diff --git a/flake.lock b/flake.lock index 8a54c50..ad01b76 100644 --- a/flake.lock +++ b/flake.lock @@ -14,11 +14,11 @@ ] }, "locked": { - "lastModified": 1736955230, - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { @@ -36,11 +36,11 @@ ] }, "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", "type": "github" }, "original": { @@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1751413152, + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", "type": "github" }, "original": { @@ -117,11 +117,11 @@ ] }, "locked": { - "lastModified": 1742649964, - "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { @@ -159,11 +159,11 @@ ] }, "locked": { - "lastModified": 1743869639, - "narHash": "sha256-Xhe3whfRW/Ay05z9m1EZ1/AkbV1yo0tm1CbgjtCi4rQ=", + "lastModified": 1752467539, + "narHash": "sha256-4kaR+xmng9YPASckfvIgl5flF/1nAZOplM+Wp9I5SMI=", "owner": "nix-community", "repo": "home-manager", - "rev": "d094c6763c6ddb860580e7d3b4201f8f496a6836", + "rev": "1e54837569e0b80797c47be4720fab19e0db1616", "type": "github" }, "original": { @@ -183,11 +183,11 @@ ] }, "locked": { - "lastModified": 1713543440, - "narHash": "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=", + "lastModified": 1752054764, + "narHash": "sha256-Ob/HuUhANoDs+nvYqyTKrkcPXf4ZgXoqMTQoCK0RFgQ=", "owner": "nix-community", "repo": "nixGL", - "rev": "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a", + "rev": "a8e1ce7d49a149ed70df676785b07f63288f53c5", "type": "github" }, "original": { @@ -199,11 +199,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1743689281, - "narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=", + "lastModified": 1752644555, + "narHash": "sha256-oeRcp4VEyZ/3ZgfRRoq60/08l2zy0K53l8MdfSIYd24=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2bfc080955153be0be56724be6fa5477b4eefabb", + "rev": "9100a4f6bf446603b9575927c8585162f9ec9aa6", "type": "github" }, "original": { diff --git a/flake/home-manager.nix b/flake/home-manager.nix index 093ae8c..88a74e8 100644 --- a/flake/home-manager.nix +++ b/flake/home-manager.nix @@ -22,10 +22,6 @@ let ]; mkHome = name: system: inputs.home-manager.lib.homeManagerConfiguration { - # Work-around for home-manager - # * not letting me set `lib` as an extraSpecialArgs - # * not respecting `nixpkgs.overlays` [1] - # [1]: https://github.com/nix-community/home-manager/issues/2954 pkgs = inputs.nixpkgs.legacyPackages.${system}; modules = defaultModules ++ [ diff --git a/flake/nixos.nix b/flake/nixos.nix index bf9eac8..0fbd3a6 100644 --- a/flake/nixos.nix +++ b/flake/nixos.nix @@ -15,8 +15,10 @@ let ]; buildHost = name: system: lib.nixosSystem { - inherit system; modules = defaultModules ++ [ + { + nixpkgs.hostPlatform = system; + } "${self}/hosts/nixos/${name}" ]; specialArgs = { diff --git a/hosts/homes/ambroisie@bazin/default.nix b/hosts/homes/ambroisie@bazin/default.nix index f52fbce..365b70d 100644 --- a/hosts/homes/ambroisie@bazin/default.nix +++ b/hosts/homes/ambroisie@bazin/default.nix @@ -4,6 +4,20 @@ services.gpg-agent.enable = lib.mkForce false; my.home = { + atuin = { + package = pkgs.stdenv.mkDerivation { + pname = "atuin"; + version = "18.4.0"; + + buildCommand = '' + mkdir -p $out/bin + ln -s /usr/bin/atuin $out/bin/atuin + ''; + + meta.mainProgram = "atuin"; + }; + }; + git = { package = pkgs.emptyDirectory; }; diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index 37884d7..1383618 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -7,6 +7,20 @@ services.gpg-agent.enable = lib.mkForce false; my.home = { + atuin = { + package = pkgs.stdenv.mkDerivation { + pname = "atuin"; + version = "18.4.0"; + + buildCommand = '' + mkdir -p $out/bin + ln -s /usr/bin/atuin $out/bin/atuin + ''; + + meta.mainProgram = "atuin"; + }; + }; + git = { package = pkgs.emptyDirectory; }; diff --git a/hosts/nixos/aramis/home.nix b/hosts/nixos/aramis/home.nix index 64b63ce..221b1ea 100644 --- a/hosts/nixos/aramis/home.nix +++ b/hosts/nixos/aramis/home.nix @@ -20,7 +20,7 @@ element-desktop # Matrix client jellyfin-media-player # Wraps the webui and mpv together pavucontrol # Audio mixer GUI - transgui # Transmission remote + trgui-ng # Transmission remote ]; # Minimal video player mpv.enable = true; diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix index 425756c..b3812b4 100644 --- a/hosts/nixos/porthos/secrets/secrets.nix +++ b/hosts/nixos/porthos/secrets/secrets.nix @@ -81,6 +81,7 @@ in "pyload/credentials.age".publicKeys = all; "servarr/autobrr/session-secret.age".publicKeys = all; + "servarr/cross-seed/configuration.json.age".publicKeys = all; "sso/auth-key.age" = { owner = "nginx-sso"; diff --git a/hosts/nixos/porthos/secrets/servarr/cross-seed/configuration.json.age b/hosts/nixos/porthos/secrets/servarr/cross-seed/configuration.json.age new file mode 100644 index 0000000..e319f3a Binary files /dev/null and b/hosts/nixos/porthos/secrets/servarr/cross-seed/configuration.json.age differ diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 784eb31..96f15d3 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -51,6 +51,10 @@ in passwordFile = secrets."forgejo/mail-password".path; }; }; + # Home inventory + homebox = { + enable = true; + }; # Jellyfin media server jellyfin.enable = true; # Gitea mirrorig service @@ -144,6 +148,9 @@ in autobrr = { sessionSecretFile = secrets."servarr/autobrr/session-secret".path; }; + cross-seed = { + secretSettingsFile = secrets."servarr/cross-seed/configuration.json".path; + }; # ... But not Lidarr because I don't care for music that much lidarr = { enable = false; diff --git a/modules/home/atuin/default.nix b/modules/home/atuin/default.nix index 3f06263..dbd9690 100644 --- a/modules/home/atuin/default.nix +++ b/modules/home/atuin/default.nix @@ -8,6 +8,10 @@ in # I want the full experience by default package = mkPackageOption pkgs "atuin" { }; + + daemon = { + enable = my.mkDisableOption "atuin daemon"; + }; }; config = lib.mkIf cfg.enable { @@ -15,12 +19,18 @@ in enable = true; inherit (cfg) package; + daemon = lib.mkIf cfg.daemon.enable { + enable = true; + }; + flags = [ # I *despise* this hijacking of the up key, even though I use Ctrl-p "--disable-up-arrow" ]; settings = { + # Reasonable date format + dialect = "uk"; # The package is managed by Nix update_check = false; # I don't care for the fancy display diff --git a/modules/home/default.nix b/modules/home/default.nix index dd3e3cb..c85e34f 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -8,6 +8,7 @@ ./bluetooth ./calibre ./comma + ./delta ./dircolors ./direnv ./discord @@ -51,9 +52,6 @@ # First sane reproducible version home.stateVersion = "20.09"; - # Who am I? - home.username = "ambroisie"; - # Start services automatically systemd.user.startServices = "sd-switch"; } diff --git a/modules/home/delta/default.nix b/modules/home/delta/default.nix new file mode 100644 index 0000000..58ee031 --- /dev/null +++ b/modules/home/delta/default.nix @@ -0,0 +1,68 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.my.home.delta; +in +{ + options.my.home.delta = with lib; { + enable = my.mkDisableOption "delta configuration"; + + package = mkPackageOption pkgs "delta" { }; + + git = { + enable = my.mkDisableOption "git integration"; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + # For its configuration + assertion = cfg.enable -> cfg.git.enable; + message = '' + `config.my.home.delta` must enable `config.my.home.delta.git` to be + properly configured. + ''; + } + { + assertion = cfg.enable -> config.programs.git.enable; + message = '' + `config.my.home.delta` relies on `config.programs.git` to be + enabled. + ''; + } + ]; + + home.packages = [ cfg.package ]; + + programs.git = lib.mkIf cfg.git.enable { + delta = { + enable = true; + inherit (cfg) package; + + options = { + features = "diff-highlight decorations"; + + # Less jarring style for `diff-highlight` emulation + diff-highlight = { + minus-style = "red"; + minus-non-emph-style = "red"; + minus-emph-style = "bold red 52"; + + plus-style = "green"; + plus-non-emph-style = "green"; + plus-emph-style = "bold green 22"; + + whitespace-error-style = "reverse red"; + }; + + # Personal preference for easier reading + decorations = { + commit-style = "raw"; # Do not recolor meta information + keep-plus-minus-markers = true; + paging = "always"; + }; + }; + }; + }; + }; +} diff --git a/modules/home/direnv/lib/python.sh b/modules/home/direnv/lib/python.sh index b4b2bce..b1be8a9 100644 --- a/modules/home/direnv/lib/python.sh +++ b/modules/home/direnv/lib/python.sh @@ -46,7 +46,7 @@ layout_uv() { fi # create venv if it doesn't exist - uv venv -q + uv venv -q --allow-existing export VIRTUAL_ENV export UV_ACTIVE=1 diff --git a/modules/home/firefox/tridactyl/default.nix b/modules/home/firefox/tridactyl/default.nix index 35b58c2..26ddfad 100644 --- a/modules/home/firefox/tridactyl/default.nix +++ b/modules/home/firefox/tridactyl/default.nix @@ -12,9 +12,7 @@ let in { config = lib.mkIf cfg.enable { - xdg.configFile."tridactyl/tridactylrc".source = pkgs.substituteAll { - src = ./tridactylrc; - + xdg.configFile."tridactyl/tridactylrc".source = pkgs.replaceVars ./tridactylrc { editorcmd = lib.concatStringsSep " " [ # Use my configured terminal term diff --git a/modules/home/git/default.nix b/modules/home/git/default.nix index c88008f..ca59a5f 100644 --- a/modules/home/git/default.nix +++ b/modules/home/git/default.nix @@ -42,34 +42,6 @@ in lfs.enable = true; - delta = { - enable = true; - - options = { - features = "diff-highlight decorations"; - - # Less jarring style for `diff-highlight` emulation - diff-highlight = { - minus-style = "red"; - minus-non-emph-style = "red"; - minus-emph-style = "bold red 52"; - - plus-style = "green"; - plus-non-emph-style = "green"; - plus-emph-style = "bold green 22"; - - whitespace-error-style = "reverse red"; - }; - - # Personal preference for easier reading - decorations = { - commit-style = "raw"; # Do not recolor meta information - keep-plus-minus-markers = true; - paging = "always"; - }; - }; - }; - # There's more extraConfig = { # Makes it a bit more readable diff --git a/modules/home/gpg/default.nix b/modules/home/gpg/default.nix index 51c865a..2a00baf 100644 --- a/modules/home/gpg/default.nix +++ b/modules/home/gpg/default.nix @@ -17,7 +17,7 @@ in services.gpg-agent = { enable = true; enableSshSupport = true; # One agent to rule them all - pinentryPackage = cfg.pinentry; + pinentry.package = cfg.pinentry; extraConfig = '' allow-loopback-pinentry ''; diff --git a/modules/home/tmux/default.nix b/modules/home/tmux/default.nix index 08b9202..3ea047a 100644 --- a/modules/home/tmux/default.nix +++ b/modules/home/tmux/default.nix @@ -6,7 +6,7 @@ let (config.my.home.wm.windowManager != null) ]; - mkTerminalFlags = opt: flag: + mkTerminalFeature = opt: flag: let mkFlag = term: ''set -as terminal-features ",${term}:${flag}"''; enabledTerminals = lib.filterAttrs (_: v: v.${opt}) cfg.terminalFeatures; @@ -48,7 +48,7 @@ in keyMode = "vi"; # Home-row keys and other niceties clock24 = true; # I'm one of those heathens escapeTime = 0; # Let vim do its thing instead - historyLimit = 100000; # Bigger buffer + historyLimit = 1000000; # Bigger buffer mouse = false; # I dislike mouse support focusEvents = true; # Report focus events terminal = "tmux-256color"; # I want accurate termcap info @@ -123,9 +123,9 @@ in } # Force OSC8 hyperlinks for each relevant $TERM - ${mkTerminalFlags "hyperlinks" "hyperlinks"} + ${mkTerminalFeature "hyperlinks" "hyperlinks"} # Force 24-bit color for each relevant $TERM - ${mkTerminalFlags "trueColor" "RGB"} + ${mkTerminalFeature "trueColor" "RGB"} ''; }; } diff --git a/modules/home/vim/after/queries/gitcommit/highlights.scm b/modules/home/vim/after/queries/gitcommit/highlights.scm new file mode 100644 index 0000000..05162c9 --- /dev/null +++ b/modules/home/vim/after/queries/gitcommit/highlights.scm @@ -0,0 +1,6 @@ +; extends + +; Highlight over-extended subject lines (rely on wrapping for message body) +((subject) @comment.error + (#vim-match? @comment.error ".\{50,}") + (#offset! @comment.error 0 50 0 0)) diff --git a/modules/home/vim/default.nix b/modules/home/vim/default.nix index 20a74ff..930a853 100644 --- a/modules/home/vim/default.nix +++ b/modules/home/vim/default.nix @@ -80,7 +80,6 @@ in nvim-surround # Deal with pairs, now in Lua oil-nvim # Better alternative to NetrW telescope-fzf-native-nvim # Use 'fzf' fuzzy matching algorithm - telescope-lsp-handlers-nvim # Use 'telescope' for various LSP actions telescope-nvim # Fuzzy finder interface which-key-nvim # Show available mappings ]; diff --git a/modules/home/vim/lua/ambroisie/lsp.lua b/modules/home/vim/lua/ambroisie/lsp.lua index e48de12..fef0487 100644 --- a/modules/home/vim/lua/ambroisie/lsp.lua +++ b/modules/home/vim/lua/ambroisie/lsp.lua @@ -53,6 +53,10 @@ M.on_attach = function(client, bufnr) vim.diagnostic.open_float(nil, { scope = "buffer" }) end + local function toggle_inlay_hints() + vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled()) + end + local keys = { buffer = bufnr, -- LSP navigation @@ -67,6 +71,7 @@ M.on_attach = function(client, bufnr) { "ca", vim.lsp.buf.code_action, desc = "Code actions" }, { "cd", cycle_diagnostics_display, desc = "Cycle diagnostics display" }, { "cD", show_buffer_diagnostics, desc = "Show buffer diagnostics" }, + { "ch", toggle_inlay_hints, desc = "Toggle inlay hints" }, { "cr", vim.lsp.buf.rename, desc = "Rename symbol" }, { "cs", vim.lsp.buf.signature_help, desc = "Show signature" }, { "ct", vim.lsp.buf.type_definition, desc = "Go to type definition" }, diff --git a/modules/home/vim/plugin/numbertoggle.lua b/modules/home/vim/plugin/numbertoggle.lua index 8042710..b1e3df2 100644 --- a/modules/home/vim/plugin/numbertoggle.lua +++ b/modules/home/vim/plugin/numbertoggle.lua @@ -22,13 +22,3 @@ vim.api.nvim_create_autocmd({ "BufLeave", "FocusLost", "InsertEnter", "WinLeave" end end, }) - --- Never show the sign column in a terminal buffer -vim.api.nvim_create_autocmd({ "TermOpen" }, { - pattern = "*", - group = numbertoggle, - callback = function() - vim.opt.number = false - vim.opt.relativenumber = false - end, -}) diff --git a/modules/home/vim/plugin/settings/telescope.lua b/modules/home/vim/plugin/settings/telescope.lua index 1a23928..810d51c 100644 --- a/modules/home/vim/plugin/settings/telescope.lua +++ b/modules/home/vim/plugin/settings/telescope.lua @@ -23,7 +23,6 @@ telescope.setup({ }) telescope.load_extension("fzf") -telescope.load_extension("lsp_handlers") local keys = { { "f", group = "Fuzzy finder" }, diff --git a/modules/home/vim/plugin/signtoggle.lua b/modules/home/vim/plugin/signtoggle.lua index 9765a81..3deca34 100644 --- a/modules/home/vim/plugin/signtoggle.lua +++ b/modules/home/vim/plugin/signtoggle.lua @@ -1,26 +1,21 @@ local signtoggle = vim.api.nvim_create_augroup("signtoggle", { clear = true }) --- Only show sign column for the currently focused buffer +-- Only show sign column for the currently focused buffer, if it has a number column vim.api.nvim_create_autocmd({ "BufEnter", "FocusGained", "WinEnter" }, { pattern = "*", group = signtoggle, callback = function() - vim.opt.signcolumn = "yes" + if vim.opt.number:get() then + vim.opt.signcolumn = "yes" + end end, }) vim.api.nvim_create_autocmd({ "BufLeave", "FocusLost", "WinLeave" }, { pattern = "*", group = signtoggle, callback = function() - vim.opt.signcolumn = "no" - end, -}) - --- Never show the sign column in a terminal buffer -vim.api.nvim_create_autocmd({ "TermOpen" }, { - pattern = "*", - group = signtoggle, - callback = function() - vim.opt.signcolumn = "no" + if vim.opt.number:get() then + vim.opt.signcolumn = "no" + end end, }) diff --git a/modules/home/wm/i3/default.nix b/modules/home/wm/i3/default.nix index 029a14b..5f22bbe 100644 --- a/modules/home/wm/i3/default.nix +++ b/modules/home/wm/i3/default.nix @@ -127,6 +127,7 @@ in { class = "^Blueman-.*$"; } { title = "^htop$"; } { class = "^Thunderbird$"; instance = "Mailnews"; window_role = "filterlist"; } + { class = "^firefox$"; instance = "Places"; window_role = "Organizer"; } { class = "^pavucontrol.*$"; } { class = "^Arandr$"; } { class = "^\\.blueman-manager-wrapped$"; } diff --git a/modules/nixos/profiles/wm/default.nix b/modules/nixos/profiles/wm/default.nix index c227328..bca4d70 100644 --- a/modules/nixos/profiles/wm/default.nix +++ b/modules/nixos/profiles/wm/default.nix @@ -24,6 +24,8 @@ in my.home.udiskie.enable = true; # udiskie fails if it can't find this dbus service services.udisks2.enable = true; + # Ensure i3lock can actually unlock the session + security.pam.services.i3lock.enable = true; }) ]; } diff --git a/modules/nixos/services/drone/server/default.nix b/modules/nixos/services/drone/server/default.nix index a3a1e49..d6148f4 100644 --- a/modules/nixos/services/drone/server/default.nix +++ b/modules/nixos/services/drone/server/default.nix @@ -6,8 +6,8 @@ in config = lib.mkIf cfg.enable { systemd.services.drone-server = { wantedBy = [ "multi-user.target" ]; - after = [ "postgresql.service" ]; - requires = [ "postgresql.service" ]; + after = [ "postgresql.target" ]; + requires = [ "postgresql.target" ]; serviceConfig = { EnvironmentFile = [ cfg.secretFile diff --git a/modules/nixos/services/homebox/default.nix b/modules/nixos/services/homebox/default.nix index d79e331..8ed5d77 100644 --- a/modules/nixos/services/homebox/default.nix +++ b/modules/nixos/services/homebox/default.nix @@ -19,6 +19,11 @@ in services.homebox = { enable = true; + # Automatic PostgreSQL provisioning + database = { + createLocally = true; + }; + settings = { # FIXME: mailer? HBOX_WEB_PORT = toString cfg.port; @@ -28,6 +33,7 @@ in my.services.nginx.virtualHosts = { homebox = { inherit (cfg) port; + websocketsLocations = [ "/api" ]; }; }; diff --git a/modules/nixos/services/mealie/default.nix b/modules/nixos/services/mealie/default.nix index 664d5ba..8c02398 100644 --- a/modules/nixos/services/mealie/default.nix +++ b/modules/nixos/services/mealie/default.nix @@ -32,33 +32,14 @@ in BASE_URL = "https://mealie.${config.networking.domain}"; TZ = config.time.timeZone; ALLOw_SIGNUP = "false"; - - # Use PostgreSQL - DB_ENGINE = "postgres"; - # Make it work with socket auth - POSTGRES_URL_OVERRIDE = "postgresql://mealie:@/mealie?host=/run/postgresql"; }; - }; - systemd.services = { - mealie = { - after = [ "postgresql.service" ]; - requires = [ "postgresql.service" ]; + # Automatic PostgreSQL provisioning + database = { + createLocally = true; }; }; - # Set-up database - services.postgresql = { - enable = true; - ensureDatabases = [ "mealie" ]; - ensureUsers = [ - { - name = "mealie"; - ensureDBOwnership = true; - } - ]; - }; - my.services.nginx.virtualHosts = { mealie = { inherit (cfg) port; diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index cf1b876..d8d4fce 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -44,11 +44,15 @@ in adminuser = cfg.admin; adminpassFile = cfg.passwordFile; dbtype = "pgsql"; - dbhost = "/run/postgresql"; }; https = true; + # Automatic PostgreSQL provisioning + database = { + createLocally = true; + }; + settings = { overwriteprotocol = "https"; # Nginx only allows SSL }; @@ -60,22 +64,6 @@ in }; }; - services.postgresql = { - enable = true; - ensureDatabases = [ "nextcloud" ]; - ensureUsers = [ - { - name = "nextcloud"; - ensureDBOwnership = true; - } - ]; - }; - - systemd.services."nextcloud-setup" = { - requires = [ "postgresql.service" ]; - after = [ "postgresql.service" ]; - }; - # The service above configures the domain, no need for my wrapper services.nginx.virtualHosts."nextcloud.${config.networking.domain}" = { forceSSL = true; diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index 63f456b..1195977 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -52,30 +52,28 @@ in mediaDir = lib.mkIf (cfg.documentPath != null) cfg.documentPath; - settings = - let - paperlessDomain = "paperless.${config.networking.domain}"; - in - { - # Use SSO - PAPERLESS_ENABLE_HTTP_REMOTE_USER = true; - PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_USER"; + settings = { + # Use SSO + PAPERLESS_ENABLE_HTTP_REMOTE_USER = true; + PAPERLESS_ENABLE_HTTP_REMOTE_USER_API = true; + PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_USER"; - # Security settings - PAPERLESS_ALLOWED_HOSTS = paperlessDomain; - PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; + # Security settings + PAPERLESS_URL = "https://paperless.${config.networking.domain}"; + PAPERLESS_USE_X_FORWARD_HOST = true; + PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ]; - # OCR settings - PAPERLESS_OCR_LANGUAGE = "fra+eng"; + # OCR settings + PAPERLESS_OCR_LANGUAGE = "fra+eng"; - # Workers - PAPERLESS_TASK_WORKERS = 3; - PAPERLESS_THREADS_PER_WORKER = 4; + # Workers + PAPERLESS_TASK_WORKERS = 3; + PAPERLESS_THREADS_PER_WORKER = 4; - # Misc - PAPERLESS_TIME_ZONE = config.time.timeZone; - PAPERLESS_ADMIN_USER = cfg.username; - }; + # Misc + PAPERLESS_TIME_ZONE = config.time.timeZone; + PAPERLESS_ADMIN_USER = cfg.username; + }; # Admin password passwordFile = cfg.passwordFile; diff --git a/modules/nixos/services/servarr/autobrr.nix b/modules/nixos/services/servarr/autobrr.nix index afb07f4..c3370cb 100644 --- a/modules/nixos/services/servarr/autobrr.nix +++ b/modules/nixos/services/servarr/autobrr.nix @@ -1,4 +1,4 @@ -# IRC-based +# IRC-based indexer { config, lib, ... }: let cfg = config.my.services.servarr.autobrr; @@ -40,6 +40,7 @@ in my.services.nginx.virtualHosts = { autobrr = { inherit (cfg) port; + websocketsLocations = [ "/api" ]; }; }; @@ -54,7 +55,7 @@ in environment.etc = { "fail2ban/filter.d/autobrr.conf".text = '' [Definition] - failregex = ^.*Auth: invalid login \[.*\] from: $ + failregex = "message":"Auth: Failed login attempt username: \[.*\] ip: " journalmatch = _SYSTEMD_UNIT=autobrr.service ''; }; diff --git a/modules/nixos/services/servarr/cross-seed.nix b/modules/nixos/services/servarr/cross-seed.nix new file mode 100644 index 0000000..74f216a --- /dev/null +++ b/modules/nixos/services/servarr/cross-seed.nix @@ -0,0 +1,96 @@ +# Automatic cross-seeding for video media +{ config, lib, ... }: +let + cfg = config.my.services.servarr.cross-seed; +in +{ + options.my.services.servarr.cross-seed = with lib; { + enable = mkEnableOption "cross-seed daemon" // { + default = config.my.services.servarr.enableAll; + }; + + port = mkOption { + type = types.port; + default = 2468; + example = 8080; + description = "Internal port for daemon"; + }; + + linkDirectory = mkOption { + type = types.str; + default = "/data/downloads/complete/links"; + example = "/var/lib/cross-seed/links"; + description = "Link directory"; + }; + + secretSettingsFile = mkOption { + type = types.str; + example = "/run/secrets/cross-seed-secrets.json"; + description = '' + File containing secret settings. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.cross-seed = { + enable = true; + group = "media"; + + # Rely on recommended defaults for tracker snatches etc... + useGenConfigDefaults = true; + + settings = { + inherit (cfg) port; + host = "127.0.0.1"; + + # Inject torrents to client directly + action = "inject"; + # Query the client for torrents to match + useClientTorrents = true; + # Use hardlinks + linkType = "hardlink"; + # Use configured link directory + linkDirs = [ cfg.linkDirectory ]; + # Match as many torrents as possible + matchMode = "partial"; + # Cross-seed full season if at least 50% of episodes are already downloaded + seasonFromEpisodes = 0.5; + }; + + settingsFile = cfg.secretSettingsFile; + }; + + systemd.services.cross-seed = { + serviceConfig = { + # Loose umask to make cross-seed links readable by `media` + UMask = "0002"; + }; + }; + + # Set-up media group + users.groups.media = { }; + + my.services.nginx.virtualHosts = { + cross-seed = { + inherit (cfg) port; + }; + }; + + services.fail2ban.jails = { + cross-seed = '' + enabled = true + filter = cross-seed + action = iptables-allports + ''; + }; + + environment.etc = { + "fail2ban/filter.d/cross-seed.conf".text = '' + [Definition] + failregex = ^.*Unauthorized API access attempt to .* from $ + journalmatch = _SYSTEMD_UNIT=cross-seed.service + ''; + }; + }; +} diff --git a/modules/nixos/services/servarr/default.nix b/modules/nixos/services/servarr/default.nix index 409fcdc..dca57cf 100644 --- a/modules/nixos/services/servarr/default.nix +++ b/modules/nixos/services/servarr/default.nix @@ -7,6 +7,7 @@ imports = [ ./autobrr.nix ./bazarr.nix + ./cross-seed.nix ./jackett.nix ./nzbhydra.nix ./prowlarr.nix diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index 3447bee..4b4ed1a 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix @@ -26,18 +26,16 @@ in services.tandoor-recipes = { enable = true; + database = { + createLocally = true; + }; + port = cfg.port; extraConfig = let tandoorRecipesDomain = "recipes.${config.networking.domain}"; in { - # Use PostgreSQL - DB_ENGINE = "django.db.backends.postgresql"; - POSTGRES_HOST = "/run/postgresql"; - POSTGRES_USER = "tandoor_recipes"; - POSTGRES_DB = "tandoor_recipes"; - # Security settings ALLOWED_HOSTS = tandoorRecipesDomain; CSRF_TRUSTED_ORIGINS = "https://${tandoorRecipesDomain}"; @@ -49,27 +47,12 @@ in systemd.services = { tandoor-recipes = { - after = [ "postgresql.service" ]; - requires = [ "postgresql.service" ]; - serviceConfig = { EnvironmentFile = cfg.secretKeyFile; }; }; }; - # Set-up database - services.postgresql = { - enable = true; - ensureDatabases = [ "tandoor_recipes" ]; - ensureUsers = [ - { - name = "tandoor_recipes"; - ensureDBOwnership = true; - } - ]; - }; - my.services.nginx.virtualHosts = { recipes = { inherit (cfg) port; diff --git a/modules/nixos/services/transmission/default.nix b/modules/nixos/services/transmission/default.nix index ac8b24d..ddd77d4 100644 --- a/modules/nixos/services/transmission/default.nix +++ b/modules/nixos/services/transmission/default.nix @@ -47,6 +47,7 @@ in enable = true; package = pkgs.transmission_4; group = "media"; + webHome = pkgs.trgui-ng-web; downloadDirPermissions = "775"; @@ -65,6 +66,8 @@ in # Proxied behind Nginx. rpc-whitelist-enabled = true; rpc-whitelist = "127.0.0.1"; + + umask = "002"; # To go with `downloadDirPermissions` }; }; diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index adf533e..caf0179 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -24,8 +24,8 @@ in }; systemd.services.woodpecker-server = { - after = [ "postgresql.service" ]; - requires = [ "postgresql.service" ]; + after = [ "postgresql.target" ]; + requires = [ "postgresql.target" ]; serviceConfig = { # Set username for DB access