diff --git a/.gitattributes b/.gitattributes
index 5223e96..87c7f63 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 #pattern filter=crypt diff=crypt merge=crypt
 features/server/services/forgejo-smtp.nix filter=crypt diff=crypt
+features/server/services/nextcloud-network.nix filter=crypt diff=crypt
diff --git a/features/server/caddy.nix b/features/server/caddy.nix
index 23c1aab..101e08e 100644
--- a/features/server/caddy.nix
+++ b/features/server/caddy.nix
@@ -4,65 +4,57 @@ enable = true; virtualHosts = { - ":5050".extraConfig = '' - reverse_proxy :8083 - ''; - - "sisyphe.normandy.hypervirtual.world".extraConfig = '' + "http://sisyphe.normandy.hypervirtual.world".extraConfig = '' reverse_proxy :8003 ''; - "git.hypervirtual.world".extraConfig = '' + "http://git.hypervirtual.world".extraConfig = '' reverse_proxy :3333 ''; - "photos.hypervirtual.world".extraConfig = '' - reverse_proxy :2342 - ''; - - "books.hypervirtual.world".extraConfig = '' + "http://books.hypervirtual.world".extraConfig = '' reverse_proxy :8083 ''; - "fish.hypervirtual.world".extraConfig = '' + "http://fish.hypervirtual.world".extraConfig = '' reverse_proxy :3030 ''; - ":2344".extraConfig = '' - reverse_proxy :2342 - ''; - - "jellyfin.sisyphe.normandy.hypervirtual.world".extraConfig = '' + "http://jellyfin.sisyphe.normandy.hypervirtual.world".extraConfig = '' reverse_proxy :8096 ''; - "slskd.sisyphe.normandy.hypervirtual.world".extraConfig = '' + "http://slskd.sisyphe.normandy.hypervirtual.world".extraConfig = '' reverse_proxy :5030 ''; - "radarr.sisyphe.normandy.hypervirtual.world".extraConfig = '' + "http://radarr.sisyphe.normandy.hypervirtual.world".extraConfig = '' reverse_proxy :7878 ''; - "sonarr.sisyphe.normandy.hypervirtual.world".extraConfig = '' + "http://sonarr.sisyphe.normandy.hypervirtual.world".extraConfig = '' reverse_proxy :8989 ''; - "sonarr-anime.sisyphe.normandy.hypervirtual.world".extraConfig = '' + "http://sonarr-anime.sisyphe.normandy.hypervirtual.world".extraConfig = '' reverse_proxy :8999 ''; - "prowlarr.sisyphe.normandy.hypervirtual.world".extraConfig = '' + "http://prowlarr.sisyphe.normandy.hypervirtual.world".extraConfig = '' reverse_proxy :9696 ''; - "grafana.sisyphe.normandy.hypervirtual.world".extraConfig = '' + "http://grafana.sisyphe.normandy.hypervirtual.world".extraConfig = '' reverse_proxy :3000 ''; - "status.normandy.hypervirtual.world".extraConfig = '' + "http://status.normandy.hypervirtual.world".extraConfig = 
'' reverse_proxy :4000 ''; + + "http://transmission.normandy.hypervirtual.world".extraConfig = '' + reverse_proxy :9091 + ''; }; }; diff --git a/features/server/default.nix b/features/server/default.nix index cae3333..519f317 100644 --- a/features/server/default.nix +++ b/features/server/default.nix @@ -28,5 +28,6 @@ ethtool networkd-dispatcher transcrypt + libressl_3_8 ]; } diff --git a/features/server/multimedia/jellyfin.nix b/features/server/multimedia/jellyfin.nix index f7b847e..5024104 100644 --- a/features/server/multimedia/jellyfin.nix +++ b/features/server/multimedia/jellyfin.nix @@ -1,5 +1,21 @@ -{ config, ... }: +{ pkgs, config, ... }: { + # 1. enable vaapi on OS-level + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; + + hardware.opengl = { + # hardware.opengl in 24.05 + enable = true; + extraPackages = with pkgs; [ + intel-media-driver + intel-vaapi-driver # previously vaapiIntel + vaapiVdpau + intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) + intel-media-sdk # QSV up to 11th gen + ]; + }; services.jellyfin = { enable = true; openFirewall = true; diff --git a/features/server/services/default.nix b/features/server/services/default.nix index 4601715..9c31a01 100644 --- a/features/server/services/default.nix +++ b/features/server/services/default.nix @@ -1,9 +1,9 @@ -{config, ...}: +{ config, ... }: { imports = [ ./homelab-dashboard.nix ./nextcloud.nix - ./photoprism.nix + # ./photoprism.nix ./grafana.nix ./forgejo.nix ./synapse-matrix.nix diff --git a/features/server/services/forgejo-smtp.nix b/features/server/services/forgejo-smtp.nix index 0000234..837585b 100644 --- a/features/server/services/forgejo-smtp.nix +++ b/features/server/services/forgejo-smtp.nix 
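Review bot: Prefixing every virtualHost key with `http://` turns off Caddy's automatic HTTPS for those sites, so Caddy now serves them in plain text, while the same commit sets Forgejo's `ROOT_URL = "https://git.hypervirtual.world"` (forgejo.nix hunk) and Nextcloud's `overwriteprotocol = "https"` (nextcloud.nix hunk); those values only hold if TLS is terminated somewhere in front of Caddy. The hosts/sisyphe/server-configuration.nix hunk drops the per-service ports from `allowedTCPPorts` and the list that remains (22, 8008, 8448) opens neither 80 nor 443, so presumably these vhosts are meant to be reached only over the Tailscale interface — if that is the intent, a comment above `virtualHosts` such as `# plain http on purpose: reachable via tailscale only, no TLS terminated here` would make it explicit and stop the next reader from "fixing" the scheme.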
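Review bot: The `packageOverrides` entry overrides `pkgs.vaapiIntel` with `enableHybridCodec = true`, but `extraPackages` installs `intel-vaapi-driver` (the comment `# previously vaapiIntel` records the rename), so the override likely produces a package nothing here references while the installed driver keeps its default codec set; `intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };` would make the two agree — confirm against the pinned nixpkgs revision. The lambda `pkgs: { ... }` also shadows the module's `pkgs` argument added on the first line, which is legal but easy to misread. The `# 1. enable vaapi on OS-level` heading has no step 2; either label the `services.jellyfin` block as the second step or drop the numbering.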
@@ -1,5 +1,5 @@ -U2FsdGVkX18oY3efQYeXqacnpNaOkre/hn/Ck1shbtZiKPQbD7G+tdQBjxPdZxIL -7oZi2qay/Z6ZKgjmd5zMW+jFejxl9/PSbDFbydn3nADkOCgPO5QSjN2QX+cswV/T -MlSQovYhJzhBgy37cPNU4oZBM8u5ZyRKLgBdUcbaKOJShyzirwKaKdn4abN0QC9B -nPIRIY5INzJPDHJEi/hgOfp4PLeiJTOvrGjvKF2N65f4Uyi8BOW3NSDK+qp6VcUI -tfF/C6r6XQF4w3p9GD2Zxw== +U2FsdGVkX1+OxQJs9k/4JL1g9iZi/V4LYrvEhkf6JFwvTFhv+sIYDI9YFXpGFk2f +DxWy76EO2LgRWZxTeBAQWTyinbDpYM2Efr3EqJvZmocBsrzrAIOfUyQ5gX9a3f9v +QHIYSPSwapr9qVEkl92bbdLKw8aQExz7SLG4viIouIb8sXShq7HGeajwrXgpj8F9 +UsFVRnrsWznu5Ubg5X40Q7EQy3vswzACkL65MeeT1AlF//vbPs/CAqa9zyc1pkoa +QGHEinlNI/0Rb/RJ7rzmuEU28Z8M24tMajQWt5JmJ6Y= diff --git a/features/server/services/forgejo.nix b/features/server/services/forgejo.nix index 9e774b3..708d1c6 100644 --- a/features/server/services/forgejo.nix +++ b/features/server/services/forgejo.nix @@ -1,10 +1,16 @@ -{ config, ... }: +{ config, lib, ... }: { imports = [ ./forgejo-smtp.nix ]; sops.secrets.smtp_address = { }; sops.secrets.smtp_password = { owner = "forgejo"; }; + sops.secrets.forgejoInitialMail = { + owner = "forgejo"; + }; + sops.secrets.forgejoInitialPassword = { + owner = "forgejo"; + }; services.forgejo = { enable = true; @@ -15,7 +21,7 @@ settings = { server = { DOMAIN = "git.hypervirtual.world"; - ROOT_URL = "https://hypervirtual.world"; + ROOT_URL = "https://git.hypervirtual.world"; HTTP_PORT = 3333; }; actions = { @@ -29,4 +35,9 @@ }; mailerPasswordFile = config.sops.secrets.smtp_password.path; }; + + systemd.services.forgejo.preStart = '' + create="${lib.getExe config.services.forgejo.package} admin user create" + $create --admin --email "`cat ${config.sops.secrets.forgejoInitialMail.path}`" --username you --password "`cat ${config.sops.secrets.forgejoInitialPassword.path}`" &>/dev/null || true + ''; } diff --git a/features/server/services/nextcloud-network.nix b/features/server/services/nextcloud-network.nix new file mode 100644 index 0000000..c307036 --- /dev/null +++ b/features/server/services/nextcloud-network.nix 
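Review bot: In the `preStart` added by the last forgejo.nix hunk, the `--password` argument is built from `cat` of the `forgejoInitialPassword` sops path and so is passed as a process argument, visible in the process table (e.g. `/proc/<pid>/cmdline`) to other local accounts for as long as the command runs unless /proc is mounted with hidepid; and `&>/dev/null || true` discards every outcome, so a wrong flag or a missing secret leaves no admin account and no trace in the journal. Keep `|| true` (a second start fails because the user already exists) but drop `&>/dev/null` so stderr reaches `journalctl -u forgejo`, and treat `forgejoInitialPassword` as a bootstrap credential that is changed after first login rather than as a long-lived secret. The hard-coded `--username you` deserves either a comment or its own sops entry next to `forgejoInitialMail`.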
@@ -0,0 +1,3 @@ +U2FsdGVkX18gq8c8sLObTxZnVycdd9qBcE6mzuVR+7ff6J7ntoPxlWdeNWTSnWiI +cVRz0XEH9+DX7EyUbuwQcDtzepoJONsGowXM6Hs+N1A5feaku0J+jGFoMtXX1kv8 +SXpR3emmKFbtNmwCqW0++DLolU9R/pdRlWFlQiABlMc= diff --git a/features/server/services/nextcloud.nix b/features/server/services/nextcloud.nix index 5d45a89..c8b7fa1 100644 --- a/features/server/services/nextcloud.nix +++ b/features/server/services/nextcloud.nix @@ -1,4 +1,9 @@ -{ config, ... }: +{ + config, + pkgs, + lib, + ... +}: { imports = [ "${ @@ -7,6 +12,7 @@ sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs"; } }/nextcloud-extras.nix" + ./nextcloud-network.nix ]; # adding caddy support sops.secrets.adminNextcloudPass = { 
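Review bot: `./nextcloud-network.nix`, newly imported in the second nextcloud.nix hunk, is committed as a transcrypt blob (its hunk body is the `U2FsdGVkX1...` ciphertext and the .gitattributes hunk puts it under `filter=crypt`), so evaluation presumably only succeeds in a checkout where transcrypt has been initialised; a plain clone or a remote builder would see the ciphertext and fail to parse the module. Worth recording next to the import, e.g. `./nextcloud-network.nix # transcrypt-encrypted; evaluation needs an unlocked checkout`, and worth checking whether its contents could live in sops like the other secrets in this file, which remain plain Nix paths at evaluation time.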
@@ -23,18 +29,68 @@
 dbtype = "pgsql";
 adminpassFile = config.sops.secrets.adminNextcloudPass.path;
 };
- settings.enabledPreviewProviders = [
- "OC\\Preview\\BMP"
- "OC\\Preview\\GIF"
- "OC\\Preview\\JPEG"
- "OC\\Preview\\Krita"
- "OC\\Preview\\MarkDown"
- "OC\\Preview\\MP3"
- "OC\\Preview\\OpenDocument"
- "OC\\Preview\\PNG"
- "OC\\Preview\\TXT"
- "OC\\Preview\\XBitmap"
- "OC\\Preview\\HEIC"
+
+ settings = {
+ enabledPreviewProviders = [
+ "OC\\Preview\\BMP"
+ "OC\\Preview\\GIF"
+ "OC\\Preview\\JPEG"
+ "OC\\Preview\\Krita"
+ "OC\\Preview\\MarkDown"
+ "OC\\Preview\\MP3"
+ "OC\\Preview\\OpenDocument"
+ "OC\\Preview\\PNG"
+ "OC\\Preview\\TXT"
+ "OC\\Preview\\XBitmap"
+ "OC\\Preview\\HEIC"
+ ];
+
+ trustedDomains = [ "cloud.hypervirtual.world" ];
+ overwriteprotocol = "https";
+ log_type = "file"; # temporary fix for https://nixos.org/manual/nixos/stable/#module-services-nextcloud-warning-logreader
+ default_phone_region = "FR";
+ default_locale = "fr_FR";
+ default_language = "fr";
+ default_timezone = "Europe/Paris";
+ };
+
+ phpExtraExtensions = all: [
+ all.pdlib
+ all.redis
+ all.bz2
 ];
+ phpOptions."opcache.interned_strings_buffer" = "23";
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps)
+ contacts
+ calendar
+ previewgenerator
+ twofactor_nextcloud_notification
+ ;
+
+ memories = pkgs.fetchNextcloudApp {
+ sha256 = "sha256-DJPskJ4rTECTaO1XJFeOD1EfA3TQR4YXqG+NIti0UPE=";
+ url = "https://github.com/pulsejet/memories/releases/download/v7.3.1/memories.tar.gz";
+ license = "agpl3Only";
+ };
+ /*
+ not useful for me
+ registration = pkgs.fetchNextcloudApp {
+ sha256 = "sha256-dDaQHyHdkkd8ZammLdck2HNGqqfEaunwevdPzbWzB8Y=";
+ url = "https://github.com/nextcloud-releases/registration/releases/download/v2.4.0/registration-v2.4.0.tar.gz";
+ license = "agpl3Only";
+ };
+ */
+ facerecognition = pkgs.fetchNextcloudApp {
+ sha256 = "1dfpmnyyrjyn7wbjfj3w072rzfl7zwm8ppphgsg8ampw2dy7y6yk";
+ url = 
"https://github.com/matiasdelellis/facerecognition/releases/download/v0.9.51/facerecognition.tar.gz"; + license = "agpl3Only"; + }; + + }; + extraAppsEnable = true; + appstoreEnable = true; # why i would want appstore to be disabled ??? + autoUpdateApps.enable = true; + extraOptions."memories.exiftool" = "${lib.getExe pkgs.exiftool}"; }; } diff --git a/features/server/services/photoprism.nix b/features/server/services/photoprism.nix index 9639d4d..4d8cda7 100644 --- a/features/server/services/photoprism.nix +++ b/features/server/services/photoprism.nix @@ -3,10 +3,15 @@ sops.secrets.photoprismAdmin = { }; sops.secrets.photoprismPassword = { }; + environment.systemPackages = with pkgs; [ + photoprism + ]; + services.photoprism = { enable = true; port = 2342; originalsPath = "/srv/cloud/photoprism/originals"; + importPath = "/srv/cloud/photoprism/imports"; settings = { PHOTOPRISM_ADMIN_USER = "admin"; PHOTOPRISM_DEFAULT_LOCALE = "fr"; @@ -19,4 +24,9 @@ }; passwordFile = config.sops.secrets.photoprismPassword.path; }; + + systemd.tmpfiles.rules = [ + "d /srv/cloud/photoprism/originals 0755 photoprism photoprism -" + "d /srv/cloud/photoprism/imports 0755 photoprism photoprism -" + ]; } diff --git a/features/server/services/synapse-matrix.nix b/features/server/services/synapse-matrix.nix index 19630b4..d5b552a 100644 --- a/features/server/services/synapse-matrix.nix +++ b/features/server/services/synapse-matrix.nix @@ -21,6 +21,7 @@ in server_name = "hypervirtual.world"; public_baseurl = baseUrl; enable_registration = false; + enable_metrics = true; listeners = [ { port = 8008; @@ -36,7 +37,6 @@ in names = [ "client" "federation" - "metrics" ]; compress = true; } @@ -48,7 +48,7 @@ in tls = false; bind_addresses = [ "::1" - "0.0.0.0" + "127.0.0.1" ]; resources = [ ]; } @@ -87,7 +87,6 @@ in }; }; - */ } diff --git a/features/server/tailscale.nix b/features/server/tailscale.nix index 7df0312..31e9dc1 100644 --- a/features/server/tailscale.nix 
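Review bot: `appstoreEnable = true` together with `autoUpdateApps.enable = true` lets apps be installed and updated from the web UI outside this configuration, while `extraApps` pins memories and facerecognition to exact hashes; the `# why i would want appstore to be disabled ???` comment is asking about exactly that tension, and a comment stating the chosen trade-off — e.g. `# appstore + auto-update: apps may change outside this file; extraApps below stay pinned` — would answer it for the next reader. `overwriteprotocol = "https"` and the single `trustedDomains` entry assume TLS is terminated in front of Nextcloud, yet no `cloud.hypervirtual.world` vhost appears in the caddy.nix hunk, so presumably the imported `nextcloud-extras.nix` provides it — confirm. The `/* not useful for me ... */` block is dead configuration that git history already preserves.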
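Review bot: The new `systemd.tmpfiles.rules` create `/srv/cloud/photoprism/originals` and `/srv/cloud/photoprism/imports` with mode `0755`, which makes the photo library listable and readable by every local account; both directories are owned by `photoprism photoprism`, so unless another service on the host needs read access, `"d /srv/cloud/photoprism/originals 0750 photoprism photoprism -"` and the same for imports is sufficient. Note also that this same commit comments out `./photoprism.nix` in the services/default.nix hunk, so nothing in this file takes effect until the import is restored — if the module is being parked, a comment at the top saying so would avoid surprises.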
+++ b/features/server/tailscale.nix @@ -2,16 +2,18 @@ { services.tailscale = { enable = true; - useRoutingFeatures = "server"; + # useRoutingFeatures = "server"; }; - services.networkd-dispatcher = { - enable = true; - rules."50-tailscale" = { - onState = [ "routable" ]; - script = '' - ${pkgs.ethtool}/bin/ethtool -K ens18 rx-udp-gro-forwarding on rx-gro-list off - ''; + /* + services.networkd-dispatcher = { + enable = true; + rules."50-tailscale" = { + onState = [ "routable" ]; + script = '' + ${pkgs.ethtool}/bin/ethtool -K ens18 rx-udp-gro-forwarding on rx-gro-list off + ''; + }; }; - }; + */ } diff --git a/hosts/sisyphe/server-configuration.nix b/hosts/sisyphe/server-configuration.nix index ce8855b..c673d69 100644 --- a/hosts/sisyphe/server-configuration.nix +++ b/hosts/sisyphe/server-configuration.nix @@ -38,12 +38,6 @@ in 22 # ssh 8008 # matrix-synapse 8448 # matrix-synapse - 3030 - 3333 - 2344 - 4000 - 5050 # calibre-web - 9091 # transmission ]; allowedUDPPorts = [ ]; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 456aded..1c6e367 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
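Review bot: Disabling `useRoutingFeatures` and the networkd-dispatcher rule by commenting them out keeps two blocks of dead configuration in the file; git history preserves them, so deleting them with a one-line note such as `# subnet routing and the ens18 GRO tweak were removed; see git log` reads better than a `/* ... */` block. The commented block still mentions `${pkgs.ethtool}`, so the module's `pkgs` argument (outside this hunk) may now be unused. The hosts/sisyphe/server-configuration.nix hunk in the same commit closes the per-service ports, which pairs with the Caddy `http://` change and would benefit from a cross-reference comment there.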
@@ -1,6 +1,8 @@
 borgRepoPassword: ENC[AES256_GCM,data:pgaBumNDhis8ftypaz5MdQfY467ToUJLYUs=,iv:rE0kAaAC1NEQgCvEl7f8hnSk0N6jZOAMABrErDudRMQ=,tag:58ZlN1lseFwQFq/T2gLB2g==,type:str]
 photoprismAdmin: ENC[AES256_GCM,data:kSFgrZKGGMA=,iv:fFkWYgUBfCg3lVLQMTFkabQzJvJ2IsciEiyOkObOL4k=,tag:AylOeAP5Vllx/vlOKAPqsA==,type:str]
 photoprismPassword: ENC[AES256_GCM,data:3zUZhRZElMmpsBF4zBGz43dci2JC5bc=,iv:qj5wpKHxeu67R3KTDfyjfVbP7Hvydyh7Oxd/FY8YOg0=,tag:bCAQ57eG8CmBdF8oobo3Vg==,type:str]
+forgejoInitialMail: ENC[AES256_GCM,data:kcUIZMQYl5Ast0v/,iv:g+feK0H41ufxUwGbY8euCh2+/Bz45m4CUPlHVI8yY90=,tag:n6bRu2iz/VO1y5jGxtIIwA==,type:str]
+forgejoInitialPassword: ENC[AES256_GCM,data:L6moUxZbEpeNStsEM5HMSOcCURxJZ58uvdI=,iv:2rXOsQM+jgSdEawKiwFqQWK5LZXvwNbKiO+BysOtQZE=,tag:B+ZP16gFQLpZXj+WALwktg==,type:str]
 smtp_address: ENC[AES256_GCM,data:HjF8aPPE6FqdM09lqXLyRQ==,iv:fTgefhxOL4FJ4pKD+Lfox1a27GPlsC+QtMixVOUjQZU=,tag:ridCBcd3ZqswKswackFfTg==,type:str]
 smtp_password: ENC[AES256_GCM,data:mgQlrXLfLnl2nv7/cdfo0lQz02s4ccunmCJenURA5j2xjX+Ef/vQAacKYofCxCwe3lo=,iv:t1tKu6OFsboovdobb4xHhtC/Fy3R6GoFT2SkUf9Vk3s=,tag:L2cMIBg2LeEu4P1a7Z1y/Q==,type:str]
 matrix_data: ENC[AES256_GCM,data:VinMt0TvPACJ6iz+9nnjf9SsZhUIkRVbvYHqlpEeIhvuYmjRtnO3frJ46uwYpNcTE+fpYcWu,iv:yc/EKM4UFe23wAe6fuGrmPtdIpEZ5XSW/9YzZY3P7yw=,tag:5qZiO4kmnsYHIsINB00gBQ==,type:str]
@@ -33,8 +35,8 @@ sops:
 UTYrZ1dWUG5ka1p0b3JrREZXUzZiWlEKBFn4I/U3bwyurfa8gyfy7D3wYAwOtDw7
 K0jQE5SeExD9kluwH0gyGDZbk/DWn+ppWoMNqQKDmICrUQpns6GJnQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-12T15:57:34Z"
- mac: ENC[AES256_GCM,data:Y4MEQSgqvALcP0K92TlAaqFylk5YRTHXLRSUJmKV3ShFrdHg/iQdpcZndpX0qEynGnLooKJHfc2XpNuNVn+Z4r8jKNbI0veHdyDUWR342na9nQ3iQhccNrPxNLQ/QtOrHx4RDMv65n91XDqdWOpbzDG5gaNvk5t+hPLRY+cDUas=,iv:9qdunFsspOKcJOYdlQuAcGR16oWKCe4uzLcmwEgCy78=,tag:SSO/6Y0YTmz332ysQeP55A==,type:str]
+ lastmodified: "2024-08-17T13:12:06Z"
+ mac: ENC[AES256_GCM,data:Ojux0nJZptl1sZ0/TppLF/fiE6Iq9hh+s6ywqe3ulOGCVznzygfXcGjQTKsdJJEcRU4I0bdq38mWfFADPj2j86MUPQq9kBYjpwGSNyndIWBpGHf0XEBCMEXNHAtGr1xIBRfYZ6L61hcKNCjdCOBDcnAfM2HLNx4qFI2mqPDf+eg=,iv:QrKqh9lwP+K3rVNKJFw/Hi7WcDgXIzROwy0Q6wE83DE=,tag:ae5DgEKQ0qktNv3FZHn/2w==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0