commit 18121a5b37fc88427627a4b06a24233c049c49ff · aylac.top/nixcfg-own-knot

+3 -3

flake.lock

···

       917
        
           "secrets": {

     

       918
        
             "flake": false,

     

       919
        
             "locked": {

     

       920
       -
               "lastModified": 1755789931,

     

       921
       -
               "narHash": "sha256-4BJKIbWkdajOZxVJhdDROMVtK6WfFbZjNXBt8KRtE18=",

     

       922
        
               "owner": "ayla6",

     

       923
        
               "repo": "secrets",

     

       924
       -
               "rev": "145a93b5fd6db45596d4c7607c0ef91a86aee593",

     

       925
        
               "type": "github"

     

       926
        
             },

     

       927
        
             "original": {

···

       917
        
           "secrets": {

     

       918
        
             "flake": false,

     

       919
        
             "locked": {

     

       920
       +
               "lastModified": 1755914550,

     

       921
       +
               "narHash": "sha256-3idodE8ltAGjE+j76EVNHtlHX5cufwdslUCUtDOK4BM=",

     

       922
        
               "owner": "ayla6",

     

       923
        
               "repo": "secrets",

     

       924
       +
               "rev": "3c93b9f5d1b28a8614a9f36a2816ff6369258207",

     

       925
        
               "type": "github"

     

       926
        
             },

     

       927
        
             "original": {

+6 -1

homes/ayla/default.nix

···

       92
        
                   imageViewer.package = pkgs.loupe;

     

       93
        
                   pdfViewer.package = pkgs.papers;

     

       94
        
                   terminal.package = pkgs.ptyxis;

     

       95
       -
                   terminalEditor.package = config.programs.micro.package;

     

       96
        
                   webBrowser.package = config.programs.firefox.finalPackage;

     

       97
        
                   #webBrowser = {

     

       98
        
                   #  exec = lib.getExe config.programs.zen-browser.finalPackage;

     
···

       165
        
                 flare-signal

     

       166
        
                 audacious

     

       167
        
                 audacious-plugins

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       168
        
               ];

     

       169
        
             };

     

       170
        
           })

···

       92
        
                   imageViewer.package = pkgs.loupe;

     

       93
        
                   pdfViewer.package = pkgs.papers;

     

       94
        
                   terminal.package = pkgs.ptyxis;

     

       95
       +
                   terminalEditor.package = config.programs.helix.package;

     

       96
        
                   webBrowser.package = config.programs.firefox.finalPackage;

     

       97
        
                   #webBrowser = {

     

       98
        
                   #  exec = lib.getExe config.programs.zen-browser.finalPackage;

     
···

       165
        
                 flare-signal

     

       166
        
                 audacious

     

       167
        
                 audacious-plugins

     

       168
       +
       

     

       169
       +
                 zip

     

       170
       +
                 xz

     

       171
       +
                 unzip

     

       172
       +
                 p7zip

     

       173
        
               ];

     

       174
        
             };

     

       175
        
           })

hosts/nanpi/default.nix

···

       35
        
               enable = true;

     

       36
        
               deduplicate = true;

     

       37
        
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       38
        
             arr.enable = true;

     

       39
        
           };

     

       40
        
           services = {

···

       35
        
               enable = true;

     

       36
        
               deduplicate = true;

     

       37
        
             };

     

       38
       +
             swap = {

     

       39
       +
               enable = true;

     

       40
       +
               size = 4096;

     

       41
       +
               location = "/.swap";

     

       42
       +
             };

     

       43
        
             arr.enable = true;

     

       44
        
           };

     

       45
        
           services = {

hosts/nanpi/glance.nix

···

       143
        
                             check-url = "http://${config.mySnippets.tailnet.networkMap.miniflux.hostName}:${toString config.mySnippets.tailnet.networkMap.miniflux.port}/";

     

       144
        
                             icon = "di:miniflux";

     

       145
        
                           }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       146
        
                         ];

     

       147
        
                       }

     

       148
        
                     ];

···

       143
        
                             check-url = "http://${config.mySnippets.tailnet.networkMap.miniflux.hostName}:${toString config.mySnippets.tailnet.networkMap.miniflux.port}/";

     

       144
        
                             icon = "di:miniflux";

     

       145
        
                           }

     

       146
       +
                           {

     

       147
       +
                             title = "audiobookshelf";

     

       148
       +
                             url = "https://${config.mySnippets.tailnet.networkMap.audiobookshelf.vHost}/";

     

       149
       +
                             check-url = "http://${config.mySnippets.tailnet.networkMap.audiobookshelf.hostName}:${toString config.mySnippets.tailnet.networkMap.audiobookshelf.port}/";

     

       150
       +
                             icon = "di:miniflux";

     

       151
       +
                           }

     

       152
        
                         ];

     

       153
        
                       }

     

       154
        
                     ];

hosts/nanpi/secrets.nix

···

       2
        
         age.secrets = {

     

       3
        
           cloudflareCertificate.file = "${self.inputs.secrets}/cloudflare/certificate.age";

     

       4
        
           cloudflareCredentials.file = "${self.inputs.secrets}/cloudflare/credentials.age";

     

       0
        
       
     

       5
        
           pds.file = "${self.inputs.secrets}/pds.age";

     

       6
        
           resticPassword.file = "${self.inputs.secrets}/restic-passwd.age";

     

       7
        
           rclone.file = "${self.inputs.secrets}/rclone.age";

···

       2
        
         age.secrets = {

     

       3
        
           cloudflareCertificate.file = "${self.inputs.secrets}/cloudflare/certificate.age";

     

       4
        
           cloudflareCredentials.file = "${self.inputs.secrets}/cloudflare/credentials.age";

     

       5
       +
           cloudflareFail2ban.file = "${self.inputs.secrets}/cloudflare/fail2ban.age";

     

       6
        
           pds.file = "${self.inputs.secrets}/pds.age";

     

       7
        
           resticPassword.file = "${self.inputs.secrets}/restic-passwd.age";

     

       8
        
           rclone.file = "${self.inputs.secrets}/rclone.age";

+70 -148

hosts/nanpi/services.nix

···

       4
        
         ...

     

       5
        
       }: let

     

       6
        
         dataDirectory = "/var/lib";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       7
        
       in {

     

       8
        
         services = {

     

       9
        
           pds = {

     
···

       25
        
                 certificateFile = config.age.secrets.cloudflareCertificate.path;

     

       26
        
                 credentialsFile = config.age.secrets.cloudflareCredentials.path;

     

       27
        
                 default = "http_status:404";

     

       28
       -
                 ingress = {

     

       29
       -
                   "${config.mySnippets.aylac-top.networkMap.pds.vHost}" = "http://${config.mySnippets.aylac-top.networkMap.pds.hostName}:${toString config.mySnippets.aylac-top.networkMap.pds.port}";

     

       30
       -
       

     

       31
       -
                   "${config.mySnippets.aylac-top.networkMap.vaultwarden.vHost}" = "http://${config.mySnippets.aylac-top.networkMap.vaultwarden.hostName}:${toString config.mySnippets.aylac-top.networkMap.vaultwarden.port}";

     

       32
       -
       

     

       33
       -
                   "${config.mySnippets.aylac-top.networkMap.forgejo.vHost}" = "http://${config.mySnippets.aylac-top.networkMap.forgejo.hostName}:${toString config.mySnippets.aylac-top.networkMap.forgejo.port}";

     

       34
       -
       

     

       35
       -
                   "${config.mySnippets.aylac-top.networkMap.ntfy.vHost}" = "http://${config.mySnippets.aylac-top.networkMap.ntfy.hostName}:${toString config.mySnippets.aylac-top.networkMap.ntfy.port}";

     

       36
       -
       

     

       37
       -
                   "${config.mySnippets.aylac-top.networkMap.glance.vHost}" = "http://${config.mySnippets.aylac-top.networkMap.glance.hostName}:${toString config.mySnippets.aylac-top.networkMap.glance.port}";

     

       38
       -
                 };

     

       39
        
               };

     

       40
        
             };

     

       41
        
           };

     

       42
        
       

     

       43
       -
           caddy.virtualHosts = {

     

       44
       -
             "${config.mySnippets.tailnet.networkMap.jellyfin.vHost}" = {

     

       45
       -
               extraConfig = ''

     

       46
       -
                 bind tailscale/jellyfin

     

       47
       -
                 encode zstd gzip

     

       48
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.jellyfin.hostName}:${toString config.mySnippets.tailnet.networkMap.jellyfin.port} {

     

       49
       -
                   flush_interval -1

     

       50
       -
                 }

     

       51
       -
               '';

     

       52
       -
             };

     

       53
       -
       

     

       54
       -
             "${config.mySnippets.tailnet.networkMap.qbittorrent.vHost}" = {

     

       55
       -
               extraConfig = ''

     

       56
       -
                 bind tailscale/qbittorrent

     

       57
       -
                 encode zstd gzip

     

       58
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.qbittorrent.hostName}:${toString config.mySnippets.tailnet.networkMap.qbittorrent.port}

     

       59
       -
               '';

     

       60
       -
             };

     

       61
       -
       

     

       62
       -
             "${config.mySnippets.tailnet.networkMap.radicale.vHost}" = {

     

       63
       -
               extraConfig = ''

     

       64
       -
                 bind tailscale/radicale

     

       65
       -
                 encode zstd gzip

     

       66
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.radicale.hostName}:${toString config.mySnippets.tailnet.networkMap.radicale.port}

     

       67
       -
               '';

     

       68
       -
             };

     

       69
       -
       

     

       70
       -
             "${config.mySnippets.tailnet.networkMap.webdav.vHost}" = {

     

       71
       -
               extraConfig = ''

     

       72
       -
                 bind tailscale/webdav

     

       73
       -
                 encode zstd gzip

     

       74
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.webdav.hostName}:${toString config.mySnippets.tailnet.networkMap.webdav.port}

     

       75
       -
               '';

     

       76
       -
             };

     

       77
       -
       

     

       78
       -
             "${config.mySnippets.tailnet.networkMap.bazarr.vHost}" = {

     

       79
       -
               extraConfig = ''

     

       80
       -
                 bind tailscale/bazarr

     

       81
       -
                 encode zstd gzip

     

       82
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.bazarr.hostName}:${toString config.mySnippets.tailnet.networkMap.bazarr.port}

     

       83
       -
               '';

     

       84
       -
             };

     

       85
       -
       

     

       86
       -
             #"${config.mySnippets.tailnet.networkMap.lidarr.vHost}" = {

     

       87
       -
             #  extraConfig = ''

     

       88
       -
             #    bind tailscale/lidarr

     

       89
       -
             #    encode zstd gzip

     

       90
       -
             #    reverse_proxy ${config.mySnippets.tailnet.networkMap.lidarr.hostName}:${toString config.mySnippets.tailnet.networkMap.lidarr.port}

     

       91
       -
             #  '';

     

       92
       -
             #};

     

       93
       -
       

     

       94
       -
             "${config.mySnippets.tailnet.networkMap.prowlarr.vHost}" = {

     

       95
       -
               extraConfig = ''

     

       96
       -
                 bind tailscale/prowlarr

     

       97
       -
                 encode zstd gzip

     

       98
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.prowlarr.hostName}:${toString config.mySnippets.tailnet.networkMap.prowlarr.port}

     

       99
       -
               '';

     

       100
       -
             };

     

       101
       -
       

     

       102
       -
             "${config.mySnippets.tailnet.networkMap.radarr.vHost}" = {

     

       103
       -
               extraConfig = ''

     

       104
       -
                 bind tailscale/radarr

     

       105
       -
                 encode zstd gzip

     

       106
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.radarr.hostName}:${toString config.mySnippets.tailnet.networkMap.radarr.port}

     

       107
       -
               '';

     

       108
       -
             };

     

       109
        
       

     

       110
       -
             "${config.mySnippets.tailnet.networkMap.sonarr.vHost}" = {

     

       111
       -
               extraConfig = ''

     

       112
       -
                 bind tailscale/sonarr

     

       113
       -
                 encode zstd gzip

     

       114
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.sonarr.hostName}:${toString config.mySnippets.tailnet.networkMap.sonarr.port}

     

       115
       -
               '';

     

       116
       -
             };

     

       117
        
       

     

       118
       -
             "${config.mySnippets.tailnet.networkMap.autobrr.vHost}" = {

     

       119
       -
               extraConfig = ''

     

       120
       -
                 bind tailscale/autobrr

     

       121
       -
                 encode zstd gzip

     

       122
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.autobrr.hostName}:${toString config.mySnippets.tailnet.networkMap.autobrr.port}

     

       123
       -
               '';

     

       124
       -
             };

     

       125
       -
       

     

       126
       -
             "${config.mySnippets.tailnet.networkMap.glance.vHost}" = {

     

       127
       -
               extraConfig = ''

     

       128
       -
                 bind tailscale/glance

     

       129
       -
                 encode zstd gzip

     

       130
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.glance.hostName}:${toString config.mySnippets.tailnet.networkMap.glance.port}

     

       131
       -
               '';

     

       132
       -
             };

     

       133
       -
       

     

       134
       -
             "${config.mySnippets.tailnet.networkMap.karakeep.vHost}" = {

     

       135
       -
               extraConfig = ''

     

       136
       -
                 bind tailscale/karakeep

     

       137
       -
                 encode zstd gzip

     

       138
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.karakeep.hostName}:${toString config.mySnippets.tailnet.networkMap.karakeep.port}

     

       139
       -
               '';

     

       140
       -
             };

     

       141
       -
       

     

       142
       -
             "${config.mySnippets.tailnet.networkMap.copyparty.vHost}" = {

     

       143
       -
               extraConfig = ''

     

       144
       -
                 bind tailscale/copyparty

     

       145
       -
                 encode zstd gzip

     

       146
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.copyparty.hostName}:${toString config.mySnippets.tailnet.networkMap.copyparty.port}

     

       147
       -
               '';

     

       148
       -
             };

     

       149
       -
       

     

       150
       -
             "${config.mySnippets.tailnet.networkMap.redlib.vHost}" = {

     

       151
       -
               extraConfig = ''

     

       152
       -
                 bind tailscale/redlib

     

       153
       -
                 encode zstd gzip

     

       154
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.redlib.hostName}:${toString config.mySnippets.tailnet.networkMap.redlib.port}

     

       155
       -
               '';

     

       156
       -
             };

     

       157
       -
       

     

       158
       -
             "${config.mySnippets.tailnet.networkMap.miniflux.vHost}" = {

     

       159
       -
               extraConfig = ''

     

       160
       -
                 bind tailscale/miniflux

     

       161
       -
                 encode zstd gzip

     

       162
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.miniflux.hostName}:${toString config.mySnippets.tailnet.networkMap.miniflux.port}

     

       163
       -
               '';

     

       164
       -
             };

     

       165
       -
       

     

       166
       -
             "${config.mySnippets.tailnet.networkMap.jellyseerr.vHost}" = {

     

       167
       -
               extraConfig = ''

     

       168
       -
                 bind tailscale/jellyseerr

     

       169
       -
                 encode zstd gzip

     

       170
       -
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.jellyseerr.hostName}:${toString config.mySnippets.tailnet.networkMap.jellyseerr.port}

     

       171
       -
               '';

     

       172
       -
             };

     

       173
        
           };

     

       174
        
       

     

       175
       -
           # it's failing to build because it can't download some stuff

     

       176
       -
           # immich = {

     

       177
       -
           #   enable = true;

     

       178
       -
           #   host = "0.0.0.0";

     

       179
       -
           #   mediaLocation = "${dataDirectory}/immich";

     

       180
       -
           #   openFirewall = true;

     

       181
       -
           #   inherit (config.mySnippets.tailnet.networkMap.immich) port;

     

       182
       -
           # };

     

       183
       -
       

     

       184
        
           vaultwarden = {

     

       185
        
             enable = true;

     

       186
        
       

     
···

       192
        
               SIGNUPS_ALLOWED = false;

     

       193
        
               ICON_SERVICE = "bitwarden";

     

       194
        
               ICON_CACHE_TTL = 0;

     

       0
        
       
     

       195
        
             };

     

       196
        
       

     

       197
        
             environmentFile = config.age.secrets.vaultwarden.path;

···

       4
        
         ...

     

       5
        
       }: let

     

       6
        
         dataDirectory = "/var/lib";

     

       7
       +
       

     

       8
       +
         mkCaddyVHosts = services:

     

       9
       +
           pkgs.lib.listToAttrs (map (service: let

     

       10
       +
             netMap = config.mySnippets.${service.location or "tailnet"}.networkMap.${service.name};

     

       11
       +
             flush = service.flushInterval or false;

     

       12
       +
             proxyConfig =

     

       13
       +
               if flush

     

       14
       +
               then ''

     

       15
       +
                 reverse_proxy ${netMap.hostName}:${toString netMap.port} {

     

       16
       +
                   flush_interval -1

     

       17
       +
                 }

     

       18
       +
               ''

     

       19
       +
               else "reverse_proxy ${netMap.hostName}:${toString netMap.port}";

     

       20
       +
           in

     

       21
       +
             pkgs.lib.nameValuePair "${netMap.vHost}" {

     

       22
       +
               extraConfig = ''

     

       23
       +
                 bind tailscale/${service.name}

     

       24
       +
                 encode zstd gzip

     

       25
       +
                 ${proxyConfig}

     

       26
       +
               '';

     

       27
       +
             })

     

       28
       +
           services);

     

       29
       +
       

     

       30
       +
         mkCloudflareIngress = services:

     

       31
       +
           pkgs.lib.listToAttrs (map (service: let

     

       32
       +
             netMap = config.mySnippets.${service.location or "aylac-top"}.networkMap.${service.name};

     

       33
       +
           in

     

       34
       +
             pkgs.lib.nameValuePair netMap.vHost "http://${netMap.hostName}:${toString netMap.port}")

     

       35
       +
           services);

     

       36
        
       in {

     

       37
        
         services = {

     

       38
        
           pds = {

     
···

       54
        
                 certificateFile = config.age.secrets.cloudflareCertificate.path;

     

       55
        
                 credentialsFile = config.age.secrets.cloudflareCredentials.path;

     

       56
        
                 default = "http_status:404";

     

       57
       +
                 ingress = mkCloudflareIngress [

     

       58
       +
                   {name = "pds";}

     

       59
       +
                   {name = "vaultwarden";}

     

       60
       +
                   {name = "forgejo";}

     

       61
       +
                   {name = "ntfy";}

     

       62
       +
                   {name = "glance";}

     

       63
       +
                 ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       64
        
               };

     

       65
        
             };

     

       66
        
           };

     

       67
        
       

     

       68
       +
           caddy.virtualHosts = mkCaddyVHosts [

     

       69
       +
             {

     

       70
       +
               name = "jellyfin";

     

       71
       +
               flushInterval = true;

     

       72
       +
             }

     

       73
       +
             {name = "qbittorrent";}

     

       74
       +
             {name = "radicale";}

     

       75
       +
             {name = "webdav";}

     

       76
       +
             {name = "bazarr";}

     

       77
       +
             {name = "prowlarr";}

     

       78
       +
             {name = "radarr";}

     

       79
       +
             {name = "sonarr";}

     

       80
       +
             {name = "autobrr";}

     

       81
       +
             {name = "glance";}

     

       82
       +
             {name = "karakeep";}

     

       83
       +
             {name = "copyparty";}

     

       84
       +
             {name = "redlib";}

     

       85
       +
             {name = "miniflux";}

     

       86
       +
             {name = "jellyseerr";}

     

       87
       +
             {name = "audiobookshelf";}

     

       88
       +
           ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       89
        
       

     

       90
       +
           #immich = {

     

       91
       +
           #  enable = true;

     

       92
       +
           #  host = "0.0.0.0";

     

       93
       +
           #  mediaLocation = "${dataDirectory}/immich";

     

       94
       +
           #  openFirewall = true;

     

       95
       +
           #  inherit (config.mySnippets.tailnet.networkMap.immich) port;

     

       96
       +
           #};

     

       97
        
       

     

       98
       +
           audiobookshelf = {

     

       99
       +
             enable = true;

     

       100
       +
             host = "0.0.0.0";

     

       101
       +
             openFirewall = true;

     

       102
       +
             inherit (config.mySnippets.tailnet.networkMap.audiobookshelf) port;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       103
        
           };

     

       104
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       105
        
           vaultwarden = {

     

       106
        
             enable = true;

     

       107
        
       

     
···

       113
        
               SIGNUPS_ALLOWED = false;

     

       114
        
               ICON_SERVICE = "bitwarden";

     

       115
        
               ICON_CACHE_TTL = 0;

     

       116
       +
               IP_HEADER = "CF-Connecting-IP";

     

       117
        
             };

     

       118
        
       

     

       119
        
             environmentFile = config.age.secrets.vaultwarden.path;

+1 -1

modules/home/default.nix

···

       4
        
           ./programs

     

       5
        
           ./services

     

       6
        
           ./profiles

     

       7
       -
           ./packages.nix

     

       8
        
           inputs.agenix.homeManagerModules.default

     

       9
        
           inputs.zen-browser.homeModules.beta

     

       10
        
         ];

···

       4
        
           ./programs

     

       5
        
           ./services

     

       6
        
           ./profiles

     

       7
       +
           ./snippets

     

       8
        
           inputs.agenix.homeManagerModules.default

     

       9
        
           inputs.zen-browser.homeModules.beta

     

       10
        
         ];

-9

modules/home/packages.nix

···

       1
       -
       {pkgs, ...}: {

     

       2
       -
         home.packages = with pkgs; [

     

       3
       -
           # --- System Utilities ---

     

       4
       -
           zip

     

       5
       -
           xz

     

       6
       -
           unzip

     

       7
       -
           p7zip

     

       8
       -
         ];

     

       9
       -
       }

-1

modules/home/programs/default.nix

···

       5
        
           ./chromium

     

       6
        
           ./fastfetch

     

       7
        
           ./firefox

     

       8
       -
           ./firefox-based

     

       9
        
           ./helix

     

       10
        
           ./git

     

       11
        
           ./micro

···

       5
        
           ./chromium

     

       6
        
           ./fastfetch

     

       7
        
           ./firefox

     

       0
        
       
     

       8
        
           ./helix

     

       9
        
           ./git

     

       10
        
           ./micro

modules/home/programs/firefox-based/betterfox/fastfox.nix modules/home/snippets/firefox-based/betterfox/fastfox.nix

modules/home/programs/firefox-based/betterfox/peskyfox.nix modules/home/snippets/firefox-based/betterfox/peskyfox.nix

modules/home/programs/firefox-based/betterfox/securefox.nix modules/home/snippets/firefox-based/betterfox/securefox.nix

modules/home/programs/firefox-based/betterfox/smoothfox.nix modules/home/snippets/firefox-based/betterfox/smoothfox.nix

-1

modules/home/programs/firefox-based/default.nix modules/home/snippets/firefox-based/default.nix

···

       163
        
                     snowflake

     

       164
        
                     sponsorblock

     

       165
        
                     karakeep

     

       166
       -
                     ff2mpv

     

       167
        
                     bitwarden

     

       168
        
                   ];

     

       169

···

       163
        
                     snowflake

     

       164
        
                     sponsorblock

     

       165
        
                     karakeep

     

       0
        
       
     

       166
        
                     bitwarden

     

       167
        
                   ];

     

       168

modules/home/programs/firefox-based/engines.nix modules/home/snippets/firefox-based/engines.nix

+116

modules/home/programs/helix/default.nix

···

       1
        
       {

     

       2
        
         config,

     

       3
        
         lib,

     

       0
        
       
     

       4
        
         ...

     

       5
        
       }: {

     

       6
        
         options.myHome.programs.helix.enable = lib.mkEnableOption "helix";

     
···

       72
        
                   o = "extend_char_right";

     

       73
        
                 };

     

       74
        
               };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       75
        
             };

     

       76
        
           };

     

       77
        
         };

···

       1
        
       {

     

       2
        
         config,

     

       3
        
         lib,

     

       4
       +
         pkgs,

     

       5
        
         ...

     

       6
        
       }: {

     

       7
        
         options.myHome.programs.helix.enable = lib.mkEnableOption "helix";

     
···

       73
        
                   o = "extend_char_right";

     

       74
        
                 };

     

       75
        
               };

     

       76
       +
             };

     

       77
       +
             languages = {

     

       78
       +
               language-server = {

     

       79
       +
                 bash-language-server = {

     

       80
       +
                   command = "bash-language-server";

     

       81
       +
                   args = ["start"];

     

       82
       +
                 };

     

       83
       +
       

     

       84
       +
                 vscode-css-languageserver = {

     

       85
       +
                   command = lib.getExe pkgs.vscode-css-languageserver;

     

       86
       +
                   args = ["--stdio"];

     

       87
       +
                 };

     

       88
       +
       

     

       89
       +
                 fish-lsp = {

     

       90
       +
                   command = lib.getExe pkgs.fish-lsp;

     

       91
       +
                   args = ["--stdio"];

     

       92
       +
                 };

     

       93
       +
       

     

       94
       +
                 lua-language-server = {

     

       95
       +
                   command = lib.getExe pkgs.lua-language-server;

     

       96
       +
                   args = ["--stdio"];

     

       97
       +
                 };

     

       98
       +
       

     

       99
       +
                 marksman = {

     

       100
       +
                   command = lib.getExe pkgs.marksman;

     

       101
       +
                   args = ["--stdio"];

     

       102
       +
                 };

     

       103
       +
       

     

       104
       +
                 nixd = {

     

       105
       +
                   command = lib.getExe pkgs.nixd;

     

       106
       +
                 };

     

       107
       +
       

     

       108
       +
                 vscode-json-languageserver = {

     

       109
       +
                   command = lib.getExe pkgs.vscode-json-languageserver;

     

       110
       +
                   args = ["--stdio"];

     

       111
       +
                 };

     

       112
       +
       

     

       113
       +
                 typescript-language-server = with pkgs.nodePackages; {

     

       114
       +
                   command = "${typescript-language-server}/bin/typescript-language-server";

     

       115
       +
                   args = ["--stdio" "--tsserver-path=${typescript}/lib/node_modules/typescript/lib"];

     

       116
       +
                 };

     

       117
       +
       

     

       118
       +
                 superhtml = {

     

       119
       +
                   command = lib.getExe pkgs.superhtml;

     

       120
       +
                   args = ["--stdio"];

     

       121
       +
                 };

     

       122
       +
               };

     

       123
       +
       

     

       124
       +
               language = [

     

       125
       +
                 {

     

       126
       +
                   name = "bash";

     

       127
       +
                   auto-format = true;

     

       128
       +
                   file-types = ["sh" "bash" "dash" "ksh" "mksh"];

     

       129
       +
       

     

       130
       +
                   formatter = {

     

       131
       +
                     command = lib.getExe pkgs.shfmt;

     

       132
       +
                     args = ["-i" "2"];

     

       133
       +
                   };

     

       134
       +
       

     

       135
       +
                   language-servers = ["bash-language-server"];

     

       136
       +
                 }

     

       137
       +
                 {

     

       138
       +
                   name = "css";

     

       139
       +
                   auto-format = true;

     

       140
       +
                   formatter = {command = lib.getExe pkgs.prettier;};

     

       141
       +
                   language-servers = ["vscode-css-languageserver"];

     

       142
       +
                 }

     

       143
       +
                 {

     

       144
       +
                   name = "fish";

     

       145
       +
                   auto-format = true;

     

       146
       +
                   language-servers = ["fish-lsp"];

     

       147
       +
                 }

     

       148
       +
                 {

     

       149
       +
                   name = "html";

     

       150
       +
                   auto-format = true;

     

       151
       +
                   formatter = {command = lib.getExe pkgs.prettier;};

     

       152
       +
                   language-servers = ["superhtml"];

     

       153
       +
                 }

     

       154
       +
                 {

     

       155
       +
                   name = "javascript";

     

       156
       +
                   auto-format = true;

     

       157
       +
                   formatter = {command = lib.getExe pkgs.prettier;};

     

       158
       +
                   language-servers = ["typescript-language-server"];

     

       159
       +
                 }

     

       160
       +
                 {

     

       161
       +
                   name = "json";

     

       162
       +
                   auto-format = true;

     

       163
       +
                   formatter = {command = lib.getExe pkgs.prettier;};

     

       164
       +
                   language-servers = ["vscode-json-languageserver"];

     

       165
       +
                 }

     

       166
       +
                 {

     

       167
       +
                   name = "lua";

     

       168
       +
                   auto-format = true;

     

       169
       +
                   formatter = {command = lib.getExe pkgs.stylua;};

     

       170
       +
                   language-servers = ["lua-language-server"];

     

       171
       +
                 }

     

       172
       +
                 {

     

       173
       +
                   name = "markdown";

     

       174
       +
                   auto-format = true;

     

       175
       +
                   formatter = {command = lib.getExe pkgs.mdformat;};

     

       176
       +
                   language-servers = ["marksman"];

     

       177
       +
                 }

     

       178
       +
                 {

     

       179
       +
                   name = "nix";

     

       180
       +
                   auto-format = true;

     

       181
       +
                   formatter = {command = lib.getExe pkgs.alejandra;};

     

       182
       +
                   language-servers = ["nixd"];

     

       183
       +
                 }

     

       184
       +
                 {

     

       185
       +
                   name = "typescript";

     

       186
       +
                   auto-format = true;

     

       187
       +
                   formatter = {command = lib.getExe pkgs.prettier;};

     

       188
       +
                   language-servers = ["typescript-language-server"];

     

       189
       +
                 }

     

       190
       +
               ];

     

       191
        
             };

     

       192
        
           };

     

       193
        
         };

modules/home/snippets/default.nix

···

       1
       +
       {...}: {

     

       2
       +
         imports = [

     

       3
       +
           ./firefox-based

     

       4
       +
         ];

     

       5
       +
       }

+211 -264

modules/nixos/profiles/backups/default.nix

···

       17
        
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       18
        
         '';

     

       19
        
       

     

       20
       -
         backupDestinationA = "rclone:a_gdrive:/backups/${config.networking.hostName}";

     

       21
       -
         mkRepoA = service: "${backupDestinationA}/${service}";

     

       22
       -
         #backupDestinationB = "rclone:b_gdrive:/backups/${config.networking.hostName}";

     

       23
       -
         #mkRepoB = service: "${backupDestinationB}/${service}";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       24
        
       

     

       25
       -
         stop = service: ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       26
        
           #!${pkgs.bash}/bin/bash

     

       27
        
           ${mkNotify {

     

       28
       -
             message = "Backing up ${service}, stopping service";

     

       29
        
             channel = "network-status";

     

       30
        
           }}

     

       31
        
           ${pkgs.systemd}/bin/systemctl stop ${service}

     

       32
        
         '';

     

       33
        
       

     

       34
       -
         start = service: ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       35
        
           #!${pkgs.bash}/bin/bash

     

       36
        
           ${mkNotify {

     

       37
       -
             message = "Back up for ${service} was completed (idk if successfully tho), starting service";

     

       38
        
             channel = "network-status";

     

       39
        
           }}

     

       40
        
           ${pkgs.systemd}/bin/systemctl start ${service}

     

       41
        
         '';

     

       42
        
       

     

       43
       -
         prepareNoService = service: ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       44
        
           #!${pkgs.bash}/bin/bash

     

       45
        
           ${mkNotify {

     

       46
       -
             message = "Backing up ${service}";

     

       47
        
             channel = "network-status";

     

       48
        
           }}

     

       49
        
         '';

     

       50
        
       

     

       51
       -
         cleanupNoService = service: ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       52
        
           #!${pkgs.bash}/bin/bash

     

       53
        
           ${mkNotify {

     

       54
       -
             message = "Back up for ${service} was completed (idk if successfully tho)";

     

       55
        
             channel = "network-status";

     

       56
        
           }}

     

       57
        
         '';

     

       58
       -
       in {

     

       59
       -
         options.myNixOS.profiles.backups = {

     

       60
       -
           enable = lib.mkEnableOption "automatically back up enabled services to gdrive";

     

       61
       -
         };

     

       62
        
       

     

       63
       -
         config = lib.mkIf config.myNixOS.profiles.backups.enable {

     

       64
       -
           services.restic.backups = {

     

       65
       -
             audiobookshelf = lib.mkIf config.services.audiobookshelf.enable (

     

       66
       -
               config.mySnippets.restic

     

       67
       -
               // {

     

       68
       -
                 backupCleanupCommand = start "audiobookshelf";

     

       69
       -
                 backupPrepareCommand = stop "audiobookshelf";

     

       70
       -
                 paths = [config.services.audiobookshelf.dataDir];

     

       71
       -
                 repository = mkRepoA "audiobookshelf";

     

       72
       -
               }

     

       73
       -
             );

     

       74
       -
       

     

       75
       -
             bazarr = lib.mkIf config.services.bazarr.enable (

     

       76
       -
               config.mySnippets.restic

     

       77
       -
               // {

     

       78
       -
                 backupCleanupCommand = start "bazarr";

     

       79
       -
                 backupPrepareCommand = stop "bazarr";

     

       80
       -
                 paths = [config.services.bazarr.dataDir];

     

       81
       -
                 repository = mkRepoA "bazarr";

     

       82
       -
               }

     

       83
       -
             );

     

       84
       -
       

     

       85
       -
             couchdb = lib.mkIf config.services.couchdb.enable (

     

       86
       -
               config.mySnippets.restic

     

       87
       -
               // {

     

       88
       -
                 backupCleanupCommand = start "couchdb";

     

       89
       -
                 backupPrepareCommand = stop "couchdb";

     

       90
       -
                 paths = [config.services.couchdb.databaseDir];

     

       91
       -
                 repository = mkRepoA "couchdb";

     

       92
       -
               }

     

       93
       -
             );

     

       94
       -
       

     

       95
       -
             forgejo = lib.mkIf (config.services.forgejo.enable && config.services.forgejo.settings.storage.STORAGE_TYPE != "minio") (

     

       96
       -
               config.mySnippets.restic

     

       97
       -
               // {

     

       98
       -
                 paths = [config.services.forgejo.stateDir];

     

       99
       -
                 repository = mkRepoA "forgejo";

     

       100
       -
               }

     

       101
       -
             );

     

       102
       -
       

     

       103
       -
             # immich = lib.mkIf config.services.immich.enable (

     

       104
       -
             #   config.mySnippets.restic

     

       105
       -
             #   // {

     

       106
       -
             #     backupCleanupCommand = start "immich-server";

     

       107
       -
             #     backupPrepareCommand = stop "immich-server";

     

       108
       -
             #

     

       109
       -
             #     paths = [

     

       110
       -
             #       "${config.services.immich.mediaLocation}/library"

     

       111
       -
             #       "${config.services.immich.mediaLocation}/profile"

     

       112
       -
             #       "${config.services.immich.mediaLocation}/upload"

     

       113
       -
             #       "${config.services.immich.mediaLocation}/backups"

     

       114
       -
             #     ];

     

       115
       -
             #

     

       116
       -
             #     repository = mkRepoB "immich";

     

       117
       -
             #   }

     

       118
       -
             # );

     

       119
       -
       

     

       120
       -
             jellyfin = lib.mkIf config.services.jellyfin.enable (

     

       121
       -
               config.mySnippets.restic

     

       122
       -
               // {

     

       123
       -
                 backupCleanupCommand = start "jellyfin";

     

       124
       -
                 backupPrepareCommand = stop "jellyfin";

     

       125
       -
                 paths = [config.services.jellyfin.dataDir];

     

       126
       -
                 repository = mkRepoA "jellyfin";

     

       127
       -
               }

     

       128
       -
             );

     

       129
        
       

     

       130
       -
             lidarr = lib.mkIf config.services.lidarr.enable (

     

       131
       -
               config.mySnippets.restic

     

       132
       -
               // {

     

       133
       -
                 backupCleanupCommand = start "lidarr";

     

       134
       -
                 backupPrepareCommand = stop "lidarr";

     

       135
       -
                 paths = [config.services.lidarr.dataDir];

     

       136
       -
                 repository = mkRepoA "lidarr";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       137
        
               }

     

       138
       -
             );

     

       139
       -
       

     

       140
       -
             ombi = lib.mkIf config.services.ombi.enable (

     

       141
       -
               config.mySnippets.restic

     

       142
       -
               // {

     

       143
       -
                 backupCleanupCommand = start "ombi";

     

       144
       -
                 backupPrepareCommand = stop "ombi";

     

       145
       -
                 paths = [config.services.ombi.dataDir];

     

       146
       -
                 repository = mkRepoA "ombi";

     

       0
        
       
     

       147
        
               }

     

       148
       -
             );

     

       149
       -
       

     

       150
       -
             pds = lib.mkIf config.services.pds.enable (

     

       151
        
               config.mySnippets.restic

     

       152
        
               // {

     

       153
       -
                 backupCleanupCommand = start "pds";

     

       154
       -
                 backupPrepareCommand = stop "pds";

     

       155
       -
                 paths = [config.services.pds.settings.PDS_DATA_DIRECTORY];

     

       156
       -
                 repository = mkRepoA "pds";

     

       157
        
               }

     

       158
       -
             );

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       159
        
       

     

       160
       -
             plex = lib.mkIf config.services.plex.enable (

     

       161
       -
               config.mySnippets.restic

     

       162
       -
               // {

     

       163
       -
                 backupCleanupCommand = start "plex";

     

       164
       -
                 backupPrepareCommand = stop "plex";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       165
        
                 exclude = ["${config.services.plex.dataDir}/Plex Media Server/Plug-in Support/Databases"];

     

       166
       -
                 paths = [config.services.plex.dataDir];

     

       167
       -
                 repository = mkRepoA "plex";

     

       168
       -
               }

     

       169
       -
             );

     

       170
       -
       

     

       171
       -
             postgresql = lib.mkIf config.services.postgresql.enable (

     

       172
       -
               config.mySnippets.restic

     

       173
       -
               // {

     

       174
       -
                 paths = [config.services.postgresql.dataDir];

     

       175
       -
                 repository = mkRepoA "postgresql";

     

       176
       -
               }

     

       177
       -
             );

     

       178
       -
       

     

       179
       -
             prowlarr = lib.mkIf config.services.prowlarr.enable (

     

       180
       -
               config.mySnippets.restic

     

       181
       -
               // {

     

       182
       -
                 backupCleanupCommand = start "prowlarr";

     

       183
       -
                 backupPrepareCommand = stop "prowlarr";

     

       184
       -
                 paths = [config.services.prowlarr.dataDir];

     

       185
       -
                 repository = mkRepoA "prowlarr";

     

       186
       -
               }

     

       187
       -
             );

     

       188
       -
       

     

       189
       -
             qbittorrent = lib.mkIf config.myNixOS.services.qbittorrent.enable (

     

       190
       -
               config.mySnippets.restic

     

       191
       -
               // {

     

       192
       -
                 backupCleanupCommand = start "qbittorrent";

     

       193
       -
                 backupPrepareCommand = stop "qbittorrent";

     

       194
       -
                 paths = [config.myNixOS.services.qbittorrent.dataDir];

     

       195
       -
                 repository = mkRepoA "qbittorrent";

     

       196
       -
               }

     

       197
       -
             );

     

       198
       -
       

     

       199
       -
             radarr = lib.mkIf config.services.radarr.enable (

     

       200
       -
               config.mySnippets.restic

     

       201
       -
               // {

     

       202
       -
                 backupCleanupCommand = start "radarr";

     

       203
       -
                 backupPrepareCommand = stop "radarr";

     

       204
       -
                 paths = [config.services.radarr.dataDir];

     

       205
       -
                 repository = mkRepoA "radarr";

     

       206
       -
               }

     

       207
       -
             );

     

       208
       -
       

     

       209
       -
             readarr = lib.mkIf config.services.readarr.enable (

     

       210
       -
               config.mySnippets.restic

     

       211
       -
               // {

     

       212
       -
                 backupCleanupCommand = start "readarr";

     

       213
       -
                 backupPrepareCommand = stop "readarr";

     

       214
       -
                 paths = [config.services.readarr.dataDir];

     

       215
       -
                 repository = mkRepoA "readarr";

     

       216
       -
               }

     

       217
       -
             );

     

       218
       -
       

     

       219
       -
             sonarr = lib.mkIf config.services.sonarr.enable (

     

       220
       -
               config.mySnippets.restic

     

       221
       -
               // {

     

       222
       -
                 backupCleanupCommand = start "sonarr";

     

       223
       -
                 backupPrepareCommand = stop "sonarr";

     

       224
       -
                 paths = [config.services.sonarr.dataDir];

     

       225
       -
                 repository = mkRepoA "sonarr";

     

       226
       -
               }

     

       227
       -
             );

     

       228
       -
       

     

       229
       -
             autobrr = lib.mkIf config.services.autobrr.enable (

     

       230
       -
               config.mySnippets.restic

     

       231
       -
               // {

     

       232
       -
                 backupCleanupCommand = start "autobrr";

     

       233
       -
                 backupPrepareCommand = stop "autobrr";

     

       234
       -
                 paths = ["${config.myNixOS.profiles.arr.dataDir}/autobrr"];

     

       235
       -
                 repository = mkRepoA "autobrr";

     

       236
       -
               }

     

       237
       -
             );

     

       238
       -
       

     

       239
       -
             tautulli = lib.mkIf config.services.tautulli.enable (

     

       240
       -
               config.mySnippets.restic

     

       241
       -
               // {

     

       242
       -
                 backupCleanupCommand = start "tautulli";

     

       243
       -
                 backupPrepareCommand = stop "tautulli";

     

       244
       -
                 paths = [config.services.tautulli.dataDir];

     

       245
       -
                 repository = mkRepoA "tautulli";

     

       246
       -
               }

     

       247
       -
             );

     

       248
       -
       

     

       249
       -
             uptime-kuma = lib.mkIf config.services.uptime-kuma.enable (

     

       250
       -
               config.mySnippets.restic

     

       251
       -
               // {

     

       252
       -
                 backupCleanupCommand = start "uptime-kuma";

     

       253
       -
                 backupPrepareCommand = stop "uptime-kuma";

     

       254
       -
                 paths = ["/var/lib/uptime-kuma"];

     

       255
       -
                 repository = mkRepoA "uptime-kuma";

     

       256
       -
               }

     

       257
       -
             );

     

       258
       -
       

     

       259
       -
             vaultwarden = lib.mkIf config.services.vaultwarden.enable (

     

       260
       -
               config.mySnippets.restic

     

       261
       -
               // {

     

       262
       -
                 backupCleanupCommand = start "vaultwarden";

     

       263
       -
                 backupPrepareCommand = stop "vaultwarden";

     

       264
       -
                 paths = ["/var/lib/vaultwarden"];

     

       265
       -
                 repository = mkRepoA "vaultwarden";

     

       266
       -
               }

     

       267
       -
             );

     

       268
       -
       

     

       269
       -
             passwords = lib.mkIf (builtins.elem config.networking.hostName config.mySnippets.syncthing.folders."Passwords".devices) (

     

       270
       -
               config.mySnippets.restic

     

       271
       -
               // {

     

       272
       -
                 backupCleanupCommand = cleanupNoService "passwords";

     

       273
       -
                 backupPrepareCommand = prepareNoService "passwords";

     

       274
       -
                 paths = [config.mySnippets.syncthing.folders."Passwords".path];

     

       275
       -
                 repository = mkRepoA "passwords";

     

       276
       -
               }

     

       277
       -
             );

     

       278
       -
       

     

       279
       -
             radicale = lib.mkIf config.services.radicale.enable (

     

       280
       -
               config.mySnippets.restic

     

       281
       -
               // {

     

       282
       -
                 backupCleanupCommand = start "radicale";

     

       283
       -
                 backupPrepareCommand = stop "radicale";

     

       284
       -
                 paths = ["/var/lib/radicale"];

     

       285
       -
                 repository = mkRepoA "radicale";

     

       286
       -
               }

     

       287
       -
             );

     

       288
       -
       

     

       289
       -
             webdav = lib.mkIf config.services.webdav-server-rs.enable (

     

       290
       -
               config.mySnippets.restic

     

       291
       -
               // {

     

       292
       -
                 backupCleanupCommand = cleanupNoService "webdav";

     

       293
       -
                 backupPrepareCommand = prepareNoService "webdav";

     

       294
       -
                 paths = ["/var/lib/webdav"];

     

       295
       -
                 repository = mkRepoA "webdav";

     

       296
       -
               }

     

       297
       -
             );

     

       298
       -
       

     

       299
       -
             miniflux = lib.mkIf config.services.miniflux.enable (

     

       300
       -
               config.mySnippets.restic

     

       301
       -
               // {

     

       302
       -
                 backupCleanupCommand = start "miniflux";

     

       303
       -
                 backupPrepareCommand = stop "miniflux";

     

       304
       -
                 paths = ["/var/lib/miniflux"];

     

       305
       -
                 repository = mkRepoA "miniflux";

     

       306
       -
               }

     

       307
       -
             );

     

       308
       -
       

     

       309
       -
             jellyseerr = lib.mkIf config.services.jellyseerr.enable (

     

       310
       -
               config.mySnippets.restic

     

       311
       -
               // {

     

       312
       -
                 backupCleanupCommand = start "jellyseerr";

     

       313
       -
                 backupPrepareCommand = stop "jellyseerr";

     

       314
       -
                 paths = ["/var/lib/jellyseerr"];

     

       315
       -
                 repository = mkRepoA "jellyseerr";

     

       316
       -
               }

     

       317
       -
             );

     

       318
       -
           };

     

       319
        
         };

     

       320
        
       }

···

       17
        
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       18
        
         '';

     

       19
        
       

     

       20
       +
         repoMap = {

     

       21
       +
           A = "rclone:a_gdrive:/backups/${config.networking.hostName}";

     

       22
       +
           B = "rclone:b_gdrive:/backups/${config.networking.hostName}";

     

       23
       +
         };

     

       24
       +
         mkRepo = {

     

       25
       +
           repo,

     

       26
       +
           service,

     

       27
       +
         }: "${repoMap.${repo}}/${service}";

     

       28
        
       

     

       29
       +
         stop = {

     

       30
       +
           service,

     

       31
       +
           repoPath,

     

       32
       +
         }: ''

     

       33
        
           #!${pkgs.bash}/bin/bash

     

       34
        
           ${mkNotify {

     

       35
       +
             message = "Backing up ${service} to ${repoPath}, stopping service";

     

       36
        
             channel = "network-status";

     

       37
        
           }}

     

       38
        
           ${pkgs.systemd}/bin/systemctl stop ${service}

     

       39
        
         '';

     

       40
        
       

     

       41
       +
         start = {

     

       42
       +
           service,

     

       43
       +
           repoPath,

     

       44
       +
         }: ''

     

       45
        
           #!${pkgs.bash}/bin/bash

     

       46
        
           ${mkNotify {

     

       47
       +
             message = "Back up for ${service} to ${repoPath} was completed (idk if successfully tho), starting service";

     

       48
        
             channel = "network-status";

     

       49
        
           }}

     

       50
        
           ${pkgs.systemd}/bin/systemctl start ${service}

     

       51
        
         '';

     

       52
        
       

     

       53
       +
         prepareNoService = {

     

       54
       +
           service,

     

       55
       +
           repoPath,

     

       56
       +
         }: ''

     

       57
        
           #!${pkgs.bash}/bin/bash

     

       58
        
           ${mkNotify {

     

       59
       +
             message = "Backing up ${service} to ${repoPath}";

     

       60
        
             channel = "network-status";

     

       61
        
           }}

     

       62
        
         '';

     

       63
        
       

     

       64
       +
         cleanupNoService = {

     

       65
       +
           service,

     

       66
       +
           repoPath,

     

       67
       +
         }: ''

     

       68
        
           #!${pkgs.bash}/bin/bash

     

       69
        
           ${mkNotify {

     

       70
       +
             message = "Back up for ${service} to ${repoPath} was completed (idk if successfully tho)";

     

       71
        
             channel = "network-status";

     

       72
        
           }}

     

       73
        
         '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       74
        
       

     

       75
       +
         mkBackups = services:

     

       76
       +
           lib.listToAttrs (map (service: let

     

       77
       +
             repoKey = service.repo or "A";

     

       78
       +
             repoPath = mkRepo {

     

       79
       +
               repo = repoKey;

     

       80
       +
               service = service.name;

     

       81
       +
             };

     

       82
       +
             systemdService = service.name;

     

       83
       +
             backupMode = service.backupMode or "stop"; # "stop", "notify", "none"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       84
        
       

     

       85
       +
             commands =

     

       86
       +
               if backupMode == "stop"

     

       87
       +
               then {

     

       88
       +
                 backupCleanupCommand = start {

     

       89
       +
                   service = systemdService;

     

       90
       +
                   inherit repoPath;

     

       91
       +
                 };

     

       92
       +
                 backupPrepareCommand = stop {

     

       93
       +
                   service = systemdService;

     

       94
       +
                   inherit repoPath;

     

       95
       +
                 };

     

       96
        
               }

     

       97
       +
               else if backupMode == "notify"

     

       98
       +
               then {

     

       99
       +
                 backupCleanupCommand = cleanupNoService {

     

       100
       +
                   service = service.name;

     

       101
       +
                   inherit repoPath;

     

       102
       +
                 };

     

       103
       +
                 backupPrepareCommand = prepareNoService {

     

       104
       +
                   service = service.name;

     

       105
       +
                   inherit repoPath;

     

       106
       +
                 };

     

       107
        
               }

     

       108
       +
               else {};

     

       109
       +
           in

     

       110
       +
             lib.nameValuePair service.name (

     

       111
        
               config.mySnippets.restic

     

       112
        
               // {

     

       113
       +
                 repository = repoPath;

     

       114
       +
                 inherit (service) paths;

     

       0
        
       
     

       0
        
       
     

       115
        
               }

     

       116
       +
               // commands

     

       117
       +
               // (service.extraConfig or {})

     

       118
       +
             )) (lib.filter (s: s.enable) services));

     

       119
       +
       in {

     

       120
       +
         options.myNixOS.profiles.backups = {

     

       121
       +
           enable = lib.mkEnableOption "automatically back up enabled services";

     

       122
       +
         };

     

       123
        
       

     

       124
       +
         config = lib.mkIf config.myNixOS.profiles.backups.enable {

     

       125
       +
           services.restic.backups = mkBackups [

     

       126
       +
             {

     

       127
       +
               name = "audiobookshelf";

     

       128
       +
               inherit (config.services.audiobookshelf) enable;

     

       129
       +
               paths = [config.services.audiobookshelf.dataDir];

     

       130
       +
             }

     

       131
       +
             {

     

       132
       +
               name = "bazarr";

     

       133
       +
               inherit (config.services.bazarr) enable;

     

       134
       +
               paths = [config.services.bazarr.dataDir];

     

       135
       +
             }

     

       136
       +
             {

     

       137
       +
               name = "couchdb";

     

       138
       +
               inherit (config.services.couchdb) enable;

     

       139
       +
               paths = [config.services.couchdb.databaseDir];

     

       140
       +
             }

     

       141
       +
             {

     

       142
       +
               name = "forgejo";

     

       143
       +
               enable = config.services.forgejo.enable && config.services.forgejo.settings.storage.STORAGE_TYPE != "minio";

     

       144
       +
               paths = [config.services.forgejo.stateDir];

     

       145
       +
               backupMode = "none";

     

       146
       +
             }

     

       147
       +
             # {

     

       148
       +
             #   name = "immich";

     

       149
       +
             #   inherit (config.services.immich) enable;

     

       150
       +
             #   name = "immich-server";

     

       151
       +
             #   paths = [

     

       152
       +
             #     "${config.services.immich.mediaLocation}/library"

     

       153
       +
             #     "${config.services.immich.mediaLocation}/profile"

     

       154
       +
             #     "${config.services.immich.mediaLocation}/upload"

     

       155
       +
             #     "${config.services.immich.mediaLocation}/backups"

     

       156
       +
             #   ];

     

       157
       +
             #   repo = "B";

     

       158
       +
             # }

     

       159
       +
             {

     

       160
       +
               name = "jellyfin";

     

       161
       +
               inherit (config.services.jellyfin) enable;

     

       162
       +
               paths = [config.services.jellyfin.dataDir];

     

       163
       +
             }

     

       164
       +
             {

     

       165
       +
               name = "lidarr";

     

       166
       +
               inherit (config.services.lidarr) enable;

     

       167
       +
               paths = [config.services.lidarr.dataDir];

     

       168
       +
             }

     

       169
       +
             {

     

       170
       +
               name = "ombi";

     

       171
       +
               inherit (config.services.ombi) enable;

     

       172
       +
               paths = [config.services.ombi.dataDir];

     

       173
       +
             }

     

       174
       +
             {

     

       175
       +
               name = "pds";

     

       176
       +
               inherit (config.services.pds) enable;

     

       177
       +
               paths = [config.services.pds.settings.PDS_DATA_DIRECTORY];

     

       178
       +
             }

     

       179
       +
             {

     

       180
       +
               name = "plex";

     

       181
       +
               inherit (config.services.plex) enable;

     

       182
       +
               paths = [config.services.plex.dataDir];

     

       183
       +
               extraConfig = {

     

       184
        
                 exclude = ["${config.services.plex.dataDir}/Plex Media Server/Plug-in Support/Databases"];

     

       185
       +
               };

     

       186
       +
             }

     

       187
       +
             {

     

       188
       +
               name = "postgresql";

     

       189
       +
               inherit (config.services.postgresql) enable;

     

       190
       +
               paths = [config.services.postgresql.dataDir];

     

       191
       +
               backupMode = "none";

     

       192
       +
             }

     

       193
       +
             {

     

       194
       +
               name = "prowlarr";

     

       195
       +
               inherit (config.services.prowlarr) enable;

     

       196
       +
               paths = [config.services.prowlarr.dataDir];

     

       197
       +
             }

     

       198
       +
             {

     

       199
       +
               name = "qbittorrent";

     

       200
       +
               inherit (config.services.qbittorrent) enable;

     

       201
       +
               paths = [config.services.qbittorrent.dataDir];

     

       202
       +
             }

     

       203
       +
             {

     

       204
       +
               name = "radarr";

     

       205
       +
               inherit (config.services.radarr) enable;

     

       206
       +
               paths = [config.services.radarr.dataDir];

     

       207
       +
             }

     

       208
       +
             {

     

       209
       +
               name = "readarr";

     

       210
       +
               inherit (config.services.readarr) enable;

     

       211
       +
               paths = [config.services.readarr.dataDir];

     

       212
       +
             }

     

       213
       +
             {

     

       214
       +
               name = "sonarr";

     

       215
       +
               inherit (config.services.sonarr) enable;

     

       216
       +
               paths = [config.services.sonarr.dataDir];

     

       217
       +
             }

     

       218
       +
             {

     

       219
       +
               name = "autobrr";

     

       220
       +
               inherit (config.services.autobrr) enable;

     

       221
       +
               paths = ["${config.myNixOS.profiles.arr.dataDir}/autobrr"];

     

       222
       +
             }

     

       223
       +
             {

     

       224
       +
               name = "tautulli";

     

       225
       +
               inherit (config.services.tautulli) enable;

     

       226
       +
               paths = [config.services.tautulli.dataDir];

     

       227
       +
             }

     

       228
       +
             {

     

       229
       +
               name = "uptime-kuma";

     

       230
       +
               inherit (config.services.uptime-kuma) enable;

     

       231
       +
               paths = ["/var/lib/uptime-kuma"];

     

       232
       +
             }

     

       233
       +
             {

     

       234
       +
               name = "vaultwarden";

     

       235
       +
               inherit (config.services.vaultwarden) enable;

     

       236
       +
               paths = ["/var/lib/vaultwarden"];

     

       237
       +
             }

     

       238
       +
             {

     

       239
       +
               name = "passwords";

     

       240
       +
               enable = builtins.elem config.networking.hostName config.mySnippets.syncthing.folders."Passwords".devices;

     

       241
       +
               paths = [config.mySnippets.syncthing.folders."Passwords".path];

     

       242
       +
               backupMode = "notify";

     

       243
       +
             }

     

       244
       +
             {

     

       245
       +
               name = "radicale";

     

       246
       +
               inherit (config.services.radicale) enable;

     

       247
       +
               paths = ["/var/lib/radicale"];

     

       248
       +
             }

     

       249
       +
             {

     

       250
       +
               name = "webdav";

     

       251
       +
               inherit (config.services.webdav-server-rs) enable;

     

       252
       +
               paths = ["/var/lib/webdav"];

     

       253
       +
               backupMode = "notify";

     

       254
       +
             }

     

       255
       +
             {

     

       256
       +
               name = "miniflux";

     

       257
       +
               inherit (config.services.miniflux) enable;

     

       258
       +
               paths = ["/var/lib/miniflux"];

     

       259
       +
             }

     

       260
       +
             {

     

       261
       +
               name = "jellyseerr";

     

       262
       +
               inherit (config.services.jellyseerr) enable;

     

       263
       +
               paths = ["/var/lib/jellyseerr"];

     

       264
       +
             }

     

       265
       +
           ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       266
        
         };

     

       267
        
       }

+88

modules/nixos/services/fail2ban/README.md

···

       1
       +
       my actual config for cloudflare is hidden because duh there's api tokens in there so here's the one i'm using

     

       2
       +
       

     

       3
       +
       because of the way cloudflare bans work, the jails don't act independently when banning an ip, so if vaultwarden blocks one ip, the ip can't access anything on aylac.top anymore. i don't think there's a way of having independent ones with cloudflare, but honestly it doesn't change much for me does it

     

       4
       +
       

     

       5
       +
       a modified version of:

     

       6
       +
       https://github.com/l4rm4nd/F2BFilters/blob/main/data/action.d/action-ban-cloudflare.conf

     

       7
       +
       

     

       8
       +
       ```conf

     

       9
       +
       #

     

       10
       +
       # Author: Mike Rushton

     

       11
       +
       #

     

       12
       +
       # IMPORTANT

     

       13
       +
       #

     

       14
       +
       # Please set jail.local's permission to 640 because it contains your CF API key.

     

       15
       +
       #

     

       16
       +
       # This action depends on curl (and optionally jq).

     

       17
       +
       # Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE

     

       18
       +
       #

     

       19
       +
       # To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account

     

       20
       +
       #

     

       21
       +
       # CloudFlare API error codes: https://www.cloudflare.com/docs/host-api.html#s4.2

     

       22
       +
       

     

       23
       +
       [Definition]

     

       24
       +
       

     

       25
       +
       # Option:  actionstart

     

       26
       +
       # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).

     

       27
       +
       # Values:  CMD

     

       28
       +
       #

     

       29
       +
       #actionstart = bash /data/action.d/telegram_notif.sh -a start

     

       30
       +
       

     

       31
       +
       # Option:  actionstop

     

       32
       +
       # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)

     

       33
       +
       # Values:  CMD

     

       34
       +
       #

     

       35
       +
       #actionstop = bash /data/action.d/telegram_notif.sh -a stop

     

       36
       +
       

     

       37
       +
       # Option:  actioncheck

     

       38
       +
       # Notes.:  command executed once before each actionban command

     

       39
       +
       # Values:  CMD

     

       40
       +
       #

     

       41
       +
       actioncheck =

     

       42
       +
       

     

       43
       +
       # Option:  actionban

     

       44
       +
       # Notes.:  command executed when banning an IP. Take care that the

     

       45
       +
       #          command is executed with Fail2Ban user rights.

     

       46
       +
       # Tags:    <ip>  IP address

     

       47
       +
       #          <failures>  number of failures

     

       48
       +
       #          <time>  unix timestamp of the ban time

     

       49
       +
       # Values:  CMD

     

       50
       +
       #

     

       51
       +
       # API v1

     

       52
       +
       #actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'

     

       53
       +
       # API v4

     

       54
       +
       actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \

     

       55
       +
                   -d '{"mode":"block","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"Fail2Ban <name>"}' \

     

       56
       +
                   <_cf_api_url>

     

       57
       +
       

     

       58
       +
       # Option:  actionunban

     

       59
       +
       # Notes.:  command executed when unbanning an IP. Take care that the

     

       60
       +
       #          command is executed with Fail2Ban user rights.

     

       61
       +
       # Tags:    <ip>  IP address

     

       62
       +
       #          <failures>  number of failures

     

       63
       +
       #          <time>  unix timestamp of the ban time

     

       64
       +
       # Values:  CMD

     

       65
       +
       #

     

       66
       +
       # API v1

     

       67
       +
       #actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'

     

       68
       +
       # API v4

     

       69
       +
       actionunban = id=$(curl -s -X GET <_cf_api_prms> \

     

       70
       +
                          "<_cf_api_url>?mode=block&configuration_target=<cftarget>&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban%%20<name>" \

     

       71
       +
                          | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; })

     

       72
       +
                     if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;

     

       73
       +
                     curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id"

     

       74
       +
       

     

       75
       +
       _cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules

     

       76
       +
       _cf_api_prms = -H 'Authorization: Bearer <cftoken>' -H 'Content-Type: application/json'

     

       77
       +
       

     

       78
       +
       [Init]

     

       79
       +
       

     

       80
       +
       # cloudflare API token

     

       81
       +
       # https://dash.cloudflare.com/profile/api-tokens create a custom api here and enable account firewall access rules  both read and write

     

       82
       +
       cftoken = <putithere>

     

       83
       +
       

     

       84
       +
       cftarget = ip

     

       85
       +
       

     

       86
       +
       [Init?family=inet6]

     

       87
       +
       cftarget = ip6

     

       88
       +
       ```

+36 -8

modules/nixos/services/fail2ban/default.nix

···

       4
        
         pkgs,

     

       5
        
         ...

     

       6
        
       }: let

     

       7
       -
         # idk how to share this across files :(

     

       8
        
         mkNotify = {

     

       9
        
           message,

     

       10
        
           channel,

     

       11
        
           priority ? 1,

     

       12
        
         }: ''

     

       13
       -
           LOGIN=$(cat "${config.age.secrets.ntfyAuto.path}")

     

       14
       -
           ${pkgs.curl}/bin/curl -u $LOGIN \

     

       15
       -
           -H "X-Priority: ${toString priority}" \

     

       16
        
             -d '${message}' \

     

       17
        
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       18
        
         '';

     
···

       21
        
       

     

       22
        
         config = lib.mkIf config.myNixOS.services.fail2ban.enable {

     

       23
        
           environment.etc = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       24
        
             "fail2ban/action.d/ntfy.conf".text = ''

     

       25
        
               [Definition]

     

       26
       -
               actionbanned = ${mkNotify {

     

       27
       -
                 message = "Banned <ip> from <jail> at ${config.networking.hostName}";

     

       28
       -
                 channel = "network-status";

     

       29
        
                 priority = 3;

     

       30
        
               }}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       31
        
             '';

     

       32
        
       

     

       33
        
             "fail2ban/filter.d/forgejo.conf".text = ''

     
···

       62
        
             ignoreIP = ["100.64.0.0/10"];

     

       63
        
             bantime = "24h";

     

       64
        
             bantime-increment.enable = true;

     

       0
        
       
     

       65
        
             jails = {

     

       66
        
               forgejo.settings = {

     

       67
       -
                 action = "iptables-allports";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       68
        
                 bantime = 900;

     

       69
        
                 filter = "forgejo";

     

       70
        
                 findtime = 3600;

     
···

       74
        
               # HTTP basic-auth failures, 5 tries → 1-day ban

     

       75
        
               nginx-http-auth = {

     

       76
        
                 settings = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       77
        
                   enabled = true;

     

       78
        
                   maxretry = 5;

     

       79
        
                   findtime = 300;

     
···

       84
        
               # Generic scanner / bot patterns (wp-login.php, sqladmin, etc.)

     

       85
        
               nginx-botsearch = {

     

       86
        
                 settings = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       87
        
                   enabled = true;

     

       88
        
                   maxretry = 10;

     

       89
        
                   findtime = 300;

     
···

       96
        
                 filter = vaultwarden

     

       97
        
                 port = 80,443,${toString config.services.vaultwarden.config.ROCKET_PORT}

     

       98
        
                 maxretry = 5

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       99
        
               '';

     

       100
        
       

     

       101
        
               vaultwarden-admin = ''

     
···

       105
        
                 maxretry = 3

     

       106
        
                 bantime = 14400

     

       107
        
                 findtime = 14400

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       108
        
               '';

     

       109
        
             };

     

       110
        
           };

···

       4
        
         pkgs,

     

       5
        
         ...

     

       6
        
       }: let

     

       0
        
       
     

       7
        
         mkNotify = {

     

       8
        
           message,

     

       9
        
           channel,

     

       10
        
           priority ? 1,

     

       11
        
         }: ''

     

       12
       +
           curl -u $(cat "${config.age.secrets.ntfyAuto.path}") \

     

       13
       +
             -H "X-Priority: ${toString priority}" \

     

       0
        
       
     

       14
        
             -d '${message}' \

     

       15
        
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       16
        
         '';

     
···

       19
        
       

     

       20
        
         config = lib.mkIf config.myNixOS.services.fail2ban.enable {

     

       21
        
           environment.etc = {

     

       22
       +
             "fail2ban/action.d/mycloudflare.conf" = {

     

       23
       +
               user = "root";

     

       24
       +
               group = "root";

     

       25
       +
               mode = "0640";

     

       26
       +
               source = config.age.secrets.cloudflareFail2ban.path;

     

       27
       +
             };

     

       28
       +
       

     

       29
        
             "fail2ban/action.d/ntfy.conf".text = ''

     

       30
        
               [Definition]

     

       31
       +
               actionban = ${mkNotify {

     

       32
       +
                 message = "Arrested <ip> for trying to rob <name> at ${config.networking.hostName}";

     

       33
       +
                 channel = "fail2ban";

     

       34
        
                 priority = 3;

     

       35
        
               }}

     

       36
       +
               actionunban = ${mkNotify {

     

       37
       +
                 message = "Released <ip> from the jail at ${config.networking.hostName}";

     

       38
       +
                 channel = "fail2ban";

     

       39
       +
                 priority = 2;

     

       40
       +
               }}

     

       41
        
             '';

     

       42
        
       

     

       43
        
             "fail2ban/filter.d/forgejo.conf".text = ''

     
···

       72
        
             ignoreIP = ["100.64.0.0/10"];

     

       73
        
             bantime = "24h";

     

       74
        
             bantime-increment.enable = true;

     

       75
       +
             extraPackages = [pkgs.curl pkgs.jq pkgs.uutils-coreutils-noprefix];

     

       76
        
             jails = {

     

       77
        
               forgejo.settings = {

     

       78
       +
                 action = ''

     

       79
       +
                   mycloudflare

     

       80
       +
                     iptables-allports

     

       81
       +
                     ntfy'';

     

       82
        
                 bantime = 900;

     

       83
        
                 filter = "forgejo";

     

       84
        
                 findtime = 3600;

     
···

       88
        
               # HTTP basic-auth failures, 5 tries → 1-day ban

     

       89
        
               nginx-http-auth = {

     

       90
        
                 settings = {

     

       91
       +
                   action = ''

     

       92
       +
                     mycloudflare

     

       93
       +
                       iptables-allports

     

       94
       +
                       ntfy'';

     

       95
        
                   enabled = true;

     

       96
        
                   maxretry = 5;

     

       97
        
                   findtime = 300;

     
···

       102
        
               # Generic scanner / bot patterns (wp-login.php, sqladmin, etc.)

     

       103
        
               nginx-botsearch = {

     

       104
        
                 settings = {

     

       105
       +
                   action = ''

     

       106
       +
                     mycloudflare

     

       107
       +
                       iptables-allports

     

       108
       +
                       ntfy'';

     

       109
        
                   enabled = true;

     

       110
        
                   maxretry = 10;

     

       111
        
                   findtime = 300;

     
···

       118
        
                 filter = vaultwarden

     

       119
        
                 port = 80,443,${toString config.services.vaultwarden.config.ROCKET_PORT}

     

       120
        
                 maxretry = 5

     

       121
       +
                 action = mycloudflare

     

       122
       +
                     iptables-allports

     

       123
       +
                     ntfy

     

       124
        
               '';

     

       125
        
       

     

       126
        
               vaultwarden-admin = ''

     
···

       130
        
                 maxretry = 3

     

       131
        
                 bantime = 14400

     

       132
        
                 findtime = 14400

     

       133
       +
                 action = mycloudflare

     

       134
       +
                     iptables-allports

     

       135
       +
                     ntfy

     

       136
        
               '';

     

       137
        
             };

     

       138
        
           };

+11 -5

modules/snippets/tailnet/default.nix

···

       27
        
                 vHost = "jellyfin.${config.mySnippets.tailnet.name}";

     

       28
        
               };

     

       29
        
       

     

       30
       -
               immich = {

     

       31
       -
                 hostName = "nanpi";

     

       32
       -
                 port = 2283;

     

       33
       -
                 vHost = "immich.${config.mySnippets.tailnet.name}";

     

       34
       -
               };

     

       35
        
       

     

       36
        
               radicale = {

     

       37
        
                 hostName = "nanpi";

     
···

       121
        
                 hostName = "nanpi";

     

       122
        
                 port = 5055;

     

       123
        
                 vHost = "jellyseerr.${config.mySnippets.tailnet.name}";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       124
        
               };

     

       125
        
             };

     

       126
        
           };

···

       27
        
                 vHost = "jellyfin.${config.mySnippets.tailnet.name}";

     

       28
        
               };

     

       29
        
       

     

       30
       +
               #immich = {

     

       31
       +
               #  hostName = "nanpi";

     

       32
       +
               #  port = 2283;

     

       33
       +
               #  vHost = "immich.${config.mySnippets.tailnet.name}";

     

       34
       +
               #};

     

       35
        
       

     

       36
        
               radicale = {

     

       37
        
                 hostName = "nanpi";

     
···

       121
        
                 hostName = "nanpi";

     

       122
        
                 port = 5055;

     

       123
        
                 vHost = "jellyseerr.${config.mySnippets.tailnet.name}";

     

       124
       +
               };

     

       125
       +
       

     

       126
       +
               audiobookshelf = {

     

       127
       +
                 hostName = "nanpi";

     

       128
       +
                 port = 13378;

     

       129
       +
                 vHost = "audiobookshelf.${config.mySnippets.tailnet.name}";

     

       130
        
               };

     

       131
        
             };

     

       132
        
           };