From a5c1974e86362362be7a35854d35dade33422d07 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:39:34 +0100 Subject: [PATCH 01/19] feat(photo01): init --- machines/photo01/_configuration.nix | 97 ++++++++++++++++++++ machines/photo01/_hardware-configuration.nix | 16 ++++ machines/photo01/immich.nix | 16 ++++ machines/photo01/photoprism.nix | 53 +++++++++++ meta/nodes.nix | 10 +- 5 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 machines/photo01/_configuration.nix create mode 100644 machines/photo01/_hardware-configuration.nix create mode 100644 machines/photo01/immich.nix create mode 100644 machines/photo01/photoprism.nix diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix new file mode 100644 index 0000000..18363b9 --- /dev/null +++ b/machines/photo01/_configuration.nix 
@@ -0,0 +1,97 @@ +# TODO: revamp to use the same framework as the other VMs +{ lib, pkgs, inputs, ... }: + +let address = "129.199.146.101"; +in +{ + imports = [ + ./hardware.nix + + # NOTE: For now, only deploy the bare minimum + ./photoprism.nix + ./immich.nix + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + + networking.hostName = "photoprism"; + + disko.devices = import ./disko.nix; + + deployment.targetHost = address; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + environment.systemPackages = with pkgs; [ neovim ]; + + services.openssh = { + enable = true; + settings = { PasswordAuthentication = false; }; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270" + ]; + + security.acme.acceptTerms = true; + security.acme.defaults.email = "webmaster@nixos.org"; + + networking.firewall.allowedTCPPorts = [ 22 80 443 8007 ]; + networking.firewall.allowedUDPPorts = [ ]; + + networking.useNetworkd = true; + + systemd.network = { + config.routeTables = { + he = 100; + mwan = 110; + }; + networks = { + "10-ens18" = { + name = "ens18"; + + networkConfig = { + Description = "ENS uplink"; + Address = [ "129.199.146.101/24" ]; + Gateway = "129.199.146.254"; + LLDP = true; + }; + }; + }; + }; + + # TODO: switch to unixsockets if supported + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + clientMaxBodySize = "500m"; + }; + + nix = { + settings = { + trusted-users = [ "@wheel" "root" "nix-ssh" ]; + auto-optimise-store = true; + }; + #package = pkgs.nixUnstable; + extraOptions = let + empty_registry = builtins.toFile "empty-flake-registry.json" + ''{"flakes":[],"version":2}''; + in '' + experimental-features = nix-command flakes 
+ flake-registry = ${empty_registry} + builders-use-substitutes = true + ''; + registry.nixpkgs.flake = inputs.nixpkgs; + nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; + }; + + + system.stateVersion = "24.05"; +} + diff --git a/machines/photo01/_hardware-configuration.nix b/machines/photo01/_hardware-configuration.nix new file mode 100644 index 0000000..9ce9955 --- /dev/null +++ b/machines/photo01/_hardware-configuration.nix @@ -0,0 +1,16 @@ +{ lib, modulesPath, ... }: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + networking.useDHCP = lib.mkDefault false; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} + diff --git a/machines/photo01/immich.nix b/machines/photo01/immich.nix new file mode 100644 index 0000000..e252ce9 --- /dev/null +++ b/machines/photo01/immich.nix @@ -0,0 +1,16 @@ +{ + services.immich = { + enable = true; + # default port: 3001 + machine-learning.enable = true; + host = "localhost"; + }; + + services.nginx.virtualHosts."immich.cgiga.fr" = { + enableACME = true; + forceSSL = true; + serverAliases = []; + locations."/".proxyPass = "http://localhost:2283/"; + }; +} + diff --git a/machines/photo01/photoprism.nix b/machines/photo01/photoprism.nix new file mode 100644 index 0000000..0ee31da --- /dev/null +++ b/machines/photo01/photoprism.nix 
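Review bot: `networking.firewall.allowedTCPPorts` opens 8007, but nothing in this series listens on that port — PhotoPrism (2342) and Immich are only reached through nginx on 80/443 — so the entry should be dropped or carry a comment naming the service it is meant for. `security.acme.defaults.email = "webmaster@nixos.org"` is the placeholder from the NixOS examples rather than an address the operators of this host control, so expiry and revocation notices from the CA go to a third party; use a project-owned mailbox. The uplink address is also written twice (`address` and the literal in `Address = [ "129.199.146.101/24" ]`); `Address = [ "${address}/24" ];` keeps the two from drifting.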
@@ -0,0 +1,53 @@ +{ lib, modulesPath, pkgs, ... }: + +let port = 2342; +in +{ + services.photoprism = { + enable = true; + port = port; + settings = { + PHOTOPRISM_DEFAULT_LOCALE = "fr"; + PHOTOPRISM_ADMIN_USERNAME = "admin"; + PHOHOPRISM_SITE_URL = "https://photoprism.cgiga.fr"; + PHOTOPRISM_SITE_CAPTION = "PhotoPrism"; + + # DB access config + PHOTOPRISM_DATABASE_DRIVER = "mysql"; + PHOTOPRISM_DATABASE_NAME = "photoprism"; + PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; + PHOTOPRISM_DATABASE_USER = "photoprism"; + }; + + originalsPath = "/data/photos"; + + address = "localhost"; + + #importPath = "/photoprism/imports"; + passwordFile = "/passwords/photoprism"; + }; + + services.mysql = { + enable = true; + dataDir = "/data/mysql"; + package = pkgs.mariadb; + ensureDatabases = [ "photoprism" ]; + ensureUsers = [{ + name = "photoprism"; + ensurePermissions = { + "photoprism.*" = "ALL PRIVILEGES"; + }; + }]; + }; + + services.nginx.virtualHosts."photoprism.cgiga.fr" = { + enableACME = true; + forceSSL = true; + serverAliases = []; + locations."/" = { + proxyPass = "http://localhost:${toString port}/"; + proxyWebsockets = true; + }; + }; +} + diff --git a/meta/nodes.nix b/meta/nodes.nix index 1479f4e..03bc7d0 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -19,7 +19,6 @@ - luj01 -> VM de Luj */ { - krz01 = { site = "pav01"; @@ -36,6 +35,15 @@ stateVersion = "24.05"; nixpkgs = "24.05"; }; + photo01 = { + site = "pav01"; + + # TODO + hashedPassword = "$y$j9T$aFhOWa05W7VKeKt3Nc.nA1$uBOvG4wf7/yWjwOxO8NLf9ipCsAkS1.5cD2EJpLx57A"; + + stateVersion = "24.05"; + nixpkgs = "24.05"; + }; router02 = { site = "pav01"; -- 2.47.1 From 271fa9ec359f4f4041633452134bd5f7d6f49871 Mon Sep 17 00:00:00 2001 
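Review bot: `PHOHOPRISM_SITE_URL` is misspelled (`PHOHO` for `PHOTO`), so PhotoPrism never sees the setting and its site URL stays at the default even though the service is published as `https://photoprism.cgiga.fr` behind nginx; the typo survives the re-indent in patch 07 as well, so fix it as `PHOTOPRISM_SITE_URL = "https://photoprism.cgiga.fr";`. `passwordFile = "/passwords/photoprism"` points at an ad-hoc path outside the repository's secrets mechanism: the file has to exist before the first deploy, and the hunk says nothing about who provisions it or that it must be readable only by the PhotoPrism service user. A comment stating that, or moving the file into the `secrets.nix` list that patch 15 introduces, would make the dependency visible.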
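Review bot: The `hashedPassword` added for `photo01` in `meta/nodes.nix` carries only a bare `# TODO`, which does not say whether the hash is a placeholder or a live credential, nor which account it is for. A password hash committed to a repository can be attacked offline, and if this one was copied from another node the two hosts now share a password; a comment such as `# TODO: host-specific hash, rotate before photo01 is reachable` plus a freshly generated hash for this machine would settle both questions.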
From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:40:50 +0100 Subject: [PATCH 02/19] fix: fmt --- machines/photo01/_configuration.nix | 45 +++++++++++++------- machines/photo01/_hardware-configuration.nix | 11 +++-- machines/photo01/immich.nix | 3 +- machines/photo01/photoprism.nix | 25 ++++++----- 4 files changed, 54 insertions(+), 30 deletions(-) diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index 18363b9..821a18c 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -1,7 +1,12 @@ # TODO: revamp to use the same framework as the other VMs -{ lib, pkgs, inputs, ... }: +{ + pkgs, + inputs, + ... +}: -let address = "129.199.146.101"; +let + address = "129.199.146.101"; in { imports = [ @@ -28,7 +33,9 @@ in services.openssh = { enable = true; - settings = { PasswordAuthentication = false; }; + settings = { + PasswordAuthentication = false; + }; }; users.users.root.openssh.authorizedKeys.keys = [ @@ -39,7 +46,12 @@ in security.acme.acceptTerms = true; security.acme.defaults.email = "webmaster@nixos.org"; - networking.firewall.allowedTCPPorts = [ 22 80 443 8007 ]; + networking.firewall.allowedTCPPorts = [ + 22 + 80 + 443 + 8007 + ]; networking.firewall.allowedUDPPorts = [ ]; networking.useNetworkd = true; 
@@ -75,23 +87,26 @@ in nix = { settings = { - trusted-users = [ "@wheel" "root" "nix-ssh" ]; + trusted-users = [ + "@wheel" + "root" + "nix-ssh" + ]; auto-optimise-store = true; }; #package = pkgs.nixUnstable; - extraOptions = let - empty_registry = builtins.toFile "empty-flake-registry.json" - ''{"flakes":[],"version":2}''; - in '' - experimental-features = nix-command flakes - flake-registry = ${empty_registry} - builders-use-substitutes = true - ''; + extraOptions = + let + empty_registry = builtins.toFile "empty-flake-registry.json" ''{"flakes":[],"version":2}''; + in + '' + experimental-features = nix-command flakes + flake-registry = ${empty_registry} + builders-use-substitutes = true + ''; registry.nixpkgs.flake = inputs.nixpkgs; nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; }; - system.stateVersion = "24.05"; } - diff --git a/machines/photo01/_hardware-configuration.nix b/machines/photo01/_hardware-configuration.nix index 9ce9955..d9ffbf4 100644 --- a/machines/photo01/_hardware-configuration.nix +++ b/machines/photo01/_hardware-configuration.nix @@ -3,8 +3,14 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = - [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; @@ -13,4 +19,3 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } - diff --git a/machines/photo01/immich.nix b/machines/photo01/immich.nix index e252ce9..d19721c 100644 --- a/machines/photo01/immich.nix +++ b/machines/photo01/immich.nix @@ -9,8 +9,7 @@ services.nginx.virtualHosts."immich.cgiga.fr" = { enableACME = true; forceSSL = true; - serverAliases = []; + serverAliases = [ ]; locations."/".proxyPass = "http://localhost:2283/"; }; } - 
diff --git a/machines/photo01/photoprism.nix b/machines/photo01/photoprism.nix index 0ee31da..5398c5d 100644 --- a/machines/photo01/photoprism.nix +++ b/machines/photo01/photoprism.nix @@ -1,6 +1,10 @@ -{ lib, modulesPath, pkgs, ... }: +{ + pkgs, + ... +}: -let port = 2342; +let + port = 2342; in { services.photoprism = { @@ -32,22 +36,23 @@ in dataDir = "/data/mysql"; package = pkgs.mariadb; ensureDatabases = [ "photoprism" ]; - ensureUsers = [{ - name = "photoprism"; - ensurePermissions = { - "photoprism.*" = "ALL PRIVILEGES"; - }; - }]; + ensureUsers = [ + { + name = "photoprism"; + ensurePermissions = { + "photoprism.*" = "ALL PRIVILEGES"; + }; + } + ]; }; services.nginx.virtualHosts."photoprism.cgiga.fr" = { enableACME = true; forceSSL = true; - serverAliases = []; + serverAliases = [ ]; locations."/" = { proxyPass = "http://localhost:${toString port}/"; proxyWebsockets = true; }; }; } - -- 2.47.1 From 997e0e71dbf2479bc67f7cd8054cf8eab9782066 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:41:54 +0100 Subject: [PATCH 03/19] fix: fmt --- machines/photo01/_configuration.nix | 30 ++++++++++++++--------------- machines/photo01/photoprism.nix | 5 +---- 2 files changed, 16 insertions(+), 19 deletions(-) diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index 821a18c..0f385bd 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -1,9 +1,5 @@ # TODO: revamp to use the same framework as the other VMs -{ - pkgs, - inputs, - ... -}: +{ pkgs, inputs, ... }: let address = "129.199.146.101"; @@ -20,7 +16,20 @@ in # Bootloader. boot.loader.systemd-boot.enable = true; - networking.hostName = "photoprism"; + networking = { + hostName = "photoprism"; + + firewall.allowedTCPPorts = [ + 22 + 80 + 443 + 8007 + ]; + firewall.allowedUDPPorts = [ ]; + + useNetworkd = true; + }; + disko.devices = import ./disko.nix; 
@@ -46,15 +55,6 @@ in security.acme.acceptTerms = true; security.acme.defaults.email = "webmaster@nixos.org"; - networking.firewall.allowedTCPPorts = [ - 22 - 80 - 443 - 8007 - ]; - networking.firewall.allowedUDPPorts = [ ]; - - networking.useNetworkd = true; systemd.network = { config.routeTables = { diff --git a/machines/photo01/photoprism.nix b/machines/photo01/photoprism.nix index 5398c5d..661a913 100644 --- a/machines/photo01/photoprism.nix +++ b/machines/photo01/photoprism.nix @@ -1,7 +1,4 @@ -{ - pkgs, - ... -}: +{ pkgs, ... }: let port = 2342; -- 2.47.1 From c2875a70f85435c41e9350c470fe139b4189b14a Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:43:16 +0100 Subject: [PATCH 04/19] fix: fmt --- machines/photo01/_configuration.nix | 21 +++++++++----------- machines/photo01/_hardware-configuration.nix | 12 +++++++---- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index 0f385bd..f414ad6 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -14,23 +14,21 @@ in ]; # Bootloader. - boot.loader.systemd-boot.enable = true; networking = { - hostName = "photoprism"; + hostName = "photoprism"; - firewall.allowedTCPPorts = [ - 22 - 80 - 443 - 8007 - ]; - firewall.allowedUDPPorts = [ ]; + firewall.allowedTCPPorts = [ + 22 + 80 + 443 + 8007 + ]; + firewall.allowedUDPPorts = [ ]; - useNetworkd = true; + useNetworkd = true; }; - disko.devices = import ./disko.nix; deployment.targetHost = address; @@ -55,7 +53,6 @@ in security.acme.acceptTerms = true; security.acme.defaults.email = "webmaster@nixos.org"; - systemd.network = { config.routeTables = { he = 100; diff --git a/machines/photo01/_hardware-configuration.nix b/machines/photo01/_hardware-configuration.nix index d9ffbf4..e081e13 100644 --- a/machines/photo01/_hardware-configuration.nix +++ b/machines/photo01/_hardware-configuration.nix 
@@ -3,7 +3,12 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ + boot = { + loader.systemd-boot.enable = true; + initrd.kernelModules = [ ]; + kernelModules = [ ]; + extraModulePackages = [ ]; + initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" @@ -11,9 +16,8 @@ "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + + }; networking.useDHCP = lib.mkDefault false; -- 2.47.1 From a81b8de9cc23a86c5f54b16bfd3b14019ba36f80 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:44:54 +0100 Subject: [PATCH 05/19] fix(photo01): split services into modules --- machines/photo01/_configuration.nix | 15 ------------ machines/photo01/_hardware-configuration.nix | 24 ++++++++++---------- machines/photo01/nginx.nix | 13 +++++++++++ machines/photo01/openssh.nix | 11 +++++++++ 4 files changed, 36 insertions(+), 27 deletions(-) create mode 100644 machines/photo01/nginx.nix create mode 100644 machines/photo01/openssh.nix diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index f414ad6..08e2fb4 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -38,13 +38,6 @@ in environment.systemPackages = with pkgs; [ neovim ]; - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - }; - }; - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270" @@ -73,14 +66,6 @@ in }; # TODO: switch to unixsockets if supported - services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - clientMaxBodySize = "500m"; - }; nix = { settings = { 
diff --git a/machines/photo01/_hardware-configuration.nix b/machines/photo01/_hardware-configuration.nix index e081e13..6fd864e 100644 --- a/machines/photo01/_hardware-configuration.nix +++ b/machines/photo01/_hardware-configuration.nix @@ -4,18 +4,18 @@ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot = { - loader.systemd-boot.enable = true; - initrd.kernelModules = [ ]; - kernelModules = [ ]; - extraModulePackages = [ ]; - initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; + loader.systemd-boot.enable = true; + initrd.kernelModules = [ ]; + kernelModules = [ ]; + extraModulePackages = [ ]; + initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; }; diff --git a/machines/photo01/nginx.nix b/machines/photo01/nginx.nix new file mode 100644 index 0000000..a87afd8 --- /dev/null +++ b/machines/photo01/nginx.nix @@ -0,0 +1,13 @@ +{ ... }: + +{ + + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + clientMaxBodySize = "500m"; + }; +} diff --git a/machines/photo01/openssh.nix b/machines/photo01/openssh.nix new file mode 100644 index 0000000..c60bd67 --- /dev/null +++ b/machines/photo01/openssh.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + }; + }; + +} -- 2.47.1 From abf9f2d2f510fad8535409886e0c9997c5b04836 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:46:03 +0100 Subject: [PATCH 06/19] fix: fmt --- machines/photo01/photoprism.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/machines/photo01/photoprism.nix b/machines/photo01/photoprism.nix index 661a913..7464a49 100644 --- a/machines/photo01/photoprism.nix +++ b/machines/photo01/photoprism.nix 
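Review bot: The new `openssh.nix` disables only `PasswordAuthentication`; with the NixOS defaults `KbdInteractiveAuthentication` stays enabled, and keyboard-interactive authentication goes through PAM, which accepts the same account passwords, so the host is not yet key-only. Add `KbdInteractiveAuthentication = false;` next to `PasswordAuthentication = false;`. Since the authorized keys in `_configuration.nix` are attached to root, stating `PermitRootLogin = "prohibit-password";` explicitly is also worthwhile — it is the NixOS default, but pinning it documents the intent.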
@@ -4,7 +4,8 @@ let port = 2342; in { - services.photoprism = { + services = { + photoprism = { enable = true; port = port; settings = { @@ -28,7 +29,7 @@ in passwordFile = "/passwords/photoprism"; }; - services.mysql = { + mysql = { enable = true; dataDir = "/data/mysql"; package = pkgs.mariadb; @@ -52,4 +53,5 @@ in proxyWebsockets = true; }; }; +}; } -- 2.47.1 From 2aa758ae94d2bc19c9249f364bb6aad71c719c6d Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:47:17 +0100 Subject: [PATCH 07/19] style(photo01): "..." -> "" in module inputs --- machines/photo01/nginx.nix | 2 +- machines/photo01/openssh.nix | 2 +- machines/photo01/photoprism.nix | 87 ++++++++++++++++----------------- 3 files changed, 44 insertions(+), 47 deletions(-) diff --git a/machines/photo01/nginx.nix b/machines/photo01/nginx.nix index a87afd8..c955e54 100644 --- a/machines/photo01/nginx.nix +++ b/machines/photo01/nginx.nix @@ -1,4 +1,4 @@ -{ ... }: +{ }: { diff --git a/machines/photo01/openssh.nix b/machines/photo01/openssh.nix index c60bd67..ffdc319 100644 --- a/machines/photo01/openssh.nix +++ b/machines/photo01/openssh.nix @@ -1,4 +1,4 @@ -{ ... }: +{ _ }: { services.openssh = { diff --git a/machines/photo01/photoprism.nix b/machines/photo01/photoprism.nix index 7464a49..e0a7139 100644 --- a/machines/photo01/photoprism.nix +++ b/machines/photo01/photoprism.nix 
@@ -1,57 +1,54 @@ { pkgs, ... }: -let - port = 2342; -in { services = { photoprism = { - enable = true; - port = port; - settings = { - PHOTOPRISM_DEFAULT_LOCALE = "fr"; - PHOTOPRISM_ADMIN_USERNAME = "admin"; - PHOHOPRISM_SITE_URL = "https://photoprism.cgiga.fr"; - PHOTOPRISM_SITE_CAPTION = "PhotoPrism"; + enable = true; + port = 2342; + settings = { + PHOTOPRISM_DEFAULT_LOCALE = "fr"; + PHOTOPRISM_ADMIN_USERNAME = "admin"; + PHOHOPRISM_SITE_URL = "https://photoprism.cgiga.fr"; + PHOTOPRISM_SITE_CAPTION = "PhotoPrism"; - # DB access config - PHOTOPRISM_DATABASE_DRIVER = "mysql"; - PHOTOPRISM_DATABASE_NAME = "photoprism"; - PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; - PHOTOPRISM_DATABASE_USER = "photoprism"; + # DB access config + PHOTOPRISM_DATABASE_DRIVER = "mysql"; + PHOTOPRISM_DATABASE_NAME = "photoprism"; + PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; + PHOTOPRISM_DATABASE_USER = "photoprism"; + }; + + originalsPath = "/data/photos"; + + address = "localhost"; + + #importPath = "/photoprism/imports"; + passwordFile = "/passwords/photoprism"; }; - originalsPath = "/data/photos"; + mysql = { + enable = true; + dataDir = "/data/mysql"; + package = pkgs.mariadb; + ensureDatabases = [ "photoprism" ]; + ensureUsers = [ + { + name = "photoprism"; + ensurePermissions = { + "photoprism.*" = "ALL PRIVILEGES"; + }; + } + ]; + }; - address = "localhost"; - - #importPath = "/photoprism/imports"; - passwordFile = "/passwords/photoprism"; - }; - - mysql = { - enable = true; - dataDir = "/data/mysql"; - package = pkgs.mariadb; - ensureDatabases = [ "photoprism" ]; - ensureUsers = [ - { - name = "photoprism"; - ensurePermissions = { - "photoprism.*" = "ALL PRIVILEGES"; - }; - } - ]; - }; - - services.nginx.virtualHosts."photoprism.cgiga.fr" = { - enableACME = true; - forceSSL = true; - serverAliases = [ ]; - locations."/" = { - proxyPass = "http://localhost:${toString port}/"; - proxyWebsockets = true; + services.nginx.virtualHosts."photoprism.cgiga.fr" 
= { + enableACME = true; + forceSSL = true; + serverAliases = [ ]; + locations."/" = { + proxyPass = "http://localhost:${toString port}/"; + proxyWebsockets = true; + }; }; }; -}; } -- 2.47.1 From b478879fe821602d3ef1ec3b3750060a03c98be3 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:48:02 +0100 Subject: [PATCH 08/19] style(photo01): "" -> "_" --- machines/photo01/nginx.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/photo01/nginx.nix b/machines/photo01/nginx.nix index c955e54..cd65d4e 100644 --- a/machines/photo01/nginx.nix +++ b/machines/photo01/nginx.nix @@ -1,4 +1,4 @@ -{ }: +{ _ }: { -- 2.47.1 From e1f1054d675437171a06377798c223a18c2207ab Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:49:13 +0100 Subject: [PATCH 09/19] style(photo01): remove lambda instance --- machines/photo01/nginx.nix | 3 --- machines/photo01/openssh.nix | 3 --- 2 files changed, 6 deletions(-) diff --git a/machines/photo01/nginx.nix b/machines/photo01/nginx.nix index cd65d4e..b44aeaa 100644 --- a/machines/photo01/nginx.nix +++ b/machines/photo01/nginx.nix @@ -1,7 +1,4 @@ -{ _ }: - { - services.nginx = { enable = true; recommendedTlsSettings = true; diff --git a/machines/photo01/openssh.nix b/machines/photo01/openssh.nix index ffdc319..5f4aeb2 100644 --- a/machines/photo01/openssh.nix +++ b/machines/photo01/openssh.nix @@ -1,5 +1,3 @@ -{ _ }: - { services.openssh = { enable = true; @@ -7,5 +5,4 @@ PasswordAuthentication = false; }; }; - } -- 2.47.1 From 91eea5d17195656fdfcf102b2e48487e9dbae45e Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:52:45 +0100 Subject: [PATCH 10/19] feat(photo01): add to meta --- meta/network.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/meta/network.nix b/meta/network.nix index 61e8875..ca31c69 100644 --- a/meta/network.nix +++ b/meta/network.nix 
@@ -49,4 +49,11 @@ hostId = "144d0f7a"; }; + photo01 = { + interfaces = { }; + + addresses.ipv4 = [ "129.199.146.101" ]; + + hostId = "bcf8ff03"; + }; } -- 2.47.1 From 73741a3f9130b1268de8085cebea49cba0d41e89 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:55:16 +0100 Subject: [PATCH 11/19] feat(photo01): switch to unstable nixpkgs --- meta/nodes.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/nodes.nix b/meta/nodes.nix index 03bc7d0..f3fca44 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -42,7 +42,7 @@ hashedPassword = "$y$j9T$aFhOWa05W7VKeKt3Nc.nA1$uBOvG4wf7/yWjwOxO8NLf9ipCsAkS1.5cD2EJpLx57A"; stateVersion = "24.05"; - nixpkgs = "24.05"; + nixpkgs = "unstable"; }; router02 = { site = "pav01"; -- 2.47.1 From b19fba8f0b44c02f54902cf5e5a6bc80876dfe1e Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:59:21 +0100 Subject: [PATCH 12/19] fix(photo01): module name missmatch --- machines/photo01/_configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index 08e2fb4..a2bc088 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -6,7 +6,7 @@ let in { imports = [ - ./hardware.nix + ./_hardware-configuration.nix # NOTE: For now, only deploy the bare minimum ./photoprism.nix -- 2.47.1 From f6fcdf21a7576685d1a4ddc0ef417c1214730b46 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 18:59:56 +0100 Subject: [PATCH 13/19] fix(photo01): unbound variable name --- machines/photo01/photoprism.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/photo01/photoprism.nix b/machines/photo01/photoprism.nix index e0a7139..e589e93 100644 --- a/machines/photo01/photoprism.nix +++ b/machines/photo01/photoprism.nix 
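Review bot: `photo01` in `meta/network.nix` declares `interfaces = { }` while `_configuration.nix` still configures `ens18` by hand under `systemd.network`, and the address `129.199.146.101` is now kept in three places (this entry, the `address` binding, and the `Address` literal). Presumably the other nodes in this file feed the shared framework; either fill in `interfaces` so the uplink is generated like the other machines, or add a comment on this entry saying the manual network configuration in `_configuration.nix` is authoritative until the `TODO: revamp` is done.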
@@ -46,7 +46,7 @@ forceSSL = true; serverAliases = [ ]; locations."/" = { - proxyPass = "http://localhost:${toString port}/"; + proxyPass = "http://localhost:2342/"; proxyWebsockets = true; }; }; -- 2.47.1 From f35d4950730f55dedc1af1f86bea883b12dab86f Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 19:02:40 +0100 Subject: [PATCH 14/19] fix(photo01): nginx invocation --- machines/photo01/_configuration.nix | 14 +------------- machines/photo01/photoprism.nix | 2 +- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index a2bc088..2333eaa 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -12,12 +12,10 @@ in ./photoprism.nix ./immich.nix ]; - - # Bootloader. + deployment.targetHost = address; networking = { hostName = "photoprism"; - firewall.allowedTCPPorts = [ 22 80 @@ -25,19 +23,11 @@ in 8007 ]; firewall.allowedUDPPorts = [ ]; - useNetworkd = true; }; - disko.devices = import ./disko.nix; - - deployment.targetHost = address; - - # Set your time zone. time.timeZone = "Europe/Paris"; - environment.systemPackages = with pkgs; [ neovim ]; - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270" @@ -89,6 +79,4 @@ in registry.nixpkgs.flake = inputs.nixpkgs; nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; }; - - system.stateVersion = "24.05"; } diff --git a/machines/photo01/photoprism.nix b/machines/photo01/photoprism.nix index e589e93..644e406 100644 --- a/machines/photo01/photoprism.nix +++ b/machines/photo01/photoprism.nix @@ -41,7 +41,7 @@ ]; }; - services.nginx.virtualHosts."photoprism.cgiga.fr" = { + nginx.virtualHosts."photoprism.cgiga.fr" = { enableACME = true; forceSSL = true; serverAliases = [ ]; -- 2.47.1 
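Review bot: Replacing `${toString port}` with a literal `2342` fixes the unbound variable but leaves the port written twice, in `photoprism.port` and in `proxyPass`, with nothing tying them together. Taking `config` in the module arguments and writing `proxyPass = "http://localhost:${toString config.services.photoprism.port}/";` keeps the proxy following the service. The same applies to `immich.nix` in patch 18, where `port = 3001` and `proxyPass = "http://localhost:3001/"` are pinned separately.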
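Review bot: The `_configuration.nix` hunk of this commit removes `disko.devices`, `time.timeZone`, `environment.systemPackages` and `system.stateVersion` under the title "fix(photo01): nginx invocation", none of which relates to the nginx fix in `photoprism.nix`, which makes the series harder to bisect and review; patch 17 does the same by deleting the whole `nix = { ... }` block while "reenabling nginx". Dropping `system.stateVersion` and the disko import is presumably safe because the shared framework sets them from `meta/nodes.nix`, but that is not visible here — a sentence in the commit message, or a comment `# stateVersion, disko and nix settings come from the shared framework`, would record it.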
From 375eae9f4da1ecb84c0de7eb4535ab0389ef0f63 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 19:04:20 +0100 Subject: [PATCH 15/19] feat(photo01): add empty secrets db --- machines/photo01/secrets/secrets.nix | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 machines/photo01/secrets/secrets.nix diff --git a/machines/photo01/secrets/secrets.nix b/machines/photo01/secrets/secrets.nix new file mode 100644 index 0000000..9be5034 --- /dev/null +++ b/machines/photo01/secrets/secrets.nix @@ -0,0 +1,4 @@ +(import ../../../keys).mkSecrets [ "photo01" ] [ + # List of secrets for router02 +] + -- 2.47.1 From 055fdb9fcf99ce1c2203aa16775b3c83450e849b Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 19:08:49 +0100 Subject: [PATCH 16/19] feat(photo01): secrets and disk config --- machines/photo01/_configuration.nix | 1 - machines/photo01/_hardware-configuration.nix | 10 ++++++++++ machines/photo01/secrets/secrets.nix | 1 - 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index 2333eaa..5faeb18 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -15,7 +15,6 @@ in deployment.targetHost = address; networking = { - hostName = "photoprism"; firewall.allowedTCPPorts = [ 22 80 diff --git a/machines/photo01/_hardware-configuration.nix b/machines/photo01/_hardware-configuration.nix index 6fd864e..e87eb0d 100644 --- a/machines/photo01/_hardware-configuration.nix +++ b/machines/photo01/_hardware-configuration.nix @@ -19,6 +19,16 @@ }; + fileSystems."/" = { + device = "/dev/disk/by-partlabel/disk-sda-root"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-partlabel/disk-sda-ESP"; + fsType = "vfat"; + }; + networking.useDHCP = lib.mkDefault false; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 
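Review bot: The comment inside the new `secrets.nix` says `# List of secrets for router02`, which was copied from another host and is misleading for `photo01`; change it to `# List of secrets for photo01`. The PhotoPrism admin password that `photoprism.nix` reads from `/passwords/photoprism` is the obvious first entry for this list, so the file should not stay empty for long — a `# TODO: photoprism admin password` line would record that.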
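Review bot: The new `fileSystems."/"` and `fileSystems."/boot"` entries in `_hardware-configuration.nix` mount by the partlabels `disk-sda-root` and `disk-sda-ESP`, which look like disko-generated labels, yet patch 14 dropped `disko.devices = import ./disko.nix` from `_configuration.nix` and no disk layout is added here. If the shared framework provisions the disk, a comment `# partlabels are created by the disko layout supplied by the framework` would say where they come from; if it does not, the host will not find its root filesystem on first boot.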
diff --git a/machines/photo01/secrets/secrets.nix b/machines/photo01/secrets/secrets.nix index 9be5034..4f61be6 100644 --- a/machines/photo01/secrets/secrets.nix +++ b/machines/photo01/secrets/secrets.nix @@ -1,4 +1,3 @@ (import ../../../keys).mkSecrets [ "photo01" ] [ # List of secrets for router02 ] - -- 2.47.1 From dc2842a807cf40ba7f62af298b01022198eb73d2 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 19:38:29 +0100 Subject: [PATCH 17/19] fix(photo01): reenable nginx --- machines/photo01/_configuration.nix | 28 ++-------------------------- 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index 5faeb18..f6c08a7 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -9,8 +9,9 @@ in ./_hardware-configuration.nix # NOTE: For now, only deploy the bare minimum - ./photoprism.nix ./immich.nix + ./nginx.nix + ./photoprism.nix ]; deployment.targetHost = address; @@ -53,29 +54,4 @@ in }; }; }; - - # TODO: switch to unixsockets if supported - - nix = { - settings = { - trusted-users = [ - "@wheel" - "root" - "nix-ssh" - ]; - auto-optimise-store = true; - }; - #package = pkgs.nixUnstable; - extraOptions = - let - empty_registry = builtins.toFile "empty-flake-registry.json" ''{"flakes":[],"version":2}''; - in - '' - experimental-features = nix-command flakes - flake-registry = ${empty_registry} - builders-use-substitutes = true - ''; - registry.nixpkgs.flake = inputs.nixpkgs; - nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; - }; } -- 2.47.1 From b391255aa96edd8eb3fd1a25a1ac35e8caafdd10 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 19:43:51 +0100 Subject: [PATCH 18/19] fix(photo01): fix immich port --- machines/photo01/_configuration.nix | 1 - machines/photo01/immich.nix | 5 +++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index f6c08a7..c9acf28 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -34,7 +34,6 @@ in ]; security.acme.acceptTerms = true; - security.acme.defaults.email = "webmaster@nixos.org"; systemd.network = { config.routeTables = { diff --git a/machines/photo01/immich.nix b/machines/photo01/immich.nix index d19721c..3d1f0c9 100644 --- a/machines/photo01/immich.nix +++ b/machines/photo01/immich.nix @@ -1,7 +1,8 @@ { services.immich = { enable = true; - # default port: 3001 + # NOTE: default port changes in a later version + port = 3001; machine-learning.enable = true; host = "localhost"; }; @@ -10,6 +11,6 @@ enableACME = true; forceSSL = true; serverAliases = [ ]; - locations."/".proxyPass = "http://localhost:2283/"; + locations."/".proxyPass = "http://localhost:3001/"; }; } -- 2.47.1 From e54ef96b2a2fb68ec87c809d4316dcb196d4f3d8 Mon Sep 17 00:00:00 2001 From: Constantin Gierczak--Galle Date: Thu, 21 Nov 2024 19:44:43 +0100 Subject: [PATCH 19/19] fix(photo01): fmt --- machines/photo01/_configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix index c9acf28..4da2284 100644 --- a/machines/photo01/_configuration.nix +++ b/machines/photo01/_configuration.nix @@ -1,5 +1,5 @@ # TODO: revamp to use the same framework as the other VMs -{ pkgs, inputs, ... }: +{ pkgs, ... }: let address = "129.199.146.101"; -- 2.47.1
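Review bot: Removing `security.acme.defaults.email` leaves the ACME account without a contact address while `security.acme.acceptTerms = true` and the two `enableACME` virtual hosts remain. As far as I recall the NixOS module only passes the address through to lego, and lego refuses to register an account without one, so unless the shared framework sets `security.acme.defaults.email` elsewhere, certificate issuance for `immich.cgiga.fr` and `photoprism.cgiga.fr` will fail. Replacing the placeholder with an operator-controlled address, or adding a comment `# acme contact email is set by the shared framework`, would settle it.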