diff --git a/capture_arr_user.sh b/capture_arr_user.sh deleted file mode 100644 index bf60254..0000000 --- a/capture_arr_user.sh +++ /dev/null @@ -1,53 +0,0 @@ -#!/usr/bin/env bash -set -e - -# Output file for the declarative script -OUTPUT_SCRIPT="/home/ashie/nixos/ensure_arr_users.sh" - -echo "Capturing user from Sonarr..." - -# Extract the first user row (assuming it's the admin) -# Format: ID|Identifier|Username|Password|Salt|Iterations -USER_ROW=$(nix run nixpkgs#sqlite -- /var/lib/nixarr/sonarr/sonarr.db "SELECT Identifier, Username, Password, Salt, Iterations FROM Users LIMIT 1;") - -if [ -z "$USER_ROW" ]; then - echo "No user found in Sonarr DB! Please create a user in the Web UI first." - exit 1 -fi - -IFS='|' read -r IDENTIFIER USERNAME PASSWORD SALT ITERATIONS <<< "$USER_ROW" - -echo "Found User: $USERNAME" - -# Generate the script -cat < "$OUTPUT_SCRIPT" -#!/usr/bin/env bash -set -e - -# Function to ensure user exists -ensure_user() { - SERVICE=\$1 - DB_PATH=\$2 - - echo "Ensuring user '$USERNAME' exists in \$SERVICE..." - - # Check if user exists - COUNT=\$(nix run nixpkgs#sqlite -- "\$DB_PATH" "SELECT count(*) FROM Users WHERE Username='$USERNAME';") - - if [ "\$COUNT" -eq "0" ]; then - echo "Creating user '$USERNAME'..." - nix run nixpkgs#sqlite -- "\$DB_PATH" "INSERT INTO Users (Identifier, Username, Password, Salt, Iterations) VALUES ('$IDENTIFIER', '$USERNAME', '$PASSWORD', '$SALT', '$ITERATIONS');" - else - echo "User '$USERNAME' already exists." - fi -} - -ensure_user "Sonarr" "/var/lib/nixarr/sonarr/sonarr.db" -ensure_user "Radarr" "/var/lib/nixarr/radarr/radarr.db" -ensure_user "Prowlarr" "/var/lib/nixarr/prowlarr/prowlarr.db" -# Jellyseerr uses a different DB structure, skipping for now (it likely synced via Jellyfin or has its own auth) - -EOF - -chmod +x "$OUTPUT_SCRIPT" -echo "Generated $OUTPUT_SCRIPT. You can now use this to ensure the user exists." 
diff --git a/enable_arr_auth.sh b/enable_arr_auth.sh deleted file mode 100644 index 68194c0..0000000 --- a/enable_arr_auth.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/usr/bin/env bash -set -e - -echo "Stopping services..." -systemctl stop sonarr radarr prowlarr - -# Function to enable auth -enable_auth() { - SERVICE=$1 - CONFIG_FILE=$2 - - if [ -f "$CONFIG_FILE" ]; then - echo "Enabling Forms Auth for $SERVICE..." - cp "$CONFIG_FILE" "$CONFIG_FILE.bak" - - # Set AuthenticationMethod to Forms - if grep -q "" "$CONFIG_FILE"; then - sed -i 's|.*|Forms|g' "$CONFIG_FILE" - else - # Insert if missing (unlikely, but inside usually) - sed -i 's||\n Forms|g' "$CONFIG_FILE" - fi - - # Set AuthenticationRequired to Enabled (Correct Enum Value) - if grep -q "" "$CONFIG_FILE"; then - sed -i 's|.*|Enabled|g' "$CONFIG_FILE" - else - # Insert - sed -i 's||\n Enabled|g' "$CONFIG_FILE" - fi - - echo "$SERVICE updated." - else - echo "Config for $SERVICE not found at $CONFIG_FILE" - fi -} - -enable_auth "Sonarr" "/var/lib/nixarr/sonarr/config.xml" -enable_auth "Radarr" "/var/lib/nixarr/radarr/config.xml" -enable_auth "Prowlarr" "/var/lib/nixarr/prowlarr/config.xml" - -# Jellyseerr usually enforces login by default if users exist. -# Its config is in database, not easily scriptable via settings.json for auth mode. - -echo "Restarting services..." -systemctl start sonarr radarr prowlarr - -echo "Authentication enabled!" -echo "WARNING: If you do not have a user created in these apps, you may be locked out." -echo "If locked out, edit the config.xml file manually and set AuthenticationMethod back to 'None'." diff --git a/flake.nix b/flake.nix index db3d9df..8b8c265 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ nixpkgs.url = "nixpkgs/nixos-unstable"; nix-cachyos-kernel = { - url = "github:xddxdd/nix-cachyos-kernel"; + url = "github:xddxdd/nix-cachyos-kernel?shallow=1"; }; sops-nix = { diff --git a/generate.log b/generate.log deleted file mode 100644 index 97d9e86..0000000 
--- a/generate.log +++ /dev/null 
@@ -1,271 +0,0 @@ - HOSTCC scripts/basic/fixdep - HOSTCC scripts/kconfig/conf.o - HOSTCC scripts/kconfig/confdata.o - HOSTCC scripts/kconfig/expr.o - LEX scripts/kconfig/lexer.lex.c - YACC scripts/kconfig/parser.tab.[ch] - HOSTCC scripts/kconfig/lexer.lex.o - HOSTCC scripts/kconfig/menu.o - HOSTCC scripts/kconfig/parser.tab.o - HOSTCC scripts/kconfig/preprocess.o - HOSTCC scripts/kconfig/symbol.o - HOSTCC scripts/kconfig/util.o - HOSTLD scripts/kconfig/conf -using config: '.config' -razerkbd config not found!! -razermouse config not found!! -vendor_reset config not found!! -razerkraken config not found!! -* -* Restart config... -* -* -* Scheduler features -* -Enable utilization clamping for RT/FAIR tasks (UCLAMP_TASK) [Y/n/?] y - Number of supported utilization clamp buckets (UCLAMP_BUCKETS_COUNT) [5] 5 -Proxy Execution (SCHED_PROXY_EXEC) [N/y/?] (NEW) -* -* Binary Emulations -* -IA32 Emulation (IA32_EMULATION) [Y/n/?] y - IA32 emulation disabled by default (IA32_EMULATION_DEFAULT_DISABLED) [N/y/?] n -x32 ABI for 64-bit mode (X86_X32_ABI) [N/y/?] (NEW) -* -* GCC plugins -* -GCC plugins (GCC_PLUGINS) [Y/n/?] (NEW) - Generate some entropy during boot and runtime (GCC_PLUGIN_LATENT_ENTROPY) [N/y/?] (NEW) -* -* PCI GPIO expanders -* -AMD 8111 GPIO driver (GPIO_AMD8111) [N/m/y/?] n -BT8XX GPIO abuser (GPIO_BT8XX) [N/m/y/?] (NEW) -OKI SEMICONDUCTOR ML7213 IOH GPIO support (GPIO_ML_IOH) [N/m/y/?] n -ACCES PCI-IDIO-16 GPIO support (GPIO_PCI_IDIO_16) [N/m/y/?] n -ACCES PCIe-IDIO-24 GPIO support (GPIO_PCIE_IDIO_24) [N/m/y/?] n -RDC R-321x GPIO support (GPIO_RDC321X) [N/m/y/?] n -Intel Sodaville GPIO support (GPIO_SODAVILLE) [N/y/?] n -* -* Voltage and Current Regulator Support -* -Voltage and Current Regulator Support (REGULATOR) [Y/n/?] y - Regulator debug support (REGULATOR_DEBUG) [N/y/?] n - Fixed voltage regulator support (REGULATOR_FIXED_VOLTAGE) [N/m/y/?] n - Virtual regulator consumer support (REGULATOR_VIRTUAL_CONSUMER) [N/m/y/?] 
n - Userspace regulator consumer support (REGULATOR_USERSPACE_CONSUMER) [N/m/y/?] n - Enable support for receiving regulator events via netlink (REGULATOR_NETLINK_EVENTS) [Y/n/?] y - Marvell 88PG86X voltage regulators (REGULATOR_88PG86X) [N/m/y/?] n - Marvell 88PM8607 Power regulators (REGULATOR_88PM8607) [N/m/y/?] n - Active-semi act8865 voltage regulator (REGULATOR_ACT8865) [N/m/y/?] n - Analog Devices AD5398/AD5821 regulators (REGULATOR_AD5398) [N/m/y/?] n - Analog Devices ADP5055 Triple Buck Regulator (REGULATOR_ADP5055) [N/m/y/?] n - AnalogicTech AAT2870 Regulators (REGULATOR_AAT2870) [N/m/y/?] n - AS3711 PMIC (REGULATOR_AS3711) [N/m/y/?] n - Awinic AW37503 Dual Output Power regulators (REGULATOR_AW37503) [N/m/y/?] n - Dialog Semiconductor DA9030/DA9034 regulators (REGULATOR_DA903X) [N/m/y/?] (NEW) - Dialog Semiconductor DA9052/DA9053 regulators (REGULATOR_DA9052) [N/m/y/?] n - Dialog Semiconductor DA9055 regulators (REGULATOR_DA9055) [N/m/y/?] n - Dialog Semiconductor DA9121/DA9122/DA9220/DA9217/DA9130/DA9131/DA9132 regulator (REGULATOR_DA9121) [N/m/y/?] n - Dialog Semiconductor DA9210 regulator (REGULATOR_DA9210) [N/m/y/?] n - Dialog Semiconductor DA9211/DA9212/DA9213/DA9223/DA9214/DA9224/DA9215/DA9225 regulator (REGULATOR_DA9211) [N/m/y/?] n - Fairchild FAN53555 Regulator (REGULATOR_FAN53555) [N/m/y/?] n - Fairchild FAN53880 Regulator (REGULATOR_FAN53880) [N/m/y/?] n - GPIO regulator support (REGULATOR_GPIO) [N/m/y/?] n - Intersil ISL9305 regulator (REGULATOR_ISL9305) [N/m/y/?] n - Intersil ISL6271A Power regulator (REGULATOR_ISL6271A) [N/m/y/?] n - National Semiconductors LP3971 PMIC regulator driver (REGULATOR_LP3971) [N/m/y/?] n - National Semiconductors LP3972 PMIC regulator driver (REGULATOR_LP3972) [N/m/y/?] n - TI/National Semiconductor LP8720/LP8725 voltage regulators (REGULATOR_LP872X) [N/m/y/?] n - TI LP8755 High Performance PMU driver (REGULATOR_LP8755) [N/m/y/?] n - TI LP8788 Power Regulators (REGULATOR_LP8788) [N/m/y/?] 
n - LTC3589 8-output voltage regulator (REGULATOR_LTC3589) [N/m/y/?] n - LTC3676 8-output voltage regulator (REGULATOR_LTC3676) [N/m/y/?] n - Maxim 1586/1587 voltage regulator (REGULATOR_MAX1586) [N/m/y/?] n - Analog Devices MAX77503 Regulator (REGULATOR_MAX77503) [N/m/y/?] n - ADI MAX77857/MAX77831 regulator support (REGULATOR_MAX77857) [N/m/y/?] n - Maxim 8649 voltage regulator (REGULATOR_MAX8649) [N/m/y/?] n - Maxim 8660/8661 voltage regulator (REGULATOR_MAX8660) [N/m/y/?] n - Maxim 8893 voltage regulator (REGULATOR_MAX8893) [N/m/y/?] n - Maxim MAX8925 Power Management IC (REGULATOR_MAX8925) [N/m/y/?] n - Maxim MAX8952 Power Management IC (REGULATOR_MAX8952) [N/m/y/?] n - Maxim MAX8973A voltage regulator (REGULATOR_MAX8973) [N/m/y/?] n - Maxim 8997/8966 regulator (REGULATOR_MAX8997) [N/m/y/?] n - Maxim 8998 voltage regulator (REGULATOR_MAX8998) [N/m/y/?] n - Maxim MAX20086-MAX20089 Camera Power Protectors (REGULATOR_MAX20086) [N/m/y/?] n - Maxim MAX20411 High-Efficiency Single Step-Down Converter (REGULATOR_MAX20411) [N/m/y/?] n - Maxim 77693/77843 regulator (REGULATOR_MAX77693) [N/m/y/?] n - Maxim 77826 regulator (REGULATOR_MAX77826) [N/m/y/?] n - Maxim 77838 regulator (REGULATOR_MAX77838) [N/m/y/?] n - Microchip MCP16502 PMIC (REGULATOR_MCP16502) [N/m/y/?] n - Monolithic MP5416 PMIC (REGULATOR_MP5416) [N/m/y/?] n - MPS MP8859 regulator driver (REGULATOR_MP8859) [N/m/y/?] n - MPS MP8869 regulator driver (REGULATOR_MP886X) [N/m/y/?] n - Monolithic MPQ7920 PMIC (REGULATOR_MPQ7920) [N/m/y/?] n - MediaTek MT6311 PMIC (REGULATOR_MT6311) [N/m/y/?] n - NXP PCA9450A/PCA9450B/PCA9450C regulator driver (REGULATOR_PCA9450) [N/m/y/?] n - NXP PF9453 regulator driver (REGULATOR_PF9453) [N/m/y/?] n - Motorola PCAP2 regulator driver (REGULATOR_PCAP) [N/m/y/?] n - NXP PF0900/PF0901/PF09XX regulator driver (REGULATOR_PF0900) [N/m/y/?] n - NXP PF5300/PF5301/PF5302 regulator driver (REGULATOR_PF530X) [N/m/y/?] 
n - NXP PF8100/PF8121A/PF8200 regulator driver (REGULATOR_PF8X00) [N/m/y/?] n - Freescale PFUZE100/200/3000/3001 regulator driver (REGULATOR_PFUZE100) [N/m/y/?] n - Powerventure Semiconductor PV88060 regulator (REGULATOR_PV88060) [N/m/y/?] n - Powerventure Semiconductor PV88080 regulator (REGULATOR_PV88080) [N/m/y/?] n - Powerventure Semiconductor PV88090 regulator (REGULATOR_PV88090) [N/m/y/?] n - PWM voltage regulator (REGULATOR_PWM) [N/m/y/?] n - Renesas RAA215300 driver (REGULATOR_RAA215300) [N/m/y/?] n - Raspberry Pi 7-inch touchscreen panel ATTINY regulator (REGULATOR_RASPBERRYPI_TOUCHSCREEN_ATTINY) [N/m/y/?] n - Raspberry Pi 7-inch touchscreen panel V2 regulator (REGULATOR_RASPBERRYPI_TOUCHSCREEN_V2) [N/m/y/?] n - RICOH RC5T583 Power regulators (REGULATOR_RC5T583) [N/m/y/?] n - Richtek RT4801 Regulators (REGULATOR_RT4801) [N/m/y/?] n - Richtek RT4803 boost regulator (REGULATOR_RT4803) [N/m/y/?] n - Richtek RT5133 PMIC Regulators (REGULATOR_RT5133) [N/m/y/?] n - Richtek RT5190A PMIC (REGULATOR_RT5190A) [N/m/y/?] n - Richtek RT5739 Regulator (REGULATOR_RT5739) [N/m/y/?] n - Richtek RT5759 Regulator (REGULATOR_RT5759) [N/m/y/?] n - Richtek RT6160 BuckBoost voltage regulator (REGULATOR_RT6160) [N/m/y/?] n - Richtek RT6190 4-Switch BuckBoost controller (REGULATOR_RT6190) [N/m/y/?] n - Richtek RT6245 voltage regulator (REGULATOR_RT6245) [N/m/y/?] n - Richtek RTQ2134 SubPMIC Regulator (REGULATOR_RTQ2134) [N/m/y/?] n - Richtek RTMV20 Laser Diode Regulator (REGULATOR_RTMV20) [N/m/y/?] n - Richtek RTQ6752 TFT LCD voltage regulator (REGULATOR_RTQ6752) [N/m/y/?] n - Richtek RTQ2208 SubPMIC Regulator (REGULATOR_RTQ2208) [N/m/y/?] n - Dialog Semiconductor SLG51000 regulators (REGULATOR_SLG51000) [N/m/y/?] n - Silergy SY8106A regulator (REGULATOR_SY8106A) [N/m/y/?] n - Silergy SY8824C/SY8824E regulator (REGULATOR_SY8824X) [N/m/y/?] n - Silergy SY8827N regulator (REGULATOR_SY8827N) [N/m/y/?] n - TI TPS51632 Power Regulator (REGULATOR_TPS51632) [N/m/y/?] 
n - TI TPS6236x Power Regulator (REGULATOR_TPS62360) [N/m/y/?] n - TI TPS6286x Power Regulator (REGULATOR_TPS6286X) [N/m/y/?] n - TI TPS6287x Power Regulator (REGULATOR_TPS6287X) [N/m/y/?] n - TI TPS65023 Power regulators (REGULATOR_TPS65023) [N/m/y/?] n - TI TPS6507X Power regulators (REGULATOR_TPS6507X) [N/m/y/?] n - TI TPS65090 Power regulator (REGULATOR_TPS65090) [N/m/y/?] n - TI TPS65132 Dual Output Power regulators (REGULATOR_TPS65132) [N/m/y/?] n - TI TPS6524X Power regulators (REGULATOR_TPS6524X) [N/m/y/?] n - TI TPS6586X Power regulators (REGULATOR_TPS6586X) [N/m/y/?] n - TI TPS65910/TPS65911 Power Regulators (REGULATOR_TPS65910) [N/m/y/?] n - TI TWL4030/TWL5030/TWL6030/TPS659x0 PMIC (REGULATOR_TWL4030) [N/m/y/?] n - Voltage controlled regulators (REGULATOR_VCTRL) [N/m/y/?] n - Wolfson Microelectronics WM831x PMIC regulators (REGULATOR_WM831X) [N/m/y/?] n - Wolfson Microelectronics WM8350 AudioPlus PMIC (REGULATOR_WM8350) [N/m/y/?] n - Wolfson Microelectronics WM8400 AudioPlus PMIC (REGULATOR_WM8400) [N/m/y/?] n -* -* Video encoders -* -Analog Devices ADV7170 video encoder (VIDEO_ADV7170) [N/m/?] n -Analog Devices ADV7175 video encoder (VIDEO_ADV7175) [N/m/?] n -ADV7343 video encoder (VIDEO_ADV7343) [N/m/?] n -ADV7393 video encoder (VIDEO_ADV7393) [N/m/?] n -Analog Devices ADV7511 encoder (VIDEO_ADV7511) [N/m/?] (NEW) -AK8813/AK8814 video encoders (VIDEO_AK881X) [N/m/?] n -Philips SAA7127/9 digital video encoders (VIDEO_SAA7127) [N/m/?] n -Philips SAA7185 video encoder (VIDEO_SAA7185) [N/m/?] n -Texas Instruments THS8200 video encoder (VIDEO_THS8200) [N/m/?] n -* -* PCI sound devices -* -PCI sound devices (SND_PCI) [Y/n/?] y - Analog Devices AD1889 (SND_AD1889) [N/m/?] n - Avance Logic ALS300/ALS300+ (SND_ALS300) [N/m/?] n - Avance Logic ALS4000 (SND_ALS4000) [N/m/?] n - ALi M5451 PCI Audio Controller (SND_ALI5451) [N/m/?] n - AudioScience ASIxxxx (SND_ASIHPI) [N/m/?] n - ATI IXP AC97 Controller (SND_ATIIXP) [N/m/?] 
n - ATI IXP Modem (SND_ATIIXP_MODEM) [N/m/?] n - Aureal Advantage (SND_AU8810) [N/m/?] n - Aureal Vortex (SND_AU8820) [N/m/?] n - Aureal Vortex 2 (SND_AU8830) [N/m/?] n - Emagic Audiowerk 2 (SND_AW2) [N/m/?] n - Aztech AZF3328 / PCI168 (SND_AZT3328) [N/m/?] n - Bt87x Audio Capture (SND_BT87X) [N/m/?] n - SB Audigy LS / Live 24bit (SND_CA0106) [N/m/?] n - C-Media 8338, 8738, 8768, 8770 (SND_CMIPCI) [N/m/?] n - C-Media 8786, 8787, 8788 (Oxygen) (SND_OXYGEN) [N/m/?] n - Cirrus Logic (Sound Fusion) CS4281 (SND_CS4281) [N/m/?] n - Cirrus Logic (Sound Fusion) CS4280/CS461x/CS462x/CS463x (SND_CS46XX) [N/m/?] n - Creative Sound Blaster X-Fi (SND_CTXFI) [N/m/?] n - (Echoaudio) Darla20 (SND_DARLA20) [N/m/?] n - (Echoaudio) Gina20 (SND_GINA20) [N/m/?] n - (Echoaudio) Layla20 (SND_LAYLA20) [N/m/?] n - (Echoaudio) Darla24 (SND_DARLA24) [N/m/?] n - (Echoaudio) Gina24 (SND_GINA24) [N/m/?] n - (Echoaudio) Layla24 (SND_LAYLA24) [N/m/?] n - (Echoaudio) Mona (SND_MONA) [N/m/?] n - (Echoaudio) Mia (SND_MIA) [N/m/?] n - (Echoaudio) 3G cards (SND_ECHO3G) [N/m/?] n - (Echoaudio) Indigo (SND_INDIGO) [N/m/?] n - (Echoaudio) Indigo IO (SND_INDIGOIO) [N/m/?] n - (Echoaudio) Indigo DJ (SND_INDIGODJ) [N/m/?] n - (Echoaudio) Indigo IOx (SND_INDIGOIOX) [N/m/?] n - (Echoaudio) Indigo DJx (SND_INDIGODJX) [N/m/?] n - Emu10k1 (SB Live!, Audigy, E-MU APS/0404/1010/1212/1616/1820) (SND_EMU10K1) [N/m/?] n - Emu10k1X (Dell OEM Version) (SND_EMU10K1X) [N/m/?] n - (Creative) Ensoniq AudioPCI 1370 (SND_ENS1370) [N/m/?] n - (Creative) Ensoniq AudioPCI 1371/1373 (SND_ENS1371) [N/m/?] n - ESS ES1938/1946/1969 (Solo-1) (SND_ES1938) [N/m/?] n - ESS ES1968/1978 (Maestro-1/2/2E) (SND_ES1968) [N/m/?] n - ForteMedia FM801 (SND_FM801) [N/m/?] n - RME Hammerfall DSP Audio (SND_HDSP) [N/m/?] n - RME Hammerfall DSP MADI/RayDAT/AIO (SND_HDSPM) [N/m/?] n - ICEnsemble ICE1712 (Envy24) (SND_ICE1712) [N/m/?] n - ICE/VT1724/1720 (Envy24HT/PT) (SND_ICE1724) [N/m/?] 
n - Intel/SiS/nVidia/AMD/ALi AC97 Controller (SND_INTEL8X0) [N/m/?] n - Intel/SiS/nVidia/AMD MC97 Modem (SND_INTEL8X0M) [N/m/?] n - Korg 1212 IO (SND_KORG1212) [N/m/?] n - Digigram Lola (SND_LOLA) [N/m/?] n - Digigram LX6464ES (SND_LX6464ES) [N/m/?] n - ESS Allegro/Maestro3 (SND_MAESTRO3) [N/m/?] n - Digigram miXart (SND_MIXART) [N/m/?] n - NeoMagic NM256AV/ZX (SND_NM256) [N/m/?] n - Digigram PCXHR (SND_PCXHR) [N/m/?] n - Conexant Riptide (SND_RIPTIDE) [N/m/?] n - RME Digi32, 32/8, 32 PRO (SND_RME32) [N/m/?] n - RME Digi96, 96/8, 96/8 PRO (SND_RME96) [N/m/?] n - RME Digi9652 (Hammerfall) (SND_RME9652) [N/m/?] n - Studio Evolution SE6X (SND_SE6X) [N/m/?] (NEW) - S3 SonicVibes (SND_SONICVIBES) [N/m/?] n - Trident 4D-Wave DX/NX; SiS 7018 (SND_TRIDENT) [N/m/?] n - VIA 82C686A/B, 8233/8235 AC97 Controller (SND_VIA82XX) [N/m/?] n - VIA 82C686A/B, 8233 based Modems (SND_VIA82XX_MODEM) [N/m/?] n - Asus Virtuoso 66/100/200 (Xonar) (SND_VIRTUOSO) [N/m/?] n - Digigram VX222 (SND_VX222) [N/m/?] n - Yamaha YMF724/740/744/754 (SND_YMFPCI) [N/m/?] n -* -* Kernel hardening options -* -Randomize layout of sensitive kernel structures -> 1. Disable structure layout randomization (RANDSTRUCT_NONE) - 2. Fully randomize structure layout (RANDSTRUCT_FULL) - 3. Limit randomization of structure layout to cache-lines (RANDSTRUCT_PERFORMANCE) (NEW) -choice[1-3?]: -* -* Compile-time checks and compiler options -* -Debug information - 1. Disable debug information (DEBUG_INFO_NONE) -> 2. Rely on the toolchain's implicit default DWARF version (DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT) - 3. Generate DWARF Version 4 debuginfo (DEBUG_INFO_DWARF4) - 4. Generate DWARF Version 5 debuginfo (DEBUG_INFO_DWARF5) -choice[1-4?]: 2 -Reduce debugging information (DEBUG_INFO_REDUCED) [N/y/?] n -Compressed Debug information -> 1. Don't compress debug information (DEBUG_INFO_COMPRESSED_NONE) - 2. 
Compress debugging information with zlib (DEBUG_INFO_COMPRESSED_ZLIB) -choice[1-2?]: 1 -Produce split debuginfo in .dwo files (DEBUG_INFO_SPLIT) [N/y/?] n -Provide GDB scripts for kernel debugging (GDB_SCRIPTS) [Y/n/?] y -Warn for stack frames larger than (FRAME_WARN) [2048] 2048 -Strip assembler-generated symbols during link (STRIP_ASM_SYMS) [Y/n/?] y -Generate readable assembler code (READABLE_ASM) [N/y/?] (NEW) -Install uapi headers to usr/include (HEADERS_INSTALL) [N/y/?] n -Enable full Section mismatch analysis (DEBUG_SECTION_MISMATCH) [N/y/?] (NEW) -Make section mismatch errors non-fatal (SECTION_MISMATCH_WARN_ONLY) [Y/n/?] y -Force all function address 64B aligned (DEBUG_FORCE_FUNCTION_ALIGN_64B) [N/y/?] n -Upgrade objtool warnings to errors (OBJTOOL_WERROR) [N/y/?] n -Generate vmlinux.map file when linking (VMLINUX_MAP) [N/y/?] n -Force weak per-cpu definitions (DEBUG_FORCE_WEAK_PER_CPU) [N/y/?] n -# -# configuration written to .config -# diff --git a/home/fastfetch.nix b/home/fastfetch.nix new file mode 100644 index 0000000..e69de29 diff --git a/hosts/nixos/configuration.nix b/hosts/nixos/configuration.nix index 1c58eea..a3940fc 100644 --- a/hosts/nixos/configuration.nix +++ b/hosts/nixos/configuration.nix @@ -53,8 +53,9 @@ ./system/compatibility.nix # Compatibility layers (nix-ld) ./system/game-drive.nix ./system/vpn-namespace.nix # Isolated VPN Namespace - ./system/authelia.nix # SSO/2FA + #./system/authelia.nix # SSO/2FA ../../modules/nixos/media.nix # Arr Stack + ../../modules/nixos/steam-gamemode.nix # Steam GameMode Session ]; nixpkgs.config.allowUnfreePredicate = diff --git a/hosts/nixos/default.nix b/hosts/nixos/default.nix index 5755eaf..925e9ce 100644 --- a/hosts/nixos/default.nix +++ b/hosts/nixos/default.nix @@ -56,8 +56,8 @@ allowLocalTraffic = true; enablePodmanWorkaround = true; publicPorts = [ - 80 443 + 80 ]; restrictedPorts = [ ]; }; 
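Review bot: Dropping `443` from `publicPorts` while keeping `80` is left unexplained, and every vhost touched in hosts/nixos/system/services.nix in this same commit sets `forceSSL = true`; if this list is what exposes nginx beyond the namespace, the HTTP-to-HTTPS redirect now lands on a closed port. I cannot tell from the hunk which interface `publicPorts` governs, so if TLS is reached another way a one-line comment such as `80 # HTTP only; 443 served via <path>` would stop the next reader from re-adding it. The enclosing attribute set starts and ends outside the hunk.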
@@ -93,6 +93,10 @@ enable = true; port = 8888; domain = "search.ashisgreat.xyz"; + donations = { + "Monero" = + "https://trocador.app/en/anonpay/?ticker_to=xmr&network_to=Mainnet&address=86piV4MV8wqSCTv3innkL1cMP54oShHfmVhq6QcFgvtuFTJqw6FkMgm4hgTaxV3reqXVmfGW5h5ffZanLM5XzW4nHUReno4&donation=True&simple_mode=True&amount=1.1e-05&name=Ashie&bgcolor=00000000"; + }; }; }; } diff --git a/hosts/nixos/home.nix b/hosts/nixos/home.nix index f669082..3b41224 100644 --- a/hosts/nixos/home.nix +++ b/hosts/nixos/home.nix @@ -26,6 +26,7 @@ home.packages = [ pkgs.mimalloc pkgs.jellyfin-media-player + pkgs.joplin-desktop pkgs.bemoji pkgs.wtype (pkgs.writeShellScriptBin "opencode" '' diff --git a/hosts/nixos/home/kitty.nix b/hosts/nixos/home/kitty.nix index f422fe5..1ec8f6c 100644 --- a/hosts/nixos/home/kitty.nix +++ b/hosts/nixos/home/kitty.nix @@ -3,14 +3,10 @@ { programs.kitty = { enable = true; - themeFile = "Catppuccin-Mocha"; # Updated option name + themeFile = "Catppuccin-Mocha"; settings = { confirm_os_window_close = 0; cursor_shape = "beam"; }; - - # extraConfig = '' - # include current-theme.conf - # ''; }; } diff --git a/hosts/nixos/system/authelia.nix b/hosts/nixos/system/authelia.nix index e444bee..11259b3 100644 --- a/hosts/nixos/system/authelia.nix +++ b/hosts/nixos/system/authelia.nix @@ -7,7 +7,7 @@ { services.authelia.instances.main = { - enable = true; + enable = false; # Secrets secrets = { diff --git a/hosts/nixos/system/secrets.nix b/hosts/nixos/system/secrets.nix index 735811b..06b1ca6 100644 --- a/hosts/nixos/system/secrets.nix +++ b/hosts/nixos/system/secrets.nix @@ -6,7 +6,7 @@ }: { - sops.defaultSopsFile = ../secrets/secrets.yaml; + sops.defaultSopsFile = ../../../secrets/secrets.yaml; sops.defaultSopsFormat = "yaml"; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 
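Review bot: Setting `enable = false` in hosts/nixos/system/authelia.nix has no effect once the module is not imported, and this same commit also comments `./system/authelia.nix` out of the imports in hosts/nixos/configuration.nix and comments out the three `authelia_*` sops secrets, so the instance is switched off in three places at once. Pick one mechanism (keeping the import with `enable = false` keeps the option tree evaluated; dropping the import removes it entirely) and add a comment next to it saying why SSO/2FA is off and what now guards the services it fronted. If any nginx vhost used an `auth_request` against this instance that gate disappears with it; those vhost bodies are not visible in this diff, so I am inferring. The enclosing `services.authelia.instances.main` set runs past the hunk.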
@@ -96,13 +96,13 @@ sops.secrets.prowlarr_api_key = { }; # Authelia Secrets - sops.secrets.authelia_jwt_secret = { - owner = "authelia-main"; - }; - sops.secrets.authelia_session_secret = { - owner = "authelia-main"; - }; - sops.secrets.authelia_storage_encryption_key = { - owner = "authelia-main"; - }; + # sops.secrets.authelia_jwt_secret = { + # owner = "authelia-main"; + # }; + # sops.secrets.authelia_session_secret = { + # owner = "authelia-main"; + # }; + # sops.secrets.authelia_storage_encryption_key = { + # owner = "authelia-main"; + # }; } diff --git a/hosts/nixos/system/services.nix b/hosts/nixos/system/services.nix index 2e15f89..dae1c8b 100644 --- a/hosts/nixos/system/services.nix +++ b/hosts/nixos/system/services.nix @@ -71,9 +71,22 @@ myModules.nginx.enable = true; services.nginx.virtualHosts = { + "_" = { + default = true; + useACMEHost = "ashisgreat.xyz"; + forceSSL = true; + locations."/".return = "444"; + }; "search.ashisgreat.xyz" = { useACMEHost = "ashisgreat.xyz"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-src 'self'; base-uri 'self'; form-action 'self';"; + ''; locations."/" = { proxyPass = "http://127.0.0.1:8888"; proxyWebsockets = true; 
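Review bot: The `Strict-Transport-Security`, `X-Content-Type-Options` and `Referrer-Policy` lines added to `search.ashisgreat.xyz` are pasted verbatim into four more vhosts in the following hunks (`@@ -84`, `@@ -97`, `@@ -121` and the jellyfin block at `@@ -177`), so one value change means five edits; define them once in a `let` binding and interpolate it into each `extraConfig`, leaving `X-Frame-Options` per host since the stream vhost uses `DENY` while the others use `SAMEORIGIN`. nginx only inherits `add_header` into a `location` that declares no `add_header` of its own, so if any of the `locations."/"` bodies (not fully visible here) add a header, these server-level ones silently drop out for that location. The `preload` token is a request to be pinned in browser preload lists, which accept the registrable domain rather than individual subdomains, and is hard to reverse; a comment confirming that is intended would help. The enclosing `services.nginx.virtualHosts` set runs past the hunk.
```nix
let
  # Shared by every TLS vhost; X-Frame-Options and CSP stay per host.
  securityHeaders = ''
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  '';
in
# … unchanged: module body up to services.nginx.virtualHosts …
    "search.ashisgreat.xyz" = {
      useACMEHost = "ashisgreat.xyz";
      forceSSL = true;
      extraConfig = ''
        ${securityHeaders}
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-src 'self'; base-uri 'self'; form-action 'self';";
      '';
# … unchanged: locations."/" proxy block …
```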
@@ -84,7 +97,10 @@ useACMEHost = "ashisgreat.xyz"; forceSSL = true; extraConfig = '' - add_header X-Frame-Options "DENY"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header X-Frame-Options "DENY" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;"; ''; locations."/" = { @@ -97,6 +113,10 @@ useACMEHost = "ashisgreat.xyz"; forceSSL = true; extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' data:; connect-src 'self' wss: https:; worker-src 'self' blob:;"; ''; locations."/" = { @@ -121,6 +141,10 @@ useACMEHost = "ashisgreat.xyz"; forceSSL = true; extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Access-Control-Allow-Origin "https://stream.ashisgreat.xyz"; ''; locations."/" = { 
@@ -177,6 +201,13 @@ "jellyfin.ashisgreat.xyz" = { useACMEHost = "ashisgreat.xyz"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/accentlist.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/base.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/bottombarprogress.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/fixes.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/jf_font.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/overlayprogress.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/rounding.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/rounding_circlehover.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/smallercast.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/rounding_circlehover.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/cornerindicator/indicator_floating.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/cornerindicator/indicator_corner.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/effects/glassy.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/effects/pan-animation.css https://ctalvio.github.io/Monochromic/backdrop-hack_style.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/effects/hoverglow.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/effects/scrollfade.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/episodelist/episodes_compactlist.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/episodelist/episodes_grid.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/fields/fields_border.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/fields/fields_noborder.css 
https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/header/header_transparent.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/header/header_transparent-dashboard.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/login/login_frame.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/login/login_minimalistic.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/login/login_frame.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/presets/monochromic_preset.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/presets/kaleidochromic_preset.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/presets/novachromic_preset.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/titlepage/title_banner.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/titlepage/title_banner-logo.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/titlepage/title_simple.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/titlepage/title_simple-logo.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/type/light.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/type/dark.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/type/colorful.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/type/dark_withaccent.css https://fonts.googleapis.com/css2; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + ''; locations."/" = { proxyPass = "http://127.0.0.1:8096"; proxyWebsockets = true; diff --git a/modules/home-manager/antigravity2api.nix b/modules/home-manager/antigravity2api.nix index 93f0581..e233576 100644 --- a/modules/home-manager/antigravity2api.nix +++ b/modules/home-manager/antigravity2api.nix @@ -40,6 +40,7 @@ in }; Service = { + WorkingDirectory = workDir; ExecStartPre = pkgs.writeShellScript "antigravity2api-init" '' export PATH="${pkgs.coreutils}/bin:$PATH" mkdir -p "${workDir}" 
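Review bot: The Content-Security-Policy added for `jellyfin.ashisgreat.xyz` is missing the `;` between the `script-src` list and `worker-src`, so `worker-src 'self' blob:` is read as three more source expressions of `script-src` (the bare name `worker-src` is an unmatchable host, but `blob:` effectively widens script-src to blob: URLs) and no `worker-src` directive is set at all; change `cast_sender.js worker-src 'self' blob:;` to `cast_sender.js; worker-src 'self' blob:;`. The `style-src` list also carries `rounding_circlehover.css` and `login/login_frame.css` twice, which is harmless but suggests the list was assembled by hand and deserves a comment naming the theme it mirrors. With `default-src https: data: blob:` and no `img-src`, `media-src`, `font-src` or `frame-src`, those resource types may come from any HTTPS origin; if that is wider than intended, pin them the way `connect-src 'self'` already is. The enclosing `services.nginx.virtualHosts` set runs past the hunk.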
@@ -54,7 +55,7 @@ in ExecStart = '' ${pkgs.podman}/bin/podman run --replace --rm --name antigravity2api \ - -p 8045:8045 \ + -p 127.0.0.1:8045:8045 \ -v ${workDir}/data:/app/data \ -v ${workDir}/public/images:/app/public/images \ -v ${workDir}/.env:/app/.env \ diff --git a/modules/nixos/lutris-sandboxed.nix b/modules/nixos/lutris-sandboxed.nix index 6ab1c77..3221163 100644 --- a/modules/nixos/lutris-sandboxed.nix +++ b/modules/nixos/lutris-sandboxed.nix @@ -9,11 +9,9 @@ }: let - # Apply the bwrapper overlay to get mkBwrapper bwrapperPkgs = pkgs.extend inputs.nix-bwrapper.overlays.default; in { - # Provide the sandboxed Lutris package nixpkgs.overlays = [ (final: prev: { lutris-sandboxed = bwrapperPkgs.mkBwrapper { @@ -34,13 +32,12 @@ in pkgs.vulkan-tools pkgs.unzip pkgs.cabextract - pkgs.xorg.xrandr pkgs.pciutils pkgs.gamemode.lib pkgs.xdg-utils ]; }; - isFhsenv = true; # Lutris uses buildFHSEnv + isFhsenv = true; id = "net.lutris.Lutris"; env = { WEBKIT_DISABLE_DMABUF_RENDERER = 1; @@ -51,7 +48,6 @@ in XDG_CURRENT_DESKTOP = "niri"; XDG_SESSION_TYPE = "wayland"; DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus"; - # Ensure Vulkan loader finds the drivers VK_ICD_FILENAMES = "/run/opengl-driver/share/vulkan/icd.d/radeon_icd.x86_64.json:/run/opengl-driver-32/share/vulkan/icd.d/radeon_icd.i686.json"; }; }; @@ -69,10 +65,10 @@ in "$HOME/.config/kdedefaults" "$HOME/.local/share/color-schemes" "$HOME/.local/share/Steam/compatibilitytools.d" - # GTK Theming "$HOME/.config/gtk-3.0" "$HOME/.config/gtk-4.0" "$HOME/.icons" + "/data/Torrents/Games" # Repack installers ]; readWrite = [ diff --git a/modules/nixos/media.nix b/modules/nixos/media.nix index c6ea2e9..23146ba 100644 --- a/modules/nixos/media.nix +++ b/modules/nixos/media.nix 
@@ -5,294 +5,69 @@ ... }: +let + # Define the user and group consistently + user = "ashie"; + group = "users"; + puid = "1000"; + pgid = "100"; + + # Common env vars to avoid repetition + commonEnv = { + PUID = puid; + PGID = pgid; + TZ = "Europe/Berlin"; + }; +in { - - # Nixarr Configuration - # Replaces OCI containers with native NixOS services - # Nixflix Configuration - nixflix = { - enable = false; # Disabled to revert to Podman - stateDir = "/var/lib/nixflix"; - mediaDir = "/data"; - - sonarr.enable = false; - radarr.enable = false; - prowlarr.enable = false; - jellyfin.enable = false; - jellyseerr.enable = false; - - # We use external OCI containers for these - sabnzbd.enable = false; - mullvad.enable = false; - - # Jellyseerr defaults to VPN=true, but we disabled Mullvad, so we must disable VPN here too. - jellyseerr.vpn.enable = false; - }; - - # Homepage Dashboard - services.homepage-dashboard = { - enable = true; - listenPort = 8082; - - # Custom settings for better visual appearance - settings = { - title = "Media Dashboard"; - theme = "dark"; - color = "slate"; - headerStyle = "boxed"; - layout = { - "Media" = { - style = "row"; - columns = 2; - }; - "Automation" = { - style = "row"; - columns = 3; - }; - "Downloads" = { - style = "row"; - columns = 2; - }; - }; + # 1. 
Enable Podman (required backend) + virtualisation = { + podman = { + enable = true; + autoPrune.enable = true; }; - - services = [ - { - "Media" = [ - { - "Jellyfin" = { - icon = "jellyfin.png"; - href = "http://localhost:8096"; - description = "Media Server"; - widget = { - type = "jellyfin"; - url = "http://localhost:8096"; - key = "{{HOMEPAGE_VAR_JELLYFIN_API_KEY}}"; - enableBlocks = true; - enableNowPlaying = true; - }; - }; - } - { - "Jellyseerr" = { - icon = "jellyseerr.png"; - href = "http://localhost:5055"; - description = "Media Requests"; - widget = { - type = "jellyseerr"; - url = "http://localhost:5055"; - key = "{{HOMEPAGE_VAR_JELLYSEERR_API_KEY}}"; - }; - }; - } - ]; - } - - { - "Automation" = [ - { - "Sonarr" = { - icon = "sonarr.png"; - href = "http://localhost:8989"; - description = "TV Series"; - widget = { - type = "sonarr"; - url = "http://localhost:8989"; - key = "{{HOMEPAGE_VAR_SONARR_API_KEY}}"; - enableQueue = true; - }; - }; - } - { - "Radarr" = { - icon = "radarr.png"; - href = "http://localhost:7878"; - description = "Movies"; - widget = { - type = "radarr"; - url = "http://localhost:7878"; - key = "{{HOMEPAGE_VAR_RADARR_API_KEY}}"; - enableQueue = true; - }; - }; - } - { - "Prowlarr" = { - icon = "prowlarr.png"; - href = "http://localhost:9696"; - description = "Indexer Manager"; - widget = { - type = "prowlarr"; - url = "http://localhost:9696"; - key = "{{HOMEPAGE_VAR_PROWLARR_API_KEY}}"; - }; - }; - } - ]; - } - { - "Downloads" = [ - { - "qBittorrent" = { - icon = "qbittorrent.png"; - href = "http://localhost:8080"; - description = "Torrent Client"; - widget = { - type = "qbittorrent"; - url = "http://localhost:8080"; - username = "{{HOMEPAGE_VAR_QBITTORRENT_USERNAME}}"; - password = "{{HOMEPAGE_VAR_QBITTORRENT_PASSWORD}}"; - }; - }; - } - ]; - } - ]; - - bookmarks = [ - { - "Dev" = [ - { - "GitHub" = [ - { - abbr = "GH"; - href = "https://github.com"; - } - ]; - } - { - "NixOS Search" = [ - { - abbr = "NO"; - href = 
"https://search.nixos.org"; - } - ]; - } - { - "Home Manager" = [ - { - abbr = "HM"; - href = "https://nix-community.github.io/home-manager/options.xhtml"; - } - ]; - } - ]; - } - { - "Media" = [ - { - "Trakt" = [ - { - abbr = "TR"; - href = "https://trakt.tv"; - } - ]; - } - { - "IMDb" = [ - { - abbr = "IM"; - href = "https://imdb.com"; - } - ]; - } - ]; - } - ]; - - widgets = [ - { - resources = { - cpu = true; - disk = "/"; - memory = true; - uptime = true; - }; - } - { - search = { - provider = "duckduckgo"; - target = "_blank"; - }; - } - { - datetime = { - text_size = "xl"; - format = { - dateStyle = "long"; - timeStyle = "short"; - hour12 = false; - }; - }; - } - { - openmeteo = { - label = "Berlin"; - latitude = 52.52; - longitude = 13.405; - units = "metric"; - cache = 5; - }; - } - ]; + oci-containers.backend = "podman"; }; - # SOPS Secrets for Homepage - sops.templates."homepage.env" = { - content = '' - HOMEPAGE_VAR_JELLYFIN_API_KEY= - HOMEPAGE_VAR_JELLYSEERR_API_KEY= - HOMEPAGE_VAR_SONARR_API_KEY=${config.sops.placeholder.sonarr_api_key} - HOMEPAGE_VAR_RADARR_API_KEY=${config.sops.placeholder.radarr_api_key} - HOMEPAGE_VAR_PROWLARR_API_KEY=${config.sops.placeholder.prowlarr_api_key} - HOMEPAGE_VAR_QBITTORRENT_USERNAME= - HOMEPAGE_VAR_QBITTORRENT_PASSWORD= - ''; - }; - - # Inject secrets into Homepage service - systemd.services.homepage-dashboard = { - serviceConfig = { - EnvironmentFile = lib.mkForce config.sops.templates."homepage.env".path; - }; - }; - - # OCI Containers for Media Stack + # 2. 
Container Definitions virtualisation.oci-containers.containers = { - # VPN (Gluetun) + + # --- VPN Gateway --- vpn = { image = "docker.io/qmcgaw/gluetun"; + # The VPN manages the ports for the attached containers ports = [ "8080:8080" # qBittorrent WebUI "36630:36630" # Torrent Port TCP - "36630:36630/udp" # Torrent Port UDP + "36630:36630/udp" + "9696:9696" # Prowlarr + "8191:8191" # Flaresolverr ]; environmentFiles = [ config.sops.templates."gluetun.env".path ]; environment = { TZ = "Europe/Berlin"; - DOT = "off"; - # DNS_ADDRESS = "1.1.1.1"; - WIREGUARD_MTU = "1420"; - # Allow access to local Podman network (for Prowlarr/Jellyseerr) - FIREWALL_OUTBOUND_SUBNETS = "10.88.0.0/16"; + DOT = "off"; # DNS over TLS off (optional) + FIREWALL_OUTBOUND_SUBNETS = "10.89.0.0/24"; # Allow access to local docker network }; extraOptions = [ "--cap-add=NET_ADMIN" "--cap-add=NET_RAW" "--device=/dev/net/tun:/dev/net/tun" - "--network=media" # Join the shared media network + "--network=media" # It joins the bridge so others can talk to it + "--network-alias=prowlarr" # Allow other containers to reach Prowlarr via VPN + "--network-alias=flaresolverr" # Allow other containers to reach Flaresolverr via VPN + "--add-host=sonarr:10.89.0.50" # Allow Prowlarr to reach Sonarr + "--add-host=radarr:10.89.0.51" # Allow Prowlarr to reach Radarr ]; }; - # qBittorrent (Networked via VPN) + # --- Torrent Client (Routed via VPN) --- torrent = { image = "lscr.io/linuxserver/qbittorrent:latest"; + # VITAL: Reuse the VPN container's network stack extraOptions = [ "--network=container:vpn" ]; dependsOn = [ "vpn" ]; - environment = { - PUID = "1000"; # ashie - PGID = "100"; # users - TZ = "Europe/Berlin"; + environment = commonEnv // { WEBUI_PORT = "8080"; }; volumes = [ 
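Review bot: The vpn container now publishes `"9696:9696"` and `"8191:8191"` (alongside 8080) on every host interface, while the same commit narrows antigravity2api to `127.0.0.1:8045:8045`. If Flaresolverr is only consumed by Prowlarr, as the aliases suggest, it needs no host port at all: Prowlarr shares the vpn container's network namespace (`--network=container:vpn` in the next hunk) and reaches it on `localhost:8191`. Drop the 8191 publish and bind the others to `127.0.0.1:` unless LAN clients really need them directly — the firewall hunk later in this file opens 9696 and 8191 to the network as well. The `--add-host=sonarr:10.89.0.50` / `radarr:10.89.0.51` entries depend on a fixed subnet; see the note on the next hunk, where the `--ip` assignments and the network-create script live.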
@@ -301,97 +76,80 @@ ]; }; - # Flaresolverr (Direct connection) - flaresolverr = { - image = "ghcr.io/flaresolverr/flaresolverr:latest"; - extraOptions = [ "--network=media" ]; - ports = [ "8191:8191" ]; - environment = { - TZ = "Europe/Berlin"; - }; - }; - - # Prowlarr (Direct connection) + # --- The Arr Stack --- prowlarr = { image = "lscr.io/linuxserver/prowlarr:latest"; - extraOptions = [ "--network=media" ]; - ports = [ "9696:9696" ]; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; - volumes = [ - "/var/lib/nixarr/prowlarr:/config" + extraOptions = [ + "--network=container:vpn" ]; + dependsOn = [ "vpn" ]; + environment = commonEnv; + volumes = [ "/var/lib/nixarr/prowlarr:/config" ]; }; - # Sonarr (Direct connection) sonarr = { image = "lscr.io/linuxserver/sonarr:latest"; - extraOptions = [ "--network=media" ]; + extraOptions = [ + "--network=media" + "--ip=10.89.0.50" + ]; ports = [ "8989:8989" ]; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; + environment = commonEnv; volumes = [ "/var/lib/nixarr/sonarr:/config" "/data:/data" ]; }; - # Radarr (Direct connection) radarr = { image = "lscr.io/linuxserver/radarr:latest"; - extraOptions = [ "--network=media" ]; + extraOptions = [ + "--network=media" + "--ip=10.89.0.51" + ]; ports = [ "7878:7878" ]; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; + environment = commonEnv; volumes = [ "/var/lib/nixarr/radarr:/config" "/data:/data" ]; }; - # Jellyfin (Direct connection) + # --- Media Server --- jellyfin = { image = "lscr.io/linuxserver/jellyfin:latest"; - extraOptions = [ "--network=media" ]; + extraOptions = [ + "--network=media" + "--device=/dev/dri:/dev/dri" + ]; ports = [ "8096:8096" ]; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; + environment = commonEnv; volumes = [ "/var/lib/nixarr/jellyfin:/config" "/data:/data" ]; }; - # Jellyseerr (Direct connection) jellyseerr = { image = 
"ghcr.io/fallenbagel/jellyseerr:latest"; extraOptions = [ "--network=media" ]; ports = [ "5055:5055" ]; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; - volumes = [ - "/var/lib/nixarr/jellyseerr:/app/config" - ]; + environment = commonEnv; + volumes = [ "/var/lib/nixarr/jellyseerr:/app/config" ]; }; + flaresolverr = { + image = "ghcr.io/flaresolverr/flaresolverr:latest"; + extraOptions = [ "--network=container:vpn" ]; + dependsOn = [ "vpn" ]; + environment = { + TZ = "Europe/Berlin"; + }; + }; }; - # Define the dedicated media network + # 3. Network Setup (Fixed) + # Ensure the network is created before ANY container starts systemd.services.create-media-network = { script = '' ${pkgs.podman}/bin/podman network exists media || ${pkgs.podman}/bin/podman network create media 
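Review bot: `--ip=10.89.0.50` / `--ip=10.89.0.51` on sonarr and radarr assume the `media` bridge uses 10.89.0.0/24, but the creation script visible at the end of this hunk runs `podman network create media` with no `--subnet`, so that range is only whatever podman allocates and `--ip` fails if the network lands elsewhere; a `media` network left over from the previous setup keeps its old subnet too, because the script only creates when `network exists` fails. Pin it: `${pkgs.podman}/bin/podman network exists media || ${pkgs.podman}/bin/podman network create --subnet 10.89.0.0/24 media`, and recreate the network once on hosts where it already exists. Podman's DNS normally resolves container names on a named bridge, so the fixed IPs and the `--add-host` entries in the previous hunk may be unnecessary altogether — worth confirming before keeping them. Containers joined with `--network=container:vpn` also keep a stale namespace when the vpn container is recreated; `dependsOn` gives start ordering, but whether it restarts them after a vpn restart should be verified.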
@@ -400,113 +158,44 @@ serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - User = "ashie"; + # Removed 'User = ashie' -> Networks created by root are visible to root services }; }; - # Ensure the /data directory exists (Nixarr uses it) + # Ensure containers wait for the network + systemd.services."podman-vpn".requires = [ "create-media-network.service" ]; + systemd.services."podman-vpn".after = [ "create-media-network.service" ]; + # (Repeat for others if they don't depend on VPN, but usually unnecessary if they all join 'media') + + # 4. Permissions systemd.tmpfiles.rules = [ - # Data directory: owned by ashie:media so both qBittorrent (ashie) and others can access - "d /data 0775 ashie media - -" - - # Ensure config directories exist with correct permissions - "d /var/lib/nixarr/prowlarr 0755 ashie users - -" - "d /var/lib/nixarr/sonarr 0755 ashie users - -" - "d /var/lib/nixarr/radarr 0755 ashie users - -" - "d /var/lib/nixarr/jellyfin 0755 ashie users - -" - "d /var/lib/nixarr/jellyseerr 0755 ashie users - -" - - # qBittorrent directory - "d /var/lib/qbittorrent 0755 ashie users - -" - + "d /data 0775 ${user} media - -" + "d /var/lib/nixarr/prowlarr 0755 ${user} ${group} - -" + "d /var/lib/nixarr/sonarr 0755 ${user} ${group} - -" + "d /var/lib/nixarr/radarr 0755 ${user} ${group} - -" + "d /var/lib/nixarr/jellyfin 0755 ${user} ${group} - -" + "d /var/lib/nixarr/jellyseerr 0755 ${user} ${group} - -" + "d /var/lib/qbittorrent 0755 ${user} ${group} - -" ]; - # Add ashie to media group to ensure access to /data - users.users.ashie.extraGroups = [ "media" ]; + users.users.${user}.extraGroups = [ "media" ]; - # Firewall rules + # 5. 
Firewall networking.firewall.allowedTCPPorts = [ - 80 # HTTP - 443 # HTTPS - 9696 # Prowlarr - 8989 # Sonarr - 7878 # Radarr - 8096 # Jellyfin - 5055 # Jellyseerr - 8080 # qBittorrent WebUI - 36630 # Torrent - - 8082 # Homepage - + 80 + 443 + 9696 + 8989 + 7878 + 8096 + 5055 + 8080 + 36630 + 8082 + 8191 ]; networking.firewall.allowedUDPPorts = [ 36630 443 ]; - - # Rootless Container Overrides - # Force these containers to run as user 'ashie' - systemd.services."podman-vpn".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-vpn".environment = { - HOME = "/home/ashie"; - XDG_RUNTIME_DIR = "/run/user/1000"; - }; - systemd.services."podman-vpn".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-vpn".serviceConfig.Delegate = true; - - systemd.services."podman-torrent".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-torrent".environment = { - HOME = "/home/ashie"; - XDG_RUNTIME_DIR = "/run/user/1000"; - }; - systemd.services."podman-torrent".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-torrent".serviceConfig.Delegate = true; - - systemd.services."podman-flaresolverr".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-flaresolverr".environment = { - HOME = "/home/ashie"; - XDG_RUNTIME_DIR = "/run/user/1000"; - }; - systemd.services."podman-flaresolverr".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-flaresolverr".serviceConfig.Delegate = true; - - systemd.services."podman-prowlarr".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-prowlarr".environment = { - HOME = "/home/ashie"; - XDG_RUNTIME_DIR = "/run/user/1000"; - }; - systemd.services."podman-prowlarr".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-prowlarr".serviceConfig.Delegate = true; - - systemd.services."podman-sonarr".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-sonarr".environment = { - HOME = "/home/ashie"; - 
XDG_RUNTIME_DIR = "/run/user/1000"; - }; - systemd.services."podman-sonarr".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-sonarr".serviceConfig.Delegate = true; - - systemd.services."podman-radarr".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-radarr".environment = { - HOME = "/home/ashie"; - XDG_RUNTIME_DIR = "/run/user/1000"; - }; - systemd.services."podman-radarr".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-radarr".serviceConfig.Delegate = true; - - systemd.services."podman-jellyfin".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-jellyfin".environment = { - HOME = "/home/ashie"; - XDG_RUNTIME_DIR = "/run/user/1000"; - }; - systemd.services."podman-jellyfin".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-jellyfin".serviceConfig.Delegate = true; - - systemd.services."podman-jellyseerr".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-jellyseerr".environment = { - HOME = "/home/ashie"; - XDG_RUNTIME_DIR = "/run/user/1000"; - }; - systemd.services."podman-jellyseerr".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-jellyseerr".serviceConfig.Delegate = true; } diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix index cf4129c..cfb9fac 100644 --- a/modules/nixos/nginx.nix +++ b/modules/nixos/nginx.nix 
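Review bot: Only `podman-vpn` is ordered after `create-media-network.service`, yet sonarr, radarr, jellyfin and jellyseerr join `--network=media` directly without `dependsOn = [ "vpn" ]`, so they are exactly the units that can race the network creation at boot — the added comment has this backwards. Add the same pair for each of them, e.g. `systemd.services."podman-sonarr".requires = [ "create-media-network.service" ];` and `systemd.services."podman-sonarr".after = [ "create-media-network.service" ];` (torrent, prowlarr and flaresolverr inherit the ordering through vpn). The other substantial change here, deleting every `User = lib.mkForce "ashie"` override, moves the whole stack from rootless to root-run podman — `--cap-add=NET_ADMIN`, `/dev/net/tun` and `/dev/dri` from the earlier hunks are now granted by a root-managed runtime — and the only trace is the comment on create-media-network; state that trade-off explicitly near `# 4. Permissions` or in the file header. The firewall list also lost its per-port labels; `8191` in particular is new and unexplained.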
@@ -40,8 +40,8 @@ in recommendedTlsSettings = true; # SSL Hardening - sslProtocols = "TLSv1.2 TLSv1.3"; - sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; + # sslProtocols = "TLSv1.2 TLSv1.3"; + # sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; # Use the wildcard cert by default for these domains commonHttpConfig = '' diff --git a/modules/nixos/searxng.nix b/modules/nixos/searxng.nix index a5466ea..ffd2b3e 100644 --- a/modules/nixos/searxng.nix +++ b/modules/nixos/searxng.nix 
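Review bot: The `# SSL Hardening` header now sits above two commented-out lines, so the file documents hardening it no longer applies, and nothing records why the explicit protocol and cipher lists were dropped. If the intent is to rely on the module defaults that accompany `recommendedTlsSettings = true;` (context line above), delete the two dead lines and replace the header with `# TLS versions/ciphers: rely on the NixOS nginx module defaults (see recommendedTlsSettings)`; if this is a temporary workaround, a `# TODO` naming the reason is the minimum. Commented-out code is better left to the git history.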
@@ -215,32 +215,59 @@ in default = "search.ashisgreat.xyz"; description = "Public domain name for SearXNG"; }; + + donations = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + default = { }; + description = "Map of donation platform names to URLs (e.g. { patreon = '...'; })"; + }; }; config = lib.mkIf cfg.enable { # Ensure Podman is enabled myModules.podman.enable = true; - # 1. Redis Container (Cache/Limiter) - virtualisation.oci-containers.containers."searxng-redis" = { - image = "docker.io/library/redis:alpine"; + # ... (rest of config) ... + + # 1. Create Bridge Network + systemd.services."create-searxng-network" = { + serviceConfig.Type = "oneshot"; + serviceConfig.User = "ashie"; + serviceConfig.RemainAfterExit = true; + after = [ "user-runtime-dir@1000.service" ]; + requires = [ "user-runtime-dir@1000.service" ]; + path = [ pkgs.podman ]; + script = '' + export XDG_RUNTIME_DIR="/run/user/1000" + export HOME="/home/ashie" + podman network create searxng-net --ignore + ''; + }; + + # 2. Valkey Container (Cache/Limiter) + virtualisation.oci-containers.containers."searxng-valkey" = { + image = "docker.io/valkey/valkey:alpine"; cmd = [ - "redis-server" + "valkey-server" "--save" "" "--appendonly" "no" ]; # Ephemeral cache, no persistence needed - ports = [ "127.0.0.1:6379:6379" ]; + extraOptions = [ + "--network=searxng-net" + "--network-alias=valkey" + ]; + # No ports published to host for security }; - # 2. SearXNG Container + # 3. SearXNG Container virtualisation.oci-containers.containers."searxng" = { image = "ghcr.io/searxng/searxng:latest"; ports = [ "127.0.0.1:${toString cfg.port}:8080" ]; environment = { "SEARXNG_BASE_URL" = "https://${cfg.domain}"; - "SEARXNG_REDIS_URL" = "redis://searxng-redis:6379"; # Talk to Redis directly via container DNS + "SEARXNG_REDIS_URL" = "valkey://valkey:6379"; # Talk to Valkey via alias "SEARXNG_URL_BASE" = "https://${cfg.domain}"; }; environmentFiles = [ 
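Review bot: `# ... (rest of config) ...` is a leftover placeholder comment, not documentation, and should be removed before this lands. The description of the new `donations` option shows `{ patreon = '...'; }`, which is not valid Nix (there are no single-quoted strings); write the example as `{ patreon = "https://…"; }`. Whether SearXNG's client accepts the `valkey://` scheme in `SEARXNG_REDIS_URL` is worth confirming against the version that `latest` resolves to; Valkey speaks the Redis protocol, so `redis://valkey:6379` is the safe fallback if it does not.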
@@ -248,60 +275,67 @@ in config.sops.templates."searxng.env".path ]; extraOptions = [ + "--network=searxng-net" "--cap-drop=ALL" "--cap-add=CHOWN" "--cap-add=SETGID" "--cap-add=SETUID" "--cap-add=DAC_OVERRIDE" - "--add-host=host.containers.internal:host-gateway" ]; volumes = [ "${config.sops.templates."searxng_settings.yml".path}:/etc/searxng/settings.yml:ro" "${catppuccinCss}:/etc/searxng/custom.css:ro" ]; + dependsOn = [ "searxng-valkey" ]; }; - # 3. Secrets Configuration - # We generate the settings.yml dynamically using sops templates to inject secrets if needed, - # or just to manage the config declaratively. - sops.templates."searxng.env".content = '' - SEARXNG_SECRET_KEY=${config.sops.placeholder.searxng_secret_key} - ''; + sops.templates."searxng.env" = { + owner = "ashie"; + content = '' + SEARXNG_SECRET_KEY=${config.sops.placeholder.searxng_secret_key} + ''; + }; - sops.templates."searxng_settings.yml".content = '' - use_default_settings: true + sops.templates."searxng_settings.yml" = { + owner = "ashie"; + content = '' + use_default_settings: true - general: - debug: false - instance_name: "Ashie Search" - donations: - patreon: false - buymeacoffee: false + general: + debug: false + instance_name: "Ashie Search" + donation_url: ${if cfg.donations ? 
"Monero" then "\"${cfg.donations.Monero}\"" else "false"} + donations: + ${lib.concatStringsSep "\n " ( + lib.mapAttrsToList (name: url: "${name}: \"${url}\"") cfg.donations + )} - search: - safe_search: 0 - autocomplete: "google" - default_lang: "en-US" - formats: - - html - - json - server: - port: 8080 - bind_address: "0.0.0.0" - secret_key: "${config.sops.placeholder.searxng_secret_key}" - limiter: true - image_proxy: true + search: + safe_search: 0 + autocomplete: "google" + default_lang: "en-US" + formats: + - html + - json - ui: - static_use_hash: true - custom_css: custom.css - theme_args: - simple_style: "auto" + server: + port: 8080 + bind_address: "0.0.0.0" + secret_key: "${config.sops.placeholder.searxng_secret_key}" + limiter: true + image_proxy: true - redis: - url: redis://searxng-redis:6379/0 - ''; + ui: + static_use_hash: true + custom_css: custom.css + theme_args: + simple_style: "auto" + + redis: + url: valkey://valkey:6379/0 + ''; + }; # Placeholder secret definition (User must add this to secrets.yaml!) sops.secrets.searxng_secret_key = { }; 
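Review bot: With the option's default `{ }` the template renders `donations:` with nothing beneath it, i.e. a YAML null, and the separator in `lib.concatStringsSep "\n " (...)` only yields valid YAML when its indent equals the column of the first rendered item inside the `''` string — both are worth checking by building the template with an empty set and a two-entry set. The `cfg.donations ? "Monero"` lookup also expects a capitalised key while the option's own example uses lowercase `patreon`; document that the key is case-sensitive and which name drives `donation_url`, or normalise with `lib.toLower` before comparing. Wrapping the `donations:` block in `lib.optionalString (cfg.donations != { }) ...` avoids emitting the empty key at all.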
@@ -314,13 +348,29 @@ in }; systemd.services."podman-searxng".serviceConfig.Type = lib.mkForce "simple"; systemd.services."podman-searxng".serviceConfig.Delegate = true; + systemd.services."podman-searxng".after = [ + "create-searxng-network.service" + "user-runtime-dir@1000.service" + ]; + systemd.services."podman-searxng".requires = [ + "create-searxng-network.service" + "user-runtime-dir@1000.service" + ]; - systemd.services."podman-searxng-redis".serviceConfig.User = lib.mkForce "ashie"; - systemd.services."podman-searxng-redis".environment = { + systemd.services."podman-searxng-valkey".serviceConfig.User = lib.mkForce "ashie"; + systemd.services."podman-searxng-valkey".environment = { HOME = "/home/ashie"; XDG_RUNTIME_DIR = "/run/user/1000"; }; - systemd.services."podman-searxng-redis".serviceConfig.Type = lib.mkForce "simple"; - systemd.services."podman-searxng-redis".serviceConfig.Delegate = true; + systemd.services."podman-searxng-valkey".serviceConfig.Type = lib.mkForce "simple"; + systemd.services."podman-searxng-valkey".serviceConfig.Delegate = true; + systemd.services."podman-searxng-valkey".after = [ + "create-searxng-network.service" + "user-runtime-dir@1000.service" + ]; + systemd.services."podman-searxng-valkey".requires = [ + "create-searxng-network.service" + "user-runtime-dir@1000.service" + ]; }; } diff --git a/modules/nixos/steam-gamemode.nix b/modules/nixos/steam-gamemode.nix new file mode 100644 index 0000000..b94aa97 --- /dev/null +++ b/modules/nixos/steam-gamemode.nix 
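Review bot: `user-runtime-dir@1000.service`, `/run/user/1000` and `"ashie"` are now repeated across both container services and the network unit, so a UID or username change breaks the module in six places. Hoist them into the module's `let` (e.g. `runtimeUser = "ashie"; runtimeUid = 1000;`, or derive the UID from `config.users.users.<name>.uid` when it is set explicitly) and build the unit names as `"user-runtime-dir@${toString runtimeUid}.service"`. The `after`/`requires` pairs for the two services are identical as well and could be one shared attrset applied to both.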
@@ -0,0 +1,50 @@ +{ + pkgs, + ... +}: +{ + programs.gamescope = { + enable = true; + capSysNice = true; + }; + + services.displayManager.sessionPackages = [ + (pkgs.writeTextFile { + name = "steam-gamemode-session"; + destination = "/share/wayland-sessions/steam-gamemode.desktop"; + text = '' + [Desktop Entry] + Name=Steam GameMode + Comment=Launch Steam in GameMode with Gamescope + Exec=${pkgs.writeShellScript "steam-gamemode-start" '' + # Load system environment + . /etc/profile + + # Ensure we are in the user's home directory + cd "$HOME" || exit 1 + + exec >/tmp/steam-gamemode.log 2>&1 + echo "Starting Steam GameMode Session at $(date)" + echo "User: $(whoami)" + echo "PATH: $PATH" + echo "Gamescope path: ${pkgs.gamescope}/bin/gamescope" + + # Check for steam binary + if ! command -v steam >/dev/null; then + echo "ERROR: steam command not found in PATH" + exit 1 + fi + + echo "Launching gamescope..." + exec ${pkgs.gamescope}/bin/gamescope -f -e -- steam -gamepadui + ''} + Type=Application + ''; + derivationArgs = { + passthru = { + providedSessions = [ "steam-gamemode" ]; + }; + }; + }) + ]; +} diff --git a/modules/nixos/steam-sandboxed.nix b/modules/nixos/steam-sandboxed.nix index 4a871af..74b3545 100644 --- a/modules/nixos/steam-sandboxed.nix +++ b/modules/nixos/steam-sandboxed.nix @@ -128,6 +128,7 @@ in ''--talk="org.freedesktop.portal.*"'' ''--own="com.valvesoftware.Steam"'' ''--own="com.valvesoftware.Steam.*"'' + ''--own="com.steampowered.PressureVessel.*"'' ]; }; diff --git a/secrets/authelia_users_template.yml b/secrets/authelia_users_template.yml deleted file mode 100644 index c250092..0000000 --- a/secrets/authelia_users_template.yml +++ /dev/null 
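Review bot: `exec >/tmp/steam-gamemode.log 2>&1` writes a fixed-name log into the shared `/tmp`, where any local user can pre-create that name (or a symlink to a file the gaming user owns) and the redirect will truncate or follow it; the kernel's protected_symlinks sysctl mitigates only the symlink case. Log under the per-user runtime directory instead — inside the nested Nix `''` string that is `exec >"''${XDG_RUNTIME_DIR:-/tmp}/steam-gamemode.log" 2>&1` (the `''$` escape keeps Nix from interpolating). `. /etc/profile` is also unchecked and the script runs without `set -e`, so a failure there is silently ignored ahead of the `cd "$HOME" || exit 1` guard.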
@@ -1,10 +0,0 @@ -users: - admin: - displayname: Admin - # Password: password - # Hash generated with: --memory 16384 --iterations 1 --parallelism 1 - password: "$argon2id$v=19$m=16384,t=1,p=1$ygXlX9Am6U1CnfvXK/B0Xw$YspmBrCGnq987Z1QYjgSrA+oMkLCks7g8m/jKUtMKEg" - email: admin@ashisgreat.xyz - groups: - - admins - - dev