immich

nixos/configuration.nix

@@ -1,40 +1,46 @@
 {
-  pkgs,
-  host,
-  ...
-}: {
-  users.groups.plugdev = {}; # Create plugdev group
+host,
+...
+}: { # Create plugdev group
   networking.hostName = host.hostName;
-  users.groups.${host.username} = {};
-  users.users.${host.username} = {
-    isNormalUser = true;
-    group = "${host.username}";
-    extraGroups = [
-      "wheel"
-      "plugdev"
-      "video"
-      "adbusers"
-    ];
-  };
-  environment.systemPackages = with pkgs; [vim];
-  programs.nix-index.enableBashIntegration = false;
-  programs.nix-index.enableZshIntegration = false;
-  programs.nix-index-database.comma.enable = true;
   time.timeZone = "America/Chicago";
+  users = {
+    groups.plugdev = {};
+    groups.${host.username} = {};
+    users.${host.username} = {
+      isNormalUser = true;
+      group = "${host.username}";
+      extraGroups = [
+        "wheel"
+        "plugdev"
+        "video"
+        "adbusers"
+      ];
+    };
+  };
+  programs = {
+    nix-index = {
+      enableBashIntegration = false;
+      enableZshIntegration = false;
+    };
+    nix-index-database.comma.enable = true;
+  };
 
   # Enable flakes and unfree packages
-  nix.settings = {
-    auto-optimise-store = true;
-    substituters = ["https://nix-community.cachix.org"];
-    trusted-public-keys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-    ];
-    trusted-users = [host.username];
-    experimental-features = ["nix-command" "flakes"];
-  };
-  nix.gc = {
-    automatic = true;
-    dates = "00:00";
-    options = "--delete-older-than 14d";
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      substituters = ["https://nix-community.cachix.org"];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+      trusted-users = [host.username];
+      experimental-features = ["nix-command" "flakes"];
+    };
+    gc = {
+      automatic = true;
+      dates = "00:00";
+      options = "--delete-older-than 14d";
+    };
   };
 }

nixos/consensus/configuration.nix

@@ -1,41 +1,28 @@
-{pkgs, ...}: {
+{lib, pkgs, config, ...}: {
   imports = [
     ./hardware-configuration.nix
   ];
+  sops = {
+    defaultSopsFile = ../../secrets/cf-acme.yaml;
+    secrets = {
+      "env" = {};
+    };
+  };
+  documentation = {
+    enable = lib.mkDefault false;
+    info.enable = lib.mkDefault false;
+    man.enable = lib.mkDefault false;
+    nixos.enable = lib.mkDefault false;
+  };
   environment.systemPackages = with pkgs; [
     git
     nvim-pkg
     docker-compose
+    tmux
   ];
-  boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = false;
-  swapDevices = [
-    {
-      device = "/var/swapfile";
-      size = 4 * 1024;
-    }
-  ];
-  virtualisation.docker.enable = true;
-  networking = {
-    hostName = "consensus";
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        22
-        2022
-        6443
-        25565
-        30001
-        30303
-      ];
-      allowedUDPPorts = [
-        30001
-        30303
-      ];
-      logRefusedConnections = true;
-    };
-  };
   services = {
+    zfs.autoScrub.enable = true;
+    zfs.autoSnapshot.enable = true;
     tailscale.enable = true;
     k3s = {
       enable = true;
@@ -52,6 +39,67 @@
         PermitRootLogin = "prohibit-password";
       };
     };
+    immich = {
+      enable = true;
+      port = 2283;
+      host = "localhost";
+      openFirewall = true;
+      machine-learning.enable = false;
+      mediaLocation = "/rice/immich";
+    };
+  nginx = {
+      enable = true;
+      virtualHosts."img.10110110.xyz" = {
+        useACMEHost = "10110110.xyz";
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.immich.port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+          extraConfig = ''
+            client_max_body_size 50000M;
+            proxy_read_timeout   600s;
+            proxy_send_timeout   600s;
+            send_timeout         600s;
+          '';
+        };
+      };
+  };
+  };
+  boot = {
+    tmp.cleanOnBoot = true;
+    supportedFilesystems = ["zfs"];
+    zfs.forceImportRoot = false;
+    zfs.extraPools = ["rice"];
+  };
+  networking.hostId = "91238132";
+  zramSwap.enable = false;
+  swapDevices = [
+    {
+      device = "/var/swapfile";
+      size = 4 * 1024;
+    }
+  ];
+  virtualisation.docker.enable = true;
+  networking = {
+    hostName = "consensus";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22
+        443
+        2022
+        6443
+        25565
+        30001
+        30303
+      ];
+      allowedUDPPorts = [
+        30001
+        30303
+      ];
+      logRefusedConnections = true;
+    };
   };
   users.users = {
     root = {
@@ -68,6 +116,18 @@
     };
   };
   security.sudo.wheelNeedsPassword = false;
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@10110110.xyz";
+    certs = {
+      "10110110.xyz" = {
+        domain = "*.10110110.xyz";
+        group = config.services.nginx.group;
+        dnsProvider = "cloudflare";
+        environmentFile = config.sops.secrets."env".path;
+      };
+    };
+  };
   nix.settings.trusted-users = ["e"];
   system.stateVersion = "23.11";
 }

nixos/t14/configuration.nix

@@ -1,7 +1,7 @@
 {
-  pkgs,
-  attrs,
-  ...
+pkgs,
+attrs,
+...
 }: let
   # Horrid workaround for https://github.com/nix-community/home-manager/issues/1011
   homeManagerSessionVars = "/etc/profiles/per-user/${attrs.username}/etc/profile.d/hm-session-vars.sh";
@@ -10,12 +10,14 @@ in {
     ./hardware-configuration.nix
     ./backups.nix
   ];
-  environment.systemPackages = with pkgs; [
-    cryptsetup
-    nfs-utils
-    nerdctl
-  ];
-  environment.extraInit = "[[ -f ${homeManagerSessionVars} ]] && source ${homeManagerSessionVars} && echo 'x' > /tmp/test";
+  environment = {
+    systemPackages = with pkgs; [
+      cryptsetup
+      nfs-utils
+      nerdctl
+    ];
+    extraInit = "[[ -f ${homeManagerSessionVars} ]] && source ${homeManagerSessionVars} && echo 'x' > /tmp/test";
+  };
 
   boot = {
     loader.systemd-boot.enable = true;
@@ -60,7 +62,27 @@ in {
     };
     steam.enable = true;
     adb.enable = true;
-    fish.enable = true;
+    fish.enable = true; #enable vendor completions
+  };
+
+  # workaround for wait-online killing nixos build
+  systemd.services.NetworkManager-wait-online = {
+    serviceConfig = {
+      ExecStart = ["" "${pkgs.networkmanager}/bin/nm-online -q"];
+    };
+  };
+
+  hardware = {
+    graphics = {
+      enable = true;
+      enable32Bit = true;
+      extraPackages = [
+        pkgs.mesa
+        pkgs.amdvlk
+        pkgs.libGL
+      ];
+    };
+    ledger.enable = true;
   };
   services = {
     resolved = {
@@ -70,7 +92,6 @@ in {
       ];
     };
     tailscale.enable = true;
-    avahi.enable = true; # chromecast
     pipewire = {
       enable = true;
       alsa.enable = true;
@@ -117,33 +138,17 @@ in {
       pkgs.ledger-udev-rules
       pkgs.trezor-udev-rules
     ];
-  };
 
-  # workaround for wait-online killing nixos build
-  systemd.services.NetworkManager-wait-online = {
-    serviceConfig = {
-      ExecStart = ["" "${pkgs.networkmanager}/bin/nm-online -q"];
-    };
+    trezord.enable = true;
+    udisks2.enable = true; # kindle
   };
-
-  hardware.graphics = {
-    enable = true;
-    enable32Bit = true;
-    extraPackages = [
-      pkgs.mesa
-      pkgs.amdvlk
-      pkgs.libGL
+  fonts = {
+    # Set a sane system-wide default font
+    packages = with pkgs; [
+      nerd-fonts.ubuntu-mono
+      spleen
     ];
+    fontconfig.defaultFonts.monospace = ["UbuntuMono"];
   };
-  hardware.ledger.enable = true;
-  services.trezord.enable = true;
-  services.udisks2.enable = true; # kindle
-
-  # Set a sane system-wide default font
-  fonts.packages = with pkgs; [
-    nerd-fonts.ubuntu-mono
-    spleen
-  ];
-  fonts.fontconfig.defaultFonts.monospace = ["UbuntuMono"];
   system.stateVersion = "22.11";
 }