commit c052bf03fc5d564ca101b225ad0379edf84209f9 · pyrox.dev/nix

+3 -5

hosts/marvin/default.nix

···

       8
       8
        
           ./hardware.nix

     

       9
       9
        
       

     

       10
       10
        
           # Running Services

     

       11
       11
       +
           # keep-sorted start

     

       11
       12
        
           ./services/anubis.nix

     

       12
       12
       -
           # ./services/authentik.nix

     

       13
       13
        
           ./services/avahi.nix

     

       14
       14
        
           ./services/bots.nix

     

       15
       15
        
           ./services/deemix.nix

     
···

       17
       17
        
           ./services/git.nix

     

       18
       18
        
           ./services/golink.nix

     

       19
       19
        
           ./services/grafana.nix

     

       20
       20
       -
           # ./services/iceshrimp.nix

     

       21
       20
        
           ./services/jellyfin.nix

     

       22
       21
        
           ./services/matrix.nix

     

       23
       22
        
           ./services/miniflux.nix

     

       24
       24
       -
           ./services/nginx.nix

     

       25
       23
        
           ./services/nextcloud

     

       24
       24
       +
           ./services/nginx.nix

     

       26
       25
        
           ./services/pinchflat.nix

     

       27
       27
       -
           ./services/pingvin-share.nix

     

       28
       26
        
           ./services/planka.nix

     

       29
       27
        
           ./services/pocket-id.nix

     

       30
       28
        
           ./services/podman.nix

     

       31
       29
        
           ./services/postgres.nix

     

       32
       30
        
           ./services/prometheus.nix

     

       33
       33
       -
           # ./services/redlib.nix

     

       34
       31
        
           ./services/scrutiny.nix

     

       35
       32
        
           ./services/syncthing.nix

     

       36
       33
        
           ./services/tailscale.nix

     

       37
       34
        
           ./services/tangled.nix

     

       38
       35
        
           ./services/vaultwarden.nix

     

       39
       36
        
           ./services/zfs.nix

     

       37
       37
       +
           # keep-sorted end

     

       40
       38
        
         ];

     

       41
       39
        
         nix.settings.max-jobs = 12;

     

       42
       40
        
         networking = {

-92

hosts/marvin/services/authentik.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         config,

     

       3
       3
       -
         self,

     

       4
       4
       -
         ...

     

       5
       5
       -
       }:

     

       6
       6
       -
       let

     

       7
       7
       -
         d = self.lib.data.services.authentik;

     

       8
       8
       -
       in

     

       9
       9
       -
       {

     

       10
       10
       -
         virtualisation.oci-containers.containers =

     

       11
       11
       -
           let

     

       12
       12
       -
             authentikVersion = "2025.4";

     

       13
       13
       -
             base = {

     

       14
       14
       -
               environmentFiles = [ config.age.secrets.authentik-env.path ];

     

       15
       15
       -
               extraOptions = [ "--network=authentik" ];

     

       16
       16
       -
             };

     

       17
       17
       -
             authentikBase = base // {

     

       18
       18
       -
               image = "ghcr.io/goauthentik/server:${authentikVersion}";

     

       19
       19
       -
               environment = {

     

       20
       20
       -
                 AUTHENTIK_REDIS__HOST = "authentik-redict";

     

       21
       21
       -
       

     

       22
       22
       -
                 # Postgres Settings

     

       23
       23
       -
                 AUTHENTIK_POSTGRESQL__HOST = "authentik-db";

     

       24
       24
       -
                 AUTHENTIK_POSTGRESQL__PORT = "5432";

     

       25
       25
       -
                 AUTHENTIK_POSTGRESQL__USER = "authentik";

     

       26
       26
       -
                 AUTHENTIK_POSTGRESQL__NAME = "authentik";

     

       27
       27
       -
                 AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}";

     

       28
       28
       -
       

     

       29
       29
       -
                 # Disable error reporting

     

       30
       30
       -
                 AUTHENTIK_ERROR_REPORTING__ENABLED = "false";

     

       31
       31
       -
       

     

       32
       32
       -
                 # Avatars are an attribute based on an uploaded file

     

       33
       33
       -
                 AUTHENTIK_AVATARS = "attributes.user.avatar";

     

       34
       34
       -
       

     

       35
       35
       -
                 # Email Settings

     

       36
       36
       -
                 AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";

     

       37
       37
       -
                 AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";

     

       38
       38
       -
                 AUTHENTIK_EMAIL__PORT = "465";

     

       39
       39
       -
                 AUTHENTIK_EMAIL__USE_TLS = "true";

     

       40
       40
       -
                 AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>";

     

       41
       41
       -
               };

     

       42
       42
       -
             };

     

       43
       43
       -
             authentikVols = [

     

       44
       44
       -
               "/var/lib/authentik/media:/media"

     

       45
       45
       -
               "/var/lib/authentik/templates:/templates"

     

       46
       46
       -
             ];

     

       47
       47
       -
           in

     

       48
       48
       -
           {

     

       49
       49
       -
             authentik-db = base // {

     

       50
       50
       -
               image = "postgres:17-alpine";

     

       51
       51
       -
               volumes = [ "/var/lib/authentik/db:/var/lib/postgresql/data" ];

     

       52
       52
       -
               environment = {

     

       53
       53
       -
                 POSTGRES_PASSWORD = "\${PG_PASS}";

     

       54
       54
       -
                 POSTGRES_USER = "authentik";

     

       55
       55
       -
                 POSTGRES_DB = "authentik";

     

       56
       56
       -
               };

     

       57
       57
       -
             };

     

       58
       58
       -
             authentik-redict = {

     

       59
       59
       -
               image = "registry.redict.io/redict:alpine";

     

       60
       60
       -
               extraOptions = [ "--network=authentik" ];

     

       61
       61
       -
             };

     

       62
       62
       -
             authentik-server = authentikBase // {

     

       63
       63
       -
               cmd = [ "server" ];

     

       64
       64
       -
               ports = [

     

       65
       65
       -
                 "${toString d.port}:9000"

     

       66
       66
       -
                 "6943:9443"

     

       67
       67
       -
                 "9301:9300"

     

       68
       68
       -
               ];

     

       69
       69
       -
               volumes = authentikVols ++ [ "/var/lib/authentik/custom.css:/web/dist/custom.css" ];

     

       70
       70
       -
             };

     

       71
       71
       -
             authentik-worker = authentikBase // {

     

       72
       72
       -
               cmd = [ "worker" ];

     

       73
       73
       -
               volumes = authentikVols ++ [ "/var/lib/authentik/certs:/certs" ];

     

       74
       74
       -
             };

     

       75
       75
       -
             authentik-ldap = base // {

     

       76
       76
       -
               image = "ghcr.io/goauthentik/ldap:${authentikVersion}";

     

       77
       77
       -
               ports = [

     

       78
       78
       -
                 "389:3389"

     

       79
       79
       -
                 "636:6636"

     

       80
       80
       -
               ];

     

       81
       81
       -
               environment = {

     

       82
       82
       -
                 AUTHENTIK_HOST = "https://${d.extUrl}";

     

       83
       83
       -
                 AUTHENTIK_INSECURE = "false";

     

       84
       84
       -
               };

     

       85
       85
       -
             };

     

       86
       86
       -
           };

     

       87
       87
       -
         age.secrets.authentik-env = {

     

       88
       88
       -
           file = ./secrets/authentik-env.age;

     

       89
       89
       -
           owner = "thehedgehog";

     

       90
       90
       -
           group = "misc";

     

       91
       91
       -
         };

     

       92
       92
       -
       }

-5

hosts/marvin/services/bookstack.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         services.bookstack = {

     

       3
       3
       -
           enable = true;

     

       4
       4
       -
         };

     

       5
       5
       -
       }

-97

hosts/marvin/services/iceshrimp.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         config,

     

       3
       3
       -
         inputs,

     

       4
       4
       -
         pkgs,

     

       5
       5
       -
         lib,

     

       6
       6
       -
         self,

     

       7
       7
       -
         ...

     

       8
       8
       -
       }:

     

       9
       9
       -
       let

     

       10
       10
       -
       

     

       11
       11
       -
         d = self.lib.data.services.iceshrimp;

     

       12
       12
       -
       

     

       13
       13
       -
         package = inputs.iceshrimp.packages.x86_64-linux.iceshrimp-pre.overrideAttrs rec {

     

       14
       14
       -
           version = "2023.12.8-pyrox1";

     

       15
       15
       -
           src = pkgs.fetchgit {

     

       16
       16
       -
             url = "https://iceshrimp.dev/pyrox/iceshrimp";

     

       17
       17
       -
             hash = "sha256-hxZ3rVVAiAMFAYhZ2o+WhlMuhjbt5EyHKOl1VyyL5RA=";

     

       18
       18
       -
             rev = "v${version}";

     

       19
       19
       -
             fetchLFS = true;

     

       20
       20
       -
             deepClone = false;

     

       21
       21
       -
           };

     

       22
       22
       -
           patches = [ ];

     

       23
       23
       -
         };

     

       24
       24
       -
       in

     

       25
       25
       -
       {

     

       26
       26
       -
         services.iceshrimp = {

     

       27
       27
       -
           inherit package;

     

       28
       28
       -
           enable = false;

     

       29
       29
       -
           secretConfig = config.age.secrets.iceshrimp-secret-config.path;

     

       30
       30
       -
           dbPasswordFile = config.age.secrets.iceshrimp-db-password.path;

     

       31
       31
       -
           createDb = true;

     

       32
       32
       -
           configureNginx.enable = false;

     

       33
       33
       -
           settings = {

     

       34
       34
       -
             inherit (d) port;

     

       35
       35
       -
             url = "https://${d.extUrl}";

     

       36
       36
       -
             accountDomain = "pyrox.dev";

     

       37
       37
       -
             redis.port = 6997;

     

       38
       38
       -
             maxNoteLength = 16384;

     

       39
       39
       -
             maxCaptionLength = 8192;

     

       40
       40
       -
             clusterLimit = 4;

     

       41
       41
       -
             deliverJobConcurrency = 192;

     

       42
       42
       -
             inboxJobConcurrency = 32;

     

       43
       43
       -
             deliverJobPerSec = 256;

     

       44
       44
       -
             inboxJobPerSec = 32;

     

       45
       45
       -
             outgoingAddressFamily = "dual";

     

       46
       46
       -
             # See the withdrawal patches for obliterate info

     

       47
       47
       -
             enableObliterate = true;

     

       48
       48
       -
             obliterateJobPerSec = 16;

     

       49
       49
       -
             obliterateJobMaxAttempts = 3;

     

       50
       50
       -
             mediaCleanup = {

     

       51
       51
       -
               cron = true;

     

       52
       52
       -
               maxAgeDays = 30;

     

       53
       53
       -
               cleanAvatars = true;

     

       54
       54
       -
               cleanHeaders = true;

     

       55
       55
       -
             };

     

       56
       56
       -
             htmlCache = {

     

       57
       57
       -
               ttl = "6h";

     

       58
       58
       -
               prewarm = true;

     

       59
       59
       -
               dbFallback = true;

     

       60
       60
       -
             };

     

       61
       61
       -
             wordMuteCache.ttl = "24h";

     

       62
       62
       -
             isManagedHosting = true;

     

       63
       63
       -
             email = {

     

       64
       64
       -
               managed = true;

     

       65
       65
       -
               address = "social@pyrox.dev";

     

       66
       66
       -
               host = "mail.pyrox.dev";

     

       67
       67
       -
               port = 465;

     

       68
       68
       -
               user = "social@pyrox.dev";

     

       69
       69
       -
               useImplicitSslTls = true;

     

       70
       70
       -
             };

     

       71
       71
       -
             objectStorage = {

     

       72
       72
       -
               managed = true;

     

       73
       73
       -
               baseUrl = "https://pool.jortage.com/socialpyroxdev";

     

       74
       74
       -
               bucket = "socialpyroxdev";

     

       75
       75
       -
               prefix = "mkmedia";

     

       76
       76
       -
               endpoint = "pool-api.jortage.com";

     

       77
       77
       -
               region = "jort";

     

       78
       78
       -
               useSsl = true;

     

       79
       79
       -
               connnectOverProxy = false;

     

       80
       80
       -
               setPublicReadOnUpload = false;

     

       81
       81
       -
               s3ForcePathStyle = true;

     

       82
       82
       -
             };

     

       83
       83
       -
           };

     

       84
       84
       -
         };

     

       85
       85
       -
         age.secrets = lib.mkIf config.services.iceshrimp.enable {

     

       86
       86
       -
           iceshrimp-secret-config = {

     

       87
       87
       -
             inherit (config.services.iceshrimp) group;

     

       88
       88
       -
             file = ./secrets/iceshrimp-secret-config.age;

     

       89
       89
       -
             owner = config.services.iceshrimp.user;

     

       90
       90
       -
           };

     

       91
       91
       -
           iceshrimp-db-password = {

     

       92
       92
       -
             file = ./secrets/iceshrimp-db-password.age;

     

       93
       93
       -
             owner = "postgres";

     

       94
       94
       -
             group = "postgres";

     

       95
       95
       -
           };

     

       96
       96
       -
         };

     

       97
       97
       -
       }

-11

hosts/marvin/services/minio.nix

···

       1
       1
       -
       { config, ... }:

     

       2
       2
       -
       {

     

       3
       3
       -
         services.minio = {

     

       4
       4
       -
           enable = true;

     

       5
       5
       -
           region = "us-east-1";

     

       6
       6
       -
           browser = true;

     

       7
       7
       -
           listenAddress = ":6990";

     

       8
       8
       -
           consoleAddress = ":6991";

     

       9
       9
       -
           rootCredentialsFile = config.age.secrets.minio-root.path;

     

       10
       10
       -
         };

     

       11
       11
       -
       }

-130

hosts/marvin/services/pingvin-share.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         config,

     

       3
       3
       -
         pkgs,

     

       4
       4
       -
         self',

     

       5
       5
       -
         self,

     

       6
       6
       -
         ...

     

       7
       7
       -
       }:

     

       8
       8
       -
       let

     

       9
       9
       -
         d = self.lib.data.services.pingvin-share;

     

       10
       10
       -
         cfg = config.services.pingvin-share;

     

       11
       11
       -
         configFormat = pkgs.formats.yaml { };

     

       12
       12
       -
         configFile = configFormat.generate "config.yaml" {

     

       13
       13
       -
           general = {

     

       14
       14
       -
             appName = "dishNet Share";

     

       15
       15
       -
             appUrl = "https://share.pyrox.dev";

     

       16
       16
       -
             secureCookies = "true";

     

       17
       17
       -
             showHomePage = "false";

     

       18
       18
       -
           };

     

       19
       19
       -
           share = {

     

       20
       20
       -
             allowRegistration = "false";

     

       21
       21
       -
             allowUnauthenticatedShares = "false";

     

       22
       22
       -
             maxSize = "10000000000";

     

       23
       23
       -
           };

     

       24
       24
       -
           email.enableShareEmailRecipients = "true";

     

       25
       25
       -
           smtp = {

     

       26
       26
       -
             enabled = "true";

     

       27
       27
       -
             host = "mail.pyrox.dev";

     

       28
       28
       -
             port = "465";

     

       29
       29
       -
             email = "share@pyrox.dev";

     

       30
       30
       -
             username = "share@pyrox.dev";

     

       31
       31
       -
             password = "SMTP_PASSWORD";

     

       32
       32
       -
           };

     

       33
       33
       -
           ldap.enabled = "false";

     

       34
       34
       -
           legal.enabled = "false";

     

       35
       35
       -
           s3.enabled = "false";

     

       36
       36
       -
           oauth = {

     

       37
       37
       -
             ignoreTotp = "true";

     

       38
       38
       -
             oidc-enabled = "true";

     

       39
       39
       -
             oidc-clientSecret = "CLIENT_SECRET";

     

       40
       40
       -
             oidc-clientId = "d83006a6-9b08-47eb-af56-418065db09b5";

     

       41
       41
       -
             oidc-discoveryUri = "https://auth.pyrox.dev/.well-known/openid-configuration";

     

       42
       42
       -
             oidc-signOut = "false";

     

       43
       43
       -
             oidc-scope = "openid email profile groups";

     

       44
       44
       -
             oidc-rolePath = "groups";

     

       45
       45
       -
             oidc-roleAdminAccess = "admins";

     

       46
       46
       -
           };

     

       47
       47
       -
           initUser.enabled = false;

     

       48
       48
       -
         };

     

       49
       49
       -
       in

     

       50
       50
       -
       {

     

       51
       51
       -
         virtualisation.oci-containers.containers = {

     

       52
       52
       -
           pingvin-share-server = {

     

       53
       53
       -
             image = "ghcr.io/stonith404/pingvin-share:latest";

     

       54
       54
       -
             ports = [

     

       55
       55
       -
               "${toString d.port}:3000"

     

       56
       56
       -
               "${toString d.be-port}:8080"

     

       57
       57
       -
             ];

     

       58
       58
       -
             volumes = [

     

       59
       59
       -
               "/var/lib/pingvin-share/data:/opt/app/backend/data"

     

       60
       60
       -
               "/var/lib/pingvin-share/data/images:/opt/app/frontend/public/img"

     

       61
       61
       -
               "/var/lib/pingvin-share/config.yaml:/opt/app/config.yaml"

     

       62
       62
       -
             ];

     

       63
       63
       -
             environment = {

     

       64
       64
       -
               API_URL = "https://share.pyrox.dev";

     

       65
       65
       -
               PUID = "962";

     

       66
       66
       -
               PGID = "959";

     

       67
       67
       -
             };

     

       68
       68
       -
           };

     

       69
       69
       -
         };

     

       70
       70
       -
         users.users.pingvin = {

     

       71
       71
       -
           uid = 962;

     

       72
       72
       -
           inherit (cfg) group;

     

       73
       73
       -
           isSystemUser = true;

     

       74
       74
       -
         };

     

       75
       75
       -
         users.groups.pingvin = {

     

       76
       76
       -
           gid = 959;

     

       77
       77
       -
         };

     

       78
       78
       -
       

     

       79
       79
       -
         services = {

     

       80
       80
       -
           pingvin-share = {

     

       81
       81
       -
             enable = false;

     

       82
       82
       -
             backend.port = d.be-port;

     

       83
       83
       -
             frontend.port = d.port;

     

       84
       84
       -
             hostname = "share.pyrox.dev";

     

       85
       85
       -
             https = true;

     

       86
       86
       -
           };

     

       87
       87
       -
           anubis.instances = {

     

       88
       88
       -
             pingvin-share-be = {

     

       89
       89
       -
               settings = {

     

       90
       90
       -
                 BIND = ":${toString d.be-anubis}";

     

       91
       91
       -
                 POLICY_FNAME = "${self'.packages.anubis-files}/policies/pingvin-share.yaml";

     

       92
       92
       -
                 TARGET = "http://localhost:${toString d.be-port}";

     

       93
       93
       -
               };

     

       94
       94
       -
             };

     

       95
       95
       -
             pingvin-share-fe = {

     

       96
       96
       -
               settings = {

     

       97
       97
       -
                 BIND = ":${toString d.anubis}";

     

       98
       98
       -
                 POLICY_FNAME = "${self'.packages.anubis-files}/policies/pingvin-share.yaml";

     

       99
       99
       -
                 TARGET = "http://localhost:${toString d.port}";

     

       100
       100
       -
               };

     

       101
       101
       -
             };

     

       102
       102
       -
           };

     

       103
       103
       -
         };

     

       104
       104
       -
         systemd.services.init-pingvin-config = {

     

       105
       105
       -
           enable = true;

     

       106
       106
       -
           description = "Pingvin Share configuration setup";

     

       107
       107
       -
           wantedBy = [ "multi-user.target" ];

     

       108
       108
       -
           before = [

     

       109
       109
       -
             "docker-pingvin-share-server.service"

     

       110
       110
       -
           ];

     

       111
       111
       -
           path = [ pkgs.gnused ];

     

       112
       112
       -
           script = ''

     

       113
       113
       -
             rm ${cfg.dataDir}/config.yaml

     

       114
       114
       -
             cp ${configFile} ${cfg.dataDir}/config.yaml

     

       115
       115
       -
             sed -i "s/SMTP_PASSWORD/\"$SMTP_PASSWORD\"/" ${cfg.dataDir}/config.yaml

     

       116
       116
       -
             sed -i "s/CLIENT_SECRET/\"$CLIENT_SECRET\"/" ${cfg.dataDir}/config.yaml

     

       117
       117
       -
           '';

     

       118
       118
       -
           serviceConfig = {

     

       119
       119
       -
             EnvironmentFile = config.age.secrets.pingvin-secrets.path;

     

       120
       120
       -
             User = cfg.user;

     

       121
       121
       -
             Group = cfg.group;

     

       122
       122
       -
             ReadWritePaths = [ "${cfg.dataDir}" ];

     

       123
       123
       -
           };

     

       124
       124
       -
         };

     

       125
       125
       -
         age.secrets.pingvin-secrets = {

     

       126
       126
       -
           file = ./secrets/pingvin-secrets.age;

     

       127
       127
       -
           owner = cfg.user;

     

       128
       128
       -
           inherit (cfg) group;

     

       129
       129
       -
         };

     

       130
       130
       -
       }

-5

hosts/marvin/services/prosody.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         services.prosody = {

     

       3
       3
       -
           enable = true;

     

       4
       4
       -
         };

     

       5
       5
       -
       }

-12

hosts/marvin/services/redlib.nix

···

       1
       1
       -
       { pkgs, self, ... }:

     

       2
       2
       -
       let

     

       3
       3
       -
         d = self.lib.data.services.redlib;

     

       4
       4
       -
       in

     

       5
       5
       -
       {

     

       6
       6
       -
         services.libreddit = {

     

       7
       7
       -
           inherit (d) port;

     

       8
       8
       -
           enable = true;

     

       9
       9
       -
           package = pkgs.redlib;

     

       10
       10
       -
           openFirewall = false;

     

       11
       11
       -
         };

     

       12
       12
       -
       }

-23

hosts/marvin/services/webmentiond.nix

···

       1
       1
       -
       { config, self, ... }:

     

       2
       2
       -
       let

     

       3
       3
       -
         d = self.lib.data.services.webmentiond;

     

       4
       4
       -
         p = toString d.port;

     

       5
       5
       -
       in

     

       6
       6
       -
       {

     

       7
       7
       -
         virtualisation.oci-containers.containers.webmentiond = {

     

       8
       8
       -
           image = "zerok/webmentiond:latest";

     

       9
       9
       -
           volumes = [ "/var/lib/webmentiond:/data" ];

     

       10
       10
       -
           environmentFiles = [ config.age.secrets.webmentiond-env.path ];

     

       11
       11
       -
           ports = [ "${p}:${p}" ];

     

       12
       12
       -
           cmd = [

     

       13
       13
       -
             "--addr 0.0.0.0:${p}"

     

       14
       14
       -
             "--public-url https://${d.extUrl}"

     

       15
       15
       -
             "--auth-admin-emails pyrox@pyrox.dev"

     

       16
       16
       -
           ];

     

       17
       17
       -
         };

     

       18
       18
       -
         config.age.secrets = {

     

       19
       19
       -
           webmentiond-env.path = ./secrets/webmentiond-env.age;

     

       20
       20
       -
           owner = "thehedgehog";

     

       21
       21
       -
           group = "misc";

     

       22
       22
       -
         };

     

       23
       23
       -
       }