Compare commits

...

7 commits

Author SHA1 Message Date
Bruno BELANYI 27673d7892 hosts: nixos: porthos: services: enable pdf-edit
All checks were successful
ci/woodpecker/push/check Pipeline was successful
2024-09-05 10:36:31 +00:00
Bruno BELANYI a70b23cc3f hosts: nixos: porthos: secrets: add pdf-edit 2024-09-05 10:36:31 +00:00
Bruno BELANYI b7cc942613 nixos: services: add pdf-edit 2024-09-05 10:36:31 +00:00
Bruno BELANYI 6f00036b79 overlays: add 'downgrade-transmission'
The 4.0.6 release is buggy and widely blacklisted.
2024-09-05 10:36:31 +00:00
Bruno BELANYI 52197a4f96 nixos: services: pirate: add readarr 2024-09-05 10:36:31 +00:00
Bruno BELANYI fb4047b2b3 nixos: services: nginx: sso: align with upstream
This aligns with the PR I opened on nixpkgs [1].

[1]: https://github.com/NixOS/nixpkgs/pull/325838
2024-09-05 10:36:31 +00:00
Bruno BELANYI 445cb43cb4 nixos: services: nix-cache: fix deprecated config
All checks were successful
ci/woodpecker/push/check Pipeline was successful
2024-09-04 10:35:10 +00:00
9 changed files with 114 additions and 8 deletions

View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 cKojmg VYlHgHSLpfKb5bn1XA3aCpfX7M23DgbraLxxOfo9PDk
Rj+mDvAsWX3WwpuhTrOubmo17j/aud5+P87df5bosBA
-> ssh-ed25519 jPowng o9ZFaYrITZ6DjWw07Vk/+TkuU187/ytlEK4sw7G32G4
zmxlpDvDDEgQFqBVARXeX1ABhvfJ4uAHfa6mIxXzjAY
--- k/d9FWW8/OSo8EllwOBV74pZyX918u54jEljGk3ATUc
ü4+ø2{hE7!Ò­GA`×<>_@Íß—´¡R_ý§6J„ñL4v,6%ô‡øó#^® Ù¹ åB­§OøF|7ܽÉL]œÙj
BþóÛ¾éaòs]xS<78>Î pbÞo#¬J1QŸ=t}5Õ>Oï{+¼. M"7e»yý÷—

View file

@ -77,6 +77,8 @@ in
"paperless/password.age".publicKeys = all; "paperless/password.age".publicKeys = all;
"paperless/secret-key.age".publicKeys = all; "paperless/secret-key.age".publicKeys = all;
"pdf-edit/login.age".publicKeys = all;
"podgrab/password.age".publicKeys = all; "podgrab/password.age".publicKeys = all;
"pyload/credentials.age".publicKeys = all; "pyload/credentials.age".publicKeys = all;

View file

@ -127,6 +127,11 @@ in
passwordFile = secrets."paperless/password".path; passwordFile = secrets."paperless/password".path;
secretKeyFile = secrets."paperless/secret-key".path; secretKeyFile = secrets."paperless/secret-key".path;
}; };
# Sometimes, editing PDFs is useful
pdf-edit = {
enable = true;
loginFile = secrets."pdf-edit/login".path;
};
# The whole *arr software suite # The whole *arr software suite
pirate = { pirate = {
enable = true; enable = true;

View file

@ -26,6 +26,7 @@
./nginx ./nginx
./nix-cache ./nix-cache
./paperless ./paperless
./pdf-edit
./pirate ./pirate
./podgrab ./podgrab
./postgresql ./postgresql

View file

@ -59,15 +59,10 @@ in
StateDirectory = "nginx-sso"; StateDirectory = "nginx-sso";
WorkingDirectory = "/var/lib/nginx-sso"; WorkingDirectory = "/var/lib/nginx-sso";
# The files to be merged might not have the correct permissions # The files to be merged might not have the correct permissions
ExecStartPre = ''+${pkgs.writeShellScript "merge-nginx-sso-config" '' ExecStartPre = pkgs.writeShellScript "merge-nginx-sso-config" ''
rm -f '${confPath}' rm -f '${confPath}'
${utils.genJqSecretsReplacementSnippet cfg.configuration confPath} ${utils.genJqSecretsReplacementSnippet cfg.configuration confPath}
'';
# Fix permissions
chown nginx-sso:nginx-sso ${confPath}
chmod 0600 ${confPath}
''
}'';
ExecStart = lib.mkForce '' ExecStart = lib.mkForce ''
${lib.getExe pkg} \ ${lib.getExe pkg} \
--config ${confPath} \ --config ${confPath} \

View file

@ -40,7 +40,7 @@ in
inherit (cfg) priority; inherit (cfg) priority;
}; };
signKeyPath = cfg.secretKeyFile; signKeyPaths = [ cfg.secretKeyFile ];
}; };
my.services.nginx.virtualHosts = { my.services.nginx.virtualHosts = {

View file

@ -0,0 +1,73 @@
{ config, lib, ... }:
let
cfg = config.my.services.pdf-edit;
in
{
options.my.services.pdf-edit = with lib; {
enable = mkEnableOption "PDF edition service";
port = mkOption {
type = types.port;
default = 8089;
example = 8080;
description = "Internal port for webui";
};
loginFile = mkOption {
type = types.str;
example = "/run/secrets/pdf-edit/login.env";
description = ''
`SECURITY_INITIALLOGIN_USERNAME` and `SECURITY_INITIALLOGIN_PASSWORD`
defined in the format of 'EnvironmentFile' (see `systemd.exec(5)`).
'';
};
};
config = lib.mkIf cfg.enable {
services.stirling-pdf = lib.mkIf cfg.enable {
enable = true;
environment = {
SERVER_PORT = cfg.port;
SECURITY_CSRFDISABLED = "false";
SYSTEM_SHOWUPDATE = "false"; # We don't care about update notifications
INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true"; # Installed by the module
SECURITY_ENABLELOGIN = "true";
SECURITY_LOGINATTEMPTCOUNT = "-1"; # Rely on fail2ban instead
};
environmentFiles = [ cfg.loginFile ];
};
my.services.nginx.virtualHosts = {
pdf-edit = {
inherit (cfg) port;
extraConfig = {
# Allow upload of PDF files up to 1G
locations."/".extraConfig = ''
client_max_body_size 1G;
'';
};
};
};
services.fail2ban.jails = {
stirling-pdf = ''
enabled = true
filter = stirling-pdf
port = http,https
'';
};
environment.etc = {
"fail2ban/filter.d/stirling-pdf.conf".text = ''
[Definition]
failregex = ^.*Failed login attempt from IP: <HOST>$
journalmatch = _SYSTEMD_UNIT=stirling-pdf.service
'';
};
};
}

View file

@ -10,6 +10,7 @@ let
bazarr = 6767; bazarr = 6767;
lidarr = 8686; lidarr = 8686;
radarr = 7878; radarr = 7878;
readarr = 8787;
sonarr = 8989; sonarr = 8989;
}; };
@ -67,6 +68,10 @@ in
enable = lib.my.mkDisableOption "Radarr"; enable = lib.my.mkDisableOption "Radarr";
}; };
readarr = {
enable = lib.my.mkDisableOption "Readarr";
};
sonarr = { sonarr = {
enable = lib.my.mkDisableOption "Sonarr"; enable = lib.my.mkDisableOption "Sonarr";
}; };
@ -85,6 +90,9 @@ in
# Radarr for movies # Radarr for movies
(mkFullConfig "radarr") (mkFullConfig "radarr")
(mkFail2Ban "radarr") (mkFail2Ban "radarr")
# Readarr for books
(mkFullConfig "readarr")
(mkFail2Ban "readarr")
# Sonarr for shows # Sonarr for shows
(mkFullConfig "sonarr") (mkFullConfig "sonarr")
(mkFail2Ban "sonarr") (mkFail2Ban "sonarr")

View file

@ -0,0 +1,14 @@
self: prev:
{
transmission_4 = prev.transmission_4.overrideAttrs (_: {
version = "4.0.5";
src = self.fetchFromGitHub {
owner = "transmission";
repo = "transmission";
rev = "4.0.5";
hash = "sha256-gd1LGAhMuSyC/19wxkoE2mqVozjGPfupIPGojKY0Hn4=";
fetchSubmodules = true;
};
});
}