immich

2025-06-01 20:39:11 -05:00 · 2025-06-01 20:39:11 -05:00 · e4dc04a7ff
commit e4dc04a7ff
parent 18caa32b2c
13 changed files with 516 additions and 181 deletions
--- a/nixos/consensus/configuration.nix
+++ b/nixos/consensus/configuration.nix
@ -1,41 +1,28 @@
-{pkgs, ...}: {
+{lib, pkgs, config, ...}: {
  imports = [
    ./hardware-configuration.nix
  ];
+  sops = {
+    defaultSopsFile = ../../secrets/cf-acme.yaml;
+    secrets = {
+      "env" = {};
+    };
+  };
+  documentation = {
+    enable = lib.mkDefault false;
+    info.enable = lib.mkDefault false;
+    man.enable = lib.mkDefault false;
+    nixos.enable = lib.mkDefault false;
+  };
  environment.systemPackages = with pkgs; [
    git
    nvim-pkg
    docker-compose
+    tmux
  ];
-  boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = false;
-  swapDevices = [
-    {
-      device = "/var/swapfile";
-      size = 4 * 1024;
-    }
-  ];
-  virtualisation.docker.enable = true;
-  networking = {
-    hostName = "consensus";
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        22
-        2022
-        6443
-        25565
-        30001
-        30303
-      ];
-      allowedUDPPorts = [
-        30001
-        30303
-      ];
-      logRefusedConnections = true;
-    };
-  };
  services = {
+    zfs.autoScrub.enable = true;
+    zfs.autoSnapshot.enable = true;
    tailscale.enable = true;
    k3s = {
      enable = true;
@ -52,6 +39,67 @@
        PermitRootLogin = "prohibit-password";
      };
    };
+    immich = {
+      enable = true;
+      port = 2283;
+      host = "localhost";
+      openFirewall = true;
+      machine-learning.enable = false;
+      mediaLocation = "/rice/immich";
+    };
+  nginx = {
+      enable = true;
+      virtualHosts."img.10110110.xyz" = {
+        useACMEHost = "10110110.xyz";
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.immich.port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+          extraConfig = ''
+            client_max_body_size 50000M;
+            proxy_read_timeout   600s;
+            proxy_send_timeout   600s;
+            send_timeout         600s;
+          '';
+        };
+      };
+  };
+  };
+  boot = {
+    tmp.cleanOnBoot = true;
+    supportedFilesystems = ["zfs"];
+    zfs.forceImportRoot = false;
+    zfs.extraPools = ["rice"];
+  };
+  networking.hostId = "91238132";
+  zramSwap.enable = false;
+  swapDevices = [
+    {
+      device = "/var/swapfile";
+      size = 4 * 1024;
+    }
+  ];
+  virtualisation.docker.enable = true;
+  networking = {
+    hostName = "consensus";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22
+        443
+        2022
+        6443
+        25565
+        30001
+        30303
+      ];
+      allowedUDPPorts = [
+        30001
+        30303
+      ];
+      logRefusedConnections = true;
+    };
  };
  users.users = {
    root = {
@ -68,6 +116,18 @@
    };
  };
  security.sudo.wheelNeedsPassword = false;
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@10110110.xyz";
+    certs = {
+      "10110110.xyz" = {
+        domain = "*.10110110.xyz";
+        group = config.services.nginx.group;
+        dnsProvider = "cloudflare";
+        environmentFile = config.sops.secrets."env".path;
+      };
+    };
+  };
  nix.settings.trusted-users = ["e"];
  system.stateVersion = "23.11";
 }