jsw/NiksOS
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jsw:2f4c2c8e3eb87b712d798933e8607d1f6a14b3cd
Branches Tags
jsw:master
jsw:derek-site
...
compare: jsw:87bef5a352b1c58d1a2e0191ca548391aa558b68
Branches Tags
jsw:derek-site
jsw:master

4 commits
2f4c2c8e3e ... 87bef5a352

Author SHA1 Message Date
Jurn Wubben
87bef5a352 Server: immich mobile support login oauth 2025-07-20 21:29:53 +02:00
Jurn Wubben
488cb7fad8 Immich: added openid login 2025-07-20 20:54:17 +02:00
Jurn Wubben
713ea0cf68 Forgejo: disabled login screen for oauth + added mailserver + renamed some things 2025-07-20 18:45:18 +02:00
Jurn Wubben
657211eb26 Disabled forgejo internal signin so that it uses zitade. 2025-07-20 17:04:59 +02:00
7 changed files with 184 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

8
secrets/default.nix
View file

@ -33,5 +33,13 @@ in {
file = ./zitadel-key.age; file = ./zitadel-key.age;
owner = abstrServiceUser "zitadel"; owner = abstrServiceUser "zitadel";
}; };
forgejo-mailpass = mkIf server {
file = ./forgejo-mailpass.age;
owner = abstrServiceUser "forgejo";
};
immich-oidc = mkIf server {
file = ./immich-oidc.age;
owner = abstrServiceUser "immich";
};
}; };
} }

15
secrets/forgejo-mailpass.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 GQzYWA j5yj1cq9FbYSW767zObF4RbJ7Jhx0818BryvWGWwnSw
LelnyL/SIat9BKl4hsz0n6rl8xPgchk+nQmfb1xkXkU
-> ssh-ed25519 MfR7VA sVGSrPd10dOdnDNROMGW1gLuczlVwMLpymgx6+cCJRE
8vf0ubRiRUWfc6Mgt0bNq99SgrY4pYJ0f4BHVRn+lYU
-> ssh-ed25519 +cvRTg VK4bHTmw+Oz7JLdP0zEbfKTjNUBtVxcbHX4zyZrQxx4
1BjqL4TuNJO8VH9c2MT24ZlGz8ifniUZaK4AkK4VjM4
-> ssh-ed25519 WCPLrA lD5KmpPXdvmTGMXMhye/ivnkbb0+XRCpUA4i6JBsK2w
0LKCxV8vSewkNOLJa+xEZp4w+qIRAVezv37g6hExpb0
-> ssh-ed25519 7/ziYw Yq6qqosp/yOekCO7NBpNTJQVv8NciaSLiDFNuLaOjyA
8Joor9/H+ExdOQBavTMH13SI9MZgBKQQA2HPxKAF9uU
-> ssh-ed25519 VQy60Q /+R2djdRbYoWq1GzMFSj+gwXGf085axPJHOa0tIeFTs
dBVQQ7yucfpbmeR82Fp6MR1/IiQun3bqNVCm9qegL2g
--- fHjHEH5JtSZnKnJFC/KDQELHDwVsExA5aeuKN7DvL1M
ªóAHñæ¥?Û '‰ah·Ç·¹<C2B7>âÂPñ>"/Þy†ûR¯<52>Æ„!I ¾G4äÙº^iXÄ}a:

15
secrets/immich-oidc.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 GQzYWA MbczMCSPu7pJru1rmOsFuloCYLKlh7koC5drXcKlwiw
ZghUrcs7YT3ciwqOkrPDEzlZe3qN9ypBw3xRGYWNPaY
-> ssh-ed25519 MfR7VA KB6RE2QZ//Z6xoyQC502dJeg79rYXFJJdOwV+c6tOWo
e1zIz2nsV9JbBaadTnONrPLI5Ztyv9vf4Ewzd9uSHnU
-> ssh-ed25519 +cvRTg GntHLoUwpIrxm3FcVw+Bavaq6kLaZpVdTRLoMMVfpAY
abE1ZkhS39vylBg8bZ5K3vgnXr70Vbk1bLCKsCFlUvU
-> ssh-ed25519 WCPLrA +/GlB5CbM/1FwI5JE63DJVUChADjJfD3jJY3Y2KmXEU
pPqBhV49/wg/hWffFm2XFRGC9p1nQ57tj1YK7pPkQ3U
-> ssh-ed25519 7/ziYw lxlJVNMIqfoMPj6VGTt2V4PxFi+6WRMfOYcv1hpEMkM
kd8CI7RECJA5uPJu33D61OEnqWwZuNQ6VmYLqXew6gc
-> ssh-ed25519 VQy60Q YSgYVPPN7QutKhbv6/1vmoRnh14KXs0g2k9qxKuvQ2U
FL3fImxWoBeHrCLd+jp/a1oRd/Acgi6sV/g40dCRrTA
--- TipdjwDPkRxiV/R1FUYCm/tcD6M+XEaZhQjrzwMxiuA
証E%キZDケ<44>Ts<54>,リ5ノ<>LタO<EFBE80>ソzエァア<>クT<>Θ <0B>煖_蕘熙H演始ロナ*ヤxQ7$釉淸v`W<04>瀲t%<25>6 <0C>5

2
secrets/secrets.nix
View file

@ -20,4 +20,6 @@ in {
"matrix-registration.age".publicKeys = keys; "matrix-registration.age".publicKeys = keys;
"mail-admin.age".publicKeys = keys; "mail-admin.age".publicKeys = keys;
"zitadel-key.age".publicKeys = keys; "zitadel-key.age".publicKeys = keys;
"forgejo-mailpass.age".publicKeys = keys;
"immich-oidc.age".publicKeys = keys;
} }

23
system/server/forgejo.nix
View file

@ -26,11 +26,32 @@ in {
ROOT_URL = "https://${DOMAIN}/"; ROOT_URL = "https://${DOMAIN}/";
HTTP_PORT = 9004; HTTP_PORT = 9004;
}; };
service.DISABLE_REGISTRATION = true; service = {
ENABLE_INTERNAL_SIGNIN = false;
# DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
};
"ui.meta" = {
AUTHOR = "JSW Git";
DESCRIPTION = "Personal GIT-Forgejo instance.";
};
actions = { actions = {
ENABLED = true; ENABLED = true;
DEFAULT_ACTIONS_URL = "github"; DEFAULT_ACTIONS_URL = "github";
}; };
mailer = {
ENABLED = true;
SUBJECT_PREFIX = "JSWGit";
PROTOCOL = "smtps";
SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
SMTP_PORT = 465;
FROM = "git@jsw.tf";
USER = "git";
PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}";
};
}; };
}; };
}; };

137
system/server/immich.nix
View file

@ -1,61 +1,102 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: let }: let
inherit (lib) mkIf mkForce mkDefault;
cfg = config.niksos.server; cfg = config.niksos.server;
oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
config-dir = "/run/immich-conf";
url = "photos.jsw.tf";
httpsUrl = "https://" + url;
in { in {
services.immich = { config =
enable = cfg; mkIf cfg
{
users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
services.caddy.virtualHosts.${url}.extraConfig = ''
reverse_proxy localhost:9002
'';
port = 9002; services.immich = mkIf cfg {
machine-learning.enable = false; enable = true;
settings = { port = 9002;
server.externalDomain = "https://photos.jsw.tf"; machine-learning.enable = false;
ffmpeg = {
crf = 23; accelerationDevices = mkDefault null;
threads = 0;
preset = "ultrafast"; #NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs..
targetVideoCodec = "h264"; environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json";
acceptedVideoCodecs = [ settings = {
"h264" server.externalDomain = httpsUrl;
oauth = {
enabled = true;
autoLaunch = true;
autoRegister = true;
buttonText = "Login with JSWAuth";
clientId = "329735769805619570";
clientSecret = oidcSubstitute;
issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration";
mobileRedirectUri = "${httpsUrl}/api/oauth/mobile-redirect";
mobileOverrideEnabled = true;
};
passwordLogin.enabled = false;
ffmpeg = {
crf = 23;
threads = 0;
preset = "ultrafast";
targetVideoCodec = "h264";
acceptedVideoCodecs = [
"h264"
];
targetAudioCodec = "aac";
acceptedAudioCodecs = [
"aac"
"mp3"
"libopus"
"pcm_s16le"
];
acceptedContainers = [
"mov"
"ogg"
"webm"
];
targetResolution = "720";
maxBitrate = "0";
bframes = -1;
refs = 0;
gopSize = 0;
temporalAQ = false;
cqMode = "auto";
twoPass = false;
preferredHwDevice = lib.mkDefault "auto";
transcode = "all";
tonemap = "hable";
accel = lib.mkDefault "vaapi";
accelDecode = true;
};
};
};
systemd = {
services.immich-server = {
preStart = let
refConfig = (pkgs.formats.json {}).generate "immich.json" config.services.immich.settings;
newConfig = "${config-dir}/immich.json";
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
in ''
umask 077
cp -f '${refConfig}' '${newConfig}'
chmod u+w '${newConfig}'
${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.immich-oidc.path}' '${newConfig}'
'';
};
tmpfiles.rules = [
"d ${config-dir} 0700 immich immich"
]; ];
targetAudioCodec = "aac";
acceptedAudioCodecs = [
"aac"
"mp3"
"libopus"
"pcm_s16le"
];
acceptedContainers = [
"mov"
"ogg"
"webm"
];
targetResolution = "720";
maxBitrate = "0";
bframes = -1;
refs = 0;
gopSize = 0;
temporalAQ = false;
cqMode = "auto";
twoPass = false;
preferredHwDevice = lib.mkDefault "auto";
transcode = "all";
tonemap = "hable";
accel = lib.mkDefault "vaapi";
accelDecode = true;
}; };
}; };
accelerationDevices = lib.mkDefault null;
};
users.users.immich = lib.mkIf cfg {extraGroups = ["video" "render"];}; #NOTE: was first groups = lib.mkIf.. but then users.immich gets set even when server is disabled.
services.caddy.virtualHosts."photos.jsw.tf" = {
extraConfig = ''
reverse_proxy localhost:9002
'';
};
} }

40
system/server/seafile.nix
View file

@ -3,25 +3,52 @@
inputs, inputs,
pkgs, pkgs,
... ...
}: { }: let
url = "files.jsw.tf";
httpsUrl = "https://" + url;
authUrl = config.services.zitadel.settings.ExternalDomain;
httpsAuthUrl = "https://" + authUrl;
oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
config-dir = "/run/immich-conf";
in {
services.seafile = { services.seafile = {
enable = config.niksos.server; enable = config.niksos.server;
seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub; seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
adminEmail = "jurnwubben@gmail.com"; adminEmail = "jsw@jsw.tf";
initialAdminPassword = "ChangeMeTheFuckNow!"; initialAdminPassword = "ChangeMeTheFuckNow!";
gc.enable = true; gc.enable = true;
ccnetSettings.General.SERVICE_URL = "https://files.jsw.tf"; ccnetSettings.General.SERVICE_URL = httpsUrl;
seahubExtraConf = '' seahubExtraConf = ''
ALLOWED_HOSTS = ['.files.jsw.tf'] ALLOWED_HOSTS = ['.${url}']
CSRF_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict' CSRF_COOKIE_SAMESITE = 'Strict'
CSRF_TRUSTED_ORIGINS = ['https://files.jsw.tf', 'https://www.files.jsw.tf'] CSRF_TRUSTED_ORIGINS = ['${httpsUrl}']
SITE_NAME = "JSW Cloud" SITE_NAME = "JSW Cloud"
SITE_TITLE = "JSW Cloud" SITE_TITLE = "JSW Cloud"
ENABLE_OAUTH = True
OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_CLIENT_ID = "329743411726844274"
OAUTH_CLIENT_SECRET = "${oidcSubstitute}"
OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
OAUTH_PROVIDER_DOMAIN = '${authUrl}'
OAUTH_PROVIDER = 'JSW Auth'
OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
OAUTH_SCOPE = ["user",]
OAUTH_ATTRIBUTE_MAP = {
"id": (True, "email"),
"name": (False, "name"),
"email": (False, "contact_email"),
"uid": (True, "uid"),
}
''; '';
seafileSettings = { seafileSettings = {
quota.default = 30; quota.default = 30;
@ -35,8 +62,7 @@
}; };
}; };
services.caddy.virtualHosts."files.jsw.tf" = { services.caddy.virtualHosts.${url} = {
# serverAliases = ["www.share.jsw.tf"];
extraConfig = '' extraConfig = ''
handle_path /seafhttp/* { handle_path /seafhttp/* {
reverse_proxy * unix//run/seafile/server.sock reverse_proxy * unix//run/seafile/server.sock