swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2026-04-14 05:09:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat[server]: storage migration finished
Some checks are pending
Build and Deploy / build (push) Waiting to run
Details
Build and Deploy / deploy (push) Blocked by required conditions
Details
Flake check / Check flake (push) Waiting to run
Details

Browse source
This commit is contained in:
Leon Schwarzäugl 2026-01-19 17:43:30 +01:00
parent c6539ed484
commit 3422a39da5
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
94 changed files with 1963 additions and 1626 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.sops.yaml
View file

@ -37,7 +37,6 @@ keys:
- &summers-monitoring age1vn6ya0japzpgc256jg57fldsqe4udmq50sj5hmkywn7rxfnskevsx2q96u
- &summers-nextcloud age1t7zagjfddns4yltupk7nx8xps4gh7mupyz85uuys0wd22cxj5qsq2hw0p7
- &summers-paperless age1rn0pxluh7m8dyeshek06d7scejqlrcewlk8xmyrwt5e5nev2dc2s3s78vq
- &summers-postgresql age12jh5836w3cmazec8ql652p9h3a3xn6quztztzqxg4n0kz7r96dnqqlhxxw
- &summers-radicale age1gxg2peektn8x36kk3nsgmeawl73e54kaadqd649ygwrv43kkvejq2cw64z
- &summers-storage age1kn34ny229gm0rg7wlcvxmcyjtz4gka6f2vd958fde6vmuzrxcvcsufra90
- &summers-transmission age1y69f2elvmq39lc3t3ucq9y7wt675520n7rvug88qg368qsmmk47qvwrtny
@ -79,7 +78,6 @@ creation_rules:
- *summers-monitoring
- *summers-nextcloud
- *summers-paperless
- *summers-postgresql
- *summers-radicale
- *summers-storage
- *summers-transmission
@ -322,14 +320,6 @@ creation_rules:
- *summers
- *summers-paperless
- path_regex: hosts/nixos/x86_64-linux/summers/secrets/postgresql/[^/]+\.(yaml|json|env|ini|enc)$
key_groups:
- pgp:
- *swarsel
age:
- *summers
- *summers-postgresql
- path_regex: hosts/nixos/x86_64-linux/summers/secrets/radicale/[^/]+\.(yaml|json|env|ini|enc)$
key_groups:
- pgp:

2400
SwarselSystems.org
View file

File diff suppressed because it is too large Load diff

12
hosts/nixos/aarch64-linux/moonside/default.nix
View file

@ -82,11 +82,13 @@ in
serverName = "twothreetunnel";
};
};
restic = {
bucketName = "SwarselMoonside";
paths = [
"/persist/opt/minecraft"
];
restic.targets = {
SwarselMoonside = {
repository = config.repo.secrets.local.resticRepoState;
paths = [
"/persist/opt/minecraft"
];
};
};
};
syncthing = {

6
hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
View file

@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:t3En0FAhzVnLIv9tuvrTtmYMGeKvZ5e3FoVZHlEbHsmvUlVl+t1Po2uANatzIeKX3HRZJ1mURXMKh7Xk9O9DsKssadBYa2YqZTugU5m9o4+xESQlqHlnnKALaiyfSXFlhAZ6X50e8nfPCDLicjKzQnk7S/0XMaFB7XN9T4SfonVLElHSZtmOC+85WgAn4uAyfPq44UDVw116g7ogpjztsCG3deqTxP/mcY5trtk+SCEEHLHO6AiEe+Jz628Z+t+3YttQMKQulrakUzzvP07jQhW4m8X1cQOfX2xeTVTwNiqEq75Pt7g+mycKO952BVmMPYIvQAU2xUNC3YIqaFHUDS2QbooAeSJq8TT/s/zM/tjXXLsA7EsFTcduDKDGXhBFt7AlicruhymgtuGv2IwQLeprytRpwz2wcWFGLeiOKp/Zdqwf/3yhGeYlOEv+yhCXI2oZxS+8q4Vu0ejDkTtSeGzm5EtTrxzmS4X2psq2In+9Jb70TrkutAA6F50VyKJV6WQX7Q9yFU6Z6URHlxpwOUzwpto4Z3gxOn9Hm9VyrhTSJZ7sjd9sYf0WO4CJpUYrTu5/ZRcdy8i6Wu2GA/ylt+XXsG1yicgPxDvUcWSg6VfD5/tSTEHtUUVD/sAf7xl/sPcd76Z1DFfgkfA/s4BbbyZKzaZpAz1WYTuhambFpKWDY8YKCoLZdSCahP0jupm3OcnNw7ZCYu43k2JHp4X1mW0gb4TPvIGOcpC+pJvLsa2Q4AUAt4eUmlMCogJ7R89LPLy3fTYDeQV9ly6Z54N70kfsJVCuzrqOjFS4WxqJPZZ4HcRth4JmFE0mcCDsWQVOGJdJmShFxr7kijEoAyfrrZeRG29PgU+2CCcm2dvswJ8DdEtI4E8i/tOwQlHpUmWAM5dFFvKWZjxd89tofYyB/mrAQwXhD7+9Yu4KJM1C3v2IbrvkOgaSMVL7Ekn5YqU+g2BfGYQbkCYMM3DLpllTMGjiMFeOLgvHPAhA3ozR0KxJUaUVZe5B5XscA1xaKedl3hDxR6A9r/g1EQvv7F0n1rWpJvMVSZ3oo8YmzO2DKDwsfKglkR3TrmvQyPvwO/F5wnKMb2+GWh0EmeQLcxHldB6j5CpAj6O1AqfOZjZNcFc8/RfAdLS+OMXgNaWvahVjlPKqI17zLTSJCaCF8KP/T9Chj90l5XqgPsV0t6bPDueOrBOrieQD8UKOjQHR/fgSunjZQrVfYgDBTilb3UyGJ3sqlL9zcTjTgLkNSkNd41EmnCm6SdB3RpQb1fcXfzuCp4bD5Ty01PU380YWXXkAinXDP8961uexWryckhsCqkfbdDnjti3CPfEOBWc6u1R9cI6oLZRw34NpY/4z/fuLAnxgjEgwLAQLG0am/tT1ySH/Cmfy,iv:aa5FNi/z0WnPHFsLUk3odDnghUq7YyA9U6nI71ug4fI=,tag:kd3TDY3mWiEEXsB9RopnUg==,type:str]",
"data": "ENC[AES256_GCM,data:MeJM7Y4TN0doXAHHxa5y+ZuatVyEsx4HL5sMBGJ77J6VIuqS1GvY9D2p+/JETZx5iwEf+oJ5CMUD4/PQtXbUM7RKzhyzU9AjCdfNos4ZTEyLUhmHgAup2AP0yVO/Qb7dYjDPwbT5wycAAQUx+3xc1GKX93MqsKfNVUqIHWAr20s5ct0RxBylvPWeZA6eNDmcdgNaA5QgKoEDrZtfK3inTg1UmhQZrvw7MWzFN68DdC7FRxeDxSdn1ctucGTJW8k1LT5MdwGCA7nX08vAMG7VBIuj61ZXXU3zFtNRtdHBiyzlqjgInHRWevajK7L/Vjxpy3ffBRAFFQYZi6jVaui5acOywSvCvvrzVKN6Z2Rzc72KfC/np0NElJBrTAqBfQ+8tXrjjd8uaTQXbcXc3qk/y6+kfjOcYB8lk0opA/r33xUR7QkMElu7zuw1+u5ClKTOIZSqkdqrEbTCnw+hn5fL2VH0bShEACXQal6z/XnJSULmzxE5YfSK7qsJxakVux+Ksz3E5EHYgyyMCNk5WEyJtFz5FFBV0+FDbar9ChdLPvY/SEGLGS7ekx6aA/PQGQtb/xsk5pylt5Ie6vxL4YBDAxgm1ss4ciK3HfoAZJnQbfa6kkqm1rfAvzr2rM4WH/Vyocakpqxv16QH4AtbX0A02Y4lwMhxTz+8XRFxLOm4CBXYBddKSMKEaW0VCMEl3U3g4e7vPRg2tp+1WxouJSjbejgnVeq/A026j6ZwQ44xADkWjG+4lCvIO0NLZIv5uE3Sb3a4sW4dphqrQPWMaiOmtzxxZWbO0GTnQ5/U2U6DCdyspGjFEFAGOxduFTBMhIeDzWfHLty/S17Hjaxp+v3qEnOs7aMznIzV/LmzAxMp0CVA6I7ehtzbHVNdaY4DfrrNZJgYzkoUG1F0De5in+Bk6g22UecAXBW2sLugmxPwV14sa0iD4IpAvrGE4LwdnGOFAXWunYvOK2zsn92v7ymESayGj9PqH9srL/yaB/RZuJ3VtwLNgPTc+Ly9G6PL3XMInjWdmI9+wIuBaDyWdUxLZhhlH+njc9Bc/rxQWbXHlggrTFQw+rLlQtw0w6rS+avbC+KDpnhhTKDV4gQZsvY8PpKlsmvgN8g6BKrY25JE9sLBMMxmzSbLfIUDGgfUi7BM9p0l4wpdWrHB+rBQtoULDXCWR3LRD4SnyBoNSgXhoXxMaelUVpfOlY105sLLYxMzkzSijQ+OJ1pST1ED+XEnjddcLJtJ+1zIQ5aRZCYDcRr0FGvLcfW+M2yORIc03r/RI/wKTASezuydtMGibUUwBq1jjb5ZDGQEVdABPCEdqBgubDllFm3JdkyPV6V0EoQ4Qq+dv021exQqclentdBqK/A/LJ+h1QQyg7+wDdeC0sJF0EHP,iv:5u/hx1/P7QsLpx/tXceGMjI2Hh5crdguiI30+HJfd/w=,tag:8k5G2WALcjD8S8lZ30EWGw==,type:str]",
"sops": {
"age": [
{
@ -7,8 +7,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-12-04T23:10:31Z",
"mac": "ENC[AES256_GCM,data:gNsVWFrs92csjnRvhtXcKLuZUiHo9dxpFRLwjWz7VQSLeOBL4iv+Hq3SNyx4F69AC2nr9HL1QTLzX+444EhDYot0jLqOH6xz/FaQPf6OXKHg+Nr05MUe8X2QsLjodOW81Vv7HqIMypU5dyt0FBr74++9oEz6072AuFl5JAUWIvo=,iv:tGX+wUKvWYOnxVCTqhra7tg+r+TT8tyAr1tlRP2FkWA=,tag:WI5D0FTguiCJcrQh47qJow==,type:str]",
"lastmodified": "2026-01-19T14:14:55Z",
"mac": "ENC[AES256_GCM,data:tNJ4mSS9ulh3sQ1X5ccoswadbnQVm0+3bbyai486ljw59IBkGbf3mo35Dc1PHZJB+zXoiAj7d+hhY7YGJNz7CJjunI0o4+Aj38aEMUa/VpdO0LX+7xTz+r2wX3zaDYbAI16klElXJ30Z8PyVSoGosbz5DbPAKFED7silxVfiPbc=,iv:KOWA4/+jKqbrghw+LW91UQj5+IWSYx2RSi76ew7uNZ4=,tag:znrx6hMqFu+lykXu3DCHMQ==,type:str]",
"pgp": [
{
"created_at": "2025-06-13T20:12:55Z",

10
hosts/nixos/aarch64-linux/moonside/secrets/secrets.yaml
View file

@ -16,9 +16,9 @@ microbin-uploader-password: ENC[AES256_GCM,data:20QOWTMLS7iTS/Q=,iv:EuUYcY1l4ykK
#ENC[AES256_GCM,data:ZnMVMv6M,iv:z53BHIVvMUfYseftc6DTU9Mlb9ywEvNHv24TvIZiMFI=,tag:QdeWjrw0pmJsXYobADzA1A==,type:comment]
shlink-api: ENC[AES256_GCM,data:XdfDJMjyhJyeqVB4RKgCdkWT2nYC/Pw21D8H/JzkGLuwGx8Q,iv:zucJGNLX8018gD34NL/BwTe0fPFucqpBtMCYXd3IGHs=,tag:/sN/ayEhUaCPmu6fS+mMHQ==,type:str]
#ENC[AES256_GCM,data:R5mm4WAJww==,iv:6Uyb7Qtl6vt7nur/NLBlrVtKoPkF3ZjXdAhT24HW/ug=,tag:6X9b1zZbpHoEZmaYb9NQSw==,type:comment]
resticpw: ENC[AES256_GCM,data:PcrDphqR5Pin2hM=,iv:lnMlqwyCvbH75qbL2eJYblmuFOaVMmbPHjZ5l0n2Glw=,tag:YUxadLufJ2VPghLded851A==,type:str]
resticaccesskey: ENC[AES256_GCM,data:DOp2cFy1Y5HyXcsQ5O3nsrEOQBtlQQ3P8Q==,iv:0X6HF9kbPNDmhtENHgFeOSHln6xlCf5DNJfqavucDWI=,tag:+THGH00yBT9RhvJtENco2Q==,type:str]
resticsecretaccesskey: ENC[AES256_GCM,data:qpPTWx16Z92cup6ACh2KQPeIk8KPasQB4e/SwxUxfA==,iv:EqWTKXXA7wyArlF+D33tKF37tz8/ORsjsWjRPYBWPqg=,tag:F21+4cL/cozDIene7UQcyA==,type:str]
resticpw-SwarselMoonside: ENC[AES256_GCM,data:+kPee07ZmnAv4V0=,iv:gi7sdKO+WE8qTuYb3wbjgmVzRvmF8hd1h5vV9QDx+6Q=,tag:0/azZWAqeXcXCsmx2HkFmQ==,type:str]
resticaccesskey-SwarselMoonside: ENC[AES256_GCM,data:R9yj4NFFeZ/iU8Jwp5r3BwnZDy1eSWsebQ==,iv:8C05b7pxA7fJC1Mh5oAH1A5LtNYhZaZnQfAjZMURGtc=,tag:pSGpJrOy/i9Iq22OQPtU9g==,type:str]
resticsecretaccesskey-SwarselMoonside: ENC[AES256_GCM,data:8dp2FGgoJa5TBy2HFITO2to8Z4xoowzhLrCZVDLrAA==,iv:2t3CoVp/4+8xZvSjuMnq4d4nFugnL53HPv1r/odKGvM=,tag:I5zxggxsNHVovq8bcRs0Pw==,type:str]
sops:
age:
- recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
@ -30,8 +30,8 @@ sops:
bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK
Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-28T17:44:47Z"
mac: ENC[AES256_GCM,data:h3skmRhVfBa/W6GB35O3sHdDLmo/4VQ3rgFbltdweDP+9qbQv+6tduRGknGiQjnyuaGGVyPlEOqfLKzYjP8Jsx+XnprblNfD75yiGckBFQaBKhd8l+hfcYVRNTrKCWkFUrYXIfCWgbrXNmq47SHn0+TBedXRw+9LoSyqsRdIJOk=,iv:Js2C7XfOD4d5fF+Otn7xJxBw0Nfh1cB7oLjyCrUA9es=,tag:4flxdWSlXyslNErlEFM2VA==,type:str]
lastmodified: "2026-01-19T14:13:20Z"
mac: ENC[AES256_GCM,data:XKsR8Gp6UHhAfoOdRozMxoGtdhfV7b6ogsqlqiAfTsuUayVVK6fRIgy5no5jcNnyyN8zveH/QZS1kGpNSY24N0l4gBA3u5ay5fsS0HjfW5b7mNpasOttqCrm6RpY2ZDdTUmsk3F25QEsdc28fajURJKOazZSs78dbdNq1LdJK1s=,iv:TgLuYGZtxx0ZPPeR1M/NgV1Wt7f5V89KEFOpKSjBxws=,tag:I/CGHZcT6n9X8R2EYRbOYw==,type:str]
pgp:
- created_at: "2025-06-13T21:18:31Z"
enc: |-

18
hosts/nixos/aarch64-linux/twothreetunnel/default.nix
View file

@ -37,6 +37,24 @@
"moonside"
"winters"
"summers"
"summers-ankisync"
"summers-atuin"
"summers-audio"
"summers-firefly"
"summers-forgejo"
"summers-freshrss"
"summers-homebox"
"summers-immich"
"summers-jellyfin"
"summers-kanidm"
"summers-kavita"
"summers-koillection"
"summers-matrix"
"summers-monitoring"
"summers-nextcloud"
"summers-paperless"
"summers-radicale"
"summers-storage"
"belchsfactory"
"eagleland"
"hintbooth-adguardhome"

21
hosts/nixos/x86_64-linux/hintbooth/default.nix
View file

@ -27,7 +27,7 @@
info = "HUNSN RM02, 8GB RAM";
flakePath = "/root/.dotfiles";
isImpermanence = true;
isSecureBoot = false;
isSecureBoot = true;
isCrypted = true;
isBtrfs = true;
isLinux = true;
@ -46,6 +46,25 @@
"hintbooth-adguardhome"
"hintbooth-nginx"
"summers"
"summers-ankisync"
"summers-atuin"
"summers-audio"
"summers-firefly"
"summers-forgejo"
"summers-freshrss"
"summers-homebox"
"summers-immich"
"summers-jellyfin"
"summers-kanidm"
"summers-kavita"
"summers-koillection"
"summers-matrix"
"summers-monitoring"
"summers-nextcloud"
"summers-paperless"
"summers-radicale"
"summers-storage"
"summers-transmission"
"winters"
];
};

88
hosts/nixos/x86_64-linux/summers/default.nix
View file

@ -53,19 +53,19 @@
serverName = "hintbooth";
};
};
restic = {
bucketName = "SwarselWinters";
paths = [
"/Vault/data/paperless"
"/Vault/data/koillection"
"/Vault/data/postgresql"
"/Vault/data/firefly-iii"
"/Vault/data/radicale"
"/Vault/data/matrix-synapse"
"/Vault/Eternor/Paperless"
"/Vault/Eternor/Bilder"
"/Vault/Eternor/Immich"
];
restic.targets = {
SwarselState = {
repository = config.repo.secrets.local.resticRepoState;
# nextcloud stores all data in state dir and has no data that needs backup
paths = lib.map (guest: "/Vault/guests/${guest}/state") (builtins.filter (name: name != "nextcloud") (builtins.attrNames config.guests));
};
SwarselStorage = {
repository = config.repo.secrets.local.resticRepoStorage;
paths = [
"/Vault/Eternor/Pictures"
"/Vault/Eternor/Documents/paperless"
];
};
};
};
};
@ -78,59 +78,31 @@
swarselmodules.server = {
wireguard = true;
nginx = true; # for php stuff
acme = false; # cert handled by proxy
nfs = true;
# kavita = true;
restic = true;
jellyfin = true;
navidrome = true;
spotifyd = true;
mpd = true;
postgresql = true;
matrix = true;
nextcloud = true;
immich = true;
paperless = true;
transmission = true;
syncthing = true;
grafana = true;
freshrss = true;
kanidm = true;
firefly-iii = true;
koillection = true;
radicale = true;
atuin = true;
forgejo = true;
ankisync = true;
homebox = true;
opkssh = true;
};
guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) (
{ }
// confLib.mkMicrovm "kavita" { withZfs = true; }
// confLib.mkMicrovm "jellyfin" { withZfs = true; }
// confLib.mkMicrovm "audio" { withZfs = true; }
// confLib.mkMicrovm "postgresql" { withZfs = true; }
// confLib.mkMicrovm "matrix" { withZfs = true; }
// confLib.mkMicrovm "nextcloud" { withZfs = true; }
// confLib.mkMicrovm "immich" { withZfs = true; }
// confLib.mkMicrovm "paperless" { withZfs = true; }
// confLib.mkMicrovm "transmission" { withZfs = true; }
// confLib.mkMicrovm "storage" { withZfs = true; }
// confLib.mkMicrovm "monitoring" { withZfs = true; }
// confLib.mkMicrovm "freshrss" { withZfs = true; }
// confLib.mkMicrovm "kanidm" { withZfs = true; }
// confLib.mkMicrovm "firefly" { withZfs = true; }
// confLib.mkMicrovm "koillection" { withZfs = true; }
// confLib.mkMicrovm "radicale" { withZfs = true; }
// confLib.mkMicrovm "atuin" { withZfs = true; }
// confLib.mkMicrovm "forgejo" { withZfs = true; }
// confLib.mkMicrovm "ankisync" { withZfs = true; }
// confLib.mkMicrovm "atuin" { withZfs = true; }
// confLib.mkMicrovm "audio" { withZfs = true; eternorPaths = [ "Music" ]; }
// confLib.mkMicrovm "firefly" { withZfs = true; }
// confLib.mkMicrovm "forgejo" { withZfs = true; }
// confLib.mkMicrovm "freshrss" { withZfs = true; }
// confLib.mkMicrovm "homebox" { withZfs = true; }
// confLib.mkMicrovm "immich" { withZfs = true; eternorPaths = [ "Pictures" ]; }
// confLib.mkMicrovm "jellyfin" { withZfs = true; eternorPaths = [ "Videos" ]; }
// confLib.mkMicrovm "kanidm" { withZfs = true; }
// confLib.mkMicrovm "kavita" { withZfs = true; eternorPaths = [ "Books" ]; }
// confLib.mkMicrovm "koillection" { withZfs = true; }
// confLib.mkMicrovm "matrix" { withZfs = true; }
// confLib.mkMicrovm "monitoring" { withZfs = true; }
// confLib.mkMicrovm "nextcloud" { withZfs = true; }
// confLib.mkMicrovm "paperless" { withZfs = true; eternorPaths = [ "Documents" ]; }
// confLib.mkMicrovm "radicale" { withZfs = true; }
// confLib.mkMicrovm "storage" { withZfs = true; eternorPaths = [ "Books" "Videos" "Music" "Pictures" "Software" "Documents" ]; }
// confLib.mkMicrovm "transmission" { withZfs = true; eternorPaths = [ "Books" "Videos" "Music" "Software" ]; }
);
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "bmc" ];

2
hosts/nixos/x86_64-linux/summers/guests/ankisync/default.nix
View file

@ -36,7 +36,7 @@
};
swarselmodules.server = {
# ankisync = true;
ankisync = true;
};
}

2
hosts/nixos/x86_64-linux/summers/guests/atuin/default.nix
View file

@ -36,7 +36,7 @@
};
swarselmodules.server = {
# atuin = true;
atuin = true;
};
}

6
hosts/nixos/x86_64-linux/summers/guests/audio/default.nix
View file

@ -36,9 +36,9 @@
};
swarselmodules.server = {
# navidrome = true;
# spotifyd = true;
# mpd = true;
navidrome = true;
spotifyd = true;
mpd = true;
};
}

6
hosts/nixos/x86_64-linux/summers/guests/firefly/default.nix
View file

@ -36,9 +36,9 @@
};
swarselmodules.server = {
# firefly-iii = true;
# nginx = true;
# acme = true;
firefly-iii = true;
nginx = true;
acme = false;
};
}

2
hosts/nixos/x86_64-linux/summers/guests/forgejo/default.nix
View file

@ -36,7 +36,7 @@
};
swarselmodules.server = {
# forgejo = true;
forgejo = true;
};
}

6
hosts/nixos/x86_64-linux/summers/guests/freshrss/default.nix
View file

@ -36,9 +36,9 @@
};
swarselmodules.server = {
# freshrss = true;
# nginx = true;
# acme = true;
freshrss = true;
nginx = true;
acme = false;
};
}

2
hosts/nixos/x86_64-linux/summers/guests/homebox/default.nix
View file

@ -36,7 +36,7 @@
};
swarselmodules.server = {
# homebox = true;
homebox = true;
};
}

6
hosts/nixos/x86_64-linux/summers/guests/immich/default.nix
View file

@ -27,8 +27,8 @@
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 8;
vcpu = 8;
mem = 1024 * 16;
vcpu = 14;
};
swarselprofiles = {
@ -36,7 +36,7 @@
};
swarselmodules.server = {
# immich = true;
immich = true;
};
}

4
hosts/nixos/x86_64-linux/summers/guests/jellyfin/default.nix
View file

@ -28,7 +28,7 @@
microvm = {
mem = 1024 * 3;
vcpu = 1;
vcpu = 4;
};
swarselprofiles = {
@ -36,7 +36,7 @@
};
swarselmodules.server = {
# jellyfin = true;
jellyfin = true;
};
}

4
hosts/nixos/x86_64-linux/summers/guests/kanidm/default.nix
View file

@ -28,7 +28,7 @@
microvm = {
mem = 1024 * 4;
vcpu = 1;
vcpu = 2;
};
swarselprofiles = {
@ -36,7 +36,7 @@
};
swarselmodules.server = {
# kanidm = true;
kanidm = true;
};
}

4
hosts/nixos/x86_64-linux/summers/guests/kavita/default.nix
View file

@ -28,7 +28,7 @@
microvm = {
mem = 1024 * 1;
vcpu = 1;
vcpu = 2;
};
@ -37,7 +37,7 @@
};
swarselmodules.server = {
# kavita = true;
kavita = true;
};
}

2
hosts/nixos/x86_64-linux/summers/guests/koillection/default.nix
View file

@ -36,7 +36,7 @@
};
swarselmodules.server = {
# koillection = true;
koillection = true;
};
}

4
hosts/nixos/x86_64-linux/summers/guests/matrix/default.nix
View file

@ -27,7 +27,7 @@
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
mem = 1024 * 6;
vcpu = 2;
};
@ -36,7 +36,7 @@
};
swarselmodules.server = {
# matrix = true;
matrix = true;
};
}

2
hosts/nixos/x86_64-linux/summers/guests/monitoring/default.nix
View file

@ -36,7 +36,7 @@
};
swarselmodules.server = {
# grafana = true;
grafana = true;
};
}

6
hosts/nixos/x86_64-linux/summers/guests/nextcloud/default.nix
View file

@ -36,9 +36,9 @@
};
swarselmodules.server = {
# nextcloud = true;
# nginx = true;
# acme = true;
nextcloud = true;
nginx = true;
acme = false;
};
}

4
hosts/nixos/x86_64-linux/summers/guests/paperless/default.nix
View file

@ -27,7 +27,7 @@
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
mem = 1024 * 8;
vcpu = 4;
};
@ -36,7 +36,7 @@
};
swarselmodules.server = {
# paperless = true;
paperless = true;
};
}

42
hosts/nixos/x86_64-linux/summers/guests/postgresql/default.nix
View file

@ -1,42 +0,0 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
# postgresql = true;
};
}

2
hosts/nixos/x86_64-linux/summers/guests/radicale/default.nix
View file

@ -36,7 +36,7 @@
};
swarselmodules.server = {
# radicale = true;
radicale = true;
};
}

4
hosts/nixos/x86_64-linux/summers/guests/storage/default.nix
View file

@ -36,8 +36,8 @@
};
swarselmodules.server = {
# nfs = true;
# syncthing = true;
nfs = true;
syncthing = true;
};
}

7
hosts/nixos/x86_64-linux/summers/guests/transmission/default.nix
View file

@ -8,17 +8,12 @@
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
@ -36,7 +31,7 @@
};
swarselmodules.server = {
# transmission = true;
transmission = true;
};
}

6
hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc
View file

@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:l0LIC8IP4wVA8wI5Ef1yKYfvJw4b4izz7HemWgoKjx34GWLnVYKYqrsXuGD8QN0GzbK9ZAPsWXYa3VejnVXv8Qe1B9GPEJbPtP//ExZ9lDYoKICLpy/yLxSiG85xSQQ46UcipCpA5ZjJPnmYeimTlW+PH5BmuL3LD/OteGVcIwRVznBaQwQ/DnzxE7eBOyF3l0apIIzk4paMswF5OSh0+0EfIS0wKJ1zBLW3OfVc9N1npC7nn7x01X/fde9k4s0gt2XjPQ/Qo5HdBfEfqzzOTu1jiYuvuoiQ4KmlME75HWfLoGLjCYCespoEnH0v45vJALiKNk6wBbHwidY00HH8DSxRujYxl23IuW+r6x5B/rpXUanrHzfKmQyx3crYqDl3URHwycW49GXxWBy8PPE49SGmWMh25ceuLjIgqQaGppza1X/V3RV7tvA96/L/kAIvmoDaYJMncFv89Q+fi0obp1YqVNkxsdGuBawOnCzyL2RAhf9t1no2ak7zJnMqaiHY6BU0Sg2OSwWEJQEEBzmj4P5k9SXqVBF/MUL65sp76hq7Wk6mqtofHvzY0ugLw/b2G4+RlWNAyDQnb3dSmldSc/U7bLZ+2Z6IFlMrRGg0niZd8g2283CQACvNBSonZ9v1SMfgN6ChG2U8ry6McYwsrO0dDshiFyyyvy1GxPAzc8nf/n40i0ipnTydJ3vxlaPq3rKZPfsXQdfiqDDu5tGiF+7JpdBtoJQ2Pp8pRKkS6sVPIY2OsTdu/ZQ34aW9aBKLfGMB/YPm9vid1Nlp/5TSbmbXfC9Lwz5s3I50N/iLI9F8W+hhR4RpOQLufkS0+neFqK1N38s6P/lXAfIrDdq9+QNZvSE61bZqjx7oxl6QKJKvZCFmkTIZOP/xANrSe17f2MZ1ugh1MBMb/5/Zh9BznJBEjNMsaCdEEBe8Anbum0oO9CXlldFMqUf+LufI1VDWj/68oBjNmHgHFVzUofxD7q4EZ/8HTtfTWOivVLg0F2l4fR6JIdTqKEk/g1tVll2gWfH9H/xNrdZQ9PQI/XKiSa6LIWEdlPz3TuH2Fw6bo6UC1YfVMvoWPUQsUhqrCBv0eb7snvYBkUJg+/BWhWelL9W8FD0gce3WrJfAe12TXqgWb0zSHtPk9C9E0+UkXEM/SAciBJTSowR0edM8QyPzT8nP/9qrHz390V8EIbENWU9AYDuo6o5fh0E34FHNCuX/+toq9VrZZLVUR1pb+o4=,iv:o6qAis1FnoabxGMQDDXrubSFHIgP0XHkjO4Usx+eQoM=,tag:rC+nrChrFNfT/3C71szrfg==,type:str]",
"data": "ENC[AES256_GCM,data:F3RDXp9c69ZGzLlhWHDGDse6s3qYDbUjGQZi0iSS1J9Bb+K2SToOyxIg51UUp7K3TMQCiwj1OnwdP3FJlaA7CHpKYYEX+hL5/msA+ITs0dWNiuSaI7Hd0HE7kplU+jHVEOoFP36e6sdVlsUO1H2ICUTCIPU6zjQ9FqQkHBeKg9jPnOYkI1AV638F8261nqsfsmrN4yDS4bWgI7WsXBGAZJQ9nuvHIMUBXkLNOGI9o45vOZXW3LZmWLLJUddal8TNeitQ3tzJXnO+4pZbvlHhVxbkwB40Fc3mt/ZYqHfRK9W70dEDa63zYIVoyai8BlXmWl5mScxPerhvt05+NUeswV/yXf4UpsdAUttzNXuWenN7I9bIMrEODFocdPvELB/N/26smXaRFbtakSTeyDSuqwOefUashiZ+LyNB9lLpKyUXUiLxsOusucQIrL9kiMTvr2atPAXfEGJYC25uxNGOghffcwquitcMAKtGyLAMfnI606FkFE1MZxPc60OZo2y1yHhqV/QVFjoAwkFW5sSNUbe5DLoijuoNT+MZGxypwDUhgzCqWXzwz300jzpV3dla2tKeOjcJZk1JmlfXOrPsCNGkL1MtC5kRXFjA9HUV25fSHzrChDiyBek4fTCtZNphJz0yGBbNfX30vpY=,iv:w/D7rqHWsvBxUJaY4D2b3+aJRfoSfDwwU5L3facXFtY=,tag:3pwiviZYNiKe0FwteR7CxA==,type:str]",
"sops": {
"age": [
{
@ -7,8 +7,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcWF5cDZnWlZBYko2UFV2\nNGRMNlNzejVGR3hJSXNjaFQrWk1FWU9WZDM4CjZBRW9PbG9XY0V2T0dZTVhGU1Nn\nOXpXSWdaeHRNbmd5S0xuUkVuLzlidTgKLS0tIGNXckVXK0d6R2dNKzFzYTNPZWVW\nT0QzY0kvNEJvSC9CWExaRjBsQjdVYU0KavAD19+DC502a44wxbtz8fbxwIgpgE2c\nU4LlkgvkrhtTTiu6d/LiAKfqM9PrSajBdO8YrTpFxkqYgfi1tMoC8w==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-01-10T11:23:49Z",
"mac": "ENC[AES256_GCM,data:p/kSeOGsEFw1NxehT0UVNOrf20K+YEK/heZakNf+X4C4GabctvCTyGouoRDDq3ea/O7TeTT+uVRiveZ6TOE7S7rKwFX5yTuB1wKDqsFLjDgFidwzicHIBmfceB3XolU/l0cIkEH4UcYYOelfiHr5gtjLefnCUojttlUhRZz9CD4=,iv:2QDqwkwlaKZwtnuzfkmBDYmTTvt7FN2op6/O8JcHSBA=,tag:cOgrxorAFDwpBF2NfxxuVw==,type:str]",
"lastmodified": "2026-01-19T14:24:03Z",
"mac": "ENC[AES256_GCM,data:b87qyAxWtLycdtKTN2x+k9+CQB+JBUarfjDdrIiKBSaBwC0Gg05W5t2j1TRqi5NjA8GITYRRIHkzS0jx37zoLSmrJZqzSg4hTlbMDdjeGZiJt+zi7rDSv1HRSoOHz6CoG8XQYULNri1qcLzjBOCcdIFISh9EhXOTNbrwJ8uF/Eo=,iv:sFefD/bK514/SJ3PWJgL5a5Z4UHj6NKvJkLi0HhqpxI=,tag:v6CvJ1o8lKAAx1CApW6sdw==,type:str]",
"pgp": [
{
"created_at": "2026-01-10T00:38:26Z",

57
hosts/nixos/x86_64-linux/summers/secrets/postgresql/secrets.yaml
View file

@ -1,57 +0,0 @@
wireguard-private-key: ENC[AES256_GCM,data:iSjQO7EUVOYgh3378FTGPOf7fUFLBoA7KhxroPv3iyWfbDI8r0yB/ewoMOI=,iv:Z9KlHucjpU44VvYWkq443njeSs0TREKTIeq65ieUXv4=,tag:6fjf3Ce/tuvK4vHvBaQn4A==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NlJITGlYcExUSStpOVA3
b0t1ZklHciszOWlVNlJZN0d6a2dHWDlmb0JrClFpODdacW1nMDFySmUzd0pVSWNl
MGdSSTQ5ZFpGM1J0VjRIMmZVVjU3UVUKLS0tIGJPVWRPYzVPY2YvT2NrSU5BRDF0
Nm1RY0dVUDJZbGY2TU9paHNWaVVsMHcKCPcHSSMjzPHBgj7LIFcGnQT/74nGgc78
yfX67XYz1Ybdy23C9mddR8XtEy+g24MUEd4RoM9zziIG/Qt6+hl6rg==
-----END AGE ENCRYPTED FILE-----
- recipient: age12jh5836w3cmazec8ql652p9h3a3xn6quztztzqxg4n0kz7r96dnqqlhxxw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Q0eU1lUDJZZENQYS85
U1RzTU5XUEkxcnNwNGEwb3Z3UVA2YjkrcEUwCm1FNXM5czZxM2pDUk9pQkpOODFz
WW1ZWlJZeEJMNksvV0lGM2xvUW8vVUEKLS0tIGNidlRrSS9mb3VwWnJjRHFlZS9y
anoxVlpVcU1ZczBKQUZob1ZNNEcyYUEKrBDXe8EnozMy5nfGDV5Gcy10Q8q+CS+f
9jOpiFBnK3wRpjS5n7aHtg8j+CHxDIV4ERH1XvuAsMPvaZpuY4TKMQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-07T13:36:49Z"
mac: ENC[AES256_GCM,data:FVo2l0qd8E0G4252lmbPqhBKBu1WRXdqD5iYNJ5VTcFwM2ErC1RXVFFzX5jnBdq8yPUozS5/Vjm5p4B+N1bxwDe8nmKUJcXFy5AdMMgrVmXySPqEF6+uMQM5Mfh5yLgLnxscpCo6SV0kESfD86TeHI/HJ73EL4L8tD5V0tiDcSg=,iv:igf9D+MLI0rhagUP6IZLe6sP2HL5UpT5Z0DtLbXVq50=,tag:c0CGV69zbtIUxZMRJHh8yg==,type:str]
pgp:
- created_at: "2026-01-12T22:05:38Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/8Cqj7NrbjiXvyZIeZJsxy3Tv+T8u7muMMCWGb0eUuiyCG
w037NfXNVc4j36DNIpzFaSa6Y0ZD6A8yoHZ794qNngxghe/M71UHgivTXayVhiqH
ViPFmET/LIBZhX32bf++3yS3FYthvs8Uyn+sRCtypSFH8IaRwSdZO0tRkJMJOybm
z2O6ktQYWfzsAzJtqXShhe4W2egl+rUfbIxM7/GcqImQPrCyUc7mHn9S4+tUPWgF
AhDRx12l3KmleixY/xtrRE9Z0TkQ3BezmZzacAmKfPjR/DcJ5zBEzHADh3AgxmBU
up6IvhqAkm7XsxgyHo+6iK8OkMF/ac0sA+Fk74lyvPfVBPW9lVwMvXo/BvFzbGPb
DL6rQP82vWX2WGhRM4g8FO0PIETNRs75yn4NmDWd1Kz1ENgKxhRaoDyrMBM8jw3n
MbHNPif66KrUWB5kbiRVGW367o8O7dCizRnwDdXHOFrjYjCM0tcXMFIeC7AcjQoX
LfC63ctDSJVrRqs2AT7xUVCGHpZWSHMlmukNAS4Nld5nrvzzL7CeizfDi/c/q9Ss
DEMVVzi6FL0u0psXvNcGIJ41pN2RhfcDRDpv4QmI5LIy3fUtDMCrIsY3s8B9rxWA
bSYZt7PQB+BFuA7tnXmnIFthj56rv24aUe8yC5uNmusMQ530WAoGHd0xEvY5f/WF
AgwDC9FRLmchgYQBD/9NYLTJOXjofuNQz21M5Akvap/5/TnQbQSN8/P/wdYZ1fBS
/JTxPsjgNRG8h6sa+RFyZla+iRISkRqIz91OG/Vm+UKqnkh8JB7hHsZ22+ZKgu0Y
85QZyA1lXCmfXbPjQdBGwJhZN4t8u4y+GAwQydHL8AiTsFB+A+v1tsBodeOd6AZO
njj0LjMJflaFm37y50UTobVhuHi4FnKbnvdonc2k26ZgJRndyKiop/tV21mh49mQ
VwMETXOhFijw+OfVdsZWepP6Zz43WgUE2KFERXtI/mQuHFXm+R9SXWM2tpWpKbqh
TXCy4IW0VaYz4bHU4dvLTngtMvKZdw1DiCTkGjl3oS8LGEHObJmfaptd895QnKjW
UsSSZuU4QtXpPWkfDO/0q2HMLr8OgHuTegeeADnOrrw3DQQnaJgEzkr80tnAyZgD
Bjeg3SUnWilPY01sEs1LQ/BIvqMG8Kcc96wuuzw+8vRppuLovb4g7WpSlKwNq2G3
oqPnuuZaKTtsKinv8PXm5o/BOxAlP7sWt98Z36pFaXhGWCX9pARK62JsLntoYYuz
+uWY2vmjrMGABxLioZmfdfYWlPmecu7Rd6K4u20PJiGSPkjakHUMjAYP9C08J4UM
52RibILrAVQJVtlmspiigl2ia46P5J3sEN6ro6iKpMrhFrXC26b0YSM0rCh0RtJe
AbHXr5XqUZJcrdoaSQ/N2klHjqozYPwDE9ppivf4yMY9bv6dX1VgQg/pB1v8Z3ea
xgGWOZLo52h/WZEAr6D2+rEjeEVCNOswcBmqU7mPv4YcyrIwBLJ6vw/+5Hyo8Q==
=1Usp
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

68
hosts/nixos/x86_64-linux/summers/secrets/secrets.yaml
View file

@ -1,62 +1,10 @@
resticpw: ENC[AES256_GCM,data:duM1dMkCRdckaOg=,iv:mPRxC5KgBMHRUcgHJQTfLA9P5EfGwnbnfzCp8CNIr9o=,tag:VZlFcaVnm4eay+JM0Sd7cA==,type:str]
resticaccesskey: ENC[AES256_GCM,data:Jt4uKdD7WqjaRjnKLeJhYoFSTtpwqPuARw==,iv:s1Ff5h2uKVxZY0hIZObZLXDlxgoUIFTYSiO17JKPUWY=,tag:DenvTp2ny8i+XjgTF3MPNA==,type:str]
resticsecretaccesskey: ENC[AES256_GCM,data:ijvux8Uldkct48gqVIC+jtfJ8m2oQ8ZbIZUZbyY79A==,iv:BxC2CZ87hxZhf35xqLe4ArGO8EnsYCABmiN+OM7t6tk=,tag:I61Ne5ztK5CUDUu+yvBcig==,type:str]
resticpw-SwarselState: ENC[AES256_GCM,data:rJrpeiNxdGZ3NF0=,iv:NHf5tp9h9lHDzTNogFkzhyBXgJVSbawT45sSvlSn27c=,tag:D36aXm3Q09cFiaNuJjL9SQ==,type:str]
resticpw-SwarselStorage: ENC[AES256_GCM,data:uj8smcKXrOzm+Sc=,iv:ASXoj5ZDgW26ri4LpxtbyUbPoc1IvxIYxjMcM/waLus=,tag:sP1Q3561lMKXYzuDkPC3HQ==,type:str]
resticaccesskey-SwarselState: ENC[AES256_GCM,data:boY2ai1iHwjaEUXFrpQK3Jpi47GhhTF+5A==,iv:qcYJE2BidxvesBOBJU/KI0PqXCpb9Fa5fr9gRcE4ox8=,tag:XAArkrmA6n0hGxU4+3OSGA==,type:str]
resticaccesskey-SwarselStorage: ENC[AES256_GCM,data:b3pHjKJP8+pNwoR/0nj8kidtKZcqUHAkkQ==,iv:MKEV6AkkTgbZrc63DipIxPvm4pl5/elInY6N0ewl3ac=,tag:OZVUdGBq5HYCX/NL7RJgrA==,type:str]
resticsecretaccesskey-SwarselState: ENC[AES256_GCM,data:2tC7RKRQM55dekqc6DLsgZqIBQbmWJySIXCOyUjTMw==,iv:a0bjCwmFTUZcJlz9WMp2vorwm9dUxg/7ulKWtL14LiU=,tag:7jbl6AGx7dguM8GmTD6MHw==,type:str]
resticsecretaccesskey-SwarselStorage: ENC[AES256_GCM,data:yjhLY7AuW3m5tOqfiAt6IbVHTnGkzSGzjkoqWD3wvQ==,iv:+2/dSke3LlWQpWa8adNS65M2sbfNw7DbiFCruMHnBRU=,tag:XgV4J9/c5yg0X1eBN1myXQ==,type:str]
wireguard-private-key: ENC[AES256_GCM,data:lP5wnI1YUSb2PJUo8LvCogz0gfwwnqgYtNEly2i8P4geQVGnsxCz2c0ZKgM=,iv:55gjJ2K15EB8i9iwNNsuKwzHZsX3RvsTKNAnr+Ac4to=,tag:GPscRLTJSj+TNJ/15pM1mw==,type:str]
#ENC[AES256_GCM,data:D3AMwX0rBg==,iv:4AaUSc9Swp4RJIqeNzTW7MvAi5cZ3c53alWY3P4wS5U=,tag:IUzpcX38+495WM3O7L0uGQ==,type:comment]
kavita-token: ENC[AES256_GCM,data:coBAnDN4tWB0b05z+SRv8tGau+KrvMbEBICpPPYrjAqS/jVIrsKfpiVp+jJ2ruKnrwFnE8aVzWMB423fFk/GzpLDJZHF7oPjlr5QQVsGQ+NP7Ls7lAu6/A==,iv:pk+sZqRcx+WgS0Nwa4z4I2RmTobL7QME8E77bYdlcsw=,tag:XJ46v//ploErgSNLlUfPBg==,type:str]
#ENC[AES256_GCM,data:KxuybG2VSA==,iv:5HnK8dQsTW+shG+EzGh9BomfoBGl5cdSQpZjD4OF8y4=,tag:S2EgHIoHyXpxpU48hWiiYQ==,type:comment]
matrix-shared-secret: ENC[AES256_GCM,data:wCDMXzV18aFk4h1tf60N61K8j+gRJxIfbQLvqbfoDWPH2gbuNsg3SfDyFgDZQUzAzfaYC+jcbUAFOPm7ZD6axQ==,iv:9Rpx5jHyxqoyLSD39zPopj7m5ZZcPIhiRTh9tZXIero=,tag:JQg1uOorQvN3m7Cm6fT0vA==,type:str]
mautrix-telegram-as-token: ENC[AES256_GCM,data:/34XoVkm/8o84PUDXGWzFphEu+0LyvfEo+HOEbEB5GfrHzJmPpWgdGmedAYLpupvOzWWjODXgNk0zC3l4a+4gQ==,iv:7AdLQ3/SCJM9VxEFOBZnmVWKeSDTKyFLq+dysahlErI=,tag:NP/iV6aVZLy4RFOK1OqOPA==,type:str]
mautrix-telegram-hs-token: ENC[AES256_GCM,data:6je3dFrFAoNCbUuZD7C+kMoQpNeqBxoUusEJBFM0IYcVAqsmclMktHWLFDerkfzgGmKverqnf+rINDVEX8Df5A==,iv:iDqeYSsw1OTxu4K+zAEU+eUz+TLnXSzXbr6J4cLp7KQ=,tag:PBHqaqJEVEN8nk5hmIVEpQ==,type:str]
mautrix-telegram-api-id: ENC[AES256_GCM,data:R6C4gFh+NQ==,iv:30LZQR0CRmtAxqXVu/GOihdvdsWqGqiLMQJAM1yaSg0=,tag:9QM9VlCqSFuDo2k0WJx7/w==,type:str]
mautrix-telegram-api-hash: ENC[AES256_GCM,data:m6RhyLX2wNtMG/rZtLtwPVYiF9rD6bqsulJTE4tNkeA=,iv:aGq8TGQCOVlf55XfM4A9V0eDF75E8Rg8Jg+Vc72NJ00=,tag:J2fJ+Q7KToQirY87t4mvzQ==,type:str]
#ENC[AES256_GCM,data:6lE2jJal,iv:n6GbM2CZy9KSVRPJvnYYhcN81P77TUoy9ZJwplbtPLg=,tag:UaI3x5tu9meuZc2Wj+s82w==,type:comment]
acme-dns-token: ENC[AES256_GCM,data:Q5rGOFLYvCQ0h8BZKC3JlcWHp2q3ucIoE1E3NujEGoBltdUj3RpY3Q==,iv:T38LtQ02/11zlJUUahIeDNXyd9fQ7MYAOYgAY5ioLMw=,tag:5G0emN3Oje+Otl4uBxe8Ow==,type:str]
#ENC[AES256_GCM,data:XTHlwp41c52pmg==,iv:P82FtV4f+KziNF5QNca/xx8ZvdeZu+4tQmtePvjhKGU=,tag:AdVhiRLboyDT3jaSBjD0Mw==,type:comment]
paperless-admin-pw: ENC[AES256_GCM,data:mfk+N/cxddgUiandSNIYvbt0X1nDLaWOzw==,iv:CbHsz5ldL4sdnMCghh5DFbIBeR7e7c8ftuB3cTRBXBQ=,tag:SGk6QsUO7+H30Mi8fFuaRQ==,type:str]
kanidm-paperless-client: ENC[AES256_GCM,data:9mqdKyyuPyezSiNIVBe4/ViHydfkfZmAiA==,iv:frksTnlKbIHG1XdXUTQwKHLtlpRdZeQOOCBFRQ9DY1o=,tag:DBUy4xV0drIxXL9IxV30/w==,type:str]
#ENC[AES256_GCM,data:4n9xtQ==,iv:Qa+X5jJ/PQLkEB/EdRoB6pic642twVkt8zTIkHLOGz8=,tag:cZP9TyLPNACeHRMqTsRnlw==,type:comment]
mpd-pw: ENC[AES256_GCM,data:umt4fAgqaLBIXLhLLGUAay/YbSKC2r4uZA==,iv:yBOe8MpJZGrko30+zmP6LYI7uPJvQUf9+KhZAsSKk90=,tag:JWpGwG5trY/kLyQo707jDQ==,type:str]
#ENC[AES256_GCM,data:mHqhDMd0XorN,iv:LFGTMK375H8QenyYVSSF0IfummbSa6XPSCrrQryy0/8=,tag:r7qqAYPVfVkgZXObQLYMGQ==,type:comment]
nextcloud-admin-pw: ENC[AES256_GCM,data:WIS+dK+6sNa8l9sfqILcVXpI,iv:pAOX6uUusKKOGrzHzij6tNOHJkacxyac/YFbU8ZmFhY=,tag:NQByvZhCu1qf1Qb/Eor0sA==,type:str]
kanidm-nextcloud-client: ENC[AES256_GCM,data:qEamdf1+i9Je6l2uswgDfrc/KkbLDDnZ/Q==,iv:T9g7V86o9sTIWZ6MwRg2Li2ntpR5B+DgvXbrM/pBHo0=,tag:OH4FKB6qgsdAEVb8wdkKCg==,type:str]
#ENC[AES256_GCM,data:mRjlEtwcsjs=,iv:l+6IJr+nyIUF45vhNAw84eVoypF+grcKvXa3Z4mDntI=,tag:A8guEoZcPnAzlvsbQGI1NQ==,type:comment]
grafana-admin-pw: ENC[AES256_GCM,data:OZRhYLC8mKGT1dLpYNA=,iv:JWLDUXsHEgISVX5qPOY/SyEyMbd1wBPRcX4aB9V1VY4=,tag:UnM7Ki9rqcv+QKEkbD5geQ==,type:str]
prometheus-admin-pw: ENC[AES256_GCM,data:zKtPGDIDN/pJxdRuQthIOkvVgjmx+FrEcA==,iv:M/gY7JGCcf3qOR3abTOhW4oK+cEZ+qrA7Ej1dXXWXnU=,tag:LD4faKNGJnJSPv0w2UtCqw==,type:str]
kanidm-grafana-client: ENC[AES256_GCM,data:wIPvYpMuT3cJKImJ/NrvfZg4u841DQNjow==,iv:BMIrNgd5p5kaQOqC7GyCz6tF76HOx7GHJ5TcWL/Qeaw=,tag:pfhys3Q1WBzv8lcaz4gSZA==,type:str]
#ENC[AES256_GCM,data:jWNwieXkgftTIg==,iv:3fYUvETktHqHxg1MR2ZK6Bkz4DGjILS7gIU7taGj534=,tag:cLIde4jkQUo2kZ1nxACQ2A==,type:comment]
freshrss-pw: ENC[AES256_GCM,data:+jKVUjkpNCjGSgE=,iv:SZu/AZxue9Y4xEdrAEHkwzuoL7THI6MS8YQFwcoRPMI=,tag:M/iBUKcKe1d6gW1cUpeBew==,type:str]
freshrss-oidc-crypto-key: ENC[AES256_GCM,data:bsnB53+pm+1AlPx6kvQ46GUtocDZJW2+MyJDC7tuSbgY3hnFOhmbbQ==,iv:9gF7OLOTxva4znYIEsdvrfI9JFPhuFucuH3oK9Rj3f8=,tag:TY7QfUpI1GmkNYXDNyl4zQ==,type:str]
kanidm-freshrss-client: ENC[AES256_GCM,data:7CO/LL3uKxQHFjfC3VR4JfL13hT7T/OG5w==,iv:Q5BZSrxMgUM5dXKKLeTXG/kWUgFb1RCmUQSg+B0H32w=,tag:gX2O/2l9XFk2r9HfGzWliA==,type:str]
#ENC[AES256_GCM,data:fs3hYmSnPA==,iv:AO/BtxZ//pNQESSDYSUZzSWc1daj6aa2vXteC04HivI=,tag:HfRZ2YUWO2XNtjN8IZMmvQ==,type:comment]
kanidm-admin-pw: ENC[AES256_GCM,data:OF7rhjmg0I7V5qc2nWfQzSAIMlowXapbvg==,iv:I3Ig16YFPP2BeoAdYmRLQe8fqdV/MC+GW3T61kNiftY=,tag:n/WcJsNejgoZIK4GmnaPlA==,type:str]
kanidm-idm-admin-pw: ENC[AES256_GCM,data:UdGmzkgeDVWzFR+jqmwzxB2U0yjbOMf5ZQ==,iv:dB1rS0d7/hgA4UGSu/P2OIu43PHZbif3UkNd9vZ962Y=,tag:6mYDZUcobB0Vi/sZ+nOt/g==,type:str]
kanidm-immich: ENC[AES256_GCM,data:9vIcSVknbeitmmj5SVWcfOkji+0tTyvEJA==,iv:cMorkTF7swSLShonZqkuPl2RfrGBOQVnR2XTFr8Rwy0=,tag:BK4QRnCsxNPpdqQk03ghMw==,type:str]
kanidm-paperless: ENC[AES256_GCM,data:IjB3ZySYVS3OZU3pq4dE4qzm4F3enTEwYw==,iv:UZyYN5zyyvsAwLf55mAw32/CdygYbtfZvQY6BBzlchE=,tag:Tz3TOqf7oIyw1j414bvHDw==,type:str]
kanidm-forgejo: ENC[AES256_GCM,data:hDPeC5CPg2yHvxtw5Z6uIwr9TtiJM+PjGg==,iv:+pEDpmePUbbH9H5edZ5IPPXY1g2Daw8lLgyDM+h/0Zc=,tag:tugJxGP2LTYrHnNKb4/wgg==,type:str]
kanidm-grafana: ENC[AES256_GCM,data:+tfJr1mrfD7Kza9R26av7G+QgzzQhjeUmw==,iv:StWa8qivQZFhA1V5pSskeXL2IF8QkZd/tdOdAmWJLL8=,tag:U5A137+ACOWl1LdmLwb+xA==,type:str]
kanidm-nextcloud: ENC[AES256_GCM,data:yTBSlSN7O+ywGB6j8dvORE8C3xabayg3NA==,iv:kprbm7NR/ukczINENzdLOgBl2fwSs1CWkW+XFmLYxTw=,tag:U1fwlVRwcJBMbxCPAqovBg==,type:str]
kanidm-oauth2-proxy: ENC[AES256_GCM,data:Wj+tqtfxI/JDZwM8dFKvWaq6P5xrdPeszw==,iv:9WNcoLs4zMzVgGAMIanS8IAJKZU/IV9AY4YXw8gsl4c=,tag:JTZMI7xmzlVbpoN7T35bJA==,type:str]
kanidm-freshrss: ENC[AES256_GCM,data:pO6j+ZAD8NXUiHMZ5jg1Dsu6OcFr8BUIfQ==,iv:2vxDhyGqafbOBLsmQFuiBVN/2H4h2ZIJfG7h4iV/dIE=,tag:cYO2ANzUMAwVBiq87SQ0wA==,type:str]
kanidm-firezone: ENC[AES256_GCM,data:5QcRJy1kn1bk8zBqPznyq6vHHukmIIQpiQ==,iv:GL0QkqhsgRIeE+1rIDqVuC+UyIKPJTu5AHALBMZq2Yg=,tag:+kF/HQexEgg6JJyv3LeGvw==,type:str]
#ENC[AES256_GCM,data:nkfK+2JT/zAFEN5r,iv:zhequNAlsknCC1ROXYm+tzaUy6mN6XmuqS13Q6HU0a0=,tag:FQw0dwMR/yitjGSFWW6/RQ==,type:comment]
firefly-iii-app-key: ENC[AES256_GCM,data:1jLFVD8tMVF9hYiNeUZn1ZpPcKuvpYEZxLJcylg415PXl7ngmDa6H3ruYKFk/rt0sjh7,iv:uFBKrNOa5NdHWsLW5knd16tF0HQH7j4nsoF2TGEcrl0=,tag:X61hLERJNS//sSkhtkBEwA==,type:str]
#ENC[AES256_GCM,data:ZeR7BLj26KJabuQx,iv:Fp8Etgu5tg9xmqT421n7vvQvL27evPslZmVgIiGCGDs=,tag:DjirUtjNCh09D2JGJXqaYQ==,type:comment]
koillection-env-file: ENC[AES256_GCM,data:G/Nwzw5wQAr7aUfM+JclpmXaVwLKr9DV4M0F69Sya1U=,iv:gAYrD2XFKl0gWyU0wQ2JU0Vrn9bXVLJf5p1HdunZxqw=,tag:y64flWvqJ2KGETBnnnSDOw==,type:str]
koillection-db-password: ENC[AES256_GCM,data:vKHnmcvSOKhHOt6Mdbw+uT7GdM8=,iv:/pHI4ficUG81gkAUTATUt1SLDxiWYZoONqXUrIuEjcM=,tag:2kRNBut9P8qSGvy1D5mJzA==,type:str]
#ENC[AES256_GCM,data:QgzAs3Xq1wgb10RNZzl0uJA=,iv:oCIr3yh3iiaskY1en7QPZvRGhC4wmzGI2MQ9qJ1FoW0=,tag:Fjcr+5Xz3gmEckizaUczgQ==,type:comment]
anki-pw: ENC[AES256_GCM,data:TGKLFfBD9UEZlvc=,iv:8GsOAxr7DI4uEsGREfsbRPA6p6/7Jl9oUXWpCmobBZ4=,tag:ZpmubPgfwmLw817sMpHRcg==,type:str]
#ENC[AES256_GCM,data:g1yoM9Q8wfA=,iv:Gj/srSIg6aI0lybHMQGu8wu2KfvzdKJ3XetoTaZwJpg=,tag:N1lqDLoqhiT7YNu4hyvwmw==,type:comment]
kanidm-forgejo-client: ENC[AES256_GCM,data:eQwwaqdWAHQ+1HgfKtx9v/5kT1rzbFfUhA==,iv:HKylHTkifgSIuq4tKPIsyOzDCn5ynl66/PLDyWW/pEQ=,tag:k3ZjA0BvdLvpbogq+e9JUQ==,type:str]
#ENC[AES256_GCM,data:7ZIGRjWPgI9l,iv:YXDxvRZ9SPO9cJBsGQ2T1i5DojjaghrlF5h53ECgukE=,tag:uXvmB3kINl4jg+18OoSpHA==,type:comment]
radicale-user: ENC[AES256_GCM,data:jsrSPQ9bk5IPSaw=,iv:4o4BYlQlWONCv5M51C1EhgbxGvg8Bir/rIdMjGO+yeo=,tag:oxrSuJS9LKRQurSM+0gfYg==,type:str]
#ENC[AES256_GCM,data:MiKHFUmTDvnrjhw=,iv:Y72pVFthqLq+LVj5bmy7dNDvXMxvTtFPEHSAfB1Dcoo=,tag:802/jEiC4zWXmvjXPwSYEw==,type:comment]
prometheus-admin-hash: ENC[AES256_GCM,data:Zp2yXBiFudvD75Yupi5mjQwL5wai+atnJ0ltzM+TnzFNzFgYv8hdilsxYSD0VDo6CZJWhEtp9ozfiETs,iv:jidoobYusa5RfAZfcdVSNj5yKBJvlRRCfcN7MYkN6Ko=,tag:2tYV/SFajv9VE+lIOuH/5w==,type:str]
snipe-it-appkey: ENC[AES256_GCM,data:6nsXRMr2Fr7e0b/0WJS7ntlg5HEedGMCGe/69kwfyb6llSp4Pn1H4eQc0Mk=,iv:ZtL9tTNZhUT+YL7Ps7ZyUBKd5W0i7ZZAeqyZbJB6ELs=,tag:nJnqHXg6OhQhRnRtraW3bA==,type:str]
snipe-it-db-password: ENC[AES256_GCM,data:Jpk3Ka4/Fk3CMdUZDf1SbaUbGbmkYl1L2YvEpGR/H4kq32Q=,iv:7t4bM8c2huTEYxUJDxu72dTueiGNOzwFjoedcQK5hdY=,tag:IHXqtICjjd4O/9MqqCyu2Q==,type:str]
#ENC[AES256_GCM,data:Z2MArzHJ5g==,iv:5IFG5SSmOOQU8hUiwLXG2UBRbPmgeq09/XU7UcPqoDc=,tag:93YLtbQgBMdDWCSl5BUVvw==,type:comment]
garage-admin-token: ENC[AES256_GCM,data:XZ4OVmqy4O2+NBqV+TlVCYb9Lk5bNoKFLcCNaNIRv0YEKcIgAlnL3bTuIaw=,iv:KvYTpvnmupx5DIVIh/EkKPkX3yr/3eLMzWB1vA5KM9k=,tag:L+kMrGSHXUsEqH0oFuBB2Q==,type:str]
garage-rpc-secret: ENC[AES256_GCM,data:uTLsZv1viatNX3f1qdDvFDKfVRgDDLv2+AUHCPo3lx/cUiB9HMcuUHJoNP8sLeuX77WXon29ZKMd5fKnydo77g==,iv:IJgDZZkA4QQfOWTWh7OLtWRZi0yE4dKE0BoJCqopWl8=,tag:wh9aWZhEehHx0nQ8UBBNKg==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
@ -68,8 +16,8 @@ sops:
cUpZZzBOZHlZdzRoS0l4SkRER1JQeTQKBeYA2sVQab9moaYlT0jE7/zMJvOJoC7V
QwHXwnkjZCavAC5HIn82PzJ0DNrMKSZ136AgA+F99X0ZFyFnEIFZCQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-10T11:56:45Z"
mac: ENC[AES256_GCM,data:3Y124JX/6MsyIeOv9t0DPSv6YUICgvQn688LpXvW2jSWYRuJCbSWG67cPQHCNYP3NjFWXuASlKhDRJQicwgamh3WrE7gC7QxtqCVtwL0FTfZeOQ+vRoIejWIldcKC3YK6vKYW/O//Uhd+5rG8ah2b7XqRvgv8bwIdUKFUQqG0EA=,iv:VfsIS6+QTbv4WhykReXOGkGul7dWj0Voux2vrkv6Ecw=,tag:h7zZqbe4NAZ0PlcWBq0r2w==,type:str]
lastmodified: "2026-01-19T14:12:00Z"
mac: ENC[AES256_GCM,data:VsZDoY88nMtY6S87Odi641VrenfVOraWDgfGuKVKKrcUJtTTF4hkwI5b8dZ4Qz/9g4IxW0Siht8qodqAEnA5bvDbMlabIgIRrbO4hAJjPYEtD3Q+J2n8PVvWLU94DusgN0A4rHXbEq1Am2bUjcXKWOg2FpkUGrkJyYfj6R4l6kk=,iv:ZPMPs71eoiEddKTDwIZbYUziKDVknXGMyw062i3X3oU=,tag:IiXOOiJzuN4M1jU6dZdTJg==,type:str]
pgp:
- created_at: "2026-01-10T00:38:27Z"
enc: |-

49
hosts/nixos/x86_64-linux/winters/default.nix
View file

@ -41,26 +41,6 @@
serverName = "hintbooth";
};
};
restic = {
bucketName = "SwarselWinters";
paths = [
"/Vault/data/paperless"
"/Vault/data/koillection"
"/Vault/data/postgresql"
"/Vault/data/firefly-iii"
"/Vault/data/radicale"
"/Vault/data/matrix-synapse"
"/Vault/Eternor/Paperless"
"/Vault/Eternor/Bilder"
"/Vault/Eternor/Immich"
];
};
garage = {
data_dir = {
capacity = "200G";
path = "/Vault/data/garage/data";
};
};
};
};
@ -72,35 +52,6 @@
swarselmodules.server = {
diskEncryption = lib.mkForce false;
# nginx = true; # for php stuff
# acme = false; # cert handled by proxy
# wireguard = true;
# nfs = true;
# kavita = true;
# restic = true;
# jellyfin = true;
# navidrome = true;
# spotifyd = true;
# mpd = true;
# postgresql = true;
# matrix = true;
# nextcloud = true;
# immich = true;
# paperless = true;
# transmission = true;
# syncthing = true;
# grafana = true;
# freshrss = true;
# kanidm = true;
# firefly-iii = true;
# koillection = true;
# radicale = true;
# atuin = true;
# forgejo = true;
# ankisync = true;
# homebox = true;
# opkssh = true;
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "enp3s0" ];

37
modules/nixos/client/uwsm.nix
View file

@ -1,6 +1,7 @@
{ lib, config, ... }:
{ lib, config, pkgs, ... }:
let
moduleName = "uwsm";
cfg = config.programs.uwsm;
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
@ -20,5 +21,39 @@ in
};
};
};
services.displayManager.sessionPackages =
let
mk_uwsm_desktop_entry =
opts:
(pkgs.writeTextFile {
name = "${opts.name}-uwsm";
text = ''
[Desktop Entry]
Name=${opts.prettyName} (UWSM)
Comment=${opts.comment}
Exec=${lib.getExe cfg.package} start -F -- ${opts.binPath} ${lib.strings.escapeShellArgs opts.extraArgs}
Type=Application
'';
destination = "/share/wayland-sessions/${opts.name}-uwsm.desktop";
derivationArgs = {
passthru.providedSessions = [ "${opts.name}-uwsm" ];
};
});
in
lib.mkForce (lib.mapAttrsToList
(
name: value:
mk_uwsm_desktop_entry {
inherit name;
inherit (value)
prettyName
comment
binPath
extraArgs
;
}
)
cfg.waylandCompositors);
};
}

12
modules/nixos/common/users.nix
View file

@ -15,6 +15,18 @@
isNormalUser = true;
uid = 1000;
autoSubUidGidRange = false;
subUidRanges = [
{
count = 65534;
startUid = 100001;
}
];
subGidRanges = [
{
count = 999;
startGid = 1001;
}
];
description = "Leon S";
password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup";
hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path;

2
modules/nixos/optional/microvm-guest.nix
View file

@ -32,8 +32,6 @@
# NOTE: this is needed, we dont import sevrer network module for microvms
globals.hosts.${config.node.name}.isHome = true;
fileSystems."/persist".neededForBoot = lib.mkForce true;
systemd.network.networks."10-vlan-services" = {
dhcpV6Config = {
WithoutRA = "solicit";

4
modules/nixos/server/ankisync.nix
View file

@ -36,6 +36,10 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/private/${serviceName}"; }];
};
services.anki-sync-server = {
enable = true;
port = servicePort;

4
modules/nixos/server/atuin.nix
View file

@ -7,6 +7,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
postgresql = true;
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals = {

6
modules/nixos/server/firefly-iii.nix
View file

@ -42,12 +42,16 @@ in
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services = {
${serviceName} = {
enable = true;
user = serviceUser;
group = if cfg.enableNginx then nginxGroup else serviceGroup;
dataDir = "/Vault/data/${serviceName}";
dataDir = "/var/lib/${serviceName}";
settings = {
TZ = config.repo.secrets.common.location.timezone;
APP_URL = "https://${serviceDomain}";

6
modules/nixos/server/forgejo.nix
View file

@ -44,9 +44,13 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} = {
enable = true;
stateDir = "/Vault/data/${serviceName}";
stateDir = "/var/lib/${serviceName}";
user = serviceUser;
group = serviceGroup;
lfs.enable = lib.mkDefault true;

6
modules/nixos/server/freshrss.nix
View file

@ -61,6 +61,10 @@ in
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} =
let
inherit (config.repo.secrets.local.freshrss) defaultUser;
@ -71,7 +75,7 @@ in
virtualHost = serviceDomain;
baseUrl = "https://${serviceDomain}";
authType = "form";
dataDir = "/Vault/data/tt-rss";
dataDir = "/var/lib/freshrss";
passwordFile = config.sops.secrets.freshrss-pw.path;
};

16
modules/nixos/server/homebox.nix
View file

@ -1,6 +1,6 @@
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
in
{
@ -13,6 +13,10 @@ in
icon = "${self}/files/topology-images/${serviceName}.png";
};
swarselmodules.server = {
postgresql = true;
};
users.persistentIds = {
homebox = confLib.mkIds 981;
};
@ -33,14 +37,14 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
systemd.services.homebox = {
environment = {
TMPDIR = "/var/lib/homebox/.tmp";
};
serviceConfig = {
# ReadWritePaths = "/var/lib/homebox";
RuntimeDirectory = "homebox";
BindPaths = "/run/homebox:/var/lib/homebox/.tmp";
HOME = "/var/lib/homebox";
};
};

102
modules/nixos/server/id.nix
View file

@ -15,59 +15,61 @@ in
{
options = {
swarselmodules.server.ids = lib.mkEnableOption "enable persistent ids on server";
users.persistentIds = mkOption {
default = { };
description = ''
Maps a user or group name to its expected uid/gid values. If a user/group is
used on the system without specifying a uid/gid, this module will assign the
corresponding ids defined here, or show an error if the definition is missing.
'';
type = types.attrsOf (
types.submodule {
options = {
uid = mkOption {
type = types.nullOr types.int;
default = null;
description = "The uid to assign if it is missing in `users.users.<name>`.";
users = {
persistentIds = mkOption {
default = { };
description = ''
Maps a user or group name to its expected uid/gid values. If a user/group is
used on the system without specifying a uid/gid, this module will assign the
corresponding ids defined here, or show an error if the definition is missing.
'';
type = types.attrsOf (
types.submodule {
options = {
uid = mkOption {
type = types.nullOr types.int;
default = null;
description = "The uid to assign if it is missing in `users.users.<name>`.";
};
gid = mkOption {
type = types.nullOr types.int;
default = null;
description = "The gid to assign if it is missing in `users.groups.<name>`.";
};
};
gid = mkOption {
type = types.nullOr types.int;
default = null;
description = "The gid to assign if it is missing in `users.groups.<name>`.";
};
};
}
);
};
users.users = mkOption {
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
config.uid =
let
persistentUid = cfg.${name}.uid or null;
in
mkIf (persistentUid != null) (mkDefault persistentUid);
}
)
);
};
);
};
users.groups = mkOption {
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
config.gid =
let
persistentGid = cfg.${name}.gid or null;
in
mkIf (persistentGid != null) (mkDefault persistentGid);
}
)
);
users = mkOption {
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
config.uid =
let
persistentUid = cfg.${name}.uid or null;
in
mkIf (persistentUid != null) (mkDefault persistentUid);
}
)
);
};
groups = mkOption {
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
config.gid =
let
persistentGid = cfg.${name}.gid or null;
in
mkIf (persistentGid != null) (mkDefault persistentGid);
}
)
);
};
};
};
config = lib.mkIf config.swarselmodules.server.ids {

16
modules/nixos/server/immich.nix
View file

@ -1,12 +1,16 @@
{ lib, pkgs, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
postgresql = true;
};
users = {
persistentIds = {
immich = confLib.mkIds 989;
@ -36,13 +40,21 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/redis-${serviceName}"; user = "redis-${serviceUser}"; group = "redis-${serviceGroup}"; }
];
};
services.${serviceName} = {
enable = true;
package = pkgs.immich;
host = "0.0.0.0";
port = servicePort;
# openFirewall = true;
mediaLocation = "/Vault/Eternor/Immich"; # dataDir
mediaLocation = "/storage/Pictures/${serviceName}"; # dataDir
environment = {
IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
};

9
modules/nixos/server/jellyfin.nix
View file

@ -1,6 +1,6 @@
{ pkgs, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
in
{
@ -51,6 +51,13 @@ in
# openFirewall = true; # this works only for the default ports
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; }
];
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;

8
modules/nixos/server/jenkins.nix
View file

@ -1,6 +1,6 @@
{ pkgs, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
in
{
@ -23,13 +23,17 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.jenkins = {
enable = true;
withCLI = true;
port = servicePort;
packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ];
listenAddress = "0.0.0.0";
home = "/Vault/apps/${serviceName}";
home = "/var/lib/${serviceName}";
};
nodes = {

17
modules/nixos/server/kanidm.nix
View file

@ -80,12 +80,19 @@ in
};
};
environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [
certPathBase
keyPathBase
];
environment.persistence = {
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [
certPathBase
keyPathBase
];
};
"/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
};
systemd.services."generateSSLCert-${serviceName}" =
let
daysValid = 3650;

8
modules/nixos/server/kavita.nix
View file

@ -2,7 +2,7 @@
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
in
{
@ -29,6 +29,10 @@ in
icon = "${self}/files/topology-images/${serviceName}.png";
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
@ -50,7 +54,7 @@ in
user = serviceUser;
settings.Port = servicePort;
tokenKeyFile = config.sops.secrets.kavita-token.path;
dataDir = "/Vault/data/${serviceName}";
dataDir = "/var/lib/${serviceName}";
};
nodes = {

6
modules/nixos/server/koillection.nix
View file

@ -1,6 +1,6 @@
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/var/lib/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
serviceDB = "koillection";
@ -46,6 +46,10 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; }];
};
virtualisation.oci-containers.containers = {
koillection = {
image = "koillection/koillection@${containerRev}";

2
modules/nixos/server/mailserver.nix
View file

@ -1,7 +1,7 @@
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 80; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 alias2_3 user3;
baseDomain = globals.domains.main;

19
modules/nixos/server/matrix.nix
View file

@ -1,7 +1,7 @@
{ self, lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
federationPort = 8448;
@ -21,6 +21,10 @@ in
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
postgresql = true;
};
environment.systemPackages = with pkgs; [
matrix-synapse
lottieconverter
@ -118,9 +122,18 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/matrix-synapse"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/mautrix-whatsapp"; user = "mautrix-whatsapp"; group = "mautrix-whatsapp"; }
{ directory = "/var/lib/mautrix-telegram"; user = "mautrix-telegram"; group = "mautrix-telegram"; }
{ directory = "/var/lib/mautrix-signal"; user = "mautrix-signal"; group = "mautrix-signal"; }
];
};
services = {
postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
@ -147,7 +160,7 @@ in
matrix-synapse = {
enable = true;
dataDir = "/Vault/data/matrix-synapse";
dataDir = "/var/lib/matrix-synapse";
settings = {
app_service_config_files =
let

11
modules/nixos/server/monitoring.nix
View file

@ -47,8 +47,10 @@ in
node-exporter = confLib.mkIds 987;
grafana = confLib.mkIds 974;
};
groups.nextcloud-exporter = { };
users = {
nextcloud-exporter = {
group = "nextcloud-exporter";
extraGroups = [ "nextcloud" ];
};
@ -78,10 +80,17 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/prometheus2"; user = prometheusUser; group = prometheusGroup; }
];
};
services = {
${serviceName} = {
enable = true;
dataDir = "/Vault/data/${serviceName}";
dataDir = "/var/lib/${serviceName}";
provision = {
enable = true;
datasources.settings = {

6
modules/nixos/server/mpd.nix
View file

@ -36,9 +36,13 @@ in
icon = "${self}/files/topology-images/${serviceName}.png";
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = "mpd"; group = "mpd"; }];
};
services.${serviceName} = {
enable = true;
musicDirectory = "/media";
musicDirectory = "/storage/Music";
user = serviceUser;
group = serviceGroup;
network = {

6
modules/nixos/server/navidrome.nix
View file

@ -76,6 +76,10 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} = {
enable = true;
# openFirewall = true;
@ -83,7 +87,7 @@ in
LogLevel = "debug";
Address = "0.0.0.0";
Port = servicePort;
MusicFolder = "/Vault/Eternor/Music";
MusicFolder = "/storage/Music";
PlaylistsPath = "./Playlists";
AutoImportPlaylists = false;
EnableSharing = true;

11
modules/nixos/server/nextcloud.nix
View file

@ -27,6 +27,13 @@ in
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/redis-${serviceName}"; user = serviceUser; group = serviceGroup; }
];
};
services = {
${serviceName} = {
enable = true;
@ -36,8 +43,8 @@ in
};
package = pkgs."nextcloud${nextcloudVersion}";
hostName = serviceDomain;
home = "/Vault/data/${serviceName}";
datadir = "/Vault/data/${serviceName}";
home = "/var/lib/${serviceName}";
datadir = "/var/lib/${serviceName}";
https = true;
configureRedis = true;
maxUploadSize = "4G";

8
modules/nixos/server/nfs.nix
View file

@ -10,6 +10,12 @@ in
avahi = confLib.mkIds 978;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/cache/samba"; }
];
};
services = {
# add a user with sudo smbpasswd -a <user>
samba = {
@ -35,7 +41,7 @@ in
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
path = "/Vault/Eternor";
path = "/storage";
writable = "true";
comment = "Eternor";
"valid users" = nfsUser;

11
modules/nixos/server/nginx.nix
View file

@ -84,8 +84,15 @@ in
networking.firewall.allowedTCPPorts = [ 80 443 ];
environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [ dhParamsPathBase ];
environment.persistence = {
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [ dhParamsPathBase ];
};
"/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/cache/nginx"; user = "nginx"; group = "nginx"; }
];
};
};
services.nginx = {

4
modules/nixos/server/oauth2-proxy.nix
View file

@ -139,6 +139,10 @@ in
};
};
users = {
persistentIds.oauth2-proxy = confLib.mkIds 966;
};
# needed for homeWebProxy
networking.firewall.allowedTCPPorts = [ servicePort ];

4
modules/nixos/server/opkssh.nix
View file

@ -5,7 +5,7 @@ let
kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.local) persons;
mailAddress = config.repo.secrets.common.mail.address4;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -29,7 +29,7 @@ in
authorizations = [
{
user = mainUser;
principal = builtins.head persons.${mainUser}.mailAddresses;
principal = mailAddress;
inherit (config.services.opkssh.providers.kanidm) issuer;
}
];

14
modules/nixos/server/paperless.nix
View file

@ -44,11 +44,21 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/redis-${serviceName}"; user = "redis-${serviceUser}"; group = "redis-${serviceGroup}"; }
{ directory = "/var/lib/private/tika"; }
{ directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/cache/private/tika"; }
];
};
services = {
${serviceName} = {
enable = true;
mediaDir = "/Vault/Eternor/Paperless";
dataDir = "/Vault/data/${serviceName}";
mediaDir = "/storage/Documents/${serviceName}";
dataDir = "/var/lib/${serviceName}";
user = serviceUser;
port = servicePort;
passwordFile = config.sops.secrets.paperless-admin-pw.path;

4
modules/nixos/server/pipewire.nix
View file

@ -6,6 +6,10 @@
users.persistentIds.rtkit = confLib.mkIds 996;
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/pipewire"; user = "pipewire"; group = "pipewire"; }];
};
services.pipewire = {
enable = true;
pulse.enable = true;

6
modules/nixos/server/podman.nix
View file

@ -15,6 +15,12 @@ in
oci-containers.backend = "podman";
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/containers"; }
];
};
networking.nftables.firewall = lib.mkIf config.networking.nftables.enable {
zones.podman = {

13
modules/nixos/server/postgresql.nix
View file

@ -2,7 +2,7 @@
let
inherit (confLib.gen { name = "postgresql"; port = 3254; }) serviceName;
postgresVersion = 14;
postgresDirPrefix = if config.swarselsystems.isCloud then "/var/lib" else "/Vault/data";
postgresDirPrefix = "/var/lib";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -22,9 +22,14 @@ in
dataDir = "${postgresDirPrefix}/${serviceName}/${builtins.toString postgresVersion}";
};
};
environment.persistence."/persist".directories = lib.mkIf (config.swarselsystems.isImpermanence && config.swarselsystems.isCloud) [
{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
];
environment.persistence = {
"/persist".directories = lib.mkIf (config.swarselsystems.isImpermanence && config.swarselsystems.isCloud) [
{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
];
"/state".directories = lib.mkIf config.swarselsystems.isMicroVM [
{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
];
};
};
}

6
modules/nixos/server/radicale.nix
View file

@ -35,6 +35,10 @@ in
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
@ -67,7 +71,7 @@ in
htpasswd_encryption = "autodetect";
};
storage = {
filesystem_folder = "/Vault/data/radicale/collections";
filesystem_folder = "/var/lib/radicale/collections";
};
};
rights = {

95
modules/nixos/server/restic.nix
View file

@ -1,65 +1,88 @@
{ lib, pkgs, config, ... }:
let
inherit (config.swarselsystems) sopsFile;
targets = config.swarselsystems.server.restic.targets;
in
{
options.swarselmodules.server.restic = lib.mkEnableOption "enable restic backups on server";
options.swarselsystems.server.restic = {
bucketName = lib.mkOption {
type = lib.types.str;
};
paths = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
withPostgres = lib.mkOption {
type = lib.types.bool;
default = false;
targets = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
bucketName = lib.mkOption {
type = lib.types.str;
default = name;
};
repository = lib.mkOption {
type = lib.types.str;
};
paths = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
withPostgres = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
}));
default = { };
};
};
config = lib.mkIf config.swarselmodules.server.restic {
sops = {
secrets = {
resticpw = { inherit sopsFile; };
resticaccesskey = { inherit sopsFile; };
resticsecretaccesskey = { inherit sopsFile; };
};
templates = {
"restic-env".content = ''
AWS_ACCESS_KEY_ID=${config.sops.placeholder.resticaccesskey}
AWS_SECRET_ACCESS_KEY=${config.sops.placeholder.resticsecretaccesskey}
'';
};
secrets =
lib.mkMerge (lib.mapAttrsToList
(name: _: {
"resticpw-${name}" = { inherit sopsFile; };
"resticaccesskey-${name}" = { inherit sopsFile; };
"resticsecretaccesskey-${name}" = { inherit sopsFile; };
})
targets);
templates =
lib.mkMerge (lib.mapAttrsToList
(name: _: {
"restic-env-${name}".content = ''
AWS_ACCESS_KEY_ID=${config.sops.placeholder."resticaccesskey-${name}"}
AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."resticsecretaccesskey-${name}"}
'';
})
targets);
};
services.restic =
let
inherit (config.repo.secrets.local) resticRepo;
in
{
backups = {
"${config.swarselsystems.server.restic.bucketName}" = {
environmentFile = config.sops.templates."restic-env".path;
passwordFile = config.sops.secrets.resticpw.path;
inherit (config.swarselsystems.server.restic) paths;
services.restic.backups =
lib.mapAttrs'
(name: target:
lib.nameValuePair target.bucketName {
environmentFile =
config.sops.templates."restic-env-${name}".path;
passwordFile =
config.sops.secrets."resticpw-${name}".path;
inherit (target) paths repository;
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 2"
"--keep-monthly 3"
"--keep-yearly 100"
];
backupPrepareCommand = ''
${pkgs.restic}/bin/restic prune
'';
repository = "${resticRepo}";
initialize = true;
timerConfig = {
OnCalendar = "03:00";
};
};
};
};
}
)
targets;
};
}

8
modules/nixos/server/router.nix
View file

@ -7,6 +7,8 @@ let
})
globals.networks.home-lan.vlans;
selectVLANs = vlans: map (vlan: { VLAN = globals.networks.home-lan.vlans.${vlan}.id; }) vlans;
lan1VLANs = selectVLANs [ "home" "devices" "guests" ];
lan2VLANs = selectVLANs [ "home" "devices" "services" ];
lan3VLANs = selectVLANs [ "home" "devices" "services" ];
lan4VLANs = lan3VLANs;
lan5VLANs = selectVLANs [ "home" "devices" "guests" ];
@ -186,9 +188,9 @@ in
Bridge = "br";
ConfigureWithoutCarrier = true;
};
inherit bridgeVLANs;
bridgeVLANs = lan1VLANs;
};
# wifi
# winters
"30-lan2" = {
matchConfig.MACAddress = config.repo.secrets.local.networking.networks.lan2.mac;
linkConfig.RequiredForOnline = "enslaved";
@ -196,7 +198,7 @@ in
Bridge = "br";
ConfigureWithoutCarrier = true;
};
inherit bridgeVLANs;
bridgeVLANs = lan2VLANs;
};
# summers
"30-lan3" = {

2
modules/nixos/server/snipe-it.nix
View file

@ -44,7 +44,7 @@ in
hostName = serviceDomain;
user = serviceUser;
group = serviceGroup;
dataDir = "/Vault/data/snipeit";
dataDir = "/var/lib/snipeit";
database = {
user = serviceUser;
port = mysqlPort;

6
modules/nixos/server/spotifyd.nix
View file

@ -27,6 +27,12 @@ in
# when another user connects, the service will crash and the new user will login
systemd.services.spotifyd.serviceConfig.RestartSec = lib.mkForce 1;
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/cache/private/spotifyd"; }
];
};
services.spotifyd = {
enable = true;
settings = {

8
modules/nixos/server/syncthing.nix
View file

@ -75,12 +75,16 @@ in
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} = rec {
enable = true;
user = serviceUser;
group = serviceGroup;
dataDir = lib.mkDefault "/Vault/data/${serviceName}";
configDir = "${cfg.dataDir}/.config/${serviceName}";
dataDir = if config.swarselsystems.isMicroVM then "/storage/Documents/syncthing" else (lib.mkDefault "/var/lib/${serviceName}");
configDir = if config.swarselsystems.isMicroVM then "/var/lib/syncthing/.config/syncthing" else "${cfg.dataDir}/.config/${serviceName}";
guiAddress = "0.0.0.0:${builtins.toString servicePort}";
openDefaultPorts = lib.mkIf (!isProxied) true; # opens ports TCP/UDP 22000 and UDP 21027 for discovery
relay.enable = false;

71
modules/nixos/server/transmission.nix
View file

@ -1,7 +1,7 @@
{ self, pkgs, lib, config, confLib, ... }:
let
inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain;
inherit (confLib.static) isHome;
inherit (confLib.gen { name = "transmission"; port = 9091; }) serviceName servicePort serviceDomain;
inherit (confLib.static) isHome homeServiceAddress homeWebProxy nginxAccessRules;
lidarrUser = "lidarr";
lidarrGroup = lidarrUser;
@ -96,6 +96,16 @@ in
inherit isHome;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/radarr"; user = radarrUser; group = radarrGroup; }
{ directory = "/var/lib/readarr"; user = readarrUser; group = readarrGroup; }
{ directory = "/var/lib/sonarr"; user = sonarrUser; group = sonarrGroup; }
{ directory = "/var/lib/lidarr"; user = lidarrUser; group = lidarrGroup; }
{ directory = "/var/lib/private/prowlarr"; user = prowlarrUser; group = prowlarrGroup; }
];
};
services = {
radarr = {
enable = true;
@ -103,7 +113,7 @@ in
group = radarrGroup;
settings.server.port = radarrPort;
openFirewall = true;
dataDir = "/Vault/data/radarr";
dataDir = "/var/lib/radarr";
};
readarr = {
enable = true;
@ -111,7 +121,7 @@ in
group = readarrGroup;
settings.server.port = readarrPort;
openFirewall = true;
dataDir = "/Vault/data/readarr";
dataDir = "/var/lib/readarr";
};
sonarr = {
enable = true;
@ -119,7 +129,7 @@ in
group = sonarrGroup;
settings.server.port = sonarrPort;
openFirewall = true;
dataDir = "/Vault/data/sonarr";
dataDir = "/var/lib/sonarr";
};
lidarr = {
enable = true;
@ -127,53 +137,88 @@ in
group = lidarrGroup;
settings.server.port = lidarrPort;
openFirewall = true;
dataDir = "/Vault/data/lidarr";
dataDir = "/var/lib/lidarr";
};
prowlarr = {
enable = true;
settings.server.port = prowlarrPort;
openFirewall = true;
};
};
nginx = {
nodes = {
${homeWebProxy}.services.nginx = {
upstreams = {
transmission = {
servers = {
"${homeServiceAddress}:${builtins.toString servicePort}" = { };
};
};
radarr = {
servers = {
"${homeServiceAddress}:${builtins.toString radarrPort}" = { };
};
};
readarr = {
servers = {
"${homeServiceAddress}:${builtins.toString readarrPort}" = { };
};
};
sonarr = {
servers = {
"${homeServiceAddress}:${builtins.toString sonarrPort}" = { };
};
};
lidarr = {
servers = {
"${homeServiceAddress}:${builtins.toString lidarrPort}" = { };
};
};
prowlarr = {
servers = {
"${homeServiceAddress}:${builtins.toString prowlarrPort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
enableACME = false;
forceSSL = false;
acmeRoot = null;
extraConfig = nginxAccessRules;
locations = {
"/" = {
proxyPass = "http://localhost:9091";
proxyPass = "http://transmission";
extraConfig = ''
client_max_body_size 0;
'';
};
"/radarr" = {
proxyPass = "http://localhost:${builtins.toString radarrPort}";
proxyPass = "http://radarr";
extraConfig = ''
client_max_body_size 0;
'';
};
"/readarr" = {
proxyPass = "http://localhost:${builtins.toString readarrPort}";
proxyPass = "http://readarr";
extraConfig = ''
client_max_body_size 0;
'';
};
"/sonarr" = {
proxyPass = "http://localhost:${builtins.toString sonarrPort}";
proxyPass = "http://sonarr";
extraConfig = ''
client_max_body_size 0;
'';
};
"/lidarr" = {
proxyPass = "http://localhost:${builtins.toString lidarrPort}";
proxyPass = "http://lidarr";
extraConfig = ''
client_max_body_size 0;
'';
};
"/prowlarr" = {
proxyPass = "http://localhost:${builtins.toString prowlarrPort}";
proxyPass = "http://prowlarr";
extraConfig = ''
client_max_body_size 0;
'';

117
modules/shared/config-lib.nix
View file

@ -21,7 +21,7 @@ in
confLib = rec {
getConfig = if nixosConfig == null then config else nixosConfig;
gen = { name ? "n/a", user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec {
gen = { name ? "n/a", user ? name, group ? user, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec {
servicePort = port;
serviceName = name;
specificServiceName = "${name}-${config.node.name}";
@ -88,65 +88,76 @@ in
mkMicrovm =
if config.swarselsystems.withMicroVMs then
(guestName:
{ enableStorage ? false
{ eternorPaths ? [ ]
, withZfs ? false
, ...
}:
{
${guestName} = {
backend = "microvm";
autostart = true;
zfs = lib.mkIf withZfs {
# stateful config that should be backed up
"/state" = {
pool = "Vault";
dataset = "guests/${guestName}/state";
};
# data that should be backed up
"/storage" = lib.mkIf enableStorage {
pool = "Vault";
dataset = "guests/${guestName}/storage";
};
# other stuff that should only reside on disk, not backed up
"/persist" = {
pool = "Vault";
dataset = "guests/${guestName}/persist";
};
};
modules = [
(config.node.configDir + /guests/${guestName}/default.nix)
{
node.secretsDir = config.node.configDir + /secrets/${guestName};
node.configDir = config.node.configDir + /guests/${guestName};
networking.nftables.firewall = {
zones.untrusted.interfaces = lib.mkIf
(
lib.length config.guests.${guestName}.networking.links == 1
)
config.guests.${guestName}.networking.links;
};
}
"${self}/modules/nixos/optional/microvm-guest.nix"
"${self}/modules/nixos/optional/systemd-networkd-base.nix"
];
microvm = {
system = config.node.arch;
baseMac = config.repo.secrets.local.networking.networks.lan.mac;
interfaces.vlan-services = {
mac = lib.mkForce "02:${lib.substring 3 5 config.guests.${guestName}.microvm.baseMac}:${mkDeviceMac globals.networks.home-lan.vlans.services.hosts."${config.node.name}-${guestName}".id}";
${guestName} =
{
backend = "microvm";
autostart = true;
zfs = lib.mkIf withZfs
({
# stateful config usually bind-mounted to /var/lib/ that should be backed up remotely
"/state" = {
pool = "Vault";
dataset = "guests/${guestName}/state";
};
# other stuff that should only reside on zfs, not backed up remotely
"/persist" = {
pool = "Vault";
dataset = "guests/${guestName}/persist";
};
} // lib.optionalAttrs (eternorPaths != [ ])
(lib.listToAttrs (map
# data that is pulled in externally by services, some of which is backed up externally
(eternorPath:
lib.nameValuePair "/storage/${eternorPath}" {
pool = "Vault";
dataset = "Eternor/${eternorPath}";
})
eternorPaths)));
modules = [
(config.node.configDir + /guests/${guestName}/default.nix)
{
node.secretsDir = config.node.configDir + /secrets/${guestName};
node.configDir = config.node.configDir + /guests/${guestName};
networking.nftables.firewall = {
zones.untrusted.interfaces = lib.mkIf
(
lib.length config.guests.${guestName}.networking.links == 1
)
config.guests.${guestName}.networking.links;
};
fileSystems = {
"/persist".neededForBoot = true;
} // lib.optionalAttrs withZfs {
"/state".neededForBoot = true;
};
}
"${self}/modules/nixos/optional/microvm-guest.nix"
"${self}/modules/nixos/optional/systemd-networkd-base.nix"
];
microvm = {
system = config.node.arch;
baseMac = config.repo.secrets.local.networking.networks.lan.mac;
interfaces.vlan-services = {
mac = lib.mkForce "02:${lib.substring 3 5 config.guests.${guestName}.microvm.baseMac}:${mkDeviceMac globals.networks.home-lan.vlans.services.hosts."${config.node.name}-${guestName}".id}";
};
};
extraSpecialArgs = {
inherit (inputs.self) nodes;
inherit (inputs.self.pkgs.${config.node.arch}) lib;
inherit inputs outputs minimal;
inherit (inputs) self;
withHomeManager = false;
microVMParent = config.node.name;
globals = inputs.self.globals.${config.node.arch};
};
};
extraSpecialArgs = {
inherit (inputs.self) nodes;
inherit (inputs.self.pkgs.${config.node.arch}) lib;
inherit inputs outputs minimal;
inherit (inputs) self;
withHomeManager = false;
microVMParent = config.node.name;
globals = inputs.self.globals.${config.node.arch};
};
};
}) else
(_: {
_ = { };

13
nix/hosts.nix
View file

@ -176,7 +176,7 @@
configurationsPerArch = type: minimal: mkConfigurationsPerArch type minimal;
in
{
rec {
nixosConfigurations = configurationsPerArch "nixos" false;
nixosConfigurationsMinimal = configurationsPerArch "nixos" true;
darwinConfigurations = configurationsPerArch "darwin" false;
@ -198,6 +198,17 @@
// config.darwinConfigurations
// config.guestConfigurations;
guestResources = lib.mapAttrs
(name: _:
let
f = arg: lib.foldr (base: acc: base + acc) 0 (map (node: nodes."${name}-${node}".config.microvm.${arg}) (builtins.attrNames nodes.${name}.config.guests));
in
{
mem = f "mem";
vcpu = f "vcpu";
})
nodes;
"@" = lib.mapAttrs (_: v: v.config.system.build.toplevel) config.nodes;
};
}

16
nix/packages.nix
View file

@ -25,7 +25,21 @@
# see https://flake.parts/module-arguments.html?highlight=modulewith#persystem-module-parameters
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfree = true;
config = {
allowUnfree = true;
permittedInsecurePackages = [
# matrix
"olm-3.2.16"
# sonarr
"aspnetcore-runtime-wrapped-6.0.36"
"aspnetcore-runtime-6.0.36"
"dotnet-sdk-wrapped-6.0.428"
"dotnet-sdk-6.0.428"
#
"SDL_ttf-2.0.11"
];
};
overlays = [
self.overlays.default
];

1
profiles/nixos/microvm/default.nix
View file

@ -23,6 +23,7 @@
ssh = lib.mkDefault true;
wireguard = lib.mkDefault true;
dns-home = lib.mkDefault true;
opkssh = true;
};
};
};

0
secrets/public/wg/ankisync.pub → secrets/public/wg/summers-ankisync.pub
View file

0
secrets/public/wg/atuin.pub → secrets/public/wg/summers-atuin.pub
View file

0
secrets/public/wg/audio.pub → secrets/public/wg/summers-audio.pub
View file

0
secrets/public/wg/firefly.pub → secrets/public/wg/summers-firefly.pub
View file

0
secrets/public/wg/forgejo.pub → secrets/public/wg/summers-forgejo.pub
View file

0
secrets/public/wg/freshrss.pub → secrets/public/wg/summers-freshrss.pub
View file

0
secrets/public/wg/homebox.pub → secrets/public/wg/summers-homebox.pub
View file

0
secrets/public/wg/immich.pub → secrets/public/wg/summers-immich.pub
View file

0
secrets/public/wg/jellyfin.pub → secrets/public/wg/summers-jellyfin.pub
View file

0
secrets/public/wg/kanidm.pub → secrets/public/wg/summers-kanidm.pub
View file

0
secrets/public/wg/kavita.pub → secrets/public/wg/summers-kavita.pub
View file

0
secrets/public/wg/koillection.pub → secrets/public/wg/summers-koillection.pub
View file

0
secrets/public/wg/matrix.pub → secrets/public/wg/summers-matrix.pub
View file

0
secrets/public/wg/monitoring.pub → secrets/public/wg/summers-monitoring.pub
View file

0
secrets/public/wg/nextcloud.pub → secrets/public/wg/summers-nextcloud.pub
View file

0
secrets/public/wg/paperless.pub → secrets/public/wg/summers-paperless.pub
View file

0
secrets/public/wg/postgresql.pub → secrets/public/wg/summers-postgresql.pub
View file

0
secrets/public/wg/radicale.pub → secrets/public/wg/summers-radicale.pub
View file

0
secrets/public/wg/storage.pub → secrets/public/wg/summers-storage.pub
View file

0
secrets/public/wg/transmission.pub → secrets/public/wg/summers-transmission.pub
View file

6
secrets/repo/globals.nix.enc
View file

File diff suppressed because one or more lines are too long