From 07750838d032c35202a3718cc58ba6af63dff6a9 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Mon, 16 Dec 2024 19:51:18 +0000 Subject: [PATCH 01/28] feat: add gitea service to sv1 --- modules/sv1.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 3060e3e..0a2ceec 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -152,6 +152,7 @@ networking = { hostName = "sv1"; networkmanager.enable = true; + firewall.allowedTCPPorts = [3000]; }; time.timeZone = "Europe/London"; @@ -179,9 +180,14 @@ }; }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "without-password"; + services = { + openssh = { + enable = true; + settings.PermitRootLogin = "without-password"; + }; + gitea = { + enable = true; + }; }; nixpkgs.overlays = [lib.overlays.pkgs]; From 2002c2895aa46d9967b4ad851c906a9c84196259 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 17:31:14 +0000 Subject: [PATCH 02/28] feat: update gitea settings and add nginx reverse proxy for gitea to sv1 --- modules/sv1.nix | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 0a2ceec..fc49be7 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -152,7 +152,6 @@ networking = { hostName = "sv1"; networkmanager.enable = true; - firewall.allowedTCPPorts = [3000]; }; time.timeZone = "Europe/London"; 
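Review bot: `gitea = { enable = true; }` brings Gitea up with module defaults, which leave self-registration enabled, and the first hunk of the same patch opens `firewall.allowedTCPPorts = [3000]` on every interface, so the plain-HTTP listener is reachable from the internet before any administrator exists. In Gitea the first account registered becomes the site administrator, so whoever hits the registration page first owns the instance. Set `settings.service.DISABLE_REGISTRATION = true;` in this commit, create the admin out of band with `gitea admin user create --admin ...`, and leave 3000 closed in favour of a reverse proxy rather than exposing the backend directly. The module attribute set that encloses these hunks starts and ends outside them.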
@@ -187,6 +186,27 @@ }; gitea = { enable = true; + settings = { + server.DOMAIN = "gitea.dylanblades.com"; + ui.DEFAULT_THEME = "gitea-dark"; + }; + }; + nginx = { + enable = true; + virtualHosts."gitea.dylanblades.com" = { + locations."/" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + client_max_body_size 512M; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; }; }; From 1b44c0e3ab1e0b1c350a3e3195b12e4e52ec0d4f Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 20:58:53 +0000 Subject: [PATCH 03/28] fix: allow tcp ports 80 and 443 on sv1 --- modules/sv1.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index fc49be7..76b7152 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -152,6 +152,10 @@ networking = { hostName = "sv1"; networkmanager.enable = true; + firewall.allowedTCPPorts = [ + 80 + 443 + ]; }; time.timeZone = "Europe/London"; From 80d4030a4c43c54d4c212ca08578ad3941a824dc Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 21:18:00 +0000 Subject: [PATCH 04/28] feat: add ssl to nginx on sv1 --- modules/sv1.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index 76b7152..e9cf914 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -158,6 +158,11 @@ ]; }; + security.acme = { + acceptTerms = true; + defaults.email = "acme.evict519@simplelogin.com"; + }; + time.timeZone = "Europe/London"; i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; @@ -198,6 +203,8 @@ nginx = { enable = true; virtualHosts."gitea.dylanblades.com" = { + forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://localhost:3000"; extraConfig = '' 
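Review bot: `proxyPass = "http://localhost:3000"` assumes the backend is only reachable locally, but nothing in this hunk constrains where Gitea listens; as far as I recall the NixOS module's `server.HTTP_ADDR` defaults to `0.0.0.0`, so removing the firewall rule in the first hunk is the only thing keeping port 3000 off the network. Add `server.HTTP_ADDR = "127.0.0.1";` next to `server.DOMAIN` so the backend is unreachable except through nginx regardless of firewall state. At this commit the vhost is also plain HTTP and `ROOT_URL` is unset, so Gitea will emit http:// links and cookies without the Secure flag until TLS is configured. The enclosing `services` set starts before this hunk.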
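Review bot: `forceSSL = true;` only redirects http:// to https://; it adds no HSTS header, so a first visit over plain HTTP can still be intercepted before the redirect, and `services.nginx.recommendedTlsSettings` is not enabled anywhere visible in this series. Consider `recommendedTlsSettings = true;` on the nginx set and, once the site is committed to HTTPS, `extraConfig = "add_header Strict-Transport-Security \"max-age=31536000\" always;";` on the vhost (to my knowledge `recommendedTlsSettings` does not add HSTS itself). The vhost definition continues past the end of the hunk.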
From 6c4d35c9fe018e87ed94b63e574a17a1e2139e74 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 21:42:32 +0000 Subject: [PATCH 05/28] fix: centralise with one ssl certificate --- modules/sv1.nix | 36 ++++++++++++++++++++++-------------- packages/default.nix | 1 + packages/my-site/default.nix | 2 ++ 3 files changed, 25 insertions(+), 14 deletions(-) create mode 100644 packages/my-site/default.nix diff --git a/modules/sv1.nix b/modules/sv1.nix index e9cf914..36aa488 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -202,20 +202,28 @@ }; nginx = { enable = true; - virtualHosts."gitea.dylanblades.com" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:3000"; - extraConfig = '' - client_max_body_size 512M; - proxy_set_header Connection $http_connection; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - ''; + virtualHosts = { + "dylanblades.com" = { + forceSSL = true; + enableACME = true; + serverAliases = ["*.dylanblades.com"]; + root = pkgs.my-site; + }; + "gitea.dylanblades.com" = { + forceSSL = true; + useACMEHost = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + client_max_body_size 512M; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; }; }; }; diff --git a/packages/default.nix b/packages/default.nix index 20fc436..aad8295 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -1,3 +1,4 @@ {pkgs}: { my-vim = pkgs.callPackage ./my-vim {}; + my-site = pkgs.callPackage ./my-site {}; } 
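Review bot: `useACMEHost = true;` on the gitea vhost is not a certificate name — the option expects the string name of an entry in `security.acme.certs` — and even as `"dylanblades.com"` the certificate at this commit carries only the apex name, so `gitea.dylanblades.com` would be served with a mismatched certificate. Use `useACMEHost = "dylanblades.com";` and add `security.acme.certs."dylanblades.com".extraDomainNames = ["gitea.dylanblades.com"];`; the HTTP-01 challenge that `enableACME` uses can issue explicit names but cannot issue the `*.dylanblades.com` that `serverAliases` implies. The wildcard alias also makes this vhost the match for any unknown subdomain pointed at the host, which is acceptable for a static page but worth a one-line comment. The `services` set starts before this hunk.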
diff --git a/packages/my-site/default.nix b/packages/my-site/default.nix new file mode 100644 index 0000000..50b1ec5 --- /dev/null +++ b/packages/my-site/default.nix @@ -0,0 +1,2 @@ +{writeTextDir}: +writeTextDir "index.html" "my-site" From 9f108910813610a0bf2db89105f3debe5e4d558b Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 21:48:24 +0000 Subject: [PATCH 06/28] fix: set useACMEHost of gitea.dylanblades.com to dylanblades.com --- modules/sv1.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 36aa488..8f5292d 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -211,7 +211,7 @@ }; "gitea.dylanblades.com" = { forceSSL = true; - useACMEHost = true; + useACMEHost = "dylanblades.com"; locations."/" = { proxyPass = "http://localhost:3000"; extraConfig = '' From 1f4068967a653859153e150e961ddd2c7196f6bf Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 21:53:59 +0000 Subject: [PATCH 07/28] fix: add *.dylanblades.com domain to dylanblades.com cert --- modules/sv1.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index 8f5292d..928ee99 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -161,6 +161,7 @@ security.acme = { acceptTerms = true; defaults.email = "acme.evict519@simplelogin.com"; + certs."dylanblades.com".extraDomainNames = ["*.dylanblades.com"]; }; time.timeZone = "Europe/London"; From 1d40e399401c377bddafd4a79415dc64c5a15ffd Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 21:56:17 +0000 Subject: [PATCH 08/28] fix: check if a all subdomains are caught by default --- modules/sv1.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 928ee99..5998bf0 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix 
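Review bot: `extraDomainNames = ["*.dylanblades.com"]` requests a wildcard SAN, but this certificate is obtained through nginx's HTTP-01 webroot challenge (`enableACME` on the vhost), and Let's Encrypt issues wildcards only over DNS-01, so issuance and every renewal will fail. Either list the names explicitly, `extraDomainNames = ["gitea.dylanblades.com"];`, or move the cert to `dnsProvider` with an `environmentFile` holding the DNS API credentials (kept out of the repository, e.g. via sops). The `security.acme` set is complete within the hunk.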
@@ -161,7 +161,7 @@ security.acme = { acceptTerms = true; defaults.email = "acme.evict519@simplelogin.com"; - certs."dylanblades.com".extraDomainNames = ["*.dylanblades.com"]; + #certs."dylanblades.com".extraDomainNames = ["*.dylanblades.com"]; }; time.timeZone = "Europe/London"; @@ -207,7 +207,7 @@ "dylanblades.com" = { forceSSL = true; enableACME = true; - serverAliases = ["*.dylanblades.com"]; + #serverAliases = ["*.dylanblades.com"]; root = pkgs.my-site; }; "gitea.dylanblades.com" = { From bf18e63d694a8aad3dffa83f4793d333024eb22f Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 21:58:51 +0000 Subject: [PATCH 09/28] fix: check that explicit subdomains as aliases can be used in the cert --- modules/sv1.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index 5998bf0..7f2c4d2 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -208,6 +208,7 @@ forceSSL = true; enableACME = true; #serverAliases = ["*.dylanblades.com"]; + serverAliases = ["gitea.dylanblades.com"]; root = pkgs.my-site; }; "gitea.dylanblades.com" = { From 9a5408da009c3dbf229c4c0d8665cd059c66b2db Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 22:02:01 +0000 Subject: [PATCH 10/28] fix: add wildcard domain in one place only --- modules/sv1.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 7f2c4d2..4f4b5e6 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -161,7 +161,7 @@ security.acme = { acceptTerms = true; defaults.email = "acme.evict519@simplelogin.com"; - #certs."dylanblades.com".extraDomainNames = ["*.dylanblades.com"]; + certs."dylanblades.com".extraDomainNames = ["*.dylanblades.com"]; }; time.timeZone = "Europe/London"; @@ -208,7 +208,7 @@ forceSSL = true; enableACME = true; #serverAliases = ["*.dylanblades.com"]; - serverAliases = ["gitea.dylanblades.com"]; + #serverAliases = ["gitea.dylanblades.com"]; root = pkgs.my-site; }; "gitea.dylanblades.com" = { 
From 5da4049240fef4d3b4d9dc2a5178eaffc53bae0a Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 22:04:19 +0000 Subject: [PATCH 11/28] fix: use explicit subdomain --- modules/sv1.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 4f4b5e6..a87ebc0 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -161,7 +161,7 @@ security.acme = { acceptTerms = true; defaults.email = "acme.evict519@simplelogin.com"; - certs."dylanblades.com".extraDomainNames = ["*.dylanblades.com"]; + certs."dylanblades.com".extraDomainNames = ["gitea.dylanblades.com"]; }; time.timeZone = "Europe/London"; From 71a43ffb430569be6949c0cba967ac21451c4598 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 22:07:19 +0000 Subject: [PATCH 12/28] feat: update gitea name --- modules/sv1.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index a87ebc0..c552206 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -196,6 +196,7 @@ }; gitea = { enable = true; + appName = "Gitea"; settings = { server.DOMAIN = "gitea.dylanblades.com"; ui.DEFAULT_THEME = "gitea-dark"; From 2b2f5b223d3ebba3fb8a016264e6f283d56d894f Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 22:22:12 +0000 Subject: [PATCH 13/28] chore: remove commented-out lines --- modules/sv1.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index c552206..3f869d5 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -208,8 +208,6 @@ "dylanblades.com" = { forceSSL = true; enableACME = true; - #serverAliases = ["*.dylanblades.com"]; - #serverAliases = ["gitea.dylanblades.com"]; root = pkgs.my-site; }; "gitea.dylanblades.com" = { From e7b194948b1c41fb83c4f2144db607bbe40bf090 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Tue, 17 Dec 2024 22:27:43 +0000 Subject: [PATCH 14/28] feat: persist gitea --- modules/sv1.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/modules/sv1.nix b/modules/sv1.nix index 3f869d5..1586610 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -234,7 +234,10 @@ environment = { persistence."/persist" = { hideMounts = true; - directories = ["/var/lib/nixos"]; + directories = [ + "/var/lib/nixos" + "/var/lib/gitea" + ]; }; systemPackages = with pkgs; [ git From 33719aee21f57e73211d980a6144c377e6ce8d93 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Wed, 18 Dec 2024 20:19:54 +0000 Subject: [PATCH 15/28] fix: override gitea public url --- modules/sv1.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 1586610..9b59e51 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -198,7 +198,10 @@ enable = true; appName = "Gitea"; settings = { - server.DOMAIN = "gitea.dylanblades.com"; + server = { + DOMAIN = "gitea.dylanblades.com"; + ROOT_URL = "https://gitea.dylanblades.com/"; + }; ui.DEFAULT_THEME = "gitea-dark"; }; }; From 549168386797abca49e89fa72f6f41169474f4f2 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Wed, 18 Dec 2024 21:34:29 +0000 Subject: [PATCH 16/28] fix: disable gitea registration --- modules/sv1.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index 9b59e51..2f37e7b 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -196,8 +196,10 @@ }; gitea = { enable = true; + useWizard = true; appName = "Gitea"; settings = { + service.DISABLE_REGISTRATION = true; server = { DOMAIN = "gitea.dylanblades.com"; ROOT_URL = "https://gitea.dylanblades.com/"; From 59e4df3e02313cc0464cd587c0c575bb51a1c4a5 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Thu, 19 Dec 2024 16:25:03 +0000 Subject: [PATCH 17/28] feat: add jellyfin service to sv1 --- modules/sv1.nix | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 2f37e7b..0c03a12 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix 
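Review bot: `useWizard = true;` undercuts the `service.DISABLE_REGISTRATION = true;` added in the same hunk: per the NixOS option description it stops the module from generating app.ini and hands configuration to Gitea's web installer, whose first registered user becomes administrator, so the declared settings are not applied and an unauthenticated `/install` page sits on the public vhost until someone completes it. Drop `useWizard` (keep the module-generated config) and create the admin account with `gitea admin user create --admin --username ... --email ...` run as the `gitea` user. If the wizard was only added to obtain a first admin, that command is the declarative substitute. The gitea settings block continues past the end of the hunk.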
@@ -161,7 +161,10 @@ security.acme = { acceptTerms = true; defaults.email = "acme.evict519@simplelogin.com"; - certs."dylanblades.com".extraDomainNames = ["gitea.dylanblades.com"]; + certs."dylanblades.com".extraDomainNames = [ + "gitea.dylanblades.com" + "jellyfin.dylanblades.com" + ]; }; time.timeZone = "Europe/London"; @@ -207,6 +210,7 @@ ui.DEFAULT_THEME = "gitea-dark"; }; }; + jellyfin.enable = true; nginx = { enable = true; virtualHosts = { @@ -231,6 +235,23 @@ ''; }; }; + "jellyfin.dylanblades.com" = { + forceSSL = true; + useACMEHost = "dylanblades.com"; + locations."/" = { + proxyPass = "http://localhost:8096"; + extraConfig = '' + client_max_body_size 20M; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_buffering off; + ''; + }; + }; }; }; }; @@ -242,6 +263,7 @@ directories = [ "/var/lib/nixos" "/var/lib/gitea" + "/var/lib/jellyfin" ]; }; systemPackages = with pkgs; [ From cf90449047815def80beb267122c4b67045469b0 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Thu, 19 Dec 2024 23:38:14 +0000 Subject: [PATCH 18/28] fix: set gitea and jellyfin directory permissions --- modules/sv1.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 0c03a12..842a920 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -262,8 +262,16 @@ hideMounts = true; directories = [ "/var/lib/nixos" - "/var/lib/gitea" - "/var/lib/jellyfin" + { + directory = "/var/lib/gitea"; + user = "gitea"; + group = "gitea"; + } + { + directory = "/var/lib/jellyfin"; + user = "jellyfin"; + group = "jellyfin"; + } ]; }; systemPackages = with pkgs; [ From f9839cf4852c6aacde6ddf16faf14f1acc840769 Mon Sep 17 00:00:00 2001 
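Review bot: `jellyfin.enable = true;` together with the new `"jellyfin.dylanblades.com"` vhost publishes Jellyfin's first-run setup wizard, which is unauthenticated and lets whoever reaches it first create the admin account, on the public HTTPS name. Complete the wizard before the DNS record goes live, or gate the vhost meanwhile with `basicAuth` or `allow`/`deny` rules in `extraConfig`. A comment on the vhost saying `# Jellyfin's setup wizard is unauthenticated until completed` would keep the next person from repeating this with a rebuild onto a fresh `/var/lib/jellyfin`. The `virtualHosts` set starts before this hunk.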
From: Bladesy Date: Thu, 19 Dec 2024 23:50:00 +0000 Subject: [PATCH 19/28] fix: open port 8096 for jellyfin --- modules/sv1.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index 842a920..54c7e85 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -155,6 +155,7 @@ firewall.allowedTCPPorts = [ 80 443 + 8096 ]; }; From 5f37f63af2761b251c07fd4b14d3ee2b3f63273b Mon Sep 17 00:00:00 2001 From: Bladesy Date: Fri, 20 Dec 2024 23:54:19 +0000 Subject: [PATCH 20/28] fix: close port 8096 and explicitly specify persistent directory permissions --- modules/sv1.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 54c7e85..0415c72 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -155,7 +155,6 @@ firewall.allowedTCPPorts = [ 80 443 - 8096 ]; }; @@ -262,16 +261,23 @@ persistence."/persist" = { hideMounts = true; directories = [ - "/var/lib/nixos" + { + directory = "/var/lib/nixos"; + user = "root"; + group = "root"; + mode = "u=rwx,g=rx,o=rx"; + } { directory = "/var/lib/gitea"; user = "gitea"; group = "gitea"; + mode = "u=rwx,g=rx,o="; } { directory = "/var/lib/jellyfin"; user = "jellyfin"; group = "jellyfin"; + mode = "u=rwx,g=rx,o="; } ]; }; From 00872d2086cc94b6389beb18e4f419f41fc12436 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Wed, 1 Jan 2025 22:36:57 +0000 Subject: [PATCH 21/28] feat: add sb1 to sv1 --- .sops.yaml | 7 +++++++ library/default.nix | 1 + library/secrets/default.nix | 3 +++ library/secrets/sb1.yaml | 22 ++++++++++++++++++++++ modules/sv1.nix | 26 ++++++++++++++++++++++++++ 5 files changed, 59 insertions(+) create mode 100644 .sops.yaml create mode 100644 library/secrets/default.nix create mode 100644 library/secrets/sb1.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..1f12d95 --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,7 @@ +keys: + - &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug +creation_rules: + - path_regex: library/secrets/.*.yaml + key_groups: + - age: + - *sv1 diff --git a/library/default.nix b/library/default.nix index cb0edbd..4974732 100644 --- a/library/default.nix +++ b/library/default.nix @@ -3,4 +3,5 @@ nixosSystems = lib.callFragment ./nixosSystems.nix {}; sshKeys = lib.callFragment ./sshKeys.nix {}; + secrets = lib.callFragment ./secrets.nix {}; } diff --git a/library/secrets/default.nix b/library/secrets/default.nix new file mode 100644 index 0000000..fc449b3 --- /dev/null +++ b/library/secrets/default.nix @@ -0,0 +1,3 @@ +{ + sb1 = ./sb1.yaml; +} diff --git a/library/secrets/sb1.yaml b/library/secrets/sb1.yaml new file mode 100644 index 0000000..52ba84f --- /dev/null +++ b/library/secrets/sb1.yaml 
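Review bot: The only recipient in `key_groups` is the sv1 host key `&sv1 age1zr5...`, so every secret under `library/secrets/` can be decrypted only with `/persist/sops.age` on that machine; if that file is lost the secrets are unrecoverable, and editing them requires access to the host's private key. Add an operator key as a second recipient, e.g. `- &admin age1...` under `keys:` and `- *admin` in the `age:` list, then run `sops updatekeys` on the existing files. The `path_regex` also has an unescaped dot — `library/secrets/.*\.yaml` is the intended pattern.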
@@ -0,0 +1,22 @@ +sb1-username: ENC[AES256_GCM,data:c5Myt2AdnA==,iv:q36larVwGrBiCHBaUu54QdJggeL22QzOwkfiJfQjsVE=,tag:qsVj/akHjHZwjvnvaJRBEw==,type:str] +sb1-password: ENC[AES256_GCM,data:766xhD3hcwFM9pyu53uYMg==,iv:HYtfnUvl46N/z5UUTIz337rq/kAHJcvgAcMbVnluik0=,tag:1oSSB1UqQIWmh7PJGO+YfQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdlpSYXhOdndtS0Y0QTRz + N2pxczhIQVBWSnV1dnY3WDVVRlErYnh4OWdnClRUSjVXeWMrTmxWVEVGT0V6YUMr + V2ovSVhpcmRIN3ljWUx0cmJnSnBzMzAKLS0tIHBNalN3emcrbjZZcytoVFgyQTh2 + elREcXRxeGdVTW1TZGtKelVURkdlWW8KSWpXIAL0Vb1a3un8WIcjMNbIbR41VcK2 + 604AZYjooB6OzX2sOkGOOAIvB17S2nesL/nQUobWkM8bQSuH/TgR5g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-01T22:35:24Z" + mac: ENC[AES256_GCM,data:PH0lfE79d1ZuE0YyMZuWhpZNu1OHh+9JMNbr66RJoRRPpLa134Y6mQE+PzZXOZ0PR2mT+VOrkNhNRhzEhr79oScM0d3ahBfKVY8VcNpvP34Llb9PQWPAZpQ5moa9o6g850bLrXl3XolLPEMpZg4BVa5EzFjo9BXNbuSY/zoW2x0=,iv:my+mb+qbjDs3iHdmaEptylgHbNu7a6zwHx2NEhlwi1Q=,tag:YfEYhl4QOulNbKALLB8ylg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/modules/sv1.nix b/modules/sv1.nix index 0415c72..11cbad0 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -6,6 +6,7 @@ imports = with lib.nixosModules; [ disko impermanence + sops ]; disko.devices.disk.NixOS = { 
@@ -98,6 +99,31 @@ fileSystems = { "/persist".neededForBoot = true; "/var/log".neededForBoot = true; + "/mnt/sb1" = { + device = "//u424050.your-storagebox.de/backup"; + fsType = "cifs"; + options = [ + "noauto" + "x-systemd.automount" + "credentials=${config.sops.templates.sb1-credentials.path}" + ]; + }; + }; + + sops = { + gnupg.sshKeyPaths = []; + age = { + sshKeyPaths = []; + keyFile = "/persist/sops.age"; + }; + secrets = { + sb1-username.sopsFile = lib.secrets.sb1; + sb1-password.sopsFile = lib.secrets.sb1; + }; + templates.sb1-credentials.content = '' + username="${config.sops.placeholder.sb1-username}" + password="${config.sops.placeholder.sb1-password}" + ''; }; boot = { From a73ed533e0cc3bc2000e020fac9b1a6d9cb1d36b Mon Sep 17 00:00:00 2001 From: Bladesy Date: Wed, 1 Jan 2025 22:40:55 +0000 Subject: [PATCH 22/28] fix: add config parameter to sv1 --- modules/sv1.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index 11cbad0..d4cb4f9 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -1,5 +1,6 @@ { lib, + config, pkgs, ... }: { From 2e8acf636ae907a7bbad074fc4ab50ae256f5a16 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Wed, 1 Jan 2025 22:44:04 +0000 Subject: [PATCH 23/28] fix: correct library.secrets path --- library/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/default.nix b/library/default.nix index 4974732..fce3287 100644 --- a/library/default.nix +++ b/library/default.nix @@ -3,5 +3,5 @@ nixosSystems = lib.callFragment ./nixosSystems.nix {}; sshKeys = lib.callFragment ./sshKeys.nix {}; - secrets = lib.callFragment ./secrets.nix {}; + secrets = lib.callFragment ./secrets {}; } From 03a427740c3586658b48ede872554d37bee3de46 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Wed, 1 Jan 2025 23:54:46 +0000 Subject: [PATCH 24/28] fix: add cifs-utils package to sv1 --- modules/sv1.nix | 1 + 1 file changed, 1 insertion(+) 
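Review bot: The CIFS mount of `//u424050.your-storagebox.de/backup` carries no `vers=` or `seal` option, so the SMB dialect and transport encryption are left to negotiation; if the share is reached over the public internet rather than a private link, add `"vers=3.0"` and `"seal"` to `options` (assuming the storage box supports SMB3 encryption — confirm) so credentials and backup data are not sent in the clear. The mount also inherits root-owned 0755 defaults, so any local account can read the backup tree; `"dir_mode=0700"` and `"file_mode=0600"` narrow that. The sops template is rendered readable by root only by default, which is appropriate for a file consumed by mount.cifs. The `fileSystems` set starts before this hunk.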
diff --git a/modules/sv1.nix b/modules/sv1.nix index d4cb4f9..f879cd4 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -309,6 +309,7 @@ ]; }; systemPackages = with pkgs; [ + cifs-utils git my-vim ]; From 5dddb763fb5c876a320003aa2950941fd8848740 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Thu, 2 Jan 2025 00:23:33 +0000 Subject: [PATCH 25/28] fix: test sb1 mount with new options and without secrets --- modules/sv1.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/sv1.nix b/modules/sv1.nix index f879cd4..cdd1c1c 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -103,11 +103,20 @@ "/mnt/sb1" = { device = "//u424050.your-storagebox.de/backup"; fsType = "cifs"; + options = [ + ( + "x-systemd.automount,noauto,x-systemd.idle-timeout=60," + + "x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s," + + "credentials=/persist/sb1-credentials" + ) + ]; + /* options = [ "noauto" "x-systemd.automount" "credentials=${config.sops.templates.sb1-credentials.path}" ]; + */ }; }; From 507194e35bc331c3209fc9d4ff9eb573529631ae Mon Sep 17 00:00:00 2001 From: Bladesy Date: Thu, 2 Jan 2025 00:38:21 +0000 Subject: [PATCH 26/28] fix: remove double quotes from secret sb1-credentials and reformat sb1 mount options --- modules/sv1.nix | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index cdd1c1c..e0d6d50 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -104,19 +104,14 @@ device = "//u424050.your-storagebox.de/backup"; fsType = "cifs"; options = [ - ( - "x-systemd.automount,noauto,x-systemd.idle-timeout=60," - + "x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s," - + "credentials=/persist/sb1-credentials" - ) - ]; - /* - options = [ - "noauto" "x-systemd.automount" + "noauto" + "x-systemd" + "idle-timeout=60" + "x-systemd.device-timeout=5s" + "x-systemd.mount-timeout=5s" "credentials=${config.sops.templates.sb1-credentials.path}" ]; - */ }; }; 
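Review bot: `credentials=/persist/sb1-credentials` points the mount at a plaintext username/password file kept outside sops on a persisted partition, and the commit message says this is to test "without secrets". Even as a test, that file should be deleted from `/persist` once the sops path works and the storage-box password rotated, since reverting this line in a later commit will not remove the file from disk. Prefer keeping `credentials=${config.sops.templates.sb1-credentials.path}` and debugging the template's rendering rather than bypassing it. The `fileSystems."/mnt/sb1"` definition starts before this hunk.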
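Review bot: Restoring `credentials=${config.sops.templates.sb1-credentials.path}` is right, but this config change does not delete the plaintext `/persist/sb1-credentials` that the previous commit introduced; remove it on the host and rotate the storage-box password. Separately, `"x-systemd"` and `"idle-timeout=60"` are one option split at the dot, so neither is recognised as the automount idle timeout and the share will never be unmounted; use `"x-systemd.idle-timeout=60"`. The mount definition starts before this hunk.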
@@ -131,8 +126,8 @@ sb1-password.sopsFile = lib.secrets.sb1; }; templates.sb1-credentials.content = '' - username="${config.sops.placeholder.sb1-username}" - password="${config.sops.placeholder.sb1-password}" + username=${config.sops.placeholder.sb1-username} + password=${config.sops.placeholder.sb1-password} ''; }; From 3b78176d1e6cc57402d3ae39d1d4febab7f98056 Mon Sep 17 00:00:00 2001 From: Bladesy Date: Thu, 2 Jan 2025 00:48:43 +0000 Subject: [PATCH 27/28] fix: correct sb1 idle-timeout mount option --- modules/sv1.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index e0d6d50..691bd36 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -106,8 +106,7 @@ options = [ "x-systemd.automount" "noauto" - "x-systemd" - "idle-timeout=60" + "x-systemd.idle-timeout=60" "x-systemd.device-timeout=5s" "x-systemd.mount-timeout=5s" "credentials=${config.sops.templates.sb1-credentials.path}" From 39043efd37ceab022c83b43e7839b6080bac406a Mon Sep 17 00:00:00 2001 From: Bladesy Date: Sun, 5 Jan 2025 20:24:26 +0000 Subject: [PATCH 28/28] feat: enable websockets support on jellyfin --- modules/sv1.nix | 41 +++++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/modules/sv1.nix b/modules/sv1.nix index 691bd36..85a5ab0 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix 
@@ -268,18 +268,35 @@ "jellyfin.dylanblades.com" = { forceSSL = true; useACMEHost = "dylanblades.com"; - locations."/" = { - proxyPass = "http://localhost:8096"; - extraConfig = '' - client_max_body_size 20M; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Protocol $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_buffering off; - ''; + locations = { + "/" = { + proxyPass = "http://localhost:8096"; + extraConfig = '' + client_max_body_size 20M; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_buffering off; + ''; + }; + "/socket" = { + proxyPass = "http://localhost:8096"; + extraConfig = '' + client_max_body_size 20M; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + ''; + }; }; }; };
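Review bot: The `/socket` location hand-rolls the websocket upgrade (`proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;`, `proxy_set_header Connection "upgrade";`) and then repeats every forwarding header from `/`; the nginx module already expresses this as `proxyWebsockets = true;` on the location, which emits those three directives and keeps the two locations from drifting apart. Also, as far as I recall Jellyfin only honours `X-Forwarded-For` from addresses listed in its Networking → Known proxies setting, so add `127.0.0.1` there or the client IPs used for login-attempt lockouts and logs will all be the proxy's. The vhost set starts before this hunk.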