diff --git a/maskiner/node/configuration.nix b/maskiner/node/configuration.nix index 2320e3d..bf54dda 100644 --- a/maskiner/node/configuration.nix +++ b/maskiner/node/configuration.nix @@ -33,6 +33,7 @@ in (modulesDirectory + /services/glance) (modulesDirectory + /services/gotify) (modulesDirectory + /services/kanboard) + (modulesDirectory + /services/immich) ]; sops.defaultSopsFile = ../../secrets/sops.yaml; @@ -62,7 +63,7 @@ in }; }; - mpd = { + immich = { enable = true; }; kanboard = { diff --git a/moduler/programs.nix b/moduler/programs.nix index 4eeb050..dd812ae 100644 --- a/moduler/programs.nix +++ b/moduler/programs.nix @@ -65,6 +65,9 @@ evince spotify firefox + ipcalc + + dbeaver-bin # ansible # freecad-wayland diff --git a/moduler/services/immich/default.nix b/moduler/services/immich/default.nix new file mode 100644 index 0000000..c2b5928 --- /dev/null +++ b/moduler/services/immich/default.nix 
@@ -0,0 +1,63 @@
+{
+ lib,
+ pkgs,
+ config,
+ myhost,
+ ...
+}:
+let
+ cfg = config.services.immich;
+ srv = cfg.settings.server;
+in
+with lib;
+{
+ options = {
+ immich = {
+ enable = mkEnableOption "enables immich";
+ domain = lib.mkOption {
+ type = lib.types.str;
+ default = "immich.wastring.com";
+ description = "The hostname that Immich is served on.";
+ };
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 8000;
+ description = "The port that Immich is served on.";
+ };
+ };
+ };
+ config = mkMerge [
+ (mkIf config.immich.enable {
+ services.nginx = {
+ virtualHosts.${config.immich.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.immich.port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
+ };
+
+ sops.secrets.immich-secrets-file = { };
+
+ services.immich = {
+ enable = true;
+ port = config.immich.port;
+ settings = {
+ server.externalDomain = "https://${toString config.immich.domain}";
+ };
+ secretsFile = config.sops.secrets.immich-secrets-file.path;
+ };
+
+ })
+ ];
+
+}
diff --git a/moduler/services/nextcloud/default.nix b/moduler/services/nextcloud/default.nix
index 62a56c9..9b231bd 100644
--- a/moduler/services/nextcloud/default.nix
+++ b/moduler/services/nextcloud/default.nix
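Review bot: In the new `moduler/services/immich/default.nix`, `client_max_body_size 50000M;` under `locations."/"` applies to every request on the vhost, including unauthenticated ones, and nginx buffers proxied request bodies to disk by default, so the host has to be able to absorb uploads of that size before Immich ever sees them. If files that large are not expected, lower the limit to the largest upload you intend to accept and check that the nginx temp directory sits on a volume sized for it. Separately, `port` is declared as `lib.types.int`, which accepts values outside the valid port range; `type = lib.types.port;` rejects those at evaluation time. The `cfg` and `srv` bindings and the `pkgs` and `myhost` arguments are unused in this file and can be dropped.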
@@ -11,23 +11,29 @@ let in with lib; { + imports = [ + "${ + fetchTarball { + url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz"; + sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs"; + } + }/nextcloud-extras.nix" + ]; options = { nextcloud = { enable = mkEnableOption "enables nextcloud"; - port = lib.mkOption { - type = lib.types.int; - default = 8003; - description = "The port that Nextcloud is served on."; - }; domain = lib.mkOption { type = lib.types.str; default = "files.wastring.com"; description = "The hostname that Nextcloud is served on."; }; + fail2ban = { + enable = mkEnableOption "enables fail2ban integration"; + }; }; }; config = mkMerge [ - (mkIf config.nextloud.enable { + (mkIf config.nextcloud.enable { services.nginx = { virtualHosts.${config.nextcloud.domain} = { forceSSL = true; @@ -38,6 +44,7 @@ with lib; sops.secrets.nextcloud-admin-password = { }; sops.secrets.nextcloud-fw-password = { }; sops.secrets.nextcloud-disa-password = { }; + sops.secrets.nextcloud-database-password = { }; services.nextcloud = { enable = true; @@ -45,8 +52,10 @@ with lib; hostName = config.nextcloud.domain; https = true; configureRedis = true; - config.adminpassFile = config.sops.secrets.nextcloud-admin-password.path; - config.dbtype = "sqlite"; + config = { + adminpassFile = config.sops.secrets.nextcloud-admin-password.path; + dbtype = "sqlite"; + }; ensureUsers = { fw = { email = "fredrik@wastring.com"; @@ -79,7 +88,8 @@ with lib; "OC\\Preview\\HEIC" ]; }; - + }) + (mkIf config.nextcloud.fail2ban.enable { services.fail2ban = { enable = true; jails = { @@ -96,6 +106,7 @@ with lib; }; }; }; + }) ]; diff --git a/moduler/users.nix b/moduler/users.nix index 369153c..cc8b6f5 100644 --- a/moduler/users.nix +++ b/moduler/users.nix 
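Review bot: The `imports` entry added at the top of `moduler/services/nextcloud/default.nix` pulls `nextcloud-extras.nix` from a third-party repository whose name marks it as a test environment, and everything in that file is evaluated with the same authority as your own modules. The commit and `sha256` pin are good and should stay; I would add a comment above the `fetchTarball` saying what the module is needed for (presumably `ensureUsers`) and that a revision bump needs the upstream diff read first, e.g. `# nextcloud-extras: provides ensureUsers; review upstream diff before changing rev/sha256`. The same hunk removes the `port` option, so any host that still sets `nextcloud.port` will fail evaluation; none is visible in this diff.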
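Review bot: `sops.secrets.nextcloud-database-password = { };` (hunk `@@ -38,6 +44,7 @@`) is declared but nothing visible consumes it: `dbtype` stays `"sqlite"` in the next hunk and no `dbpassFile` is set. The `secrets/sops.yaml` hunk in this commit also does not add a `nextcloud-database-password` key, so unless it already exists above the lines shown, sops-nix will reject the declaration. Either drop the line until the database switch happens, or add the key and a comment such as `# reserved for the planned move off sqlite`.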
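Review bot: After the split in hunk `@@ -79,7 +88,8 @@`, the fail2ban jail depends only on `nextcloud.fail2ban.enable`, which `mkEnableOption` defaults to off, so a host that sets just `nextcloud.enable = true` now gets Nextcloud without the brute-force jail. The guard also no longer requires Nextcloud itself to be enabled. I would tie the two together with `(mkIf (config.nextcloud.enable && config.nextcloud.fail2ban.enable) {` and either set `fail2ban.enable = true;` on every host that serves Nextcloud or declare the option with `default = true`. The jail definition itself lies outside the hunk, so I have not checked its filter.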
@@ -4,13 +4,13 @@ ... }: { -# sops.secrets.user-password = { }; + # sops.secrets.user-password = { }; users = { defaultUserShell = pkgs.bash; users = { fw = { # hashedPasswordFile = config.sops.secrets.user-password.path; - initialPassword = "password"; + initialPassword = "password"; isNormalUser = true; description = "Fredrik Wastring"; extraGroups = [ diff --git a/secrets/sops.yaml b/secrets/sops.yaml index 78e5b6e..3f04d1e 100644 --- a/secrets/sops.yaml +++ b/secrets/sops.yaml @@ -6,7 +6,8 @@ smtp_password: ENC[AES256_GCM,data:h1K973qeehIIATdoqFhrLiY7XiU=,iv:ltrsG9KZ8rQuS forgejo-admin-password: ENC[AES256_GCM,data:FuDfqjeQ2T5KcOO1BQ==,iv:ueX7XjbiChuwfYm1B/MJvJaYdWbCmoIs91lj9h9uFYE=,tag:qUszDTRZklwSKrS0PpJhTA==,type:str] forgejo-runner-token: ENC[AES256_GCM,data:1AUeTy5Sqoa4u5L/TGjt/v69p2xF/mp0oXVv08TA+squzRVW9/t40xfY2yD8HQ==,iv:uWf9jKIIsajh362vY2NBw8od+iOFGfIQ7NJVFgjWlBw=,tag:hCOzvSKoDbKCGceqNkRx7g==,type:str] gotify_password: ENC[AES256_GCM,data:Tl9T9yxKSyiemmc5B7kCdwYYHB9anenBg8epFNGqu7sa8YfaZNH9HfTdBtqELIcAkkyfoJUj9tOhxcfa1lDasahJC/8VF0jx6tjsgmTJORAwQa/8,iv:bEtG/ICTqqK3E+YXysDLV/uyawoeILKH+mQXTLOcWpk=,tag:dPqm74eH/Gt9Eg0lv2ptEw==,type:str] -user-password: ENC[AES256_GCM,data:AHgYvhSrFgbhKWPJ/SX7MSXZXUbl9Yl8swv5q4wK9vZOdpisXsCIoV5f09exa1wkK5qDhC/LXpFmuOBuJ8lWittJJjF7QtLUYl1zGOPWvMX542eiDc9hACynXYE9iHC69kKk19obmNnyKQ==,iv:ZT/JN1aPCKbkxqehjNd7BrlyYtmYWKWsb54YKTaWQpU=,tag:ai8ycC0ymscD88bPjaYwPA==,type:str] +user-password: ENC[AES256_GCM,data:cngHqB2IQXVvSMwm5KJeq6wOQMQ4z/DWap3YMyahq2fz8R2CKHackaNY4K3dltXKSLv5zdelyHMf4u7gzuPTMO1yNRIG99C9Yg==,iv:6WZ/dUQwn6+TPXnSEvDVS0DZz0oz7vMvKAioqYzvf0c=,tag:xVoCF0L490nZi/xYTI0klw==,type:str] +immich-secrets-file: ENC[AES256_GCM,data:aUSQr5k7uqZzBvpSAFgpfStcuEPbf3U2GED+biU56UBi02MgQzckmK4kKJ7XIF6UyBvxLw==,iv:mep3JNp86YjsIJSONYNLeEYsSN/ERao7hs7O5cnHF9s=,tag:m6sulZTYMnTpxgPGFXITTg==,type:str] sops: age: - recipient: age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s 
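Review bot: The `secrets/sops.yaml` hunk re-encrypts `user-password`, but in the same commit `moduler/users.nix` still has `hashedPasswordFile` commented out and sets `initialPassword = "password";`, so the rotated secret is not what protects the `fw` account. `initialPassword` is kept in clear text in the configuration and the Nix store, and it is what a freshly installed host gets. If `user-password` holds a password hash, wire it up with `sops.secrets.user-password.neededForUsers = true;` and `hashedPasswordFile = config.sops.secrets.user-password.path;`, and drop the `initialPassword` line. The new `immich-secrets-file` entry is consumed by the immich module and needs no change here.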
@@ -45,7 +46,7 @@ sops: ay84Q2w0NFlVb0FaNkxKN2t1UDVhejgKx+0w5vbpNzCRRaT/wQRO3JGkIbmn+NvE ZI78XtBJvAwAY6P0tm01rC1wRDGA86wCu52CaOH7cro2zDk/ipZe5g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-23T21:17:26Z" - mac: ENC[AES256_GCM,data:9urXnnJZ0LVtlsLGjCHhOQ9Aa+GzE91xkP4IvNrcMUPF/sNbX+bDWb8yrjAvc8b4txl6lQXUgjIPzfYhXcXA18f+izj5O/7BeLYAqxeeBoEk7NAbuEJnhyA0KqcJGIblTW3rJW5vM4FhS85lcg6Vaq0Nu2zS3uKf7Yufllomn9E=,iv:cOINahNQ7JHJXiuZ4CGr/pwxpKihLee6+qA9w7uJvLY=,tag:7hhid5XJIMY6+xsV588XWw==,type:str] + lastmodified: "2025-11-26T16:56:51Z" + mac: ENC[AES256_GCM,data:T1rSA5Bd3hH5M3zdu3rFY9qP2o0OmLTvL2ztOdu3bV5Z7Hf/UIXUOLgH2XOS0Jg0Imssjaer86PSRSzSm1bdxw15YEGAwVUltgFApKO4vRfp25kHxMhokAVwReucyhfj0nA5cjleZrZhTrj6786XGQuHd8zG5Yt1bRz4bRARITU=,iv:fjIHDuHKqYUZr4CPEKLAOSY4BkeCJNpnuR0wRXygsvE=,tag:CjX2Jqci96JR0ewtnewmXA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0