diff --git a/hosts/ds9/containers.nix b/hosts/ds9/containers.nix index cd54fc7f..23e03b40 100644 --- a/hosts/ds9/containers.nix +++ b/hosts/ds9/containers.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let postgres-multi-db = pkgs.writeText "postgres-multiple-db.sh" '' #!/usr/bin/env bash @@ -22,9 +27,15 @@ let ''; in { - imports = [ ./authentik.nix ./part-db.nix ]; + imports = [ + ./authentik.nix + ./part-db.nix + ]; networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ]; - networking.firewall.interfaces."podman+".allowedTCPPorts = [ 12300 3001 ]; + networking.firewall.interfaces."podman+".allowedTCPPorts = [ + 12300 + 3001 + ]; fileSystems."/var/lib/containers" = { device = "spool/safe/containers"; fsType = "zfs"; @@ -58,7 +69,11 @@ in }; virtualisation.oci-containers.containers.postgres = { image = "docker.io/tensorchord/pgvecto-rs:pg16-v0.2.1"; - extraOptions = [ "--network=db-net" "--health-cmd" "pg_isready -U postgres" ]; + extraOptions = [ + "--network=db-net" + "--health-cmd" + "pg_isready -U postgres" + ]; dependsOn = [ "db-network" ]; environment = { POSTGRES_INITDB_ARGS = "--data-checksums"; @@ -83,7 +98,11 @@ in virtualisation.oci-containers.containers.immich-redis = { image = "docker.io/valkey/valkey:7.2.6-alpine"; environment.TZ = "Europe/Berlin"; - extraOptions = [ "--health-cmd" "valkey-cli ping || exit 1" "--network=immich-net" ]; + extraOptions = [ + "--health-cmd" + "valkey-cli ping || exit 1" + "--network=immich-net" + ]; environmentFiles = [ config.age.secrets.ds9ImmichEnv.path ]; 
@@ -92,8 +111,16 @@ in virtualisation.oci-containers.containers.immich-server = { user = "1000:100"; image = "ghcr.io/immich-app/immich-server:release"; - extraOptions = [ "--network=podman" "--network=immich-net" "--network=db-net" ]; - dependsOn = [ "immich-network" "immich-redis" "postgres" ]; + extraOptions = [ + "--network=podman" + "--network=immich-net" + "--network=db-net" + ]; + dependsOn = [ + "immich-network" + "immich-redis" + "postgres" + ]; ports = [ "8765:3001" ]; volumes = [ "/data/immich:/usr/src/app/upload" @@ -111,8 +138,16 @@ in virtualisation.oci-containers.containers.immich-machine-learning = { user = "1000:100"; image = "ghcr.io/immich-app/immich-machine-learning:release"; - extraOptions = [ "--network=immich-net" "--network=db-net" "--network=podman" ]; - dependsOn = [ "immich-network" "immich-redis" "postgres" ]; + extraOptions = [ + "--network=immich-net" + "--network=db-net" + "--network=podman" + ]; + dependsOn = [ + "immich-network" + "immich-redis" + "postgres" + ]; volumes = [ "immich-model-cache:/cache" ]; @@ -162,7 +197,10 @@ in virtualisation.oci-containers.containers.changedetection = { image = "dgtlmoon/changedetection.io"; - extraOptions = [ "--network=podman" "--network=cd-net" ]; + extraOptions = [ + "--network=podman" + "--network=cd-net" + ]; volumes = [ "changedetection-data:/datastore" ]; @@ -170,7 +208,10 @@ in virtualisation.oci-containers.containers.grafana = { image = "grafana/grafana-oss:latest"; - extraOptions = [ "--network=podman" "--network=db-net" ]; + extraOptions = [ + "--network=podman" + "--network=db-net" + ]; volumes = let ini = pkgs.writeText "grafana.ini" '' @@ -178,7 +219,7 @@ in allow_sign_up = false auto_assign_org = true auto_assign_org_role = Editor - + [auth.proxy] enabled = true headers = Name:X-Authentik-Username Email:X-Authentik-Email Groups:X-Authentik-Groups 
@@ -201,7 +242,10 @@ in }; virtualisation.oci-containers.containers.node-red = { image = "nodered/node-red:latest"; - extraOptions = [ "--network=podman" "--network=db-net" ]; + extraOptions = [ + "--network=podman" + "--network=db-net" + ]; volumes = [ "nodered-data:/data" ]; @@ -209,7 +253,11 @@ in virtualisation.oci-containers.containers.jellyfin = { image = "jellyfin/jellyfin:latest"; user = "1000:100"; - extraOptions = [ "--network=podman" "--mount" "type=bind,source=/data/media,destination=/media,ro=true,relabel=private" ]; + extraOptions = [ + "--network=podman" + "--mount" + "type=bind,source=/data/media,destination=/media,ro=true,relabel=private" + ]; volumes = [ "jellyfin-config:/config" "jellyfin-cache:/cache" @@ -226,8 +274,8 @@ in environment = { ALLOWED_HOSTS = "*"; # set this to the hostname(s) you're going to serve the site from! CSRF_TRUSTED_ORIGINS = "https://archive.hailsatan.eu"; # you MUST set this to the server's URL for admin login and the REST API to work - REVERSE_PROXY_USER_HEADER="X-Authentik-Username"; - REVERSE_PROXY_WHITELIST="10.88.0.1/32"; + REVERSE_PROXY_USER_HEADER = "X-Authentik-Username"; + REVERSE_PROXY_WHITELIST = "10.88.0.1/32"; PUBLIC_INDEX = "False"; # set to False to prevent anonymous users from viewing snapshot list PUBLIC_SNAPSHOTS = "False"; # set to False to prevent anonymous users from viewing snapshot content PUBLIC_ADD_VIEW = "False"; # set to True to allow anonymous users to submit new URLs to archive 
@@ -235,14 +283,22 @@ in SEARCH_BACKEND_HOST_NAME = "archivebox_sonic"; SEARCH_BACKEND_PASSWORD = "SomeSecretPassword"; }; - extraOptions = [ "--network=archivebox-net" "--network=podman" ]; + extraOptions = [ + "--network=archivebox-net" + "--network=podman" + ]; volumes = [ "/data/media/archivebox:/data" ]; }; virtualisation.oci-containers.containers.archivebox_scheduler = { image = "archivebox/archivebox:latest"; - cmd = [ "schedule" "--foreground" "--update" "--every=day" ]; + cmd = [ + "schedule" + "--foreground" + "--update" + "--every=day" + ]; environment = { TIMEOUT = "120"; ALLOWED_HOSTS = "*"; # set this to the hostname(s) you're going to serve the site from! @@ -254,7 +310,10 @@ in SEARCH_BACKEND_HOST_NAME = "archivebox_sonic"; SEARCH_BACKEND_PASSWORD = "SomeSecretPassword"; }; - extraOptions = [ "--network=archivebox-net" "--network=podman" ]; + extraOptions = [ + "--network=archivebox-net" + "--network=podman" + ]; volumes = [ "/data/media/archivebox:/data" ]; 
@@ -304,9 +363,95 @@ in # "/nix/store:/nix/store" ]; }; + virtualisation.oci-containers.containers.copyparty = { + image = "docker.io/copyparty/ac:latest"; + extraOptions = [ "--network=podman" ]; + ports = []; + volumes = let copypartyCfg = '' + [global] + xff-src: 10.88.0.1/24 + idp-h-usr: X-Authentik-Username + idp-h-grp: X-Copyparty-Group + e2dsa # enable file indexing and filesystem scanning + e2ts # enable multimedia indexing + ansi # enable colors in log messages + re-maxage: 3600 # rescan every something + hist: /data/media/copyparty/cache + name: the gayest storage in the west + no-robots + shr: /shr + shr-adm: @admin + [/] + /data/media/copyparty/srv + accs: + A: @admin + [/noauth] # accessible without auth public + /data/media/copyparty/srv/noauth + accs: + A: @admin + g: * + [/dump] + /data/media/copyparty/srv/dump + flags: + dedup + accs: + A: @admin + w: * + [/pub] + /data/media/copyparty/srv/pub + flags: + dedup + accs: + A: @admin + rw: * + [/tv] + /data/media/tv + flags: + hist: /data/media/copyparty/hist/tv + accs: + r: * + [/movies] + /data/media/movies + flags: + hist: /data/media/copyparty/hist/movies + accs: + r: * + [/books] + /data/media/books + flags: + hist: /data/media/copyparty/hist/books + accs: + r: * + [/audiobooks] + /data/media/audiobooks + flags: + hist: /data/media/copyparty/hist/audiobooks + accs: + r: * + [/music] + /data/media/music + flags: + hist: /data/media/copyparty/hist/music + accs: + r: * + [/games] + /data/media/games + flags: + hist: /data/media/copyparty/hist/games + accs: + r: * + ''; cpp = pkgs.writeText "copyparty.conf" copypartyCfg; in + [ - - - + "/data/media/tv:/data/media/tv:ro" + "/data/media/movies:/data/media/movies:ro" + "/data/media/audiobooks:/data/media/audiobooks:ro" + "/data/media/books:/data/media/books:ro" + "/data/media/beets:/data/media/music:ro" + "/data/media/copyparty:/data/media/copyparty" + "/data/media/copyparty/cfg:/cfg" + "${cpp}:/cfg/copyparty.conf" + ]; + }; } 
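Review bot: `xff-src: 10.88.0.1/24` in the new copyparty config trusts the whole 10.88.0.0/24 podman bridge rather than only the host-side gateway, whereas the archivebox container on this same page pins its trusted proxy to `REVERSE_PROXY_WHITELIST = "10.88.0.1/32"`. The container is attached only to `--network=podman`, so every other container on that bridge can reach it on 3923 directly, and if copyparty, as its IdP setup describes, accepts the `idp-h-usr`/`idp-h-grp` headers from any address in `xff-src`, any of those containers could present its own `X-Authentik-Username`. Narrow it to `xff-src: 10.88.0.1/32` unless a second proxy address is genuinely expected. Separately, the `[/games]` volume points at `/data/media/games`, but no bind mount for that path appears in the volumes list (tv, movies, audiobooks, books, beets→music and copyparty are mounted), so either add `"/data/media/games:/data/media/games:ro"` or drop that section.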
diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index e3835871..ebf59908 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@@ -180,7 +180,7 @@ in
 resolvers 10.88.0.1 # podman dns
 }
 uri /outpost.goauthentik.io/auth/caddy
- copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
 }
 reverse_proxy {args[:]} {
 transport http {
@@ -241,6 +241,22 @@ in
 import podmanRedirWithAuth http://archivebox:8000
 }
 }
+ @copyparty host c.hailsatan.eu
+ handle @copyparty {
+ handle /shr/* {
+ import podmanRedir http://copyparty:3923
+ }
+ @noauth {
+ method GET OPTIONS HEAD
+ path /noauth/*
+ }
+ handle @noauth {
+ import podmanRedir http://copyparty:3923
+ }
+ handle {
+ import podmanRedirWithAuth http://copyparty:3923
+ }
+ }
 handle {
 import podmanRedirWithAuth http://127.0.0.1:8001
 }
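Review bot: The two unauthenticated routes added in the second hunk (`handle /shr/*` and `handle @noauth`) forward requests to copyparty through `podmanRedir`, and the companion containers.nix change configures copyparty to take the caller's identity from `X-Authentik-Username` / `X-Copyparty-Group` (`idp-h-usr`/`idp-h-grp`) on connections from the proxy's address. Unless `podmanRedir`, which is defined outside this hunk, already removes those headers, a client could send them itself on a `/shr/*` or `/noauth/*` request and copyparty would see them arriving from the trusted proxy. The unauthenticated branches should strip them explicitly, e.g. in their reverse_proxy block `header_up -X-Authentik-Username` and `header_up -X-Copyparty-Group`, or `podmanRedir` should do so for every caller. The enclosing site block starts and ends outside the hunk.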