Merge branch 'main' of github.com:harryssecret/homelab-nix

.gitattributes

@@ -1,2 +1,3 @@
 #pattern  filter=crypt diff=crypt merge=crypt
 features/server/services/forgejo-smtp.nix filter=crypt diff=crypt 
+features/server/services/nextcloud-network.nix filter=crypt diff=crypt 

features/server/caddy.nix

@@ -4,65 +4,57 @@
     enable = true;
 
     virtualHosts = {
-      ":5050".extraConfig = ''
-        reverse_proxy :8083
-      '';
-
-      "sisyphe.normandy.hypervirtual.world".extraConfig = ''
+      "http://sisyphe.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :8003
       '';
 
-      "git.hypervirtual.world".extraConfig = ''
+      "http://git.hypervirtual.world".extraConfig = ''
         reverse_proxy :3333
       '';
 
-      "photos.hypervirtual.world".extraConfig = ''
-        reverse_proxy :2342
-      '';
-
-      "books.hypervirtual.world".extraConfig = ''
+      "http://books.hypervirtual.world".extraConfig = ''
         reverse_proxy :8083
       '';
 
-      "fish.hypervirtual.world".extraConfig = ''
+      "http://fish.hypervirtual.world".extraConfig = ''
         reverse_proxy :3030
       '';
 
-      ":2344".extraConfig = ''
-        reverse_proxy :2342
-      '';
-
-      "jellyfin.sisyphe.normandy.hypervirtual.world".extraConfig = ''
+      "http://jellyfin.sisyphe.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :8096
       '';
 
-      "slskd.sisyphe.normandy.hypervirtual.world".extraConfig = ''
+      "http://slskd.sisyphe.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :5030
       '';
 
-      "radarr.sisyphe.normandy.hypervirtual.world".extraConfig = ''
+      "http://radarr.sisyphe.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :7878
       '';
 
-      "sonarr.sisyphe.normandy.hypervirtual.world".extraConfig = ''
+      "http://sonarr.sisyphe.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :8989
       '';
 
-      "sonarr-anime.sisyphe.normandy.hypervirtual.world".extraConfig = ''
+      "http://sonarr-anime.sisyphe.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :8999
       '';
 
-      "prowlarr.sisyphe.normandy.hypervirtual.world".extraConfig = ''
+      "http://prowlarr.sisyphe.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :9696
       '';
 
-      "grafana.sisyphe.normandy.hypervirtual.world".extraConfig = ''
+      "http://grafana.sisyphe.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :3000
       '';
 
-      "status.normandy.hypervirtual.world".extraConfig = ''
+      "http://status.normandy.hypervirtual.world".extraConfig = ''
         reverse_proxy :4000
       '';
+
+      "http://transmission.normandy.hypervirtual.world".extraConfig = ''
+        reverse_proxy :9091
+      '';
     };
   };
 

features/server/default.nix

@@ -28,5 +28,6 @@
     ethtool
     networkd-dispatcher
     transcrypt
+    libressl_3_8
   ];
 }

features/server/multimedia/jellyfin.nix

@@ -1,5 +1,21 @@
-{ config, ... }:
+{ pkgs, config, ... }:
 {
+  # 1. enable vaapi on OS-level
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+
+  hardware.opengl = {
+    # hardware.opengl in 24.05
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-vaapi-driver # previously vaapiIntel
+      vaapiVdpau
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+      intel-media-sdk # QSV up to 11th gen
+    ];
+  };
   services.jellyfin = {
     enable = true;
     openFirewall = true;

features/server/services/default.nix

@@ -1,9 +1,9 @@
-{config, ...}:
+{ config, ... }:
 {
   imports = [
     ./homelab-dashboard.nix
     ./nextcloud.nix
-    ./photoprism.nix
+    # ./photoprism.nix
     ./grafana.nix
     ./forgejo.nix
     ./synapse-matrix.nix

features/server/services/forgejo-smtp.nix

@@ -1,5 +1,5 @@
-U2FsdGVkX18oY3efQYeXqacnpNaOkre/hn/Ck1shbtZiKPQbD7G+tdQBjxPdZxIL
-7oZi2qay/Z6ZKgjmd5zMW+jFejxl9/PSbDFbydn3nADkOCgPO5QSjN2QX+cswV/T
-MlSQovYhJzhBgy37cPNU4oZBM8u5ZyRKLgBdUcbaKOJShyzirwKaKdn4abN0QC9B
-nPIRIY5INzJPDHJEi/hgOfp4PLeiJTOvrGjvKF2N65f4Uyi8BOW3NSDK+qp6VcUI
-tfF/C6r6XQF4w3p9GD2Zxw==
+U2FsdGVkX1+OxQJs9k/4JL1g9iZi/V4LYrvEhkf6JFwvTFhv+sIYDI9YFXpGFk2f
+DxWy76EO2LgRWZxTeBAQWTyinbDpYM2Efr3EqJvZmocBsrzrAIOfUyQ5gX9a3f9v
+QHIYSPSwapr9qVEkl92bbdLKw8aQExz7SLG4viIouIb8sXShq7HGeajwrXgpj8F9
+UsFVRnrsWznu5Ubg5X40Q7EQy3vswzACkL65MeeT1AlF//vbPs/CAqa9zyc1pkoa
+QGHEinlNI/0Rb/RJ7rzmuEU28Z8M24tMajQWt5JmJ6Y=

features/server/services/forgejo.nix

@@ -1,10 +1,16 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
   imports = [ ./forgejo-smtp.nix ];
   sops.secrets.smtp_address = { };
   sops.secrets.smtp_password = {
     owner = "forgejo";
   };
+  sops.secrets.forgejoInitialMail = {
+    owner = "forgejo";
+  };
+  sops.secrets.forgejoInitialPassword = {
+    owner = "forgejo";
+  };
 
   services.forgejo = {
     enable = true;
@@ -15,7 +21,7 @@
     settings = {
       server = {
         DOMAIN = "git.hypervirtual.world";
-        ROOT_URL = "https://hypervirtual.world";
+        ROOT_URL = "https://git.hypervirtual.world";
         HTTP_PORT = 3333;
       };
       actions = {
@@ -29,4 +35,9 @@
     };
     mailerPasswordFile = config.sops.secrets.smtp_password.path;
   };
+
+  systemd.services.forgejo.preStart = ''
+    create="${lib.getExe config.services.forgejo.package} admin user create"
+    $create --admin --email "`cat ${config.sops.secrets.forgejoInitialMail.path}`" --username you --password "`cat ${config.sops.secrets.forgejoInitialPassword.path}`" &>/dev/null || true
+  '';
 }

features/server/services/nextcloud-network.nix

@@ -0,0 +1,3 @@
+U2FsdGVkX18gq8c8sLObTxZnVycdd9qBcE6mzuVR+7ff6J7ntoPxlWdeNWTSnWiI
+cVRz0XEH9+DX7EyUbuwQcDtzepoJONsGowXM6Hs+N1A5feaku0J+jGFoMtXX1kv8
+SXpR3emmKFbtNmwCqW0++DLolU9R/pdRlWFlQiABlMc=

features/server/services/nextcloud.nix

@@ -1,4 +1,9 @@
-{ config, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
   imports = [
     "${
@@ -7,6 +12,7 @@
         sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
       }
     }/nextcloud-extras.nix"
+    ./nextcloud-network.nix
   ]; # adding caddy support
 
   sops.secrets.adminNextcloudPass = {
@@ -23,18 +29,68 @@
       dbtype = "pgsql";
       adminpassFile = config.sops.secrets.adminNextcloudPass.path;
     };
-    settings.enabledPreviewProviders = [
-      "OC\\Preview\\BMP"
-      "OC\\Preview\\GIF"
-      "OC\\Preview\\JPEG"
-      "OC\\Preview\\Krita"
-      "OC\\Preview\\MarkDown"
-      "OC\\Preview\\MP3"
-      "OC\\Preview\\OpenDocument"
-      "OC\\Preview\\PNG"
-      "OC\\Preview\\TXT"
-      "OC\\Preview\\XBitmap"
-      "OC\\Preview\\HEIC"
+
+    settings = {
+      enabledPreviewProviders = [
+        "OC\\Preview\\BMP"
+        "OC\\Preview\\GIF"
+        "OC\\Preview\\JPEG"
+        "OC\\Preview\\Krita"
+        "OC\\Preview\\MarkDown"
+        "OC\\Preview\\MP3"
+        "OC\\Preview\\OpenDocument"
+        "OC\\Preview\\PNG"
+        "OC\\Preview\\TXT"
+        "OC\\Preview\\XBitmap"
+        "OC\\Preview\\HEIC"
+      ];
+
+      trustedDomains = [ "cloud.hypervirtual.world" ];
+      overwriteprotocol = "https";
+      log_type = "file"; # temporary fix for https://nixos.org/manual/nixos/stable/#module-services-nextcloud-warning-logreader
+      default_phone_region = "FR";
+      default_locale = "fr_FR";
+      default_language = "fr";
+      default_timezone = "Europe/Paris";
+    };
+
+    phpExtraExtensions = all: [
+      all.pdlib
+      all.redis
+      all.bz2
     ];
+    phpOptions."opcache.interned_strings_buffer" = "23";
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps)
+        contacts
+        calendar
+        previewgenerator
+        twofactor_nextcloud_notification
+        ;
+
+      memories = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-DJPskJ4rTECTaO1XJFeOD1EfA3TQR4YXqG+NIti0UPE=";
+        url = "https://github.com/pulsejet/memories/releases/download/v7.3.1/memories.tar.gz";
+        license = "agpl3Only";
+      };
+      /*
+        not useful for me
+           registration = pkgs.fetchNextcloudApp {
+             sha256 = "sha256-dDaQHyHdkkd8ZammLdck2HNGqqfEaunwevdPzbWzB8Y=";
+             url = "https://github.com/nextcloud-releases/registration/releases/download/v2.4.0/registration-v2.4.0.tar.gz";
+             license = "agpl3Only";
+           };
+      */
+      facerecognition = pkgs.fetchNextcloudApp {
+        sha256 = "1dfpmnyyrjyn7wbjfj3w072rzfl7zwm8ppphgsg8ampw2dy7y6yk";
+        url = "https://github.com/matiasdelellis/facerecognition/releases/download/v0.9.51/facerecognition.tar.gz";
+        license = "agpl3Only";
+      };
+
+    };
+    extraAppsEnable = true;
+    appstoreEnable = true; # why i would want appstore to be disabled ???
+    autoUpdateApps.enable = true;
+    extraOptions."memories.exiftool" = "${lib.getExe pkgs.exiftool}";
   };
 }

features/server/services/photoprism.nix

@@ -3,10 +3,15 @@
   sops.secrets.photoprismAdmin = { };
   sops.secrets.photoprismPassword = { };
 
+  environment.systemPackages = with pkgs; [
+    photoprism
+  ];
+
   services.photoprism = {
     enable = true;
     port = 2342;
     originalsPath = "/srv/cloud/photoprism/originals";
+    importPath = "/srv/cloud/photoprism/imports";
     settings = {
       PHOTOPRISM_ADMIN_USER = "admin";
       PHOTOPRISM_DEFAULT_LOCALE = "fr";
@@ -19,4 +24,9 @@
     };
     passwordFile = config.sops.secrets.photoprismPassword.path;
   };
+
+  systemd.tmpfiles.rules = [
+    "d /srv/cloud/photoprism/originals 0755 photoprism photoprism -"
+    "d /srv/cloud/photoprism/imports 0755 photoprism photoprism -"
+  ];
 }

features/server/services/synapse-matrix.nix

@@ -21,6 +21,7 @@ in
       server_name = "hypervirtual.world";
       public_baseurl = baseUrl;
       enable_registration = false;
+      enable_metrics = true;
       listeners = [
         {
           port = 8008;
@@ -36,7 +37,6 @@ in
               names = [
                 "client"
                 "federation"
-                "metrics"
               ];
               compress = true;
             }
@@ -48,7 +48,7 @@ in
           tls = false;
           bind_addresses = [
             "::1"
-            "0.0.0.0"
+            "127.0.0.1"
           ];
           resources = [ ];
         }
@@ -87,7 +87,6 @@ in
 
       };
     };
-
   */
 
 }

features/server/tailscale.nix

@@ -2,16 +2,18 @@
 {
   services.tailscale = {
     enable = true;
-    useRoutingFeatures = "server";
+    # useRoutingFeatures = "server";
   };
 
-  services.networkd-dispatcher = {
-    enable = true;
-    rules."50-tailscale" = {
-      onState = [ "routable" ];
-      script = ''
-        ${pkgs.ethtool}/bin/ethtool -K ens18 rx-udp-gro-forwarding on rx-gro-list off
-      '';
+  /*
+    services.networkd-dispatcher = {
+      enable = true;
+      rules."50-tailscale" = {
+        onState = [ "routable" ];
+        script = ''
+          ${pkgs.ethtool}/bin/ethtool -K ens18 rx-udp-gro-forwarding on rx-gro-list off
+        '';
+      };
     };
-  };
+  */
 }

hosts/sisyphe/server-configuration.nix

@@ -38,12 +38,6 @@ in
         22 # ssh
         8008 # matrix-synapse
         8448 # matrix-synapse
-        3030
-        3333
-        2344
-        4000
-        5050 # calibre-web
-        9091 # transmission
       ];
       allowedUDPPorts = [ ];
     };

secrets/secrets.yaml

@@ -1,6 +1,8 @@
 borgRepoPassword: ENC[AES256_GCM,data:pgaBumNDhis8ftypaz5MdQfY467ToUJLYUs=,iv:rE0kAaAC1NEQgCvEl7f8hnSk0N6jZOAMABrErDudRMQ=,tag:58ZlN1lseFwQFq/T2gLB2g==,type:str]
 photoprismAdmin: ENC[AES256_GCM,data:kSFgrZKGGMA=,iv:fFkWYgUBfCg3lVLQMTFkabQzJvJ2IsciEiyOkObOL4k=,tag:AylOeAP5Vllx/vlOKAPqsA==,type:str]
 photoprismPassword: ENC[AES256_GCM,data:3zUZhRZElMmpsBF4zBGz43dci2JC5bc=,iv:qj5wpKHxeu67R3KTDfyjfVbP7Hvydyh7Oxd/FY8YOg0=,tag:bCAQ57eG8CmBdF8oobo3Vg==,type:str]
+forgejoInitialMail: ENC[AES256_GCM,data:kcUIZMQYl5Ast0v/,iv:g+feK0H41ufxUwGbY8euCh2+/Bz45m4CUPlHVI8yY90=,tag:n6bRu2iz/VO1y5jGxtIIwA==,type:str]
+forgejoInitialPassword: ENC[AES256_GCM,data:L6moUxZbEpeNStsEM5HMSOcCURxJZ58uvdI=,iv:2rXOsQM+jgSdEawKiwFqQWK5LZXvwNbKiO+BysOtQZE=,tag:B+ZP16gFQLpZXj+WALwktg==,type:str]
 smtp_address: ENC[AES256_GCM,data:HjF8aPPE6FqdM09lqXLyRQ==,iv:fTgefhxOL4FJ4pKD+Lfox1a27GPlsC+QtMixVOUjQZU=,tag:ridCBcd3ZqswKswackFfTg==,type:str]
 smtp_password: ENC[AES256_GCM,data:mgQlrXLfLnl2nv7/cdfo0lQz02s4ccunmCJenURA5j2xjX+Ef/vQAacKYofCxCwe3lo=,iv:t1tKu6OFsboovdobb4xHhtC/Fy3R6GoFT2SkUf9Vk3s=,tag:L2cMIBg2LeEu4P1a7Z1y/Q==,type:str]
 matrix_data: ENC[AES256_GCM,data:VinMt0TvPACJ6iz+9nnjf9SsZhUIkRVbvYHqlpEeIhvuYmjRtnO3frJ46uwYpNcTE+fpYcWu,iv:yc/EKM4UFe23wAe6fuGrmPtdIpEZ5XSW/9YzZY3P7yw=,tag:5qZiO4kmnsYHIsINB00gBQ==,type:str]
@@ -33,8 +35,8 @@ sops:
             UTYrZ1dWUG5ka1p0b3JrREZXUzZiWlEKBFn4I/U3bwyurfa8gyfy7D3wYAwOtDw7
             K0jQE5SeExD9kluwH0gyGDZbk/DWn+ppWoMNqQKDmICrUQpns6GJnQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-12T15:57:34Z"
-    mac: ENC[AES256_GCM,data:Y4MEQSgqvALcP0K92TlAaqFylk5YRTHXLRSUJmKV3ShFrdHg/iQdpcZndpX0qEynGnLooKJHfc2XpNuNVn+Z4r8jKNbI0veHdyDUWR342na9nQ3iQhccNrPxNLQ/QtOrHx4RDMv65n91XDqdWOpbzDG5gaNvk5t+hPLRY+cDUas=,iv:9qdunFsspOKcJOYdlQuAcGR16oWKCe4uzLcmwEgCy78=,tag:SSO/6Y0YTmz332ysQeP55A==,type:str]
+    lastmodified: "2024-08-17T13:12:06Z"
+    mac: ENC[AES256_GCM,data:Ojux0nJZptl1sZ0/TppLF/fiE6Iq9hh+s6ywqe3ulOGCVznzygfXcGjQTKsdJJEcRU4I0bdq38mWfFADPj2j86MUPQq9kBYjpwGSNyndIWBpGHf0XEBCMEXNHAtGr1xIBRfYZ6L61hcKNCjdCOBDcnAfM2HLNx4qFI2mqPDf+eg=,iv:QrKqh9lwP+K3rVNKJFw/Hi7WcDgXIzROwy0Q6wE83DE=,tag:ae5DgEKQ0qktNv3FZHn/2w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0