upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-06 21:17:14 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: upRootNutrition:2fc17f3539be102852320c5842b7290aecc86795
Branches Tags
upRootNutrition:main
...
compare: upRootNutrition:6c010d9f106e0b1a6aeb067b4b68662ea6c23126
Branches Tags
upRootNutrition:main

2 commits
2fc17f3539 ... 6c010d9f10

Author SHA1 Message Date
Nick
6c010d9f10 feat: spun up firefly-iii 2025-11-17 05:46:55 -06:00
Nick
83aab0bc63 feat: finally got mastodon working 2025-11-17 02:26:07 -06:00
5 changed files with 1489 additions and 936 deletions
Download patch file Download diff file Expand all files Collapse all files

2
modules/nixos/default.nix
View file

@ -53,7 +53,7 @@ in
caddy
comfyui
# filesorter
# firefly-iii
firefly-iii
forgejo
# glance
jellyfin

82
modules/nixos/guests/firefly-iii/default.nix
View file

@ -1,6 +1,6 @@
{
config,
flake,
config,
...
}:
let
@ -12,8 +12,8 @@ let
smtpCfg = instances.smtp;
hostCfg = instances.web;
host = serviceCfg.domains.url0;
dns0 = instances.web.dns.provider0;
dns0Path = "dns/${dns0}";
dns = instances.web.dns.provider0;
dnsPath = "dns/${dns}";
in
{
microvm.vms = {
@ -27,7 +27,6 @@ in
services = {
firefly-iii = {
enable = true;
# dataDir = serviceCfg.varPaths.path0;
enableNginx = false;
poolConfig = {
"listen.owner" = config.services.caddy.user;
@ -40,18 +39,18 @@ in
};
settings = {
APP_URL = "https://${host}";
APP_KEY_FILE = "/run/secrets/pass";
# DB_PASSWORD_FILE = "/run/secrets/data";
# DB_CONNECTION = "pgsql";
# DB_HOST = "db";
# DB_DATABASE = "firefly";
# DB_USERNAME = "firefly";
APP_KEY_FILE = "/etc/firefly-secrets/pass";
DB_PASSWORD_FILE = "/etc/firefly-secrets/data";
DB_CONNECTION = "pgsql";
DB_HOST = "/run/postgresql";
DB_DATABASE = "firefly-iii";
DB_USERNAME = "firefly-iii";
MAIL_MAILER = smtpCfg.name;
MAIL_HOST = smtpCfg.hostname;
MAIL_PORT = smtpCfg.ports.port0;
MAIL_FROM = smtpCfg.email.address0;
MAIL_USERNAME = smtpCfg.email.address0;
MAIL_PASSWORD_FILE = "/run/secrets/smtp";
MAIL_PASSWORD_FILE = "/etc/firefly-secrets/smtp";
MAIL_ENCRYPTION = "tls";
SITE_OWNER = email.address2;
};
@ -63,7 +62,7 @@ in
caddy = {
enable = true;
virtualHosts."${serviceCfg.interface.ip}" = {
virtualHosts.":80" = {
extraConfig = ''
root * ${config.services.firefly-iii.package}/public
@ -76,16 +75,16 @@ in
};
};
# postgresql = {
# enable = true;
# ensureDatabases = [ "firefly" ];
# ensureUsers = [
# {
# name = "firefly";
# ensureDBOwnership = true;
# }
# ];
# };
postgresql = {
enable = true;
ensureDatabases = [ "firefly-iii" ];
ensureUsers = [
{
name = "firefly-iii";
ensureDBOwnership = true;
}
];
};
openssh = {
enable = true;
@ -117,10 +116,12 @@ in
RemainAfterExit = true;
};
script = ''
chown root:firefly-iii /run/secrets/pass
chown root:firefly-iii /run/secrets/smtp
chmod 0640 /run/secrets/pass
chmod 0640 /run/secrets/smtp
mkdir -p /etc/firefly-secrets
cp /run/secrets/pass /etc/firefly-secrets/pass
cp /run/secrets/data /etc/firefly-secrets/data
cp /run/secrets/smtp /etc/firefly-secrets/smtp
chmod 755 /etc/firefly-secrets
chmod 644 /etc/firefly-secrets/*
'';
};
systemd-networkd.wantedBy = [ "multi-user.target" ];
@ -128,7 +129,7 @@ in
network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s5";
matchConfig.Name = "enp0s6";
addresses = [
{ Address = "${serviceCfg.interface.ip}/24"; }
];
@ -183,15 +184,15 @@ in
{
mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}";
source = "${serviceCfg.mntPaths.path0}/data";
tag = "${serviceCfg.name}_data";
}
# {
# mountPoint = "/var/lib/postgresql";
# proto = "virtiofs";
# source = "${serviceCfg.mntPaths.path0}/database";
# tag = "${serviceCfg.name}_database";
# }
{
mountPoint = "/var/lib/postgresql";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}/database";
tag = "${serviceCfg.name}_database";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
@ -207,15 +208,15 @@ in
users.users.caddy.extraGroups = [ "acme" ];
security.acme.certs."${host}" = {
dnsProvider = dns0;
environmentFile = config.sops.secrets.${dns0Path}.path;
dnsProvider = dns;
environmentFile = config.sops.secrets.${dnsPath}.path;
group = "caddy";
};
systemd.tmpfiles.rules = [
"d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
# "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
# "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
"d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
"d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
];
sops = {
@ -225,7 +226,8 @@ in
name = "${serviceCfg.name}/${secret}";
value = {
owner = "root";
mode = "600";
group = "root";
mode = "0644";
};
})
[
@ -237,7 +239,7 @@ in
};
services.caddy.virtualHosts."${host}" = {
extraConfig = ''
reverse_proxy ${serviceCfg.interface.ip}:80
reverse_proxy http://${serviceCfg.interface.ip}:80
tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}

2177
modules/nixos/guests/mastodon/config/twitter.txt
View file

File diff suppressed because one or more lines are too long

121
modules/nixos/guests/mastodon/default.nix
View file

@ -52,16 +52,16 @@ in
${serviceCfg.name} = {
enable = true;
localDomain = host;
secretKeyBaseFile = "/run/mastodon-secrets/pass";
secretKeyBaseFile = "/etc/mastodon-secrets/pass";
streamingProcesses = 7;
trustedProxy = hostCfg.localhost.address1;
trustedProxy = hostCfg.localhost.address0;
automaticMigrations = true;
database = {
createLocally = true;
name = serviceCfg.name;
host = "/run/postgresql";
user = serviceCfg.name;
passwordFile = "/run/mastodon-secrets/database";
passwordFile = "/etc/mastodon-secrets/database";
};
extraConfig = {
SINGLE_USER_MODE = "true";
@ -116,7 +116,7 @@ in
createLocally = false;
fromAddress = "upRootNutrition <${smtpCfg.email.address1}>";
host = smtpCfg.hostname;
passwordFile = "/run/mastodon-secrets/smtp";
passwordFile = "/etc/mastodon-secrets/smtp";
port = smtpCfg.ports.port1;
user = smtpCfg.email.address1;
};
@ -134,7 +134,10 @@ in
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
reverse_proxy unix//run/mastodon-streaming/streaming.socket {
header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
}
}
route * {
@ -142,7 +145,10 @@ in
root ${pkgs.mastodon}/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket
reverse_proxy * unix//run/mastodon-web/web.socket {
header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
}
}
handle_errors {
@ -198,57 +204,52 @@ in
systemd = {
services = {
systemd-networkd.wantedBy = [ "multi-user.target" ];
mastodon-web.wantedBy = [ "multi-user.target" ];
mastodon-streaming-1.wantedBy = [ "multi-user.target" ];
mastodon-streaming-2.wantedBy = [ "multi-user.target" ];
mastodon-streaming-3.wantedBy = [ "multi-user.target" ];
mastodon-streaming-4.wantedBy = [ "multi-user.target" ];
mastodon-streaming-5.wantedBy = [ "multi-user.target" ];
mastodon-streaming-6.wantedBy = [ "multi-user.target" ];
mastodon-streaming-7.wantedBy = [ "multi-user.target" ];
mastodon-sidekiq-all.wantedBy = [ "multi-user.target" ];
mastodon-sidekiq-default.wantedBy = [ "multi-user.target" ];
mastodon-sidekiq-ingress.wantedBy = [ "multi-user.target" ];
mastodon-sidekiq-mailers.wantedBy = [ "multi-user.target" ];
mastodon-sidekiq-push-pull.wantedBy = [ "multi-user.target" ];
mastodon-init-db = {
environment = {
DISABLE_BOOTSNAP = "1";
};
mastodon-init-dirs = {
serviceConfig = {
TimeoutStartSec = "10min";
PrivateMounts = lib.mkForce false;
};
};
copy-secrets-to-tmpfs = {
description = "Copy secrets from virtiofs to tmpfs";
wantedBy = [ "multi-user.target" ];
mastodon-web = {
serviceConfig = {
PrivateMounts = lib.mkForce false;
};
};
mastodon-streaming-1 = {
serviceConfig = {
PrivateMounts = lib.mkForce false;
};
};
mastodon-streaming-2.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-streaming-3.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-streaming-4.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-streaming-5.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-streaming-6.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-streaming-7.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-sidekiq-all.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-sidekiq-default.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-sidekiq-ingress.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-sidekiq-mailers.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-sidekiq-push-pull.serviceConfig.PrivateMounts = lib.mkForce false;
mastodon-copy-secrets = {
description = "Copy secrets from virtiofs to local filesystem";
before = [ "mastodon-init-dirs.service" ];
requiredBy = [ "mastodon-init-dirs.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p /run/mastodon-secrets
mkdir -p /run/mastodon-web
cp /run/secrets/pass /run/mastodon-secrets/pass
cp /run/secrets/smtp /run/mastodon-secrets/smtp
cp /run/secrets/database /run/mastodon-secrets/database
cp /run/secrets/redis /run/mastodon-secrets/redis
chown root:mastodon /run/mastodon-secrets/*
chmod 0640 /run/mastodon-secrets/*
chown mastodon:mastodon /run/mastodon-web
chmod 0755 /run/mastodon-web
mkdir -p /etc/mastodon-secrets
cp /run/secrets/pass /etc/mastodon-secrets/pass
cp /run/secrets/database /etc/mastodon-secrets/database
cp /run/secrets/redis /etc/mastodon-secrets/redis
cp /run/secrets/smtp /etc/mastodon-secrets/smtp
chmod 755 /etc/mastodon-secrets
chmod 644 /etc/mastodon-secrets/*
'';
};
caddy = {
after = [ "copy-secrets-to-tmpfs.service" ];
requires = [ "copy-secrets-to-tmpfs.service" ];
serviceConfig.ReadWriteDirectories = lib.mkForce [
"/var/lib/caddy"
"/run/mastodon-web"
];
};
};
network = {
enable = true;
@ -267,10 +268,24 @@ in
];
};
};
services = {
mastodon-init-db = {
serviceConfig = {
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
};
};
systemd-tmpfiles-setup.after = [ "var-lib-mastodon.mount" ];
};
tmpfiles.rules = [
"Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"d /var/lib/mastodon 0755 mastodon mastodon -"
"Z /var/lib/mastodon 0755 mastodon mastodon -"
"Z /var/lib/postgresql 0755 postgres postgres -"
"d /var/cache/mastodon/precompile 0755 mastodon mastodon -"
"d /var/lib/mastodon/public-system 0755 mastodon mastodon -"
"d /var/lib/mastodon/public-system/accounts 0755 mastodon mastodon -"
"d /var/lib/mastodon/public-system/media_attachments 0755 mastodon mastodon -"
"d /var/lib/mastodon/public-system/media_attachments/files 0755 mastodon mastodon -"
"d /var/lib/mastodon/public-system/site_uploads 0755 mastodon mastodon -"
];
};
@ -335,7 +350,8 @@ in
name = "${serviceCfg.name}/${secret}";
value = {
owner = "root";
mode = "0600";
group = "root";
mode = "0644";
};
})
[
@ -351,12 +367,15 @@ in
"d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
"d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
"d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
];
services.caddy.virtualHosts."${host}" = {
extraConfig = ''
reverse_proxy http://${serviceCfg.interface.ip}:80
reverse_proxy http://${serviceCfg.interface.ip}:80 {
header_up X-Forwarded-Proto {scheme}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
}
tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}

43
modules/nixos/services/owncast/default.nix
View file

@ -1,43 +0,0 @@
{ flake, ... }:
let
inherit (flake.config.services.instances)
owncast
web
;
service = owncast;
localhost = web.localhost.address1;
host = service.domains.url0;
in
{
services = {
owncast = {
enable = true;
listen = localhost;
port = service.ports.port0;
openFirewall = true;
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
];
};
};
# OBS Server rtmp://192.168.50.140:1935/live
}