = { + metadata.labels = { + app = "media"; + component = "prowlarr"; }; - securityContext = { - fsGroup = 413; - fsGroupChangePolicy = "OnRootMismatch"; + spec = { + volumes.config.persistentVolumeClaim.claimName = "prowlarr"; + + containers.prowlarr = { + image = utils.mkNixNGImage "prowlarr"; + ports.web.containerPort = 9696; + imagePullPolicy = "IfNotPresent"; + + env = { + PUID.value = "1000"; + PGID.value = "1000"; + TZ.value = "Europe/Amsterdam"; + }; + + volumeMounts = [ + { + name = "config"; + mountPath = "/config"; + } + ]; + }; + + securityContext = { + fsGroup = 413; + fsGroupChangePolicy = "OnRootMismatch"; + }; }; }; }; }; - sonarr.spec = { - selector.matchLabels = { - app = 
"media"; - component = "sonarr"; - }; - - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = 0; - maxUnavailable = 1; - }; - }; - - template = { - metadata.labels = { + sonarr = lib.mkIf cfg.sonarr.enable { + spec = { + selector.matchLabels = { app = "media"; component = "sonarr"; }; - spec = { - containers.sonarr = { - image = utils.mkNixNGImage "sonarr"; - ports.web.containerPort = 8989; - imagePullPolicy = "IfNotPresent"; + strategy = { + type = "RollingUpdate"; - env = { - PUID.value = "1000"; - PGID.value = "1000"; - TZ.value = "Europe/Amsterdam"; + rollingUpdate = { + maxSurge = 0; + maxUnavailable = 1; + }; + }; + + template = { + metadata.labels = { + app = "media"; + component = "sonarr"; + }; + + spec = { + containers.sonarr = { + image = utils.mkNixNGImage "sonarr"; + ports.web.containerPort = 8989; + imagePullPolicy = "IfNotPresent"; + + env = { + PUID.value = "1000"; + PGID.value = "1000"; + TZ.value = "Europe/Amsterdam"; + }; + + volumeMounts = [ + { + name = "config"; + mountPath = "/config"; + } + { + name = "media"; + mountPath = "/media"; + } + ]; }; - volumeMounts = [ - { - name = "config"; - mountPath = "/config"; - } - { - name = "media"; - mountPath = "/media"; - } - ]; - }; + volumes = { + config.persistentVolumeClaim.claimName = "sonarr"; + media.persistentVolumeClaim.claimName = "media"; + }; - volumes = { - config.persistentVolumeClaim.claimName = "sonarr"; - media.persistentVolumeClaim.claimName = "media"; - }; - - securityContext = { - fsGroup = 411; - fsGroupChangePolicy = "OnRootMismatch"; + securityContext = { + fsGroup = 411; + fsGroupChangePolicy = "OnRootMismatch"; + }; }; }; }; }; - bazarr.spec = { - selector.matchLabels = { - app = "media"; - component = "bazarr"; - }; - - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = 0; - maxUnavailable = 1; - }; - }; - - template = { - metadata.labels = { + bazarr = lib.mkIf cfg.bazarr.enable { + spec = { + selector.matchLabels = { app = 
"media"; component = "bazarr"; }; - spec = { - containers.bazarr = { - image = utils.mkNixNGImage "bazarr"; - ports.web.containerPort = 6767; - imagePullPolicy = "IfNotPresent"; + strategy = { + type = "RollingUpdate"; - env = { - PUID.value = "1000"; - PGID.value = "1000"; - TZ.value = "Europe/Amsterdam"; + rollingUpdate = { + maxSurge = 0; + maxUnavailable = 1; + }; + }; + + template = { + metadata.labels = { + app = "media"; + component = "bazarr"; + }; + + spec = { + containers.bazarr = { + image = utils.mkNixNGImage "bazarr"; + ports.web.containerPort = 6767; + imagePullPolicy = "IfNotPresent"; + + env = { + PUID.value = "1000"; + PGID.value = "1000"; + TZ.value = "Europe/Amsterdam"; + }; + + volumeMounts = [ + { + name = "config"; + mountPath = "/config"; + } + { + name = "media"; + mountPath = "/media"; + } + ]; }; - volumeMounts = [ - { - name = "config"; - mountPath = "/config"; - } - { - name = "media"; - mountPath = "/media"; - } - ]; - }; + volumes = { + config.persistentVolumeClaim.claimName = "bazarr"; + media.persistentVolumeClaim.claimName = "media"; + }; - volumes = { - config.persistentVolumeClaim.claimName = "bazarr"; - media.persistentVolumeClaim.claimName = "media"; - }; - - securityContext = { - fsGroup = 412; - fsGroupChangePolicy = "OnRootMismatch"; + securityContext = { + fsGroup = 412; + fsGroupChangePolicy = "OnRootMismatch"; + }; }; }; }; 
@@ -426,120 +451,136 @@ }; services = { - jellyfin.spec = { - selector = { - app = "media"; - component = "jellyfin"; - }; - - ports.web = { - port = 80; - targetPort = "web"; - }; - }; - - deluge.spec = { - type = "LoadBalancer"; - loadBalancerIP = globals.transmissionIPv4; - - selector = { - app = "media"; - component = "deluge"; - }; - - ports = { - bittorrent = { - port = 31780; - targetPort = "bittorrent"; + jellyfin = lib.mkIf cfg.jellyfin.enable { + spec = { + selector = { + app = "media"; + component = "jellyfin"; }; - web = { + ports.web = { port = 80; targetPort = "web"; }; }; }; - jellyseerr.spec = { - type = "LoadBalancer"; - loadBalancerIP = globals.jellyseerrIPv4; + deluge = lib.mkIf cfg.deluge.enable { + spec = { + type = "LoadBalancer"; + loadBalancerIP = globals.transmissionIPv4; - selector = { - app = "media"; - component = "jellyseerr"; - }; + selector = { + app = "media"; + component = "deluge"; + }; - ports.web = { - port = 80; - targetPort = "web"; + ports = { + bittorrent = { + port = 31780; + targetPort = "bittorrent"; + }; + + web = { + port = 80; + targetPort = "web"; + }; + }; }; }; - radarr.spec = { - type = "LoadBalancer"; - loadBalancerIP = globals.radarrIPv4; + jellyseerr = lib.mkIf cfg.jellyseerr.enable { + spec = { + type = "LoadBalancer"; + loadBalancerIP = globals.jellyseerrIPv4; - selector = { - app = "media"; - component = "radarr"; - }; + selector = { + app = "media"; + component = "jellyseerr"; + }; - ports.web = { - port = 80; - targetPort = "web"; + ports.web = { + port = 80; + targetPort = "web"; + }; }; }; - prowlarr.spec = { - type = "LoadBalancer"; - loadBalancerIP = globals.prowlarrIPv4; + radarr = lib.mkIf cfg.radarr.enable { + spec = { + type = "LoadBalancer"; + loadBalancerIP = globals.radarrIPv4; - selector = { - app = "media"; - component = "prowlarr"; - }; + selector = { + app = "media"; + component = "radarr"; + }; - ports.web = { - port = 80; - targetPort = "web"; + ports.web = { + port = 80; + targetPort = 
"web"; + }; }; }; - sonarr.spec = { - type = "LoadBalancer"; - loadBalancerIP = globals.sonarrIPv4; + prowlarr = lib.mkIf cfg.prowlarr.enable { + spec = { + type = "LoadBalancer"; + loadBalancerIP = globals.prowlarrIPv4; - selector = { - app = "media"; - component = "sonarr"; - }; + selector = { + app = "media"; + component = "prowlarr"; + }; - ports.web = { - port = 80; - targetPort = "web"; + ports.web = { + port = 80; + targetPort = "web"; + }; }; }; - bazarr.spec = { - type = "LoadBalancer"; - loadBalancerIP = globals.bazarrIPv4; + sonarr = lib.mkIf cfg.sonarr.enable { + spec = { + type = "LoadBalancer"; + loadBalancerIP = globals.sonarrIPv4; - selector = { - app = "media"; - component = "bazarr"; + selector = { + app = "media"; + component = "sonarr"; + }; + + ports.web = { + port = 80; + targetPort = "web"; + }; }; + }; - ports.web = { - port = 80; - targetPort = "web"; + bazarr = lib.mkIf cfg.bazarr.enable { + spec = { + type = "LoadBalancer"; + loadBalancerIP = globals.bazarrIPv4; + + selector = { + app = "media"; + component = "bazarr"; + }; + + ports.web = { + port = 80; + targetPort = "web"; + }; }; }; }; persistentVolumeClaims = { - jellyfin-cache.spec = { - accessModes = ["ReadWriteOnce"]; - resources.requests.storage = "20Gi"; + jellyfin-cache = lib.mkIf cfg.jellyfin.enable { + spec = { + accessModes = ["ReadWriteOnce"]; + resources.requests.storage = "20Gi"; + }; }; media.spec = { @@ -553,7 +594,7 @@ lab = { ingresses = { - jellyfin = { + jellyfin = lib.mkIf cfg.jellyfin.enable { host = "media.kun.is"; service = { @@ -562,7 +603,7 @@ }; }; - jellyseerr = { + jellyseerr = lib.mkIf cfg.jellyseerr.enable { host = "jellyseerr.kun.is"; entrypoint = "localsecure"; 
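Review bot: The deluge Service still takes its address from `globals.transmissionIPv4`, while every other Service in this hunk reads a global named after its own component (`globals.radarrIPv4`, `globals.sonarrIPv4`, …); the `lib.mkIf cfg.deluge.enable` wrap carried the leftover name along unchanged. Either rename the global to `delugeIPv4` as part of this refactor, or make the reuse explicit: `loadBalancerIP = globals.transmissionIPv4; # deluge replaced transmission and inherited its LAN address`. It would also help to state in the module header that each of these `type = "LoadBalancer"` Services publishes the app's web UI on port 80 on the LAN in addition to the Tailscale ingress, with no TLS termination visible in this hunk, so the application's own login is the only gate on that path.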
@@ -574,69 +615,69 @@ }; tailscaleIngresses = { - tailscale-jellyseerr = { + tailscale-jellyseerr = lib.mkIf cfg.jellyseerr.enable { host = "jellyseerr"; service.name = "jellyseerr"; }; - tailscale-radarr = { + tailscale-radarr = lib.mkIf cfg.radarr.enable { host = "radarr"; service.name = "radarr"; }; - tailscale-sonarr = { + tailscale-sonarr = lib.mkIf cfg.sonarr.enable { host = "sonarr"; service.name = "sonarr"; }; - tailscale-bazarr = { + tailscale-bazarr = lib.mkIf cfg.bazarr.enable { host = "bazarr"; service.name = "bazarr"; }; - tailscale-prowlarr = { + tailscale-prowlarr = lib.mkIf cfg.prowlarr.enable { host = "prowlarr"; service.name = "prowlarr"; }; - tailscale-deluge = { + tailscale-deluge = lib.mkIf cfg.deluge.enable { host = "deluge"; service.name = "deluge"; }; }; longhorn.persistentVolumeClaim = { - jellyfin = { + jellyfin = lib.mkIf cfg.jellyfin.enable { volumeName = "jellyfin"; storage = "5Gi"; }; - deluge = { + deluge = lib.mkIf cfg.deluge.enable { volumeName = "deluge"; storage = "500Mi"; }; - jellyseerr = { + jellyseerr = lib.mkIf cfg.jellyseerr.enable { volumeName = "jellyseerr"; storage = "75Mi"; }; - radarr = { + radarr = lib.mkIf cfg.radarr.enable { volumeName = "radarr"; storage = "300Mi"; }; - prowlarr = { + prowlarr = lib.mkIf cfg.prowlarr.enable { volumeName = "prowlarr"; storage = "150Mi"; }; - sonarr = { + sonarr = lib.mkIf cfg.sonarr.enable { volumeName = "sonarr"; - storage = "150Mi"; + storage = "250Mi"; }; - bazarr = { + bazarr = lib.mkIf cfg.bazarr.enable { volumeName = "bazarr"; storage = "25Mi"; }; diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix index 425033f..b78a4cc 100644 --- a/nixng-modules/sonarr.nix +++ b/nixng-modules/sonarr.nix @@ -24,6 +24,7 @@ in { enabled = true; user = lib.mkDefault "sonarr"; group = lib.mkDefault "sonarr"; + tmpfiles = with nglib.nottmpfiles.dsl; [(e "${cfg.dataDir}/logs" "-" cfgInit.user cfgInit.group "7d" _)]; script = pkgs.writeShellScript "sonarr-run" '' umask 0002 
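Review bot: The sonarr PVC size change `storage = "150Mi";` → `storage = "250Mi";` is an unrelated functional change buried in an otherwise mechanical `lib.mkIf` wrap, and nothing in the commit explains it. Split it into its own commit, or at least name it in the commit message, so that a later bisect on Longhorn volume behaviour does not land on a refactor. As far as I recall Longhorn can grow but not shrink a volume, which makes the bump effectively one-way — worth confirming before it is applied.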
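Review bot: The new `tmpfiles` entry has no comment and its arguments are positional in the nottmpfiles DSL, so a reader has to know systemd-tmpfiles to see that `"7d"` is an age and `"-"` means the mode is left untouched. Add above it: `# Prune files under $dataDir/logs older than 7 days; mode "-" keeps whatever Sonarr created (the umask 0002 below makes those group-writable)`. If the `e` type here follows systemd semantics it only adjusts an existing directory and never creates it — confirm that is what nglib implements, otherwise the cleanup silently does nothing until Sonarr's first run has created the directory.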
@@ -35,7 +36,7 @@ in { users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "sonarr") (nglib.mkDefaultRec { description = "sonarr"; - group = cfgInit.group; + inherit (cfgInit) group; createHome = false; home = "/var/empty"; useDefaultShell = true; From 8fb2b3ab57a759394858cbd7b170561e246dd061 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 22 Jan 2025 17:16:51 +0100 Subject: [PATCH 15/73] jellyfin: 10.10.3 -> 10.10.4 --- globals.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/globals.nix b/globals.nix index 9ba3180..3958631 100644 --- a/globals.nix +++ b/globals.nix @@ -1,8 +1,7 @@ {servers, ...}: let globals = { images = { - jellyfin = "jellyfin/jellyfin:10.10.3"; - deluge = "linuxserver/deluge:2.1.1"; + jellyfin = "jellyfin/jellyfin:10.10.4"; atuin = "ghcr.io/atuinsh/atuin:18.3.0"; postgres14 = "postgres:14"; kms = "teddysun/kms:latest"; From 36cf2214540df4adda93fc5bde6587095335cff1 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 22 Jan 2025 17:31:10 +0100 Subject: [PATCH 16/73] atuin: 18.3.0 -> 18.4.0 paperless-ngx: 2.13.5 -> 2.14.5 nextcloud: 30.0.2 -> 30.0.5 syncthing: 1.28.0 -> 1.29.2 forgejo: 9.0.2 -> 10.0.0 kitchenowl: 0.6.4 -> 0.6.8 --- globals.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/globals.nix b/globals.nix index 3958631..07bd5f7 100644 --- a/globals.nix +++ b/globals.nix 
@@ -2,22 +2,22 @@
 globals = {
 images = {
 jellyfin = "jellyfin/jellyfin:10.10.4";
- atuin = "ghcr.io/atuinsh/atuin:18.3.0";
+ atuin = "ghcr.io/atuinsh/atuin:18.4.0";
 postgres14 = "postgres:14";
 kms = "teddysun/kms:latest";
- paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.13.5";
+ paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.14.5";
 redis7 = "docker.io/library/redis:7";
- nextcloud = "nextcloud:30.0.2";
+ nextcloud = "nextcloud:30.0.5";
 postgres15 = "postgres:15";
 inbucket = "inbucket/inbucket:edge";
- syncthing = "lscr.io/linuxserver/syncthing:1.28.0";
- forgejo = "codeberg.org/forgejo/forgejo:9.0.2";
+ syncthing = "lscr.io/linuxserver/syncthing:1.29.2";
+ forgejo = "codeberg.org/forgejo/forgejo:10.0.0";
 pihole = "pihole/pihole:2024.07.0";
 immich = "ghcr.io/immich-app/immich-server:v1.122.3";
 immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.122.3";
 immich-redis = "docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8";
 immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
- kitchenowl = "tombursch/kitchenowl:v0.6.4";
+ kitchenowl = "tombursch/kitchenowl:v0.6.8";
 cyberchef = "mpepping/cyberchef:latest";
 freshrss = "freshrss/freshrss:1.25.0";
 bind9 = "ubuntu/bind9:9.18-22.04_beta";
From b2ffb5d1bbcefcd3de31f1a400d1da7c73c5d3d6 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sat, 25 Jan 2025 22:20:55 +0100
Subject: [PATCH 17/73] immich: 1.122.3 -> 1.125.2
---
 globals.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/globals.nix b/globals.nix
index 07bd5f7..a5e2f10 100644
--- a/globals.nix
+++ b/globals.nix
@@ -13,9 +13,9 @@ syncthing = "lscr.io/linuxserver/syncthing:1.29.2"; forgejo = "codeberg.org/forgejo/forgejo:10.0.0"; pihole = "pihole/pihole:2024.07.0"; - immich = "ghcr.io/immich-app/immich-server:v1.122.3"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.122.3"; - immich-redis = "docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8"; + immich = "ghcr.io/immich-app/immich-server:v1.125.2"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.125.2"; + immich-redis = "docker.io/redis:6.2-alpine@sha256:905c4ee67b8e0aa955331960d2aa745781e6bd89afc44a8584bfd13bc890f0ae"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0"; kitchenowl = "tombursch/kitchenowl:v0.6.8"; cyberchef = "mpepping/cyberchef:latest"; From e43d2a1475ecf15966680e6944addddd2693dca2 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 25 Jan 2025 23:42:41 +0100 Subject: [PATCH 18/73] Allow creating local GC roots for manifests --- .gitignore | 1 + applyset-deploy.sh | 36 ++++++++++++++++++++++++++++++++---- kubenix.nix | 2 +- 3 files changed, 34 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index c56a9cf..217032a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .direnv .pre-commit-config.yaml result +.manifests diff --git a/applyset-deploy.sh b/applyset-deploy.sh index e7d4e5b..e5b1232 100644 --- a/applyset-deploy.sh +++ b/applyset-deploy.sh 
@@ -2,12 +2,31 @@ set -euo pipefail +CREATE_LOCAL_GCROOT=false + +while [[ "$#" -gt 0 ]]; do + case "$1" in + --help) + echo "Use --create-local-gcroot to create local GC root" + exit 0 + ;; + --create-local-gcroot) + CREATE_LOCAL_GCROOT=true + shift + ;; + *) + echo "Unknown option: $1" + exit 1 + ;; + esac +done + first_server="${SERVERS%% *}" previous_manifest=$( envsubst < Date: Sat, 25 Jan 2025 23:42:57 +0100 Subject: [PATCH 19/73] jellyfin: 10.10.4 -> 10.10.5 --- globals.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index a5e2f10..011531f 100644 --- a/globals.nix +++ b/globals.nix @@ -1,7 +1,7 @@ {servers, ...}: let globals = { images = { - jellyfin = "jellyfin/jellyfin:10.10.4"; + jellyfin = "jellyfin/jellyfin:10.10.5"; atuin = "ghcr.io/atuinsh/atuin:18.4.0"; postgres14 = "postgres:14"; kms = "teddysun/kms:latest"; From ff5aa0526a0ee73291c929835187d08f4b0a6b9c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 30 Jan 2025 11:11:05 +0100 Subject: [PATCH 20/73] prowlarr: 1.29.2.4915 -> 1.30.2.4939 --- flake.lock | 17 +++++++++++++++++ flake.nix | 1 + nixng-configurations/default.nix | 5 ++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index ab6eadc..d50241e 100644 --- a/flake.lock +++ b/flake.lock @@ -786,6 +786,22 @@ "type": "github" } }, + "nixpkgs-prowlarr": { + "locked": { + "lastModified": 1737932785, + "narHash": "sha256-0OW0c742vfXyJflQGWhwMSxk/nbivBOibHei8P2ADRA=", + "owner": "rhoriguchi", + "repo": "nixpkgs", + "rev": "67ead92f4a53625a8afbead0107a6139c4f668b6", + "type": "github" + }, + "original": { + "owner": "rhoriguchi", + "ref": "prowlarr", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1720386169, @@ -952,6 +968,7 @@ "nixng": "nixng", "nixpkgs": "nixpkgs_3", "nixpkgs-master": "nixpkgs-master", + "nixpkgs-prowlarr": "nixpkgs-prowlarr", "servers": "servers", "treefmt-nix": "treefmt-nix_4" } 
diff --git a/flake.nix b/flake.nix index 0a2c12d..817bea0 100644 --- a/flake.nix +++ b/flake.nix @@ -7,6 +7,7 @@ flake-utils.url = "github:numtide/flake-utils"; treefmt-nix.url = "github:numtide/treefmt-nix"; blog.url = "git+https://git.kun.is/pim/blog"; + nixpkgs-prowlarr.url = "github:rhoriguchi/nixpkgs/prowlarr"; git-hooks = { url = "github:cachix/git-hooks.nix"; diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index 5a9c943..f4664ed 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -6,6 +6,7 @@ blog, nixpkgs, nixpkgs-master, + nixpkgs-prowlarr, ... }: flake-utils.lib.eachDefaultSystem (system: let @@ -46,8 +47,10 @@ in { { nixpkgs.overlays = [ (_final: _prev: { + inherit (nixpkgs-prowlarr.legacyPackages.${system}) prowlarr; + # From master branch - inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr prowlarr; + inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr; }) ]; } From 742f293a7167f5a0d08383a6b1ca22537a534f60 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 31 Jan 2025 11:51:04 +0100 Subject: [PATCH 21/73] immich: 1.125.2 -> 1.125.7 --- globals.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/globals.nix b/globals.nix index 011531f..ed1ff6c 100644 --- a/globals.nix +++ b/globals.nix 
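Review bot: `nixpkgs-prowlarr.url = "github:rhoriguchi/nixpkgs/prowlarr";` takes the prowlarr package from a personal nixpkgs fork on a mutable branch, which widens the set of parties whose commits end up in a deployed image; flake.lock pins the rev today, but the next `nix flake update` follows wherever that branch points. Add a comment at the input stating the reason and the exit condition, e.g. `# Temporary: prowlarr 1.30.2.4939 from a third-party fork (presumably a pending nixpkgs PR); drop once it reaches nixpkgs-master`, and diff the fork against upstream before bumping the lock. The overlay line `inherit (nixpkgs-prowlarr.legacyPackages.${system}) prowlarr;` in nixng-configurations/default.nix should carry the same comment so the input and the overlay are removed together.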
@@ -13,8 +13,8 @@
 syncthing = "lscr.io/linuxserver/syncthing:1.29.2";
 forgejo = "codeberg.org/forgejo/forgejo:10.0.0";
 pihole = "pihole/pihole:2024.07.0";
- immich = "ghcr.io/immich-app/immich-server:v1.125.2";
- immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.125.2";
+ immich = "ghcr.io/immich-app/immich-server:v1.125.7";
+ immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.125.7";
 immich-redis = "docker.io/redis:6.2-alpine@sha256:905c4ee67b8e0aa955331960d2aa745781e6bd89afc44a8584bfd13bc890f0ae";
 immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
 kitchenowl = "tombursch/kitchenowl:v0.6.8";
From 29ad11e6f2cd41e338659c1cbee0b8d955d65b58 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Tue, 4 Feb 2025 17:24:51 +0100
Subject: [PATCH 22/73] MVP Authelia deployment
---
 deployments.nix | 5 ++
 flake.lock | 6 +-
 modules/authelia.nix | 116 ++++++++++++++++++++++++++++++++++
 modules/bootstrap-default.nix | 2 +
 modules/cyberchef.nix | 2 +
 modules/default.nix | 1 +
 modules/dummy-types.nix | 7 ++
 modules/ingress.nix | 4 +-
 modules/traefik.nix | 17 +++++
 9 files changed, 155 insertions(+), 5 deletions(-)
 create mode 100644 modules/authelia.nix
diff --git a/deployments.nix b/deployments.nix
index eb0433d..a2bce23 100644
--- a/deployments.nix
+++ b/deployments.nix
@@ -123,4 +123,9 @@
 module.ntfy.enable = true;
 namespace = "ntfy";
 };
+
+ authelia = {
+ module.authelia.enable = true;
+ namespace = "authelia";
+ };
 }
diff --git a/flake.lock b/flake.lock
index d50241e..fb4e805 100644
--- a/flake.lock
+++ b/flake.lock
@@ -666,11 +666,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1736990287, - "narHash": "sha256-f5DfFkMglyrCozBW/dU6WeZfHOueUm8Q1rv4r5yDOeE=", + "lastModified": 1738631908, + "narHash": "sha256-ndQgb/SAeOcgbsG7b+7qhrVn+XSTjs/Vk5m7eEb/HZY=", "owner": "farcaller", "repo": "nixhelm", - "rev": "09b4f8373f142206456f9c15a3b638e3ce4feeb0", + "rev": "e105a8264cc981d47a0f6fbfcdcc87681487aa0c", "type": "github" }, "original": { diff --git a/modules/authelia.nix b/modules/authelia.nix new file mode 100644 index 0000000..ec2d0ef --- /dev/null +++ b/modules/authelia.nix 
@@ -0,0 +1,116 @@ +{ + nixhelm, + system, + config, + lib, + ... +}: { + options.authelia.enable = lib.mkEnableOption "authelia"; + + config = lib.mkIf config.authelia.enable { + kubernetes = { + helm.releases.authelia = { + chart = nixhelm.chartsDerivations.${system}.authelia.authelia; + includeCRDs = true; + namespace = "authelia"; + + values = { + pod = { + kind = "Deployment"; + replicas = 1; + }; + + configMap = { + authentication_backend = { + password_reset.disable = true; + ldap.enabled = false; + + file = { + enabled = true; + # TODO: use better path + path = "/tmp/users.yml"; + search.email = true; + password.algorithm = "argon2"; + }; + }; + + access_control = { + default_policy = "one_factor"; + }; + + storage = { + # TODO: dummy secret, replace with real one + encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8"; + + local = { + enabled = true; + path = "/tmp/storage"; # TODO + }; + }; + + session = { + # TODO: dummy secret, replace with real one + encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288"; + + cookies = [ + { + domain = "kun.is"; + subdomain = "auth"; + } + ]; + }; + + notifier = { + filesystem = { + enabled = true; + # TODO: switch to SMTP + filename = "/tmp/notifications.txt"; + }; + }; + }; + }; + }; + + resources = { + # TODO: replace with secret and encrypt it + configMaps.users.data.users = lib.generators.toYAML {} { + users = { + pim = { + disabled = false; + displayname = "Pim Kunis"; + password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI"; + groups = ["admins"]; + }; + }; + }; + + deployments.authelia.spec.template.spec = { + volumes.users.configMap.name = "users"; + containers.authelia.volumeMounts = [ + { + name = "users"; + mountPath = "/tmp/users.yml"; + subPath = "users"; + 
} + ]; + }; + }; + }; + + lab = { + ingresses.authelia = { + host = "auth.kun.is"; + + service = { + name = "authelia"; + portName = "http"; + }; + }; + + longhorn.persistentVolumeClaim.data = { + volumeName = "authelia"; + storage = "100Mi"; + }; + }; + }; +} diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix index e578fa6..bc2676c 100644 --- a/modules/bootstrap-default.nix +++ b/modules/bootstrap-default.nix @@ -62,6 +62,7 @@ minecraft = {}; tailscale = {}; ntfy = {}; + authelia = {}; }; nodes = @@ -137,6 +138,7 @@ minecraft.storage = "1Gi"; ntfy.storage = "300Mi"; deluge.storage = "500Mi"; + authelia.storage = "100Mi"; }; tailscaleIngresses.tailscale-longhorn = { diff --git a/modules/cyberchef.nix b/modules/cyberchef.nix index d2dabbc..3a5529a 100644 --- a/modules/cyberchef.nix +++ b/modules/cyberchef.nix @@ -31,6 +31,8 @@ targetPort = "web"; }; }; + + ingresses.cyberchef.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd"; }; lab.ingresses.cyberchef = { diff --git a/modules/default.nix b/modules/default.nix index c976c14..0958257 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -29,5 +29,6 @@ ./tailscale.nix ./ntfy.nix ./minecraft.nix + ./authelia.nix ]; } diff --git a/modules/dummy-types.nix b/modules/dummy-types.nix index 0a6a7f7..394e3a6 100644 --- a/modules/dummy-types.nix +++ b/modules/dummy-types.nix @@ -38,5 +38,12 @@ version = "v1beta1"; kind = "RecurringJob"; }; + + middlewares = { + attrName = "middlewares"; + group = "traefik.io"; + version = "v1alpha1"; + kind = "Middleware"; + }; }; } diff --git a/modules/ingress.nix b/modules/ingress.nix index 9dbcb86..d6a27aa 100644 --- a/modules/ingress.nix +++ b/modules/ingress.nix @@ -47,7 +47,7 @@ in { rules = [ { - host = ingress.host; + inherit (ingress) host; http.paths = [ { 
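Review bot: The argon2id hash for user `pim` is committed in plaintext inside a ConfigMap, readable by any principal with `get configmaps` in the `authelia` namespace, and it stays in git history even after the users file moves to a Secret; if that hash was produced from a real password rather than a throwaway, the password needs rotating, not just re-homing. The two `encryption_key.path` values are 128 hex characters of key material placed in a field the chart appears to treat as a file path, so as written Authelia would look for a file by that name — acceptable for an MVP, but mark both `# INSECURE placeholder, not a working key` rather than a plain `TODO` so they cannot be mistaken for functioning config. `access_control.default_policy = "one_factor"` means every domain sent through the forward-auth middleware is gated by a password alone; consider `default_policy = "deny"` with explicit per-domain rules so a newly protected ingress fails closed.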
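Review bot: The middleware reference `kube-system-forwardauth-authelia@kubernetescrd` is a hand-assembled string (namespace, Middleware name, provider) dropped into a per-service annotation, so every further service placed behind Authelia will repeat it and a rename of the Middleware breaks them at request time rather than at eval time. Since this service already goes through `lab.ingresses.cyberchef`, a boolean there (say `lab.ingresses.cyberchef.authelia = true;`) that emits the annotation in modules/ingress.nix would keep the string in one place next to the Middleware definition. The annotation guards only the Ingress; this assumes cyberchef has no other exposure (LoadBalancer IP or Tailscale ingress) that bypasses Traefik — confirm.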
@@ -55,7 +55,7 @@ in { pathType = "Prefix"; backend.service = { - name = ingress.service.name; + inherit (ingress.service) name; port.name = ingress.service.portName; }; } diff --git a/modules/traefik.nix b/modules/traefik.nix index b59253d..e4e1c09 100644 --- a/modules/traefik.nix +++ b/modules/traefik.nix @@ -61,6 +61,23 @@ }; }; }; + + middlewares.forwardauth-authelia = { + metadata.labels = { + "app.kubernetes.io/instance" = "authelia"; + "app.kubernetes.io/name" = "authelia"; + }; + + spec.forwardAuth = { + address = "http://authelia.authelia.svc.cluster.local/api/authz/forward-auth"; + authResponseHeaders = [ + "Remote-User" + "Remote-Groups" + "Remote-Email" + "Remote-Name" + ]; + }; + }; }; lab = { From 20a72b00a6144887a97220eceed9d9dedc8ede31 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 5 Feb 2025 18:06:30 +0100 Subject: [PATCH 23/73] Recreate and encrypt Authelia secrets --- modules/attic.nix | 1 - modules/authelia.nix | 73 +++++++++++++++++++++----------------------- secrets.yml | 11 +++++-- 3 files changed, 42 insertions(+), 43 deletions(-) diff --git a/modules/attic.nix b/modules/attic.nix index 2742b7b..3c6a77b 100644 --- a/modules/attic.nix +++ b/modules/attic.nix @@ -1,5 +1,4 @@ { - self, utils, lib, config, diff --git a/modules/authelia.nix b/modules/authelia.nix index ec2d0ef..b961dc8 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix 
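Review bot: The Middleware forwards `Remote-User`/`Remote-Groups`/`Remote-Email`/`Remote-Name` to backends without a comment on the trust model, which is the part a later maintainer most needs. Add above `authResponseHeaders`: `# Traefik copies these from Authelia's response and overwrites any client-supplied copies, so a backend may trust them only on requests that passed through this middleware; services reachable by another path (LoadBalancer IP, Tailscale) must not`. `address` is plain in-cluster HTTP to `authelia.authelia.svc.cluster.local`, which is acceptable on the pod network but worth stating. The cyberchef annotation refers to `kube-system-forwardauth-authelia`, so this Middleware has to be created in `kube-system`; the namespace is not visible in this hunk, so please confirm it.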
@@ -20,27 +20,41 @@ replicas = 1; }; + secret.additionalSecrets.authelia.items = [ + { + key = "storage"; + path = "storage"; + } + { + key = "session"; + path = "session"; + } + { + key = "users"; + path = "users"; + } + ]; + configMap = { + access_control.default_policy = "one_factor"; + authentication_backend = { password_reset.disable = true; ldap.enabled = false; file = { enabled = true; - # TODO: use better path - path = "/tmp/users.yml"; + path = "/secrets/authelia/users"; search.email = true; password.algorithm = "argon2"; }; }; - access_control = { - default_policy = "one_factor"; - }; - storage = { - # TODO: dummy secret, replace with real one - encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8"; + encryption_key = { + secret_name = "authelia"; + path = "storage"; + }; local = { enabled = true; @@ -49,8 +63,10 @@ }; session = { - # TODO: dummy secret, replace with real one - encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288"; + encryption_key = { + secret_name = "authelia"; + path = "session"; + }; cookies = [ { 
@@ -60,40 +76,19 @@ ]; }; - notifier = { - filesystem = { - enabled = true; - # TODO: switch to SMTP - filename = "/tmp/notifications.txt"; - }; + notifier.filesystem = { + enabled = true; + # TODO: switch to SMTP + filename = "/tmp/notifications.txt"; }; }; }; }; - resources = { - # TODO: replace with secret and encrypt it - configMaps.users.data.users = lib.generators.toYAML {} { - users = { - pim = { - disabled = false; - displayname = "Pim Kunis"; - password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI"; - groups = ["admins"]; - }; - }; - }; - - deployments.authelia.spec.template.spec = { - volumes.users.configMap.name = "users"; - containers.authelia.volumeMounts = [ - { - name = "users"; - mountPath = "/tmp/users.yml"; - subPath = "users"; - } - ]; - }; + resources.secrets.authelia.stringData = { + storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage"; + session = "ref+sops://secrets.yml#/authelia/encryption_keys/session"; + users = "ref+sops://secrets.yml#/authelia/users"; }; }; diff --git a/secrets.yml b/secrets.yml index 170dd31..843cc1e 100644 --- a/secrets.yml +++ b/secrets.yml 
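Review bot: `stringData` values of the form `ref+sops://secrets.yml#/...` leave open where the references are resolved, and that decides whether the Authelia keys and the users file ever land in plaintext on disk. If a vals-style step resolves them at apply time, the rendered manifest only ever holds the reference — good, and worth a one-line comment `# resolved at apply time (vals); never rendered into the Nix store`. If they are instead expanded while the manifest derivation is built, the plaintext ends up world-readable in /nix/store and now also in the `.manifests` GC root introduced in PATCH 18; I cannot tell from this hunk which it is, so please confirm.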
@@ -29,6 +29,11 @@ immich: tailscale: clientID: ENC[AES256_GCM,data:O8tTyy55xP85JkbJNR5daB4=,iv:SMj83Sxh7BvPRG3l5TnnpmclO5N2treUQCCJuMy8cO8=,tag:UUSN3bsZvb09cyYN65RQDg==,type:str] clientSecret: ENC[AES256_GCM,data:c8E/a7McI+wGN9TFJ/yzTSkrhUlISmrNJdjDDMqAQrZ8s5wFEZ+4+h+dtwcjF9Ykj198glgny7cP3HubHVDw,iv:ifaP4NmLRQbYQtJQaMMCMaehosapZ2R3im9ew5h6f9E=,tag:XF+xB94nua8RZlkGxFDFFQ==,type:str] +authelia: + encryption_keys: + storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str] + session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str] + users: ENC[AES256_GCM,data:Bstr2ZYDwUdcw0AXG/UxRcabEOk2k/cix+L73IHQugmSNG2wGSNbDhZdvPxLbyZcxlpa7MU9o63YIjk+f+5zl7NZsARSw1NSUtrXzk62mz/lvQzGW+gZXIG78Q5vLOp652xFRwt0L/5x3wEoP64T6E3AMn23sfntf/OA04CMCbeleTkR+MzeLD+k1A2qHb7zZV7k44IMHToBOkZ15ICfZ27wN7NWOoQ+cqlJeKQWSG34I0DWW+iKjnT4H5YIcSWlLSEhA7c2pzxzkPmxwgnLCIyCXF1WesIUqxor3klpYGkW9A==,iv:3bJOTCAW2QWmNQgX3duXLQGki1FoaJ1aZvDXvX0T2Z0=,tag:kbiDE0M7KQRuyV9PiIg0Vw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -53,8 +58,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-01T13:22:41Z" - mac: ENC[AES256_GCM,data:6UqmxHJC4KWsiQttXFEEG1opPcrGntYj9nlD8m0iBqjc9g/SHxEogpaiYEnriGNXGw0HhRWjrd+JX29Ht4xVeiYqthYX+4rVuIuv+SI7p08hJeIBbIYrfonAJsebbSsynuy9YgyUkNZhoqjZTtuzFU/c4Dh5453RVnuQmu4PZNs=,iv:yA//mqJ0Ft63eRME8A1HBiZ/B0gcVYlS4MaP0LykooU=,tag:0NxU0lVi67N34eDhsT82kQ==,type:str] + lastmodified: "2025-02-05T16:59:14Z" + mac: ENC[AES256_GCM,data:hfH7il2xkxaz+Uzv4V4BaLv3RnS4nmAic2G4RVJmB7jc9mEBthcPdf0OPo6pXZ14YqVgfzsR3zNdqnaPwPIks07BZ27zo7pKvpdiJACGi6RXIpJwzgd3bwrVm5P11gBmPZbMv+vkoTVNl3EENOOKsfqoDNI3/Pwj6fXSWIJ5m1o=,iv:d3K/3gOLpo8bd6JfpiYhC/KHU/SsgQ9vSgc5lYvkdhk=,tag:PAB+jDOnP1z9IiR5gHdImA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2 From b5fdd14ea6599d1be3f8235a58719000203978d4 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 5 Feb 2025 22:24:08 +0100 Subject: [PATCH 24/73] Add persistent data for Authelia --- modules/authelia.nix | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/modules/authelia.nix b/modules/authelia.nix index b961dc8..d8152fb 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -18,6 +18,20 @@ pod = { kind = "Deployment"; replicas = 1; + + extraVolumes = [ + { + name = "data"; + persistentVolumeClaim.claimName = "data"; + } + ]; + + extraVolumeMounts = [ + { + name = "data"; + mountPath = "/storage"; + } + ]; }; secret.additionalSecrets.authelia.items = [ @@ -58,7 +72,7 @@ local = { enabled = true; - path = "/tmp/storage"; # TODO + path = "/storage/database.sqlite"; }; }; 
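Review bot: The new `extraVolumes` entry mounts `persistentVolumeClaim.claimName = "data"`, but the diffstat lists only modules/authelia.nix and nothing in the hunk declares that PVC; if it is created by a `lab.longhorn.persistentVolumeClaim` entry elsewhere in the file, a comment next to the claim (`# PVC "data" is declared under lab.longhorn below`) makes the dependency visible, otherwise the pod will sit in Pending. The second hunk moves the local storage backend to `/storage/database.sqlite` on that volume; a single SQLite file must not be opened for writing by two pods at once, so the `replicas = 1` in the first hunk's context is now load-bearing and deserves a why-comment. Both hunks are inside the `values` set, which begins and ends outside this view.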
@@ -78,17 +92,29 @@ notifier.filesystem = { enabled = true; - # TODO: switch to SMTP filename = "/tmp/notifications.txt"; }; }; }; }; - resources.secrets.authelia.stringData = { - storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage"; - session = "ref+sops://secrets.yml#/authelia/encryption_keys/session"; - users = "ref+sops://secrets.yml#/authelia/users"; + resources = { + deployments.authelia.spec = { + strategy = { + type = "RollingUpdate"; + + rollingUpdate = { + maxSurge = lib.mkForce 0; + maxUnavailable = lib.mkForce 1; + }; + }; + }; + + secrets.authelia.stringData = { + storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage"; + session = "ref+sops://secrets.yml#/authelia/encryption_keys/session"; + users = "ref+sops://secrets.yml#/authelia/users"; + }; }; }; From 05f020ecb3646a4380545a094333d4e222da5e2d Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 6 Feb 2025 10:55:05 +0100 Subject: [PATCH 25/73] authelia: enable 2fa authelia: configure SMTP for notifications --- modules/authelia.nix | 34 ++++++++++++++++++++++++++++++---- secrets.yml | 7 ++++--- 2 files changed, 34 insertions(+), 7 deletions(-) diff --git a/modules/authelia.nix b/modules/authelia.nix index d8152fb..0eb45cc 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -47,10 +47,23 @@ key = "users"; path = "users"; } + { + key = "smtpPassword"; + path = "smtpPassword"; + } ]; configMap = { - access_control.default_policy = "one_factor"; + access_control = { + default_policy = "one_factor"; + + rules = [ + { + domain = "cyberchef.kun.is"; + policy = "two_factor"; + } + ]; + }; authentication_backend = { password_reset.disable = true; 
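Review bot: The first hunk removes the `# TODO: switch to SMTP` marker while `notifier.filesystem` with `filename = "/tmp/notifications.txt"` stays the active notifier, so the module now silently keeps writing verification mails to a file inside the pod instead of delivering them; keep the marker until the SMTP notifier lands, e.g. `# TODO: switch to SMTP; notifications currently land in /tmp inside the pod`. In the second hunk the `rollingUpdate` with `maxSurge = lib.mkForce 0` and `maxUnavailable = lib.mkForce 1` makes the old pod terminate before its replacement starts, which presumably protects the SQLite file on the shared volume from a second writer; record that with `# Never run two pods at once: the SQLite storage backend has a single writer.` so nobody relaxes it later. The `resources` set closes an attribute set that starts outside the hunk.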
@@ -90,9 +103,21 @@ ]; }; - notifier.filesystem = { - enabled = true; - filename = "/tmp/notifications.txt"; + notifier = { + filesystem.enabled = false; + + smtp = { + enabled = true; + address = "submission://mail.smtp2go.com:2525"; + identifier = "auth.kun.is"; + sender = "Authelia "; + username = "uxY88HYzbBTAoWYm4PUxpT76u"; + + password = { + secret_name = "authelia"; + path = "smtpPassword"; + }; + }; }; }; }; @@ -113,6 +138,7 @@ secrets.authelia.stringData = { storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage"; session = "ref+sops://secrets.yml#/authelia/encryption_keys/session"; + smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword"; users = "ref+sops://secrets.yml#/authelia/users"; }; }; diff --git a/secrets.yml b/secrets.yml index 843cc1e..4c1dc37 100644 --- a/secrets.yml +++ b/secrets.yml 
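Review bot: `username = "uxY88HYzbBTAoWYm4PUxpT76u"` lands in the rendered configMap and in git in clear text while only `password` is read from the `authelia` secret; for a relay account the username is half of the credential, so route it through the same secret (the `secret_name`/`path` form used for the password, if the chart allows it for this field) and keep only a placeholder in the module. `sender = "Authelia "` looks truncated — presumably a `<mailbox>` part was lost in extraction; confirm the deployed value is a complete `Name <address>` string. With `smtp.enabled = true` the `filesystem.enabled = false` line is dead configuration and can be dropped. The `notifier` set sits inside `configMap`, whose start is outside the hunk.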
@@ -33,7 +33,8 @@ authelia: encryption_keys: storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str] session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str] - users: ENC[AES256_GCM,data:Bstr2ZYDwUdcw0AXG/UxRcabEOk2k/cix+L73IHQugmSNG2wGSNbDhZdvPxLbyZcxlpa7MU9o63YIjk+f+5zl7NZsARSw1NSUtrXzk62mz/lvQzGW+gZXIG78Q5vLOp652xFRwt0L/5x3wEoP64T6E3AMn23sfntf/OA04CMCbeleTkR+MzeLD+k1A2qHb7zZV7k44IMHToBOkZ15ICfZ27wN7NWOoQ+cqlJeKQWSG34I0DWW+iKjnT4H5YIcSWlLSEhA7c2pzxzkPmxwgnLCIyCXF1WesIUqxor3klpYGkW9A==,iv:3bJOTCAW2QWmNQgX3duXLQGki1FoaJ1aZvDXvX0T2Z0=,tag:kbiDE0M7KQRuyV9PiIg0Vw==,type:str] + smtpPassword: ENC[AES256_GCM,data:Zd2F237gWaL555lf022zjr7VHVcAFUyFxg==,iv:ka8YuGFclNrWV1U0g2ERypiKy6rN5ppPIVlsjBqkFrI=,tag:e+5fO6VR1z1cqYTXJ6Yo+Q==,type:str] + users: ENC[AES256_GCM,data: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,iv:9hm49dFfD6O0YV5YdyXqyiU1vjSHNuH4/+JcXiN+PWI=,tag:jM6atf1M0cgDcAiFOd626Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -58,8 +59,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-05T16:59:14Z" - mac: ENC[AES256_GCM,data:hfH7il2xkxaz+Uzv4V4BaLv3RnS4nmAic2G4RVJmB7jc9mEBthcPdf0OPo6pXZ14YqVgfzsR3zNdqnaPwPIks07BZ27zo7pKvpdiJACGi6RXIpJwzgd3bwrVm5P11gBmPZbMv+vkoTVNl3EENOOKsfqoDNI3/Pwj6fXSWIJ5m1o=,iv:d3K/3gOLpo8bd6JfpiYhC/KHU/SsgQ9vSgc5lYvkdhk=,tag:PAB+jDOnP1z9IiR5gHdImA==,type:str] + lastmodified: "2025-02-06T09:44:26Z" + mac: ENC[AES256_GCM,data:1KuTjnTtXftuVzE18ULskydigmLavdy740+/K0PN7p8FSJ7IKU1XP9L93mmxoQOFN1MrVl7ENrY0Wu9/UOG6xSK0S3HcfQKyO8i0Jtgj1tUodcWR/kb7BTwJ3oylQ5xXnHd2rdlaE1y3ZfarFvZqokBsNyux0t9tZYGcRA5W6ZQ=,iv:hnHbV2oNeFu+EJXZS39oa7QMOSL9tuHCVpvjIg6TSFk=,tag:4EijW78hQ4IHb6atatJktQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2 From 7f1505878b01fda78fa66dff15733761a6bdf35c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 8 Feb 2025 13:02:59 +0100 Subject: [PATCH 26/73] Use OIDC auth for freshrss --- modules/authelia.nix | 47 +++++++++++++++++++++++++++++++++++ modules/freshrss.nix | 19 ++++++++++++++ modules/tailscale-ingress.nix | 2 +- secrets.yml | 11 ++++++-- 4 files changed, 76 insertions(+), 3 deletions(-) diff --git a/modules/authelia.nix b/modules/authelia.nix index 0eb45cc..a5c1d2b 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix 
@@ -51,9 +51,52 @@ key = "smtpPassword"; path = "smtpPassword"; } + { + key = "oidc_hmac_secret"; + path = "oidc_hmac_secret"; + } + { + key = "oidc_jwk_rs256_private"; + path = "oidc.jwk.RS256.pem"; + } + { + key = "freshrss_client_secret"; + path = "freshrss_client_secret"; + } ]; configMap = { + identity_providers.oidc = { + enabled = true; + consent_mode = "implicit"; + + hmac_secret = { + secret_name = "authelia"; + path = "oidc_hmac_secret"; + }; + + jwks = [ + { + algorithm = "RS256"; + key.path = "/secrets/authelia/oidc.jwk.RS256.pem"; + } + ]; + + clients = [ + { + client_id = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44"; + client_name = "FreshRSS"; + client_secret.path = "/secrets/authelia/freshrss_client_secret"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = ["https://rss.kun.is:443/i/oidc/"]; + scopes = ["openid" "groups" "email" "profile"]; + userinfo_signed_response_alg = "none"; + token_endpoint_auth_method = "client_secret_basic"; + } + ]; + }; + access_control = { default_policy = "one_factor"; @@ -140,6 +183,10 @@ session = "ref+sops://secrets.yml#/authelia/encryption_keys/session"; smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword"; users = "ref+sops://secrets.yml#/authelia/users"; + oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret"; + oidc_jwk_rs256_private = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private"; + oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public"; + freshrss_client_secret = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret"; }; }; }; diff --git a/modules/freshrss.nix b/modules/freshrss.nix index 0581d95..8f703ee 100644 --- a/modules/freshrss.nix +++ b/modules/freshrss.nix 
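Review bot: `client_secret.path = "/secrets/authelia/freshrss_client_secret"` and the `freshrss_client_secret` stringData entry in the second hunk resolve `ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret`, the same key FreshRSS's `OIDC_CLIENT_SECRET` reads in the next file section, so the provider holds the relying party's plaintext secret; Authelia documents the provider-side `client_secret` as a password digest (pbkdf2/argon2id), so store the digest here and the plaintext only on the FreshRSS side, as two sops entries. `consent_mode = "implicit"` is placed on `identity_providers.oidc` rather than inside the client entry; it is a per-client setting, so confirm it takes effect where it sits. `userinfo_signed_response_alg = "none"` and the explicit `:443` in `redirect_uris` each deviate from the common form and deserve a one-line comment stating why. `configMap` continues outside the hunk.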
@@ -36,6 +36,14 @@ CRON_MIN.value = "2,32"; ADMIN_EMAIL.value = "pim@kunis.nl"; PUBLISHED_PORT.value = "443"; + OIDC_ENABLED.value = "1"; + OIDC_PROVIDER_METADATA_URL.value = "https://auth.kun.is/.well-known/openid-configuration"; + OIDC_CLIENT_ID.value = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44"; + OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret"; + OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key"; + OIDC_REMOTE_USER_CLAIM.value = "preferred_username"; + OIDC_SCOPES.value = "openid groups email profile"; + OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto"; ADMIN_PASSWORD.valueFrom.secretKeyRef = { name = "server"; @@ -76,9 +84,20 @@ targetPort = "web"; }; }; + + ingresses.freshrss.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd"; }; lab = { + ingresses.freshrss = { + host = "rss.kun.is"; + + service = { + name = "server"; + portName = "web"; + }; + }; + tailscaleIngresses.tailscale = { host = "freshrss"; service.name = "server"; diff --git a/modules/tailscale-ingress.nix b/modules/tailscale-ingress.nix index 83e3f96..23eedb3 100644 --- a/modules/tailscale-ingress.nix +++ b/modules/tailscale-ingress.nix @@ -42,7 +42,7 @@ pathType = "Prefix"; backend.service = { - name = service.name; + inherit (service) name; port.name = service.portName; }; } diff --git a/secrets.yml b/secrets.yml index 4c1dc37..b3830ac 100644 --- a/secrets.yml +++ b/secrets.yml 
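Review bot: `OIDC_CLIENT_SECRET.value` and `OIDC_CLIENT_CRYPTO_KEY.value` put a `ref+sops://` reference straight into an env `value`, so once the reference is resolved the plaintext sits in the Deployment manifest itself, visible to anyone who can read deployments and to whatever logs or diffs the rendered manifests; the `ADMIN_PASSWORD.valueFrom.secretKeyRef = { name = "server"; ...` lines directly below show the pattern this file already uses, so add both keys to the `server` secret and reference them with `valueFrom.secretKeyRef`. The same `.value` shortcut appears for `CMD_OAUTH2_CLIENT_SECRET` in modules/hedgedoc.nix in the "Enable Authelia auth for Hedgedoc" commit, again next to a `CMD_DB_URL.valueFrom.secretKeyRef` that does it right. The `env` set holding these lines starts outside the hunk.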
@@ -1,5 +1,6 @@ freshrss: password: ENC[AES256_GCM,data:ECDPrW+VgO8PY9p2fLIreRETNiRL5ZGnu/PMC7aNj8KaWfyNYL+l3w==,iv:srR/r1EtOpC/CKKrCDKcTLVdMFPAYIJIB1CCg8mS0UU=,tag:YN4PqR5uvPkVskpJWD+91g==,type:str] + oidc_crypto_key: ENC[AES256_GCM,data:+RX1P6PmMuyBeSFlwAChM9tX/JMda4DrQ7JH7Z+tbzXRuRb4nTMR6G7cINeQFah4W30VwdxBqbpRsCdfjR1FrkcwsG1ioDRpuma5VTaHp3TyLZvBWZ/BCi7G+d89qJmymaPGclES2j9YHWRobr7jcFIuiJD/t3jQ/T8iwt72jiY=,iv:lawZnDO7JH2P3jViaFzVzJZFp0e/Ym4/169AsvHg2+0=,tag:SO33RifFpLRXqXFpLQczjw==,type:str] pihole: password: ENC[AES256_GCM,data:MA60825Tl6aYEFVoPgo8k5Vjb9zmIxtPLJriQV1B3P1bOKu1KK7vxQ==,iv:RGZHox8CbJiEEEjMo2k/tNbtjCPy/QY7vOuMN/YNZcg=,tag:yphrq03IKpXM/tSDBLeSgA==,type:str] hedgedoc: 
@@ -34,6 +35,12 @@ authelia: storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str] session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str] smtpPassword: ENC[AES256_GCM,data:Zd2F237gWaL555lf022zjr7VHVcAFUyFxg==,iv:ka8YuGFclNrWV1U0g2ERypiKy6rN5ppPIVlsjBqkFrI=,tag:e+5fO6VR1z1cqYTXJ6Yo+Q==,type:str] + oidc: + hmac_secret: ENC[AES256_GCM,data:4SDX5lopMeomhkMpkei6Qu6S+BBhFGCZswBfOtfWNSzv3qAEme9h3wQeIQ2W18J84RwprTpDZdkk++bbAYoch2iZF1yEV+8XBcmVcg4q+s5isn0lAaTDhHHCZ6Cci8KuyYy5/tcMDgF61oM5H0g7nGv7rhPD8clDubZwAvEDf7g=,iv:S7cCKyWbB4QaqGYsrp9JavKBAMxnfzhnl5bMRyq4TT4=,tag:S2+NglxgDsi4ivvR2FYjsQ==,type:str] + freshrss_client_secret: ENC[AES256_GCM,data:TLCQaJ8FZX9fVErXE84akyRE0ZWPJBiAxKjdpr4eXClxECGUQZO0Vu07dwj0mzRUiMMpNthBibxNeOGnE147Fht1tET3EuEe,iv:F0iZpzJyZvYjNlxMFeVzLlquWqsV3J0M1eTr0oNn+QQ=,tag:6eD4AUc7VK6aBGUr/Oe0lQ==,type:str] + jwk_rs256: + private: ENC[AES256_GCM,data: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,iv:cZQEw3E1Kq+Qg1ZB0gwMW87NG1z/tGDnQOpRiCsdpUs=,tag:N/JqLdXIwCerHynMhmvhug==,type:str] + public: ENC[AES256_GCM,data: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,iv:o8F7qgHLWhWXEOOSzum+Qore2tGSraqmC1VMWtpaj0I=,tag:Kn5myis0OwoCMa+8yhssPg==,type:str] users: ENC[AES256_GCM,data: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,iv:9hm49dFfD6O0YV5YdyXqyiU1vjSHNuH4/+JcXiN+PWI=,tag:jM6atf1M0cgDcAiFOd626Q==,type:str] sops: kms: [] 
@@ -59,8 +66,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-06T09:44:26Z" - mac: ENC[AES256_GCM,data:1KuTjnTtXftuVzE18ULskydigmLavdy740+/K0PN7p8FSJ7IKU1XP9L93mmxoQOFN1MrVl7ENrY0Wu9/UOG6xSK0S3HcfQKyO8i0Jtgj1tUodcWR/kb7BTwJ3oylQ5xXnHd2rdlaE1y3ZfarFvZqokBsNyux0t9tZYGcRA5W6ZQ=,iv:hnHbV2oNeFu+EJXZS39oa7QMOSL9tuHCVpvjIg6TSFk=,tag:4EijW78hQ4IHb6atatJktQ==,type:str] + lastmodified: "2025-02-08T11:58:45Z" + mac: ENC[AES256_GCM,data:ZHE9vdafH6oQnwHJb1p9FRBKB3Q5V6UK+6kiRt96p82aWG/PYtlxxt/Fc9pdgItSN4iVma8sDSs+IRpS5qUvRE5H71fqNDpGE7gfKn3QbK/GRN1WJv4P0Dg3tghFw+oqQ8hqPffGM2UurYlax9T2TnUEyZw8VdDMaTrGbQrjjQ8=,iv:iErbT0QSfgGFVNbz/QBqqZQbEJcfPn3t5QIGEWQgRx8=,tag:xJsYBMoGmxF26c7Rewtvlg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2 From ceebecbfa3630eb59988d215cf9d2faab1616bcf Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 8 Feb 2025 13:36:04 +0100 Subject: [PATCH 27/73] Fix consent mode for FreshRSS --- modules/authelia.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authelia.nix b/modules/authelia.nix index a5c1d2b..021dec6 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -68,7 +68,6 @@ configMap = { identity_providers.oidc = { enabled = true; - consent_mode = "implicit"; hmac_secret = { secret_name = "authelia"; @@ -93,6 +92,7 @@ scopes = ["openid" "groups" "email" "profile"]; userinfo_signed_response_alg = "none"; token_endpoint_auth_method = "client_secret_basic"; + consent_mode = "implicit"; } ]; }; From f97f7d4666c6b02947e1d685fa6f4d232f447c33 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sat, 8 Feb 2025 14:49:38 +0100 Subject: [PATCH 28/73] Share keepassxc using syncthing Remove unused syncthing shares --- modules/bootstrap-default.nix | 27 ++++++++------------------- modules/syncthing.nix | 26 +++++++++++++------------- 2 files changed, 21 insertions(+), 32 deletions(-) diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix index bc2676c..59e51a1 100644 --- a/modules/bootstrap-default.nix +++ b/modules/bootstrap-default.nix @@ -67,7 +67,7 @@ nodes = builtins.mapAttrs - (name: labels: { + (_name: labels: { metadata.labels = labels; }) globals.nodeLabels; @@ -82,25 +82,13 @@ ipAddressPools.main.spec.addresses = ["192.168.30.128-192.168.30.200" "2a0d:6e00:1a77:30::2-2a0d:6e00:1a77:30:ffff:ffff:ffff:fffe"]; l2Advertisements.main.metadata = {}; - persistentVolumes = { - music-syncthing.spec = { - capacity.storage = "1Gi"; - accessModes = ["ReadWriteMany"]; + persistentVolumes.media-media.spec = { + capacity.storage = "1Gi"; + accessModes = ["ReadWriteMany"]; - nfs = { - server = "lewis.dmz"; - path = "/mnt/longhorn/persistent/media/music"; - }; - }; - - media-media.spec = { - capacity.storage = "1Gi"; - accessModes = ["ReadWriteMany"]; - - nfs = { - server = "lewis.dmz"; - path = "/mnt/longhorn/persistent/media"; - }; + nfs = { + server = "lewis.dmz"; + path = "/mnt/longhorn/persistent/media"; }; }; }; @@ -139,6 +127,7 @@ ntfy.storage = "300Mi"; deluge.storage = "500Mi"; authelia.storage = "100Mi"; + keepassxc.storage = "100Mi"; }; tailscaleIngresses.tailscale-longhorn = { diff --git a/modules/syncthing.nix b/modules/syncthing.nix index c06b81a..31bde21 100644 --- a/modules/syncthing.nix +++ b/modules/syncthing.nix 
@@ -45,15 +45,15 @@ mountPath = "/config"; } { - name = "music"; - mountPath = "/music"; + name = "keepassxc"; + mountPath = "/keepassxc"; } ]; }; volumes = { config.persistentVolumeClaim.claimName = "config"; - music.persistentVolumeClaim.claimName = "music"; + keepassxc.persistentVolumeClaim.claimName = "keepassxc"; }; securityContext = { @@ -74,19 +74,19 @@ targetPort = "web"; }; }; - - persistentVolumeClaims.music.spec = { - accessModes = ["ReadWriteMany"]; - storageClassName = ""; - resources.requests.storage = "1Mi"; - volumeName = "music-syncthing"; - }; }; lab = { - longhorn.persistentVolumeClaim.config = { - volumeName = "syncthing"; - storage = "400Mi"; + longhorn.persistentVolumeClaim = { + config = { + volumeName = "syncthing"; + storage = "400Mi"; + }; + + keepassxc = { + volumeName = "keepassxc"; + storage = "100Mi"; + }; }; tailscaleIngresses.tailscale = { From 74c29e3fd00907ef3e3864c9bb9e62e7462d00da Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 8 Feb 2025 15:26:08 +0100 Subject: [PATCH 29/73] forgejo: 10.0.0 -> 10.0.1 --- globals.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index ed1ff6c..41f4666 100644 --- a/globals.nix +++ b/globals.nix @@ -11,7 +11,7 @@ postgres15 = "postgres:15"; inbucket = "inbucket/inbucket:edge"; syncthing = "lscr.io/linuxserver/syncthing:1.29.2"; - forgejo = "codeberg.org/forgejo/forgejo:10.0.0"; + forgejo = "codeberg.org/forgejo/forgejo:10.0.1"; pihole = "pihole/pihole:2024.07.0"; immich = "ghcr.io/immich-app/immich-server:v1.125.7"; immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.125.7"; From c69d909b2f411146d8f3b9dc208790e429bf781c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 8 Feb 2025 22:09:40 +0100 Subject: [PATCH 30/73] Enable OIDC for FreshRSS on Tailscale --- modules/authelia.nix | 2 +- modules/freshrss.nix | 11 ----------- 2 files changed, 1 insertion(+), 12 deletions(-) 
diff --git a/modules/authelia.nix b/modules/authelia.nix index 021dec6..ae51e5d 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -88,7 +88,7 @@ client_secret.path = "/secrets/authelia/freshrss_client_secret"; public = false; authorization_policy = "two_factor"; - redirect_uris = ["https://rss.kun.is:443/i/oidc/"]; + redirect_uris = ["https://freshrss.griffin-mermaid.ts.net/i/oidc/"]; scopes = ["openid" "groups" "email" "profile"]; userinfo_signed_response_alg = "none"; token_endpoint_auth_method = "client_secret_basic"; diff --git a/modules/freshrss.nix b/modules/freshrss.nix index 8f703ee..849f438 100644 --- a/modules/freshrss.nix +++ b/modules/freshrss.nix @@ -84,20 +84,9 @@ targetPort = "web"; }; }; - - ingresses.freshrss.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd"; }; lab = { - ingresses.freshrss = { - host = "rss.kun.is"; - - service = { - name = "server"; - portName = "web"; - }; - }; - tailscaleIngresses.tailscale = { host = "freshrss"; service.name = "server"; From 9838069c4cf13b1e499060b31e9d77e544d9afd6 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 9 Feb 2025 00:23:12 +0100 Subject: [PATCH 31/73] Enable Authelia auth for Hedgedoc --- modules/authelia.nix | 18 +++++++++++++++++- modules/freshrss.nix | 4 ++-- modules/hedgedoc.nix | 13 +++++++++++++ modules/traefik.nix | 1 + secrets.yml | 17 ++++++++++++----- 5 files changed, 45 insertions(+), 8 deletions(-) diff --git a/modules/authelia.nix b/modules/authelia.nix index ae51e5d..f092bf8 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -63,6 +63,10 @@ key = "freshrss_client_secret"; path = "freshrss_client_secret"; } + { + key = "hedgedoc_client_secret"; + path = "hedgedoc_client_secret"; + } ]; configMap = { 
@@ -94,6 +98,17 @@ token_endpoint_auth_method = "client_secret_basic"; consent_mode = "implicit"; } + { + client_id = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq"; + client_name = "HedgeDoc"; + client_secret.path = "/secrets/authelia/hedgedoc_client_secret"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = ["https://md.kun.is/auth/oauth2/callback"]; + scopes = ["openid" "profile" "email" "groups"]; + userinfo_signed_response_alg = "none"; + token_endpoint_auth_method = "client_secret_post"; + } ]; }; @@ -186,7 +201,8 @@ oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret"; oidc_jwk_rs256_private = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private"; oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public"; - freshrss_client_secret = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret"; + freshrss_client_secret = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/digest"; + hedgedoc_client_secret = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/digest"; }; }; }; diff --git a/modules/freshrss.nix b/modules/freshrss.nix index 849f438..347bb9e 100644 --- a/modules/freshrss.nix +++ b/modules/freshrss.nix 
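Review bot: The HedgeDoc client uses `token_endpoint_auth_method = "client_secret_post"` while the FreshRSS client just above uses `client_secret_basic`; posting the secret in the request body is permitted by OAuth 2.0 but `client_secret_basic` is the recommended method, so if HedgeDoc's client only supports the body form, say so with `# HedgeDoc's OAuth2 client sends the secret in the POST body.` so the difference is not read as an oversight. The second hunk's switch of `freshrss_client_secret` to `.../freshrss/oidc/client_secret/digest` and `hedgedoc_client_secret` to `.../hedgedoc/oidc/client_secret/digest` correctly separates the provider-side digest from the plaintext the relying parties read; a short comment above the two entries naming that split would keep it from regressing. The `clients` list continues outside the hunk.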
@@ -39,8 +39,8 @@ OIDC_ENABLED.value = "1"; OIDC_PROVIDER_METADATA_URL.value = "https://auth.kun.is/.well-known/openid-configuration"; OIDC_CLIENT_ID.value = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44"; - OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret"; - OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key"; + OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/password"; + OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc/crypto_key"; OIDC_REMOTE_USER_CLAIM.value = "preferred_username"; OIDC_SCOPES.value = "openid groups email profile"; OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto"; diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index d41b200..868c684 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix @@ -54,6 +54,19 @@ CMD_PROTOCOL_USESSL.value = "true"; CMD_CSP_ENABLE.value = "false"; + CMD_OAUTH2_PROVIDERNAME.value = "Authelia"; + CMD_OAUTH2_AUTHORIZATION_URL.value = "https://auth.kun.is/api/oidc/authorization"; + CMD_OAUTH2_TOKEN_URL.value = "https://auth.kun.is/api/oidc/token"; + CMD_OAUTH2_USER_PROFILE_URL.value = "https://auth.kun.is/api/oidc/userinfo"; + CMD_OAUTH2_CLIENT_ID.value = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq"; + CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/password"; + CMD_OAUTH2_SCOPE.value = "openid email profile groups"; + CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR.value = "preferred_username"; + CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR.value = "name"; + CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR.value = "email"; + CMD_OAUTH2_ROLES_CLAIM.value = "groups"; + CMD_OAUTH2_ACCESS_ROLE.value = "hedgedoc"; + CMD_DB_URL.valueFrom.secretKeyRef = { name = "hedgedoc"; key = "databaseURL"; diff --git a/modules/traefik.nix b/modules/traefik.nix index e4e1c09..48a8899 100644 
--- a/modules/traefik.nix +++ b/modules/traefik.nix @@ -70,6 +70,7 @@ spec.forwardAuth = { address = "http://authelia.authelia.svc.cluster.local/api/authz/forward-auth"; + authResponseHeaders = [ "Remote-User" "Remote-Groups" diff --git a/secrets.yml b/secrets.yml index b3830ac..02f9c79 100644 --- a/secrets.yml +++ b/secrets.yml 
@@ -1,12 +1,20 @@ freshrss: password: ENC[AES256_GCM,data:ECDPrW+VgO8PY9p2fLIreRETNiRL5ZGnu/PMC7aNj8KaWfyNYL+l3w==,iv:srR/r1EtOpC/CKKrCDKcTLVdMFPAYIJIB1CCg8mS0UU=,tag:YN4PqR5uvPkVskpJWD+91g==,type:str] - oidc_crypto_key: ENC[AES256_GCM,data:+RX1P6PmMuyBeSFlwAChM9tX/JMda4DrQ7JH7Z+tbzXRuRb4nTMR6G7cINeQFah4W30VwdxBqbpRsCdfjR1FrkcwsG1ioDRpuma5VTaHp3TyLZvBWZ/BCi7G+d89qJmymaPGclES2j9YHWRobr7jcFIuiJD/t3jQ/T8iwt72jiY=,iv:lawZnDO7JH2P3jViaFzVzJZFp0e/Ym4/169AsvHg2+0=,tag:SO33RifFpLRXqXFpLQczjw==,type:str] + oidc: + client_secret: + password: ENC[AES256_GCM,data:wlMJwiqCxUFqSVRGZvVkMtcRHW+r74EwpMtIAD499qnmJADsK1jPFsLuAODZ4QsklxWdWDqfNsk7T5FMZ+e61947fEp+QzGC,iv:qDEjlk5sywrMEIXQr8daVntYdTQ5M3KrtCpIHIgLy4U=,tag:QWGI0zISqE6kDR5n3IxQDg==,type:str] + digest: ENC[AES256_GCM,data:8uw5mg6VIERkb96FiJ7CuutUqWfcFk9qDA8w+8e8DBWRlegrfmvHKyg6tfUP6JKc6I1OkzuPMiSHweNJghMY5oH0eJWxU9F9YCtxjW3iJINUYF3tq2phO1kk3LEbjdnmglFMajHz2c8d4NkQ6iAfWziOaTieCN88yvnAACYnBBiU/yA=,iv:rQMDRDavPSHA8rcfJ/iijsMhGFYfcrQfOv6JF4iPbMA=,tag:tDM3+NquRN0Y6Kq9yyTSYA==,type:str] + crypto_key: ENC[AES256_GCM,data:AKEX6F1rAwapjvzz5JSyBbvDxSl4vjeOIKzH13/CMK1QGT5AzhEawpYb1j95/QVREt1M8bKulFpHHZIn8WuFZbdChgA/PMXssd5yznEMVY/qmymGqDOLe0CFv75zRG4c6RTuc0/U33Ez2tSi+DgKtLHpU9MZlgLFXIS4aCb0p0A=,iv:VhWgEzq8gqNDJPP/akmv6c/kuKHH4cv6yT9Mz47bTf4=,tag:b8DviZh9I5ZOFXpEFCU6GQ==,type:str] pihole: password: ENC[AES256_GCM,data:MA60825Tl6aYEFVoPgo8k5Vjb9zmIxtPLJriQV1B3P1bOKu1KK7vxQ==,iv:RGZHox8CbJiEEEjMo2k/tNbtjCPy/QY7vOuMN/YNZcg=,tag:yphrq03IKpXM/tSDBLeSgA==,type:str] hedgedoc: databaseURL: ENC[AES256_GCM,data:6+IV4TaClIGE1XVkUf7JwXzqx3EvWiIKFx9X5x7QKvQKC7bIieD1ADVeAMQmiQfibnH/YV5TgjNY8Ft+3eX881c3yD+2j7mM+O1fX6taK/BCokDnqhIwTN2qxHsu+mrPcM/Pgg5Zqy8HvUgX8jM=,iv:bCwuNk5CVgK2T5IgLebcKwxwloi6FkWMWhnxwJek1GM=,tag:UDQ0KmRDVlDh35Fjm6eaAA==,type:str] sessionSecret: 
ENC[AES256_GCM,data:7FdRjAShjjue1fFwizCgK+94mkbT4ohAPxdyn/8Z8/f2nvGWPZHO/hGexOixbRGLPewJSaMunTMeJL+IzFlGlg==,iv:iz7640b8Mlb6mNps20b+TbphWDEFUbKwKNUXc0kR5NY=,tag:fdEr1tbes1h8VCA/q+0sOw==,type:str] databasePassword: ENC[AES256_GCM,data:wdRhCluNx2IzgDqouAoIcG6yOWwNLOaEkpqgYEeFvJDZsMC8OUuV7Q==,iv:Csut0c+LRKWD2b4uVuQpGnwwVqnGT6Sk6T/ODlH57Bk=,tag:7bS6a18GyRifq2D6cIheaw==,type:str] + oidc: + client_secret: + password: ENC[AES256_GCM,data:rLkMFkEzCF3+ejGAUliaBMpfOrxL5b3pJVvkblEFIvHupmr9DTS71L4T6/oo616E4IoCuZxqKh0FxhdWZRM4KrEk5YZMbgp9,iv:TbySrCTY+Kps4v/q5maQglm4aOzuUPch2ECBHPp4FYc=,tag:mz71m6JqIemVCypf93hkBQ==,type:str] + digest: ENC[AES256_GCM,data:m+abt7SEXZoeOA+ioB3BmiWN09CDpCWdZ5eNRhShvuUJW7rjbSJAQ2NTZkMTnFoNv6PO6rSUD6lmStFfO/mqVUFvWXBBDMK3xK+ILcgDoZZ1Pnmr19noqTL5OxyYLAtUHRNOohsUBYlZKyv2lFNQlqxk6kOi+fUPitmmsO6BO1nrq2s=,iv:CmC0JLXuT9O29Rtu7Pp8i0h/SyaEAT0bsXQb2LRFAkk=,tag:/IL39BCMuw+bqxv2OaNwhw==,type:str] nextcloud: databasePassword: ENC[AES256_GCM,data:jRLgW96FnMEpU0T5z/iQOX/CgjpH2ZykZGd1qGFHK8o=,iv:YrY9IsrlCaiQ8BFYqu+UnOxnvvB/JN4iYfy3vMa3wcw=,tag:41iWc4iVqjdUr02O5CLu7g==,type:str] paperless: 
@@ -37,11 +45,10 @@ authelia: smtpPassword: ENC[AES256_GCM,data:Zd2F237gWaL555lf022zjr7VHVcAFUyFxg==,iv:ka8YuGFclNrWV1U0g2ERypiKy6rN5ppPIVlsjBqkFrI=,tag:e+5fO6VR1z1cqYTXJ6Yo+Q==,type:str] oidc: hmac_secret: ENC[AES256_GCM,data:4SDX5lopMeomhkMpkei6Qu6S+BBhFGCZswBfOtfWNSzv3qAEme9h3wQeIQ2W18J84RwprTpDZdkk++bbAYoch2iZF1yEV+8XBcmVcg4q+s5isn0lAaTDhHHCZ6Cci8KuyYy5/tcMDgF61oM5H0g7nGv7rhPD8clDubZwAvEDf7g=,iv:S7cCKyWbB4QaqGYsrp9JavKBAMxnfzhnl5bMRyq4TT4=,tag:S2+NglxgDsi4ivvR2FYjsQ==,type:str] - freshrss_client_secret: ENC[AES256_GCM,data:TLCQaJ8FZX9fVErXE84akyRE0ZWPJBiAxKjdpr4eXClxECGUQZO0Vu07dwj0mzRUiMMpNthBibxNeOGnE147Fht1tET3EuEe,iv:F0iZpzJyZvYjNlxMFeVzLlquWqsV3J0M1eTr0oNn+QQ=,tag:6eD4AUc7VK6aBGUr/Oe0lQ==,type:str] jwk_rs256: private: ENC[AES256_GCM,data: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,iv:cZQEw3E1Kq+Qg1ZB0gwMW87NG1z/tGDnQOpRiCsdpUs=,tag:N/JqLdXIwCerHynMhmvhug==,type:str] public: ENC[AES256_GCM,data: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,iv:o8F7qgHLWhWXEOOSzum+Qore2tGSraqmC1VMWtpaj0I=,tag:Kn5myis0OwoCMa+8yhssPg==,type:str] - users: ENC[AES256_GCM,data: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,iv:9hm49dFfD6O0YV5YdyXqyiU1vjSHNuH4/+JcXiN+PWI=,tag:jM6atf1M0cgDcAiFOd626Q==,type:str] + users: ENC[AES256_GCM,data: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,iv:3lY+ghmpQrKME8xa264RqFR4BzhY4MvcbTwwXmsaf0k=,tag:EmrYcmWBH1zrLDBFgTp25g==,type:str] sops: kms: [] gcp_kms: [] 
@@ -66,8 +73,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-08T11:58:45Z" - mac: ENC[AES256_GCM,data:ZHE9vdafH6oQnwHJb1p9FRBKB3Q5V6UK+6kiRt96p82aWG/PYtlxxt/Fc9pdgItSN4iVma8sDSs+IRpS5qUvRE5H71fqNDpGE7gfKn3QbK/GRN1WJv4P0Dg3tghFw+oqQ8hqPffGM2UurYlax9T2TnUEyZw8VdDMaTrGbQrjjQ8=,iv:iErbT0QSfgGFVNbz/QBqqZQbEJcfPn3t5QIGEWQgRx8=,tag:xJsYBMoGmxF26c7Rewtvlg==,type:str] + lastmodified: "2025-02-08T22:34:17Z" + mac: ENC[AES256_GCM,data:i9suj/TCZdqZW3KxU8Ye3qZnGwIlHFJ4FvsuEhNlq5llC7H/eRnYW8bkZkg2848CRasaco+0eimMcJc2vD7YFO8AuVxIEFr2U2MXP+9tRKPrWd5bae7X2wJo+C1AYCpjpllFlS/T50wSKM7y4ugJtKIibJs/Q3YB3D8D6hfB884=,iv:wdqVREuVVEUBwEKNQBAl0kHUhF+KNDzOPVbo9xfDHDU=,tag:++8BJRRk0xCGezS+RTPc3g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2 From b09ce94621e9d3baf32a88c35117a78d3551325a Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 9 Feb 2025 15:35:51 +0100 Subject: [PATCH 32/73] Set Authelia consent mode for Hedgedoc to implicit Add niels to hedgedoc group in Authelia --- modules/authelia.nix | 1 + secrets.yml | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/authelia.nix b/modules/authelia.nix index f092bf8..517c4a7 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -108,6 +108,7 @@ scopes = ["openid" "profile" "email" "groups"]; userinfo_signed_response_alg = "none"; token_endpoint_auth_method = "client_secret_post"; + consent_mode = "implicit"; } ]; }; diff --git a/secrets.yml b/secrets.yml index 02f9c79..4208f96 100644 --- a/secrets.yml +++ b/secrets.yml 
@@ -48,7 +48,7 @@ authelia: jwk_rs256: private: ENC[AES256_GCM,data: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,iv:cZQEw3E1Kq+Qg1ZB0gwMW87NG1z/tGDnQOpRiCsdpUs=,tag:N/JqLdXIwCerHynMhmvhug==,type:str] public: ENC[AES256_GCM,data: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,iv:o8F7qgHLWhWXEOOSzum+Qore2tGSraqmC1VMWtpaj0I=,tag:Kn5myis0OwoCMa+8yhssPg==,type:str] - users: ENC[AES256_GCM,data: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,iv:3lY+ghmpQrKME8xa264RqFR4BzhY4MvcbTwwXmsaf0k=,tag:EmrYcmWBH1zrLDBFgTp25g==,type:str] + users: ENC[AES256_GCM,data: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,iv:qbp7+yepBIPsmpuEGTeHLPENrvfEGoL9u+smf7jqHzo=,tag:u3bkLxICTMm/EEjGjt5ENA==,type:str] sops: kms: [] gcp_kms: [] @@ -73,8 +73,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-08T22:34:17Z" - mac: ENC[AES256_GCM,data:i9suj/TCZdqZW3KxU8Ye3qZnGwIlHFJ4FvsuEhNlq5llC7H/eRnYW8bkZkg2848CRasaco+0eimMcJc2vD7YFO8AuVxIEFr2U2MXP+9tRKPrWd5bae7X2wJo+C1AYCpjpllFlS/T50wSKM7y4ugJtKIibJs/Q3YB3D8D6hfB884=,iv:wdqVREuVVEUBwEKNQBAl0kHUhF+KNDzOPVbo9xfDHDU=,tag:++8BJRRk0xCGezS+RTPc3g==,type:str] + lastmodified: "2025-02-09T12:24:21Z" + mac: ENC[AES256_GCM,data:oXJ06eJS12T0T2i0XxQ2wsyLAojIa7X2lJgb4JWY11If7BOtl8wK/FFKh6ukRdM/pM5nARS2ZUgYPmIQxRX+0dfo85AcqAuFzIb8VMhLdLCIuOVciQMMWyrNmyuMzNgYq2lmk8xQarVk2A1DNBfxCiKVc07J/Uz3tVhnXOXkmGA=,iv:4MObZijkp5TDacLRLYVctEhsvDtkY/soYZ3a4WpC/+I=,tag:KUvalf5sLEouIxMDcA4acw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2 From 81b553c8b00845dd33a6095d4cb6ce8fdf277e7a Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Mon, 10 Feb 2025 22:51:18 +0100 Subject: [PATCH 33/73] Replace Authelia with Authentik --- deployments.nix | 6 +- flake.lock | 23 +--- flake.nix | 1 - modules/authelia.nix | 227 ------------------------------- modules/authentik.nix | 78 +++++++++++ modules/bootstrap-default.nix | 5 +- modules/cyberchef.nix | 2 - modules/default.nix | 2 +- modules/freshrss.nix | 13 +- modules/hedgedoc.nix | 16 +-- modules/traefik.nix | 18 --- nixng-configurations/default.nix | 5 +- secrets.yml | 34 ++--- 13 files changed, 117 insertions(+), 313 deletions(-) delete mode 100644 modules/authelia.nix create mode 100644 modules/authentik.nix diff --git a/deployments.nix b/deployments.nix index a2bce23..f99a14b 100644 --- a/deployments.nix +++ b/deployments.nix @@ -124,8 +124,8 @@ namespace = "ntfy"; }; - authelia = { - module.authelia.enable = true; - namespace = "authelia"; + authentik = { + module.authentik.enable = true; + namespace = "authentik"; }; } diff --git a/flake.lock b/flake.lock index fb4e805..5cc2453 100644 --- a/flake.lock +++ b/flake.lock @@ -666,11 +666,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1738631908, - "narHash": "sha256-ndQgb/SAeOcgbsG7b+7qhrVn+XSTjs/Vk5m7eEb/HZY=", + "lastModified": 1739200411, + "narHash": "sha256-9Vil9l0+QIPhEh/97Ehu3yoqaR+5d820F/tMY6rtbYs=", "owner": "farcaller", "repo": "nixhelm", - "rev": "e105a8264cc981d47a0f6fbfcdcc87681487aa0c", + "rev": "5b365cdeae7077e6c06524d5317f82a593546b50", "type": "github" }, "original": { @@ -786,22 +786,6 @@ "type": "github" } }, - "nixpkgs-prowlarr": { - "locked": { - "lastModified": 1737932785, - "narHash": "sha256-0OW0c742vfXyJflQGWhwMSxk/nbivBOibHei8P2ADRA=", - "owner": "rhoriguchi", - "repo": "nixpkgs", - "rev": "67ead92f4a53625a8afbead0107a6139c4f668b6", - "type": "github" - }, - "original": { - "owner": "rhoriguchi", - "ref": "prowlarr", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1720386169, 
@@ -968,7 +952,6 @@ "nixng": "nixng", "nixpkgs": "nixpkgs_3", "nixpkgs-master": "nixpkgs-master", - "nixpkgs-prowlarr": "nixpkgs-prowlarr", "servers": "servers", "treefmt-nix": "treefmt-nix_4" } diff --git a/flake.nix b/flake.nix index 817bea0..0a2c12d 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,6 @@ flake-utils.url = "github:numtide/flake-utils"; treefmt-nix.url = "github:numtide/treefmt-nix"; blog.url = "git+https://git.kun.is/pim/blog"; - nixpkgs-prowlarr.url = "github:rhoriguchi/nixpkgs/prowlarr"; git-hooks = { url = "github:cachix/git-hooks.nix"; diff --git a/modules/authelia.nix b/modules/authelia.nix deleted file mode 100644 index 517c4a7..0000000 --- a/modules/authelia.nix +++ /dev/null 
@@ -1,227 +0,0 @@ -{ - nixhelm, - system, - config, - lib, - ... -}: { - options.authelia.enable = lib.mkEnableOption "authelia"; - - config = lib.mkIf config.authelia.enable { - kubernetes = { - helm.releases.authelia = { - chart = nixhelm.chartsDerivations.${system}.authelia.authelia; - includeCRDs = true; - namespace = "authelia"; - - values = { - pod = { - kind = "Deployment"; - replicas = 1; - - extraVolumes = [ - { - name = "data"; - persistentVolumeClaim.claimName = "data"; - } - ]; - - extraVolumeMounts = [ - { - name = "data"; - mountPath = "/storage"; - } - ]; - }; - - secret.additionalSecrets.authelia.items = [ - { - key = "storage"; - path = "storage"; - } - { - key = "session"; - path = "session"; - } - { - key = "users"; - path = "users"; - } - { - key = "smtpPassword"; - path = "smtpPassword"; - } - { - key = "oidc_hmac_secret"; - path = "oidc_hmac_secret"; - } - { - key = "oidc_jwk_rs256_private"; - path = "oidc.jwk.RS256.pem"; - } - { - key = "freshrss_client_secret"; - path = "freshrss_client_secret"; - } - { - key = "hedgedoc_client_secret"; - path = "hedgedoc_client_secret"; - } - ]; - - configMap = { - identity_providers.oidc = { - enabled = true; - - hmac_secret = { - secret_name = "authelia"; - path = "oidc_hmac_secret"; - }; - - jwks = [ - { - algorithm = "RS256"; - key.path = "/secrets/authelia/oidc.jwk.RS256.pem"; - } - ]; - - clients = [ - { - client_id = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44"; - client_name = "FreshRSS"; - client_secret.path = "/secrets/authelia/freshrss_client_secret"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = ["https://freshrss.griffin-mermaid.ts.net/i/oidc/"]; - scopes = ["openid" "groups" "email" "profile"]; - userinfo_signed_response_alg = "none"; - token_endpoint_auth_method = "client_secret_basic"; - consent_mode = "implicit"; - } - { - client_id = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq"; - client_name = 
"HedgeDoc"; - client_secret.path = "/secrets/authelia/hedgedoc_client_secret"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = ["https://md.kun.is/auth/oauth2/callback"]; - scopes = ["openid" "profile" "email" "groups"]; - userinfo_signed_response_alg = "none"; - token_endpoint_auth_method = "client_secret_post"; - consent_mode = "implicit"; - } - ]; - }; - - access_control = { - default_policy = "one_factor"; - - rules = [ - { - domain = "cyberchef.kun.is"; - policy = "two_factor"; - } - ]; - }; - - authentication_backend = { - password_reset.disable = true; - ldap.enabled = false; - - file = { - enabled = true; - path = "/secrets/authelia/users"; - search.email = true; - password.algorithm = "argon2"; - }; - }; - - storage = { - encryption_key = { - secret_name = "authelia"; - path = "storage"; - }; - - local = { - enabled = true; - path = "/storage/database.sqlite"; - }; - }; - - session = { - encryption_key = { - secret_name = "authelia"; - path = "session"; - }; - - cookies = [ - { - domain = "kun.is"; - subdomain = "auth"; - } - ]; - }; - - notifier = { - filesystem.enabled = false; - - smtp = { - enabled = true; - address = "submission://mail.smtp2go.com:2525"; - identifier = "auth.kun.is"; - sender = "Authelia "; - username = "uxY88HYzbBTAoWYm4PUxpT76u"; - - password = { - secret_name = "authelia"; - path = "smtpPassword"; - }; - }; - }; - }; - }; - }; - - resources = { - deployments.authelia.spec = { - strategy = { - type = "RollingUpdate"; - - rollingUpdate = { - maxSurge = lib.mkForce 0; - maxUnavailable = lib.mkForce 1; - }; - }; - }; - - secrets.authelia.stringData = { - storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage"; - session = "ref+sops://secrets.yml#/authelia/encryption_keys/session"; - smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword"; - users = "ref+sops://secrets.yml#/authelia/users"; - oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret"; - oidc_jwk_rs256_private = 
"ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private"; - oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public"; - freshrss_client_secret = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/digest"; - hedgedoc_client_secret = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/digest"; - }; - }; - }; - - lab = { - ingresses.authelia = { - host = "auth.kun.is"; - - service = { - name = "authelia"; - portName = "http"; - }; - }; - - longhorn.persistentVolumeClaim.data = { - volumeName = "authelia"; - storage = "100Mi"; - }; - }; - }; -} diff --git a/modules/authentik.nix b/modules/authentik.nix new file mode 100644 index 0000000..d29c715 --- /dev/null +++ b/modules/authentik.nix 
@@ -0,0 +1,78 @@
+{
+ nixhelm,
+ system,
+ config,
+ lib,
+ ...
+}: {
+ options.authentik.enable = lib.mkEnableOption "authentik";
+
+ config = lib.mkIf config.authentik.enable {
+ kubernetes = {
+ helm.releases.authentik = {
+ chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
+ includeCRDs = true;
+ namespace = "authentik";
+
+ values = {
+ authentik = {
+ secret_key = "ref+sops://secrets.yml#/authentik/secret_key";
+ postgresql.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ };
+
+ postgresql = {
+ enabled = true;
+ auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ primary.persistence.existingClaim = "db";
+ };
+
+ redis = {
+ enabled = true;
+ master.persistence.existingClaim = "redis";
+ };
+
+ email = {
+ host = "mail.smtp2go.com";
+ port = 2525;
+ username = "ref+sops://secrets.yml#/smtp2go/username";
+ password = "ref+sops://secrets.yml#/smtp2go/password";
+ from = "Authentik ";
+ };
+ };
+ };
+ };
+
+ lab = {
+ longhorn.persistentVolumeClaim = {
+ db = {
+ volumeName = "authentik-db";
+ storage = "10Gi";
+ };
+
+ redis = {
+ volumeName = "authentik-redis";
+ storage = "5Gi";
+ };
+ };
+
+ ingresses.authentik = {
+ host = "authentik.kun.is";
+
+ service = {
+ name = "authentik-server";
+ portName = "http";
+ };
+ };
+
+ tailscaleIngresses = {
+ tailscale-authentik = {
+ host = "authentik";
+ service = {
+ name = "authentik-server";
+ portName = "http";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix
index 59e51a1..9a0fbb7 100644
--- a/modules/bootstrap-default.nix
+++ b/modules/bootstrap-default.nix
@@ -62,7 +62,7 @@
 minecraft = {};
 tailscale = {};
 ntfy = {};
- authelia = {};
+ authentik = {};
 };
 nodes =
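Review bot: The new module ships no replacement for the `forwardauth-authelia` middleware this commit deletes from traefik.nix and unpins from the cyberchef ingress, so cyberchef.kun.is, which the removed authelia.nix gated with a `two_factor` rule, is served with no authentication layer once this lands; either add an Authentik proxy-provider/outpost forward-auth middleware here and re-annotate that ingress, or state in a comment that the exposure is intentional. The same sops reference is spelled out twice (`authentik.postgresql.password` and `postgresql.auth.password`); a `let pgPassword = "ref+sops://secrets.yml#/authentik/postgresql_password"; in` binding keeps them from drifting. The `from = "Authentik ";` value looks truncated — if an address in angle brackets was lost in rendering this can be ignored, otherwise the sender address is missing.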
@@ -126,8 +126,9 @@
 minecraft.storage = "1Gi";
 ntfy.storage = "300Mi";
 deluge.storage = "500Mi";
- authelia.storage = "100Mi";
 keepassxc.storage = "100Mi";
+ authentik-db.storage = "10Gi";
+ authentik-redis.storage = "5Gi";
 };
 tailscaleIngresses.tailscale-longhorn = {
diff --git a/modules/cyberchef.nix b/modules/cyberchef.nix
index 3a5529a..d2dabbc 100644
--- a/modules/cyberchef.nix
+++ b/modules/cyberchef.nix
@@ -31,8 +31,6 @@
 targetPort = "web";
 };
 };
-
- ingresses.cyberchef.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd";
 };
 lab.ingresses.cyberchef = {
diff --git a/modules/default.nix b/modules/default.nix
index 0958257..ef212e2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -29,6 +29,6 @@
 ./tailscale.nix
 ./ntfy.nix
 ./minecraft.nix
- ./authelia.nix
+ ./authentik.nix
 ];
 }
diff --git a/modules/freshrss.nix b/modules/freshrss.nix
index 347bb9e..614fb78 100644
--- a/modules/freshrss.nix
+++ b/modules/freshrss.nix
@@ -37,13 +37,12 @@
 ADMIN_EMAIL.value = "pim@kunis.nl";
 PUBLISHED_PORT.value = "443";
 OIDC_ENABLED.value = "1";
- OIDC_PROVIDER_METADATA_URL.value = "https://auth.kun.is/.well-known/openid-configuration";
- OIDC_CLIENT_ID.value = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
- OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/password";
- OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc/crypto_key";
- OIDC_REMOTE_USER_CLAIM.value = "preferred_username";
- OIDC_SCOPES.value = "openid groups email profile";
- OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
+ OIDC_PROVIDER_METADATA_URL.value = "https://authentik.kun.is/application/o/freshrss/.well-known/openid-configuration";
+ OIDC_CLIENT_ID.value = "5J2L7Ufq4KMayQ8qrqxHCslxHWL2SXNMKJmsbbiQ";
+ OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/freshrss/client_secret";
+ OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key";
+ OIDC_SCOPES.value = "openid email profile";
+ OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host";
 ADMIN_PASSWORD.valueFrom.secretKeyRef = {
 name = "server";
diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index 868c684..b9471b4 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
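Review bot: `OIDC_CLIENT_SECRET.value` resolves the client secret into the Deployment's plain env, where anyone who can read Deployments or pod specs sees it, while `ADMIN_PASSWORD` two lines below already uses `valueFrom.secretKeyRef`; the OIDC secret belongs in a Kubernetes Secret referenced the same way. The identical pattern appears in the hedgedoc hunk of this commit (`CMD_OAUTH2_CLIENT_SECRET.value`), in the paperless and kitchenowl commits later in this series, and in the Authentik server/worker `env` of PATCH 38, so one Secret-backed approach should be applied across them. Dropping `OIDC_REMOTE_USER_CLAIM` also changes which claim becomes the FreshRSS username: FreshRSS falls back to its default claim (`sub`, as far as I recall — verify), which Authentik issues as an opaque identifier rather than `preferred_username`, so existing accounts may stop matching. The enclosing env block starts outside the hunk.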
@@ -54,18 +54,16 @@
 CMD_PROTOCOL_USESSL.value = "true";
 CMD_CSP_ENABLE.value = "false";
- CMD_OAUTH2_PROVIDERNAME.value = "Authelia";
- CMD_OAUTH2_AUTHORIZATION_URL.value = "https://auth.kun.is/api/oidc/authorization";
- CMD_OAUTH2_TOKEN_URL.value = "https://auth.kun.is/api/oidc/token";
- CMD_OAUTH2_USER_PROFILE_URL.value = "https://auth.kun.is/api/oidc/userinfo";
- CMD_OAUTH2_CLIENT_ID.value = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq";
- CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/password";
- CMD_OAUTH2_SCOPE.value = "openid email profile groups";
+ CMD_OAUTH2_PROVIDERNAME.value = "Authentik";
+ CMD_OAUTH2_CLIENT_ID.value = "ZF56062l4BPnq2INv2zaO9cEiE6sAj7CrxbWhExj";
+ CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/hedgedoc/client_secret";
+ CMD_OAUTH2_SCOPE.value = "openid email profile";
+ CMD_OAUTH2_USER_PROFILE_URL.value = "https://authentik.kun.is/application/o/userinfo/";
+ CMD_OAUTH2_TOKEN_URL.value = "https://authentik.kun.is/application/o/token/";
+ CMD_OAUTH2_AUTHORIZATION_URL.value = "https://authentik.kun.is/application/o/authorize/";
 CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR.value = "preferred_username";
 CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR.value = "name";
 CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR.value = "email";
- CMD_OAUTH2_ROLES_CLAIM.value = "groups";
- CMD_OAUTH2_ACCESS_ROLE.value = "hedgedoc";
 CMD_DB_URL.valueFrom.secretKeyRef = {
 name = "hedgedoc";
diff --git a/modules/traefik.nix b/modules/traefik.nix
index 48a8899..b59253d 100644
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
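Review bot: Removing `CMD_OAUTH2_ROLES_CLAIM` and `CMD_OAUTH2_ACCESS_ROLE` (and `groups` from `CMD_OAUTH2_SCOPE`) means HedgeDoc itself no longer limits login to holders of the `hedgedoc` role; every account Authentik will authenticate for this client can now sign in. If that restriction was deliberately moved to an Authentik policy binding on the application, a one-line comment next to `CMD_OAUTH2_SCOPE` such as `# access is restricted by an Authentik policy binding, not by a roles claim` would stop the next reader from re-adding it; otherwise keep the claim/role pair and `groups` in the scope. The enclosing env block starts outside the hunk.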
@@ -61,24 +61,6 @@ }; }; }; - - middlewares.forwardauth-authelia = { - metadata.labels = { - "app.kubernetes.io/instance" = "authelia"; - "app.kubernetes.io/name" = "authelia"; - }; - - spec.forwardAuth = { - address = "http://authelia.authelia.svc.cluster.local/api/authz/forward-auth"; - - authResponseHeaders = [ - "Remote-User" - "Remote-Groups" - "Remote-Email" - "Remote-Name" - ]; - }; - }; }; lab = { diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index f4664ed..5a9c943 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -6,7 +6,6 @@ blog, nixpkgs, nixpkgs-master, - nixpkgs-prowlarr, ... }: flake-utils.lib.eachDefaultSystem (system: let @@ -47,10 +46,8 @@ in { { nixpkgs.overlays = [ (_final: _prev: { - inherit (nixpkgs-prowlarr.legacyPackages.${system}) prowlarr; - # From master branch - inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr; + inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr prowlarr; }) ]; } diff --git a/secrets.yml b/secrets.yml index 4208f96..c3bca77 100644 --- a/secrets.yml +++ b/secrets.yml 
@@ -1,10 +1,6 @@ freshrss: password: ENC[AES256_GCM,data:ECDPrW+VgO8PY9p2fLIreRETNiRL5ZGnu/PMC7aNj8KaWfyNYL+l3w==,iv:srR/r1EtOpC/CKKrCDKcTLVdMFPAYIJIB1CCg8mS0UU=,tag:YN4PqR5uvPkVskpJWD+91g==,type:str] - oidc: - client_secret: - password: ENC[AES256_GCM,data:wlMJwiqCxUFqSVRGZvVkMtcRHW+r74EwpMtIAD499qnmJADsK1jPFsLuAODZ4QsklxWdWDqfNsk7T5FMZ+e61947fEp+QzGC,iv:qDEjlk5sywrMEIXQr8daVntYdTQ5M3KrtCpIHIgLy4U=,tag:QWGI0zISqE6kDR5n3IxQDg==,type:str] - digest: ENC[AES256_GCM,data:8uw5mg6VIERkb96FiJ7CuutUqWfcFk9qDA8w+8e8DBWRlegrfmvHKyg6tfUP6JKc6I1OkzuPMiSHweNJghMY5oH0eJWxU9F9YCtxjW3iJINUYF3tq2phO1kk3LEbjdnmglFMajHz2c8d4NkQ6iAfWziOaTieCN88yvnAACYnBBiU/yA=,iv:rQMDRDavPSHA8rcfJ/iijsMhGFYfcrQfOv6JF4iPbMA=,tag:tDM3+NquRN0Y6Kq9yyTSYA==,type:str] - crypto_key: ENC[AES256_GCM,data:AKEX6F1rAwapjvzz5JSyBbvDxSl4vjeOIKzH13/CMK1QGT5AzhEawpYb1j95/QVREt1M8bKulFpHHZIn8WuFZbdChgA/PMXssd5yznEMVY/qmymGqDOLe0CFv75zRG4c6RTuc0/U33Ez2tSi+DgKtLHpU9MZlgLFXIS4aCb0p0A=,iv:VhWgEzq8gqNDJPP/akmv6c/kuKHH4cv6yT9Mz47bTf4=,tag:b8DviZh9I5ZOFXpEFCU6GQ==,type:str] + oidc_crypto_key: ENC[AES256_GCM,data:dFQKZtFVd5l8W2go6WcK76o7O7hpQWnQKXCGTf9EhSVURvWigv6zzBULie7Y4lkJCsItG8oKmIiCYSy3MhFnU3DJTUJcenm4I7NHyINjvzHOBgUVPXbYQjQhouJwOlPkdqlSKv1f38ItZKNPJebMObZj+kACKbjdik6e6yM40RM=,iv:g6Ygval2qTQwKnrliI+n/r9OxJFePT9MKYyBLU6b3UQ=,tag:kWXTbm2JIR5aL/s4OX2Tqg==,type:str] pihole: password: ENC[AES256_GCM,data:MA60825Tl6aYEFVoPgo8k5Vjb9zmIxtPLJriQV1B3P1bOKu1KK7vxQ==,iv:RGZHox8CbJiEEEjMo2k/tNbtjCPy/QY7vOuMN/YNZcg=,tag:yphrq03IKpXM/tSDBLeSgA==,type:str] hedgedoc: 
@@ -38,17 +34,17 @@ immich: tailscale: clientID: ENC[AES256_GCM,data:O8tTyy55xP85JkbJNR5daB4=,iv:SMj83Sxh7BvPRG3l5TnnpmclO5N2treUQCCJuMy8cO8=,tag:UUSN3bsZvb09cyYN65RQDg==,type:str] clientSecret: ENC[AES256_GCM,data:c8E/a7McI+wGN9TFJ/yzTSkrhUlISmrNJdjDDMqAQrZ8s5wFEZ+4+h+dtwcjF9Ykj198glgny7cP3HubHVDw,iv:ifaP4NmLRQbYQtJQaMMCMaehosapZ2R3im9ew5h6f9E=,tag:XF+xB94nua8RZlkGxFDFFQ==,type:str] -authelia: - encryption_keys: - storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str] - session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str] - smtpPassword: ENC[AES256_GCM,data:Zd2F237gWaL555lf022zjr7VHVcAFUyFxg==,iv:ka8YuGFclNrWV1U0g2ERypiKy6rN5ppPIVlsjBqkFrI=,tag:e+5fO6VR1z1cqYTXJ6Yo+Q==,type:str] - oidc: - hmac_secret: ENC[AES256_GCM,data:4SDX5lopMeomhkMpkei6Qu6S+BBhFGCZswBfOtfWNSzv3qAEme9h3wQeIQ2W18J84RwprTpDZdkk++bbAYoch2iZF1yEV+8XBcmVcg4q+s5isn0lAaTDhHHCZ6Cci8KuyYy5/tcMDgF61oM5H0g7nGv7rhPD8clDubZwAvEDf7g=,iv:S7cCKyWbB4QaqGYsrp9JavKBAMxnfzhnl5bMRyq4TT4=,tag:S2+NglxgDsi4ivvR2FYjsQ==,type:str] - jwk_rs256: - private: ENC[AES256_GCM,data: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,iv:cZQEw3E1Kq+Qg1ZB0gwMW87NG1z/tGDnQOpRiCsdpUs=,tag:N/JqLdXIwCerHynMhmvhug==,type:str] - public: ENC[AES256_GCM,data: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,iv:o8F7qgHLWhWXEOOSzum+Qore2tGSraqmC1VMWtpaj0I=,tag:Kn5myis0OwoCMa+8yhssPg==,type:str] - users: ENC[AES256_GCM,data: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,iv:qbp7+yepBIPsmpuEGTeHLPENrvfEGoL9u+smf7jqHzo=,tag:u3bkLxICTMm/EEjGjt5ENA==,type:str] +authentik: 
+ secret_key: ENC[AES256_GCM,data:bbEEpymADAGY/fDNMU7FfzveyK2SBUBCitQLN85tB5C5u32PRsRnOa2MDjKGU4kArnyV/WtJQXT4HJ//nMLVh53Q8BYclWYYVFourEjaajTixkZ2gkAfcMJ1mMaQG09ylrwMhLsZWbeaLFzW6dfPSQOCchvj3VhgvJSXuhNmr90=,iv:aE/DGt/yd9wL5qlWfdyT/9SIsCj7U3GcljArcGIdh9k=,tag:CVeiZITOJ71/jdLzjZjteA==,type:str] + postgresql_password: ENC[AES256_GCM,data:4okPqDzPDnx7ZBFQV2Jtk6SEHTskRd2GVG4XLdpMQrgivKsuhQJf1QAnCWHrjmtg74xdlUy2TdPwTWGd5UiM1G90GwHSzLPSJt6X0IFMxCuq/eyYYbD9w8Wk1pVuvqoluPcjN6WoRJdCzap1QITih8B+oSkTJ/rk84xczsjah4U=,iv:r0dYWcsIqdH8FGuBd2dxAJ1AjRmk6k4QYKq0cnZITk4=,tag:errORaXgO7yJW7ERbmdtRg==,type:str] + oauth2: + freshrss: + client_secret: ENC[AES256_GCM,data:e7wdwWRS8KivGkcWaMgSrUEEuOTHzj1oim+qUcLD35/DA/V6itM2XqVPhqIOXHrf6pOyYgprEv14bEx8zUvtT6iXV4fsEUEWeWTgt4NI3YULtx/t0yVDq9Zc8fN9cIqGxGeig1mcQwmm7vByq58mNJEpcfz46swjN2ATf/CPJQs=,iv:xeNgSKd+g4ne8NLw/2KQjTXSvNkqezOhMn5niuWpD38=,tag:ElOUMg0oZ+q15hCgh/Mzug==,type:str] + hedgedoc: + client_secret: ENC[AES256_GCM,data:hdNQzatO6Pf6mxvfO4h1XrhycKMBUHElEwacGttzByi4JDbIndAwYc2GXdwUmytPMYs/s+lVjcdHhspUFWS01DETWQfnWm/GN73GzW18uj3XyRXqt62HhMf18GvRlOWkGX+jYpUTGGoonYes2xijhD/mNCjxKk5Q+6FVFT2mdJ4=,iv:pScEX6YnoU7HelxmCes8A9vJjPdvFbqbclHYMme8OOE=,tag:FURxphI8IDMvOwB4ahD8hg==,type:str] +smtp2go: + username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] + password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -73,8 +69,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-09T12:24:21Z" - mac: ENC[AES256_GCM,data:oXJ06eJS12T0T2i0XxQ2wsyLAojIa7X2lJgb4JWY11If7BOtl8wK/FFKh6ukRdM/pM5nARS2ZUgYPmIQxRX+0dfo85AcqAuFzIb8VMhLdLCIuOVciQMMWyrNmyuMzNgYq2lmk8xQarVk2A1DNBfxCiKVc07J/Uz3tVhnXOXkmGA=,iv:4MObZijkp5TDacLRLYVctEhsvDtkY/soYZ3a4WpC/+I=,tag:KUvalf5sLEouIxMDcA4acw==,type:str] + lastmodified: "2025-02-10T21:46:28Z" + mac: ENC[AES256_GCM,data:NMQNgNKgms8fyK0gLSjvLxVprk5k/zSVdJL07+dnXjbbYA7IjsktQF4Nljg641NVU12F4IHr6vLvihDfCI78Qm9c66osp+vdmsYvGwLdploWwjOLONJL8WNiJI6AJjgnbUP9puca+AeKgl8o3ymNfhro+K8GsbRb5+mk8frasGM=,iv:KUSyiojnjbY3e59Ci40+Vk6+6bAyyuhQ5rUlUmVIDBs=,tag:Cr3eQfO8AIiBihTR1T4jxw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.9.4 From d963610517d776a51634a7db58d5ba350a825ac6 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 11 Feb 2025 13:49:25 +0100 Subject: [PATCH 34/73] Enable Authentik auth on Paperless-ngx --- modules/paperless.nix | 19 +++++++++++++++++++ secrets.yml | 6 ++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/modules/paperless.nix b/modules/paperless.nix index 5ac3937..e0e4824 100644 --- a/modules/paperless.nix +++ b/modules/paperless.nix 
@@ -57,6 +57,25 @@
 PAPERLESS_OCR_LANGUAGE.value = "nld";
 USERMAP_UID.value = "33";
 USERMAP_GID.value = "33";
+ PAPERLESS_APPS.value = "allauth.socialaccount.providers.openid_connect";
+ PAPERLESS_SOCIALACCOUNT_PROVIDERS.value = ''
+ {
+ "openid_connect": {
+ "APPS": [
+ {
+ "provider_id": "authentik",
+ "name": "Authentik",
+ "client_id": "z5PlhxTB1eXJ9L39Ix2BfhLV72TbF3vbGJZUtyBJ",
+ "secret": "ref+sops://secrets.yml#/authentik/oauth2/paperless-ngx/client_secret+",
+ "settings": {
+ "server_url": "https://authentik.kun.is/application/o/paperless-ngx/.well-known/openid-configuration"
+ }
+ }
+ ],
+ "OAUTH_PKCE_ENABLED": "True"
+ }
+ }
+ '';
 PAPERLESS_DBPASS.valueFrom.secretKeyRef = {
 name = "database";
diff --git a/secrets.yml b/secrets.yml
index c3bca77..194cd09 100644
--- a/secrets.yml
+++ b/secrets.yml
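Review bot: The trailing `+` in `"secret": "ref+sops://secrets.yml#/authentik/oauth2/paperless-ngx/client_secret+"` reads like a typo, and if it is in fact the terminator that marks where a vals reference embedded in a longer string ends (the closing quote follows it here, unlike the bare references elsewhere in this repo), it needs a comment so nobody "fixes" it; something like `# the trailing "+" ends the vals ref inside the JSON string` above the `PAPERLESS_SOCIALACCOUNT_PROVIDERS` line. The `PAPERLESS_APPS` string and the JSON are otherwise consistent with the allauth provider layout, though I cannot verify from this hunk that `OAUTH_PKCE_ENABLED` expects the string `"True"` rather than a boolean. The enclosing env block starts outside the hunk.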
@@ -42,6 +42,8 @@ authentik: client_secret: ENC[AES256_GCM,data:e7wdwWRS8KivGkcWaMgSrUEEuOTHzj1oim+qUcLD35/DA/V6itM2XqVPhqIOXHrf6pOyYgprEv14bEx8zUvtT6iXV4fsEUEWeWTgt4NI3YULtx/t0yVDq9Zc8fN9cIqGxGeig1mcQwmm7vByq58mNJEpcfz46swjN2ATf/CPJQs=,iv:xeNgSKd+g4ne8NLw/2KQjTXSvNkqezOhMn5niuWpD38=,tag:ElOUMg0oZ+q15hCgh/Mzug==,type:str] hedgedoc: client_secret: ENC[AES256_GCM,data:hdNQzatO6Pf6mxvfO4h1XrhycKMBUHElEwacGttzByi4JDbIndAwYc2GXdwUmytPMYs/s+lVjcdHhspUFWS01DETWQfnWm/GN73GzW18uj3XyRXqt62HhMf18GvRlOWkGX+jYpUTGGoonYes2xijhD/mNCjxKk5Q+6FVFT2mdJ4=,iv:pScEX6YnoU7HelxmCes8A9vJjPdvFbqbclHYMme8OOE=,tag:FURxphI8IDMvOwB4ahD8hg==,type:str] + paperless-ngx: + client_secret: ENC[AES256_GCM,data:GgF+gQt8olzKUzGMDL6mh6UWDv49OPDH5tB/gboWkFd7Njc1SrSkqf71gQryOcPQ0vpXrh0nK1z6ZjMpmDEA5ohTwWymeLCgwNtJSAMHZ1VlZ2aQZr70r3KtAxKjmTiT5flUYnxS79fCF43BveSMGeAshRCvQmYCdi43sP2E4To=,iv:DzsIRPiMzxaqVrjaHMVKWgOR0asZQzWf8EE1nxRSJmk=,tag:79bo7EzVq9tvL6ap6jfV+Q==,type:str] smtp2go: username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] 
@@ -69,8 +71,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-10T21:46:28Z" - mac: ENC[AES256_GCM,data:NMQNgNKgms8fyK0gLSjvLxVprk5k/zSVdJL07+dnXjbbYA7IjsktQF4Nljg641NVU12F4IHr6vLvihDfCI78Qm9c66osp+vdmsYvGwLdploWwjOLONJL8WNiJI6AJjgnbUP9puca+AeKgl8o3ymNfhro+K8GsbRb5+mk8frasGM=,iv:KUSyiojnjbY3e59Ci40+Vk6+6bAyyuhQ5rUlUmVIDBs=,tag:Cr3eQfO8AIiBihTR1T4jxw==,type:str] + lastmodified: "2025-02-10T22:06:20Z" + mac: ENC[AES256_GCM,data:h0ftLDeqbu/CRzjKJ3XXqFvkIZ3ukUR1nLNnYkqEuZ+91pHgzwY+zrTd17rFtTR6qVWh3i6BNLy7bCG+sHO+V3+573mzOsKkkEsUMp0ldR2MWz/1hpeNKma0gKWFZ8TCyligS6De4eZAStyhmT6sSiV4vYmj5Hh6mzX9DIp5TFI=,iv:353NJukBFAVaAqHzpWxpcmDwAqJVaB26/bXHmyKKzLo=,tag:XtvsmLS7GvRUGeKaTFmmlw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 From d1429d92a007d9c636e9054261ad60ab46e03424 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 11 Feb 2025 17:02:00 +0100 Subject: [PATCH 35/73] Enable OIDC login in Forgejo --- modules/forgejo/config.nix | 15 +++++++++++---- secrets.yml | 6 ++++-- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/modules/forgejo/config.nix b/modules/forgejo/config.nix index 7f49f33..133ad38 100644 --- a/modules/forgejo/config.nix +++ b/modules/forgejo/config.nix @@ -7,11 +7,18 @@ "repository.pull-request".DEFAULT_MERGE_STYLE = "merge"; "repository.signing".DEFAULT_TRUST_MODEL = "committer"; ui.DEFAULT_THEME = "forgejo-light"; + oauth2 = { - ENABLED = false; + ENABLED = true; JWT_SECRET = "ref+sops://secrets.yml#/forgejo/jwtSecret"; }; + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + ACCOUNT_LINKING = "auto"; + USERNAME = "email"; + }; + DEFAULT = { APP_NAME = "Forgejo: Beyond coding. We forge."; RUN_MODE = "prod"; 
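Review bot: In the forgejo/config.nix hunk, `ACCOUNT_LINKING = "auto"` together with `USERNAME = "email"` and `ENABLE_AUTO_REGISTRATION = true` makes Forgejo attach an OIDC login to whichever existing local account shares the email claim, so ownership of every local account now rests on Authentik issuing only verified, unique email claims; that assumption deserves a comment beside `ACCOUNT_LINKING`, e.g. `# auto-linking by email is safe only while Authentik is the sole source and its emails are verified and unique`. `oauth2.ENABLED = true` also, as I read the Forgejo settings, enables Forgejo's own OAuth2 provider endpoints and not just the client side; if it is flipped only because external sources depend on it, a comment saying so would prevent someone turning it back off. The registration change in the following hunk (`DISABLE_REGISTRATION = false` with `ALLOW_ONLY_EXTERNAL_REGISTRATION = true`) follows from this and looks consistent.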
@@ -85,11 +92,11 @@ }; service = { - DISABLE_REGISTRATION = true; + DISABLE_REGISTRATION = false; REQUIRE_SIGNIN_VIEW = false; REGISTER_EMAIL_CONFIRM = false; ENABLE_NOTIFY_MAIL = false; - ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ENABLE_CAPTCHA = false; DEFAULT_KEEP_EMAIL_PRIVATE = true; DEFAULT_ALLOW_CREATE_ORGANIZATION = true; @@ -98,7 +105,7 @@ }; openid = { - ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNIN = false; ENABLE_OPENID_SIGNUP = false; }; } diff --git a/secrets.yml b/secrets.yml index 194cd09..55b771f 100644 --- a/secrets.yml +++ b/secrets.yml @@ -44,6 +44,8 @@ authentik: client_secret: ENC[AES256_GCM,data:hdNQzatO6Pf6mxvfO4h1XrhycKMBUHElEwacGttzByi4JDbIndAwYc2GXdwUmytPMYs/s+lVjcdHhspUFWS01DETWQfnWm/GN73GzW18uj3XyRXqt62HhMf18GvRlOWkGX+jYpUTGGoonYes2xijhD/mNCjxKk5Q+6FVFT2mdJ4=,iv:pScEX6YnoU7HelxmCes8A9vJjPdvFbqbclHYMme8OOE=,tag:FURxphI8IDMvOwB4ahD8hg==,type:str] paperless-ngx: client_secret: ENC[AES256_GCM,data:GgF+gQt8olzKUzGMDL6mh6UWDv49OPDH5tB/gboWkFd7Njc1SrSkqf71gQryOcPQ0vpXrh0nK1z6ZjMpmDEA5ohTwWymeLCgwNtJSAMHZ1VlZ2aQZr70r3KtAxKjmTiT5flUYnxS79fCF43BveSMGeAshRCvQmYCdi43sP2E4To=,iv:DzsIRPiMzxaqVrjaHMVKWgOR0asZQzWf8EE1nxRSJmk=,tag:79bo7EzVq9tvL6ap6jfV+Q==,type:str] + forgejo: + client_secret: ENC[AES256_GCM,data:I0LBIrsPuARFEcvu0sKhIbkEYxLhZrwpRfPls3KDARu5rnfwgbJ6AVtfMmcAIM9ISFzXykoyMXossHo1i23N90PsHdl2t580EffhJ+q/UUfCIk7/rX/6CXlcb8WHdab4ymN5r9jEsgD3mAWX55IehU96ZKGRKRhxSIowCIYRhyQ=,iv:1wQDGCDhSu0s+IqXULiHmRiKGTLRvOjwsYaNMCWfkjg=,tag:p1mwks0KP9lhbciTIv3/Dw==,type:str] smtp2go: username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] 
@@ -71,8 +73,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-10T22:06:20Z" - mac: ENC[AES256_GCM,data:h0ftLDeqbu/CRzjKJ3XXqFvkIZ3ukUR1nLNnYkqEuZ+91pHgzwY+zrTd17rFtTR6qVWh3i6BNLy7bCG+sHO+V3+573mzOsKkkEsUMp0ldR2MWz/1hpeNKma0gKWFZ8TCyligS6De4eZAStyhmT6sSiV4vYmj5Hh6mzX9DIp5TFI=,iv:353NJukBFAVaAqHzpWxpcmDwAqJVaB26/bXHmyKKzLo=,tag:XtvsmLS7GvRUGeKaTFmmlw==,type:str] + lastmodified: "2025-02-11T13:15:47Z" + mac: ENC[AES256_GCM,data:IzXlag5LcmeuH43IdsTJ6pflQYr8B4GqQYXtC385E5oqnnYHUVa27zo8XZEmaL6O9ooDOmcq1rtlZaPIMgawbvfbT2r31C9Z4zuAz50ogypOKuAh+/KeKO5an9YqySM/mrFWujpVk+kExurS+BwKvgLGvKxcRrznWgqjVOEPiiE=,iv:7frEopY+a36KGfCW2/obTOym4RV5sutqKXoiszZ+OJY=,tag:w/8c0Xic/zF22qSXyC+j6A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 From 5c9b23503abeebbe04d39686557e8a2cdcbc4443 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 11 Feb 2025 18:36:53 +0100 Subject: [PATCH 36/73] paperless-ngx: 2.14.5 -> 2.14.7 --- globals.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index 41f4666..d2f52e6 100644 --- a/globals.nix +++ b/globals.nix @@ -5,7 +5,7 @@ atuin = "ghcr.io/atuinsh/atuin:18.4.0"; postgres14 = "postgres:14"; kms = "teddysun/kms:latest"; - paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.14.5"; + paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.14.7"; redis7 = "docker.io/library/redis:7"; nextcloud = "nextcloud:30.0.5"; postgres15 = "postgres:15"; From 63d30455a9565306b398abd8d2b033f15037ae82 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 11 Feb 2025 18:41:58 +0100 Subject: [PATCH 37/73] immich: 1.125.7 -> 1.126.1 --- globals.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/globals.nix b/globals.nix index d2f52e6..68c67c2 100644 --- a/globals.nix +++ b/globals.nix 
@@ -13,8 +13,8 @@ syncthing = "lscr.io/linuxserver/syncthing:1.29.2"; forgejo = "codeberg.org/forgejo/forgejo:10.0.1"; pihole = "pihole/pihole:2024.07.0"; - immich = "ghcr.io/immich-app/immich-server:v1.125.7"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.125.7"; + immich = "ghcr.io/immich-app/immich-server:v1.126.1"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.126.1"; immich-redis = "docker.io/redis:6.2-alpine@sha256:905c4ee67b8e0aa955331960d2aa745781e6bd89afc44a8584bfd13bc890f0ae"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0"; kitchenowl = "tombursch/kitchenowl:v0.6.8"; From ce635e415c1d8c77aa6e0416211847e1dd0edad7 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 11 Feb 2025 22:49:43 +0100 Subject: [PATCH 38/73] Configure Authentik auth to Immich Fix secret substituion for Authentik --- modules/authentik.nix | 32 +++++++++++++++++++++++--------- secrets.yml | 6 ++++-- 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/modules/authentik.nix b/modules/authentik.nix index d29c715..ad09497 100644 --- a/modules/authentik.nix +++ b/modules/authentik.nix 
@@ -16,28 +16,42 @@
 values = {
 authentik = {
- secret_key = "ref+sops://secrets.yml#/authentik/secret_key";
- postgresql.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ email = {
+ host = "mail.smtp2go.com";
+ port = 2525;
+ from = "Authentik authentik@kun.is";
+ };
 };
 postgresql = {
 enabled = true;
 auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
 primary.persistence.existingClaim = "db";
+ primary.extraEnvVarsSecret = "postgresql-env";
 };
 redis = {
 enabled = true;
 master.persistence.existingClaim = "redis";
 };
+ };
+ };
- email = {
- host = "mail.smtp2go.com";
- port = 2525;
- username = "ref+sops://secrets.yml#/smtp2go/username";
- password = "ref+sops://secrets.yml#/smtp2go/password";
- from = "Authentik ";
- };
+ resources = let
+ env = {
+ AUTHENTIK_POSTGRESQL__PASSWORD.value = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
+ AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
+ AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
+ };
+ in {
+ secrets.postgresql-env.stringData = {
+ POSTGRES_PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ };
+
+ deployments = {
+ authentik-server.spec.template.spec.containers.server.env = env;
+ authentik-worker.spec.template.spec.containers.worker.env = env;
 };
 };
 };
diff --git a/secrets.yml b/secrets.yml
index 55b771f..01ef5e8 100644
--- a/secrets.yml
+++ b/secrets.yml
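Review bot: The Postgres password reference is now written out three times in this hunk (`postgresql.auth.password`, `POSTGRES_PASSWORD` in the `postgresql-env` Secret and `AUTHENTIK_POSTGRESQL__PASSWORD` in `env`), so a rename of that key in secrets.yml can leave one copy stale and the database and Authentik out of sync; hoist it into the `let` that already defines `env`, e.g. `pgPassword = "ref+sops://secrets.yml#/authentik/postgresql_password";`, and use it in all three places. The `from = "Authentik authentik@kun.is"` value is not a valid sender form if the angle brackets are really absent — if they were only lost in rendering, ignore this. The `config = lib.mkIf` block enclosing this hunk starts and ends outside it.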
@@ -46,6 +46,8 @@ authentik: client_secret: ENC[AES256_GCM,data:GgF+gQt8olzKUzGMDL6mh6UWDv49OPDH5tB/gboWkFd7Njc1SrSkqf71gQryOcPQ0vpXrh0nK1z6ZjMpmDEA5ohTwWymeLCgwNtJSAMHZ1VlZ2aQZr70r3KtAxKjmTiT5flUYnxS79fCF43BveSMGeAshRCvQmYCdi43sP2E4To=,iv:DzsIRPiMzxaqVrjaHMVKWgOR0asZQzWf8EE1nxRSJmk=,tag:79bo7EzVq9tvL6ap6jfV+Q==,type:str] forgejo: client_secret: ENC[AES256_GCM,data:I0LBIrsPuARFEcvu0sKhIbkEYxLhZrwpRfPls3KDARu5rnfwgbJ6AVtfMmcAIM9ISFzXykoyMXossHo1i23N90PsHdl2t580EffhJ+q/UUfCIk7/rX/6CXlcb8WHdab4ymN5r9jEsgD3mAWX55IehU96ZKGRKRhxSIowCIYRhyQ=,iv:1wQDGCDhSu0s+IqXULiHmRiKGTLRvOjwsYaNMCWfkjg=,tag:p1mwks0KP9lhbciTIv3/Dw==,type:str] + immich: + client_secret: ENC[AES256_GCM,data:KrsaLLsjfQsyNQzvQF/pCLj1dhi8tr/OdToY7WczvPUUQKMtSk//oxsiPike/HoVEuCUp+j7UlTfIRPF2xUcPPvw7pkcLhQhcot79aieI1ciIeLZ1Q5svsPrqDBmDY7g65jkzA9vjM9VLTsx4Dx/1vGHDqo7I12qadEQlKAuhhQ=,iv:3icAM7sVe2HlmosbP7VPbcF4SRz/mlbzdQ1gENR9TRs=,tag:O8TCN7NltNpDGoG3T8Ds1w==,type:str] smtp2go: username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] 
@@ -73,8 +75,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-11T13:15:47Z" - mac: ENC[AES256_GCM,data:IzXlag5LcmeuH43IdsTJ6pflQYr8B4GqQYXtC385E5oqnnYHUVa27zo8XZEmaL6O9ooDOmcq1rtlZaPIMgawbvfbT2r31C9Z4zuAz50ogypOKuAh+/KeKO5an9YqySM/mrFWujpVk+kExurS+BwKvgLGvKxcRrznWgqjVOEPiiE=,iv:7frEopY+a36KGfCW2/obTOym4RV5sutqKXoiszZ+OJY=,tag:w/8c0Xic/zF22qSXyC+j6A==,type:str] + lastmodified: "2025-02-11T17:44:56Z" + mac: ENC[AES256_GCM,data:YR0UTMbTjiByzocy9CTSn/veADgundo37Y8Z7MOL1HpvnaCnSiYlYRh70ODRaM73F3SaKgzPW0INKUy6T8kMq/HxlGrrIv331yG88LltR6xkalRBhP3h3mhkW75Px9iXNj8KFE4Q/eUp+Ds2/7gFo/oRryDngXoPPBqgBFupr/U=,iv:TmpXbrFY2XmBA2XwCIy6Vgbj0W0Rcn4GrJ0Ra7tSXiY=,tag:coymhw3aTjbTIAmEDdiHkw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 From 12103605095c54ecfd3f76a31e676c443f28f5b7 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 12 Feb 2025 21:17:24 +0100 Subject: [PATCH 39/73] Enable OIDC login into Nextcloud --- secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/secrets.yml b/secrets.yml index 01ef5e8..2034a8c 100644 --- a/secrets.yml +++ b/secrets.yml 
@@ -48,6 +48,8 @@ authentik: client_secret: ENC[AES256_GCM,data:I0LBIrsPuARFEcvu0sKhIbkEYxLhZrwpRfPls3KDARu5rnfwgbJ6AVtfMmcAIM9ISFzXykoyMXossHo1i23N90PsHdl2t580EffhJ+q/UUfCIk7/rX/6CXlcb8WHdab4ymN5r9jEsgD3mAWX55IehU96ZKGRKRhxSIowCIYRhyQ=,iv:1wQDGCDhSu0s+IqXULiHmRiKGTLRvOjwsYaNMCWfkjg=,tag:p1mwks0KP9lhbciTIv3/Dw==,type:str] immich: client_secret: ENC[AES256_GCM,data:KrsaLLsjfQsyNQzvQF/pCLj1dhi8tr/OdToY7WczvPUUQKMtSk//oxsiPike/HoVEuCUp+j7UlTfIRPF2xUcPPvw7pkcLhQhcot79aieI1ciIeLZ1Q5svsPrqDBmDY7g65jkzA9vjM9VLTsx4Dx/1vGHDqo7I12qadEQlKAuhhQ=,iv:3icAM7sVe2HlmosbP7VPbcF4SRz/mlbzdQ1gENR9TRs=,tag:O8TCN7NltNpDGoG3T8Ds1w==,type:str] + nextcloud: + client_secret: ENC[AES256_GCM,data:zLejYbfudK/4OquLXPYTv9YOmFpCVfg0KLNkDSDCpFrxroDUAXBCLtYXiGuYkYrD/t7LAzRt+OTq70d7ciuHhBNSLclP2U97BQoXCWscWnxQauRZ+UCABvP+DB9VPQmCwU+uKPrKQ8l51baj+MkpIDdk2lwavpONMU57Zov6N2o=,iv:aQ4bsXUXn177tCxe1kAsSMP9ynEzvDwN0hwFhrT3Nko=,tag:EFcnf6VmyFt2i4+aL56sWw==,type:str] smtp2go: username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] 
@@ -75,8 +77,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-11T17:44:56Z" - mac: ENC[AES256_GCM,data:YR0UTMbTjiByzocy9CTSn/veADgundo37Y8Z7MOL1HpvnaCnSiYlYRh70ODRaM73F3SaKgzPW0INKUy6T8kMq/HxlGrrIv331yG88LltR6xkalRBhP3h3mhkW75Px9iXNj8KFE4Q/eUp+Ds2/7gFo/oRryDngXoPPBqgBFupr/U=,iv:TmpXbrFY2XmBA2XwCIy6Vgbj0W0Rcn4GrJ0Ra7tSXiY=,tag:coymhw3aTjbTIAmEDdiHkw==,type:str] + lastmodified: "2025-02-12T14:31:02Z" + mac: ENC[AES256_GCM,data:fURqCQvs849+xxfzzqRIwOcxJm2Grz2m3fPoF7/XNH1+HpuS7FlnU2gIZ2LH/hun5kUDD1x4BXH+hrM4nGzl+jI0ZUa9NBDxT69N2mAkFI7oqeWLVLdYfGyit64kwCe2aupW0kdtrW1OsxY2JzfqEqFykSW9oPld9tx+JMVOPQA=,iv:impIJ13OHqWto2U+HV6unGGQgtRmVQKl2L3ukEeb4cM=,tag:jaEhmbxxiHlC/4ifpYLoXA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 From d29332fd6d4a96cf07437145e3a378a8a86b5610 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 13 Feb 2025 17:59:35 +0100 Subject: [PATCH 40/73] Enable OIDC login for kitchenowl --- modules/kitchenowl.nix | 13 ++++++++++--- secrets.yml | 6 ++++-- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/modules/kitchenowl.nix b/modules/kitchenowl.nix index 1042468..d2bbf15 100644 --- a/modules/kitchenowl.nix +++ b/modules/kitchenowl.nix @@ -33,9 +33,16 @@ ports.web.containerPort = 8080; imagePullPolicy = "IfNotPresent"; - env.JWT_SECRET_KEY.valueFrom.secretKeyRef = { - name = "server"; - key = "jwtSecretKey"; + env = { + FRONT_URL.value = "https://boodschappen.kun.is"; + OIDC_ISSUER.value = "https://authentik.kun.is/application/o/kitchenowl/"; + OIDC_CLIENT_ID.value = "OptR5S9hPix9beuJWFdfNBWRBr2l0nPx7mj8FpB3"; + OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/kitchenowl/client_secret"; + + JWT_SECRET_KEY.valueFrom.secretKeyRef = { + name = "server"; + key = "jwtSecretKey"; + }; }; volumeMounts = [ diff --git a/secrets.yml b/secrets.yml index 2034a8c..33ad123 100644 
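Review bot: `OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/kitchenowl/client_secret";` places the client secret in the container's `env[].value`, so once the `ref+sops://` reference is resolved (presumably by vals at deploy time) the plaintext sits in the Deployment and Pod specs, readable by anyone with get on those objects and printed by `kubectl describe`. The sibling `JWT_SECRET_KEY` in the same block already goes through `valueFrom.secretKeyRef`, which keeps the value in a Secret object under its own RBAC; the OIDC secret should take the same route, e.g. `OIDC_CLIENT_SECRET.valueFrom.secretKeyRef = { name = "server"; key = "oidcClientSecret"; };` (key name constructed), assuming the `server` Secret is populated from the same sops source. The same pattern appears in `modules/mealie.nix` in PATCH 42 for `SMTP_USER`, `SMTP_PASSWORD` and `OIDC_CLIENT_SECRET`. The enclosing container definition starts and ends outside this hunk.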
--- a/secrets.yml +++ b/secrets.yml @@ -50,6 +50,8 @@ authentik: client_secret: ENC[AES256_GCM,data:KrsaLLsjfQsyNQzvQF/pCLj1dhi8tr/OdToY7WczvPUUQKMtSk//oxsiPike/HoVEuCUp+j7UlTfIRPF2xUcPPvw7pkcLhQhcot79aieI1ciIeLZ1Q5svsPrqDBmDY7g65jkzA9vjM9VLTsx4Dx/1vGHDqo7I12qadEQlKAuhhQ=,iv:3icAM7sVe2HlmosbP7VPbcF4SRz/mlbzdQ1gENR9TRs=,tag:O8TCN7NltNpDGoG3T8Ds1w==,type:str] nextcloud: client_secret: ENC[AES256_GCM,data:zLejYbfudK/4OquLXPYTv9YOmFpCVfg0KLNkDSDCpFrxroDUAXBCLtYXiGuYkYrD/t7LAzRt+OTq70d7ciuHhBNSLclP2U97BQoXCWscWnxQauRZ+UCABvP+DB9VPQmCwU+uKPrKQ8l51baj+MkpIDdk2lwavpONMU57Zov6N2o=,iv:aQ4bsXUXn177tCxe1kAsSMP9ynEzvDwN0hwFhrT3Nko=,tag:EFcnf6VmyFt2i4+aL56sWw==,type:str] + kitchenowl: + client_secret: ENC[AES256_GCM,data:x4Xsd3d3El59HKBYNV56ah314hYSRhzt46upW34cOopXNHSB3zCDrD46LUa6i8g6V5GJyrMpMfO5mv+b80JrmfHkhGUXZXuTwDNu6ijnO6ZCvC2Bdlo+T0tlkJe25OMCBseJkkC++UBrpKQQTAhyVjnPSVrGVvtY4WtdAw+X/OY=,iv:pOowIhPD7kb2F3ylFzLwNW3BhPZyzoFCGRm2+KCmhno=,tag:GxFI0w06EyGxFwj6Fv4ZLQ==,type:str] smtp2go: username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] 
@@ -77,8 +79,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-12T14:31:02Z" - mac: ENC[AES256_GCM,data:fURqCQvs849+xxfzzqRIwOcxJm2Grz2m3fPoF7/XNH1+HpuS7FlnU2gIZ2LH/hun5kUDD1x4BXH+hrM4nGzl+jI0ZUa9NBDxT69N2mAkFI7oqeWLVLdYfGyit64kwCe2aupW0kdtrW1OsxY2JzfqEqFykSW9oPld9tx+JMVOPQA=,iv:impIJ13OHqWto2U+HV6unGGQgtRmVQKl2L3ukEeb4cM=,tag:jaEhmbxxiHlC/4ifpYLoXA==,type:str] + lastmodified: "2025-02-13T16:43:24Z" + mac: ENC[AES256_GCM,data:EJ3TwNwTEsbA2Y/v7ZNgRq3ENgl1tyIzTbrW3x58p5MA6sPMCshVnu6cqrssn3l/cHZdGYxeyachVbqbaVC60Gbw1UiywkjAj5w5l92PMne142unjeLDsVgGv3ItalWLgmWBVp6B1YfxID9V5CxNZjSglVzH3o0bseqIGnvcDrQ=,iv:dK2QR6s5m9BCW+7ZXwE0Ksca0EAGtHtrTfigbUkY2AY=,tag:+HUoCt7tu5yDCG3LbwEq8w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 From 268559dbce9399747f4a0ddd0d04c141bc0a3be0 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 15 Feb 2025 15:51:40 +0100 Subject: [PATCH 41/73] Add missing Longhorn backup target Increase Jellyfin storage to 10Gi Fix file system group for Ntfy files --- modules/bootstrap-default.nix | 7 ++++++- modules/dummy-types.nix | 7 +++++++ modules/media.nix | 2 +- modules/ntfy.nix | 5 +++++ 4 files changed, 19 insertions(+), 2 deletions(-) diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix index 9a0fbb7..31e18f8 100644 --- a/modules/bootstrap-default.nix +++ b/modules/bootstrap-default.nix @@ -79,6 +79,11 @@ concurrency = 1; }; + backuptargets.backup.spec = { + backupTargetURL = "nfs://lewis.dmz:/mnt/longhorn/persistent/longhorn-backup"; + pollInterval = "5m0s"; + }; + ipAddressPools.main.spec.addresses = ["192.168.30.128-192.168.30.200" "2a0d:6e00:1a77:30::2-2a0d:6e00:1a77:30:ffff:ffff:ffff:fffe"]; l2Advertisements.main.metadata = {}; 
@@ -116,7 +121,7 @@ immich-db.storage = "5Gi"; attic.storage = "15Gi"; attic-db.storage = "150Mi"; - jellyfin.storage = "5Gi"; + jellyfin.storage = "10Gi"; transmission.storage = "25Mi"; jellyseerr.storage = "75Mi"; radarr.storage = "300Mi"; diff --git a/modules/dummy-types.nix b/modules/dummy-types.nix index 394e3a6..d54dd1f 100644 --- a/modules/dummy-types.nix +++ b/modules/dummy-types.nix @@ -45,5 +45,12 @@ version = "v1alpha1"; kind = "Middleware"; }; + + backuptargets = { + attrName = "backuptargets"; + group = "longhorn.io"; + version = "v1beta1"; + kind = "BackupTarget"; + }; }; } diff --git a/modules/media.nix b/modules/media.nix index 13f64b2..2264a70 100644 --- a/modules/media.nix +++ b/modules/media.nix @@ -649,7 +649,7 @@ in { longhorn.persistentVolumeClaim = { jellyfin = lib.mkIf cfg.jellyfin.enable { volumeName = "jellyfin"; - storage = "5Gi"; + storage = "10Gi"; }; deluge = lib.mkIf cfg.deluge.enable { diff --git a/modules/ntfy.nix b/modules/ntfy.nix index d970fbe..d4f49f3 100644 --- a/modules/ntfy.nix +++ b/modules/ntfy.nix @@ -50,6 +50,11 @@ attachment-cache.persistentVolumeClaim.claimName = "attachment-cache"; data.persistentVolumeClaim.claimName = "data"; }; + + securityContext = { + fsGroup = 407; + fsGroupChangePolicy = "Always"; + }; }; }; }; From 028d7e781d6cf202a04e73cff96e632872d143d9 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sun, 16 Feb 2025 10:45:40 +0100 Subject: [PATCH 42/73] Add Mealie service --- deployments.nix | 5 ++ modules/bootstrap-default.nix | 2 + modules/default.nix | 1 + modules/mealie.nix | 76 ++++++++++++++++++++++++++++ nixng-configurations/default.nix | 2 + nixng-configurations/mealie.nix | 25 ++++++++++ nixng-modules/default.nix | 3 +- nixng-modules/ids.nix | 4 +- nixng-modules/mealie.nix | 85 ++++++++++++++++++++++++++++++++ nixng-modules/radarr.nix | 2 +- secrets.yml | 6 ++- 11 files changed, 206 insertions(+), 5 deletions(-) create mode 100644 modules/mealie.nix create mode 100644 nixng-configurations/mealie.nix create mode 100644 nixng-modules/mealie.nix diff --git a/deployments.nix b/deployments.nix index f99a14b..6469c14 100644 --- a/deployments.nix +++ b/deployments.nix @@ -128,4 +128,9 @@ module.authentik.enable = true; namespace = "authentik"; }; + + mealie = { + module.mealie.enable = true; + namespace = "mealie"; + }; } diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix index 31e18f8..25bc712 100644 --- a/modules/bootstrap-default.nix +++ b/modules/bootstrap-default.nix @@ -63,6 +63,7 @@ tailscale = {}; ntfy = {}; authentik = {}; + mealie = {}; }; nodes = @@ -134,6 +135,7 @@ keepassxc.storage = "100Mi"; authentik-db.storage = "10Gi"; authentik-redis.storage = "5Gi"; + mealie.storage = "3Gi"; }; tailscaleIngresses.tailscale-longhorn = { diff --git a/modules/default.nix b/modules/default.nix index ef212e2..f730e1c 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -30,5 +30,6 @@ ./ntfy.nix ./minecraft.nix ./authentik.nix + ./mealie.nix ]; } diff --git a/modules/mealie.nix b/modules/mealie.nix new file mode 100644 index 0000000..df3db99 --- /dev/null +++ b/modules/mealie.nix 
@@ -0,0 +1,76 @@
+{
+ lib,
+ config,
+ utils,
+ ...
+}: {
+ options.mealie.enable = lib.mkEnableOption "mealie";
+
+ config = lib.mkIf config.mealie.enable {
+ kubernetes.resources = {
+ deployments.mealie.spec = {
+ selector.matchLabels.app = "mealie";
+
+ strategy = {
+ type = "RollingUpdate";
+
+ rollingUpdate = {
+ maxSurge = 0;
+ maxUnavailable = 1;
+ };
+ };
+
+ template = {
+ metadata.labels.app = "mealie";
+
+ spec = {
+ containers.mealie = {
+ image = utils.mkNixNGImage "mealie";
+ ports.web.containerPort = 8000;
+
+ env = {
+ SMTP_USER.value = "ref+sops://secrets.yml#/smtp2go/username";
+ SMTP_PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
+ OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/mealie/client_secret";
+ };
+
+ volumeMounts = [
+ {
+ name = "mealie";
+ mountPath = "/data";
+ }
+ ];
+ };
+
+ volumes.mealie.persistentVolumeClaim.claimName = "mealie";
+ };
+ };
+ };
+
+ services.mealie.spec = {
+ selector.app = "mealie";
+
+ ports.web = {
+ port = 80;
+ targetPort = "web";
+ };
+ };
+ };
+
+ lab = {
+ ingresses.mealie = {
+ host = "mealie.kun.is";
+
+ service = {
+ name = "mealie";
+ portName = "web";
+ };
+ };
+
+ longhorn.persistentVolumeClaim.mealie = {
+ volumeName = "mealie";
+ storage = "3Gi";
+ };
+ };
+ };
+}
diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix
index 5a9c943..c1803c8 100644
--- a/nixng-configurations/default.nix
+++ b/nixng-configurations/default.nix
@@ -21,6 +21,7 @@ flake-utils.lib.eachDefaultSystem (system: let
 prowlarr = ./prowlarr.nix;
 blog = ./blog.nix;
 deluge = ./deluge.nix;
+ mealie = ./mealie.nix;
 };
 in {
 nixngConfigurations = builtins.mapAttrs (name: configFile:
@@ -43,6 +44,7 @@ in {
 self.nixngModules.sonarr
 self.nixngModules.prowlarr
 self.nixngModules.deluge
+ self.nixngModules.mealie
 {
 nixpkgs.overlays = [
 (_final: _prev: {
diff --git a/nixng-configurations/mealie.nix b/nixng-configurations/mealie.nix
new file mode 100644
index 0000000..bd3350c
--- /dev/null
+++ b/nixng-configurations/mealie.nix
@@ -0,0 +1,25 @@
+{
+ dinit.enable = true;
+ init.services.mealie.shutdownOnExit = true;
+
+ services.mealie = {
+ enable = true;
+
+ settings = {
+ DATA_DIR = "/data";
+ BASE_URL = "https://mealie.kun.is";
+ ALLOW_SIGNUP = "False";
+ SMTP_HOST = "mail.smtp2go.com";
+ SMTP_PORT = "2525";
+ SMTP_FROM_NAME = "Mealie";
+ SMTP_AUTH_STRATEGY = "ssl";
+ SMTP_FROM_EMAIL = "mealie@kun.is";
+ OIDC_AUTH_ENABLED = "True";
+ OIDC_CONFIGURATION_URL = "https://authentik.kun.is/application/o/mealie/.well-known/openid-configuration";
+ OIDC_CLIENT_ID = "lvkHoIPacUXjY4jr9YyEQC7YyhccOH0atbpOiKmG";
+ OIDC_AUTO_REDIRECT = "True";
+ OIDC_PROVIDER_NAME = "Authentik";
+ OIDC_REMEMBER_ME = "True";
+ };
+ };
+}
diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix
index 63903ab..629a244 100644
--- a/nixng-modules/default.nix
+++ b/nixng-modules/default.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 nixngModules = {
 bazarr = import ./bazarr.nix;
 radicale = import ./radicale.nix;
@@ -8,5 +8,6 @@
 prowlarr = import ./prowlarr.nix;
 ids = import ./ids.nix;
 deluge = import ./deluge.nix;
+ mealie = import ./mealie.nix;
 };
 }
diff --git a/nixng-modules/ids.nix b/nixng-modules/ids.nix
index fce4278..228b5da 100644
--- a/nixng-modules/ids.nix
+++ b/nixng-modules/ids.nix
@@ -1,4 +1,4 @@
-{...}: {
+{
 ids = {
 uids = {
 radicale = 408;
@@ -8,6 +8,7 @@
 bazarr = 412;
 prowlarr = 413;
 deluge = 414;
+ mealie = 415;
 };
 
 gids = {
@@ -19,6 +20,7 @@
 bazarr = 412;
 prowlarr = 413;
 deluge = 414;
+ mealie = 415;
 };
 };
 }
diff --git a/nixng-modules/mealie.nix b/nixng-modules/mealie.nix
new file mode 100644
index 0000000..583d4b4
--- /dev/null
+++ b/nixng-modules/mealie.nix
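Review bot: `SMTP_AUTH_STRATEGY = "ssl";` paired with `SMTP_PORT = "2525";` is worth confirming against the provider: implicit TLS is conventionally served on port 465, while 2525 is usually a STARTTLS submission port, so if the two do not match, mail sending will presumably fail rather than fall back. If the combination is deliberate, a one-line comment above `SMTP_PORT` recording which port/strategy pairing was verified with the provider would stop the next reader from "fixing" it; if not, move either the port or the strategy to the STARTTLS form the provider documents. Everything in this `settings` block is non-secret, which is the right split, since these strings are rendered into the image's init script rather than read from the container environment.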
@@ -0,0 +1,85 @@
+{
+ lib,
+ nglib,
+ pkgs,
+ config,
+ ...
+}: let
+ cfg = config.services.mealie;
+ cfgInit = config.init.services.mealie;
+in {
+ options.services.mealie = {
+ enable = lib.mkEnableOption "mealie";
+ package = lib.mkPackageOption pkgs "mealie" {};
+ settings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = with lib.types; attrsOf str;
+
+ options = {
+ PRODUCTION = lib.mkOption {
+ type = lib.types.str;
+ default = "true";
+ };
+
+ DATA_DIR = lib.mkOption {
+ type = with lib.types; nullOr str;
+ default = null;
+ };
+
+ DB_ENGINE = lib.mkOption {
+ type = with lib.types; nullOr str;
+ default = "sqlite";
+ };
+
+ ALEMBIC_CONFIG_FILE = lib.mkOption {
+ type = with lib.types; nullOr str;
+ default = "${cfg.package}/alembic.ini";
+ };
+ };
+ };
+
+ description = ''
+ Configuration of the Mealie service.
+
+ See [the Mealie documentation](https://nightly.mealie.io/documentation/getting-started/installation/backend-config/) for available options and default values.
+ '';
+ default = {};
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ init.services.mealie = {
+ enabled = true;
+ user = lib.mkDefault "mealie";
+ group = lib.mkDefault "mealie";
+
+ tmpfiles = with nglib.nottmpfiles.dsl; lib.optional (cfg.settings.DATA_DIR != null) (d "${cfg.settings.DATA_DIR}" "-" cfgInit.user cfgInit.group "-" _);
+
+ execStart =
+ pkgs.writeShellScript "mealie-run"
+ (let
+ # Mealie can only be configured via environmental variables.
+ # With this, we don't accidentally overwrite env variables set by the user.
+ extraEnvLines = lib.mapAttrsToList (key: value: ''export ${key}=''${${key}:=${value}}'') cfg.settings; + in '' + ${lib.concatStringsSep "\n" extraEnvLines} + ${cfg.package}/libexec/init_db + + ${lib.getExe cfg.package} -b 0.0.0.0:8000 + ''); + }; + + environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "mealie"; + inherit (cfgInit) group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.mealie; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.mealie;}; + }; +} diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix index 965f387..8ea2b39 100644 --- a/nixng-modules/radarr.nix +++ b/nixng-modules/radarr.nix @@ -35,7 +35,7 @@ in { users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "radarr") (nglib.mkDefaultRec { description = "radarr"; - group = cfgInit.group; + inherit (cfgInit) group; createHome = false; home = "/var/empty"; useDefaultShell = true; diff --git a/secrets.yml b/secrets.yml index 33ad123..8d8e5c1 100644 --- a/secrets.yml +++ b/secrets.yml 
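Review bot: `extraEnvLines = lib.mapAttrsToList (key: value: ''export ${key}=''${${key}:=${value}}'') cfg.settings;` splices every settings value into the shell script unquoted, so a value containing whitespace or shell metacharacters (a `SMTP_FROM_NAME` with a space, a URL with `&`) is word-split or interpreted by the shell, and `settings` is a freeform `attrsOf str`, so nothing upstream rules such values out. Quoting both the test and the assignment fixes it: `extraEnvLines = lib.mapAttrsToList (key: value: ''[ -n "''${${key}:-}" ] || export ${key}=${lib.escapeShellArg value}'') cfg.settings;` — this drops the original's re-export of an already-set variable, which as far as this script shows is harmless because a pre-set variable can only have arrived through the environment. Because `pkgs.writeShellScript` writes the rendered script into the Nix store, every `settings` value is also world-readable there; the two-line comment just above this line would be the place to add `# Values land verbatim in the store script, so pass secrets via the container environment, never via settings.`.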
@@ -52,6 +52,8 @@ authentik: client_secret: ENC[AES256_GCM,data:zLejYbfudK/4OquLXPYTv9YOmFpCVfg0KLNkDSDCpFrxroDUAXBCLtYXiGuYkYrD/t7LAzRt+OTq70d7ciuHhBNSLclP2U97BQoXCWscWnxQauRZ+UCABvP+DB9VPQmCwU+uKPrKQ8l51baj+MkpIDdk2lwavpONMU57Zov6N2o=,iv:aQ4bsXUXn177tCxe1kAsSMP9ynEzvDwN0hwFhrT3Nko=,tag:EFcnf6VmyFt2i4+aL56sWw==,type:str] kitchenowl: client_secret: ENC[AES256_GCM,data:x4Xsd3d3El59HKBYNV56ah314hYSRhzt46upW34cOopXNHSB3zCDrD46LUa6i8g6V5GJyrMpMfO5mv+b80JrmfHkhGUXZXuTwDNu6ijnO6ZCvC2Bdlo+T0tlkJe25OMCBseJkkC++UBrpKQQTAhyVjnPSVrGVvtY4WtdAw+X/OY=,iv:pOowIhPD7kb2F3ylFzLwNW3BhPZyzoFCGRm2+KCmhno=,tag:GxFI0w06EyGxFwj6Fv4ZLQ==,type:str] + mealie: + client_secret: ENC[AES256_GCM,data:VNEV8a1KZc6XVeRzyBWzuwldTmxEepPRUOEMEM3HKrDIkxcGHDuoLh5P7Ti+jS5rbmua+ET4GPcJTYXR+pO5/cMaxqFONj1D1w9541QPYZNBbTfPM/Zfu8OnzngVsCnnKEtu1bVwflUnmf7F5hHED8zJRe1F9PT/HYA6NCd4ajQ=,iv:58ysTItP8UNnQWwgWRS1dk/K/2dJv3P5wa5rGnz2P/I=,tag:vLGrFldzOey9ANW010GylA==,type:str] smtp2go: username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] 
@@ -79,8 +81,8 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-13T16:43:24Z" - mac: ENC[AES256_GCM,data:EJ3TwNwTEsbA2Y/v7ZNgRq3ENgl1tyIzTbrW3x58p5MA6sPMCshVnu6cqrssn3l/cHZdGYxeyachVbqbaVC60Gbw1UiywkjAj5w5l92PMne142unjeLDsVgGv3ItalWLgmWBVp6B1YfxID9V5CxNZjSglVzH3o0bseqIGnvcDrQ=,iv:dK2QR6s5m9BCW+7ZXwE0Ksca0EAGtHtrTfigbUkY2AY=,tag:+HUoCt7tu5yDCG3LbwEq8w==,type:str] + lastmodified: "2025-02-15T15:37:53Z" + mac: ENC[AES256_GCM,data:tsoDYbuhxEH3PrxOPgfKczD8Hh1XGJRhGAtm2DWpPP9T99ub/l3KAV2pInvUi5Kn+1QvhJUAwFAP6A/435cqfsHxQI066N7ADUYO4qshcsAYKK7ofBVNnI431D3oD+kBujWKmvSqhlamdP+O7O1ICtbfI5PEM8SN5KWEvEtyp9A=,iv:pDiPy6EWLaZQbNydRFTktRlcf7M9Uf8OS+WPbQkUx9M=,tag:D+tMTFVbWE7TQIw/0MUZjw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 From 201af045c9bf2a1a6b19ff12c5962cd9ca84d052 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 16 Feb 2025 10:46:18 +0100 Subject: [PATCH 43/73] Fix Traefik Helm values --- modules/traefik.nix | 2 +- nixng-configurations/ntfy.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/traefik.nix b/modules/traefik.nix index b59253d..e512b99 100644 --- a/modules/traefik.nix +++ b/modules/traefik.nix @@ -20,7 +20,7 @@ ports = { localsecure = { port = 8444; - expose = true; + expose.default = true; exposedPort = 444; protocol = "TCP"; diff --git a/nixng-configurations/ntfy.nix b/nixng-configurations/ntfy.nix index 7fc7ef1..a957c42 100644 --- a/nixng-configurations/ntfy.nix +++ b/nixng-configurations/ntfy.nix @@ -1,4 +1,4 @@ -{...}: { +{ dinit.enable = true; init.services.ntfy-sh.shutdownOnExit = true; From 8cfa7d2b3d008c48115dd40947fc202567e883ee Mon Sep 17 00:00:00 2001 
From: Niels Kunis Date: Sun, 16 Feb 2025 15:15:56 +0100 Subject: [PATCH 44/73] added config lines to Inbucket and bugjes opgelost in deployment scripts --- applyset-deploy.sh | 2 +- modules/inbucket.nix | 9 ++++++++- scripts/gen-k3s-cert.sh | 5 +++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/applyset-deploy.sh b/applyset-deploy.sh index e5b1232..397cfbb 100644 --- a/applyset-deploy.sh +++ b/applyset-deploy.sh @@ -23,7 +23,7 @@ done first_server="${SERVERS%% *}" previous_manifest=$( - envsubst < Date: Sun, 16 Feb 2025 15:53:31 +0100 Subject: [PATCH 45/73] little update on inbucket config --- modules/inbucket.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/inbucket.nix b/modules/inbucket.nix index 947ccb9..7da77a7 100644 --- a/modules/inbucket.nix +++ b/modules/inbucket.nix @@ -24,9 +24,9 @@ env = { INBUCKET_MAILBOXNAMING.value = "full"; INBUCKET_SMTP_DEFAULTACCEPT.value = "false"; - INBUCKET_SMTP_ACCEPTDOMAINS.value = "kunis.nl,kun.is"; + INBUCKET_SMTP_ACCEPTDOMAINS.value = "kun.is"; INBUCKET_SMTP_DEFAULTSTORE.value = "false"; - INBUCKET_SMTP_STOREDOMAINS.value = "kunis.nl,kun.is"; + INBUCKET_SMTP_STOREDOMAINS.value = "kun.is"; INBUCKET_STORAGE_RETENTIONPERIOD.value = "168h"; }; ports = { From 7418159761addf50a52833981510cc168d2b7a09 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 17 Feb 2025 22:03:32 +0100 Subject: [PATCH 46/73] Remove reliance on NFS volumes --- modules/bootstrap-default.nix | 10 ---------- modules/longhorn-volume.nix | 12 ++++++------ modules/media.nix | 23 +++++++++-------------- 3 files changed, 15 insertions(+), 30 deletions(-) diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix index 25bc712..f2db421 100644 --- a/modules/bootstrap-default.nix +++ b/modules/bootstrap-default.nix 
@@ -87,16 +87,6 @@ ipAddressPools.main.spec.addresses = ["192.168.30.128-192.168.30.200" "2a0d:6e00:1a77:30::2-2a0d:6e00:1a77:30:ffff:ffff:ffff:fffe"]; l2Advertisements.main.metadata = {}; - - persistentVolumes.media-media.spec = { - capacity.storage = "1Gi"; - accessModes = ["ReadWriteMany"]; - - nfs = { - server = "lewis.dmz"; - path = "/mnt/longhorn/persistent/media"; - }; - }; }; }; diff --git a/modules/longhorn-volume.nix b/modules/longhorn-volume.nix index 6eb4bfd..db08037 100644 --- a/modules/longhorn-volume.nix +++ b/modules/longhorn-volume.nix @@ -3,7 +3,7 @@ config, ... }: let - longhornVolumeOpts = {name, ...}: { + longhornVolumeOpts = _: { options = { storage = lib.mkOption { type = lib.types.str; @@ -16,7 +16,7 @@ }; }; - longhornPVOpts = {name, ...}: { + longhornPVOpts = _: { options = { storage = lib.mkOption { type = lib.types.str; @@ -71,7 +71,7 @@ in { claimRef = { inherit name; - namespace = longhornVolume.namespace; + inherit (longhornVolume) namespace; }; csi = { @@ -134,7 +134,7 @@ in { persistentVolumeClaims = lib.mergeAttrs (builtins.mapAttrs - (name: longhornVolume: { + (_name: longhornVolume: { spec = { accessModes = ["ReadWriteOnce"]; resources.requests.storage = longhornVolume.storage; @@ -143,12 +143,12 @@ in { }) config.lab.longhornVolumes) (builtins.mapAttrs - (name: longhornPVC: { + (_name: longhornPVC: { spec = { accessModes = ["ReadWriteOnce"]; resources.requests.storage = longhornPVC.storage; storageClassName = ""; - volumeName = longhornPVC.volumeName; + inherit (longhornPVC) volumeName; }; }) config.lab.longhorn.persistentVolumeClaim); diff --git a/modules/media.nix b/modules/media.nix index 2264a70..ee035b3 100644 --- a/modules/media.nix +++ b/modules/media.nix @@ -151,7 +151,11 @@ in { volumes = { config.persistentVolumeClaim.claimName = "deluge"; - media.persistentVolumeClaim.claimName = "media"; + + media.hostPath = { + path = "/mnt/longhorn/persistent/media"; + type = "Directory"; + }; }; securityContext = { 
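Review bot: The `fsGroup = 51;` / `fsGroupChangePolicy = "OnRootMismatch";` block that follows the new `media.hostPath` volume has no effect on it: the kubelet only adjusts ownership on volume types that support fsGroup management, and hostPath is not one of them, so `/mnt/longhorn/persistent/media` must already be group-accessible to gid 51 on the node or the container loses the write access the previous PVC-backed mount had. The same pairing recurs for radarr (gid 410), sonarr (411) and bazarr (412) in the PATCH 47 hunks. A hostPath mount also hands the pod a direct handle on the node filesystem, which the Kubernetes `baseline` Pod Security Standard rejects, so a comment on the volume naming the accepted trade-off would help, e.g. `# hostPath: fsGroup does not apply here; the node directory must already be group-writable for gid 51.`. The deluge deployment definition starts and ends outside this hunk.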
@@ -575,19 +579,10 @@ in { }; }; - persistentVolumeClaims = { - jellyfin-cache = lib.mkIf cfg.jellyfin.enable { - spec = { - accessModes = ["ReadWriteOnce"]; - resources.requests.storage = "20Gi"; - }; - }; - - media.spec = { - accessModes = ["ReadWriteMany"]; - storageClassName = ""; - resources.requests.storage = "1Mi"; - volumeName = "media-media"; + persistentVolumeClaims.jellyfin-cache = lib.mkIf cfg.jellyfin.enable { + spec = { + accessModes = ["ReadWriteOnce"]; + resources.requests.storage = "20Gi"; }; }; }; From 851a7d0dcf40fd9f6e9f15e0352cd43635fb8151 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 17 Feb 2025 22:43:34 +0100 Subject: [PATCH 47/73] Mount media locally --- modules/media.nix | 66 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 63 insertions(+), 3 deletions(-) diff --git a/modules/media.nix b/modules/media.nix index ee035b3..44535f7 100644 --- a/modules/media.nix +++ b/modules/media.nix @@ -162,6 +162,18 @@ in { fsGroup = 51; fsGroupChangePolicy = "OnRootMismatch"; }; + + affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [ + { + matchExpressions = [ + { + key = "hasMedia"; + operator = "In"; + values = ["true"]; + } + ]; + } + ]; }; }; }; @@ -268,13 +280,29 @@ in { volumes = { config.persistentVolumeClaim.claimName = "radarr"; - media.persistentVolumeClaim.claimName = "media"; + + media.hostPath = { + path = "/mnt/longhorn/persistent/media"; + type = "Directory"; + }; }; securityContext = { fsGroup = 410; fsGroupChangePolicy = "OnRootMismatch"; }; + + affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [ + { + matchExpressions = [ + { + key = "hasMedia"; + operator = "In"; + values = ["true"]; + } + ]; + } + ]; }; }; }; 
@@ -381,13 +409,29 @@ in { volumes = { config.persistentVolumeClaim.claimName = "sonarr"; - media.persistentVolumeClaim.claimName = "media"; + + media.hostPath = { + path = "/mnt/longhorn/persistent/media"; + type = "Directory"; + }; }; securityContext = { fsGroup = 411; fsGroupChangePolicy = "OnRootMismatch"; }; + + affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [ + { + matchExpressions = [ + { + key = "hasMedia"; + operator = "In"; + values = ["true"]; + } + ]; + } + ]; }; }; }; @@ -441,13 +485,29 @@ in { volumes = { config.persistentVolumeClaim.claimName = "bazarr"; - media.persistentVolumeClaim.claimName = "media"; + + media.hostPath = { + path = "/mnt/longhorn/persistent/media"; + type = "Directory"; + }; }; securityContext = { fsGroup = 412; fsGroupChangePolicy = "OnRootMismatch"; }; + + affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [ + { + matchExpressions = [ + { + key = "hasMedia"; + operator = "In"; + values = ["true"]; + } + ]; + } + ]; }; }; }; From 93ad02b2dafa30e14ddca9ecc75fbd9d4dc383ff Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 18 Feb 2025 17:30:19 +0100 Subject: [PATCH 48/73] Create Longhorn volume for music --- modules/bootstrap-default.nix | 9 ++++----- modules/media.nix | 10 ++++++++++ 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix index f2db421..d9c419c 100644 --- a/modules/bootstrap-default.nix +++ b/modules/bootstrap-default.nix @@ -16,11 +16,6 @@ includeCRDs = true; }; - # argo-workflows = { - # chart = nixhelm.chartsDerivations.${system}.argoproj.argo-workflows; - # includeCRDs = true; - # }; - longhorn = { chart = nixhelm.chartsDerivations.${system}.longhorn.longhorn; includeCRDs = true; 
@@ -87,6 +82,9 @@ ipAddressPools.main.spec.addresses = ["192.168.30.128-192.168.30.200" "2a0d:6e00:1a77:30::2-2a0d:6e00:1a77:30:ffff:ffff:ffff:fffe"]; l2Advertisements.main.metadata = {}; + + # We don't need backups for music, just replication is enough. + persistentVolumes.music.spec.csi.volumeAttributes.recurringJobSelector = lib.mkForce ""; }; }; @@ -126,6 +124,7 @@ authentik-db.storage = "10Gi"; authentik-redis.storage = "5Gi"; mealie.storage = "3Gi"; + music.storage = "70Gi"; }; tailscaleIngresses.tailscale-longhorn = { diff --git a/modules/media.nix b/modules/media.nix index 44535f7..43e629b 100644 --- a/modules/media.nix +++ b/modules/media.nix @@ -64,12 +64,17 @@ in { name = "cache"; mountPath = "/config/transcodes"; } + { + name = "music"; + mountPath = "/media/music"; + } ]; }; volumes = { config.persistentVolumeClaim.claimName = "jellyfin"; cache.persistentVolumeClaim.claimName = "jellyfin-cache"; + music.persistentVolumeClaim.claimName = "music"; media.hostPath = { path = "/mnt/longhorn/persistent/media"; @@ -736,6 +741,11 @@ in { volumeName = "bazarr"; storage = "25Mi"; }; + + music = lib.mkIf cfg.jellyfin.enable { + volumeName = "music"; + storage = "70Gi"; + }; }; }; }; From a75fae6efb9f61f9b075909271ec1ab27c22fa5a Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 18 Feb 2025 22:10:04 +0100 Subject: [PATCH 49/73] jellyfin: 10.10.5 -> 10.10.6 --- globals.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index 68c67c2..1eb956d 100644 --- a/globals.nix +++ b/globals.nix @@ -1,7 +1,7 @@ {servers, ...}: let globals = { images = { - jellyfin = "jellyfin/jellyfin:10.10.5"; + jellyfin = "jellyfin/jellyfin:10.10.6"; atuin = "ghcr.io/atuinsh/atuin:18.4.0"; postgres14 = "postgres:14"; kms = "teddysun/kms:latest"; From 9f534327ab3cf8de4ee6b91fd074bdcc9c96fe53 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Wed, 19 Feb 2025 10:57:04 +0100 Subject: [PATCH 50/73] Update readme --- README.md | 110 +++++++++++++++++++++++++++++------------------------- 1 file changed, 60 insertions(+), 50 deletions(-) diff --git a/README.md b/README.md index 19e76c3..b0211b5 100644 --- a/README.md +++ b/README.md 
@@ -5,74 +5,84 @@ We use [Kubenix](https://kubenix.org/) to write Kubernetes deployments in Nix! ## Images used Legend: -- ✨: Image built with Nix (including [NixNG](https://github.com/nix-community/NixNG)) + +- ✨: Image built with Nix (including + [NixNG](https://github.com/nix-community/NixNG)) - ✅: Official image or trusted publisher - 🫤: Unofficial image -| Status | Image | Comments | -| --- | --- | --- | -| ✨ | `nixng-blog` | | -| ✨ | `nixng-dnsmasq` | | -| ✨ | `nixng-attic` | | -| ✨ | `nixng-ntfy-sh` | | -| ✨ | `nixng-radicale` | | -| ✨ | `nixng-jellyseerr` | | -| ✨ | `nixng-radarr` | | -| ✨ | `nixng-sonarr` | | -| ✨ | `nixng-bazarr` | | -| ✨ | `nixng-prowlarr` | | -| ✅ | `jellyfin/jellyfin` | | -| ✅ | `linuxserver/deluge` | | -| ✅ | `ghcr.io/atuinsh/atuin` | | -| ✅ | `postgres:14` | Database for Atuin | -| ✅ | `ghcr.io/paperless-ngx/paperless-ngx` | | -| ✅ | `docker.io/library/redis:7` | Database for Paperless-ngx | -| ✅ | `nextcloud` | | -| ✅ | `postgres:15` | Database for Attic, Nextcloud, Paperless-ngx and Hedgedoc | -| ✅ | `inbucket/inbucket` | | -| ✅ | `lscr.io/linuxserver/syncthing` | | -| ✅ | `codeberg.org/forgejo/forgejo` | | -| ✅ | `pihole/pihole` | | -| ✅ | `ghcr.io/immich-app/immich-server` | | -| ✅ | `ghcr.io/immich-app/immich-machine-learning` | | -| ✅ | `docker.io/redis:6.2-alpine` | Database for Immich | -| ✅ | `docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0` | Database for Immich | -| ✅ | `tombursch/kitchenowl` | | -| ✅ | `freshrss/freshrss` | | -| ✅ | `ubuntu/bind9` | | -| ✅ | `quay.io/hedgedoc/hedgedoc` | | -| 🫤 | `itzg/minecraft-server` | | -| 🫤 | `teddysun/kms` | | -| 🫤 | `mpepping/cyberchef` | | +| Status | Image | Comments | +| ------ | ---------------------------------------------- | --------------------------------------------------------- | +| ✨ | `nixng-blog` | | +| ✨ | `nixng-dnsmasq` | | +| ✨ | `nixng-attic` | | +| ✨ | `nixng-ntfy-sh` | | +| ✨ | `nixng-radicale` | | +| ✨ | `nixng-jellyseerr` | | +| ✨ | `nixng-radarr` | | +| ✨ | 
`nixng-sonarr` | | +| ✨ | `nixng-bazarr` | | +| ✨ | `nixng-prowlarr` | | +| ✨ | `nixng-deluge` | | +| ✨ | `nixng-mealie` | | +| ✅ | `jellyfin/jellyfin` | | +| ✅ | `ghcr.io/atuinsh/atuin` | | +| ✅ | `postgres:14` | Database for Atuin | +| ✅ | `ghcr.io/paperless-ngx/paperless-ngx` | | +| ✅ | `docker.io/library/redis:7` | Database for Paperless-ngx | +| ✅ | `nextcloud` | | +| ✅ | `postgres:15` | Database for Attic, Nextcloud, Paperless-ngx and Hedgedoc | +| ✅ | `inbucket/inbucket` | | +| ✅ | `lscr.io/linuxserver/syncthing` | | +| ✅ | `codeberg.org/forgejo/forgejo` | | +| ✅ | `pihole/pihole` | | +| ✅ | `ghcr.io/immich-app/immich-server` | | +| ✅ | `ghcr.io/immich-app/immich-machine-learning` | | +| ✅ | `docker.io/redis:6.2-alpine` | Database for Immich | +| ✅ | `docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0` | Database for Immich | +| ✅ | `tombursch/kitchenowl` | | +| ✅ | `freshrss/freshrss` | | +| ✅ | `ubuntu/bind9` | | +| ✅ | `quay.io/hedgedoc/hedgedoc` | | +| 🫤 | `itzg/minecraft-server` | | +| 🫤 | `teddysun/kms` | | +| 🫤 | `mpepping/cyberchef` | | ## Acknowledgements -- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones -- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes -- [kubenix](https://kubenix.org/): Declare and deploy Kubernetes resources using Nix +- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS + zones +- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to + develop Nix flakes +- [kubenix](https://kubenix.org/): Declare and deploy Kubernetes resources using + Nix - [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts - [sops-nix](https://github.com/Mic92/sops-nix): Sops secret management for Nix ## Prerequisites -To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. 
-You can generate this using `nix run '.#gen-k3s-cert' ~/.kube`, assuming you have SSH access to the master node. -This puts a private key, signed certificate and a kubeconfig in the kubeconfig directory +To deploy to the Kubernetes cluster, first make sure you have an admin account +on the cluster. You can generate this using +`nix run '.#gen-k3s-cert' ~/.kube`, assuming you have +SSH access to the master node. This puts a private key, signed certificate and a +kubeconfig in the kubeconfig directory ## Bootstrapping -We are now ready to deploy to the Kubernetes cluster. -Deployments are done through an experimental Kubernetes feature called [ApplySets](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-to-delete-objects). +We are now ready to deploy to the Kubernetes cluster. Deployments are done +through an experimental Kubernetes feature called +[ApplySets](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-to-delete-objects). Each applyset is responsible for a set number of resources within a namespace. -If the cluster has not been initialized yet, we must bootstrap it first. -Run these deployments: +If the cluster has not been initialized yet, we must bootstrap it first. Run +these deployments: + - `nix run '.#bootstrap-default-deploy'` - `nix run '.#bootstrap-kube-system-deploy'` ## Deployment -Now the cluster has been initialized and we can deploy applications. -To explore which applications we can deploy, run `nix flake show`. -Then, for each application, run `nix run '.#-deploy'`. -Or, if you're lazy: `nix flake show --json | jq -r '.packages."x86_64-linux"|keys[]' | grep -- -deploy | xargs -I{} nix run ".#{}"`. +Now the cluster has been initialized and we can deploy applications. To explore +which applications we can deploy, run `nix flake show`. Then, for each +application, run `nix run '.#-deploy'`. 
Or, if you're lazy: +`nix flake show --json | jq -r '.packages."x86_64-linux"|keys[]' | grep -- -deploy | xargs -I{} nix run ".#{}"`. From ae0d45e71f0b34e61d637e8da6c840d0c64150a4 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 19 Feb 2025 13:52:36 +0100 Subject: [PATCH 51/73] nextcloud: 30.0.5 -> 30.0.6 pihole: 2024.07.5 -> 2025.02.1 kitchenowl: 0.6.8 -> 0.6.10 hedgedoc: 1.10.0 -> 10.10.2 --- globals.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/globals.nix b/globals.nix index 1eb956d..af73ac5 100644 --- a/globals.nix +++ b/globals.nix @@ -7,21 +7,21 @@ kms = "teddysun/kms:latest"; paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.14.7"; redis7 = "docker.io/library/redis:7"; - nextcloud = "nextcloud:30.0.5"; + nextcloud = "nextcloud:30.0.6"; postgres15 = "postgres:15"; inbucket = "inbucket/inbucket:edge"; syncthing = "lscr.io/linuxserver/syncthing:1.29.2"; forgejo = "codeberg.org/forgejo/forgejo:10.0.1"; - pihole = "pihole/pihole:2024.07.0"; + pihole = "pihole/pihole:2025.02.1"; immich = "ghcr.io/immich-app/immich-server:v1.126.1"; immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.126.1"; immich-redis = "docker.io/redis:6.2-alpine@sha256:905c4ee67b8e0aa955331960d2aa745781e6bd89afc44a8584bfd13bc890f0ae"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0"; - kitchenowl = "tombursch/kitchenowl:v0.6.8"; + kitchenowl = "tombursch/kitchenowl:v0.6.10"; cyberchef = "mpepping/cyberchef:latest"; freshrss = "freshrss/freshrss:1.25.0"; bind9 = "ubuntu/bind9:9.18-22.04_beta"; - hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.0"; + hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.2"; minecraft = "itzg/minecraft-server:latest"; }; From 613bc83b899cdb67e53fc8615786a4c4354c1b2f Mon Sep 17 00:00:00 2001 
From: Pim Kunis
Date: Wed, 19 Feb 2025 17:43:29 +0100
Subject: [PATCH 52/73] Package Atuin as NixNG image

---
 README.md | 2 +-
 modules/atuin.nix | 42 ++++------------
 modules/bootstrap-default.nix | 1 -
 nixng-configurations/atuin.nix | 12 +++++
 nixng-configurations/default.nix | 3 +-
 nixng-modules/atuin.nix | 86 ++++++++++++++++++++++++++++++++
 nixng-modules/default.nix | 1 +
 nixng-modules/ids.nix | 2 +
 8 files changed, 113 insertions(+), 36 deletions(-)
 create mode 100644 nixng-configurations/atuin.nix
 create mode 100644 nixng-modules/atuin.nix
diff --git a/README.md b/README.md
index b0211b5..cbf1cd4 100644
--- a/README.md
+++ b/README.md
@@ -25,8 +25,8 @@ Legend:
 | ✨ | `nixng-prowlarr` | |
 | ✨ | `nixng-deluge` | |
 | ✨ | `nixng-mealie` | |
+| ✨ | `nixng-atuin` | |
 | ✅ | `jellyfin/jellyfin` | |
-| ✅ | `ghcr.io/atuinsh/atuin` | |
 | ✅ | `postgres:14` | Database for Atuin |
 | ✅ | `ghcr.io/paperless-ngx/paperless-ngx` | |
 | ✅ | `docker.io/library/redis:7` | Database for Paperless-ngx |
diff --git a/modules/atuin.nix b/modules/atuin.nix
index 7485f9f..9552e8f 100644
--- a/modules/atuin.nix
+++ b/modules/atuin.nix
@@ -1,5 +1,6 @@
 {
 config,
+ utils,
 globals,
 lib,
 ...
@@ -29,35 +30,17 @@
 metadata.labels.app = "atuin";
 spec = {
- volumes = {
- data.persistentVolumeClaim.claimName = "data";
- database.persistentVolumeClaim.claimName = "database";
- };
+ volumes.database.persistentVolumeClaim.claimName = "database";
 containers = {
 atuin = {
- image = globals.images.atuin;
- imagePullPolicy = "IfNotPresent";
+ image = utils.mkNixNGImage "atuin";
 ports.web.containerPort = 8888;
- args = ["server" "start"];
- env = {
- ATUIN_HOST.value = "0.0.0.0";
- ATUIN_PORT.value = "8888";
- ATUIN_OPEN_REGISTRATION.value = "false";
-
- ATUIN_DB_URI.valueFrom.secretKeyRef = {
- name = "database";
- key = "databaseURL";
- };
+ env.ATUIN_DB_URI.valueFrom.secretKeyRef = {
+ name = "database";
+ key = "databaseURL";
 };
-
- volumeMounts = [
- {
- name = "data";
- mountPath = "/config";
- }
- ];
 };
 database = {
@@ -106,16 +89,9 @@
 };
 };
- longhorn.persistentVolumeClaim = {
- data = {
- volumeName = "atuin";
- storage = "300Mi";
- };
-
- database = {
- volumeName = "atuin-db";
- storage = "300Mi";
- };
+ longhorn.persistentVolumeClaim.database = {
+ volumeName = "atuin-db";
+ storage = "300Mi";
 };
 };
 };
diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix
index d9c419c..e685d58 100644
--- a/modules/bootstrap-default.nix
+++ b/modules/bootstrap-default.nix
@@ -92,7 +92,6 @@
 longhorn.persistentVolume = {
 freshrss.storage = "1Gi";
 radicale.storage = "200Mi";
- atuin.storage = "300Mi";
 atuin-db.storage = "300Mi";
 nextcloud.storage = "50Gi";
 nextcloud-db.storage = "400Mi";
diff --git a/nixng-configurations/atuin.nix b/nixng-configurations/atuin.nix
new file mode 100644
index 0000000..189895e
--- /dev/null
+++ b/nixng-configurations/atuin.nix
@@ -0,0 +1,12 @@
+{
+ dinit.enable = true;
+ init.services.atuin.shutdownOnExit = true;
+
+ services.atuin = {
+ enable = true;
+
+ settings = {
+ open_registration = false;
+ };
+ };
+}
diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix
index c1803c8..aa10a38 100644
--- a/nixng-configurations/default.nix
+++ b/nixng-configurations/default.nix
@@ -22,6 +22,7 @@ flake-utils.lib.eachDefaultSystem (system: let
 blog = ./blog.nix;
 deluge = ./deluge.nix;
 mealie = ./mealie.nix;
+ atuin = ./atuin.nix;
 };
 in {
 nixngConfigurations = builtins.mapAttrs (name: configFile:
@@ -44,7 +45,7 @@ in {
 self.nixngModules.sonarr
 self.nixngModules.prowlarr
 self.nixngModules.deluge
- self.nixngModules.mealie
+ self.nixngModules.atuin
 {
 nixpkgs.overlays = [
 (_final: _prev: {
diff --git a/nixng-modules/atuin.nix b/nixng-modules/atuin.nix
new file mode 100644
index 0000000..914f5a7
--- /dev/null
+++ b/nixng-modules/atuin.nix
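Review bot: The second hunk of nixng-configurations/default.nix replaces `self.nixngModules.mealie` with `self.nixngModules.atuin` instead of adding the new entry, so the mealie NixNG module is no longer imported even though `mealie = ./mealie.nix;` is still registered in the first hunk and the README row for `nixng-mealie` is kept. Keep both entries: `self.nixngModules.mealie` followed by `self.nixngModules.atuin`. The enclosing module list starts and ends outside the hunk.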
@@ -0,0 +1,86 @@
+{
+ pkgs,
+ lib,
+ nglib,
+ config,
+ ...
+}: let
+ cfg = config.services.atuin;
+ cfgInit = config.init.services.atuin;
+ settingsFormat = pkgs.formats.toml {};
+in {
+ options.services.atuin = {
+ enable = lib.mkEnableOption "atuin";
+ package = lib.mkPackageOption pkgs "atuin" {};
+
+ settings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = settingsFormat.type;
+
+ options = {
+ host = lib.mkOption {
+ type = lib.types.str;
+ default = "0.0.0.0";
+ description = "The host to listen on";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 8888;
+ description = "The TCP port to listen on";
+ };
+
+ open_registration = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "If true, accept new user registrations";
+ };
+
+ db_uri = lib.mkOption {
+ type = with lib.types; nullOr str;
+ default = null;
+ description = "A valid PostgreSQL URI, for saving history";
+ };
+
+ path = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ description = "A path to prepend to all the routes of the server";
+ };
+ };
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ init.services.atuin = {
+ enabled = true;
+ user = lib.mkDefault "atuin";
+ group = lib.mkDefault "atuin";
+
+ script = pkgs.writeShellScript "atuin-run" ''
+ ${lib.getExe cfg.package} server start
+ '';
+ };
+
+ environment = {
+ systemPackages = [cfg.package];
+
+ variables.ATUIN_CONFIG_DIR = let
+ settingsFile = settingsFormat.generate "server.toml" (lib.filterAttrs (_: v: v != null) cfg.settings);
+ in
+ toString (pkgs.writeTextDir "server.toml" (builtins.readFile settingsFile));
+ };
+
+ users.users.${cfgInit.user} = nglib.mkDefaultRec {
+ description = "atuin";
+ inherit (cfgInit) group;
+ createHome = false;
+ home = "/var/empty";
+ useDefaultShell = true;
+ uid = config.ids.uids.atuin;
+ };
+
+ users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.atuin;};
+ };
+}
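Review bot: `variables.ATUIN_CONFIG_DIR` serialises every non-null value of `settings` into `server.toml` under a `pkgs.writeTextDir` store path, so a value given to `settings.db_uri` — documented as a PostgreSQL URI, which normally carries credentials — would land in the world-readable Nix store (and presumably in the image built from this configuration), while nothing in the option docs says so. The `db_uri` description should state this and point at the environment route that the Kubernetes side of this commit already uses through a secretKeyRef: `description = "A valid PostgreSQL URI, for saving history. Written to the Nix store; pass a URI containing credentials via the ATUIN_DB_URI environment variable instead";`. The `settings` option itself also lacks a `description`; a one-liner such as `description = "Atuin server settings, serialised to server.toml";` would complete the option documentation.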
diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix
index 629a244..01f9eed 100644
--- a/nixng-modules/default.nix
+++ b/nixng-modules/default.nix
@@ -9,5 +9,6 @@ _: {
 ids = import ./ids.nix;
 deluge = import ./deluge.nix;
 mealie = import ./mealie.nix;
+ atuin = import ./atuin.nix;
 };
 }
diff --git a/nixng-modules/ids.nix b/nixng-modules/ids.nix
index 228b5da..1470307 100644
--- a/nixng-modules/ids.nix
+++ b/nixng-modules/ids.nix
@@ -9,6 +9,7 @@
 prowlarr = 413;
 deluge = 414;
 mealie = 415;
+ atuin = 416;
 };
 gids = {
@@ -21,6 +22,7 @@
 prowlarr = 413;
 deluge = 414;
 mealie = 415;
+ atuin = 416;
 };
 };
 }
From ca0234e8454be69da752e0276539cd23bb1a5757 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Thu, 27 Feb 2025 10:03:39 +0100
Subject: [PATCH 53/73] immich: 1.126.1 -> 1.127.0 freshrss: 1.25.0 -> 1.26.0

---
 globals.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/globals.nix b/globals.nix
index af73ac5..31ecf06 100644
--- a/globals.nix
+++ b/globals.nix
@@ -13,13 +13,13 @@
 syncthing = "lscr.io/linuxserver/syncthing:1.29.2";
 forgejo = "codeberg.org/forgejo/forgejo:10.0.1";
 pihole = "pihole/pihole:2025.02.1";
- immich = "ghcr.io/immich-app/immich-server:v1.126.1";
- immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.126.1";
- immich-redis = "docker.io/redis:6.2-alpine@sha256:905c4ee67b8e0aa955331960d2aa745781e6bd89afc44a8584bfd13bc890f0ae";
+ immich = "ghcr.io/immich-app/immich-server:v1.127.0";
+ immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.127.0";
+ immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8";
 immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
 kitchenowl = "tombursch/kitchenowl:v0.6.10";
 cyberchef = "mpepping/cyberchef:latest";
- freshrss = "freshrss/freshrss:1.25.0";
+ freshrss = "freshrss/freshrss:1.26.0";
 bind9 = "ubuntu/bind9:9.18-22.04_beta";
 hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.2";
 minecraft = "itzg/minecraft-server:latest";
From e362e05351eb542356bda674543eb692c7a8c2e3 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 2 Mar 2025 13:13:38 +0100
Subject: [PATCH 54/73] immich: 1.127.0 -> 1.128.0

---
 globals.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/globals.nix b/globals.nix
index 31ecf06..8bf3480 100644
--- a/globals.nix
+++ b/globals.nix
@@ -13,8 +13,8 @@ syncthing = "lscr.io/linuxserver/syncthing:1.29.2"; forgejo = "codeberg.org/forgejo/forgejo:10.0.1"; pihole = "pihole/pihole:2025.02.1"; - immich = "ghcr.io/immich-app/immich-server:v1.127.0"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.127.0"; + immich = "ghcr.io/immich-app/immich-server:v1.128.0"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.128.0"; immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0"; kitchenowl = "tombursch/kitchenowl:v0.6.10"; From e0462fce837a9b8cde64fd2fa7ff89b0a83d2b9b Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 2 Mar 2025 21:08:29 +0100 Subject: [PATCH 55/73] Update flake inputs --- flake.lock | 91 +++++++++++++++++++++++++++--------------------------- 1 file changed, 46 insertions(+), 45 deletions(-) diff --git a/flake.lock b/flake.lock index 5cc2453..06a5b1d 100644 --- a/flake.lock +++ b/flake.lock @@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1736683360, - "narHash": "sha256-Zz9aEPm5TCtoNt+FoWQaEjngEh8uXDpCH+N2DDpW4Tk=", + "lastModified": 1740929559, + "narHash": "sha256-53kqXVABAkjh+ujEDoID51kLrYzTufwkYLaKftdSRMI=", "ref": "refs/heads/master", - "rev": "95b66d8c45b1fda87e63938fbdc0e31d5035f204", - "revCount": 24, + "rev": "0494eff9f5433aad58d9eedbf53dfa591ec1d128", + "revCount": 26, "type": "git", "url": "https://git.kun.is/pim/blog" }, 
@@ -68,11 +68,11 @@ ] }, "locked": { - "lastModified": 1733919067, - "narHash": "sha256-ZsL5pKwEDhcZhVJh+3IwgHus7kSW/N8qOlBscwB6BCI=", + "lastModified": 1737653493, + "narHash": "sha256-qTbv8Pm9WWF63M5Fj0Od9E54/lsbMSQUBHw/s30eFok=", "owner": "kirelagin", "repo": "dns.nix", - "rev": "a23f43f9762aa96d3e35c8eeefa7610bd0cdf456", + "rev": "96e548ae8bd44883afc5bddb9dacd0502542276d", "type": "github" }, "original": { @@ -296,11 +296,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -313,11 +313,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -386,11 +386,11 @@ ] }, "locked": { - "lastModified": 1735882644, - "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=", + "lastModified": 1740915799, + "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656", + "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732", "type": "github" }, "original": { 
@@ -559,11 +559,11 @@ "nginx": { "flake": false, "locked": { - "lastModified": 1736428764, - "narHash": "sha256-poKKXq1S4xjC9phulyZE34t8tdaaqwJ7IbmeyjUpsDU=", + "lastModified": 1740577203, + "narHash": "sha256-76NFp0NDdEgn1bqw17glDPAnEl0NF5vDvs0xCPmUCL4=", "owner": "nginx", "repo": "nginx", - "rev": "57d54fd922e7ecbebb78598d13adc9df1a4b69c0", + "rev": "d16251969bf113272b577920940f020524d5fceb", "type": "github" }, "original": { @@ -581,11 +581,11 @@ ] }, "locked": { - "lastModified": 1703863825, - "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", "owner": "nix-community", "repo": "nix-github-actions", - "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", "type": "github" }, "original": { @@ -596,11 +596,11 @@ }, "nix-kube-generators": { "locked": { - "lastModified": 1708155396, - "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=", + "lastModified": 1729269463, + "narHash": "sha256-8jDDpC99fYl5CSHjZyPwb5PK7nQSknhkpfe8+DXI910=", "owner": "farcaller", "repo": "nix-kube-generators", - "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88", + "rev": "2be4f3cb99e179d9f94e6c8723862421437f8efb", "type": "github" }, "original": { @@ -666,11 +666,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1739200411, - "narHash": "sha256-9Vil9l0+QIPhEh/97Ehu3yoqaR+5d820F/tMY6rtbYs=", + "lastModified": 1740878204, + "narHash": "sha256-89pRJBO37WyhwcI2gtHjFlymbL+Ov0DlvD7B/eBWz+I=", "owner": "farcaller", "repo": "nixhelm", - "rev": "5b365cdeae7077e6c06524d5317f82a593546b50", + "rev": "f2cbd3e7ff4c435e4842450f7e7173de3172b0ca", "type": "github" }, "original": { 
@@ -772,11 +772,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1737014460, - "narHash": "sha256-u45ycukf/qnwb3EsOHf5KuO7GPxR1noxgkiL5Fra2V4=", + "lastModified": 1740943876, + "narHash": "sha256-5jz7u/lzLE2jpT4OCu+IKwXKWuVS88/NhBouUSnkGNw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d6a640c0d7d42202fdabc93bbfc01430af249e0c", + "rev": "51037fd434106266567884332a9d94635c5ab87e", "type": "github" }, "original": { @@ -852,11 +852,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1736883708, - "narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=", + "lastModified": 1740828860, + "narHash": "sha256-cjbHI+zUzK5CPsQZqMhE3npTyYFt9tJ3+ohcfaOF/WM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8", + "rev": "303bd8071377433a2d8f76e684ec773d70c5b642", "type": "github" }, "original": { @@ -926,11 +926,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1718285706, - "narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=", + "lastModified": 1738741221, + "narHash": "sha256-UiTOA89yQV5YNlO1ZAp4IqJUGWOnTyBC83netvt8rQE=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9", + "rev": "be1fe795035d3d36359ca9135b26dcc5321b31fb", "type": "github" }, "original": { @@ -1095,8 +1095,9 @@ "type": "github" }, "original": { - "id": "systems", - "type": "indirect" + "owner": "nix-systems", + "repo": "default", + "type": "github" } }, "systems_7": { @@ -1173,11 +1174,11 @@ ] }, "locked": { - "lastModified": 1717850719, - "narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=", + "lastModified": 1730120726, + "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed", + "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", "type": "github" }, "original": { 
@@ -1227,11 +1228,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1736154270, - "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=", + "lastModified": 1739829690, + "narHash": "sha256-mL1szCeIsjh6Khn3nH2cYtwO5YXG6gBiTw1A30iGeDU=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b", + "rev": "3d0579f5cc93436052d94b73925b48973a104204", "type": "github" }, "original": { From ffe733385d9a6db2a91fc644f052a32bff042c17 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 9 Mar 2025 10:45:56 +0100 Subject: [PATCH 56/73] immich: 1.128.0 -> 1.129.0 --- globals.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/globals.nix b/globals.nix index 8bf3480..a2e1ac3 100644 --- a/globals.nix +++ b/globals.nix @@ -13,10 +13,10 @@ syncthing = "lscr.io/linuxserver/syncthing:1.29.2"; forgejo = "codeberg.org/forgejo/forgejo:10.0.1"; pihole = "pihole/pihole:2025.02.1"; - immich = "ghcr.io/immich-app/immich-server:v1.128.0"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.128.0"; + immich = "ghcr.io/immich-app/immich-server:v1.129.0"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.129.0"; immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8"; - immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0"; + immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; kitchenowl = "tombursch/kitchenowl:v0.6.10"; cyberchef = "mpepping/cyberchef:latest"; freshrss = "freshrss/freshrss:1.26.0"; From ec300bbae631ed9b71a3e05e7c174ef74ac2fb6a Mon Sep 17 00:00:00 2001 
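Review bot: The `immich-postgres` line in the globals.nix hunk of PATCH 56/73 changes the pinned digest while the tag `pg14-v0.2.0` stays the same, and the subject (`immich: 1.128.0 -> 1.129.0`) does not mention it. A new digest behind an unchanged tag means the image content being deployed changed, so the commit message should record the digest update and where the new digest was taken from, so that the pin remains auditable.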
From: Pim Kunis
Date: Wed, 12 Mar 2025 20:58:20 +0100
Subject: [PATCH 57/73] kitchenowl: 0.6.10 -> 0.6.11 syncthing: 1.29.2 -> 1.29.3

---
 globals.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/globals.nix b/globals.nix
index a2e1ac3..8c03274 100644
--- a/globals.nix
+++ b/globals.nix
@@ -10,14 +10,14 @@
 nextcloud = "nextcloud:30.0.6";
 postgres15 = "postgres:15";
 inbucket = "inbucket/inbucket:edge";
- syncthing = "lscr.io/linuxserver/syncthing:1.29.2";
+ syncthing = "lscr.io/linuxserver/syncthing:1.29.3";
 forgejo = "codeberg.org/forgejo/forgejo:10.0.1";
 pihole = "pihole/pihole:2025.02.1";
 immich = "ghcr.io/immich-app/immich-server:v1.129.0";
 immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.129.0";
 immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8";
 immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52";
- kitchenowl = "tombursch/kitchenowl:v0.6.10";
+ kitchenowl = "tombursch/kitchenowl:v0.6.11";
 cyberchef = "mpepping/cyberchef:latest";
 freshrss = "freshrss/freshrss:1.26.0";
 bind9 = "ubuntu/bind9:9.18-22.04_beta";
From 4309d9a7f060399a79d7e9fb4af29a5338f50444 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 17 Mar 2025 21:00:55 +0100
Subject: [PATCH 58/73] freshrss: 1.26.0 -> 1.26.1

---
 globals.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/globals.nix b/globals.nix
index 8c03274..f28138a 100644
--- a/globals.nix
+++ b/globals.nix
@@ -19,7 +19,7 @@ immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; kitchenowl = "tombursch/kitchenowl:v0.6.11"; cyberchef = "mpepping/cyberchef:latest"; - freshrss = "freshrss/freshrss:1.26.0"; + freshrss = "freshrss/freshrss:1.26.1"; bind9 = "ubuntu/bind9:9.18-22.04_beta"; hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.2"; minecraft = "itzg/minecraft-server:latest"; From dbbe166ef3ecb49c66452590b5137b75abb3a8ce Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 17 Mar 2025 21:34:03 +0100 Subject: [PATCH 59/73] Update flake inputs --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 06a5b1d..75a4d7b 100644 --- a/flake.lock +++ b/flake.lock @@ -386,11 +386,11 @@ ] }, "locked": { - "lastModified": 1740915799, - "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=", + "lastModified": 1742058297, + "narHash": "sha256-b4SZc6TkKw8WQQssbN5O2DaCEzmFfvSTPYHlx/SFW9Y=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732", + "rev": "59f17850021620cd348ad2e9c0c64f4e6325ce2a", "type": "github" }, "original": { @@ -559,11 +559,11 @@ "nginx": { "flake": false, "locked": { - "lastModified": 1740577203, - "narHash": "sha256-76NFp0NDdEgn1bqw17glDPAnEl0NF5vDvs0xCPmUCL4=", + "lastModified": 1741624327, + "narHash": "sha256-O5AHLXzkJUfDjKKzPQcGDhj3L381cGkb58ByJoy1Ttk=", "owner": "nginx", "repo": "nginx", - "rev": "d16251969bf113272b577920940f020524d5fceb", + "rev": "d31305653701bd99e8e5e6aa48094599a08f9f12", "type": "github" }, "original": { 
@@ -666,11 +666,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1740878204, - "narHash": "sha256-89pRJBO37WyhwcI2gtHjFlymbL+Ov0DlvD7B/eBWz+I=", + "lastModified": 1742237758, + "narHash": "sha256-DMQKqoVUPA0ktYnRrgq5eJo3kViZEwW4Es4drULBFTE=", "owner": "farcaller", "repo": "nixhelm", - "rev": "f2cbd3e7ff4c435e4842450f7e7173de3172b0ca", + "rev": "2e60d786f987b452464847f7cfed1b2b6a5f50b8", "type": "github" }, "original": { @@ -772,11 +772,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1740943876, - "narHash": "sha256-5jz7u/lzLE2jpT4OCu+IKwXKWuVS88/NhBouUSnkGNw=", + "lastModified": 1742241638, + "narHash": "sha256-Y/1tCsLOp47lwMTVTdsb/5/ldN0lTFLMHt2dAd9OQEY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "51037fd434106266567884332a9d94635c5ab87e", + "rev": "ee090321f15e3cdc78455c91afbcc1f8745544b3", "type": "github" }, "original": { @@ -852,11 +852,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1740828860, - "narHash": "sha256-cjbHI+zUzK5CPsQZqMhE3npTyYFt9tJ3+ohcfaOF/WM=", + "lastModified": 1742069588, + "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=", "owner": "nixos", "repo": "nixpkgs", - "rev": "303bd8071377433a2d8f76e684ec773d70c5b642", + "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5", "type": "github" }, "original": { From c70084a7b669214b5d2ad2596f42a53d6b7ba9fa Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 17 Mar 2025 21:59:17 +0100 Subject: [PATCH 60/73] Fix Mealie module import --- globals.nix | 1 - nixng-configurations/default.nix | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index f28138a..f2eb013 100644 --- a/globals.nix +++ b/globals.nix @@ -2,7 +2,6 @@ globals = { images = { jellyfin = "jellyfin/jellyfin:10.10.6"; - atuin = "ghcr.io/atuinsh/atuin:18.4.0"; postgres14 = "postgres:14"; kms = "teddysun/kms:latest"; paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.14.7"; 
diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix
index aa10a38..67eed07 100644
--- a/nixng-configurations/default.nix
+++ b/nixng-configurations/default.nix
@@ -45,6 +45,7 @@ in {
 self.nixngModules.sonarr
 self.nixngModules.prowlarr
 self.nixngModules.deluge
+ self.nixngModules.mealie
 self.nixngModules.atuin
 {
 nixpkgs.overlays = [
From b2886545671d3f3b98cc0c0c4f37c64a7faef5a2 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 23 Mar 2025 08:28:59 +0100
Subject: [PATCH 61/73] Add nzbget

---
 flake.lock | 568 +------------------------------
 flake.nix | 5 -
 globals.nix | 32 +-
 modules/bootstrap-default.nix | 1 +
 modules/media.nix | 95 ++++++
 nixng-configurations/default.nix | 2 +
 nixng-configurations/nzbget.nix | 22 ++
 nixng-modules/default.nix | 1 +
 nixng-modules/ids.nix | 2 +
 nixng-modules/nzbget.nix | 49 +++
 11 files changed, 203 insertions(+), 576 deletions(-)
 create mode 100644 nixng-configurations/nzbget.nix
 create mode 100644 nixng-modules/nzbget.nix
diff --git a/flake.lock b/flake.lock
index 75a4d7b..170f25e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -19,47 +19,6 @@ "url": "https://git.kun.is/pim/blog" } }, - "deploy-rs": { - "inputs": { - "flake-compat": "flake-compat_4", - "nixpkgs": "nixpkgs_4", - "utils": "utils" - }, - "locked": { - "lastModified": 1727447169, - "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", - "owner": "serokell", - "repo": "deploy-rs", - "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", - "type": "github" - }, - "original": { - "owner": "serokell", - "repo": "deploy-rs", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "servers", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729712798, - "narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=", - "owner": "nix-community", - "repo": "disko", - "rev": "09a776702b004fdf9c41a024e1299d575ee18a7d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, "dns": { "inputs": { "flake-utils": "flake-utils", @@ -81,28 +40,6 @@ "type": "github" } }, - "dns_2": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixpkgs": [ - "servers", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1726867691, - "narHash": "sha256-IK3r16N9pizf53AipOmrcrcyjVsPJwC4PI5hIqEyKwQ=", - "owner": "kirelagin", - "repo": "dns.nix", - "rev": "a3196708a56dee76186a9415c187473b94e6cbae", - "type": "github" - }, - "original": { - "owner": "kirelagin", - "repo": "dns.nix", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { 
@@ -151,70 +88,6 @@ "type": "github" } }, - "flake-compat_4": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_5": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_6": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_7": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ 
@@ -236,28 +109,6 @@ "type": "github" } }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "servers", - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { "locked": { "lastModified": 1614513358, @@ -326,39 +177,6 @@ "type": "github" } }, - "flake-utils_5": { - "locked": { - "lastModified": 1614513358, - "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_6": { - "inputs": { - "systems": "systems_8" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flutils": { "inputs": { "systems": "systems" @@ -399,30 +217,6 @@ "type": "github" } }, - "git-hooks_2": { - "inputs": { - "flake-compat": "flake-compat_5", - "gitignore": "gitignore_2", - "nixpkgs": [ - "servers", - "nixpkgs-unstable" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1730302582, - "narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, "gitignore": { "inputs": { "nixpkgs": [ 
@@ -444,28 +238,6 @@ "type": "github" } }, - "gitignore_2": { - "inputs": { - "nixpkgs": [ - "servers", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, "globset": { "inputs": { "nixpkgs-lib": [ @@ -532,30 +304,6 @@ "type": "github" } }, - "kubenix_2": { - "inputs": { - "flake-compat": "flake-compat_6", - "nixpkgs": [ - "servers", - "nixpkgs-unstable" - ], - "systems": "systems_9", - "treefmt": "treefmt_2" - }, - "locked": { - "lastModified": 1717788185, - "narHash": "sha256-Uc6QSQqJa2lyv/1W4StwoKrjtq7cFjlKNhdrtanToGo=", - "owner": "pizzapim", - "repo": "kubenix", - "rev": "a9590abe23a2f7577bc3271d90955e9ccc2923fe", - "type": "github" - }, - "original": { - "owner": "pizzapim", - "repo": "kubenix", - "type": "github" - } - }, "nginx": { "flake": false, "locked": { @@ -632,29 +380,6 @@ "type": "github" } }, - "nix-snapshotter_2": { - "inputs": { - "flake-compat": "flake-compat_7", - "flake-parts": "flake-parts_2", - "nixpkgs": [ - "servers", - "nixpkgs-unstable" - ] - }, - "locked": { - "lastModified": 1729627456, - "narHash": "sha256-TCZdXCmnqCPsd3PjLv/LDSKJhTspLliL0DE+c/XP9BY=", - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "rev": "f2957822a3748c91e678657a1cfd009b0440bbfd", - "type": "github" - }, - "original": { - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "type": "github" - } - }, "nixhelm": { "inputs": { "flake-utils": "flake-utils_3", 
@@ -701,59 +426,6 @@ "type": "github" } }, - "nixng_2": { - "inputs": { - "nixpkgs": [ - "servers", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1726571270, - "narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=", - "owner": "pizzapim", - "repo": "NixNG", - "rev": "9538892da603608f0176d07d33b1265e038c0adf", - "type": "github" - }, - "original": { - "owner": "pizzapim", - "ref": "dnsmasq", - "repo": "NixNG", - "type": "github" - } - }, - "nixos-facter-modules": { - "locked": { - "lastModified": 1730737399, - "narHash": "sha256-PzJrTMhHb9f46uMxmRD4GjnyVuNqxeyEvxaq7OierUQ=", - "owner": "numtide", - "repo": "nixos-facter-modules", - "rev": "c22b916f629fee6941a2976c62247b0bec68082b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "nixos-facter-modules", - "type": "github" - } - }, - "nixos-hardware": { - "locked": { - "lastModified": 1729742320, - "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1714076141, 
@@ -786,54 +458,6 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1720386169, - "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_2": { - "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1729818716, - "narHash": "sha256-XRfkUsxLzFkMn3Tpstio1gNOIQ+2PZPCKbifJ2IXxlw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "062c4f59744fcffa2e5aa3ef443dc8b4d1674ed6", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1726871744, 
@@ -867,38 +491,6 @@ } }, "nixpkgs_4": { - "locked": { - "lastModified": 1702272962, - "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1726871744, - "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_6": { "locked": { "lastModified": 1735554305, "narHash": "sha256-zExSA1i/b+1NMRhGGLtNfFGXgLtgo+dcuzHzaWA6w3Q=", 
@@ -952,63 +544,7 @@ "nixng": "nixng", "nixpkgs": "nixpkgs_3", "nixpkgs-master": "nixpkgs-master", - "servers": "servers", - "treefmt-nix": "treefmt-nix_4" - } - }, - "servers": { - "inputs": { - "deploy-rs": "deploy-rs", - "disko": "disko", - "dns": "dns_2", - "flake-utils": "flake-utils_6", - "git-hooks": "git-hooks_2", - "kubenix": "kubenix_2", - "nix-snapshotter": "nix-snapshotter_2", - "nixng": "nixng_2", - "nixos-facter-modules": "nixos-facter-modules", - "nixos-hardware": "nixos-hardware", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-unstable": "nixpkgs-unstable", - "sops-nix": "sops-nix", "treefmt-nix": "treefmt-nix_3" - }, - "locked": { - "lastModified": 1733068232, - "narHash": "sha256-iZJ/cq07OVk2TQy6UV9JaXgLARQqJedmuPIHTtgVeeo=", - "ref": "refs/heads/master", - "rev": "68b79e086c4cc6b850ba12c60f3a978d18bd41b1", - "revCount": 495, - "type": "git", - "url": "https://git.kun.is/home/nixos-servers" - }, - "original": { - "type": "git", - "url": "https://git.kun.is/home/nixos-servers" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "servers", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_2" - }, - "locked": { - "lastModified": 1729775275, - "narHash": "sha256-J2vtHq9sw1wWm0aTMXpEEAzsVCUMZDTEe5kiBYccpLE=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "78a0e634fc8981d6b564f08b6715c69a755c4c7d", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" } }, "systems": { 
@@ -1100,50 +636,6 @@ "type": "github" } }, - "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_8": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_9": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "id": "systems", - "type": "indirect" - } - }, "treefmt": { "inputs": { "nixpkgs": [ @@ -1207,25 +699,7 @@ }, "treefmt-nix_3": { "inputs": { - "nixpkgs": "nixpkgs_5" - }, - "locked": { - "lastModified": 1730025913, - "narHash": "sha256-Y9NtFmP8ciLyRsopcCx1tyoaaStKeq+EndwtGCgww7I=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "bae131e525cc8718da22fbeb8d8c7c43c4ea502a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_4": { - "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1739829690, 
@@ -1240,46 +714,6 @@ "repo": "treefmt-nix", "type": "github" } - }, - "treefmt_2": { - "inputs": { - "nixpkgs": [ - "servers", - "kubenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1688026376, - "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "utils": { - "inputs": { - "systems": "systems_7" - }, - "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 0a2c12d..673b304 100644 --- a/flake.nix +++ b/flake.nix @@ -28,11 +28,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - servers = { - url = "git+https://git.kun.is/home/nixos-servers"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixng = { url = "github:pizzapim/NixNG/dinit-fixes"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/globals.nix b/globals.nix index f2eb013..92cdbee 100644 --- a/globals.nix +++ b/globals.nix @@ -1,4 +1,4 @@ -{servers, ...}: let +{...}: { globals = { images = { jellyfin = "jellyfin/jellyfin:10.10.6"; 
@@ -33,7 +33,33 @@
 hasMedia = "true";
 };
 };
+
+ routerPublicIPv4 = "192.145.57.90";
+ routerPublicIPv6 = "2a0d:6e00:1a77::1";
+ bind9Ipv6 = "2a0d:6e00:1a77:30::134";
+
+ # Load balancer IPv4
+ traefikIPv4 = "192.168.30.128";
+ kmsIPv4 = "192.168.30.129";
+ inbucketIPv4 = "192.168.30.130";
+ piholeIPv4 = "192.168.30.131";
+ gitIPv4 = "192.168.30.132";
+ transmissionIPv4 = "192.168.30.133";
+ bind9IPv4 = "192.168.30.134";
+ dnsmasqIPv4 = "192.168.30.135";
+ minecraftIPv4 = "192.168.30.136";
+ jellyseerrIPv4 = "192.168.30.137";
+ syncthingIPv4 = "192.168.30.138";
+ longhornIPv4 = "192.168.30.139";
+ radarrIPv4 = "192.168.30.140";
+ prowlarrIPv4 = "192.168.30.141";
+ sonarrIPv4 = "192.168.30.142";
+ bazarrIPv4 = "192.168.30.143";
+ paperlessIPv4 = "192.168.30.144";
+ radicaleIPv4 = "192.168.30.145";
+ freshrssIPv4 = "192.168.30.146";
+ immichIPv4 = "192.168.30.147";
+ nextcloudIPv4 = "192.168.30.148";
+ nzbgetIPv4 = "192.168.30.149";
 };
-in {
- globals = globals // servers.globals;
 }
diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix
index e685d58..32f4d69 100644
--- a/modules/bootstrap-default.nix
+++ b/modules/bootstrap-default.nix
@@ -124,6 +124,7 @@
 authentik-redis.storage = "5Gi";
 mealie.storage = "3Gi";
 music.storage = "70Gi";
+ nzbget.storage = "150Mi";
 };

 tailscaleIngresses.tailscale-longhorn = {
diff --git a/modules/media.nix b/modules/media.nix
index 43e629b..a9b4565 100644
--- a/modules/media.nix
+++ b/modules/media.nix
@@ -16,6 +16,7 @@ in {
 prowlarr.enable = (lib.mkEnableOption "prowlarr") // {default = true;};
 sonarr.enable = (lib.mkEnableOption "sonarr") // {default = true;};
 bazarr.enable = (lib.mkEnableOption "bazarr") // {default = true;};
+ nzbget.enable = (lib.mkEnableOption "nzbget") // {default = true;};
 };

 config = lib.mkIf cfg.enable {
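Review bot: The router's public IPv4/IPv6 and the complete 192.168.30.128–149 load-balancer allocation become literal values in this flake, where the removed `servers` input used to supply them; if this repository is published, the home network's external addresses and its internal service map go with it, so that should be a deliberate choice (the later "Move to new house" patch touches globals.nix again, presumably for exactly these values). Nothing in the block prevents two services from being handed the same `loadBalancerIP`; a comment stating the invariant, `# Load balancer IPv4: one address per LoadBalancer service, keep unique within the pool`, would help, and an assertion over `lib.unique` could enforce it. Naming is also inconsistent: `bind9Ipv6` sits next to `bind9IPv4` and `routerPublicIPv6`. The `globals` attribute set this hunk extends starts before the hunk.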
@@ -184,6 +185,73 @@ in {
 };
 };

+ nzbget = lib.mkIf cfg.nzbget.enable {
+ spec = {
+ selector.matchLabels = {
+ app = "media";
+ component = "nzbget";
+ };
+
+ strategy = {
+ type = "RollingUpdate";
+
+ rollingUpdate = {
+ maxSurge = 0;
+ maxUnavailable = 1;
+ };
+ };
+
+ template = {
+ metadata.labels = {
+ app = "media";
+ component = "nzbget";
+ };
+
+ spec = {
+ containers.nzbget = {
+ image = utils.mkNixNGImage "nzbget";
+ imagePullPolicy = "IfNotPresent";
+ stdin = true;
+ tty = true;
+
+ ports.web.containerPort = 6789;
+
+ volumeMounts = [
+ {
+ name = "config";
+ mountPath = "/home/nzbget";
+ }
+ {
+ name = "media";
+ mountPath = "/media";
+ }
+ ];
+ };
+
+ volumes = {
+ config.persistentVolumeClaim.claimName = "nzbget";
+ media.hostPath = {
+ path = "/mnt/longhorn/persistent/media";
+ type = "Directory";
+ };
+ };
+
+ affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [
+ {
+ matchExpressions = [
+ {
+ key = "hasMedia";
+ operator = "In";
+ values = ["true"];
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+ };
+
 jellyseerr = lib.mkIf cfg.jellyseerr.enable {
 spec = {
 selector.matchLabels = {
@@ -642,6 +710,23 @@ in {
 };
 };
 };
+
+ nzbget = lib.mkIf cfg.nzbget.enable {
+ spec = {
+ type = "LoadBalancer";
+ loadBalancerIP = globals.nzbgetIPv4;
+
+ selector = {
+ app = "media";
+ component = "nzbget";
+ };
+
+ ports.web = {
+ port = 80;
+ targetPort = "web";
+ };
+ };
+ };
 };

 persistentVolumeClaims.jellyfin-cache = lib.mkIf cfg.jellyfin.enable {
@@ -704,6 +789,11 @@ in {
 host = "deluge";
 service.name = "deluge";
 };
+
+ tailscale-nzbget = lib.mkIf cfg.nzbget.enable {
+ host = "nzbget";
+ service.name = "nzbget";
+ };
 };

 longhorn.persistentVolumeClaim = {
@@ -746,6 +836,11 @@ in {
 volumeName = "music";
 storage = "70Gi";
 };
+
+ nzbget = lib.mkIf cfg.nzbget.enable {
+ volumeName = "nzbget";
+ storage = "150Mi";
+ };
 };
 };
 };
diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix
index 67eed07..3ab28c1 100644
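Review bot: The new `containers.nzbget` spec carries no `securityContext` while it mounts the host directory `/mnt/longhorn/persistent/media` through `hostPath`, so nothing on the Kubernetes side constrains what the container does with that tree; this mirrors the neighbouring media deployments, so it is a shared habit rather than a regression, but nzbget is the pod that writes there. Since the image is a NixNG container whose init presumably starts as root and only drops to the `nzbget` user for the service, `runAsNonRoot` does not apply, but `securityContext.allowPrivilegeEscalation = false;` on the container is free, and the reliance on host-side ownership should be stated, e.g. `# media is shared host storage: access control is the host filesystem's uid/gid (nzbget user + media group), not Kubernetes`. `stdin = true; tty = true;` look copied from the other deployments; if nzbget does not need an attached terminal, drop them or add a comment saying why they stay. The attribute set holding the other media deployments starts before this hunk.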
--- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -23,6 +23,7 @@ flake-utils.lib.eachDefaultSystem (system: let deluge = ./deluge.nix; mealie = ./mealie.nix; atuin = ./atuin.nix; + nzbget = ./nzbget.nix; }; in { nixngConfigurations = builtins.mapAttrs (name: configFile: @@ -47,6 +48,7 @@ in { self.nixngModules.deluge self.nixngModules.mealie self.nixngModules.atuin + self.nixngModules.nzbget { nixpkgs.overlays = [ (_final: _prev: { diff --git a/nixng-configurations/nzbget.nix b/nixng-configurations/nzbget.nix new file mode 100644 index 0000000..5a85465 --- /dev/null +++ b/nixng-configurations/nzbget.nix @@ -0,0 +1,22 @@ +{ + lib, + nglib, + config, + ... +}: { + dinit.enable = true; + + init.services.nzbget = { + shutdownOnExit = true; + group = lib.mkForce "media"; + }; + + services.nzbget = { + enable = true; + }; + + users.groups.media = nglib.mkDefaultRec { + gid = config.ids.gids.media; + members = ["nzbget"]; + }; +} diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix index 01f9eed..05c22df 100644 --- a/nixng-modules/default.nix +++ b/nixng-modules/default.nix @@ -10,5 +10,6 @@ _: { deluge = import ./deluge.nix; mealie = import ./mealie.nix; atuin = import ./atuin.nix; + nzbget = import ./nzbget.nix; }; } diff --git a/nixng-modules/deluge.nix b/nixng-modules/deluge.nix index db5917e..505f4bf 100644 --- a/nixng-modules/deluge.nix +++ b/nixng-modules/deluge.nix @@ -73,7 +73,7 @@ in { users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "deluge") (nglib.mkDefaultRec { description = "deluge"; - group = cfgInit.group; + inherit (cfgInit) group; createHome = true; home = "/home/deluge"; useDefaultShell = true; diff --git a/nixng-modules/ids.nix b/nixng-modules/ids.nix index 1470307..f113fe9 100644 --- a/nixng-modules/ids.nix +++ b/nixng-modules/ids.nix @@ -10,6 +10,7 @@ deluge = 414; mealie = 415; atuin = 416; + nzbget = 417; }; gids = { 
@@ -23,6 +24,7 @@
 deluge = 414;
 mealie = 415;
 atuin = 416;
+ nzbget = 417;
 };
 };
 }
diff --git a/nixng-modules/nzbget.nix b/nixng-modules/nzbget.nix
new file mode 100644
index 0000000..428f51a
--- /dev/null
+++ b/nixng-modules/nzbget.nix
@@ -0,0 +1,49 @@
+{
+ pkgs,
+ lib,
+ nglib,
+ config,
+ ...
+}: let
+ cfg = config.services.nzbget;
+ cfgInit = config.init.services.nzbget;
+ stateDir = "/home/nzbget";
+ configFile = "${stateDir}/nzbget.conf";
+in {
+ options.services.nzbget = {
+ enable = lib.mkEnableOption "nzbget";
+ package = lib.mkPackageOption pkgs "nzbget" {};
+ };
+
+ config = lib.mkIf cfg.enable {
+ init.services.nzbget = {
+ enabled = true;
+ user = lib.mkDefault "nzbget";
+ group = lib.mkDefault "nzbget";
+
+ execStartPre = pkgs.writeShellScript "nzbget-pre.sh" ''
+ if [ ! -f ${configFile} ]; then
+ ${pkgs.coreutils}/bin/install -m 0700 ${cfg.package}/share/nzbget/nzbget.conf ${configFile}
+ fi
+ '';
+
+ script = pkgs.writeShellScript "nzbget-run.sh" ''
+ umask 0002
+ ${lib.getExe cfg.package} --server --configfile ${configFile}
+ '';
+ };
+
+ environment.systemPackages = with pkgs; [cfg.package unrar p7zip];
+
+ users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "nzbget") (nglib.mkDefaultRec {
+ description = "nzbget";
+ inherit (cfgInit) group;
+ createHome = true;
+ home = "/home/nzbget";
+ useDefaultShell = true;
+ uid = config.ids.uids.nzbget;
+ });
+
+ users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "nzbget") (nglib.mkDefaultRec {gid = config.ids.gids.nzbget;});
+ };
+}
From db099f38f3357e7a7b988a3e4aaf83dfb318b67c Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Tue, 25 Mar 2025 23:02:14 +0100
Subject: [PATCH 62/73] forgejo: 10.0.1 -> 10.0.3 immich: 1.129.0 -> 1.130.1
---
globals.nix | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/globals.nix b/globals.nix
index 92cdbee..0ab825f 100644
--- a/globals.nix
+++ b/globals.nix
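Review bot: `execStartPre` seeds the state directory with the package's stock `nzbget.conf` unchanged, so the first start runs with whatever upstream's sample config contains — as far as I recall that includes a default `ControlUsername`/`ControlPassword` pair — and because the Kubernetes side publishes the UI on a LoadBalancer address and a Tailscale ingress, anyone on those networks can log in with the defaults until someone changes them in the web UI. Passing the credential at start time instead (nzbget accepts `-o Option=Value` overrides on its command line, if memory serves, so `--configfile ${configFile} -o ControlPassword=...` read from a secret would do) avoids ever running with the sample password; at minimum add `# NOTE: the stock nzbget.conf ships upstream's default control credentials; rotate ControlPassword before exposing the UI` above the `install` line. Separately, `install -m 0700` sets an execute bit on a plain config file for no reason; `-m 0600` is the conventional mode for a file that will hold credentials. Whether `execStartPre` runs as root or as `${cfgInit.user}` under dinit decides who owns that file; with a 0600/0700 mode the service user must own it, so if the pre-script runs as root an explicit `-o`/`-g` on `install` is needed — worth confirming against how the deluge module does it.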
@@ -1,4 +1,4 @@ -{...}: { +_: { globals = { images = { jellyfin = "jellyfin/jellyfin:10.10.6"; @@ -10,10 +10,10 @@ postgres15 = "postgres:15"; inbucket = "inbucket/inbucket:edge"; syncthing = "lscr.io/linuxserver/syncthing:1.29.3"; - forgejo = "codeberg.org/forgejo/forgejo:10.0.1"; + forgejo = "codeberg.org/forgejo/forgejo:10.0.3"; pihole = "pihole/pihole:2025.02.1"; - immich = "ghcr.io/immich-app/immich-server:v1.129.0"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.129.0"; + immich = "ghcr.io/immich-app/immich-server:v1.130.1"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.130.1"; immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; kitchenowl = "tombursch/kitchenowl:v0.6.11"; From 77ec4f6cd07056d9d2bdab605b97ee4150bfbe35 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 27 Mar 2025 21:43:48 +0100 Subject: [PATCH 63/73] immich: 1.130.1 -> 1.130.3 --- globals.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/globals.nix b/globals.nix index 0ab825f..f33c975 100644 --- a/globals.nix +++ b/globals.nix 
@@ -12,8 +12,8 @@ _: { syncthing = "lscr.io/linuxserver/syncthing:1.29.3"; forgejo = "codeberg.org/forgejo/forgejo:10.0.3"; pihole = "pihole/pihole:2025.02.1"; - immich = "ghcr.io/immich-app/immich-server:v1.130.1"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.130.1"; + immich = "ghcr.io/immich-app/immich-server:v1.130.3"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.130.3"; immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; kitchenowl = "tombursch/kitchenowl:v0.6.11"; From 02bb8127d54ddc47ea21c2edff8bbd0ff6dec64b Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 1 Apr 2025 21:49:21 +0200 Subject: [PATCH 64/73] syncthing: 1.29.3 -> 1.29.4 immich: 1.130.3 -> 1.131.2 --- globals.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/globals.nix b/globals.nix index f33c975..5174321 100644 --- a/globals.nix +++ b/globals.nix 
@@ -9,11 +9,11 @@ _: { nextcloud = "nextcloud:30.0.6"; postgres15 = "postgres:15"; inbucket = "inbucket/inbucket:edge"; - syncthing = "lscr.io/linuxserver/syncthing:1.29.3"; + syncthing = "lscr.io/linuxserver/syncthing:1.29.4"; forgejo = "codeberg.org/forgejo/forgejo:10.0.3"; pihole = "pihole/pihole:2025.02.1"; - immich = "ghcr.io/immich-app/immich-server:v1.130.3"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.130.3"; + immich = "ghcr.io/immich-app/immich-server:v1.131.2"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.131.2"; immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; kitchenowl = "tombursch/kitchenowl:v0.6.11"; From 7c162332dee1c7b968856efd6aa423da3fd5400a Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 5 Apr 2025 08:20:13 +0200 Subject: [PATCH 65/73] immich: 1.131.2 -> 1.131.3 --- globals.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/globals.nix b/globals.nix index 5174321..2cdc542 100644 --- a/globals.nix +++ b/globals.nix @@ -12,8 +12,8 @@ _: { syncthing = "lscr.io/linuxserver/syncthing:1.29.4"; forgejo = "codeberg.org/forgejo/forgejo:10.0.3"; pihole = "pihole/pihole:2025.02.1"; - immich = "ghcr.io/immich-app/immich-server:v1.131.2"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.131.2"; + immich = "ghcr.io/immich-app/immich-server:v1.131.3"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.131.3"; immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; kitchenowl = "tombursch/kitchenowl:v0.6.11"; 
From 1f882ef5cff91620d04c682e35734dcb2be4be79 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 6 Apr 2025 14:32:54 +0200 Subject: [PATCH 66/73] jellyfin: 10.10.6 -> 10.10.7 --- globals.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index 2cdc542..9b09298 100644 --- a/globals.nix +++ b/globals.nix @@ -1,7 +1,7 @@ _: { globals = { images = { - jellyfin = "jellyfin/jellyfin:10.10.6"; + jellyfin = "jellyfin/jellyfin:10.10.7"; postgres14 = "postgres:14"; kms = "teddysun/kms:latest"; paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.14.7"; From 835df1b97c62bf0c892a3899bc84dc4978d065c5 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 11 Apr 2025 19:35:44 +0200 Subject: [PATCH 67/73] paperless-ngx: 2.14.7 -> 2.15.1 hedgedoc: 1.10.2 -> 1.10.3 --- globals.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/globals.nix b/globals.nix index 9b09298..7e7d498 100644 --- a/globals.nix +++ b/globals.nix @@ -4,7 +4,7 @@ _: { jellyfin = "jellyfin/jellyfin:10.10.7"; postgres14 = "postgres:14"; kms = "teddysun/kms:latest"; - paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.14.7"; + paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.15.1"; redis7 = "docker.io/library/redis:7"; nextcloud = "nextcloud:30.0.6"; postgres15 = "postgres:15"; @@ -20,7 +20,7 @@ _: { cyberchef = "mpepping/cyberchef:latest"; freshrss = "freshrss/freshrss:1.26.1"; bind9 = "ubuntu/bind9:9.18-22.04_beta"; - hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.2"; + hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.3"; minecraft = "itzg/minecraft-server:latest"; }; From ab4c0650533642d40d14bb22ca58fac237ddac1d Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 12 Apr 2025 12:12:04 +0200 Subject: [PATCH 68/73] Use Prowlarr from branch --- flake.lock | 17 +++++++++++++++++ flake.nix | 1 + nixng-configurations/default.nix | 4 +++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index 170f25e..d8fa2dc 100644 
--- a/flake.lock +++ b/flake.lock @@ -458,6 +458,22 @@ "type": "github" } }, + "nixpkgs-prowlarr": { + "locked": { + "lastModified": 1744321727, + "narHash": "sha256-+DCwKaFrUQAgFN4DLwQu7/FyX58m35hJ1u6eNaSv7v4=", + "owner": "rhoriguchi", + "repo": "nixpkgs", + "rev": "07251d38564ea52ccb36255222709a59c18a5677", + "type": "github" + }, + "original": { + "owner": "rhoriguchi", + "ref": "prowlarr", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1726871744, @@ -544,6 +560,7 @@ "nixng": "nixng", "nixpkgs": "nixpkgs_3", "nixpkgs-master": "nixpkgs-master", + "nixpkgs-prowlarr": "nixpkgs-prowlarr", "treefmt-nix": "treefmt-nix_3" } }, diff --git a/flake.nix b/flake.nix index 673b304..815df0d 100644 --- a/flake.nix +++ b/flake.nix @@ -4,6 +4,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-master.url = "github:nixos/nixpkgs/master"; + nixpkgs-prowlarr.url = "github:rhoriguchi/nixpkgs/prowlarr"; flake-utils.url = "github:numtide/flake-utils"; treefmt-nix.url = "github:numtide/treefmt-nix"; blog.url = "git+https://git.kun.is/pim/blog"; diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index 3ab28c1..c2a60d5 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -6,6 +6,7 @@ blog, nixpkgs, nixpkgs-master, + nixpkgs-prowlarr, ... }: flake-utils.lib.eachDefaultSystem (system: let @@ -53,7 +54,8 @@ in { nixpkgs.overlays = [ (_final: _prev: { # From master branch - inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr prowlarr; + inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr; + inherit (nixpkgs-prowlarr.legacyPackages.${system}) prowlarr; }) ]; } From d1e4c164ecd869a8a8853eda85c3d20952b8709f Mon Sep 17 00:00:00 2001 
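Review bot: `nixpkgs-prowlarr.url = "github:rhoriguchi/nixpkgs/prowlarr"` makes the build depend on a branch of a personal nixpkgs fork; flake.lock pins it to a rev and narHash today, so the current build is reproducible, but every `nix flake update` will follow whatever that branch head becomes, and a fork branch can be rewritten or deleted by its owner at any time. Pinning the URL to the commit the lock already records (`github:rhoriguchi/nixpkgs/07251d38564ea52ccb36255222709a59c18a5677`) or documenting the exit condition, e.g. `# Temporary: prowlarr from an unmerged nixpkgs change; drop this input once it lands in nixos-unstable`, keeps the supply-chain exposure bounded and reminds whoever updates later. The overlay change in nixng-configurations/default.nix in the same patch inherits only `prowlarr` from this input, which is the right scoping. The `inputs` set that the flake.nix hunk extends starts before the hunk.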
From: Pim Kunis Date: Sun, 20 Apr 2025 10:54:53 +0200 Subject: [PATCH 69/73] paperless-ngx: 2.15.1 -> 2.15.3 syncthing: 1.29.4 -> 1.29.5 forgejo: 10.0.3 -> 11.0.0 --- globals.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/globals.nix b/globals.nix index 7e7d498..d5f184d 100644 --- a/globals.nix +++ b/globals.nix @@ -4,13 +4,13 @@ _: { jellyfin = "jellyfin/jellyfin:10.10.7"; postgres14 = "postgres:14"; kms = "teddysun/kms:latest"; - paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.15.1"; + paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.15.3"; redis7 = "docker.io/library/redis:7"; nextcloud = "nextcloud:30.0.6"; postgres15 = "postgres:15"; inbucket = "inbucket/inbucket:edge"; - syncthing = "lscr.io/linuxserver/syncthing:1.29.4"; - forgejo = "codeberg.org/forgejo/forgejo:10.0.3"; + syncthing = "lscr.io/linuxserver/syncthing:1.29.5"; + forgejo = "codeberg.org/forgejo/forgejo:11.0.0"; pihole = "pihole/pihole:2025.02.1"; immich = "ghcr.io/immich-app/immich-server:v1.131.3"; immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.131.3"; From 2371c6f03ff9f2503f31827302210eefed954676 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 24 Apr 2025 09:36:35 +0200 Subject: [PATCH 70/73] immich: 1.131.3 -> 1.132.1 --- globals.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/globals.nix b/globals.nix index d5f184d..1ce4536 100644 --- a/globals.nix +++ b/globals.nix 
@@ -12,9 +12,9 @@ _: { syncthing = "lscr.io/linuxserver/syncthing:1.29.5"; forgejo = "codeberg.org/forgejo/forgejo:11.0.0"; pihole = "pihole/pihole:2025.02.1"; - immich = "ghcr.io/immich-app/immich-server:v1.131.3"; - immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.131.3"; - immich-redis = "docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8"; + immich = "ghcr.io/immich-app/immich-server:v1.132.1"; + immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.132.1"; + immich-redis = "docker.io/valkey/valkey:8-bookworm@sha256:42cba146593a5ea9a622002c1b7cba5da7be248650cbb64ecb9c6c33d29794b1"; immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; kitchenowl = "tombursch/kitchenowl:v0.6.11"; cyberchef = "mpepping/cyberchef:latest"; From 241847c7c78bf28f0112d7b68872a5285f86c438 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 30 Apr 2025 22:29:13 +0200 Subject: [PATCH 71/73] Move to new house --- applyset-deploy.sh | 6 +++--- globals.nix | 4 ++-- modules/bind9/default.nix | 2 ++ modules/bind9/kun.is.zone.nix | 10 ++++++---- 4 files changed, 13 insertions(+), 9 deletions(-) diff --git a/applyset-deploy.sh b/applyset-deploy.sh index 397cfbb..f7ec8e7 100644 --- a/applyset-deploy.sh +++ b/applyset-deploy.sh @@ -23,7 +23,7 @@ done first_server="${SERVERS%% *}" previous_manifest=$( - envsubst < Date: Sat, 3 May 2025 10:25:27 +0200 Subject: [PATCH 72/73] forgejo: 11.0.0 -> 11.0.1 --- globals.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index 296b4f5..3e92f75 100644 --- a/globals.nix +++ b/globals.nix 
@@ -10,7 +10,7 @@ _: { postgres15 = "postgres:15"; inbucket = "inbucket/inbucket:edge"; syncthing = "lscr.io/linuxserver/syncthing:1.29.5"; - forgejo = "codeberg.org/forgejo/forgejo:11.0.0"; + forgejo = "codeberg.org/forgejo/forgejo:11.0.1"; pihole = "pihole/pihole:2025.02.1"; immich = "ghcr.io/immich-app/immich-server:v1.132.1"; immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.132.1"; From 86349adba93243f2eb0dc35495d70532ce371a61 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 4 May 2025 09:36:54 +0200 Subject: [PATCH 73/73] freshrss: 1.26.1 -> 1.26.2 --- globals.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/globals.nix b/globals.nix index 3e92f75..9085f1b 100644 --- a/globals.nix +++ b/globals.nix @@ -18,7 +18,7 @@ _: { immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; kitchenowl = "tombursch/kitchenowl:v0.6.11"; cyberchef = "mpepping/cyberchef:latest"; - freshrss = "freshrss/freshrss:1.26.1"; + freshrss = "freshrss/freshrss:1.26.2"; bind9 = "ubuntu/bind9:9.18-22.04_beta"; hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.3"; minecraft = "itzg/minecraft-server:latest";