nix-config/machines/porthos/services.nix
Bruno BELANYI 0f2c20e51d modules: services: paperless: use 'secretKeyFile'
In preparation for the migration to agenix.
2021-09-26 23:09:32 +02:00


# Deployed services
#
# Security note: every `builtins.toFile` call below writes its string into the
# Nix store when the configuration is evaluated. Store paths are readable by
# every local user and travel with the system closure wherever it is copied,
# so the passwords and tokens interpolated here are not confidential on this
# machine. The options fed this way appear to expect file paths, so they could
# presumably point at a file that a secret manager such as agenix decrypts at
# activation time, with restrictive ownership and mode -- confirm against each
# module before switching.
{ config, ... }:
let
  inherit (config) my;
in
{
  # List services that you want to enable:
  my.services = {
    # Hosts-based adblock using unbound
    adblock.enable = true;

    # Backblaze B2 backup
    backup = {
      enable = true;
      repository = "b2:porthos-backup";
      # Backup every 6 hours
      timerConfig = {
        OnActiveSec = "6h";
        OnUnitActiveSec = "6h";
      };
      # Insecure, I don't care.
      # (Both files land in the world-readable store: the repository password
      # and the storage credentials are exposed together.)
      passwordFile =
        builtins.toFile "password.txt" my.secrets.backup.password;
      credentialsFile =
        builtins.toFile "creds.env" my.secrets.backup.credentials;
    };

    # My blog and related hosts
    blog.enable = true;

    calibre-web = {
      enable = true;
      libraryPath = "/data/media/library";
    };

    drone = {
      enable = true;
      runners = [ "docker" "exec" ];
      # Insecure, I don't care.
      # (Store-resident copies of the Gitea integration secret and of the
      # secret shared between server and runners.)
      secretFile =
        builtins.toFile "gitea.env" my.secrets.drone.gitea;
      sharedSecretFile =
        builtins.toFile "rpc.env" my.secrets.drone.secret;
    };

    # Flood UI for transmission
    flood.enable = true;

    # Gitea forge
    gitea.enable = true;

    # Meta-indexers
    indexers.jackett.enable = true;
    indexers.nzbhydra.enable = true;

    # Jellyfin media server
    jellyfin.enable = true;

    # Gitea mirroring service
    lohr = {
      enable = true;
      # Environment-file syntax; the secret is written to the store as well.
      sharedSecretFile =
        builtins.toFile "lohr-secret.env" "LOHR_SECRET=${my.secrets.lohr.secret}";
    };

    # Matrix backend and Element chat front-end
    matrix = {
      enable = true;
      mail = my.secrets.matrix.mail;
      # NOTE(review): handed over as a plain option value rather than a file;
      # presumably it ends up in a generated, store-resident configuration --
      # confirm in the matrix module.
      secret = my.secrets.matrix.secret;
    };

    miniflux = {
      enable = true;
      # NOTE(review): the option name is plural here, unlike `credentialsFile`
      # on backup and transmission -- confirm it matches the module's option.
      credentialsFiles = builtins.toFile "miniflux-creds.txt" ''
        ADMIN_USERNAME=Ambroisie
        ADMIN_PASSWORD=${my.secrets.miniflux.password}
      '';
    };

    # Various monitoring dashboards
    monitoring = {
      enable = true;
      grafana.passwordFile =
        builtins.toFile "grafana.txt" my.secrets.monitoring.password; # Insecure, I don't care
    };

    # FLOSS music streaming server
    navidrome = {
      enable = true;
      musicFolder = "/data/media/music";
    };

    # Nextcloud self-hosted cloud
    nextcloud = {
      enable = true;
      # Same store exposure as the other password files in this module.
      passwordFile =
        builtins.toFile "nextcloud-pass.txt" my.secrets.nextcloud.password;
    };

    nginx.enable = true;

    paperless = {
      enable = true;
      documentPath = "/data/media/paperless";
      # Insecure, I don't care
      passwordFile =
        builtins.toFile "paperless.env" my.secrets.paperless.password;
      # The secret key is written as an environment-file entry, again to the
      # world-readable store.
      secretKeyFile = builtins.toFile "paperless-key.env" ''
        PAPERLESS_SECRET_KEY=${my.secrets.paperless.secretKey}
      '';
    };

    # The whole *arr software suite
    pirate.enable = true;

    # Podcast automatic downloader
    podgrab = {
      enable = true;
      passwordFile =
        builtins.toFile "podgrab.env" "PASSWORD=${my.secrets.podgrab.password}";
      port = 9598;
    };

    # Regular backups
    postgresql-backup.enable = true;

    # An IRC client daemon
    quassel.enable = true;

    # RSS provider for websites that do not provide any feeds
    rss-bridge.enable = true;

    # Usenet client
    sabnzbd.enable = true;

    # Because I still need to play sysadmin
    ssh-server.enable = true;

    # Torrent client and webui
    transmission = {
      enable = true;
      # JSON fragment holding the RPC credentials; stored in the Nix store
      # like the other generated secret files.
      credentialsFile = builtins.toFile "transmission-creds.txt" ''
        {
        "rpc-username": "Ambroisie",
        "rpc-password": "${my.secrets.transmission.password}"
        }
      '';
    };

    # Simple, in-kernel VPN
    wireguard = {
      enable = true;
      startAtBoot = true; # Server must be started to ensure clients can connect
    };
  };
}