Forgot to use branches, remember kids: use protection

I'd like fewer generations, please. Side note:
it's a bit weird that you can't specify how many generations you'd like
to keep, like what if I want 3 generations to stay available?
This commit is contained in:
Squibid 2025-12-03 23:06:12 -05:00
parent fcbbf4b8e4
commit e20755851c
Signed by: squibid
GPG key ID: BECE5684D3C4005D
13 changed files with 345 additions and 110 deletions

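--- /dev/null
+++ b/hosts/blob/actual.nix
@@ -0,0 +1,51 @@
+# that name actually sucks ass
+# but it manages my money pretty well
+#
+# see https://github.com/miniluz/nixos-config/blob/8f0e417e34fa5bbb97b13215ee4843f85c6033be/modules/nixos/selfhosting/actual.nix#L13
+# for a good config
+# and https://github.com/Jonas-Sander/actual-backup for backups
+{ lib, config, ... }:
+{
+options.actual.enable = lib.mkEnableOption "enable money management";
+config = lib.mkIf config.actual.enable {
+services.gatus.settings.endpoints = [
+{
+name = "actual";
+group = "local";
+url = "https://localhost:3000/";
+interval = "30s";
+client.insecure = true;
+conditions = [
+"[connected] == true"
+"[CERTIFICATE_EXPIRATION] > 48h"
+];
+}
+];
+users.users.actual = {
+isSystemUser = true;
+group = "actual";
+};
+users.groups.actual = {};
+sops.secrets."actual/key".owner = config.users.users.actual.name;
+sops.secrets."actual/cert".owner = config.users.users.actual.name;
+services.actual = {
+enable = true;
+openFirewall = true;
+settings = {
+https = {
+# for people trying to re-create my setup the key and cert were
+# generated using the following command:
+# openssl req -newkey rsa:4096 -x509 -days 36500 -sha512 -nodes -out certificate.pem -keyout privatekey.pem
+# I've set the days to 36500 because I don't intend on being around
+# after November 2125, and renewing certs is a pain in the ass on a
+# local (and trusted) network
+key = config.sops.secrets."actual/key".path;
+cert = config.sops.secrets."actual/cert".path;
+};
+};
+};
+};
+}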
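Review bot: The gatus endpoint at the top of the file sets `client.insecure = true`, so the `[CERTIFICATE_EXPIRATION] > 48h` condition is evaluated against a certificate that is never verified, and with the 36500-day self-signed cert described in the `https` comment it cannot fail in practice; the check only proves that something answers on port 3000. If the intent is to notice a broken or swapped certificate, the probe needs to actually validate it (I can't tell from this file whether gatus can be pointed at the self-signed cert as a trust anchor, so treat that as something to confirm). Separately, `openFirewall = true;` publishes the money-management UI to every host on the LAN, relying entirely on whatever login Actual itself enforces, which deserves a line next to it given the header comment's "local (and trusted) network" assumption: `# reachable from the whole LAN (openFirewall); access control is only what Actual enforces itself`.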


@ -9,6 +9,8 @@
./jellyfin.nix
./minecraft.nix
./gatus.nix
./actual.nix
./git.nix
./ai.nix
];
@ -16,8 +18,10 @@
boot.loader.efi.canTouchEfiVariables = true;
# ai.enable = true;
jellyfin.enable = true;
jellyfin.enable = false;
minecraft.enable = true;
actual.enable = true;
git.enable = true;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database

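--- /dev/null
+++ b/hosts/blob/git.nix
@@ -0,0 +1,101 @@
+{ pkgs, config, lib, ... }:
+{
+options.git = {
+enable = lib.mkEnableOption "enable git server";
+user = lib.mkOption {
+type = lib.types.str;
+default = "git";
+};
+group = lib.mkOption {
+type = lib.types.str;
+default = "git";
+};
+cgit = {
+name = lib.mkOption {
+type = lib.types.str;
+default = "home";
+};
+port = lib.mkOption {
+type = lib.types.int;
+default = 8091;
+};
+};
+};
+config = lib.mkIf config.git.enable {
+services.gatus.settings.endpoints = [
+{
+name = "cgit site";
+group = "local";
+url = "http://localhost:" + builtins.toString config.git.cgit.port;
+interval = "5m";
+conditions = [ "[connected] == true" "[RESPONSE_TIME] < 300" ];
+}
+];
+users.users.${config.git.user} = let
+git-shell-wrap = pkgs.writeShellScriptBin "git-shell-wrap" ''
+set -euo pipefail
+cmd=$1; repo=$2
+# get the repo normalize, and create it only if the client is sending
+# us stuff
+if echo "$repo" | grep -q git-receive-pack; then
+repo=$(echo "$repo" | cut -d"'" -f 2 | sed 's/\.git$//').git
+# Make sure the repo exists on the server
+repos=${config.users.users.${config.git.user}.home}
+path=$repos/$repo
+if [ ! -d "$path" ]; then
+git init --bare "$path" >/dev/null 2>&1
+fi
+fi
+# Run git-shell with the original args
+exec ${pkgs.git}/bin/git-shell "$@"
+'';
+in {
+isSystemUser = true;
+inherit (config.git) group;
+home = "/var/lib/git-server";
+createHome = true;
+openssh.authorizedKeys.keys = config.ssh.keys;
+packages = [ git-shell-wrap ];
+shell = "${git-shell-wrap}/bin/git-shell-wrap";
+};
+users.groups.${config.git.group} = {};
+networking.firewall.allowedTCPPorts = [ config.git.cgit.port ];
+services = {
+cgit.${config.git.cgit.name} = {
+enable = true;
+inherit (config.git) user group;
+scanPath = config.users.users.${config.git.user}.home;
+gitHttpBackend.checkExportOkFiles = false;
+settings = {
+root-desc = "local git repo store path: ${config.users.users.${config.git.user}.home}";
+snapshots = "all";
+enable-commit-graph = true;
+enable-follow-links = true;
+enable-http-clone = true;
+enable-remote-branches = true;
+};
+};
+nginx.virtualHosts.${config.git.cgit.name}.listen = [{
+addr = "0.0.0.0";
+port = config.git.cgit.port;
+}];
+openssh = {
+enable = true;
+extraConfig = ''
+Match user git
+AllowTcpForwarding no
+AllowAgentForwarding no
+PasswordAuthentication no
+PermitTTY no
+X11Forwarding no
+'';
+};
+};
+};
+}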
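Review bot: In `git-shell-wrap` the repository path created on first push is taken straight from the client's command string (`cut -d"'" -f 2`) and joined to the home directory with no validation, so `git init --bare "$path"` will happily create a directory under a `..` or absolute path anywhere the git user can write; only holders of `config.ssh.keys` can trigger it, but it silently turns a typo in the remote URL into a stray repository outside `scanPath` that cgit never shows. A `case` guard before the `git init` that rejects absolute paths and `..` components fixes this, and the unused `cmd=$1` can go at the same time (see below). Separately, `Match user git` in `openssh.extraConfig` hard-codes the default while the account name is `config.git.user`; write `Match user ${config.git.user}` so the forwarding/TTY restrictions follow a renamed user. Finally, `gitHttpBackend.checkExportOkFiles = false` together with `enable-http-clone = true` on a `0.0.0.0` listener means every repository pushed over SSH is cloneable by anyone on the LAN the moment it exists, which is a reasonable choice for a home box but deserves a one-line comment next to `checkExportOkFiles` saying so.
```nix
git-shell-wrap = pkgs.writeShellScriptBin "git-shell-wrap" ''
  set -euo pipefail
  repo=$2
  if echo "$repo" | grep -q git-receive-pack; then
    repo=$(echo "$repo" | cut -d"'" -f 2 | sed 's/\.git$//').git
    # only plain names inside the store: no absolute path, no ".." component
    case "$repo" in
      .git|/*|*..*) echo "refusing repository path: $repo" >&2; exit 1 ;;
    esac
    # … unchanged: git init --bare when the path is missing …
  fi
  # … unchanged: exec git-shell "$@" …
'';
```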


@ -18,61 +18,94 @@
}
];
services.declarative-jellyfin = {
sops.secrets."jellyfin/jellarr-env".owner = config.services.jellarr.user;
sops.secrets."jellyfin/zachary".owner = config.services.jellarr.user;
services.jellarr = {
enable = true;
environmentFile = config.sops.secrets."jellyfin/jellarr-env".path;
config = {
version = 1;
base_url = "http://localhost:8096";
startup = {
completeStartupWizard = true;
};
encoding = {
allowAv1Encoding = false;
allowHevcEncoding = false;
enableDecodingColorDepth10Hevc = true;
enableDecodingColorDepth10HevcRext = true;
enableDecodingColorDepth12HevcRext = true;
enableDecodingColorDepth10Vp9 = true;
enableHardwareEncoding = true;
hardwareAccelerationType = "vaapi";
hardwareDecodingCodecs = [
"h264"
"hevc"
"mpeg2video"
"vc1"
"vp8"
"vp9"
"av1"
];
vaapiDevice = "/dev/dri/renderD128";
};
system = {
quickConnectAvailable = false;
trickplayOptions = {
enableHwAcceleration = true;
enableHwEncoding = true;
};
pluginRepositories = [
{
content.Name = "Jellyfin Stable";
content.Url = "https://repo.jellyfin.org/files/plugin/manifest.json";
tag = "RepositoryInfo"; # Needed to generate the correct XML
}
{
content.Name = "Intro Skipper";
content.Url = "https://intro-skipper.org/manifest.json";
tag = "RepositoryInfo"; # Needed to generate the correct XML
}
];
};
libraries = {
virtualFolders = [
{
name = "Movies";
collectionType = "movies";
pathInfos = [{ path = "/mnt/media/movies"; }];
}
{
name = "Shows";
collectionType = "tvshows";
pathInfos = [{ path = "/mnt/media/shows"; }];
}
];
};
users = [
{
name = "zachary";
passwordFile = config.sops.secrets."jellyfin/zachary".path;
policy = {
isAdministrator = true;
};
}
];
};
bootstrap = {
enable = true;
apiKeyFile = config.sops.secrets."jellyfin/jellarr-env".path;
};
};
services.jellyfin = {
enable = true;
openFirewall = true;
serverId = "0ba4e888503b4524a90285b7ad500256"; # could be anything
system = {
serverName = config.networking.hostName;
trickplayOptions = {
enableHwAcceleration = true;
enableHwEncoding = true;
};
pluginRepositories = [
{
content.Name = "Jellyfin Stable";
content.Url = "https://repo.jellyfin.org/files/plugin/manifest.json";
tag = "RepositoryInfo"; # Needed to generate the correct XML
}
{
content.Name = "Intro Skipper";
content.Url = "https://intro-skipper.org/manifest.json";
tag = "RepositoryInfo"; # Needed to generate the correct XML
}
];
};
users.zachary = {
mutable = false;
permissions.isAdministrator = true;
hashedPasswordFile = config.sops.secrets."jellyfin/zachary".path;
};
libraries = {
Movies = {
enabled = true;
contentType = "movies";
pathInfos = ["/mnt/media/movies"];
};
Shows = {
enabled = true;
contentType = "tvshows";
pathInfos = ["/mnt/media/shows"];
};
};
encoding = {
enableHardwareEncoding = true;
hardwareAccelerationType = "vaapi";
enableDecodingColorDepth10Hevc = true; # enable if your system supports
allowHevcEncoding = true; # enable if your system supports
allowAv1Encoding = true; # enable if your system supports
hardwareDecodingCodecs = [ # enable the codecs your system supports
"h264"
"hevc"
"mpeg2video"
"vc1"
"vp9"
"av1"
];
};
};
};
}
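Review bot: `bootstrap.apiKeyFile` is pointed at the same sops secret as `environmentFile` (`jellyfin/jellarr-env`); if that file is in KEY=value form the bootstrap step would read the whole line as the API key, and if it is a bare token the environment file is not one, so one of the two readers is presumably getting the wrong format. I can't see the secret's contents from here, so either confirm both consumers accept the same file or give the bootstrap its own secret holding just the token. A comment on the `apiKeyFile` line stating the file's format would settle it for the next reader, e.g. `# same file as environmentFile; jellarr's bootstrap expects <format> here`. The `services.declarative-jellyfin = {` line shown at the top of the hunk and the enclosing attribute set begin before line 18, outside the hunk, so whether the old block is removed completely cannot be checked here.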