diff --git a/machines/photo01/_configuration.nix b/machines/photo01/_configuration.nix new file mode 100644 index 0000000..4da2284 --- /dev/null +++ b/machines/photo01/_configuration.nix @@ -0,0 +1,56 @@ +# TODO: revamp to use the same framework as the other VMs +{ pkgs, ... }: + +let + address = "129.199.146.101"; +in +{ + imports = [ + ./_hardware-configuration.nix + + # NOTE: For now, only deploy the bare minimum + ./immich.nix + ./nginx.nix + ./photoprism.nix + ]; + deployment.targetHost = address; + + networking = { + firewall.allowedTCPPorts = [ + 22 + 80 + 443 + 8007 + ]; + firewall.allowedUDPPorts = [ ]; + useNetworkd = true; + }; + + time.timeZone = "Europe/Paris"; + environment.systemPackages = with pkgs; [ neovim ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270" + ]; + + security.acme.acceptTerms = true; + + systemd.network = { + config.routeTables = { + he = 100; + mwan = 110; + }; + networks = { + "10-ens18" = { + name = "ens18"; + + networkConfig = { + Description = "ENS uplink"; + Address = [ "129.199.146.101/24" ]; + Gateway = "129.199.146.254"; + LLDP = true; + }; + }; + }; + }; +} diff --git a/machines/photo01/_hardware-configuration.nix b/machines/photo01/_hardware-configuration.nix new file mode 100644 index 0000000..e87eb0d --- /dev/null +++ b/machines/photo01/_hardware-configuration.nix @@ -0,0 +1,35 @@ +{ lib, modulesPath, ... }: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + loader.systemd-boot.enable = true; + initrd.kernelModules = [ ]; + kernelModules = [ ]; + extraModulePackages = [ ]; + initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + + }; + + fileSystems."/" = { + device = "/dev/disk/by-partlabel/disk-sda-root"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-partlabel/disk-sda-ESP"; + fsType = "vfat"; + }; + + networking.useDHCP = lib.mkDefault false; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/machines/photo01/immich.nix b/machines/photo01/immich.nix new file mode 100644 index 0000000..3d1f0c9 --- /dev/null +++ b/machines/photo01/immich.nix @@ -0,0 +1,16 @@ +{ + services.immich = { + enable = true; + # NOTE: default port changes in a later version + port = 3001; + machine-learning.enable = true; + host = "localhost"; + }; + + services.nginx.virtualHosts."immich.cgiga.fr" = { + enableACME = true; + forceSSL = true; + serverAliases = [ ]; + locations."/".proxyPass = "http://localhost:3001/"; + }; +} diff --git a/machines/photo01/nginx.nix b/machines/photo01/nginx.nix new file mode 100644 index 0000000..b44aeaa --- /dev/null +++ b/machines/photo01/nginx.nix @@ -0,0 +1,10 @@ +{ + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + clientMaxBodySize = "500m"; + }; +} diff --git a/machines/photo01/openssh.nix b/machines/photo01/openssh.nix new file mode 100644 index 0000000..5f4aeb2 --- /dev/null +++ b/machines/photo01/openssh.nix @@ -0,0 +1,8 @@ +{ + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + }; + }; +} diff --git a/machines/photo01/photoprism.nix b/machines/photo01/photoprism.nix new file mode 100644 index 0000000..644e406 --- /dev/null +++ b/machines/photo01/photoprism.nix @@ -0,0 +1,54 @@ +{ pkgs, ... }: + +{ + services = { + photoprism = { + enable = true; + port = 2342; + settings = { + PHOTOPRISM_DEFAULT_LOCALE = "fr"; + PHOTOPRISM_ADMIN_USERNAME = "admin"; + PHOHOPRISM_SITE_URL = "https://photoprism.cgiga.fr"; + PHOTOPRISM_SITE_CAPTION = "PhotoPrism"; + + # DB access config + PHOTOPRISM_DATABASE_DRIVER = "mysql"; + PHOTOPRISM_DATABASE_NAME = "photoprism"; + PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; + PHOTOPRISM_DATABASE_USER = "photoprism"; + }; + + originalsPath = "/data/photos"; + + address = "localhost"; + + #importPath = "/photoprism/imports"; + passwordFile = "/passwords/photoprism"; + }; + + mysql = { + enable = true; + dataDir = "/data/mysql"; + package = pkgs.mariadb; + ensureDatabases = [ "photoprism" ]; + ensureUsers = [ + { + name = "photoprism"; + ensurePermissions = { + "photoprism.*" = "ALL PRIVILEGES"; + }; + } + ]; + }; + + nginx.virtualHosts."photoprism.cgiga.fr" = { + enableACME = true; + forceSSL = true; + serverAliases = [ ]; + locations."/" = { + proxyPass = "http://localhost:2342/"; + proxyWebsockets = true; + }; + }; + }; +} diff --git a/machines/photo01/secrets/secrets.nix b/machines/photo01/secrets/secrets.nix new file mode 100644 index 0000000..4f61be6 --- /dev/null +++ b/machines/photo01/secrets/secrets.nix @@ -0,0 +1,3 @@ +(import ../../../keys).mkSecrets [ "photo01" ] [ + # List of secrets for router02 +] diff --git a/meta/network.nix b/meta/network.nix index 61e8875..ca31c69 100644 --- a/meta/network.nix +++ b/meta/network.nix @@ -49,4 +49,11 @@ hostId = "144d0f7a"; }; + photo01 = { + interfaces = { }; + + addresses.ipv4 = [ "129.199.146.101" ]; + + hostId = "bcf8ff03"; + }; } diff --git a/meta/nodes.nix b/meta/nodes.nix index 1479f4e..f3fca44 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -19,7 +19,6 @@ - luj01 -> VM de Luj */ { - krz01 = { site = "pav01"; @@ -36,6 +35,15 @@ stateVersion = "24.05"; nixpkgs = "24.05"; }; + photo01 = { + site = "pav01"; + + # TODO + hashedPassword = "$y$j9T$aFhOWa05W7VKeKt3Nc.nA1$uBOvG4wf7/yWjwOxO8NLf9ipCsAkS1.5cD2EJpLx57A"; + + stateVersion = "24.05"; + nixpkgs = "unstable"; + }; router02 = { site = "pav01";