From 502ffabbaa0d74bb9c7582687b34a62daaac5546 Mon Sep 17 00:00:00 2001
From: Stefan Kempinger
Date: Tue, 25 Nov 2025 11:50:31 +0100
Subject: [PATCH] move services into config; set up immich
---
 configuration.nix | 186 ++++++++++++++++++++++++++++++++++++++++++----
 flake.lock | 6 +-
 services.nix | 123 ------------------------------
 3 files changed, 175 insertions(+), 140 deletions(-)
 delete mode 100644 services.nix
diff --git a/configuration.nix b/configuration.nix
index 539b66f..be38af3 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -14,7 +14,6 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ./services.nix
 specialArgs.inputs.vscode-server.nixosModules.default
 ];
@@ -61,6 +60,9 @@
 2222 # forgejo ssh
 3000 # forgejo frontend
 8123 # homeassistant
+ 5580 # homeassistant matter
+ 2283 # immich
+ 3003 # immich ml
 9000
 ];
@@ -70,22 +72,14 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
 ];
 };
+
+ users.users.immich.extraGroups = [
+ "video"
+ "render"
+ ];
 # Security
 # security.sudo.wheelNeedsPassword = false;
- # Enable SSH for root
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only
- };
- };
-
- hardware.bluetooth.enable = true;
- services.blueman.enable = true;
-
 # Packages
 environment.systemPackages = with pkgs; [
 vim
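Review bot: Opening 2283 and 3003 in the firewall port list of the second hunk looks unnecessary and at odds with the rest of this commit: the later nginx vhost `bilder.kempinger.at` proxies immich at `http://[::1]:2283` behind TLS, and `services.immich` leaves `host` and `openFirewall` commented out, so the service is presumably only bound to loopback and the rule does nothing until `host` is changed, at which point the web UI and the machine-learning endpoint (3003) become reachable on the LAN without TLS or the proxy's upload limits. Suggest dropping the two lines and relying on the reverse proxy, or, if LAN access is intended, saying so next to them: `# 2283/3003 deliberately reachable on the LAN; immich is otherwise served via nginx`. The same applies to 5580: both oci-containers added later run with `--network=host`, so Home Assistant can reach the matter-server on localhost and the firewall entry only serves clients outside the host. The port list's enclosing option starts outside the hunk.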
@@ -98,9 +92,173 @@
 nixd
 nixfmt
 systemd
+ inetutils
 nil
 ];
+ # Enable SSH for root
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only
+ };
+ };
+
+ hardware.bluetooth.enable = true;
+ services.blueman.enable = true;
+
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "mail@kempinger.xyz";
+ certs."kempinger.at".domain = "*.kempinger.at";
+ };
+
+ services.resolved.enable = true;
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts."192.168.69.69" = {
+ default = true;
+ root = "/srv/website/public_html";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."kempinger.at" = {
+ root = "/srv/website/public_html";
+ locations."/" = {
+ index = "index.html";
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+ virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass =
+ "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+ virtualHosts."bilder.kempinger.at" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.immich.port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.kempinger.at";
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
+ HTTP_PORT = 3000;
+ DISABLE_SSH = false;
+ SSH_PORT = 2222;
+ START_SSH_SERVER = true;
+ };
+
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ # Sending emails is completely optional
+ # You can send a test email from the web UI at:
+ # Profile Picture > Site Administration > Configuration > Mailer Configuration
+ # mailer = {
+ # ENABLED = true;
+ # SMTP_ADDR = "mail.kempinger.at";
+ # FROM = "noreply@${srv.DOMAIN}";
+ # USER = "noreply@${srv.DOMAIN}";
+ # };
+ };
+ };
+
+ # systemd.services.forgejo.preStart =
+ # ''
+ # ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" --username crazychaoz --password temp123 || true
+ # '';
+
+ # Virtualisation
+ virtualisation = {
+ containers.enable = true;
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other.
+ };
+ };
+
+ #services.matter-server.enable = true;
+
+ virtualisation.oci-containers = {
+ backend = "podman";
+ containers.homeassistant = {
+ #autoStart = true;
+ volumes = [
+ "home-assistant:/config"
+ "/run/dbus:/run/dbus:ro"
+ ];
+ environment.TZ = "Europe/Berlin";
+ # Note: The image will not be updated on rebuilds, unless the version label changes
+ image = "ghcr.io/home-assistant/home-assistant:stable";
+ extraOptions = [
+ # Use the host network namespace for all sockets
+ "--network=host"
+ # Pass devices into the container, so Home Assistant can discover and make use of them
+ #"--device=/dev/ttyACM0:/dev/ttyACM0"
+ "--privileged"
+ ];
+ };
+ containers.matter-server = {
+ #autoStart = true;
+ volumes = [
+ "matter-server:/config"
+ "/run/dbus:/run/dbus:ro"
+ ];
+ environment.TZ = "Europe/Berlin";
+ # Note: The image will not be updated on rebuilds, unless the version label changes
+ image = "ghcr.io/home-assistant-libs/python-matter-server:stable";
+ extraOptions = [
+ "--network=host"
+ "--privileged"
+ ];
+ };
+ };
+
+ services.immich = {
+ enable = true;
+ accelerationDevices = null;
+ port = 2283;
+ #host = "immich.kempinger.at";
+ #openFirewall = true;
+ };
 # Nix settings
 nix.settings.experimental-features = [
diff --git a/flake.lock b/flake.lock
index e7b1b8c..13ac270 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1762977756,
- "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
+ "lastModified": 1763835633,
+ "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
+ "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
 "type": "github"
 },
 "original": {
diff --git a/services.nix b/services.nix
deleted file mode 100644
index 8924639..0000000
--- a/services.nix
+++ /dev/null
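Review bot: The commented-out mailer block and the forgejo preStart snippet carried into this hunk still reference `srv.DOMAIN` and `cfg.package`, which were `let`-bound in the deleted services.nix; no equivalent binding is visible in configuration.nix, so uncommenting either would fail to evaluate. Either rewrite them to `config.services.forgejo.settings.server.DOMAIN` and `config.services.forgejo.package`, as the live `ROOT_URL` line already does, or drop them — the preStart example also carries a bootstrap password in plain text and is better kept out of the main configuration now that it lives there. Separately, the new matter-server container is started with both `--network=host` and `--privileged`; `--privileged` hands the container every capability and all host devices, which is more than the read-only D-Bus bind mount needs, so unless a host radio has to be passed through, the specific `--device=` or `--cap-add=` it actually requires would be the tighter choice. `accelerationDevices = null;` disables the immich device allow-list if I read the module right; with the immich user now in `video`/`render`, listing the concrete `/dev/dri` nodes instead keeps that access bounded. The enclosing module attribute set starts and ends outside the hunk.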
@@ -1,123 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-let
- cfg = config.services.forgejo;
- srv = cfg.settings.server;
-in
-{
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "mail@kempinger.xyz";
- certs."kempinger.at".domain = "*.kempinger.at";
- };
-
- services.resolved.enable = true;
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- virtualHosts."192.168.69.69" = {
- default = true;
- root = "/srv/website/public_html";
- locations."/" = {
- index = "index.html";
- };
- };
- virtualHosts."kempinger.at" = {
- root = "/srv/website/public_html";
- locations."/" = {
- index = "index.html";
- };
- forceSSL = true;
- enableACME = true;
- };
- virtualHosts.${cfg.settings.server.DOMAIN} = {
- forceSSL = true;
- enableACME = true;
- extraConfig = ''
- client_max_body_size 512M;
- '';
- locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
- };
- };
- services.forgejo = {
- enable = true;
- database.type = "postgres";
- # Enable support for Git Large File Storage
- lfs.enable = true;
- settings = {
- server = {
- DOMAIN = "git.kempinger.at";
- # You need to specify this to remove the port from URLs in the web UI.
- ROOT_URL = "https://${srv.DOMAIN}/";
- HTTP_PORT = 3000;
- DISABLE_SSH = false;
- SSH_PORT = 2222;
- START_SSH_SERVER=true;
- };
-
- # You can temporarily allow registration to create an admin user.
- service.DISABLE_REGISTRATION = true;
- # Add support for actions, based on act: https://github.com/nektos/act
- actions = {
- ENABLED = true;
- DEFAULT_ACTIONS_URL = "github";
- };
- # Sending emails is completely optional
- # You can send a test email from the web UI at:
- # Profile Picture > Site Administration > Configuration > Mailer Configuration
- # mailer = {
- # ENABLED = true;
- # SMTP_ADDR = "mail.kempinger.at";
- # FROM = "noreply@${srv.DOMAIN}";
- # USER = "noreply@${srv.DOMAIN}";
- # };
- };
- };
-
- # systemd.services.forgejo.preStart =
- # ''
- # ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" --username crazychaoz --password temp123 || true
- # '';
-
- #services.vscode-server.enable = true;
-
- # Virtualisation
- virtualisation = {
- containers.enable = true;
- podman = {
- enable = true;
- dockerCompat = true;
- defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other.
- };
- };
-
- virtualisation.oci-containers = {
- backend = "podman";
- containers.homeassistant = {
- #autoStart = true;
- volumes = [
- "home-assistant:/config"
- "/run/dbus:/run/dbus:ro"
- ];
- environment.TZ = "Europe/Berlin";
- # Note: The image will not be updated on rebuilds, unless the version label changes
- image = "ghcr.io/home-assistant/home-assistant:stable";
- extraOptions = [
- # Use the host network namespace for all sockets
- "--network=host"
- # Pass devices into the container, so Home Assistant can discover and make use of them
- #"--device=/dev/ttyACM0:/dev/ttyACM0"
- "--privileged"
- ];
- };
- };
-}