test: setting up nas structure

This commit is contained in:
Nick 2025-12-07 01:38:13 -06:00
parent b5614b006f
commit 2fdadf15f0
17 changed files with 662 additions and 94 deletions


@ -1,3 +0,0 @@
{
}


@ -1,3 +0,0 @@
{
}


@ -1,3 +0,0 @@
{
}


@ -1,3 +0,0 @@
{
}


@ -1,3 +0,0 @@
{
}


@ -1,3 +0,0 @@
{
}


@ -0,0 +1,187 @@
{
flake,
pkgs,
...
}:
let
inherit (flake.config.people) user0;
serviceCfg = {
name = "opencloud";
};
in
{
opencloudVM =
{
user,
ip,
mac,
userMac,
ssh,
host,
}:
{
microvm.vms = {
"${serviceCfg.name}-${user}" = {
autostart = true;
restartIfChanged = true;
config = {
system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
services = {
opencloud = {
enable = true;
url = "https://${host}";
port = 9200;
address = "0.0.0.0";
stateDir = "/var/lib/${serviceCfg.name}";
environmentFile = "/run/secrets/${user}-env";
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
};
networking.firewall.allowedTCPPorts = [
22
587
9200
];
systemd = {
services = {
systemd-networkd.wantedBy = [ "multi-user.target" ];
opencloud = {
path = [ pkgs.inotify-tools ];
};
opencloud-fix-permissions = {
description = "Fix OpenCloud storage permissions";
after = [ "opencloud.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "fix-perms" ''
echo "Starting permission fix..."
OPENCLOUD_UID=$(id -u opencloud)
echo "OpenCloud UID: $OPENCLOUD_UID"
find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do
echo "Fixing file: $file"
chown opencloud:opencloud "$file" 2>/dev/null || true
done
find /var/lib/opencloud/storage/users -type d ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do
echo "Fixing dir: $dir"
chown opencloud:opencloud "$dir" 2>/dev/null || true
done
echo "Permission fix complete"
'';
User = "root";
};
};
};
timers.opencloud-fix-permissions = {
description = "Periodically fix OpenCloud storage permissions";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "30s";
OnUnitActiveSec = "2min";
Unit = "opencloud-fix-permissions.service";
};
};
network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s6";
addresses = [
{ Address = "${ip}/24"; }
];
routes = [
{
Destination = "0.0.0.0/0";
Gateway = "192.168.50.1";
}
];
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
tmpfiles.rules = [
"d /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -"
];
};
microvm = {
vcpu = 1;
mem = 512;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = "vm-oc-${user}";
mac = mac;
}
{
type = "user";
id = "vmuser-cloud";
mac = userMac;
}
];
forwardPorts = [
{
from = "host";
host.port = ssh;
guest.port = 22;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs";
source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}/data";
tag = "${serviceCfg.name}_${user}_data";
}
{
mountPoint = "/etc/${serviceCfg.name}";
proto = "virtiofs";
source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}/config";
tag = "${serviceCfg.name}_${user}_config";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets/${serviceCfg.name}";
tag = "host_secrets";
}
];
};
environment.systemPackages = builtins.attrValues {
inherit (pkgs)
inotify-tools
opencloud
;
};
};
};
};
systemd.tmpfiles.rules = [
"d /mnt/storage/users/${user}/guests/${serviceCfg.name} 0751 microvm wheel - -"
"d /mnt/storage/users/${user}/guests/${serviceCfg.name}/config 0751 microvm wheel - -"
"d /mnt/storage/users/${user}/guests/${serviceCfg.name}/data 0751 microvm wheel - -"
];
sops.secrets = {
"${serviceCfg.name}/${user}-env" = {
owner = "root";
mode = "0600";
};
};
};
}
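Review bot: The `/run/secrets` share near the end of the `shares` list mounts the host's whole `/run/secrets/opencloud` directory into every user's VM, while the secret this function declares is `opencloud/${user}-env`, so with sops-nix's default `/run/secrets/<name>` layout each VM can read every other user's env file. Scope the share to a per-user subdirectory: declare the secret as `"${serviceCfg.name}/${user}/env"`, mount `source = "/run/secrets/${serviceCfg.name}/${user}";` and point `environmentFile = "/run/secrets/env";` at it. Separately, `opencloud-fix-permissions` runs as root every two minutes and pipes `find` output through `while read`, so a filename containing a newline breaks the loop and a path swapped for a symlink between `find` and the follow-by-default `chown` would chown whatever it points at (the `2>/dev/null || true` then hides the evidence); `find ... ! -uid "$OPENCLOUD_UID" -exec chown -h opencloud:opencloud {} +` avoids both, and it is worth finding out why the virtiofs-backed tree acquires foreign uids at all instead of re-chowning it on a timer. The `587` entry in `allowedTCPPorts` opens an inbound SMTP-submission port on the VM that nothing in this hunk listens on; outbound mail does not need a firewall rule.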


@ -0,0 +1,34 @@
{ flake, ... }:
let
inherit (import ./config) opencloudVM;
inherit (flake.config.people) user0;
opencloudNick = opencloudVM {
user = user0;
ip = "192.168.50.67";
mac = "02:00:00:00:57:67";
userMac = "02:00:00:00:00:67";
ssh = 2507;
host = "";
};
opencloudStacie = opencloudVM {
user = "stacie";
ip = "192.168.50.68";
mac = "02:00:00:00:58:68";
userMac = "02:00:00:00:00:68";
ssh = 2508;
host = "";
};
opencloudGarnet = opencloudVM {
user = "garnet";
ip = "192.168.50.69";
mac = "02:00:00:00:59:69";
userMac = "02:00:00:00:00:69";
ssh = 2509;
host = "";
};
in
opencloudNick // opencloudStacie // opencloudGarnet
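Review bot: All three calls pass `host = ""`, which makes the `url` option in `./config` evaluate to `https://` — not a usable origin, and as far as I can tell OpenCloud derives its public URL (and OIDC redirect/issuer values) from it, so these instances will not come up cleanly as-is. If the hostnames are genuinely not settled yet, say so in a comment here and have `opencloudVM` reject the placeholder at evaluation time with `assert host != ""; {` at the top of its body, so the mistake surfaces during `nixos-rebuild` rather than inside a running VM. The per-user values (ip, mac, userMac, ssh) follow a clear pattern; a one-line comment stating the numbering scheme would keep the next instance consistent.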


@ -0,0 +1,157 @@
{
config,
flake,
...
}:
let
inherit (flake.config.people) user0;
serviceCfg = {
name = "photoprism";
};
in
{
photoprismVM =
{
user,
ip,
mac,
userMac,
ssh,
}:
{
microvm.vms = {
"${serviceCfg.name}-${user}" = {
autostart = true;
restartIfChanged = true;
config = {
system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
services = {
${serviceCfg.name} = {
enable = true;
settings = {
PHOTOPRISM_ADMIN_USER = user;
PHOTOPRISM_DEFAULT_LOCAL = "en";
};
passwordFile = "/run/secrets/${user}-pass";
originalsPath = "/var/lib/${serviceCfg.name}-media";
importPath = "photos";
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
};
networking.firewall.allowedTCPPorts = [
22
2342
];
systemd = {
services = {
systemd-networkd.wantedBy = [
"multi-user.target"
];
};
network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s5";
addresses = [
{ Address = "${ip}/24"; }
];
routes = [
{
Destination = "0.0.0.0/0";
Gateway = "192.168.50.1";
}
];
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
tmpfiles.rules = [
"Z /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"d /var/lib/${serviceCfg.name}-media 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"d /var/lib/${serviceCfg.name}-media/photos 0755 ${serviceCfg.name} ${serviceCfg.name} -"
];
};
microvm = {
vcpu = 1;
mem = 512;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = "vm-pp-${user}";
mac = mac;
}
{
type = "user";
id = "vmuser-photo";
mac = userMac;
}
];
forwardPorts = [
{
from = "host";
host.port = ssh;
guest.port = 22;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs";
source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}";
tag = "${serviceCfg.name}_${user}_data";
}
{
mountPoint = "/var/lib/${serviceCfg.name}-media";
proto = "virtiofs";
source = "/mnt/storage/users/${user}/home/media";
tag = "${serviceCfg.name}_${user}_media";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets/${serviceCfg.name}";
tag = "host_secrets";
}
];
};
};
};
};
systemd.tmpfiles.rules = [
"d /mnt/storage/users/${user}/guests/${serviceCfg.name} 0751 microvm wheel - -"
"d /mnt/storage/users/${user}/home/media/photos 0751 microvm wheel - -"
];
sops.secrets = {
"${serviceCfg.name}/${user}-pass" = {
owner = "root";
mode = "0600";
};
};
};
}
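Review bot: The `/run/secrets` share at the end of the `shares` list mounts the host's whole `/run/secrets/photoprism` directory into every user's VM, while the secret declared here is `photoprism/${user}-pass`, so with sops-nix's default path layout each VM also gets the other users' admin passwords. Declare the secret as `"${serviceCfg.name}/${user}/pass"`, mount `source = "/run/secrets/${serviceCfg.name}/${user}";` and set `passwordFile = "/run/secrets/pass";` so each VM only ever sees its own file. The `config` argument in the function header is never used and can be dropped. Minor: `Z /var/lib/photoprism 0755 …` recursively resets mode and ownership of the whole virtiofs-backed data tree on every boot and, I believe, gives regular files the execute bits too; a non-recursive `z` on the directory or a masked `~0755` mode would be less intrusive.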


@ -0,0 +1,31 @@
{ flake, ... }:
let
inherit (import ./config) photoprismVM;
inherit (flake.config.people) user0;
photoprismNick = photoprismVM {
user = user0;
ip = "192.168.50.64";
mac = "02:00:00:00:54:64";
userMac = "02:00:00:00:00:64";
ssh = 2504;
};
photoprismStacie = photoprismVM {
user = "stacie";
ip = "192.168.50.65";
mac = "02:00:00:00:55:65";
userMac = "02:00:00:00:00:65";
ssh = 2505;
};
photoprismGarnet = photoprismVM {
user = "garnet";
ip = "192.168.50.66";
mac = "02:00:00:00:56:66";
userMac = "02:00:00:00:00:66";
ssh = 2506;
};
in
photoprismNick // photoprismStacie // photoprismGarnet


@ -1,3 +0,0 @@
{
}


@ -1,3 +0,0 @@
{
}


@ -0,0 +1,206 @@
{
flake,
...
}:
let
inherit (flake.config.people) user0;
inherit (flake.config.services) instances;
serviceCfg = instances.syncthing;
in
{
syncthingVM =
{
user,
ip,
mac,
userMac,
ssh,
syncID,
deviceIP,
}:
{
microvm.vms = {
"${serviceCfg.name}-${user}" = {
autostart = true;
restartIfChanged = true;
config = {
system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
services = {
syncthing = {
enable = true;
overrideDevices = false;
overrideFolders = false;
openDefaultPorts = true;
systemService = true;
guiAddress = "0.0.0.0:${toString serviceCfg.ports.port0}";
settings = {
folders = {
docs = {
enable = true;
id = "docs";
path = "/var/lib/${serviceCfg.name}/docs";
devices = [
"${user}Phone"
];
};
media = {
enable = true;
id = "media";
path = "/var/lib/${serviceCfg.name}/media";
devices = [
"${user}Phone"
];
};
misc = {
enable = true;
id = "misc";
path = "/var/lib/${serviceCfg.name}/misc";
devices = [
"${user}Phone"
];
};
};
devices = {
"${user}Phone" = {
autoAcceptFolders = true;
name = "${user}Phone";
addresses = [
"tcp://${deviceIP}:${toString serviceCfg.ports.port2}"
];
id = syncID;
};
};
};
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
};
networking.firewall.allowedTCPPorts = [
22
serviceCfg.ports.port0
serviceCfg.ports.port1
serviceCfg.ports.port2
];
systemd = {
services = {
systemd-networkd.wantedBy = [
"multi-user.target"
];
};
network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s5";
addresses = [
{ Address = "${ip}/24"; }
];
routes = [
{
Destination = "0.0.0.0/0";
Gateway = "192.168.50.1";
}
];
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
tmpfiles.rules = [
"d /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"d /var/lib/${serviceCfg.name}/docs 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"d /var/lib/${serviceCfg.name}/media 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"d /var/lib/${serviceCfg.name}/misc 0755 ${serviceCfg.name} ${serviceCfg.name} -"
];
};
microvm = {
vcpu = 1;
mem = 512;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = "vm-st-${user}";
mac = mac;
}
{
type = "user";
id = "vm-sync";
mac = userMac;
}
];
forwardPorts = [
{
from = "host";
host.port = ssh;
guest.port = 22;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs";
source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}";
tag = "${serviceCfg.name}_${user}_data";
}
{
mountPoint = "/var/lib/${serviceCfg.name}/docs";
proto = "virtiofs";
source = "/mnt/storage/users/${user}/home/docs";
tag = "${serviceCfg.name}_${user}_docs";
}
{
mountPoint = "/var/lib/${serviceCfg.name}/media";
proto = "virtiofs";
source = "/mnt/storage/users/${user}/home/media";
tag = "${serviceCfg.name}_${user}_media";
}
{
mountPoint = "/var/lib/${serviceCfg.name}/misc";
proto = "virtiofs";
source = "/mnt/storage/users/${user}/home/misc";
tag = "${serviceCfg.name}_${user}_misc";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets/${serviceCfg.name}";
tag = "host_secrets";
}
];
};
};
};
};
systemd.tmpfiles.rules = [
"d /mnt/storage/users/${user}/guests/${serviceCfg.name} 0751 microvm wheel - -"
];
sops.secrets = {
"${serviceCfg.name}/${user}-pass" = {
owner = "root";
mode = "0600";
};
};
};
}
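Review bot: `guiAddress = "0.0.0.0:${toString serviceCfg.ports.port0}"` combined with `serviceCfg.ports.port0` in `allowedTCPPorts` exposes the Syncthing web GUI to the whole 192.168.50.0/24 segment, and nothing in `settings` configures a `gui` user or password, so anyone on the LAN can reconfigure the instance and add devices or folders; the host-level module this replaces (deleted further down) bound the GUI to the localhost address instead. Unless an authenticating reverse proxy sits in front (not visible here), bind it back to loopback with `guiAddress = "127.0.0.1:${toString serviceCfg.ports.port0}";`, drop `serviceCfg.ports.port0` from the firewall list, and reach it through the forwarded SSH port. The `syncthing/${user}-pass` secret is declared and the whole `/run/secrets/syncthing` directory is mounted into every user's VM, yet nothing in the VM config reads that file — either wire it into the GUI credentials or remove it, and in either case narrow the share to a per-user subdirectory so VMs cannot read each other's secrets. `autoAcceptFolders = true` on the phone device means any folder the phone offers is accepted and written straight into the user's home shares without review; if that is the intended convenience, a comment saying so would stop the next reader from "fixing" it.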


@ -0,0 +1,38 @@
{ flake, ... }:
let
inherit (import ./config) syncthingVM;
inherit (flake.config.people) user0;
syncthingNick = syncthingVM {
user = user0;
ip = "192.168.50.61";
mac = "02:00:00:00:51:61";
userMac = "02:00:00:00:00:61";
ssh = 2501;
syncID = "RMDKNJY-BTX6FYF-G6SR332-WS6HARI-PF74SC6-VPBSGRQ-MKVQZEQ-KSIB6QV";
deviceIP = "192.168.50.8";
};
syncthingStacie = syncthingVM {
user = "stacie";
ip = "192.168.50.62";
mac = "02:00:00:00:52:62";
userMac = "02:00:00:00:00:62";
ssh = 2502;
syncID = "";
deviceIP = "";
};
syncthingGarnet = syncthingVM {
user = "garnet";
ip = "192.168.50.63";
mac = "02:00:00:00:53:63";
userMac = "02:00:00:00:00:63";
ssh = 2503;
syncID = "";
deviceIP = "";
};
in
syncthingNick
# // syncthingStacie // syncthingGarnet
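Review bot: `syncthingStacie` and `syncthingGarnet` are built with `syncID = ""` and `deviceIP = ""`, and only the trailing comment keeps them out of the merged result; if someone uncomments that line, `./config` will register a device named `staciePhone` with an empty ID and the address `tcp://:port`, which Syncthing is unlikely to accept. Guard the placeholders in the function itself rather than relying on the comment — `assert syncID != "" && deviceIP != "";` before the body of `syncthingVM` — and add a comment next to the commented-out merge explaining why the two instances are disabled. The device ID and phone address were previously pulled from `flake.config.machines.devices` (see the deleted module below) and are now hard-coded here; a device ID is not secret, but noting the move keeps the two sources from drifting.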


@ -1,67 +0,0 @@
{ flake, config, ... }:
let
inherit (flake.config.machines.devices)
phone
mars
ceres
;
inherit (flake.config.services)
instances
;
service = instances.syncthing;
hostname = config.networking.hostName;
localhost = instances.web.localhost.address1;
postgres = instances.postgresql;
forgejo = instances.forgejo;
vaultwarden = instances.vaultwarden;
backupPath = "${service.paths.path1}";
syncDevices = {
phoneSync = {
${phone.name} = {
autoAcceptFolders = true;
name = phone.name;
addresses = [
"tcp://${phone.ip.address0}:${toString service.ports.port2}"
];
id = phone.sync.address0;
};
};
};
in
{
services = {
syncthing = {
enable = true;
overrideDevices = false;
overrideFolders = false;
openDefaultPorts = true;
systemService = true;
guiAddress = "${localhost}:${toString service.ports.port0}";
settings = {
devices = if hostname == mars.name then syncDevices.phoneSync else { };
};
};
};
systemd.tmpfiles.rules = [
# Main syncthing directory - use Z to fix existing permissions
"z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
# Backup directories
"d ${backupPath} 0755 ${service.name} ${service.name} -"
"d ${backupPath}/${postgres.name} 0750 ${postgres.name} ${service.name} -"
"d ${backupPath}/${forgejo.name} 0750 ${forgejo.name} ${service.name} -"
"d ${backupPath}/${vaultwarden.name} 0750 ${vaultwarden.name} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
service.ports.port2
];
};
};
}