diff --git a/flake.lock b/flake.lock index 0aa2836..286adb5 100644 --- a/flake.lock +++ b/flake.lock @@ -39,6 +39,27 @@ "type": "gitlab" } }, + "copyparty": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1768696246, + "narHash": "sha256-IuoFZtPL/M0lNN4V+MOZT0eyTfh1FvUj9Ubo7yvhYPU=", + "owner": "9001", + "repo": "copyparty", + "rev": "d9255538100f5196a7e4ffdd78661f68d77cdb4f", + "type": "github" + }, + "original": { + "owner": "9001", + "repo": "copyparty", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -133,6 +154,21 @@ "type": "github" } }, + "flake-utils": { + "locked": { + "lastModified": 1678901627, + "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "git-hooks": { "inputs": { "flake-compat": [ @@ -209,11 +245,11 @@ ] }, "locked": { - "lastModified": 1768434960, - "narHash": "sha256-cJbFn17oyg6qAraLr+NVeNJrXsrzJdrudkzI4H2iTcg=", + "lastModified": 1768703115, + "narHash": "sha256-JAXjGiDWlQJSwniCYlnEwU/2KjI0bJ/lV0gpyD9UjxE=", "owner": "nix-community", "repo": "home-manager", - "rev": "b4d88c9ac42ae1a745283f6547701da43b6e9f9b", + "rev": "05fd3bababe5924f9a6128285e7cf6c67d45f3c0", "type": "github" }, "original": { @@ -299,11 +335,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1768397375, - "narHash": "sha256-7QqbFi3ERvKjEdAzEYPv7iSGwpUKSrQW5wPLMFq45AQ=", + "lastModified": 1768584846, + "narHash": "sha256-IRPmIOV2tPwxbhP/I9M5AmwhTC0lMPtoPStC+8T6xl0=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "efe2094529d69a3f54892771b6be8ee4a0ebef0f", + "rev": "cce68f4a54fa4e3d633358364477f5cc1d782440", "type": "github" }, "original": { 
@@ -347,11 +383,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1768305791, - "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=", + "lastModified": 1768564909, + "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e", + "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f", "type": "github" }, "original": { @@ -379,11 +415,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1768305791, - "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=", + "lastModified": 1768564909, + "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e", + "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f", "type": "github" }, "original": { @@ -428,6 +464,7 @@ "root": { "inputs": { "agenix": "agenix", + "copyparty": "copyparty", "deploy-rs": "deploy-rs", "disko": "disko", "home-manager": "home-manager_2", @@ -496,11 +533,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1768379550, - "narHash": "sha256-z94S29l5V86h11LZbPIMbHTJyksDG63aqISsZkTTuJY=", + "lastModified": 1768638486, + "narHash": "sha256-+LC0wOiliUXbIj6zT2hCoOQ0zn33BD2NxGoy0QqP3Eo=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "06f61b4e4f4f6ba8027c96a5611c63dc0db12b90", + "rev": "76bbc35c59419b8b0616fb779ce5600e85edab11", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 958f4ff..ab9195c 100644 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,11 @@ mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; + copyparty = { + url = "github:9001/copyparty"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -35,7 +40,7 @@
pin-factorio.url = "github:NixOS/nixpkgs?rev=c5ae371f1a6a7fd27823bc500d9390b38c05fa55";
};
- outputs = { self, nixpkgs, mailserver, deploy-rs, ... }@inputs: {
+ outputs = { self, nixpkgs, mailserver, copyparty, deploy-rs, ... }@inputs: {
nixosConfigurations = {
# Framework Computer
piaf = nixpkgs.lib.nixosSystem {
@@ -51,6 +56,7 @@
modules = [
./hosts/zora
mailserver.nixosModules.default
+ copyparty.nixosModules.default
];
};
diff --git a/hosts/zora/default.nix b/hosts/zora/default.nix
index 59e3951..6d3d543 100644
--- a/hosts/zora/default.nix
+++ b/hosts/zora/default.nix
@@ -16,6 +16,7 @@
../../modules
../../modules/server
+ ../../modules/server/agraf
../../modules/server/baba
../../modules/server/biggoron
../../modules/server/biggoron/runner.nix
diff --git a/hosts/zora/reverse-proxy.nix b/hosts/zora/reverse-proxy.nix
index 647ec11..5c597fd 100644
--- a/hosts/zora/reverse-proxy.nix
+++ b/hosts/zora/reverse-proxy.nix
@@ -91,12 +91,14 @@
enableACME = true;
locations."/" = {
proxyPass = "http://${config.networking.vpn-netns.vethIP}:${toString config.services.qbittorrent.webuiPort}";
- # extraConfig = ''
- # proxy_set_header Host $host;
- # proxy_set_header X-Real-IP $remote_addr;
- # proxy_set_header X-Forwarded-Proto $scheme;
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # '';
+ };
+ };
+ # 44305
+ "files.lyes.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.copyparty.settings.p}";
};
};
diff --git a/modules/desktop/networking.nix b/modules/desktop/networking.nix
index 07220d5..17479e8 100644
--- a/modules/desktop/networking.nix
+++ b/modules/desktop/networking.nix
@@ -30,9 +30,9 @@
"2620:fe::fe"
"2620:fe::9"
];
- extraConfig = ''
- DNSOverTLS=yes
- '';
+ settings.Resolve = {
+ DNSOverTLS = true;
+ };
};
environment.systemPackages = with pkgs; [ wireguard-tools ];
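Review bot: The new `files.lyes.eu` location proxies to `http://localhost:…` while copyparty in this same commit binds only `i = "127.0.0.1"`; if `localhost` also resolves to `::1` on this host, nginx resolves both addresses at startup and round-robins between them, so a share of requests will 502 against a port nothing listens on. Point the proxy at the address the backend actually binds, `proxyPass = "http://127.0.0.1:${toString config.services.copyparty.settings.p}";`. Copyparty is also configured with `rproxy = -1`, so it expects an `X-Forwarded-For` header from this proxy; the vhost sets no proxy headers itself, which is only correct if `services.nginx.recommendedProxySettings` is enabled elsewhere (not visible in this hunk) — otherwise bans and per-client logic would see every visitor as 127.0.0.1. For a file host, also consider the upload-related nginx settings copyparty's own documentation recommends (a large or unlimited `client_max_body_size`, `proxy_request_buffering off`) in this location's `extraConfig`. The enclosing `virtualHosts` attrset starts and ends outside the hunk.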
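Review bot: `DNSOverTLS = true` selects strict mode, but the `DNS=` entries visible at the top of the hunk (`"2620:fe::fe"`, `"2620:fe::9"`) carry no `#name` suffix, so systemd-resolved has no server name to pin when validating the upstream resolver's certificate, and strict mode may then give you encryption without authentication of the peer. Append the resolver's name to each entry, e.g. `"2620:fe::fe#dns.quad9.net"` and `"2620:fe::9#dns.quad9.net"`, assuming these are the Quad9 addresses they appear to be (the rest of the list is outside the hunk). Since this replaces a hand-written `DNSOverTLS=yes`, also confirm once on a deployed machine that the NixOS `services.resolved.settings` option renders the boolean as a value resolved accepts (`resolvectl status` should report `DNS over TLS: yes`). The `services.resolved` block starts outside the hunk.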
diff --git a/modules/server/README.md b/modules/server/README.md index 1169d49..f9df551 100644 --- a/modules/server/README.md +++ b/modules/server/README.md @@ -1,3 +1,4 @@ +- `agraf` : Copyparty (`files.lyes.eu`) - `baba` : Nextcloud (`cloud.lyes.eu`) - `biggoron` : Forgejo (`git.lyes.eu`) - `giovanni` : Vaultwarden (`vault.lyes.eu`) diff --git a/modules/server/agraf/default.nix b/modules/server/agraf/default.nix new file mode 100644 index 0000000..f22e363 --- /dev/null +++ b/modules/server/agraf/default.nix 
@@ -0,0 +1,172 @@
+{ config, copyparty, ... }:
+
+{
+ services.copyparty = {
+ enable = true;
+
+ package = copyparty.packages."x86_64-linux".copyparty.override {
+ withBasicAudioMetadata = true;
+ withFTPS = true;
+ };
+
+ # package = pkgs.copyparty-most;
+
+ user = "copyparty";
+ group = "copyparty";
+
+ # Order by order of appearence in help text:
+ # https://ocv.me/copyparty/helptext.html
+ settings = {
+ # General options
+ ed = true; # See hidden files (starting with a dot)
+ name = "zora"; # Server name
+ name-url = "https://files.lyes.eu"; # Server URL
+ j = 4; # Max jobs (CPU usage)
+
+ # Network options
+ i = "127.0.0.1"; # Bind IP address
+ p = "44305"; # Listening port
+ rproxy = -1;
+ xff-src = "lan"; # List of trusted reverse-proxy
+
+ # IdP options
+ # idp-h-usr = "x-username";
+ # idp-h-grp = "x-groups";
+ # TODO: check for LDAP integration in copyparty
+
+ # Share options
+ shr = "/share"; # Path where will be available
+
+ # Upload options
+ dotpart = true; # Puts incomplete uploads in dotfiles
+ dedup = true; # Symlink duplicate files
+ safe-dedup = 50; # Verify file contents have not been altered for dedups
+ hardlink = true; # Use hardlink for dedup when possible
+
+ # General DB options
+ e2d = true; # up2k DB (file search, upload-undo, better dedup)
+ e2dsa = true; # Scan all folders on startup
+
+ # Metadata DB options
+ e2t = true; # Metadata indexing
+ e2ts = true; # Scan new files for metadata on startup
+ no-mtag-ff = true; # Nevert use FFprobe
+
+ # Transcoding options
+ q-opus = 320; # Target bitrate for transcoding to OPUS
+ q-mp3 = "320k"; # Target bitrate for transcoding to MP3
+ allow-wav = true; # Allow transcoding to WAV
+ allow-flac = true; # Allow transcoding to FLAC
+
+ # FTP options
+ ftps = 3990; # Enable FTPS on PORT
+ ftp-no-ow = false; # Reject upload if overwrite
+
+ # WebDAV options
+ daw = true;
+ # dav-inf = true;
+ dav-auth = true;
+
+ # OPDS options
+ opds = true; # Allow e-book readers to browse and download files
+
+ # Safety options
+ ls = "**,*,ln,p,r"; # Sanity check on startup
+ xvol = true; # Never follow symlink leaving the volume root
+ force-js = true; # Slight protection against web crawlers ignoring robots.txt
+ no-robots = true; # Set a robot.txt rejecting everything
+ dont-ban = "auth";
+
+ # Grafana / Prometheus metrics endpoint
+ # stats = true; # Enable openmetrics
+
+ # UI options
+ localtime = true; # Use local timezone
+ lang = "fra"; # UI language
+ theme = 2;
+
+ # Logging options
+ ansi = true; # Force colors
+ };
+
+ # globalExtraConfig = "-lo=cpp-%Y-%m%d-%H%M%S.txt.xz";
+
+ accounts = {
+ root.passwordFile = config.age.secrets.agraf-root-pass.path;
+
+ lyes.passwordFile = config.age.secrets.agraf-lyes-pass.path;
+ };
+
+ groups = {
+ su = [ "root" ];
+ };
+
+ volumes =
+ let
+ root = "/var/data/files";
+ in
+ {
+ "/u/\${u}" = {
+ path = "${root}/u/\${u}";
+ access = {
+ "rwmd." = [ "\${u}" ];
+ };
+ };
+
+ "/u/\${u}/public" = {
+ path = "${root}/u/\${u}/public";
+ access = {
+ r = [ "*" ];
+ "rwmd." = [ "\${u}" ];
+ };
+ };
+
+ "/u/\${u}/depot" = {
+ path = "${root}/u/\${u}/depot";
+ access = {
+ w = [ "*" ];
+ "rwmd." = [ "\${u}" ];
+ };
+ };
+
+ "/~\${u}" = {
+ path = "${root}/u/\${u}/web";
+ access = {
+ h = [ "*" ];
+ "rwmd." = [ "\${u}" ];
+ };
+ };
+
+ "/" = {
+ path = "${root}";
+ access = {
+ A = [ "@su" ];
+ "rwmd." = [ "@acct" ];
+ };
+ };
+
+ "/public" = {
+ path = "${root}/public";
+ access = {
+ A = [ "@su" ];
+ "rwmd." = [ "@acct" ];
+ r = [ "*" ];
+ };
+ };
+ };
+
+ openFilesLimit = 65536;
+ };
+
+ age.secrets = {
+ agraf-root-pass = {
+ file = ../../../secrets/zora/services/agraf-root-pass.age;
+ owner = "copyparty";
+ };
+ agraf-lyes-pass = {
+ file = ../../../secrets/zora/services/agraf-lyes-pass.age;
+ owner = "copyparty";
+ };
+ };
+}
+
diff --git a/modules/server/biggoron/runner.nix b/modules/server/biggoron/runner.nix
index 10eef13..4c8a5a8 100644
--- a/modules/server/biggoron/runner.nix
+++ b/modules/server/biggoron/runner.nix
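Review bot: `ftp-no-ow = false;` is annotated `# Reject upload if overwrite`, but `false` is the permissive value — with the flag off, an FTPS client writing into a `depot` volume (where `*` holds `w`) can replace an existing file by reusing its name; if the comment states the intent, the line should read `ftp-no-ow = true;  # Reject FTP uploads that would overwrite an existing file`. The `/` and `/public` volumes grant `"rwmd."` to `@acct`, i.e. every account present now or added later can read, write, move and delete anything under `/var/data/files` that is not shadowed by a more specific volume, including the `u/` tree outside each user's own subvolumes; consider leaving `/` to `A = [ "@su" ]` alone and keeping the shared write surface confined to `/public`. `daw = true` enables full WebDAV write support, which the helptext this file cites describes as allowing PUT to overwrite existing files — worth confirming it remains gated on delete permission for the anonymous-write depot volumes before exposing them. The `ftps = 3990` listener, if it honours the same `i = "127.0.0.1"` bind as the HTTP server (I believe it does), is reachable only from the host itself, so either that is the intent or it needs a wider bind, a passive port range and matching firewall rules. Finally, `copyparty.packages."x86_64-linux"` hardcodes the system; `copyparty.packages.${pkgs.stdenv.hostPlatform.system}` (adding `pkgs` to the module arguments) keeps the module portable.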
@@ -12,6 +12,9 @@ "podman*" ]; + users.users.gitea-runner.isSystemUser = true; + users.users.gitea-runner.group = "gitea-runner"; + users.groups.gitea-runner = {}; services.gitea-actions-runner = { package = pkgs.forgejo-runner; @@ -37,5 +40,6 @@ age.secrets.ptigoron-token = { file = ../../../secrets/zora/services/ptigoron-token.age; owner = "gitea-runner"; + group = "gitea-runner"; }; } diff --git a/secrets.nix b/secrets.nix index 6a048ab..be69f5d 100644 --- a/secrets.nix +++ b/secrets.nix @@ -25,4 +25,6 @@ in "secrets/zora/services/mogma-privatekey.age".publicKeys = all; "secrets/zora/services/tetra-pass.age".publicKeys = all; "secrets/zora/services/lanayru-pass.age".publicKeys = all; + "secrets/zora/services/agraf-root-pass.age".publicKeys = all; + "secrets/zora/services/agraf-lyes-pass.age".publicKeys = all; } diff --git a/secrets/zora/services/agraf-lyes-pass.age b/secrets/zora/services/agraf-lyes-pass.age new file mode 100644 index 0000000..05b726f --- /dev/null +++ b/secrets/zora/services/agraf-lyes-pass.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 whuRpQ lYyPg6IxJ6FET84KEAJ8kFRykUU0X0k5Lob49RCR52E +t7fJ1o3nMhtFCM9RpEG8DvTgQHtazjpYxxevx4Cloe8 +-> ssh-ed25519 TFqgIg DoOo4VX+QG/5itpb7gComQrFvEe/s25ol248KXAJBzQ +Xb+xyGfZb0MS7DAYOBhrhr9AUn4xUpEsQbdy/wtSlQE +--- 1as+tbVwIlYCEZJGRsmkt/pG7haXRIb82IYILMg1gGI +J_ΚyiwS Ɩ5ȠYQJM?O !hTqz]YD +~ \ No newline at end of file diff --git a/secrets/zora/services/agraf-root-pass.age b/secrets/zora/services/agraf-root-pass.age new file mode 100644 index 0000000..04a3f8a --- /dev/null +++ b/secrets/zora/services/agraf-root-pass.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 whuRpQ /PMUWkh9LQks8Gf8VALPn6SuKBcitEkG1lFeCPLcf3E +J1+3l3CWUFBiqHJ2hizUEAWN4Mineotjm3Qf/pEviRk +-> ssh-ed25519 TFqgIg PRR72I27NZq0RyEI8AWOQf/E8DjmCAsz9awmQcJN5Ho +8jzH/Zr01wpk7X84sZSZUT7ob7a5kvdkwV2yQXx+VX8 +--- A4VPCOCifeXXEVLERs7KFt3QHMtATMfD9uYldbUuixQ +C1#ڙrQ=9q.!8E=o#r 19S8ŕ%ad7i \ No newline at end of file
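Review bot: The new static `gitea-runner` user and group are declared without any membership that would give the runner access to the container socket, even though the `podman*` entry just above suggests containers are in play; if the nixpkgs `gitea-actions-runner` module previously relied on `DynamicUser` for this service, check how it behaves with a pre-existing user of the same name and whether the runner still reaches the socket after this change (verify on deploy). If group membership is what the runner needs, state it here explicitly, e.g. `users.users.gitea-runner.extraGroups = [ "podman" ];`. The `services.gitea-actions-runner` attrset continues outside the hunk.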
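Review bot: Adding `group = "gitea-runner"` to `age.secrets.ptigoron-token` has no effect on its own, because agenix's default `mode` is `0400`, so only the owner can read the decrypted file regardless of its group. Either drop the line, or, if group readability is genuinely needed, make that explicit with `mode = "0440";` next to it so the widened access is visible in review.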
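Review bot: Both new copyparty password secrets are encrypted to `all` (defined above the hunk), matching the existing entries; if `all` contains keys for hosts other than `zora`, the `files.lyes.eu` admin password becomes decryptable on machines that never need it. A zora-specific recipient list (the host key plus your admin key), e.g. `"secrets/zora/services/agraf-root-pass.age".publicKeys = zoraKeys;`, is the least-privilege choice and can be adopted for these two entries independently of the older ones.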