xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

simplify some things and remove some unused code

Browse source
This commit is contained in:
xunuwu 2025-01-12 15:16:01 +01:00
parent 931efc7518
commit 6cf86a3827
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
144 changed files with 251 additions and 3912 deletions
Download patch file Download diff file Expand all files Collapse all files

223
nix/machines/default.nix
View file

@ -7,46 +7,30 @@
config,
...
}: let
inherit (inputs.nixpkgs.lib) nixosSystem;
specialArgs = {
inherit inputs self;
};
source = inputs.haumea.lib.load {
inputs = {inherit inputs lib;};
src = "${self}/nix";
};
systemProfiles = source.systemProfiles;
in {
flake.colmena = {
meta = {
nixpkgs = import inputs.nixpkgs {
system = "x86_64-linux";
};
inherit specialArgs;
};
kidney = {
deployment = {
allowLocalDeployment = true;
};
imports = lib.flatten [
flake.nixosConfigurations = {
kidney = nixosSystem {
modules = [
./kidney
(with systemProfiles; [
core.tools
core.users
core.locale
programs.tools
programs.zsh
programs.home-manager
hardware.graphics
../systemProfiles/core/tools.nix
../systemProfiles/core/users.nix
../systemProfiles/core/locale.nix
services.flatpak
services.xdg-portals
../systemProfiles/programs/tools.nix
../systemProfiles/programs/zsh.nix
../systemProfiles/programs/home-manager.nix
../systemProfiles/hardware/graphics.nix
nix.default
nix.gc
])
../systemProfiles/services/flatpak.nix
../systemProfiles/services/xdg-portals.nix
../systemProfiles/nix/default.nix
../systemProfiles/nix/gc.nix
{
home-manager = {
users.xun.imports = homeImports."xun@kidney";
@ -54,83 +38,72 @@ in {
};
}
];
inherit specialArgs;
};
nixdesk = {
deployment = {
allowLocalDeployment = true;
targetUser = "xun";
targetHost = "nixdesk.local";
};
imports = lib.flatten [
nixdesk = nixosSystem {
modules = [
./nixdesk
inputs.stylix.nixosModules.stylix
(with systemProfiles; [
secrets.default
secrets.nixdesk.default
../systemProfiles/secrets/default.nix
../systemProfiles/secrets/nixdesk/default.nix
core.security
core.users
core.ssh
core.locale
nix.default
programs.zsh
core.tools
core.compat
core.boot
core.docs
core.gvfs
../systemProfiles/core/security.nix
../systemProfiles/core/users.nix
../systemProfiles/core/ssh.nix
../systemProfiles/core/locale.nix
../systemProfiles/nix/default.nix
../systemProfiles/programs/zsh.nix
../systemProfiles/core/tools.nix
../systemProfiles/core/compat.nix
../systemProfiles/core/boot.nix
../systemProfiles/core/docs.nix
../systemProfiles/core/gvfs.nix
nix.gc
../systemProfiles/nix/gc.nix
hardware.graphics
hardware.steam-hardware
hardware.bluetooth
hardware.qmk
../systemProfiles/hardware/graphics.nix
../systemProfiles/hardware/steam-hardware.nix
../systemProfiles/hardware/bluetooth.nix
../systemProfiles/hardware/qmk.nix
network.networkd
network.avahi
network.localsend
network.tailscale
network.goldberg
../systemProfiles/network/networkd.nix
../systemProfiles/network/avahi.nix
../systemProfiles/network/localsend.nix
../systemProfiles/network/tailscale.nix
../systemProfiles/network/goldberg.nix
desktop.ly
desktop.awesome
desktop.sway
#desktop.hyprland
../systemProfiles/desktop/sway.nix
programs.dconf
programs.fonts
programs.home-manager
# programs.qt
programs.adb
programs.kanidm
programs.openrgb
programs.tools
programs.thunar
programs.corectrl
../systemProfiles/programs/dconf.nix
../systemProfiles/programs/fonts.nix
../systemProfiles/programs/home-manager.nix
# ../systemProfiles/programs/qt.nix
../systemProfiles/programs/adb.nix
../systemProfiles/programs/kanidm.nix
../systemProfiles/programs/openrgb.nix
../systemProfiles/programs/tools.nix
../systemProfiles/programs/thunar.nix
../systemProfiles/programs/corectrl.nix
services.default
services.pipewire
services.flatpak
../systemProfiles/services/default.nix
../systemProfiles/services/pipewire.nix
../systemProfiles/services/flatpak.nix
services.syncthing
services.virt.waydroid
services.virt.virt-manager
services.sunshine
#network.wifi
#services.ollama
desktop.x11.nosleep
../systemProfiles/services/syncthing.nix
../systemProfiles/services/virt/waydroid.nix
../systemProfiles/services/virt/virt-manager.nix
../systemProfiles/services/sunshine.nix
# ../systemProfiles/network/wifi.nix
themes.dark
# themes.xundark
../systemProfiles/themes/dark.nix
programs.gamemode
programs.gamescope
programs.steam
programs.RE.default
])
../systemProfiles/programs/gamemode.nix
../systemProfiles/programs/gamescope.nix
../systemProfiles/programs/steam.nix
../systemProfiles/programs/RE/default.nix
{
home-manager = {
@ -140,58 +113,30 @@ in {
};
}
];
inherit specialArgs;
};
hopper = {
deployment = {
targetUser = "xun";
targetHost = "hopper.local";
};
imports = lib.flatten [
hopper = nixosSystem {
modules = [
./hopper
(with systemProfiles; [
secrets.default
secrets.hopper.default
../systemProfiles/secrets/default.nix
../systemProfiles/secrets/hopper/default.nix
core.security
core.locale
core.tools
core.ssh
core.deploy
nix.default # TODO slim this down
../systemProfiles/core/security.nix
../systemProfiles/core/locale.nix
../systemProfiles/core/tools.nix
../systemProfiles/core/ssh.nix
../systemProfiles/core/deploy.nix
../systemProfiles/nix/default.nix # TODO slim this down
network.tailscale
network.avahi
network.networkd
# services.syncthing # TODO make syncthing not rely on having "xun" user
#network.avahi
#network.networkd
#network.tailscale
#services.syncthing
])
../systemProfiles/network/tailscale.nix
../systemProfiles/network/avahi.nix
../systemProfiles/network/networkd.nix
# services.syncthing # TODO make syncthing not rely on having "xun" user
];
};
liveiso = {
deployment.targetHost = null;
imports = lib.flatten [
./liveiso
(with systemProfiles; [
nix.default
core.security
services.default
])
];
inherit specialArgs;
};
};
flake.nixosConfigurations = let
l = inputs.nixpkgs.lib;
in
builtins.mapAttrs (_: v:
l.nixosSystem {
inherit specialArgs;
modules = v.imports;
}) (l.filterAttrs (n: _: n != "meta") self.colmena);
}

1
nix/machines/hopper/default.nix
View file

@ -3,7 +3,6 @@
common-cpu-intel
inputs.vpn-confinement.nixosModules.default
inputs.authentik-nix.nixosModules.default
./hardware.nix
./newlab.nix

305
nix/machines/hopper/lab.nix
View file

@ -1,305 +0,0 @@
## TODO look into sops-nix placeholders
## reference: https://github.com/javigomezo/nixos/blob/b3ebe8d570ea9b37aea8bb3a343f6e16e054e322/services/network/authelia/user_database.nix
{
pkgs,
inputs,
config,
lib,
...
}: let
domain = "xunuwu.xyz";
caddyPort = 8336;
autheliaPort = 24637;
in {
## TODO use impermanence
## TODO setup fail2ban mayb
imports = [inputs.vpn-confinement.nixosModules.default];
security.acme = {
acceptTerms = true;
certs.${domain} = {
domain = "*.${domain}";
dnsProvider = "cloudflare";
email = "xunuwu@gmail.com";
reloadServices = ["caddy.service"];
credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
extraDomainNames = [domain];
};
};
vpnNamespaces."wg" = {
enable = true;
wireguardConfigFile = config.sops.secrets.wireguard-config.path;
accessibleFrom = [
"192.168.0.0/24"
];
# Forwarded to my vpn, for making things accessible from outside
openVPNPorts = [
{
port = caddyPort;
protocol = "tcp";
}
];
# From inside of the vpn namespace to outside of it, for making things inside accessible to LAN
portMappings = [
{
to = caddyPort;
from = caddyPort;
}
{
to = 7359; # Jellyfin auto-discovery
from = 7359;
}
{
to = 1900; # Jellyfin auto-discovery, TODO check if this actually works and dont forward these if it doesnt
from = 1900;
}
];
};
networking.firewall = {
allowedTCPPorts = [config.services.navidrome.settings.Port];
allowedUDPPorts = [1900 7359]; # Jellyfin auto-discovery
};
systemd.services.caddy.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
services.caddy = {
enable = true;
# extraConfig = let
# gensub = x: "${x}.${domain}:${toString caddyPort}";
# tls = "tls /var/lib/acme/${domain}/cert.pem /var/lib/acme/${domain}/key.pem";
# rpPort = port: "reverse_proxy localhost:${toString port}";
# in ''
# ${gensub "navidrome"} {
# ${tls}
# ${rpPort config.services.navidrome.settings.Port}
# }
# '';
virtualHosts = let
authelia = "localhost:${toString autheliaPort}";
in
builtins.mapAttrs (n: v:
{
useACMEHost = domain;
hostName = "${n}.${domain}:${toString caddyPort}";
}
// v) {
navidrome.extraConfig = ''
reverse_proxy localhost:${toString config.services.navidrome.settings.Port}
'';
auth.extraConfig = "reverse_proxy ${authelia}";
#jellyfin.extraConfig = "reverse_proxy localhost:8096"; # TODO tmp off since i dont have proper auth yet
other = {
hostName = ":${toString caddyPort}";
extraConfig = ''
respond 404 {
body "no such route you dummy"
}
'';
};
};
};
systemd.services.navidrome = {
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
serviceConfig = {
PrivateTmp = true;
NoNewPrivileges = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
};
};
## TODO might be unnecessary with authelia but specifying a custom PasswordEncryptionKey is recommended
services.navidrome = {
enable = true;
settings = {
Address = "localhost";
MusicFolder = "/media/library/music";
ReverseProxyWhitelist = "0.0.0.0/0"; # cant be accessed from outside since the navidrome port isnt mapped to outside of the wireguard namespace
};
};
systemd.services.authelia-main = {
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
# serviceConfig.LoadCredential = [
# "users.yaml:${}"
# ];
};
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
storageEncryptionKeyFile = config.sops.secrets.authelia_encryption_key.path;
sessionSecretFile = config.sops.secrets.authelia_session_secret.path;
};
settings = {
# might change this to info in the future, for now its nice seeing debug messages if something goes wrong
log.level = "debug";
access_control = {
default_policy = "deny";
rules = [
{
domain = "*.${domain}";
policy = "one_factor"; # using totp requires me to set up smtp support :(
}
];
};
theme = "auto";
default_2fa_method = "totp";
## use ldap backend, not yaml file
## https://www.authelia.com/configuration/first-factor/ldap/
# default_redirection_url = "https://auth.${domain}/";
notifier.filesystem.filename = "/tmp/authelia-notifier.txt"; ## TODO change this to something reasonable
authentication_backend = {
password_reset.disable = true;
file.path = pkgs.writers.writeYAML "users.yaml" {
users.xun = {
disabled = false;
displayname = "xun";
password = "$argon2id$v=19$m=65536,t=3,p=4$cwYrForToKZn7+urMrSXuQ$PStkqPlo/7/GZ+hMsJXfOyZ0WijNtuZpaHWyZUuBWBY";
email = "xunuwu@gmail.com";
groups = ["admin"];
};
};
};
storage.postgres = {
address = "unix:///run/postgresql";
database = "authelia-main";
# this isnt used, ensureDBOwnership allows us to auth to postgres using unix users
username = "authelia-main";
password = "unused";
};
session.cookies = [
{
domain = domain;
authelia_url = "https://auth.${domain}";
default_redirection_url = "https://invalid.${domain}"; # TODO replace with overview thing mayb
}
];
## TODO: https://www.authelia.com/integration/proxies/forwarded-headers/#cloudflare
server = {
address = "127.0.0.1:${toString autheliaPort}";
endpoints.authz.forward-auth.implementation = "ForwardAuth";
};
};
};
services.postgresql = let
databases = ["authelia-main"];
in {
enable = true;
ensureDatabases = databases;
ensureUsers = lib.singleton {
name = "authelia-main";
ensureDBOwnership = true;
};
};
systemd.services.jellyfin.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
services.jellyfin = {
enable = true;
};
services.prometheus = {
enable = true;
port = 9001;
extraFlags = ["--storage.tsdb.retention.time=30d"];
scrapeConfigs = [
{
job_name = config.networking.hostName;
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
];
};
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
};
};
# services.grafana = {
# enable = true;
# domain = "grafana.hopper";
# addr = "127.0.0.1";
# security = {
# adminUser = "admin";
# adminPasswordFile = config.sops.secrets.grafana-pass.path;
# };
# };
## TODO: add forgejo
## ignore this its cringe and ill prob remove it later idk, its also pasted from someone else, idk who tho ##
systemd.services.vpn-test-service = {
enable = true;
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
script = "${pkgs.writeShellApplication {
name = "vpn-test";
runtimeInputs = with pkgs; [util-linux unixtools.ping coreutils curl bash libressl netcat-gnu openresolv dig];
text = ''
cd "$(mktemp -d)"
# DNS information
dig google.com
# Print resolv.conf
echo "/etc/resolv.conf contains:"
cat /etc/resolv.conf
# Query resolvconf
# echo "resolvconf output:"
# resolvconf -l
# echo ""
# Get ip
echo "Getting IP:"
curl -s ipinfo.io
echo -ne "DNS leak test:"
curl -s https://raw.githubusercontent.com/macvk/dnsleaktest/b03ab54d574adbe322ca48cbcb0523be720ad38d/dnsleaktest.sh -o dnsleaktest.sh
chmod +x dnsleaktest.sh
./dnsleaktest.sh
'';
}}/bin/vpn-test";
};
}

18
nix/machines/liveiso/default.nix
View file

@ -1,18 +0,0 @@
{pkgs, ...}: {
imports = [
./tools.nix
./sway.nix
];
environment.systemPackages = with pkgs; [
firefox
];
isoImage.edition = "sway-custom";
networking.hostName = "liveiso";
nixpkgs.hostPlatform = "x86_64-linux";
system.stateVersion = "23.11";
}

17
nix/machines/liveiso/sway.nix
View file

@ -1,17 +0,0 @@
{modulesPath, ...}: {
imports = [
"${modulesPath}/installer/cd-dvd/installation-cd-graphical-base.nix"
];
programs.sway = {
enable = true;
};
services.displayManager = {
sddm.enable = true;
autoLogin = {
enable = true;
user = "nixos";
};
};
}

7
nix/machines/liveiso/tools.nix
View file

@ -1,7 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
neovim
parted
gparted
];
}

94
nix/machines/nixdesk/jellyfin.nix
View file

@ -1,94 +0,0 @@
{config, ...}: {
security.acme = {
acceptTerms = true;
defaults = {
email = "xunuwu@gmail.com";
reloadServices = ["podman-caddy.service"];
};
certs = {
"xun.cam" = {
dnsProvider = "cloudflare";
credentialFiles = {
CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
};
extraDomainNames = ["jellyfin.desktop.xun.cam"];
};
};
};
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerSocket.enable = true;
};
systemd.tmpfiles.rules = [
"d /media/config/caddy/data 0750 root root -"
"d /media/config/caddy/config 0750 root root -"
"d /media/config/jellyfin/config 0750 root root -"
"d /media/config/jellyfin/cache 0750 root root -"
"d /media/library 0750 root root -"
];
virtualisation.oci-containers = {
backend = "podman";
containers = {
gluetun = {
image = "qmcgaw/gluetun:v3";
volumes = [
"${config.sops.secrets.wireguard.path}:/gluetun/wireguard/wg0.conf"
];
ports = [
## This bypasses the firewall
## use 127.0.0.1:XXXX:XXXX if you only want it to be accessible locally
"8096:8096" # jellyfin local network
"60926:60926" # jellyfin
];
environment = {
VPN_SERVICE_PROVIDER = "airvpn";
VPN_TYPE = "wireguard";
SERVER_COUNTRIES = "Netherlands";
FIREWALL_VPN_INPUT_PORTS = "60926";
};
extraOptions = [
"--cap-add=NET_ADMIN"
"--device=/dev/net/tun:/dev/net/tun"
];
};
jellyfin = {
image = "jellyfin/jellyfin";
volumes = [
"/media/config/jellyfin/config:/config"
"/media/config/jellyfin/cache:/cache"
"/media/library:/library"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
"--device=/dev/dri:/dev/dri"
];
};
caddy = {
image = "caddy";
volumes = [
"${builtins.toFile "Caddyfile" ''
https://jellyfin.desktop.xun.cam:60926 {
tls /etc/ssl/certs/xun.cam/cert.pem /etc/ssl/certs/xun.cam/key.pem
reverse_proxy localhost:8096
}
''}:/etc/caddy/Caddyfile"
"/var/lib/acme/xun.cam:/etc/ssl/certs/xun.cam"
"/media/config/caddy/data:/data"
"/media/config/caddy/config:/config"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
};
};
}

1
nix/sshKeys/xun_nixdesk.nix
View file

@ -1 +0,0 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqW5ZkBV2XCdF/ZhwC1DOfrgiLxCC2ym6BO7miHi05M xun@nixdesk"

6
nix/systemProfiles/core/compat.nix
View file

@ -1,8 +1,4 @@
{
self,
super,
root,
}: {pkgs, ...}: let
{pkgs, ...}: let
list-of-libraries = with pkgs; [
alsa-lib
at-spi2-atk

10
nix/systemProfiles/core/deploy.nix
View file

@ -1,8 +1,4 @@
{
self,
super,
root,
}: {lib, ...}: {
{lib, ...}: {
nix.settings.trusted-users = ["deploy"]; # trust closures created by our user
users.groups.deploy = {};
@ -18,8 +14,8 @@
password = lib.mkForce null;
passwordFile = lib.mkForce null;
openssh.authorizedKeys.keys = with root.sshKeys; [
xun_nixdesk
openssh.authorizedKeys.keyFiles = [
../../../sshKeys/xun_nixdesk
];
};
}

6
nix/systemProfiles/core/docs.nix
View file

@ -1,8 +1,4 @@
{
self,
super,
root,
}: {pkgs, ...}: {
{pkgs, ...}: {
documentation = {
dev.enable = true;
# man.generateCaches = true; # this does slow down builds by quite a lot

2
nix/systemProfiles/core/locale.nix
View file

@ -1,4 +1,4 @@
_: {lib, ...}: {
{lib, ...}: {
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [

2
nix/systemProfiles/core/tools.nix
View file

@ -1,4 +1,4 @@
{...}: {pkgs, ...}: {
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
htop
btop

2
nix/systemProfiles/core/users.nix
View file

@ -1,4 +1,4 @@
_: {pkgs, ...}: {
{pkgs, ...}: {
users.users.xun = {
isNormalUser = true;
initialPassword = "nixos";

9
nix/systemProfiles/desktop/awesome.nix
View file

@ -1,9 +0,0 @@
{
imports = [
./x11
];
services.xserver = {
enable = true;
windowManager.awesome.enable = true;
};
}

5
nix/systemProfiles/desktop/hyprland.nix
View file

@ -1,5 +0,0 @@
{
programs.hyprland = {
enable = true;
};
}

3
nix/systemProfiles/desktop/ly.nix
View file

@ -1,3 +0,0 @@
{
services.displayManager.ly.enable = true;
}

5
nix/systemProfiles/desktop/x11/default.nix
View file

@ -1,5 +0,0 @@
{...}: {
imports = [
./xclip.nix
];
}

8
nix/systemProfiles/desktop/x11/nosleep.nix
View file

@ -1,8 +0,0 @@
{
services.xserver.serverFlagsSection = ''
Option "BlankTime" "0"
Option "StandbyTime" "0"
Option "SuspendTime" "0"
Option "OffTime" "0"
'';
}

3
nix/systemProfiles/desktop/x11/xclip.nix
View file

@ -1,3 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [xclip];
}

6
nix/systemProfiles/network/localsend.nix
View file

@ -1,8 +1,4 @@
{
self,
super,
root,
}: {pkgs, ...}: {
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
localsend
];

4
nix/systemProfiles/network/tailscale.nix
View file

@ -1,8 +1,4 @@
{
self,
super,
root,
}: {config, ...}: {
services.tailscale = {
enable = true;
openFirewall = true;

6
nix/systemProfiles/nix/default.nix
View file

@ -1,8 +1,4 @@
{
self,
super,
root,
}: {
config,
pkgs,
inputs,
@ -10,7 +6,7 @@
...
}: {
imports = [
super.substituters
./substituters.nix
];
# git is needed for flakes

4
nix/systemProfiles/nix/substituters.nix
View file

@ -1,8 +1,4 @@
{
self,
super,
root,
}: {
nix.settings = {
substituters = [
# high priority since it's almost always used

4
nix/systemProfiles/programs/RE/default.nix
View file

@ -1,9 +1,5 @@
# patchelf --replace-needed libbinaryninjacore.so.1 ${symlinkJoin} $out/opt/binaryninja
{
self,
super,
root,
}: {
pkgs,
self,
...

2
nix/systemProfiles/programs/fonts.nix
View file

@ -1,4 +1,4 @@
_: {
{
pkgs,
self,
...

2
nix/systemProfiles/programs/home-manager.nix
View file

@ -1,4 +1,4 @@
{...}: {inputs, ...}: {
{inputs, ...}: {
imports = [
inputs.home-manager.nixosModules.default
];

2
nix/systemProfiles/programs/kanidm.nix
View file

@ -1,4 +1,4 @@
_: {pkgs, ...}: {
{pkgs, ...}: {
services.kanidm = {
enableClient = true;
package = pkgs.kanidm_1_4;

2
nix/systemProfiles/programs/steam.nix
View file

@ -1,4 +1,4 @@
_: {pkgs, ...}: {
{pkgs, ...}: {
programs.steam = {
enable = true;
remotePlay.openFirewall = true;

2
nix/systemProfiles/programs/thunar.nix
View file

@ -1,4 +1,4 @@
_: {pkgs, ...}: {
{pkgs, ...}: {
services.tumbler.enable = true; # image thumbnails
programs.thunar = {
enable = true;

6
nix/systemProfiles/programs/tools.nix
View file

@ -1,8 +1,4 @@
{...}: {
pkgs,
config,
...
}: {
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
vim
htop

2
nix/systemProfiles/secrets/default.nix
View file

@ -1,4 +1,4 @@
_: {inputs, ...}: {
{inputs, ...}: {
imports = [
inputs.sops-nix.nixosModules.sops
./global

2
nix/systemProfiles/secrets/hopper/default.nix
View file

@ -1,5 +1,5 @@
## TODO use defaultSopsFile mayb
_: {config, ...}: let
{config, ...}: let
# autheliaUser = config.services.authelia.instances.main.user;
in {
sops.secrets = {

92
nix/systemProfiles/services/containers/experimental/beets.yaml
View file

@ -1,92 +0,0 @@
include:
- secrets.yaml
library: library.db
directory: /music
statefile: state.pickle
threaded: yes
import:
write: yes
copy: yes
link: no
move: no
incremental: no
paths:
default: /$albumartist/$album %aunique{}/$track $title %aunique{}
singleton: /$albumartist/$artist %aunique{}/$track $title %aunique{}
comp: /Compilation/$album %aunique{}/$track $title %aunique{}
albumtype:soundtrack: Soundtracks/$album %aunique{}/$track $title %aunique{}
clutter: ["Thumbs.DB", ".DS_Store"]
plugins: [
embedart,
fetchart,
discogs,
advancedrewrite,
#lyrics,
spotify,
scrub,
duplicates,
unimported,
missing,
]
genres: yes
unimported:
ignore_extensions: jpg png
spotify:
source_weight: 0.7
embedart:
auto: yes
ifempty: no
remove_art_file: no
fetchart:
auto: yes
cautious: yes
minwidth: 500
maxwidth: 1200
cover_format: jpeg
sources:
- coverart: release
- coverart: releasegroup
- albumart
- amazon
- google
- itunes
- fanarttv
- lastfm
- wikipedia
#lyrics:
# fallback: '''
# sources: musixmatch google
replace:
'[\\]': '''
'[_]': '-'
'[/]': '-'
'^\.': '''
'[\x00-\x1f]': '''
'[<>:"\?\*\|]': '''
'\.$': '''
'\s+$': '''
'^\s+': '''
'^-': '''
'': "'"
'': "'"
'″': '''
'': '-'
aunique:
keys: albumartist albumtype year album
disambuguators: format mastering media label albumdisambig releasegroupdisambig
bracket: '[]'

183
nix/systemProfiles/services/containers/experimental/default.nix
View file

@ -1,183 +0,0 @@
{config, ...}: {
imports = [
#./smbshare.nix
];
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerSocket.enable = true;
};
security.acme = {
acceptTerms = true;
defaults = {
email = "xunuwu@gmail.com";
reloadServices = ["podman-caddy.service"];
};
certs = {
"xunuwu.xyz" = {
dnsProvider = "cloudflare";
credentialFiles = {
CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
};
extraDomainNames = [
"jellyfin.xunuwu.xyz"
"wakapi.xunuwu.xyz"
];
};
};
};
virtualisation.oci-containers = {
backend = "podman";
containers = {
gluetun = {
image = "qmcgaw/gluetun:v3";
volumes = [
"${config.sops.secrets.wireguard.path}:/gluetun/wireguard/wg0.conf"
];
ports = [
## This bypasses the firewall
## use 127.0.0.1:XXXX:XXXX if you only want it to be accessible locally
"127.0.0.1:8191:8191" # flaresolverr
"9117:9117" # jackett
"8080:8080" # qbittorrent webui
"5030:5030" # slskd
"8096:8096" # jellyfin
"8336:8336" # jellyfin
];
environment = {
VPN_SERVICE_PROVIDER = "airvpn";
VPN_TYPE = "wireguard";
SERVER_COUNTRIES = "Netherlands";
FIREWALL_VPN_INPUT_PORTS = "11936,8336,14795";
};
extraOptions = [
"--cap-add=NET_ADMIN"
"--device=/dev/net/tun:/dev/net/tun"
];
};
qbittorrent = {
image = "lscr.io/linuxserver/qbittorrent:latest";
environment = {
WEBUI_PORT = "8080";
TORRENTING_PORT = "11936";
};
volumes = [
"/media/config/qbittorrent:/config"
"${config.sops.secrets.jackett.path}:/config/qBittorrent/nova3/engines/jackett.json"
"/media/downloads:/downloads"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
flaresolverr = {
image = "flaresolverr/flaresolverr";
environment = {
LOG_LEVEL = "info";
};
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
jellyfin = {
image = "jellyfin/jellyfin:2024052005";
volumes = [
"/media/config/jellyfin/config:/config"
"/media/config/jellyfin/cache:/cache"
"/media/library:/library"
"/media/downloads:/library/downloads"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
jackett = {
image = "lscr.io/linuxserver/jackett:latest";
volumes = [
"/media/config/jackett:/config"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
slskd = {
image = "slskd/slskd";
volumes = [
"/var/lib/slskd:/app"
"/media/slskd/downloads:/downloads"
"/media/slskd/incomplete:/incomplete"
"/media/library/music:/shares/music"
"${config.sops.secrets.slskd.path}:/app/slskd.yml"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
caddy = {
image = "caddy";
volumes = [
"${builtins.toFile "Caddyfile" ''
https://jellyfin.xunuwu.xyz:8336 {
tls /etc/ssl/certs/xunuwu.xyz/cert.pem /etc/ssl/certs/xunuwu.xyz/key.pem
reverse_proxy localhost:8096
}
https://wakapi.xunuwu.xyz:8336 {
tls /etc/ssl/certs/xunuwu.xyz/cert.pem /etc/ssl/certs/xunuwu.xyz/key.pem
reverse_proxy localhost:3000
}
''}:/etc/caddy/Caddyfile"
"/var/lib/acme/xunuwu.xyz:/etc/ssl/certs/xunuwu.xyz"
"/media/config/caddy/data:/data"
"/media/config/caddy/config:/config"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
betanin = {
image = "sentriz/betanin";
environment = {
UID = "1000";
GID = "1000";
};
ports = ["9393:9393"];
volumes = [
"/media/config/betanin/data:/b/.local/share/betanin"
"/media/config/betanin/config:/b/.config/betanin"
"/media/config/betanin/beets:/b/.config/beets"
"${config.sops.secrets.betanin.path}:/b/.config/beets/secrets.yaml"
"${./beets.yaml}:/b/.config/beets/config.yaml"
"/media/library/music:/music"
"/media/slskd/downloads:/downloads/slskd"
"/media/downloads/music:/downloads/torrent"
"/media/config/betanin/import:/downloads/import"
];
};
wakapi = {
image = "ghcr.io/muety/wakapi:latest";
volumes = [
"${config.sops.secrets.wakapi.path}:/app/config.yml"
"/media/config/wakapi:/data" # needs to be chown 1000:1000
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
};
};
}

27
nix/systemProfiles/services/containers/experimental/smbshare.nix
View file

@ -1,27 +0,0 @@
{pkgs, ...}: {
services.samba = {
enable = true;
package = pkgs.samba4Full;
openFirewall = true;
shares = {
"torrent" = {
path = "/media/downloads";
browseable = "yes";
"guest ok" = "yes";
"read only" = "yes";
"write list" = "xun";
};
"library" = {
path = "/media/library";
browseable = "yes";
"guest ok" = "yes";
"read only" = "yes";
"write list" = "xun";
};
};
};
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
}

707
nix/systemProfiles/services/containers/server/default.nix
View file

@ -1,707 +0,0 @@
{
config,
pkgs,
...
}: {
imports = [
#./statistics
];
### temp disabled
###services.samba = {
### enable = true;
### package = pkgs.samba4Full;
### openFirewall = true;
### shares."torrent-downloads" = {
### path = "/media/downloads/complete";
### browseable = "yes";
### "read only" = "yes";
### "guest ok" = "no";
### };
### #shares."decky-cloud-save" = {
### # path = "/media/gamesaves";
### # browseable = "yes";
### # "read only" = "no";
### # "guest ok" = "no";
### #};
### extraConfig = ''
### server smb encrypt = required
### server min protocol = SMB3_00
### '';
###};
###services.samba-wsdd = {
### # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
### enable = true;
### openFirewall = true;
###};
#virtualisation.docker = {
# enable = true;
# enableOnBoot = true;
# autoPrune.enable = true;
#};
systemd.tmpfiles.rules = [
"d /var/lib/code-server 0750 root root -"
"d /var/lib/slskd 0750 root root -"
];
users.groups."media" = {}; # create media group
# this needs to be done manually since transmission is in a docker container
users.users."media" = {
isSystemUser = true;
group = "media";
};
systemd.services."${config.virtualisation.oci-containers.backend}-transmission".serviceConfig = {
StateDirectory = [
"${config.virtualisation.oci-containers.backend}/transmission/downloads"
"${config.virtualisation.oci-containers.backend}/transmission/config"
"${config.virtualisation.oci-containers.backend}/transmission/watch"
];
};
#security.acme = {
# acceptTerms = true;
# defaults.email = "xunuwu@gmail.com";
# certs."air.xun.cam" = {
# dnsProvider = "cloudflare";
# credentialsFile = config.sops.secrets.cloudflare.path;
# };
#};
#systemd.services."${config.virtualisation.oci-containers.backend}-jellyfin".serviceConfig = {
# StateDirectory = [
# "${config.virtualisation.oci-containers.backend}/jellyfin/config"
# "${config.virtualisation.oci-containers.backend}/jellyfin/cache"
# "${config.virtualisation.oci-containers.backend}/jellyfin/media"
# ];
#};
#services.jellyfin = {
# enable = true;
# openFirewall = true;
# group = "media";
#};
#services.radarr = {
# enable = true;
# group = "media";
# openFirewall = true; # 7878
#};
#services.sonarr = {
# enable = true;
# group = "media";
# openFirewall = true; # 8989
#};
#services.prowlarr = {
# enable = true;
# openFirewall = true; # 9696
#};
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerSocket.enable = true;
};
virtualisation.oci-containers = {
backend = "podman";
containers = {
gluetun = {
image = "qmcgaw/gluetun:v3";
volumes = [
"${config.sops.secrets.wireguard.path}:/gluetun/wireguard/wg0.conf"
];
ports = [
# Transmission port
## This bypasses the firewall, use 127.0.0.1:XXXX:XXXX
## if you only want it to be accessible locally
"9091:9091"
"127.0.0.1:8191:8191" # flaresolverr
"9696:9696" # prowlarr
"8989:8989" # sonarr
"7878:7878" # radarr
#"8443:8443" # code-server
"5030:5030" # slskd
"5031:5031" # slskd https
"8096:8096" # jellyfin
"8920:8920" # jellyfin https
"8080:8080" # qbittorrent webui
];
environment = {
VPN_SERVICE_PROVIDER = "airvpn";
VPN_TYPE = "wireguard";
SERVER_COUNTRIES = "Netherlands";
FIREWALL_VPN_INPUT_PORTS = "11936,8096,14795";
};
extraOptions = [
"--cap-add=NET_ADMIN"
"--device=/dev/net/tun:/dev/net/tun"
];
};
slskd = {
image = "slskd/slskd";
volumes = [
"/var/lib/slskd:/app"
"/media/slskd/downloads:/downloads"
"/media/slskd/incomplete:/incomplete"
"/media/library/music:/shares/music"
"${config.sops.secrets.slskd.path}:/app/slskd.yml"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
beets = {
image = "lscr.io/linuxserver/beets:latest";
volumes = [
"/media/config/beets:/config"
"/media/library/music:/music"
"/media/slskd/downloads:/downloads"
];
};
jellyfin = {
image = "jellyfin/jellyfin";
volumes = [
"/media/config/jellyfin/config:/config"
"/media/config/jellyfin/cache:/cache"
"/media/library:/library"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
#betanin = {
# image = "sentriz/betanin";
# ports = [
# "9393:9393"
# ];
# volumes = [
# "/media/config/betanin/data:/b/.local/share/betanin"
# "/media/config/betanin/config:/b/.config/betanin"
# "/media/config/betanin/beets:/b/.config/beets/"
# "${pkgs.writeText "config.yaml" ''
# # --------------- Main ---------------
#
# library: library.db
# directory: /music
# statefile: state.pickle
#
# # --------------- Plugins ---------------
#
# plugins: []
# pluginpath: []
#
# # --------------- Import ---------------
#
# clutter: ["Thumbs.DB", ".DS_Store"]
# ignore: [".*", "*~", "System Volume Information", "lost+found"]
# ignore_hidden: yes
#
# import:
# # common options
# write: yes
# copy: yes
# move: no
# timid: no
# quiet: no
# log:
# # other options
# default_action: apply
# languages: []
# quiet_fallback: skip
# none_rec_action: ask
# # rare options
# link: no
# hardlink: no
# reflink: no
# delete: no
# resume: ask
# incremental: no
# incremental_skip_later: no
# from_scratch: no
# autotag: yes
# singletons: no
# detail: no
# flat: no
# group_albums: no
# pretend: false
# search_ids: []
# duplicate_keys:
# album: albumartist album
# item: artist title
# duplicate_action: ask
# duplicate_verbose_prompt: no
# bell: no
# set_fields: {}
# ignored_alias_types: []
# singleton_album_disambig: yes
#
# # --------------- Paths ---------------
#
# path_sep_replace: _
# drive_sep_replace: _
# asciify_paths: false
# art_filename: cover
# max_filename_length: 0
# replace:
# # Replace bad characters with _
# # prohibited in many filesystem paths
# '[<>:\?\*\|]': _
# # double quotation mark "
# '\"': _
# # path separators: \ or /
# '[\\/]': _
# # starting and closing periods
# '^\.': _
# '\.$': _
# # control characters
# '[\x00-\x1f]': _
# # dash at the start of a filename (causes command line ambiguity)
# '^-': _
# # Replace bad characters with nothing
# # starting and closing whitespace
# '\s+$': ''\'''\'
# '^\s+': ''\'''\'
#
# aunique:
# keys: albumartist album
# disambiguators: albumtype year label catalognum albumdisambig releasegroupdisambig
# bracket: '[]'
#
# sunique:
# keys: artist title
# disambiguators: year trackdisambig
# bracket: '[]'
#
# # --------------- Tagging ---------------
#
# per_disc_numbering: no
# original_date: no
# artist_credit: no
# id3v23: no
# va_name: "Various Artists"
# paths:
# default: $albumartist/$album%aunique{}/$track $title
# singleton: Non-Album/$artist/$title
# comp: Compilations/$album%aunique{}/$track $title
#
# # --------------- Performance ---------------
#
# threaded: yes
# timeout: 5.0
#
# # --------------- UI ---------------
#
# verbose: 0
# terminal_encoding:
#
# ui:
# terminal_width: 80
# length_diff_thresh: 10.0
# color: yes
# colors:
# text_success: ['bold', 'green']
# text_warning: ['bold', 'yellow']
# text_error: ['bold', 'red']
# text_highlight: ['bold', 'red']
# text_highlight_minor: ['white']
# action_default: ['bold', 'cyan']
# action: ['bold', 'cyan']
# # New Colors
# text: ['normal']
# text_faint: ['faint']
# import_path: ['bold', 'blue']
# import_path_items: ['bold', 'blue']
# added: ['green']
# removed: ['red']
# changed: ['yellow']
# added_highlight: ['bold', 'green']
# removed_highlight: ['bold', 'red']
# changed_highlight: ['bold', 'yellow']
# text_diff_added: ['bold', 'red']
# text_diff_removed: ['bold', 'red']
# text_diff_changed: ['bold', 'red']
# action_description: ['white']
# import:
# indentation:
# match_header: 2
# match_details: 2
# match_tracklist: 5
# layout: column
#
# # --------------- Search ---------------
#
# format_item: $artist - $album - $title
# format_album: $albumartist - $album
# time_format: '%Y-%m-%d %H:%M:%S'
# format_raw_length: no
#
# sort_album: albumartist+ album+
# sort_item: artist+ album+ disc+ track+
# sort_case_insensitive: yes
#
# # --------------- Autotagger ---------------
#
# overwrite_null:
# album: []
# track: []
# musicbrainz:
# enabled: yes
# host: musicbrainz.org
# https: no
# ratelimit: 1
# ratelimit_interval: 1.0
# searchlimit: 5
# extra_tags: []
# genres: no
# external_ids:
# discogs: no
# bandcamp: no
# spotify: no
# deezer: no
# beatport: no
# tidal: no
#
# match:
# strong_rec_thresh: 0.04
# medium_rec_thresh: 0.25
# rec_gap_thresh: 0.25
# max_rec:
# missing_tracks: medium
# unmatched_tracks: medium
# distance_weights:
# source: 2.0
# artist: 3.0
# album: 3.0
# media: 1.0
# mediums: 1.0
# year: 1.0
# country: 0.5
# label: 0.5
# catalognum: 0.5
# albumdisambig: 0.5
# album_id: 5.0
# tracks: 2.0
# missing_tracks: 0.9
# unmatched_tracks: 0.6
# track_title: 3.0
# track_artist: 2.0
# track_index: 1.0
# track_length: 2.0
# track_id: 5.0
# preferred:
# countries: []
# media: []
# original_year: no
# ignored: []
# required: []
# ignored_media: []
# ignore_data_tracks: yes
# ignore_video_tracks: yes
# track_length_grace: 10
# track_length_max: 30
# album_disambig_fields: data_source media year country label catalognum albumdisambig
# singleton_disambig_fields: data_source index track_alt album
# ''}:/b/.config/beets/config.yaml"
# "/media/music:/music"
# "/media/slskd/downloads:/downloads"
# ];
#};
#beets = {
# image = "lscr.io/linuxserver/beets:latest";
# volumes = [
# "/media/config/beets:/config"
# "/media/music:/music"
# "/media/slskd/downloads:/downloads"
# ];
#};
code-server = {
image = "lscr.io/linuxserver/code-server:latest";
volumes = [
"/var/lib/code-server:/config"
];
environmentFiles = [
config.sops.secrets.code-server.path
];
dependsOn = ["gluetun"];
extraOptions = [
#"--group-add ${config.security.acme.defaults.group}"
"--network=container:gluetun"
];
};
#jellyseerr = {
# image = "fallenbagel/jellyseerr:latest";
# ports = [
# "5055:5055"
# ];
# volumes = [
# "/media/config/jellyseerr:/app/config"
# ];
# extraOptions = [
# "--network=host"
# ];
#};
recyclarr = {
image = "ghcr.io/recyclarr/recyclarr";
volumes = [
#"/media/config/recyclarr:/config"
"${pkgs.writeText "recyclarr.yml" ''
sonarr:
sonarr-main:
base_url: http://localhost:8989
api_key: !env_var SONARR_API_KEY
delete_old_custom_formats: true
replace_existing_custom_formats: true
quality_definition:
type: series
custom_formats:
- trash_ids:
# Unwanted
- 85c61753df5da1fb2aab6f2a47426b09 # BR-DISK
- 9c11cd3f07101cdba90a2d81cf0e56b4 # LQ
- 47435ece6b99a0b477caf360e79ba0bb # x265
# Misc
- ec8fa7296b64e8cd390a1600981f3923 # Repack/Proper
- eb3d5cc0a2be0db205fb823640db6a3c # Repack v2
- 44e7c4de10ae50265753082e5dc76047 # Repack v3
# Streaming Services
- d660701077794679fd59e8bdf4ce3a29 # AMZN
- f67c9ca88f463a48346062e8ad07713f # ATVP
- 36b72f59f4ea20aad9316f475f2d9fbb # DCU
- 89358767a60cc28783cdc3d0be9388a4 # DNSP
- 7a235133c87f7da4c8cccceca7e3c7a6 # HBO
- a880d6abc21e7c16884f3ae393f84179 # HMAX
- f6cce30f1733d5c8194222a7507909bb # HULU
- 0ac24a2a68a9700bcb7eeca8e5cd644c # iT
- d34870697c9db575f17700212167be23 # NF
- b2b980877494b560443631eb1f473867 # NLZ
- 1656adc6d7bb2c8cca6acfb6592db421 # PCOK
- c67a75ae4a1715f2bb4d492755ba4195 # PMTP
- 3ac5d84fce98bab1b531393e9c82f467 # QIBI
- c30d2958827d1867c73318a5a2957eb1 # RED
- ae58039e1319178e6be73caab5c42166 # SHO
- 1efe8da11bfd74fbbcd4d8117ddb9213 # STAN
- 5d2317d99af813b6529c7ebf01c83533 # VDL
- 77a7b25585c18af08f60b1547bb9b4fb # CC
# HQ Source Groups
- e6258996055b9fbab7e9cb2f75819294 # WEB Tier 01
- 58790d4e2fdcd9733aa7ae68ba2bb503 # WEB Tier 02
- d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
- d0c516558625b04b363fa6c5c2c7cfd4 # WEB Scene
quality_profiles:
- name: TRaSH 720/1080
- trash_ids:
- 949c16fe0a8147f50ba82cc2df9411c9 # Anime BD Tier 01 (Top SeaDex Muxers)
- ed7f1e315e000aef424a58517fa48727 # Anime BD Tier 02 (SeaDex Muxers)
- 096e406c92baa713da4a72d88030b815 # Anime BD Tier 03 (SeaDex Muxers)
- 30feba9da3030c5ed1e0f7d610bcadc4 # Anime BD Tier 04 (SeaDex Muxers)
- 545a76b14ddc349b8b185a6344e28b04 # Anime BD Tier 05 (Remuxes)
- 25d2afecab632b1582eaf03b63055f72 # Anime BD Tier 06 (FanSubs)
- 0329044e3d9137b08502a9f84a7e58db # Anime BD Tier 07 (P2P/Scene)
- c81bbfb47fed3d5a3ad027d077f889de # Anime BD Tier 08 (Mini Encodes)
- e0014372773c8f0e1bef8824f00c7dc4 # Anime Web Tier 01 (Muxers)
- 19180499de5ef2b84b6ec59aae444696 # Anime Web Tier 02 (Top FanSubs)
- e6258996055b9fbab7e9cb2f75819294 # WEB Tier 01
- 58790d4e2fdcd9733aa7ae68ba2bb503 # WEB Tier 02
- c27f2ae6a4e82373b0f1da094e2489ad # Anime Web Tier 03 (Official Subs)
- d84935abd3f8556dcd51d4f27e22d0a6 # WEB Tier 03
- 4fd5528a3a8024e6b49f9c67053ea5f3 # Anime Web Tier 04 (Official Subs)
- 29c2a13d091144f63307e4a8ce963a39 # Anime Web Tier 05 (FanSubs)
- dc262f88d74c651b12e9d90b39f6c753 # Anime Web Tier 06 (FanSubs)
# Unwanted
- b4a1b3d705159cdca36d71e57ca86871 # Anime Raws
- e3515e519f3b1360cbfc17651944354c # Anime LQ Groups
- 15a05bc7c1a36e2b57fd628f8977e2fc # AV1
- 026d5aadd1a6b4e550b134cb6c72b3ca # Uncensored
- d2d7b8a9d39413da5f44054080e028a3 # v0
- 9c14d194486c4014d422adc64092d794 # Dubs Only
- 07a32f77690263bb9fda1842db7e273f # VOSTFR
# Optionals
- 273bd326df95955e1b6c26527d1df89b # v1
- 228b8ee9aa0a609463efca874524a6b8 # v2
- 0e5833d3af2cc5fa96a0c29cd4477feb # v3
- 4fc15eeb8f2f9a749f918217d4234ad8 # v4
- b2550eb333d27b75833e25b8c2557b38 # 10bit
# Streaming Services
- d660701077794679fd59e8bdf4ce3a29 # AMZN
- 7dd31f3dee6d2ef8eeaa156e23c3857e # B-Global
- 4c67ff059210182b59cdd41697b8cb08 # Bilibili
- 3e0b26604165f463f3e8e192261e7284 # CR
- 89358767a60cc28783cdc3d0be9388a4 # DSNP
- 1284d18e693de8efe0fe7d6b3e0b9170 # FUNi
- 570b03b3145a25011bf073274a407259 # HIDIVE
- d34870697c9db575f17700212167be23 # NF
- 44a8ee6403071dd7b8a3a8dd3fe8cb20 # VRV
quality_profiles:
- name: TRaSH Anime
- trash_ids:
- 418f50b10f1907201b6cfdf881f467b7 # Anime Dual Audio
quality_profiles:
- name: TRaSH Anime
score: 2000
radarr:
radarr-main:
base_url: http://localhost:7878
api_key: !env_var RADARR_API_KEY
quality_definition:
type: movie
delete_old_custom_formats: true
replace_existing_custom_formats: true
custom_formats:
- trash_ids:
# HD Bluray + WEB
# Movie Versions
- 0f12c086e289cf966fa5948eac571f44 # Hybrid
- 570bc9ebecd92723d2d21500f4be314c # Remaster
- eca37840c13c6ef2dd0262b141a5482f # 4K Remaster
- e0c07d59beb37348e975a930d5e50319 # Criterion Collection
- 9d27d9d2181838f76dee150882bdc58c # Masters of Cinema
- 957d0f44b592285f26449575e8b1167e # Special Edition
- eecf3a857724171f968a66cb5719e152 # IMAX
- 9f6cbff8cfe4ebbc1bde14c7b7bec0de # IMAX Enhanced
# HQ Release Groups
- ed27ebfef2f323e964fb1f61391bcb35 # HD Bluray Tier 01
- c20c8647f2746a1f4c4262b0fbbeeeae # HD Bluray Tier 02
- c20f169ef63c5f40c2def54abaf4438e # WEB Tier 01
- 403816d65392c79236dcb6dd591aeda4 # WEB Tier 02
- af94e0fe497124d1f9ce732069ec8c3b # WEB Tier 03
# Misc
- e7718d7a3ce595f289bfee26adc178f5 # Repack/Proper
- ae43b294509409a6a13919dedd4764c4 # Repack2
# Unwanted
- ed38b889b31be83fda192888e2286d83 # BR-DISK
- 90a6f9a284dff5103f6346090e6280c8 # LQ
- dc98083864ea246d05a42df0d05f81cc # x265
- b8cd450cbfa689c0259a01d9e29ba3d6 # 3D
# Streaming Services
- b3b3a6ac74ecbd56bcdbefa4799fb9df # AMZN
- 40e9380490e748672c2522eaaeb692f7 # ATVP
- cc5e51a9e85a6296ceefe097a77f12f4 # BCORE
- 84272245b2988854bfb76a16e60baea5 # DNSP
- 509e5f41146e278f9eab1ddaceb34515 # DBO
- 5763d1b0ce84aff3b21038eea8e9b8ad # HMAX
- 526d445d4c16214309f0fd2b3be18a89 # Hulu
- 2a6039655313bf5dab1e43523b62c374 # MA
- 170b1d363bd8516fbf3a3eb05d4faff6 # NF
- bf7e73dd1d85b12cc527dc619761c840 # Pathe
- c9fd353f8f5f1baf56dc601c4cb29920 # PCOK
- e36a0ba1bc902b26ee40818a1d59b8bd # PMTP
- c2863d2a50c9acad1fb50e53ece60817 # STAN
quality_profiles:
- name: TRaSH 720/1080
''}:/config/recyclarr.yml"
];
environmentFiles = [
config.sops.secrets.serverenv.path
];
environment = {
PUID = toString config.users.users."media".uid;
PGID = toString config.users.groups."media".gid;
};
extraOptions = [
"--network=host"
];
};
prowlarr = {
image = "lscr.io/linuxserver/prowlarr:latest";
volumes = [
"/media/config/prowlarr:/config"
];
environment = {
PUID = toString config.users.users."media".uid;
PGID = toString config.users.groups."media".gid;
};
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
sonarr = {
image = "lscr.io/linuxserver/sonarr:latest";
volumes = [
"/media/config/sonarr:/config"
"/media/library/tvseries:/tv"
"/media/downloads:/downloads"
];
environment = {
PUID = toString config.users.users."media".uid;
PGID = toString config.users.groups."media".gid;
};
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
radarr = {
image = "lscr.io/linuxserver/radarr:latest";
volumes = [
"/media/config/radarr:/config"
"/media/library/movies:/movies"
"/media/downloads:/downloads"
];
environment = {
PUID = toString config.users.users."media".uid;
PGID = toString config.users.groups."media".gid;
};
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
flaresolverr = {
image = "flaresolverr/flaresolverr";
environment = {
LOG_LEVEL = "info";
};
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
transmission = {
image = "linuxserver/transmission:latest";
volumes = [
"/media/downloads:/downloads"
"/media/config/transmission/config:/config"
"/media/config/transmission/watch:/watch"
];
environment = {
PUID = toString config.users.users."media".uid;
PGID = toString config.users.groups."media".gid;
PEERPORT = "11936";
USER = "xun";
PASS = "password123";
};
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
};
};
}

146
nix/systemProfiles/services/containers/server/statistics/default.nix
View file

@ -1,146 +0,0 @@
{config, ...}: {
services.grafana = {
enable = true;
settings = {
server = {
http_addr = "0.0.0.0";
};
};
};
services.loki = {
enable = true;
configuration = {
server.http_listen_port = 3030;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
max_transfer_retries = 0;
};
schema_config = {
configs = [
{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v11";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
shared_store = "filesystem";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
chunk_store_config = {
max_look_back_period = "0s";
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
shared_store = "filesystem";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "${config.networking.hostName}";
};
};
relabel_configs = [
{
source_labels = ["__journal__systemd_unit"];
target_label = "unit";
}
];
}
];
};
# extraFlags
};
services.prometheus = {
enable = true;
port = 9001;
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
};
scrapeConfigs = [
{
job_name = "${config.networking.hostName}";
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
];
};
}

48
nix/systemProfiles/services/containers/server/statistics/loki.yaml
View file

@ -1,48 +0,0 @@
auth_enabled: false
server:
http_listen_port: 3100
ingester:
lifecycler:
address: 0.0.0.0
ring:
kvstore:
store: inmemory
replication_factor: 1
final_sleep: 0s
chunk_idle_period: 1h # Any chunk not receiving new logs in this time will be flushed
max_chunk_age: 1h # All chunks will be flushed when they hit this age, default is 1h
chunk_target_size: 1048576 # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
chunk_retain_period: 30s # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
max_transfer_retries: 0 # Chunk transfers disabled
schema_config:
configs:
- from: 2020-10-24
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
storage_config:
boltdb_shipper:
active_index_directory: /var/lib/loki/boltdb-shipper-active
cache_location: /var/lib/loki/boltdb-shipper-cache
cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
shared_store: filesystem
filesystem:
directory: /var/lib/loki/chunks
limits_config:
reject_old_samples: true
reject_old_samples_max_age: 168h
chunk_store_config:
max_look_back_period: 0s
table_manager:
retention_deletes_enabled: false
retention_period: 0s

0
nix/systemProfiles/services/gamemode.nix
View file

6
nix/systemProfiles/services/ollama.nix
View file

@ -1,6 +0,0 @@
{
services.ollama = {
enable = true;
rocmOverrideGfx = "10.3.0";
};
}

6
nix/systemProfiles/services/syncthing.nix
View file

@ -1,8 +1,4 @@
{
self,
super,
root,
}: {config, ...}: let
let
devices = {
"nixdesk" = {
id = "XXABQZC-CO6OM2E-EMB3QIJ-NF5I3WU-CCQPPRY-7BX4ZSS-WIU4WW2-WXFWVQR";

2
nix/systemProfiles/services/virt/virt-manager.nix
View file

@ -1,4 +1,4 @@
_: {pkgs, ...}: {
{pkgs, ...}: {
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
boot.kernelParams = ["amd_iommu=on" "iommu=pt"];

2
nix/systemProfiles/services/xdg-portals.nix
View file

@ -1,4 +1,4 @@
{...}: {pkgs, ...}: {
{pkgs, ...}: {
xdg.portal = {
enable = true;
extraPortals = with pkgs; [

2
nix/systemProfiles/themes/dark.nix
View file

@ -1,4 +1,4 @@
_: {
{
pkgs,
self,
...

2
nix/systemProfiles/themes/xundark.nix
View file

@ -1,2 +0,0 @@
_: {pkgs, ...}: {
}