Merge remote-tracking branch 'origin/master' into nixos-21.11

hosts/architect/bazarr.nix

@@ -3,8 +3,9 @@
 let
   domain = "htbaz.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix).openresty_oidc_block;
+  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
-in {
+in
+{
   services = {
     bazarr = {
       enable = true;
@@ -15,12 +16,9 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:6767";
+        proxyPass = "http://127.0.0.1:6767";
         extraConfig = auth_block {
-          realm = "master";
+          access_role = "bazarr";
-          client_id = "bazarr";
-          client_secret = "OPn4Mmto2m3dDPji1cjPfHy9W55M9JFq";
-          redirect_uri = "https://${domain}";
         };
       };
     };

hosts/architect/calibre.nix

@@ -18,7 +18,7 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:8083";
+        proxyPass = "http://127.0.0.1:8083";
         extraConfig = ''
           client_max_body_size 500M;
         '';

hosts/architect/default.nix

@@ -23,27 +23,24 @@ in {
     ./matrix.nix
     ./fail2ban.nix
     ./dns.nix
-    #    ./minecraft.nix
+    ./minecraft.nix
     ./prowlarr.nix
-    #    ./plex.nix
-    #./githubrunner.nix
     ./libreddit.nix
     ./invidious.nix
     ./nitter.nix
-    ./ccache.nix
     ./lidarr.nix
-#    ./navidrome.nix
+    ./navidrome.nix
     ./jellyfin.nix
     ./prosody.nix
     ./deluge.nix
-    #    ./calibre.nix
+    ./calibre.nix
     ../../cachix.nix
     ./docker.nix
+    ./keycloak.nix
   ];
 
-  nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ];
   time.timeZone = "Europe/Rome";
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "21.11";
   users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
   boot = {
     initrd = {
@@ -56,13 +53,6 @@ in {
           hostKeys = [ /secrets/ssh_host_rsa_key ];
           authorizedKeys = pubkeys;
         };
-
-       # postCommands = ''
-       #   zpool import backedpool -f
-       #   zpool import zpool -f
-
-       #   echo "zfs load-key -ar; killall zfs" >> /root/.profile
-       # '';
       };
     };
   };
@@ -88,7 +78,7 @@ in {
 
     supportedFilesystems = [ "zfs" ];
     zfs.requestEncryptionCredentials = true;
-    tmpOnTmpfsSize = "80%";
+    tmpOnTmpfsSize = "50%";
   };
 
   networking = {
@@ -133,7 +123,7 @@ in {
     '';
   };
 
-  environment.systemPackages = with pkgs; [ cudatoolkit cachix ];
+  environment.systemPackages = with pkgs; [ cachix ];
 
   hardware = {
     opengl.enable = true;

hosts/architect/deluge.nix

@@ -3,7 +3,7 @@
 let
   domain = "htdel.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix).openresty_oidc_block;
+  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in {
   services = {
     deluge = {
@@ -22,7 +22,7 @@ in {
         max_active_seeding = 100;
         max_connections_global = 1000;
         max_active_limit = 100;
-        max_active_downloading =  100;
+        max_active_downloading = 100;
         listen_ports = [ 51413 51414 ];
         random_port = false;
         enabled_plugins = [ "Label" "Extractor" ];
@@ -37,12 +37,9 @@ in {
       enableACME = true;
 
       locations."/" = {
-        proxyPass = "http://localhost:8112";
+        proxyPass = "http://127.0.0.1:8112";
         extraConfig = auth_block {
-          realm = "master";
+          access_role = "deluge";
-          client_id = "deluge";
-          client_secret = "AGa1U9S1zkaM3TJVxtyx4Er76DBk1APR";
-          redirect_uri = "https://${domain}";
         };
       };
     };

hosts/architect/docker.nix

@@ -1,10 +1,10 @@
 {
-#  virtualisation.docker = {
+  virtualisation.docker = {
-#    enable = true;
+    enable = true;
-#    extraOptions = ''
+    extraOptions = ''
-#      --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
+      --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
-#    '';
+    '';
-#    enableOnBoot = false;
+    enableOnBoot = false;
-#  };
+  };
   users.users.giulio.extraGroups = [ "docker" ];
 }

hosts/architect/gitea.nix

@@ -18,7 +18,7 @@ in {
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://localhost:3000";
+      proxyPass = "http://127.0.0.1:3000";
       extraConfig = ''
         allow 127.0.0.1;
         allow 10.0.0.0/24;

hosts/architect/hardware.nix.bk

@@ -1,50 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  boot.initrd.availableKernelModules =
-    [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" = {
-    device = "zpool/nixos/root";
-    fsType = "zfs";
-  };
-
-  fileSystems."/home" = {
-    device = "zpool/data/home";
-    fsType = "zfs";
-  };
-
-  fileSystems."/media" = {
-    device = "datapool/media";
-    fsType = "zfs";
-  };
-
-  fileSystems."/secrets" = {
-    device = "backedpool/secrets";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/lib" = {
-    device = "backedpool/services";
-    fsType = "zfs";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/AF19-5616";
-    fsType = "vfat";
-  };
-
-#  swapDevices = [{
-#    device = "/dev/sdc1";
-#    size = 10000;
-#  }];
-
-}

hosts/architect/invidious.nix

@@ -1,19 +1,21 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 let
   domain = "tube.giugl.io";
   network = import ./network.nix;
-in {
+in
+{
   services = {
     invidious = {
       enable = true;
       port = 9092;
+      package = pkgs.unstable.invidious;
     };
 
     nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      locations."/" = { proxyPass = "http://localhost:9092"; };
+      locations."/" = { proxyPass = "http://127.0.0.1:9092"; };
     };
   };
 

hosts/architect/jellyfin.nix

@@ -25,7 +25,7 @@ in {
       '';
 
       locations."/" = {
-        proxyPass = "http://localhost:8096";
+        proxyPass = "http://127.0.0.1:8096";
 #        extraConfig = ''
 #          allow 10.0.0.0/24;
 #          allow 10.3.0.0/24;
@@ -34,7 +34,7 @@ in {
       };
 
       locations."/socket" = {
-        proxyPass = "http://localhost:8096";
+        proxyPass = "http://127.0.0.1:8096";
         proxyWebsockets = true;
 #        extraConfig = ''
 #          allow 10.0.0.0/24;

hosts/architect/libreddit.nix

@@ -3,7 +3,8 @@
 let
   domain = "reddit.giugl.io";
   network = import ./network.nix;
-in {
+in
+{
   services = {
     libreddit = {
       enable = true;
@@ -13,7 +14,7 @@ in {
     nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      locations."/" = { proxyPass = "http://localhost:9090"; };
+      locations."/" = { proxyPass = "http://127.0.0.1:9090"; };
     };
   };
 

hosts/architect/lidarr.nix

@@ -3,7 +3,7 @@
 let
   domain = "htlid.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix).openresty_oidc_block;
+  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in {
   services = {
     lidarr = {
@@ -15,12 +15,9 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:8686";
+        proxyPass = "http://127.0.0.1:8686";
         extraConfig = auth_block {
-          realm = "master";
+          access_role = "lidarr";
-          client_id = "lidarr";
-          client_secret = "7s4dd1SEi84F4fUFsqRaQmSSucZhyTco";
-          redirect_uri = "https://${domain}";
         };
       };
     };

hosts/architect/matrix.nix

@@ -25,7 +25,7 @@ in {
         ];
         listeners = [{
           port = 8008;
-          bind_addresses = [ "::1" ];
+          bind_addresses = [ "127.0.0.1" ];
           type = "http";
           tls = false;
           x_forwarded = true;
@@ -86,7 +86,7 @@ in {
 
         # forward all Matrix API calls to the synapse Matrix homeserver
         locations."/_matrix" = {
-          proxyPass = "http://[::1]:8008"; # without a trailing /
+          proxyPass = "http://127.0.0.1:8008"; # without a trailing /
         };
       };
 

hosts/architect/minio.nix

@@ -11,7 +11,7 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:9000";
+        proxyPass = "http://127.0.0.1:9000";
         extraConfig = ''
           allow 10.0.0.0/24;
           ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}

hosts/architect/navidrome.nix

@@ -26,7 +26,7 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:4533";
+        proxyPass = "http://127.0.0.1:4533";
         #        extraConfig = ''
         #          allow 10.0.0.0/24;
         #          ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}

hosts/architect/nextcloud.nix

@@ -23,7 +23,7 @@ in {
       enable = true;
       hostName = domain;
       https = true;
-      package = pkgs.unstable.nextcloud24;
+      package = pkgs.unstable.nextcloud25;
 
       caching = {
         redis = true;

hosts/architect/nitter.nix

@@ -7,6 +7,7 @@ in {
   services = {
     nitter = {
       enable = true;
+      redisCreateLocally = false;
       server = {
         port = 9093;
         hostname = domain;
@@ -21,7 +22,7 @@ in {
     nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      locations."/" = { proxyPass = "http://localhost:9093"; };
+      locations."/" = { proxyPass = "http://127.0.0.1:9093"; };
     };
   };
 

hosts/architect/nzbget.nix

@@ -3,7 +3,7 @@
 let
   domain = "htnzb.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix).openresty_oidc_block;
+  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in {
   services = {
     nzbget = {
@@ -15,12 +15,9 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:6789";
+        proxyPass = "http://127.0.0.1:6789";
         extraConfig = auth_block {
-          realm = "master";
+          access_role = "nzbget";
-          client_id = "nzbget";
-          client_secret = "tkjzdqnUoWTlGUYah5tgMqVPFMlOUvk9";
-          redirect_uri = "https://${domain}";
         };
       };
     };

hosts/architect/openid.nix

@@ -2,12 +2,12 @@
 
 {
   openresty_oidc_block =
-    { realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
+    { access_role ? "" }: ''
       access_by_lua_block {
         local opts = {
-          discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
+          discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
-          client_id = "${client_id}",
+          client_id = "nginx",
-          client_secret = "${client_secret}",
+          client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
           logout_path = "/logout",
           redirect_after_logout_uri = "/",
           redirect_uri = "/redirect_uri",

hosts/architect/plex.nix

@@ -77,7 +77,7 @@ in {
           proxy_redirect off;
           proxy_buffering off;
       '';
-      locations."/" = { proxyPass = "http://localhost:32400"; };
+      locations."/" = { proxyPass = "http://127.0.0.1:32400"; };
     };
   };
 

hosts/architect/prowlarr.nix

@@ -11,7 +11,7 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:9696";
+        proxyPass = "http://127.0.0.1:9696";
         extraConfig = ''
           allow 10.0.0.0/24;
           ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}

hosts/architect/radarr.nix

@@ -3,7 +3,7 @@
 let
   domain = "htrad.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix).openresty_oidc_block;
+  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in {
   services = {
     radarr = {
@@ -15,12 +15,9 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:7878";
+        proxyPass = "http://127.0.0.1:7878";
         extraConfig = auth_block {
-          realm = "master";
+          access_role = "radarr";
-          client_id = "radarr";
-          client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
-          redirect_uri = "https://${domain}";
         };
       };
     };

hosts/architect/sonarr.nix

@@ -3,7 +3,7 @@
 let
   domain = "htson.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix).openresty_oidc_block;
+  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in {
   services = {
     sonarr = {
@@ -15,12 +15,9 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:8989";
+        proxyPass = "http://127.0.0.1:8989";
         extraConfig = auth_block {
-          realm = "master";
+          access_role = "sonarr";
-          client_id = "sonarr";
-          client_secret = "d36ehMSPCI3xLfOGNcnSUKZWQblyGumi";
-          redirect_uri = "https://${domain}";
         };
       };
     };

hosts/architect/transmission.nix

@@ -24,7 +24,7 @@ in {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://localhost:9091";
+        proxyPass = "http://127.0.0.1:9091";
         extraConfig = ''
           allow 10.0.0.0/24;
           ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}