This commit is contained in:
Daniel Flanagan 2023-09-28 12:29:21 -05:00
parent 4d719bfbbe
commit 5f63c11c18
Signed by: lytedev
GPG key ID: 5B2020A0F9921EF4
4 changed files with 88 additions and 12 deletions


@ -26,7 +26,7 @@
# TODO: enable dark theme by default # TODO: enable dark theme by default
enable = true; enable = true;
package = (pkgs.firefox.override { extraNativeMessagingHosts = [ pkgs.passff-host ]; }); package = (pkgs.firefox-wayland.override { extraNativeMessagingHosts = [ pkgs.passff-host ]; });
# extensions = with pkgs.nur.repos.rycee.firefox-addons; [ # extensions = with pkgs.nur.repos.rycee.firefox-addons; [
# ublock-origin # ublock-origin


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running 'nixos-help'). # and in the NixOS manual (accessible by running 'nixos-help').
{ modulesPath, config, pkgs, ... }: rec { { modulesPath, config, pkgs, ... }: {
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
../modules/intel.nix ../modules/intel.nix
@ -45,7 +45,7 @@
enable = true; enable = true;
port = 5757; port = 5757;
stateDir = "/var/lib/api-lyte-dev"; stateDir = "/var/lib/api-lyte-dev";
configFile = sops.secrets."api.lyte.dev".path; configFile = config.sops.secrets."api.lyte.dev".path;
user = "api-lyte-dev"; user = "api-lyte-dev";
group = user; group = user;
}; };
@ -83,16 +83,32 @@
# "myservice/my_subdir/my_secret" = { }; # "myservice/my_subdir/my_secret" = { };
"api.lyte.dev" = { "api.lyte.dev" = {
path = "${services.api-lyte-dev.stateDir}/secrets.json"; path = "${config.services.api-lyte-dev.stateDir}/secrets.json";
# TODO: would be cool to assert that it's correctly-formatted JSON? # TODO: would be cool to assert that it's correctly-formatted JSON?
mode = "0440"; mode = "0440";
owner = services.api-lyte-dev.user; owner = config.services.api-lyte-dev.user;
group = services.api-lyte-dev.group; group = config.services.api-lyte-dev.group;
}; };
plausible-admin-password = { }; plausible-admin-password = {
plausible-erlang-cookie = { }; # TODO: path = "${config.systemd.services.plausible.serviceConfig.WorkingDirectory}/plausible-admin-password.txt";
plausible-secret-key-base = { }; path = "/var/lib/plausible/plausible-admin-password";
mode = "0440";
owner = config.systemd.services.plausible.serviceConfig.User;
group = config.systemd.services.plausible.serviceConfig.Group;
};
plausible-erlang-cookie = {
path = "/var/lib/plausible/plausible-erlang-cookie";
mode = "0440";
owner = config.systemd.services.plausible.serviceConfig.User;
group = config.systemd.services.plausible.serviceConfig.Group;
};
plausible-secret-key-base = {
path = "/var/lib/plausible/plausible-secret-key-base";
mode = "0440";
owner = config.systemd.services.plausible.serviceConfig.User;
group = config.systemd.services.plausible.serviceConfig.Group;
};
}; };
}; };
@ -123,6 +139,10 @@
networking.hostName = "beefcake"; networking.hostName = "beefcake";
users.extraGroups = {
"plausible" = { };
"lytedev" = { };
};
users.groups.daniel.members = [ "daniel" ]; users.groups.daniel.members = [ "daniel" ];
users.groups.nixadmin.members = [ "daniel" ]; users.groups.nixadmin.members = [ "daniel" ];
@ -174,6 +194,13 @@
createHome = true; createHome = true;
}; };
users.users.plausible = {
# used for anonymous samba access
isSystemUser = true;
createHome = false;
group = "plausible";
};
environment.systemPackages = [ pkgs.linuxquota ]; environment.systemPackages = [ pkgs.linuxquota ];
# TODO: make the client declarative? right now I think it's manually git # TODO: make the client declarative? right now I think it's manually git
@ -202,11 +229,29 @@
enable = true; enable = true;
adapter = "caddyfile"; adapter = "caddyfile";
# acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
# TODO: there are some hardcoded ports here!
# https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
configFile = pkgs.writeText "Caddyfile" '' configFile = pkgs.writeText "Caddyfile" ''
video.lyte.dev { video.lyte.dev {
reverse_proxy :8096 reverse_proxy :8096
} }
# lidarr.h.lyte.dev {
# reverse_proxy :8686
# }
# radarr.h.lyte.dev {
# reverse_proxy :7878
# }
# sonarr.h.lyte.dev {
# reverse_proxy :8989
# }
# bazarr.h.lyte.dev {
# reverse_proxy :${toString config.services.bazarr.listenPort}
# }
bw.lyte.dev { bw.lyte.dev {
reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}
} }
@ -295,8 +340,12 @@
# TODO: ensure we're not doing the same dumb thing we were doing on the old host and eating storage # TODO: ensure we're not doing the same dumb thing we were doing on the old host and eating storage
services.clickhouse.enable = true; services.clickhouse.enable = true;
systemd.services.plausible.serviceConfig.User = "plausible";
systemd.services.plausible.serviceConfig.Group = "plausible";
services.plausible = { services.plausible = {
enable = true; # TODO: enable
enable = false;
releaseCookiePath = config.sops.secrets.plausible-erlang-cookie.path; releaseCookiePath = config.sops.secrets.plausible-erlang-cookie.path;
database = { database = {
clickhouse.setup = true; clickhouse.setup = true;
@ -408,6 +457,26 @@
]; ];
}; };
services.lidarr = {
enable = true;
dataDir = "/storage/lidarr";
};
services.radarr = {
enable = true;
dataDir = "/storage/radarr";
};
services.sonarr = {
enable = true;
dataDir = "/storage/sonarr";
};
services.bazarr = {
enable = true;
listenPort = 6767;
};
services.samba-wsdd.enable = true; services.samba-wsdd.enable = true;
services.samba = { services.samba = {
@ -502,6 +571,7 @@
"/var/lib/bitwarden_rs" # does this need any sqlite preprocessing? "/var/lib/bitwarden_rs" # does this need any sqlite preprocessing?
# https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
# specifically, https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#sqlite-database-files # specifically, https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#sqlite-database-files
# TODO: backup lidarr/radarr configs?
"/storage/postgres-backups" "/storage/postgres-backups"
]; ];
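Review bot: The comment on the new `users.users.plausible` block, `# used for anonymous samba access`, looks copied from another user definition and does not describe this user, which apparently exists so the three sops secrets can be owned `plausible:plausible` at mode 0440 while the service itself stays off (`enable = false` with a TODO); suggest `# static user so the sops-managed plausible secrets can be chowned to it before the unit starts`. Moving the secrets to `/var/lib/plausible/...` also looks unnecessary, since `releaseCookiePath` already consumes `config.sops.secrets.<name>.path` and keeping the default `/run/secrets` location with `owner`/`group` set avoids sops-nix creating the state directory (and symlinks into it) at activation, before the unit owns it — worth confirming, because I believe the upstream plausible unit uses `DynamicUser`/`StateDirectory`, which handles `/var/lib/plausible` specially. Setting `systemd.services.plausible.serviceConfig.User`/`Group` while `services.plausible.enable = false` will, I believe, still emit a `plausible.service` with no `ExecStart`; harmless but noisy until the TODO is resolved. Minor: `users.extraGroups` is the legacy alias for `users.groups`, which this file already uses (`users.groups.daniel.members`), and the added `lytedev` group has no user or consumer visible in this diff.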


@ -192,6 +192,9 @@ in
enable = true; enable = true;
}; };
}; };
# https://github.com/nix-community/home-manager/issues/3113
dconf.enable = true;
}; };
time = { time = {


@ -47,10 +47,13 @@ nix run nixpkgs#nixos-rebuild -- --flake 'git+https://git.lyte.dev/lytedev/nix#h
# initialize a delayed reboot by a process you can kill later if things look good # initialize a delayed reboot by a process you can kill later if things look good
# note that the amount of time you give it probably needs to be enough time to both complete the upgrade # note that the amount of time you give it probably needs to be enough time to both complete the upgrade
# _and_ perform whatever testing you need # _and_ perform whatever testing you need
ssh root@host bash -c ' ssh -t root@host "bash -c '
set -m
(sleep 300; reboot;) & (sleep 300; reboot;) &
jobs -p jobs -p
' bg
disown
'"
# build the system and start running it, but do NOT set the machine up to boot to that system yet # build the system and start running it, but do NOT set the machine up to boot to that system yet
# we will test things and make sure it works first # we will test things and make sure it works first
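Review bot: The new snippet reimplements a cancellable delayed reboot with `set -m`, `&`, `bg` and `disown` inside a quoted `bash -c` over `ssh -t`, which is fragile (`bg` on a job that is already in the background is a no-op, and whether the subshell survives pty teardown depends on job-control details); `shutdown -r +5` does the same job with a built-in cancel path and no quoting puzzle: `ssh root@host 'shutdown -r +5'` to schedule, `ssh root@host 'shutdown -c'` to cancel. If the job-control form is kept, the comment should say what to do with the output, e.g. `# note the PID printed by jobs -p; kill it to cancel the reboot`. Either way the existing warning still applies: the reboot fires whether or not the rebuild and your testing have finished.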