From dec853d164819d5cc98fe1c1c248e1bacb14bc97 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 12:22:04 +0100 Subject: [PATCH 01/10] nixos: services: paperless: fix classifier hangs This is an experimental fix to try and get around an issue with the default BLAS/LAPACK implementation. See [1] for more details. [1]: https://github.com/NixOS/nixpkgs/issues/240591 --- modules/nixos/services/paperless/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index f528ad7..eaf39b7 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.my.services.paperless; in @@ -80,6 +80,9 @@ in # Misc PAPERLESS_TIME_ZONE = config.time.timeZone; PAPERLESS_ADMIN_USER = cfg.username; + + # Fix classifier hangs + LD_LIBRARY_PATH = "${lib.getLib pkgs.lapack-reference}/lib"; }; # Admin password From caa4cf6b12da6a24304e4eb3769f7832c38fb58f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 12:38:48 +0100 Subject: [PATCH 02/10] flake: bump inputs --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index acf6c48..7714038 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "lastModified": 1706569497, + "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "rev": "60c614008eed1d0383d21daac177a3e036192ed8", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1705879479, - "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=", + "lastModified": 1706473109, + "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=", "owner": "nix-community", "repo": "home-manager", - "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913", + "rev": "d634c3abafa454551f2083b054cd95c3f287be61", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1706371002, + "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1705927265, - "narHash": "sha256-eUUIBb3qYMrQB0ONGEj2kzKN8yzqwDmR4+Ct5/dvJcs=", + "lastModified": 1706613454, + "narHash": "sha256-oekBAKlWhNgs4MCORSrZnswYTwD5h7HQkDDFf6INAZs=", "owner": "nix-community", "repo": "NUR", - "rev": "a29c6f71063d0ce903e927fa7885651c00abd33b", + "rev": "ce9c09fbd09d8cccb7353fe32bdfbd39ff3cb7be", "type": "github" }, "original": { @@ -197,11 +197,11 @@ ] }, "locked": { - "lastModified": 1705757126, - "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=", + "lastModified": 1706424699, + "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc", + "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf", "type": "github" }, "original": { From 0290dcdca7e1c630474e9f88227fc92e7a0f31e5 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 13:21:50 +0100 Subject: [PATCH 03/10] nixos: services: nextcloud: fix renamed option --- modules/nixos/services/nextcloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index 580e9ea..51195df 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -45,7 +45,7 @@ in https = true; - extraOptions = { + settings = { overwriteprotocol = "https"; # Nginx only allows SSL }; From 60ad815d48615dbdadcc6d9d0aae1f4d3c57fed0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Dec 2023 23:27:04 +0100 Subject: [PATCH 04/10] nixos: services: add aria --- modules/nixos/services/aria/default.nix | 76 +++++++++++++++++++++++++ modules/nixos/services/default.nix | 1 + 2 files changed, 77 insertions(+) create mode 100644 modules/nixos/services/aria/default.nix diff --git a/modules/nixos/services/aria/default.nix b/modules/nixos/services/aria/default.nix new file mode 100644 index 0000000..2d1b3e2 --- /dev/null +++ b/modules/nixos/services/aria/default.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.my.services.aria; +in +{ + options.my.services.aria = with lib; { + enable = mkEnableOption ""; + + rpcSecretFile = mkOption { + type = types.str; + example = "/run/secrets/aria-secret.txt"; + description = '' + File containing the RPC secret. + ''; + }; + + rpcPort = mkOption { + type = types.port; + default = 6800; + example = 8080; + description = "RPC port"; + }; + + downloadDir = mkOption { + type = types.str; + default = "/data/downloads"; + example = "/var/lib/transmission/download"; + description = "Download directory"; + }; + }; + + config = lib.mkIf cfg.enable { + services.aria2 = { + enable = true; + + inherit (cfg) downloadDir rpcSecretFile; + + rpcListenPort = cfg.rpcPort; + openPorts = false; # I don't want to expose the RPC port + }; + + # Expose DHT ports + networking.firewall = { + # FIXME: check for overlap? + allowedUDPPortRanges = config.services.aria2.listenPortRange; + }; + + # Set-up media group + users.groups.media = { }; + + systemd.services.aria2 = { + serviceConfig = { + Group = lib.mkForce "media"; # Use 'media' group + }; + }; + + my.services.nginx.virtualHosts = { + aria = { + root = "${pkgs.ariang}/share/ariang"; + # For paranoia, don't allow anybody to use the UI unauthenticated + sso = { + enable = true; + }; + }; + aria-rpc = { + port = cfg.rpcPort; + # Proxy websockets for RPC + extraConfig = { + locations."/".proxyWebsockets = true; + }; + }; + }; + + # NOTE: unfortunately aria2 does not log connection failures for fail2ban + }; +} diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index b27570d..3e2b3c8 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -3,6 +3,7 @@ { imports = [ ./adblock + ./aria ./backup ./blog ./calibre-web From 07fbdfd51950e19a203b6e5b86adb31ced16314f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 13:37:26 +0100 Subject: [PATCH 05/10] hosts: nixos: porthos: secrets: add aria RPC token --- hosts/nixos/porthos/secrets/aria/rpc-token.age | 7 +++++++ hosts/nixos/porthos/secrets/secrets.nix | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/aria/rpc-token.age diff --git a/hosts/nixos/porthos/secrets/aria/rpc-token.age b/hosts/nixos/porthos/secrets/aria/rpc-token.age new file mode 100644 index 0000000..e6a42c5 --- /dev/null +++ b/hosts/nixos/porthos/secrets/aria/rpc-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg fpiyZo1AR5hCfk/KtbgWCTzz+05/VOUnnaHhWgXQRwc +d2w9IX/kq/T6OwQ1zImsCmzIX2yfFD8hQDbs0IW3ZIA +-> ssh-ed25519 jPowng E9R7p9NCubUQrymjnrNfEjSNIIAXrBQLogNkWsOx8xc +MrWEE5LNtOqAjnwA6byfSa1udnbUtqBy4FhdxipuA+g +--- fKgerjgGs+brvNKnrWdpmOadl34LipMT6Msqse2g3E0 +E9flKYRL-Ƿ\EK{7oXGxT)˜6%LOT**8\@G \ No newline at end of file diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix index ed6c2fd..7dd34df 100644 --- a/hosts/nixos/porthos/secrets/secrets.nix +++ b/hosts/nixos/porthos/secrets/secrets.nix @@ -12,6 +12,8 @@ in { "acme/dns-key.age".publicKeys = all; + "aria/rpc-token.age".publicKeys = all; + "backup/password.age".publicKeys = all; "backup/credentials.age".publicKeys = all; From e2ec4d3032ee3d3dc3be935b0e2af9ad7ff0c511 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 12:22:04 +0100 Subject: [PATCH 06/10] nixos: services: paperless: fix classifier hangs This is an experimental fix to try and get around an issue with the default BLAS/LAPACK implementation. See [1] for more details. [1]: https://github.com/NixOS/nixpkgs/issues/240591 --- modules/nixos/services/paperless/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index f528ad7..f62879a 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.my.services.paperless; in @@ -80,6 +80,9 @@ in # Misc PAPERLESS_TIME_ZONE = config.time.timeZone; PAPERLESS_ADMIN_USER = cfg.username; + + # Fix classifier hangs + LD_LIBRARY_PATH = "${lib.getLib pkgs.mkl}/lib"; }; # Admin password From 1655afcedf07197fc1ba25c945a2a4fcfb60cf6a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 12:38:48 +0100 Subject: [PATCH 07/10] flake: bump inputs --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index acf6c48..7714038 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "lastModified": 1706569497, + "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "rev": "60c614008eed1d0383d21daac177a3e036192ed8", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1705879479, - "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=", + "lastModified": 1706473109, + "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=", "owner": "nix-community", "repo": "home-manager", - "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913", + "rev": "d634c3abafa454551f2083b054cd95c3f287be61", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1706371002, + "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1705927265, - "narHash": "sha256-eUUIBb3qYMrQB0ONGEj2kzKN8yzqwDmR4+Ct5/dvJcs=", + "lastModified": 1706613454, + "narHash": "sha256-oekBAKlWhNgs4MCORSrZnswYTwD5h7HQkDDFf6INAZs=", "owner": "nix-community", "repo": "NUR", - "rev": "a29c6f71063d0ce903e927fa7885651c00abd33b", + "rev": "ce9c09fbd09d8cccb7353fe32bdfbd39ff3cb7be", "type": "github" }, "original": { @@ -197,11 +197,11 @@ ] }, "locked": { - "lastModified": 1705757126, - "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=", + "lastModified": 1706424699, + "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc", + "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf", "type": "github" }, "original": { From 02412f2578eabbc030b9a34d6458d2f42070e84d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 13:21:50 +0100 Subject: [PATCH 08/10] nixos: services: nextcloud: fix renamed option --- modules/nixos/services/nextcloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index 580e9ea..51195df 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -45,7 +45,7 @@ in https = true; - extraOptions = { + settings = { overwriteprotocol = "https"; # Nginx only allows SSL }; From cc029f7933b73785c5a64aaed02188498b277fb2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Dec 2023 23:27:04 +0100 Subject: [PATCH 09/10] nixos: services: add aria --- modules/nixos/services/aria/default.nix | 76 +++++++++++++++++++++++++ modules/nixos/services/default.nix | 1 + 2 files changed, 77 insertions(+) create mode 100644 modules/nixos/services/aria/default.nix diff --git a/modules/nixos/services/aria/default.nix b/modules/nixos/services/aria/default.nix new file mode 100644 index 0000000..2d1b3e2 --- /dev/null +++ b/modules/nixos/services/aria/default.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.my.services.aria; +in +{ + options.my.services.aria = with lib; { + enable = mkEnableOption ""; + + rpcSecretFile = mkOption { + type = types.str; + example = "/run/secrets/aria-secret.txt"; + description = '' + File containing the RPC secret. + ''; + }; + + rpcPort = mkOption { + type = types.port; + default = 6800; + example = 8080; + description = "RPC port"; + }; + + downloadDir = mkOption { + type = types.str; + default = "/data/downloads"; + example = "/var/lib/transmission/download"; + description = "Download directory"; + }; + }; + + config = lib.mkIf cfg.enable { + services.aria2 = { + enable = true; + + inherit (cfg) downloadDir rpcSecretFile; + + rpcListenPort = cfg.rpcPort; + openPorts = false; # I don't want to expose the RPC port + }; + + # Expose DHT ports + networking.firewall = { + # FIXME: check for overlap? + allowedUDPPortRanges = config.services.aria2.listenPortRange; + }; + + # Set-up media group + users.groups.media = { }; + + systemd.services.aria2 = { + serviceConfig = { + Group = lib.mkForce "media"; # Use 'media' group + }; + }; + + my.services.nginx.virtualHosts = { + aria = { + root = "${pkgs.ariang}/share/ariang"; + # For paranoia, don't allow anybody to use the UI unauthenticated + sso = { + enable = true; + }; + }; + aria-rpc = { + port = cfg.rpcPort; + # Proxy websockets for RPC + extraConfig = { + locations."/".proxyWebsockets = true; + }; + }; + }; + + # NOTE: unfortunately aria2 does not log connection failures for fail2ban + }; +} diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index b27570d..3e2b3c8 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -3,6 +3,7 @@ { imports = [ ./adblock + ./aria ./backup ./blog ./calibre-web From 16f98f144eaf68b024090d60c1db2e7e29b7aa04 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 13:37:26 +0100 Subject: [PATCH 10/10] hosts: nixos: porthos: secrets: add aria RPC token --- hosts/nixos/porthos/secrets/aria/rpc-token.age | 7 +++++++ hosts/nixos/porthos/secrets/secrets.nix | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/aria/rpc-token.age diff --git a/hosts/nixos/porthos/secrets/aria/rpc-token.age b/hosts/nixos/porthos/secrets/aria/rpc-token.age new file mode 100644 index 0000000..e6a42c5 --- /dev/null +++ b/hosts/nixos/porthos/secrets/aria/rpc-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg fpiyZo1AR5hCfk/KtbgWCTzz+05/VOUnnaHhWgXQRwc +d2w9IX/kq/T6OwQ1zImsCmzIX2yfFD8hQDbs0IW3ZIA +-> ssh-ed25519 jPowng E9R7p9NCubUQrymjnrNfEjSNIIAXrBQLogNkWsOx8xc +MrWEE5LNtOqAjnwA6byfSa1udnbUtqBy4FhdxipuA+g +--- fKgerjgGs+brvNKnrWdpmOadl34LipMT6Msqse2g3E0 +E9flKYRL-Ƿ\EK{7oXGxT)˜6%LOT**8\@G \ No newline at end of file diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix index ed6c2fd..7dd34df 100644 --- a/hosts/nixos/porthos/secrets/secrets.nix +++ b/hosts/nixos/porthos/secrets/secrets.nix @@ -12,6 +12,8 @@ in { "acme/dns-key.age".publicKeys = all; + "aria/rpc-token.age".publicKeys = all; + "backup/password.age".publicKeys = all; "backup/credentials.age".publicKeys = all;