From cb67bc6a2888d4ad93f0a1fdec7b012cf86f8df1 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Sun, 7 Jul 2024 19:42:04 -0400
Subject: [PATCH 1/2] Tandoor the nix way
---
 modules/hosts/nixos/nixnuc/default.nix | 30 +++++++++++++++++++++++++
 modules/hosts/nixos/nixnuc/secrets.yaml | 6 +++--
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index c9269d4..0ae0a79 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -350,6 +350,32 @@ in {
 "/orico/jellyfin/staging/downloaded-files"
 "/var/backup/postgresql"
 ];
+ tandoor-recipes = {
+ enable = true;
+ address = "0.0.0.0";
+ extraConfig = {
+ #ALLOWED_HOSTS=*
+ #COMMENT_PREF_DEFAULT=1
+ DB_ENGINE = "django.db.backends.postgresql";
+ #DEBUG=0
+ #DEBUG_TOOLBAR=0
+ #FRACTION_PREF_DEFAULT=0
+ #GUNICORN_MEDIA=0
+ POSTGRES_DB = "tandoor";
+ POSTGRES_HOST = "127.0.0.1";
+ # This sucks, but this module doesn't support pulling the password from a file
+ POSTGRES_PASSWORD = "yummy-flat-bread-with-garlic";
+ POSTGRES_PORT = 5432;
+ POSTGRES_USER = "tandoor";
+ #REMOTE_USER_AUTH=0
+ SECRET_KEY_FILE = config.sops.secrets.tandoor_secret_key.path;
+ #SHOPPING_MIN_AUTOSYNC_INTERVAL=5
+ #SQL_DEBUG=0
+
+ MEDIA_ROOT = "/orico/tandoor-recipes/mediafiles";
+ };
+ port = 8080;
+ };
 zfs.autoScrub.enable = true;
 };
@@ -366,6 +392,10 @@ in {
 path = "/home/${username}/.private-env";
 };
 nextcloud_admin_pass.owner = config.users.users.nextcloud.name;
+ tandoor_db_pass.mode = "0444";
+ tandoor_db_pass.path = "/orico/tandoor-recipes/.dbpass";
+ tandoor_secret_key.mode = "0444";
+ tandoor_secret_key.path = "/orico/tandoor-recipes/.skey";
 };
 };
diff --git a/modules/hosts/nixos/nixnuc/secrets.yaml b/modules/hosts/nixos/nixnuc/secrets.yaml
index e7fb60e..174ffef 100644
--- a/modules/hosts/nixos/nixnuc/secrets.yaml
+++ b/modules/hosts/nixos/nixnuc/secrets.yaml
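Review bot: The `POSTGRES_PASSWORD` string literal in `extraConfig` puts the database password in the repository and, like any Nix option value, in the world-readable store, while the `tandoor_db_pass` sops secret added in the next hunk is not referenced anywhere in the visible changes. Since PostgreSQL is on the same host (`POSTGRES_HOST = "127.0.0.1"`), one way around the module limitation the comment mentions is peer authentication over the Unix socket, e.g. `POSTGRES_HOST = "/run/postgresql";` with the password line dropped, assuming the service account can be mapped to the `tandoor` role. Whichever route is taken, the committed value should be treated as disclosed and rotated. Separately, `address = "0.0.0.0";` makes the app listen on every interface on port 8080, so unless a firewall rule not visible here blocks that port it is reachable without the TLS proxy; binding to the address nginx proxies to would narrow that.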
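Review bot: `tandoor_db_pass.mode = "0444";` and `tandoor_secret_key.mode = "0444";` make both decrypted secrets readable by every local user and process, which gives up most of what sops provides. The context line just above shows the narrower pattern (`nextcloud_admin_pass.owner = ...`); here that would be an `owner` set to the account the Tandoor service runs as, with the mode left at the sops-nix default of `0400`, e.g. `tandoor_secret_key.owner = "<tandoor service user>";`. The `path` overrides also put both secrets under `/orico/tandoor-recipes/`, the parent of `MEDIA_ROOT`; leaving them at the default secrets location keeps them out of the application's data tree. The enclosing attribute set starts outside the hunk.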
@@ -3,6 +3,8 @@ local_git_config: ENC[AES256_GCM,data:Nqwog5C4wnRzNoS4oqaYQ4J1DIj7fUL1y/nXESquR0 local_private_env: ENC[AES256_GCM,data:qOPXTS2uo/1jyVEKCtBvuK/dzZaPf1K5tHuSVF2hBg4fdPYIsDPkM108cGVxJviebB3xVZejn/JVOdUDXQj6,iv:TtyMTOJXaPUrbSaAdtMaGPBlwLl/Y/IBYVCzhhiZozY=,tag:hUyVL8xk3w1iMwNAZw5QUw==,type:str] nextcloud_admin_pass: ENC[AES256_GCM,data:KztB3Tkqlt73PEO41lthGYElrbwVdfqQgT6f,iv:kRwXqGJO4AUOMq+uYzndGhscaJiyvG4ANKabHHd78YM=,tag:dP3PgKafDTv8x7huKJGDqA==,type:str] psitransfer_dot_env: ENC[AES256_GCM,data:bhvU0AOCjecZ62BtLw4H1DdkLeatI+uUl6L7UkdDRkBF3sayO45Z1eR4q60tflXucyTGhT8WgKFz53I+C2dn265wzojIRc3Xr4TBLyWpfJ7/dct40SckgUiRvOnrefiriWQ=,iv:DGMhDkzgeupzzTJnCdVWDPUSo2wxI3MAypKQwVfHExE=,tag:KbteGqrkqgj2XB1lvlk/yQ==,type:str] +tandoor_db_pass: ENC[AES256_GCM,data:X0unx5jquLsUXadbF6xLjjeGY+f8Ec4kdc15JQ==,iv:XptlJHfAkF+3jbgJTqxhVReYjuVVdk3NzfPepP78DRI=,tag:3RG5P9QGCJ/fjdxWpY1xWA==,type:str] +tandoor_secret_key: ENC[AES256_GCM,data:aSQRdtWUZQzy5rvQBPAvYFvwTqyu16UGrvUayxqi2WdsTOfqOyxQ7ywNEy/g/qPqSbwM,iv:kbct/gvfYhU6GOhkomY80o/Sx5mr9FY9SAFJGNrj3Ow=,tag:v+LKQ9UM5nzzd77By7TnGg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -18,8 +20,8 @@ sops: bHZlNTZDV2NYU1hQQy9mem80SFF6TFkKfmjkJBfTdh0vTtGaVx1t3tHJvSsAwdYD PF025X9U+yG2oIopwXEVBkxcD70eyuJn3OqH0xoVLBkbhNM9i8LHrA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-30T17:57:48Z" - mac: ENC[AES256_GCM,data:FqpNhClCyAjZvxt0bXOULwr9GqpR+vMg7l0wTdqGUllGUffsb/IO2rnP3J8KNhsnVVyHWndYwVTv3u7lzkKfgSIFJ1Qi5q05w6Hy1fPkPw5ycxz7H1Tq0Ck1mOmkQfM459+lue4QJAqPI0OOBZ/15MB2NH3++7rdltmBwlsRfSI=,iv:9mMKldTd5zhZX7iX/M2MRzHq7fbVPzRIbiMFLdjTowY=,tag:zKUsu9k72E+hmQ0TFC4cbw==,type:str] + lastmodified: "2024-07-04T21:34:21Z" + mac: ENC[AES256_GCM,data:gL7TbCjZNu3yF8oyEcFr367XymzSYRvltGJPG5jK/nbztKFV72Fl2gpdprch+P67dDxDFoJL1NvDDmHt6yM0WfdDPJS/ivMlgi9Sg5ZG2S5OyBBUxDbkp/6BXwJQ9eY72ee3SmufE+cTjUNF0ANxueznHpFhXLp/1Fj9TixgHM4=,iv:s2cE9lrjNvuYT96WXOJZaAomt3VWIzHFQqPncZyydhk=,tag:MGI4OmNfEDSB8jE7wxDamQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1
From fcedca9777eb759702a558e6f7ad3096b8f99f4b Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Sun, 7 Jul 2024 19:43:28 -0400
Subject: [PATCH 2/2] Immich via Docker Compose This is how they strongly encourage it to be setup and its not in nixpkgs yet.
---
 modules/hosts/nixos/nixnuc/default.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 0ae0a79..a72add9 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -283,6 +283,20 @@ in {
 forceSSL = true;
 locations."/".proxyPass = "http://${mini_watcher}:9999";
 };
+ "immich.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${backend_ip}:2283";
+ locations."/".proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 0;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
 "nc.${home_domain}" = {
 listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
 enableACME = true;
@@ -329,6 +343,7 @@ in {
 acmeRoot = null;
 forceSSL = true;
 locations."/".proxyPass = "http://${backend_ip}:8080";
+ locations."/media/".alias = "/orico/tandoor-recipes/";
 };
 };
 };
@@ -419,6 +434,7 @@ in {
 # Compose based apps were crashing with podman compose, so back to Docker...
 virtualisation.docker.enable = true;
+ virtualisation.docker.package = pkgs.docker_26;
 virtualisation.podman = {
 enable = true;
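Review bot: `client_max_body_size 0;` in the new `immich` vhost's `extraConfig` removes nginx's request-body limit entirely, so any client that can reach this listener on `0.0.0.0` can push arbitrarily large bodies through to the backend and its disk. A large but finite cap sized to the biggest expected upload, for example `client_max_body_size 50000M;`, keeps big video uploads working while bounding a single request. Because the backend is a Compose stack (per the commit message), it is also worth checking that port 2283 is published only on the address nginx proxies to, since Docker-published ports are typically not filtered by the host firewall. The compose file is not part of this patch, so that cannot be confirmed from here.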
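Review bot: `locations."/media/".alias = "/orico/tandoor-recipes/";` serves the whole application directory rather than the media directory: patch 1/2 sets `MEDIA_ROOT = "/orico/tandoor-recipes/mediafiles"` and also places the `tandoor_db_pass` and `tandoor_secret_key` secrets at `/orico/tandoor-recipes/.dbpass` and `.skey` with mode `0444`. Unless something outside this hunk prevents it, nginx would be able to read those files and hand them to anyone who can reach the vhost. The alias should point at the media directory itself, `locations."/media/".alias = "/orico/tandoor-recipes/mediafiles/";`, and the secrets should live outside any path nginx serves. The enclosing virtual host definition starts outside the hunk.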