jsw/NiksOS
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jsw:87bef5a352b1c58d1a2e0191ca548391aa558b68
Branches Tags
jsw:master
jsw:derek-site
..
compare: jsw:2f4c2c8e3eb87b712d798933e8607d1f6a14b3cd
Branches Tags
jsw:derek-site
jsw:master

No commits in common. "87bef5a352b1c58d1a2e0191ca548391aa558b68" and "2f4c2c8e3eb87b712d798933e8607d1f6a14b3cd" have entirely different histories.
87bef5a352 ... 2f4c2c8e3e

7 changed files with 56 additions and 184 deletions
Download patch file Download diff file Expand all files Collapse all files

8
secrets/default.nix
View file

@ -33,13 +33,5 @@ in {
file = ./zitadel-key.age;
owner = abstrServiceUser "zitadel";
};
forgejo-mailpass = mkIf server {
file = ./forgejo-mailpass.age;
owner = abstrServiceUser "forgejo";
};
immich-oidc = mkIf server {
file = ./immich-oidc.age;
owner = abstrServiceUser "immich";
};
};
}

15
secrets/forgejo-mailpass.age
View file

@ -1,15 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 GQzYWA j5yj1cq9FbYSW767zObF4RbJ7Jhx0818BryvWGWwnSw
LelnyL/SIat9BKl4hsz0n6rl8xPgchk+nQmfb1xkXkU
-> ssh-ed25519 MfR7VA sVGSrPd10dOdnDNROMGW1gLuczlVwMLpymgx6+cCJRE
8vf0ubRiRUWfc6Mgt0bNq99SgrY4pYJ0f4BHVRn+lYU
-> ssh-ed25519 +cvRTg VK4bHTmw+Oz7JLdP0zEbfKTjNUBtVxcbHX4zyZrQxx4
1BjqL4TuNJO8VH9c2MT24ZlGz8ifniUZaK4AkK4VjM4
-> ssh-ed25519 WCPLrA lD5KmpPXdvmTGMXMhye/ivnkbb0+XRCpUA4i6JBsK2w
0LKCxV8vSewkNOLJa+xEZp4w+qIRAVezv37g6hExpb0
-> ssh-ed25519 7/ziYw Yq6qqosp/yOekCO7NBpNTJQVv8NciaSLiDFNuLaOjyA
8Joor9/H+ExdOQBavTMH13SI9MZgBKQQA2HPxKAF9uU
-> ssh-ed25519 VQy60Q /+R2djdRbYoWq1GzMFSj+gwXGf085axPJHOa0tIeFTs
dBVQQ7yucfpbmeR82Fp6MR1/IiQun3bqNVCm9qegL2g
--- fHjHEH5JtSZnKnJFC/KDQELHDwVsExA5aeuKN7DvL1M
ªóAHñæ¥?Û '‰ah·Ç·¹<C2B7>âÂPñ>"/Þy†ûR¯<52>Æ„!I ¾G4äÙº^iXÄ}a:

15
secrets/immich-oidc.age
View file

@ -1,15 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 GQzYWA MbczMCSPu7pJru1rmOsFuloCYLKlh7koC5drXcKlwiw
ZghUrcs7YT3ciwqOkrPDEzlZe3qN9ypBw3xRGYWNPaY
-> ssh-ed25519 MfR7VA KB6RE2QZ//Z6xoyQC502dJeg79rYXFJJdOwV+c6tOWo
e1zIz2nsV9JbBaadTnONrPLI5Ztyv9vf4Ewzd9uSHnU
-> ssh-ed25519 +cvRTg GntHLoUwpIrxm3FcVw+Bavaq6kLaZpVdTRLoMMVfpAY
abE1ZkhS39vylBg8bZ5K3vgnXr70Vbk1bLCKsCFlUvU
-> ssh-ed25519 WCPLrA +/GlB5CbM/1FwI5JE63DJVUChADjJfD3jJY3Y2KmXEU
pPqBhV49/wg/hWffFm2XFRGC9p1nQ57tj1YK7pPkQ3U
-> ssh-ed25519 7/ziYw lxlJVNMIqfoMPj6VGTt2V4PxFi+6WRMfOYcv1hpEMkM
kd8CI7RECJA5uPJu33D61OEnqWwZuNQ6VmYLqXew6gc
-> ssh-ed25519 VQy60Q YSgYVPPN7QutKhbv6/1vmoRnh14KXs0g2k9qxKuvQ2U
FL3fImxWoBeHrCLd+jp/a1oRd/Acgi6sV/g40dCRrTA
--- TipdjwDPkRxiV/R1FUYCm/tcD6M+XEaZhQjrzwMxiuA
証E%キZDケ<44>Ts<54>,リ5ノ<>LタO<EFBE80>ソzエァア<>クT<>Θ <0B>煖_蕘熙H演始ロナ*ヤxQ7$釉淸v`W<04>瀲t%<25>6 <0C>5

2
secrets/secrets.nix
View file

@ -20,6 +20,4 @@ in {
"matrix-registration.age".publicKeys = keys;
"mail-admin.age".publicKeys = keys;
"zitadel-key.age".publicKeys = keys;
"forgejo-mailpass.age".publicKeys = keys;
"immich-oidc.age".publicKeys = keys;
}

23
system/server/forgejo.nix
View file

@ -26,32 +26,11 @@ in {
ROOT_URL = "https://${DOMAIN}/";
HTTP_PORT = 9004;
};
service = {
ENABLE_INTERNAL_SIGNIN = false;
# DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
};
"ui.meta" = {
AUTHOR = "JSW Git";
DESCRIPTION = "Personal GIT-Forgejo instance.";
};
service.DISABLE_REGISTRATION = true;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
mailer = {
ENABLED = true;
SUBJECT_PREFIX = "JSWGit";
PROTOCOL = "smtps";
SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
SMTP_PORT = 465;
FROM = "git@jsw.tf";
USER = "git";
PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}";
};
};
};
};

137
system/server/immich.nix
View file

@ -1,102 +1,61 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkIf mkForce mkDefault;
cfg = config.niksos.server;
oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
config-dir = "/run/immich-conf";
url = "photos.jsw.tf";
httpsUrl = "https://" + url;
in {
config =
mkIf cfg
{
users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
services.caddy.virtualHosts.${url}.extraConfig = ''
reverse_proxy localhost:9002
'';
services.immich = {
enable = cfg;
services.immich = mkIf cfg {
enable = true;
port = 9002;
machine-learning.enable = false;
port = 9002;
machine-learning.enable = false;
accelerationDevices = mkDefault null;
#NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs..
environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json";
settings = {
server.externalDomain = httpsUrl;
oauth = {
enabled = true;
autoLaunch = true;
autoRegister = true;
buttonText = "Login with JSWAuth";
clientId = "329735769805619570";
clientSecret = oidcSubstitute;
issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration";
mobileRedirectUri = "${httpsUrl}/api/oauth/mobile-redirect";
mobileOverrideEnabled = true;
};
passwordLogin.enabled = false;
ffmpeg = {
crf = 23;
threads = 0;
preset = "ultrafast";
targetVideoCodec = "h264";
acceptedVideoCodecs = [
"h264"
];
targetAudioCodec = "aac";
acceptedAudioCodecs = [
"aac"
"mp3"
"libopus"
"pcm_s16le"
];
acceptedContainers = [
"mov"
"ogg"
"webm"
];
targetResolution = "720";
maxBitrate = "0";
bframes = -1;
refs = 0;
gopSize = 0;
temporalAQ = false;
cqMode = "auto";
twoPass = false;
preferredHwDevice = lib.mkDefault "auto";
transcode = "all";
tonemap = "hable";
accel = lib.mkDefault "vaapi";
accelDecode = true;
};
};
};
systemd = {
services.immich-server = {
preStart = let
refConfig = (pkgs.formats.json {}).generate "immich.json" config.services.immich.settings;
newConfig = "${config-dir}/immich.json";
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
in ''
umask 077
cp -f '${refConfig}' '${newConfig}'
chmod u+w '${newConfig}'
${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.immich-oidc.path}' '${newConfig}'
'';
};
tmpfiles.rules = [
"d ${config-dir} 0700 immich immich"
settings = {
server.externalDomain = "https://photos.jsw.tf";
ffmpeg = {
crf = 23;
threads = 0;
preset = "ultrafast";
targetVideoCodec = "h264";
acceptedVideoCodecs = [
"h264"
];
targetAudioCodec = "aac";
acceptedAudioCodecs = [
"aac"
"mp3"
"libopus"
"pcm_s16le"
];
acceptedContainers = [
"mov"
"ogg"
"webm"
];
targetResolution = "720";
maxBitrate = "0";
bframes = -1;
refs = 0;
gopSize = 0;
temporalAQ = false;
cqMode = "auto";
twoPass = false;
preferredHwDevice = lib.mkDefault "auto";
transcode = "all";
tonemap = "hable";
accel = lib.mkDefault "vaapi";
accelDecode = true;
};
};
accelerationDevices = lib.mkDefault null;
};
users.users.immich = lib.mkIf cfg {extraGroups = ["video" "render"];}; #NOTE: was first groups = lib.mkIf.. but then users.immich gets set even when server is disabled.
services.caddy.virtualHosts."photos.jsw.tf" = {
extraConfig = ''
reverse_proxy localhost:9002
'';
};
}

40
system/server/seafile.nix
View file

@ -3,52 +3,25 @@
inputs,
pkgs,
...
}: let
url = "files.jsw.tf";
httpsUrl = "https://" + url;
authUrl = config.services.zitadel.settings.ExternalDomain;
httpsAuthUrl = "https://" + authUrl;
oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
config-dir = "/run/immich-conf";
in {
}: {
services.seafile = {
enable = config.niksos.server;
seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
adminEmail = "jsw@jsw.tf";
adminEmail = "jurnwubben@gmail.com";
initialAdminPassword = "ChangeMeTheFuckNow!";
gc.enable = true;
ccnetSettings.General.SERVICE_URL = httpsUrl;
ccnetSettings.General.SERVICE_URL = "https://files.jsw.tf";
seahubExtraConf = ''
ALLOWED_HOSTS = ['.${url}']
ALLOWED_HOSTS = ['.files.jsw.tf']
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'
CSRF_TRUSTED_ORIGINS = ['${httpsUrl}']
CSRF_TRUSTED_ORIGINS = ['https://files.jsw.tf', 'https://www.files.jsw.tf']
SITE_NAME = "JSW Cloud"
SITE_TITLE = "JSW Cloud"
ENABLE_OAUTH = True
OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_CLIENT_ID = "329743411726844274"
OAUTH_CLIENT_SECRET = "${oidcSubstitute}"
OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
OAUTH_PROVIDER_DOMAIN = '${authUrl}'
OAUTH_PROVIDER = 'JSW Auth'
OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
OAUTH_SCOPE = ["user",]
OAUTH_ATTRIBUTE_MAP = {
"id": (True, "email"),
"name": (False, "name"),
"email": (False, "contact_email"),
"uid": (True, "uid"),
}
'';
seafileSettings = {
quota.default = 30;
@ -62,7 +35,8 @@ in {
};
};
services.caddy.virtualHosts.${url} = {
services.caddy.virtualHosts."files.jsw.tf" = {
# serverAliases = ["www.share.jsw.tf"];
extraConfig = ''
handle_path /seafhttp/* {
reverse_proxy * unix//run/seafile/server.sock