xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add cp

Browse source
This commit is contained in:
Lucy Hochkamp 2025-03-21 15:38:56 +01:00
parent cfa803bc82
commit 73a1c0b1e9
No known key found for this signature in database
2 changed files with 184 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

189
hosts/ds9/containers.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
postgres-multi-db = pkgs.writeText "postgres-multiple-db.sh" '' postgres-multi-db = pkgs.writeText "postgres-multiple-db.sh" ''
#!/usr/bin/env bash #!/usr/bin/env bash
@ -22,9 +27,15 @@ let
''; '';
in in
{ {
imports = [ ./authentik.nix ./part-db.nix ]; imports = [
./authentik.nix
./part-db.nix
];
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ]; networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
networking.firewall.interfaces."podman+".allowedTCPPorts = [ 12300 3001 ]; networking.firewall.interfaces."podman+".allowedTCPPorts = [
12300
3001
];
fileSystems."/var/lib/containers" = { fileSystems."/var/lib/containers" = {
device = "spool/safe/containers"; device = "spool/safe/containers";
fsType = "zfs"; fsType = "zfs";
@ -58,7 +69,11 @@ in
}; };
virtualisation.oci-containers.containers.postgres = { virtualisation.oci-containers.containers.postgres = {
image = "docker.io/tensorchord/pgvecto-rs:pg16-v0.2.1"; image = "docker.io/tensorchord/pgvecto-rs:pg16-v0.2.1";
extraOptions = [ "--network=db-net" "--health-cmd" "pg_isready -U postgres" ]; extraOptions = [
"--network=db-net"
"--health-cmd"
"pg_isready -U postgres"
];
dependsOn = [ "db-network" ]; dependsOn = [ "db-network" ];
environment = { environment = {
POSTGRES_INITDB_ARGS = "--data-checksums"; POSTGRES_INITDB_ARGS = "--data-checksums";
@ -83,7 +98,11 @@ in
virtualisation.oci-containers.containers.immich-redis = { virtualisation.oci-containers.containers.immich-redis = {
image = "docker.io/valkey/valkey:7.2.6-alpine"; image = "docker.io/valkey/valkey:7.2.6-alpine";
environment.TZ = "Europe/Berlin"; environment.TZ = "Europe/Berlin";
extraOptions = [ "--health-cmd" "valkey-cli ping || exit 1" "--network=immich-net" ]; extraOptions = [
"--health-cmd"
"valkey-cli ping || exit 1"
"--network=immich-net"
];
environmentFiles = [ environmentFiles = [
config.age.secrets.ds9ImmichEnv.path config.age.secrets.ds9ImmichEnv.path
]; ];
@ -92,8 +111,16 @@ in
virtualisation.oci-containers.containers.immich-server = { virtualisation.oci-containers.containers.immich-server = {
user = "1000:100"; user = "1000:100";
image = "ghcr.io/immich-app/immich-server:release"; image = "ghcr.io/immich-app/immich-server:release";
extraOptions = [ "--network=podman" "--network=immich-net" "--network=db-net" ]; extraOptions = [
dependsOn = [ "immich-network" "immich-redis" "postgres" ]; "--network=podman"
"--network=immich-net"
"--network=db-net"
];
dependsOn = [
"immich-network"
"immich-redis"
"postgres"
];
ports = [ "8765:3001" ]; ports = [ "8765:3001" ];
volumes = [ volumes = [
"/data/immich:/usr/src/app/upload" "/data/immich:/usr/src/app/upload"
@ -111,8 +138,16 @@ in
virtualisation.oci-containers.containers.immich-machine-learning = { virtualisation.oci-containers.containers.immich-machine-learning = {
user = "1000:100"; user = "1000:100";
image = "ghcr.io/immich-app/immich-machine-learning:release"; image = "ghcr.io/immich-app/immich-machine-learning:release";
extraOptions = [ "--network=immich-net" "--network=db-net" "--network=podman" ]; extraOptions = [
dependsOn = [ "immich-network" "immich-redis" "postgres" ]; "--network=immich-net"
"--network=db-net"
"--network=podman"
];
dependsOn = [
"immich-network"
"immich-redis"
"postgres"
];
volumes = [ volumes = [
"immich-model-cache:/cache" "immich-model-cache:/cache"
]; ];
@ -162,7 +197,10 @@ in
virtualisation.oci-containers.containers.changedetection = { virtualisation.oci-containers.containers.changedetection = {
image = "dgtlmoon/changedetection.io"; image = "dgtlmoon/changedetection.io";
extraOptions = [ "--network=podman" "--network=cd-net" ]; extraOptions = [
"--network=podman"
"--network=cd-net"
];
volumes = [ volumes = [
"changedetection-data:/datastore" "changedetection-data:/datastore"
]; ];
@ -170,7 +208,10 @@ in
virtualisation.oci-containers.containers.grafana = { virtualisation.oci-containers.containers.grafana = {
image = "grafana/grafana-oss:latest"; image = "grafana/grafana-oss:latest";
extraOptions = [ "--network=podman" "--network=db-net" ]; extraOptions = [
"--network=podman"
"--network=db-net"
];
volumes = volumes =
let let
ini = pkgs.writeText "grafana.ini" '' ini = pkgs.writeText "grafana.ini" ''
@ -178,7 +219,7 @@ in
allow_sign_up = false allow_sign_up = false
auto_assign_org = true auto_assign_org = true
auto_assign_org_role = Editor auto_assign_org_role = Editor
[auth.proxy] [auth.proxy]
enabled = true enabled = true
headers = Name:X-Authentik-Username Email:X-Authentik-Email Groups:X-Authentik-Groups headers = Name:X-Authentik-Username Email:X-Authentik-Email Groups:X-Authentik-Groups
@ -201,7 +242,10 @@ in
}; };
virtualisation.oci-containers.containers.node-red = { virtualisation.oci-containers.containers.node-red = {
image = "nodered/node-red:latest"; image = "nodered/node-red:latest";
extraOptions = [ "--network=podman" "--network=db-net" ]; extraOptions = [
"--network=podman"
"--network=db-net"
];
volumes = [ volumes = [
"nodered-data:/data" "nodered-data:/data"
]; ];
@ -209,7 +253,11 @@ in
virtualisation.oci-containers.containers.jellyfin = { virtualisation.oci-containers.containers.jellyfin = {
image = "jellyfin/jellyfin:latest"; image = "jellyfin/jellyfin:latest";
user = "1000:100"; user = "1000:100";
extraOptions = [ "--network=podman" "--mount" "type=bind,source=/data/media,destination=/media,ro=true,relabel=private" ]; extraOptions = [
"--network=podman"
"--mount"
"type=bind,source=/data/media,destination=/media,ro=true,relabel=private"
];
volumes = [ volumes = [
"jellyfin-config:/config" "jellyfin-config:/config"
"jellyfin-cache:/cache" "jellyfin-cache:/cache"
@ -226,8 +274,8 @@ in
environment = { environment = {
ALLOWED_HOSTS = "*"; # set this to the hostname(s) you're going to serve the site from! ALLOWED_HOSTS = "*"; # set this to the hostname(s) you're going to serve the site from!
CSRF_TRUSTED_ORIGINS = "https://archive.hailsatan.eu"; # you MUST set this to the server's URL for admin login and the REST API to work CSRF_TRUSTED_ORIGINS = "https://archive.hailsatan.eu"; # you MUST set this to the server's URL for admin login and the REST API to work
REVERSE_PROXY_USER_HEADER="X-Authentik-Username"; REVERSE_PROXY_USER_HEADER = "X-Authentik-Username";
REVERSE_PROXY_WHITELIST="10.88.0.1/32"; REVERSE_PROXY_WHITELIST = "10.88.0.1/32";
PUBLIC_INDEX = "False"; # set to False to prevent anonymous users from viewing snapshot list PUBLIC_INDEX = "False"; # set to False to prevent anonymous users from viewing snapshot list
PUBLIC_SNAPSHOTS = "False"; # set to False to prevent anonymous users from viewing snapshot content PUBLIC_SNAPSHOTS = "False"; # set to False to prevent anonymous users from viewing snapshot content
PUBLIC_ADD_VIEW = "False"; # set to True to allow anonymous users to submit new URLs to archive PUBLIC_ADD_VIEW = "False"; # set to True to allow anonymous users to submit new URLs to archive
@ -235,14 +283,22 @@ in
SEARCH_BACKEND_HOST_NAME = "archivebox_sonic"; SEARCH_BACKEND_HOST_NAME = "archivebox_sonic";
SEARCH_BACKEND_PASSWORD = "SomeSecretPassword"; SEARCH_BACKEND_PASSWORD = "SomeSecretPassword";
}; };
extraOptions = [ "--network=archivebox-net" "--network=podman" ]; extraOptions = [
"--network=archivebox-net"
"--network=podman"
];
volumes = [ volumes = [
"/data/media/archivebox:/data" "/data/media/archivebox:/data"
]; ];
}; };
virtualisation.oci-containers.containers.archivebox_scheduler = { virtualisation.oci-containers.containers.archivebox_scheduler = {
image = "archivebox/archivebox:latest"; image = "archivebox/archivebox:latest";
cmd = [ "schedule" "--foreground" "--update" "--every=day" ]; cmd = [
"schedule"
"--foreground"
"--update"
"--every=day"
];
environment = { environment = {
TIMEOUT = "120"; TIMEOUT = "120";
ALLOWED_HOSTS = "*"; # set this to the hostname(s) you're going to serve the site from! ALLOWED_HOSTS = "*"; # set this to the hostname(s) you're going to serve the site from!
@ -254,7 +310,10 @@ in
SEARCH_BACKEND_HOST_NAME = "archivebox_sonic"; SEARCH_BACKEND_HOST_NAME = "archivebox_sonic";
SEARCH_BACKEND_PASSWORD = "SomeSecretPassword"; SEARCH_BACKEND_PASSWORD = "SomeSecretPassword";
}; };
extraOptions = [ "--network=archivebox-net" "--network=podman" ]; extraOptions = [
"--network=archivebox-net"
"--network=podman"
];
volumes = [ volumes = [
"/data/media/archivebox:/data" "/data/media/archivebox:/data"
]; ];
@ -304,9 +363,95 @@ in
# "/nix/store:/nix/store" # "/nix/store:/nix/store"
]; ];
}; };
virtualisation.oci-containers.containers.copyparty = {
image = "docker.io/copyparty/ac:latest";
extraOptions = [ "--network=podman" ];
ports = [];
volumes = let copypartyCfg = ''
[global]
xff-src: 10.88.0.1/24
idp-h-usr: X-Authentik-Username
idp-h-grp: X-Copyparty-Group
e2dsa # enable file indexing and filesystem scanning
e2ts # enable multimedia indexing
ansi # enable colors in log messages
re-maxage: 3600 # rescan every something
hist: /data/media/copyparty/cache
name: the gayest storage in the west
no-robots
shr: /shr
shr-adm: @admin
[/]
/data/media/copyparty/srv
accs:
A: @admin
[/noauth] # accessible without auth public
/data/media/copyparty/srv/noauth
accs:
A: @admin
g: *
[/dump]
/data/media/copyparty/srv/dump
flags:
dedup
accs:
A: @admin
w: *
[/pub]
/data/media/copyparty/srv/pub
flags:
dedup
accs:
A: @admin
rw: *
[/tv]
/data/media/tv
flags:
hist: /data/media/copyparty/hist/tv
accs:
r: *
[/movies]
/data/media/movies
flags:
hist: /data/media/copyparty/hist/movies
accs:
r: *
[/books]
/data/media/books
flags:
hist: /data/media/copyparty/hist/books
accs:
r: *
[/audiobooks]
/data/media/audiobooks
flags:
hist: /data/media/copyparty/hist/audiobooks
accs:
r: *
[/music]
/data/media/music
flags:
hist: /data/media/copyparty/hist/music
accs:
r: *
[/games]
/data/media/games
flags:
hist: /data/media/copyparty/hist/games
accs:
r: *
''; cpp = pkgs.writeText "copyparty.conf" copypartyCfg; in
[
"/data/media/tv:/data/media/tv:ro"
"/data/media/movies:/data/media/movies:ro"
"/data/media/audiobooks:/data/media/audiobooks:ro"
"/data/media/books:/data/media/books:ro"
"/data/media/beets:/data/media/music:ro"
"/data/media/copyparty:/data/media/copyparty"
"/data/media/copyparty/cfg:/cfg"
"${cpp}:/cfg/copyparty.conf"
];
};
} }

18
hosts/ds9/default.nix
View file

@ -180,7 +180,7 @@ in
resolvers 10.88.0.1 # podman dns resolvers 10.88.0.1 # podman dns
} }
uri /outpost.goauthentik.io/auth/caddy uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
} }
reverse_proxy {args[:]} { reverse_proxy {args[:]} {
transport http { transport http {
@ -241,6 +241,22 @@ in
import podmanRedirWithAuth http://archivebox:8000 import podmanRedirWithAuth http://archivebox:8000
} }
} }
@copyparty host c.hailsatan.eu
handle @copyparty {
handle /shr/* {
import podmanRedir http://copyparty:3923
}
@noauth {
method GET OPTIONS HEAD
path /noauth/*
}
handle @noauth {
import podmanRedir http://copyparty:3923
}
handle {
import podmanRedirWithAuth http://copyparty:3923
}
}
handle { handle {
import podmanRedirWithAuth http://127.0.0.1:8001 import podmanRedirWithAuth http://127.0.0.1:8001
} }