This commit is contained in:
ashisgreat22 2026-01-28 19:47:52 +01:00
parent faf14881a3
commit f4760f39da
20 changed files with 305 additions and 869 deletions


@ -1,53 +0,0 @@
#!/usr/bin/env bash
set -e
# Output file for the declarative script
OUTPUT_SCRIPT="/home/ashie/nixos/ensure_arr_users.sh"
echo "Capturing user from Sonarr..."
# Extract the first user row (assuming it's the admin)
# Format: ID|Identifier|Username|Password|Salt|Iterations
USER_ROW=$(nix run nixpkgs#sqlite -- /var/lib/nixarr/sonarr/sonarr.db "SELECT Identifier, Username, Password, Salt, Iterations FROM Users LIMIT 1;")
if [ -z "$USER_ROW" ]; then
echo "No user found in Sonarr DB! Please create a user in the Web UI first."
exit 1
fi
IFS='|' read -r IDENTIFIER USERNAME PASSWORD SALT ITERATIONS <<< "$USER_ROW"
echo "Found User: $USERNAME"
# Generate the script
cat <<EOF > "$OUTPUT_SCRIPT"
#!/usr/bin/env bash
set -e
# Function to ensure user exists
ensure_user() {
SERVICE=\$1
DB_PATH=\$2
echo "Ensuring user '$USERNAME' exists in \$SERVICE..."
# Check if user exists
COUNT=\$(nix run nixpkgs#sqlite -- "\$DB_PATH" "SELECT count(*) FROM Users WHERE Username='$USERNAME';")
if [ "\$COUNT" -eq "0" ]; then
echo "Creating user '$USERNAME'..."
nix run nixpkgs#sqlite -- "\$DB_PATH" "INSERT INTO Users (Identifier, Username, Password, Salt, Iterations) VALUES ('$IDENTIFIER', '$USERNAME', '$PASSWORD', '$SALT', '$ITERATIONS');"
else
echo "User '$USERNAME' already exists."
fi
}
ensure_user "Sonarr" "/var/lib/nixarr/sonarr/sonarr.db"
ensure_user "Radarr" "/var/lib/nixarr/radarr/radarr.db"
ensure_user "Prowlarr" "/var/lib/nixarr/prowlarr/prowlarr.db"
# Jellyseerr uses a different DB structure, skipping for now (it likely synced via Jellyfin or has its own auth)
EOF
chmod +x "$OUTPUT_SCRIPT"
echo "Generated $OUTPUT_SCRIPT. You can now use this to ensure the user exists."


@ -1,50 +0,0 @@
#!/usr/bin/env bash
set -e
echo "Stopping services..."
systemctl stop sonarr radarr prowlarr
# Function to enable auth
enable_auth() {
SERVICE=$1
CONFIG_FILE=$2
if [ -f "$CONFIG_FILE" ]; then
echo "Enabling Forms Auth for $SERVICE..."
cp "$CONFIG_FILE" "$CONFIG_FILE.bak"
# Set AuthenticationMethod to Forms
if grep -q "<AuthenticationMethod>" "$CONFIG_FILE"; then
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>Forms</AuthenticationMethod>|g' "$CONFIG_FILE"
else
# Insert if missing (unlikely, but inside <Config> usually)
sed -i 's|<Config>|<Config>\n <AuthenticationMethod>Forms</AuthenticationMethod>|g' "$CONFIG_FILE"
fi
# Set AuthenticationRequired to Enabled (Correct Enum Value)
if grep -q "<AuthenticationRequired>" "$CONFIG_FILE"; then
sed -i 's|<AuthenticationRequired>.*</AuthenticationRequired>|<AuthenticationRequired>Enabled</AuthenticationRequired>|g' "$CONFIG_FILE"
else
# Insert
sed -i 's|<Config>|<Config>\n <AuthenticationRequired>Enabled</AuthenticationRequired>|g' "$CONFIG_FILE"
fi
echo "$SERVICE updated."
else
echo "Config for $SERVICE not found at $CONFIG_FILE"
fi
}
enable_auth "Sonarr" "/var/lib/nixarr/sonarr/config.xml"
enable_auth "Radarr" "/var/lib/nixarr/radarr/config.xml"
enable_auth "Prowlarr" "/var/lib/nixarr/prowlarr/config.xml"
# Jellyseerr usually enforces login by default if users exist.
# Its config is in database, not easily scriptable via settings.json for auth mode.
echo "Restarting services..."
systemctl start sonarr radarr prowlarr
echo "Authentication enabled!"
echo "WARNING: If you do not have a user created in these apps, you may be locked out."
echo "If locked out, edit the config.xml file manually and set AuthenticationMethod back to 'None'."


@ -5,7 +5,7 @@
nixpkgs.url = "nixpkgs/nixos-unstable"; nixpkgs.url = "nixpkgs/nixos-unstable";
nix-cachyos-kernel = { nix-cachyos-kernel = {
url = "github:xddxdd/nix-cachyos-kernel"; url = "github:xddxdd/nix-cachyos-kernel?shallow=1";
}; };
sops-nix = { sops-nix = {


@ -1,271 +0,0 @@
HOSTCC scripts/basic/fixdep
HOSTCC scripts/kconfig/conf.o
HOSTCC scripts/kconfig/confdata.o
HOSTCC scripts/kconfig/expr.o
LEX scripts/kconfig/lexer.lex.c
YACC scripts/kconfig/parser.tab.[ch]
HOSTCC scripts/kconfig/lexer.lex.o
HOSTCC scripts/kconfig/menu.o
HOSTCC scripts/kconfig/parser.tab.o
HOSTCC scripts/kconfig/preprocess.o
HOSTCC scripts/kconfig/symbol.o
HOSTCC scripts/kconfig/util.o
HOSTLD scripts/kconfig/conf
using config: '.config'
razerkbd config not found!!
razermouse config not found!!
vendor_reset config not found!!
razerkraken config not found!!
*
* Restart config...
*
*
* Scheduler features
*
Enable utilization clamping for RT/FAIR tasks (UCLAMP_TASK) [Y/n/?] y
Number of supported utilization clamp buckets (UCLAMP_BUCKETS_COUNT) [5] 5
Proxy Execution (SCHED_PROXY_EXEC) [N/y/?] (NEW)
*
* Binary Emulations
*
IA32 Emulation (IA32_EMULATION) [Y/n/?] y
IA32 emulation disabled by default (IA32_EMULATION_DEFAULT_DISABLED) [N/y/?] n
x32 ABI for 64-bit mode (X86_X32_ABI) [N/y/?] (NEW)
*
* GCC plugins
*
GCC plugins (GCC_PLUGINS) [Y/n/?] (NEW)
Generate some entropy during boot and runtime (GCC_PLUGIN_LATENT_ENTROPY) [N/y/?] (NEW)
*
* PCI GPIO expanders
*
AMD 8111 GPIO driver (GPIO_AMD8111) [N/m/y/?] n
BT8XX GPIO abuser (GPIO_BT8XX) [N/m/y/?] (NEW)
OKI SEMICONDUCTOR ML7213 IOH GPIO support (GPIO_ML_IOH) [N/m/y/?] n
ACCES PCI-IDIO-16 GPIO support (GPIO_PCI_IDIO_16) [N/m/y/?] n
ACCES PCIe-IDIO-24 GPIO support (GPIO_PCIE_IDIO_24) [N/m/y/?] n
RDC R-321x GPIO support (GPIO_RDC321X) [N/m/y/?] n
Intel Sodaville GPIO support (GPIO_SODAVILLE) [N/y/?] n
*
* Voltage and Current Regulator Support
*
Voltage and Current Regulator Support (REGULATOR) [Y/n/?] y
Regulator debug support (REGULATOR_DEBUG) [N/y/?] n
Fixed voltage regulator support (REGULATOR_FIXED_VOLTAGE) [N/m/y/?] n
Virtual regulator consumer support (REGULATOR_VIRTUAL_CONSUMER) [N/m/y/?] n
Userspace regulator consumer support (REGULATOR_USERSPACE_CONSUMER) [N/m/y/?] n
Enable support for receiving regulator events via netlink (REGULATOR_NETLINK_EVENTS) [Y/n/?] y
Marvell 88PG86X voltage regulators (REGULATOR_88PG86X) [N/m/y/?] n
Marvell 88PM8607 Power regulators (REGULATOR_88PM8607) [N/m/y/?] n
Active-semi act8865 voltage regulator (REGULATOR_ACT8865) [N/m/y/?] n
Analog Devices AD5398/AD5821 regulators (REGULATOR_AD5398) [N/m/y/?] n
Analog Devices ADP5055 Triple Buck Regulator (REGULATOR_ADP5055) [N/m/y/?] n
AnalogicTech AAT2870 Regulators (REGULATOR_AAT2870) [N/m/y/?] n
AS3711 PMIC (REGULATOR_AS3711) [N/m/y/?] n
Awinic AW37503 Dual Output Power regulators (REGULATOR_AW37503) [N/m/y/?] n
Dialog Semiconductor DA9030/DA9034 regulators (REGULATOR_DA903X) [N/m/y/?] (NEW)
Dialog Semiconductor DA9052/DA9053 regulators (REGULATOR_DA9052) [N/m/y/?] n
Dialog Semiconductor DA9055 regulators (REGULATOR_DA9055) [N/m/y/?] n
Dialog Semiconductor DA9121/DA9122/DA9220/DA9217/DA9130/DA9131/DA9132 regulator (REGULATOR_DA9121) [N/m/y/?] n
Dialog Semiconductor DA9210 regulator (REGULATOR_DA9210) [N/m/y/?] n
Dialog Semiconductor DA9211/DA9212/DA9213/DA9223/DA9214/DA9224/DA9215/DA9225 regulator (REGULATOR_DA9211) [N/m/y/?] n
Fairchild FAN53555 Regulator (REGULATOR_FAN53555) [N/m/y/?] n
Fairchild FAN53880 Regulator (REGULATOR_FAN53880) [N/m/y/?] n
GPIO regulator support (REGULATOR_GPIO) [N/m/y/?] n
Intersil ISL9305 regulator (REGULATOR_ISL9305) [N/m/y/?] n
Intersil ISL6271A Power regulator (REGULATOR_ISL6271A) [N/m/y/?] n
National Semiconductors LP3971 PMIC regulator driver (REGULATOR_LP3971) [N/m/y/?] n
National Semiconductors LP3972 PMIC regulator driver (REGULATOR_LP3972) [N/m/y/?] n
TI/National Semiconductor LP8720/LP8725 voltage regulators (REGULATOR_LP872X) [N/m/y/?] n
TI LP8755 High Performance PMU driver (REGULATOR_LP8755) [N/m/y/?] n
TI LP8788 Power Regulators (REGULATOR_LP8788) [N/m/y/?] n
LTC3589 8-output voltage regulator (REGULATOR_LTC3589) [N/m/y/?] n
LTC3676 8-output voltage regulator (REGULATOR_LTC3676) [N/m/y/?] n
Maxim 1586/1587 voltage regulator (REGULATOR_MAX1586) [N/m/y/?] n
Analog Devices MAX77503 Regulator (REGULATOR_MAX77503) [N/m/y/?] n
ADI MAX77857/MAX77831 regulator support (REGULATOR_MAX77857) [N/m/y/?] n
Maxim 8649 voltage regulator (REGULATOR_MAX8649) [N/m/y/?] n
Maxim 8660/8661 voltage regulator (REGULATOR_MAX8660) [N/m/y/?] n
Maxim 8893 voltage regulator (REGULATOR_MAX8893) [N/m/y/?] n
Maxim MAX8925 Power Management IC (REGULATOR_MAX8925) [N/m/y/?] n
Maxim MAX8952 Power Management IC (REGULATOR_MAX8952) [N/m/y/?] n
Maxim MAX8973A voltage regulator (REGULATOR_MAX8973) [N/m/y/?] n
Maxim 8997/8966 regulator (REGULATOR_MAX8997) [N/m/y/?] n
Maxim 8998 voltage regulator (REGULATOR_MAX8998) [N/m/y/?] n
Maxim MAX20086-MAX20089 Camera Power Protectors (REGULATOR_MAX20086) [N/m/y/?] n
Maxim MAX20411 High-Efficiency Single Step-Down Converter (REGULATOR_MAX20411) [N/m/y/?] n
Maxim 77693/77843 regulator (REGULATOR_MAX77693) [N/m/y/?] n
Maxim 77826 regulator (REGULATOR_MAX77826) [N/m/y/?] n
Maxim 77838 regulator (REGULATOR_MAX77838) [N/m/y/?] n
Microchip MCP16502 PMIC (REGULATOR_MCP16502) [N/m/y/?] n
Monolithic MP5416 PMIC (REGULATOR_MP5416) [N/m/y/?] n
MPS MP8859 regulator driver (REGULATOR_MP8859) [N/m/y/?] n
MPS MP8869 regulator driver (REGULATOR_MP886X) [N/m/y/?] n
Monolithic MPQ7920 PMIC (REGULATOR_MPQ7920) [N/m/y/?] n
MediaTek MT6311 PMIC (REGULATOR_MT6311) [N/m/y/?] n
NXP PCA9450A/PCA9450B/PCA9450C regulator driver (REGULATOR_PCA9450) [N/m/y/?] n
NXP PF9453 regulator driver (REGULATOR_PF9453) [N/m/y/?] n
Motorola PCAP2 regulator driver (REGULATOR_PCAP) [N/m/y/?] n
NXP PF0900/PF0901/PF09XX regulator driver (REGULATOR_PF0900) [N/m/y/?] n
NXP PF5300/PF5301/PF5302 regulator driver (REGULATOR_PF530X) [N/m/y/?] n
NXP PF8100/PF8121A/PF8200 regulator driver (REGULATOR_PF8X00) [N/m/y/?] n
Freescale PFUZE100/200/3000/3001 regulator driver (REGULATOR_PFUZE100) [N/m/y/?] n
Powerventure Semiconductor PV88060 regulator (REGULATOR_PV88060) [N/m/y/?] n
Powerventure Semiconductor PV88080 regulator (REGULATOR_PV88080) [N/m/y/?] n
Powerventure Semiconductor PV88090 regulator (REGULATOR_PV88090) [N/m/y/?] n
PWM voltage regulator (REGULATOR_PWM) [N/m/y/?] n
Renesas RAA215300 driver (REGULATOR_RAA215300) [N/m/y/?] n
Raspberry Pi 7-inch touchscreen panel ATTINY regulator (REGULATOR_RASPBERRYPI_TOUCHSCREEN_ATTINY) [N/m/y/?] n
Raspberry Pi 7-inch touchscreen panel V2 regulator (REGULATOR_RASPBERRYPI_TOUCHSCREEN_V2) [N/m/y/?] n
RICOH RC5T583 Power regulators (REGULATOR_RC5T583) [N/m/y/?] n
Richtek RT4801 Regulators (REGULATOR_RT4801) [N/m/y/?] n
Richtek RT4803 boost regulator (REGULATOR_RT4803) [N/m/y/?] n
Richtek RT5133 PMIC Regulators (REGULATOR_RT5133) [N/m/y/?] n
Richtek RT5190A PMIC (REGULATOR_RT5190A) [N/m/y/?] n
Richtek RT5739 Regulator (REGULATOR_RT5739) [N/m/y/?] n
Richtek RT5759 Regulator (REGULATOR_RT5759) [N/m/y/?] n
Richtek RT6160 BuckBoost voltage regulator (REGULATOR_RT6160) [N/m/y/?] n
Richtek RT6190 4-Switch BuckBoost controller (REGULATOR_RT6190) [N/m/y/?] n
Richtek RT6245 voltage regulator (REGULATOR_RT6245) [N/m/y/?] n
Richtek RTQ2134 SubPMIC Regulator (REGULATOR_RTQ2134) [N/m/y/?] n
Richtek RTMV20 Laser Diode Regulator (REGULATOR_RTMV20) [N/m/y/?] n
Richtek RTQ6752 TFT LCD voltage regulator (REGULATOR_RTQ6752) [N/m/y/?] n
Richtek RTQ2208 SubPMIC Regulator (REGULATOR_RTQ2208) [N/m/y/?] n
Dialog Semiconductor SLG51000 regulators (REGULATOR_SLG51000) [N/m/y/?] n
Silergy SY8106A regulator (REGULATOR_SY8106A) [N/m/y/?] n
Silergy SY8824C/SY8824E regulator (REGULATOR_SY8824X) [N/m/y/?] n
Silergy SY8827N regulator (REGULATOR_SY8827N) [N/m/y/?] n
TI TPS51632 Power Regulator (REGULATOR_TPS51632) [N/m/y/?] n
TI TPS6236x Power Regulator (REGULATOR_TPS62360) [N/m/y/?] n
TI TPS6286x Power Regulator (REGULATOR_TPS6286X) [N/m/y/?] n
TI TPS6287x Power Regulator (REGULATOR_TPS6287X) [N/m/y/?] n
TI TPS65023 Power regulators (REGULATOR_TPS65023) [N/m/y/?] n
TI TPS6507X Power regulators (REGULATOR_TPS6507X) [N/m/y/?] n
TI TPS65090 Power regulator (REGULATOR_TPS65090) [N/m/y/?] n
TI TPS65132 Dual Output Power regulators (REGULATOR_TPS65132) [N/m/y/?] n
TI TPS6524X Power regulators (REGULATOR_TPS6524X) [N/m/y/?] n
TI TPS6586X Power regulators (REGULATOR_TPS6586X) [N/m/y/?] n
TI TPS65910/TPS65911 Power Regulators (REGULATOR_TPS65910) [N/m/y/?] n
TI TWL4030/TWL5030/TWL6030/TPS659x0 PMIC (REGULATOR_TWL4030) [N/m/y/?] n
Voltage controlled regulators (REGULATOR_VCTRL) [N/m/y/?] n
Wolfson Microelectronics WM831x PMIC regulators (REGULATOR_WM831X) [N/m/y/?] n
Wolfson Microelectronics WM8350 AudioPlus PMIC (REGULATOR_WM8350) [N/m/y/?] n
Wolfson Microelectronics WM8400 AudioPlus PMIC (REGULATOR_WM8400) [N/m/y/?] n
*
* Video encoders
*
Analog Devices ADV7170 video encoder (VIDEO_ADV7170) [N/m/?] n
Analog Devices ADV7175 video encoder (VIDEO_ADV7175) [N/m/?] n
ADV7343 video encoder (VIDEO_ADV7343) [N/m/?] n
ADV7393 video encoder (VIDEO_ADV7393) [N/m/?] n
Analog Devices ADV7511 encoder (VIDEO_ADV7511) [N/m/?] (NEW)
AK8813/AK8814 video encoders (VIDEO_AK881X) [N/m/?] n
Philips SAA7127/9 digital video encoders (VIDEO_SAA7127) [N/m/?] n
Philips SAA7185 video encoder (VIDEO_SAA7185) [N/m/?] n
Texas Instruments THS8200 video encoder (VIDEO_THS8200) [N/m/?] n
*
* PCI sound devices
*
PCI sound devices (SND_PCI) [Y/n/?] y
Analog Devices AD1889 (SND_AD1889) [N/m/?] n
Avance Logic ALS300/ALS300+ (SND_ALS300) [N/m/?] n
Avance Logic ALS4000 (SND_ALS4000) [N/m/?] n
ALi M5451 PCI Audio Controller (SND_ALI5451) [N/m/?] n
AudioScience ASIxxxx (SND_ASIHPI) [N/m/?] n
ATI IXP AC97 Controller (SND_ATIIXP) [N/m/?] n
ATI IXP Modem (SND_ATIIXP_MODEM) [N/m/?] n
Aureal Advantage (SND_AU8810) [N/m/?] n
Aureal Vortex (SND_AU8820) [N/m/?] n
Aureal Vortex 2 (SND_AU8830) [N/m/?] n
Emagic Audiowerk 2 (SND_AW2) [N/m/?] n
Aztech AZF3328 / PCI168 (SND_AZT3328) [N/m/?] n
Bt87x Audio Capture (SND_BT87X) [N/m/?] n
SB Audigy LS / Live 24bit (SND_CA0106) [N/m/?] n
C-Media 8338, 8738, 8768, 8770 (SND_CMIPCI) [N/m/?] n
C-Media 8786, 8787, 8788 (Oxygen) (SND_OXYGEN) [N/m/?] n
Cirrus Logic (Sound Fusion) CS4281 (SND_CS4281) [N/m/?] n
Cirrus Logic (Sound Fusion) CS4280/CS461x/CS462x/CS463x (SND_CS46XX) [N/m/?] n
Creative Sound Blaster X-Fi (SND_CTXFI) [N/m/?] n
(Echoaudio) Darla20 (SND_DARLA20) [N/m/?] n
(Echoaudio) Gina20 (SND_GINA20) [N/m/?] n
(Echoaudio) Layla20 (SND_LAYLA20) [N/m/?] n
(Echoaudio) Darla24 (SND_DARLA24) [N/m/?] n
(Echoaudio) Gina24 (SND_GINA24) [N/m/?] n
(Echoaudio) Layla24 (SND_LAYLA24) [N/m/?] n
(Echoaudio) Mona (SND_MONA) [N/m/?] n
(Echoaudio) Mia (SND_MIA) [N/m/?] n
(Echoaudio) 3G cards (SND_ECHO3G) [N/m/?] n
(Echoaudio) Indigo (SND_INDIGO) [N/m/?] n
(Echoaudio) Indigo IO (SND_INDIGOIO) [N/m/?] n
(Echoaudio) Indigo DJ (SND_INDIGODJ) [N/m/?] n
(Echoaudio) Indigo IOx (SND_INDIGOIOX) [N/m/?] n
(Echoaudio) Indigo DJx (SND_INDIGODJX) [N/m/?] n
Emu10k1 (SB Live!, Audigy, E-MU APS/0404/1010/1212/1616/1820) (SND_EMU10K1) [N/m/?] n
Emu10k1X (Dell OEM Version) (SND_EMU10K1X) [N/m/?] n
(Creative) Ensoniq AudioPCI 1370 (SND_ENS1370) [N/m/?] n
(Creative) Ensoniq AudioPCI 1371/1373 (SND_ENS1371) [N/m/?] n
ESS ES1938/1946/1969 (Solo-1) (SND_ES1938) [N/m/?] n
ESS ES1968/1978 (Maestro-1/2/2E) (SND_ES1968) [N/m/?] n
ForteMedia FM801 (SND_FM801) [N/m/?] n
RME Hammerfall DSP Audio (SND_HDSP) [N/m/?] n
RME Hammerfall DSP MADI/RayDAT/AIO (SND_HDSPM) [N/m/?] n
ICEnsemble ICE1712 (Envy24) (SND_ICE1712) [N/m/?] n
ICE/VT1724/1720 (Envy24HT/PT) (SND_ICE1724) [N/m/?] n
Intel/SiS/nVidia/AMD/ALi AC97 Controller (SND_INTEL8X0) [N/m/?] n
Intel/SiS/nVidia/AMD MC97 Modem (SND_INTEL8X0M) [N/m/?] n
Korg 1212 IO (SND_KORG1212) [N/m/?] n
Digigram Lola (SND_LOLA) [N/m/?] n
Digigram LX6464ES (SND_LX6464ES) [N/m/?] n
ESS Allegro/Maestro3 (SND_MAESTRO3) [N/m/?] n
Digigram miXart (SND_MIXART) [N/m/?] n
NeoMagic NM256AV/ZX (SND_NM256) [N/m/?] n
Digigram PCXHR (SND_PCXHR) [N/m/?] n
Conexant Riptide (SND_RIPTIDE) [N/m/?] n
RME Digi32, 32/8, 32 PRO (SND_RME32) [N/m/?] n
RME Digi96, 96/8, 96/8 PRO (SND_RME96) [N/m/?] n
RME Digi9652 (Hammerfall) (SND_RME9652) [N/m/?] n
Studio Evolution SE6X (SND_SE6X) [N/m/?] (NEW)
S3 SonicVibes (SND_SONICVIBES) [N/m/?] n
Trident 4D-Wave DX/NX; SiS 7018 (SND_TRIDENT) [N/m/?] n
VIA 82C686A/B, 8233/8235 AC97 Controller (SND_VIA82XX) [N/m/?] n
VIA 82C686A/B, 8233 based Modems (SND_VIA82XX_MODEM) [N/m/?] n
Asus Virtuoso 66/100/200 (Xonar) (SND_VIRTUOSO) [N/m/?] n
Digigram VX222 (SND_VX222) [N/m/?] n
Yamaha YMF724/740/744/754 (SND_YMFPCI) [N/m/?] n
*
* Kernel hardening options
*
Randomize layout of sensitive kernel structures
> 1. Disable structure layout randomization (RANDSTRUCT_NONE)
2. Fully randomize structure layout (RANDSTRUCT_FULL)
3. Limit randomization of structure layout to cache-lines (RANDSTRUCT_PERFORMANCE) (NEW)
choice[1-3?]:
*
* Compile-time checks and compiler options
*
Debug information
1. Disable debug information (DEBUG_INFO_NONE)
> 2. Rely on the toolchain's implicit default DWARF version (DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT)
3. Generate DWARF Version 4 debuginfo (DEBUG_INFO_DWARF4)
4. Generate DWARF Version 5 debuginfo (DEBUG_INFO_DWARF5)
choice[1-4?]: 2
Reduce debugging information (DEBUG_INFO_REDUCED) [N/y/?] n
Compressed Debug information
> 1. Don't compress debug information (DEBUG_INFO_COMPRESSED_NONE)
2. Compress debugging information with zlib (DEBUG_INFO_COMPRESSED_ZLIB)
choice[1-2?]: 1
Produce split debuginfo in .dwo files (DEBUG_INFO_SPLIT) [N/y/?] n
Provide GDB scripts for kernel debugging (GDB_SCRIPTS) [Y/n/?] y
Warn for stack frames larger than (FRAME_WARN) [2048] 2048
Strip assembler-generated symbols during link (STRIP_ASM_SYMS) [Y/n/?] y
Generate readable assembler code (READABLE_ASM) [N/y/?] (NEW)
Install uapi headers to usr/include (HEADERS_INSTALL) [N/y/?] n
Enable full Section mismatch analysis (DEBUG_SECTION_MISMATCH) [N/y/?] (NEW)
Make section mismatch errors non-fatal (SECTION_MISMATCH_WARN_ONLY) [Y/n/?] y
Force all function address 64B aligned (DEBUG_FORCE_FUNCTION_ALIGN_64B) [N/y/?] n
Upgrade objtool warnings to errors (OBJTOOL_WERROR) [N/y/?] n
Generate vmlinux.map file when linking (VMLINUX_MAP) [N/y/?] n
Force weak per-cpu definitions (DEBUG_FORCE_WEAK_PER_CPU) [N/y/?] n
#
# configuration written to .config
#

0
home/fastfetch.nix Normal file


@ -53,8 +53,9 @@
./system/compatibility.nix # Compatibility layers (nix-ld) ./system/compatibility.nix # Compatibility layers (nix-ld)
./system/game-drive.nix ./system/game-drive.nix
./system/vpn-namespace.nix # Isolated VPN Namespace ./system/vpn-namespace.nix # Isolated VPN Namespace
./system/authelia.nix # SSO/2FA #./system/authelia.nix # SSO/2FA
../../modules/nixos/media.nix # Arr Stack ../../modules/nixos/media.nix # Arr Stack
../../modules/nixos/steam-gamemode.nix # Steam GameMode Session
]; ];
nixpkgs.config.allowUnfreePredicate = nixpkgs.config.allowUnfreePredicate =
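Review bot: Commenting out `./system/authelia.nix` removes the SSO/2FA layer without recording what now authenticates the services it fronted; in the same commit the Authelia instance gets `enable = false`, its three `sops.secrets.authelia_*` declarations are commented out, and the helper script that switched Sonarr/Radarr/Prowlarr to Forms authentication is deleted, so nothing on the page shows a replacement. If any of the nginx vhosts touched here previously relied on Authelia for access control, confirm each backend's own login is enabled before this is deployed. Put the reason on the line itself, e.g. `#./system/authelia.nix # SSO/2FA — disabled: <reason>; backends use their own auth`, so the disabled module is not mistaken for leftover cruft. The same one-line explanation belongs next to `enable = false;` in the Authelia instance and above the commented-out sops secret blocks.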


@ -56,8 +56,8 @@
allowLocalTraffic = true; allowLocalTraffic = true;
enablePodmanWorkaround = true; enablePodmanWorkaround = true;
publicPorts = [ publicPorts = [
80
443 443
80
]; ];
restrictedPorts = [ ]; restrictedPorts = [ ];
}; };
@ -93,6 +93,10 @@
enable = true; enable = true;
port = 8888; port = 8888;
domain = "search.ashisgreat.xyz"; domain = "search.ashisgreat.xyz";
donations = {
"Monero" =
"https://trocador.app/en/anonpay/?ticker_to=xmr&network_to=Mainnet&address=86piV4MV8wqSCTv3innkL1cMP54oShHfmVhq6QcFgvtuFTJqw6FkMgm4hgTaxV3reqXVmfGW5h5ffZanLM5XzW4nHUReno4&donation=True&simple_mode=True&amount=1.1e-05&name=Ashie&bgcolor=00000000";
};
}; };
}; };
} }


@ -26,6 +26,7 @@
home.packages = [ home.packages = [
pkgs.mimalloc pkgs.mimalloc
pkgs.jellyfin-media-player pkgs.jellyfin-media-player
pkgs.joplin-desktop
pkgs.bemoji pkgs.bemoji
pkgs.wtype pkgs.wtype
(pkgs.writeShellScriptBin "opencode" '' (pkgs.writeShellScriptBin "opencode" ''


@ -3,14 +3,10 @@
{ {
programs.kitty = { programs.kitty = {
enable = true; enable = true;
themeFile = "Catppuccin-Mocha"; # Updated option name themeFile = "Catppuccin-Mocha";
settings = { settings = {
confirm_os_window_close = 0; confirm_os_window_close = 0;
cursor_shape = "beam"; cursor_shape = "beam";
}; };
# extraConfig = ''
# include current-theme.conf
# '';
}; };
} }


@ -7,7 +7,7 @@
{ {
services.authelia.instances.main = { services.authelia.instances.main = {
enable = true; enable = false;
# Secrets # Secrets
secrets = { secrets = {


@ -6,7 +6,7 @@
}: }:
{ {
sops.defaultSopsFile = ../secrets/secrets.yaml; sops.defaultSopsFile = ../../../secrets/secrets.yaml;
sops.defaultSopsFormat = "yaml"; sops.defaultSopsFormat = "yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
@ -96,13 +96,13 @@
sops.secrets.prowlarr_api_key = { }; sops.secrets.prowlarr_api_key = { };
# Authelia Secrets # Authelia Secrets
sops.secrets.authelia_jwt_secret = { # sops.secrets.authelia_jwt_secret = {
owner = "authelia-main"; # owner = "authelia-main";
}; # };
sops.secrets.authelia_session_secret = { # sops.secrets.authelia_session_secret = {
owner = "authelia-main"; # owner = "authelia-main";
}; # };
sops.secrets.authelia_storage_encryption_key = { # sops.secrets.authelia_storage_encryption_key = {
owner = "authelia-main"; # owner = "authelia-main";
}; # };
} }


@ -71,9 +71,22 @@
myModules.nginx.enable = true; myModules.nginx.enable = true;
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"_" = {
default = true;
useACMEHost = "ashisgreat.xyz";
forceSSL = true;
locations."/".return = "444";
};
"search.ashisgreat.xyz" = { "search.ashisgreat.xyz" = {
useACMEHost = "ashisgreat.xyz"; useACMEHost = "ashisgreat.xyz";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-src 'self'; base-uri 'self'; form-action 'self';";
'';
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8888"; proxyPass = "http://127.0.0.1:8888";
proxyWebsockets = true; proxyWebsockets = true;
@ -84,7 +97,10 @@
useACMEHost = "ashisgreat.xyz"; useACMEHost = "ashisgreat.xyz";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header X-Frame-Options "DENY"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;"; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;";
''; '';
locations."/" = { locations."/" = {
@ -97,6 +113,10 @@
useACMEHost = "ashisgreat.xyz"; useACMEHost = "ashisgreat.xyz";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' data:; connect-src 'self' wss: https:; worker-src 'self' blob:;"; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' data:; connect-src 'self' wss: https:; worker-src 'self' blob:;";
''; '';
locations."/" = { locations."/" = {
@ -121,6 +141,10 @@
useACMEHost = "ashisgreat.xyz"; useACMEHost = "ashisgreat.xyz";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Access-Control-Allow-Origin "https://stream.ashisgreat.xyz"; add_header Access-Control-Allow-Origin "https://stream.ashisgreat.xyz";
''; '';
locations."/" = { locations."/" = {
@ -177,6 +201,13 @@
"jellyfin.ashisgreat.xyz" = { "jellyfin.ashisgreat.xyz" = {
useACMEHost = "ashisgreat.xyz"; useACMEHost = "ashisgreat.xyz";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/accentlist.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/base.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/bottombarprogress.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/fixes.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/jf_font.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/overlayprogress.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/rounding.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/rounding_circlehover.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/smallercast.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/rounding_circlehover.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/cornerindicator/indicator_floating.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/cornerindicator/indicator_corner.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/effects/glassy.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/effects/pan-animation.css https://ctalvio.github.io/Monochromic/backdrop-hack_style.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/effects/hoverglow.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/effects/scrollfade.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/episodelist/episodes_compactlist.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/episodelist/episodes_grid.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/fields/fields_border.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/fields/fields_noborder.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/header/header_transparent.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/header/header_transparent-dashboard.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/login/login_frame.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/login/login_minimalistic.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/login/login_frame.css 
https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/presets/monochromic_preset.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/presets/kaleidochromic_preset.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/presets/novachromic_preset.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/titlepage/title_banner.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/titlepage/title_banner-logo.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/titlepage/title_simple.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/titlepage/title_simple-logo.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/type/light.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/type/dark.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/type/colorful.css https://cdn.jsdelivr.net/gh/CTalvio/Ultrachromic/type/dark_withaccent.css https://fonts.googleapis.com/css2; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
'';
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true; proxyWebsockets = true;
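Review bot: The Jellyfin Content-Security-Policy added in the last hunk is missing the `;` between the end of `script-src` and `worker-src`, so `worker-src` is parsed as a host-source inside `script-src`, the trailing `'self' blob:` widen `script-src` instead of governing workers, and no worker-src directive is set at all; the fragment should read `... https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; ...`. The `style-src` list also repeats `rounding_circlehover.css` and `login_frame.css`, which is harmless but worth deduplicating while the semicolon is fixed. The value appears to be split across two physical lines inside the Nix `''` string; if that is the file and not page wrapping, nginx will emit a header value containing a newline, so keep the whole `add_header` on one line. `Strict-Transport-Security ... includeSubDomains; preload` is now sent by every subdomain vhost; preload is a long-term commitment for the whole `ashisgreat.xyz` zone and the preload list additionally expects the header on the apex host, so confirm that is intended rather than copied along with the other headers. The enclosing `services.nginx.virtualHosts` attribute set continues outside these hunks.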


@ -40,6 +40,7 @@ in
}; };
Service = { Service = {
WorkingDirectory = workDir;
ExecStartPre = pkgs.writeShellScript "antigravity2api-init" '' ExecStartPre = pkgs.writeShellScript "antigravity2api-init" ''
export PATH="${pkgs.coreutils}/bin:$PATH" export PATH="${pkgs.coreutils}/bin:$PATH"
mkdir -p "${workDir}" mkdir -p "${workDir}"
@ -54,7 +55,7 @@ in
ExecStart = '' ExecStart = ''
${pkgs.podman}/bin/podman run --replace --rm --name antigravity2api \ ${pkgs.podman}/bin/podman run --replace --rm --name antigravity2api \
-p 8045:8045 \ -p 127.0.0.1:8045:8045 \
-v ${workDir}/data:/app/data \ -v ${workDir}/data:/app/data \
-v ${workDir}/public/images:/app/public/images \ -v ${workDir}/public/images:/app/public/images \
-v ${workDir}/.env:/app/.env \ -v ${workDir}/.env:/app/.env \
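Review bot: Adding `WorkingDirectory = workDir;` makes systemd change into `${workDir}` before it runs `ExecStartPre`, so on a host where that directory does not exist yet the unit fails before the `mkdir -p "${workDir}"` in the init script gets a chance to create it. Either make sure the directory exists before the unit starts (a tmpfiles rule, or creating it from a step that does not depend on the working directory) or drop `WorkingDirectory` and keep relying on the absolute `${workDir}` paths the init script and the mount list already use. Binding the container to `-p 127.0.0.1:8045:8045` is the right change; a short comment such as `# loopback only, reached via the reverse proxy` would stop a later edit from widening it again. The service definition starts before the first hunk and the `podman run` line continues past the second.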


@ -9,11 +9,9 @@
}: }:
let let
# Apply the bwrapper overlay to get mkBwrapper
bwrapperPkgs = pkgs.extend inputs.nix-bwrapper.overlays.default; bwrapperPkgs = pkgs.extend inputs.nix-bwrapper.overlays.default;
in in
{ {
# Provide the sandboxed Lutris package
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: prev: { (final: prev: {
lutris-sandboxed = bwrapperPkgs.mkBwrapper { lutris-sandboxed = bwrapperPkgs.mkBwrapper {
@ -34,13 +32,12 @@ in
pkgs.vulkan-tools pkgs.vulkan-tools
pkgs.unzip pkgs.unzip
pkgs.cabextract pkgs.cabextract
pkgs.xorg.xrandr
pkgs.pciutils pkgs.pciutils
pkgs.gamemode.lib pkgs.gamemode.lib
pkgs.xdg-utils pkgs.xdg-utils
]; ];
}; };
isFhsenv = true; # Lutris uses buildFHSEnv isFhsenv = true;
id = "net.lutris.Lutris"; id = "net.lutris.Lutris";
env = { env = {
WEBKIT_DISABLE_DMABUF_RENDERER = 1; WEBKIT_DISABLE_DMABUF_RENDERER = 1;
@ -51,7 +48,6 @@ in
XDG_CURRENT_DESKTOP = "niri"; XDG_CURRENT_DESKTOP = "niri";
XDG_SESSION_TYPE = "wayland"; XDG_SESSION_TYPE = "wayland";
DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus"; DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus";
# Ensure Vulkan loader finds the drivers
VK_ICD_FILENAMES = "/run/opengl-driver/share/vulkan/icd.d/radeon_icd.x86_64.json:/run/opengl-driver-32/share/vulkan/icd.d/radeon_icd.i686.json"; VK_ICD_FILENAMES = "/run/opengl-driver/share/vulkan/icd.d/radeon_icd.x86_64.json:/run/opengl-driver-32/share/vulkan/icd.d/radeon_icd.i686.json";
}; };
}; };
@ -69,10 +65,10 @@ in
"$HOME/.config/kdedefaults" "$HOME/.config/kdedefaults"
"$HOME/.local/share/color-schemes" "$HOME/.local/share/color-schemes"
"$HOME/.local/share/Steam/compatibilitytools.d" "$HOME/.local/share/Steam/compatibilitytools.d"
# GTK Theming
"$HOME/.config/gtk-3.0" "$HOME/.config/gtk-3.0"
"$HOME/.config/gtk-4.0" "$HOME/.config/gtk-4.0"
"$HOME/.icons" "$HOME/.icons"
"/data/Torrents/Games" # Repack installers
]; ];
readWrite = [ readWrite = [
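Review bot: The hunks remove the why-comments (`# Apply the bwrapper overlay to get mkBwrapper`, `# Lutris uses buildFHSEnv`, `# Ensure Vulkan loader finds the drivers`, `# GTK Theming`) without carrying the information anywhere else; `isFhsenv = true` and the long `VK_ICD_FILENAMES` value are exactly the lines a later reader will not know the reason for. Keep at least `isFhsenv = true; # Lutris uses buildFHSEnv` and `# Ensure Vulkan loader finds the drivers` above `VK_ICD_FILENAMES`. The new `"/data/Torrents/Games" # Repack installers` entry hands a directory of unverified downloaded archives to the sandboxed Lutris process; that is what the bwrapper sandbox is for, but since the list's attribute name is above the hunk, a comment stating whether this is the read-only set would make the intended exposure explicit. Both the overlay definition and this list extend outside the visible hunks.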


@ -5,294 +5,69 @@
... ...
}: }:
{ let
# Define the user and group consistently
user = "ashie";
group = "users";
puid = "1000";
pgid = "100";
# Nixarr Configuration # Common env vars to avoid repetition
# Replaces OCI containers with native NixOS services commonEnv = {
# Nixflix Configuration PUID = puid;
nixflix = { PGID = pgid;
enable = false; # Disabled to revert to Podman TZ = "Europe/Berlin";
stateDir = "/var/lib/nixflix";
mediaDir = "/data";
sonarr.enable = false;
radarr.enable = false;
prowlarr.enable = false;
jellyfin.enable = false;
jellyseerr.enable = false;
# We use external OCI containers for these
sabnzbd.enable = false;
mullvad.enable = false;
# Jellyseerr defaults to VPN=true, but we disabled Mullvad, so we must disable VPN here too.
jellyseerr.vpn.enable = false;
}; };
in
# Homepage Dashboard {
services.homepage-dashboard = { # 1. Enable Podman (required backend)
virtualisation = {
podman = {
enable = true; enable = true;
listenPort = 8082; autoPrune.enable = true;
# Custom settings for better visual appearance
settings = {
title = "Media Dashboard";
theme = "dark";
color = "slate";
headerStyle = "boxed";
layout = {
"Media" = {
style = "row";
columns = 2;
};
"Automation" = {
style = "row";
columns = 3;
};
"Downloads" = {
style = "row";
columns = 2;
};
}; };
oci-containers.backend = "podman";
}; };
services = [ # 2. Container Definitions
{
"Media" = [
{
"Jellyfin" = {
icon = "jellyfin.png";
href = "http://localhost:8096";
description = "Media Server";
widget = {
type = "jellyfin";
url = "http://localhost:8096";
key = "{{HOMEPAGE_VAR_JELLYFIN_API_KEY}}";
enableBlocks = true;
enableNowPlaying = true;
};
};
}
{
"Jellyseerr" = {
icon = "jellyseerr.png";
href = "http://localhost:5055";
description = "Media Requests";
widget = {
type = "jellyseerr";
url = "http://localhost:5055";
key = "{{HOMEPAGE_VAR_JELLYSEERR_API_KEY}}";
};
};
}
];
}
{
"Automation" = [
{
"Sonarr" = {
icon = "sonarr.png";
href = "http://localhost:8989";
description = "TV Series";
widget = {
type = "sonarr";
url = "http://localhost:8989";
key = "{{HOMEPAGE_VAR_SONARR_API_KEY}}";
enableQueue = true;
};
};
}
{
"Radarr" = {
icon = "radarr.png";
href = "http://localhost:7878";
description = "Movies";
widget = {
type = "radarr";
url = "http://localhost:7878";
key = "{{HOMEPAGE_VAR_RADARR_API_KEY}}";
enableQueue = true;
};
};
}
{
"Prowlarr" = {
icon = "prowlarr.png";
href = "http://localhost:9696";
description = "Indexer Manager";
widget = {
type = "prowlarr";
url = "http://localhost:9696";
key = "{{HOMEPAGE_VAR_PROWLARR_API_KEY}}";
};
};
}
];
}
{
"Downloads" = [
{
"qBittorrent" = {
icon = "qbittorrent.png";
href = "http://localhost:8080";
description = "Torrent Client";
widget = {
type = "qbittorrent";
url = "http://localhost:8080";
username = "{{HOMEPAGE_VAR_QBITTORRENT_USERNAME}}";
password = "{{HOMEPAGE_VAR_QBITTORRENT_PASSWORD}}";
};
};
}
];
}
];
bookmarks = [
{
"Dev" = [
{
"GitHub" = [
{
abbr = "GH";
href = "https://github.com";
}
];
}
{
"NixOS Search" = [
{
abbr = "NO";
href = "https://search.nixos.org";
}
];
}
{
"Home Manager" = [
{
abbr = "HM";
href = "https://nix-community.github.io/home-manager/options.xhtml";
}
];
}
];
}
{
"Media" = [
{
"Trakt" = [
{
abbr = "TR";
href = "https://trakt.tv";
}
];
}
{
"IMDb" = [
{
abbr = "IM";
href = "https://imdb.com";
}
];
}
];
}
];
widgets = [
{
resources = {
cpu = true;
disk = "/";
memory = true;
uptime = true;
};
}
{
search = {
provider = "duckduckgo";
target = "_blank";
};
}
{
datetime = {
text_size = "xl";
format = {
dateStyle = "long";
timeStyle = "short";
hour12 = false;
};
};
}
{
openmeteo = {
label = "Berlin";
latitude = 52.52;
longitude = 13.405;
units = "metric";
cache = 5;
};
}
];
};
# SOPS Secrets for Homepage
sops.templates."homepage.env" = {
content = ''
HOMEPAGE_VAR_JELLYFIN_API_KEY=
HOMEPAGE_VAR_JELLYSEERR_API_KEY=
HOMEPAGE_VAR_SONARR_API_KEY=${config.sops.placeholder.sonarr_api_key}
HOMEPAGE_VAR_RADARR_API_KEY=${config.sops.placeholder.radarr_api_key}
HOMEPAGE_VAR_PROWLARR_API_KEY=${config.sops.placeholder.prowlarr_api_key}
HOMEPAGE_VAR_QBITTORRENT_USERNAME=
HOMEPAGE_VAR_QBITTORRENT_PASSWORD=
'';
};
# Inject secrets into Homepage service
systemd.services.homepage-dashboard = {
serviceConfig = {
EnvironmentFile = lib.mkForce config.sops.templates."homepage.env".path;
};
};
# OCI Containers for Media Stack
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
# VPN (Gluetun)
# --- VPN Gateway ---
vpn = { vpn = {
image = "docker.io/qmcgaw/gluetun"; image = "docker.io/qmcgaw/gluetun";
# The VPN manages the ports for the attached containers
ports = [ ports = [
"8080:8080" # qBittorrent WebUI "8080:8080" # qBittorrent WebUI
"36630:36630" # Torrent Port TCP "36630:36630" # Torrent Port TCP
"36630:36630/udp" # Torrent Port UDP "36630:36630/udp"
"9696:9696" # Prowlarr
"8191:8191" # Flaresolverr
]; ];
environmentFiles = [ config.sops.templates."gluetun.env".path ]; environmentFiles = [ config.sops.templates."gluetun.env".path ];
environment = { environment = {
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
DOT = "off"; DOT = "off"; # DNS over TLS off (optional)
# DNS_ADDRESS = "1.1.1.1"; FIREWALL_OUTBOUND_SUBNETS = "10.89.0.0/24"; # Allow access to local docker network
WIREGUARD_MTU = "1420";
# Allow access to local Podman network (for Prowlarr/Jellyseerr)
FIREWALL_OUTBOUND_SUBNETS = "10.88.0.0/16";
}; };
extraOptions = [ extraOptions = [
"--cap-add=NET_ADMIN" "--cap-add=NET_ADMIN"
"--cap-add=NET_RAW" "--cap-add=NET_RAW"
"--device=/dev/net/tun:/dev/net/tun" "--device=/dev/net/tun:/dev/net/tun"
"--network=media" # Join the shared media network "--network=media" # It joins the bridge so others can talk to it
"--network-alias=prowlarr" # Allow other containers to reach Prowlarr via VPN
"--network-alias=flaresolverr" # Allow other containers to reach Flaresolverr via VPN
"--add-host=sonarr:10.89.0.50" # Allow Prowlarr to reach Sonarr
"--add-host=radarr:10.89.0.51" # Allow Prowlarr to reach Radarr
]; ];
}; };
# qBittorrent (Networked via VPN) # --- Torrent Client (Routed via VPN) ---
torrent = { torrent = {
image = "lscr.io/linuxserver/qbittorrent:latest"; image = "lscr.io/linuxserver/qbittorrent:latest";
# VITAL: Reuse the VPN container's network stack
extraOptions = [ "--network=container:vpn" ]; extraOptions = [ "--network=container:vpn" ];
dependsOn = [ "vpn" ]; dependsOn = [ "vpn" ];
environment = { environment = commonEnv // {
PUID = "1000"; # ashie
PGID = "100"; # users
TZ = "Europe/Berlin";
WEBUI_PORT = "8080"; WEBUI_PORT = "8080";
}; };
volumes = [ volumes = [
@ -301,97 +76,80 @@
]; ];
}; };
# Flaresolverr (Direct connection) # --- The Arr Stack ---
flaresolverr = {
image = "ghcr.io/flaresolverr/flaresolverr:latest";
extraOptions = [ "--network=media" ];
ports = [ "8191:8191" ];
environment = {
TZ = "Europe/Berlin";
};
};
# Prowlarr (Direct connection)
prowlarr = { prowlarr = {
image = "lscr.io/linuxserver/prowlarr:latest"; image = "lscr.io/linuxserver/prowlarr:latest";
extraOptions = [ "--network=media" ]; extraOptions = [
ports = [ "9696:9696" ]; "--network=container:vpn"
environment = {
PUID = "1000";
PGID = "100";
TZ = "Europe/Berlin";
};
volumes = [
"/var/lib/nixarr/prowlarr:/config"
]; ];
dependsOn = [ "vpn" ];
environment = commonEnv;
volumes = [ "/var/lib/nixarr/prowlarr:/config" ];
}; };
# Sonarr (Direct connection)
sonarr = { sonarr = {
image = "lscr.io/linuxserver/sonarr:latest"; image = "lscr.io/linuxserver/sonarr:latest";
extraOptions = [ "--network=media" ]; extraOptions = [
"--network=media"
"--ip=10.89.0.50"
];
ports = [ "8989:8989" ]; ports = [ "8989:8989" ];
environment = { environment = commonEnv;
PUID = "1000";
PGID = "100";
TZ = "Europe/Berlin";
};
volumes = [ volumes = [
"/var/lib/nixarr/sonarr:/config" "/var/lib/nixarr/sonarr:/config"
"/data:/data" "/data:/data"
]; ];
}; };
# Radarr (Direct connection)
radarr = { radarr = {
image = "lscr.io/linuxserver/radarr:latest"; image = "lscr.io/linuxserver/radarr:latest";
extraOptions = [ "--network=media" ]; extraOptions = [
"--network=media"
"--ip=10.89.0.51"
];
ports = [ "7878:7878" ]; ports = [ "7878:7878" ];
environment = { environment = commonEnv;
PUID = "1000";
PGID = "100";
TZ = "Europe/Berlin";
};
volumes = [ volumes = [
"/var/lib/nixarr/radarr:/config" "/var/lib/nixarr/radarr:/config"
"/data:/data" "/data:/data"
]; ];
}; };
# Jellyfin (Direct connection) # --- Media Server ---
jellyfin = { jellyfin = {
image = "lscr.io/linuxserver/jellyfin:latest"; image = "lscr.io/linuxserver/jellyfin:latest";
extraOptions = [ "--network=media" ]; extraOptions = [
"--network=media"
"--device=/dev/dri:/dev/dri"
];
ports = [ "8096:8096" ]; ports = [ "8096:8096" ];
environment = { environment = commonEnv;
PUID = "1000";
PGID = "100";
TZ = "Europe/Berlin";
};
volumes = [ volumes = [
"/var/lib/nixarr/jellyfin:/config" "/var/lib/nixarr/jellyfin:/config"
"/data:/data" "/data:/data"
]; ];
}; };
# Jellyseerr (Direct connection)
jellyseerr = { jellyseerr = {
image = "ghcr.io/fallenbagel/jellyseerr:latest"; image = "ghcr.io/fallenbagel/jellyseerr:latest";
extraOptions = [ "--network=media" ]; extraOptions = [ "--network=media" ];
ports = [ "5055:5055" ]; ports = [ "5055:5055" ];
environment = commonEnv;
volumes = [ "/var/lib/nixarr/jellyseerr:/app/config" ];
};
flaresolverr = {
image = "ghcr.io/flaresolverr/flaresolverr:latest";
extraOptions = [ "--network=container:vpn" ];
dependsOn = [ "vpn" ];
environment = { environment = {
PUID = "1000";
PGID = "100";
TZ = "Europe/Berlin"; TZ = "Europe/Berlin";
}; };
volumes = [ };
"/var/lib/nixarr/jellyseerr:/app/config"
];
}; };
}; # 3. Network Setup (Fixed)
# Ensure the network is created before ANY container starts
# Define the dedicated media network
systemd.services.create-media-network = { systemd.services.create-media-network = {
script = '' script = ''
${pkgs.podman}/bin/podman network exists media || ${pkgs.podman}/bin/podman network create media ${pkgs.podman}/bin/podman network exists media || ${pkgs.podman}/bin/podman network create media
@ -400,113 +158,44 @@
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
User = "ashie"; # Removed 'User = ashie' -> Networks created by root are visible to root services
}; };
}; };
# Ensure the /data directory exists (Nixarr uses it) # Ensure containers wait for the network
systemd.services."podman-vpn".requires = [ "create-media-network.service" ];
systemd.services."podman-vpn".after = [ "create-media-network.service" ];
# (Repeat for others if they don't depend on VPN, but usually unnecessary if they all join 'media')
# 4. Permissions
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
# Data directory: owned by ashie:media so both qBittorrent (ashie) and others can access "d /data 0775 ${user} media - -"
"d /data 0775 ashie media - -" "d /var/lib/nixarr/prowlarr 0755 ${user} ${group} - -"
"d /var/lib/nixarr/sonarr 0755 ${user} ${group} - -"
# Ensure config directories exist with correct permissions "d /var/lib/nixarr/radarr 0755 ${user} ${group} - -"
"d /var/lib/nixarr/prowlarr 0755 ashie users - -" "d /var/lib/nixarr/jellyfin 0755 ${user} ${group} - -"
"d /var/lib/nixarr/sonarr 0755 ashie users - -" "d /var/lib/nixarr/jellyseerr 0755 ${user} ${group} - -"
"d /var/lib/nixarr/radarr 0755 ashie users - -" "d /var/lib/qbittorrent 0755 ${user} ${group} - -"
"d /var/lib/nixarr/jellyfin 0755 ashie users - -"
"d /var/lib/nixarr/jellyseerr 0755 ashie users - -"
# qBittorrent directory
"d /var/lib/qbittorrent 0755 ashie users - -"
]; ];
# Add ashie to media group to ensure access to /data users.users.${user}.extraGroups = [ "media" ];
users.users.ashie.extraGroups = [ "media" ];
# Firewall rules # 5. Firewall
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 # HTTP 80
443 # HTTPS 443
9696 # Prowlarr 9696
8989 # Sonarr 8989
7878 # Radarr 7878
8096 # Jellyfin 8096
5055 # Jellyseerr 5055
8080 # qBittorrent WebUI 8080
36630 # Torrent 36630
8082
8082 # Homepage 8191
]; ];
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [
36630 36630
443 443
]; ];
# Rootless Container Overrides
# Force these containers to run as user 'ashie'
systemd.services."podman-vpn".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-vpn".environment = {
HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000";
};
systemd.services."podman-vpn".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-vpn".serviceConfig.Delegate = true;
systemd.services."podman-torrent".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-torrent".environment = {
HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000";
};
systemd.services."podman-torrent".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-torrent".serviceConfig.Delegate = true;
systemd.services."podman-flaresolverr".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-flaresolverr".environment = {
HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000";
};
systemd.services."podman-flaresolverr".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-flaresolverr".serviceConfig.Delegate = true;
systemd.services."podman-prowlarr".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-prowlarr".environment = {
HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000";
};
systemd.services."podman-prowlarr".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-prowlarr".serviceConfig.Delegate = true;
systemd.services."podman-sonarr".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-sonarr".environment = {
HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000";
};
systemd.services."podman-sonarr".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-sonarr".serviceConfig.Delegate = true;
systemd.services."podman-radarr".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-radarr".environment = {
HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000";
};
systemd.services."podman-radarr".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-radarr".serviceConfig.Delegate = true;
systemd.services."podman-jellyfin".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-jellyfin".environment = {
HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000";
};
systemd.services."podman-jellyfin".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-jellyfin".serviceConfig.Delegate = true;
systemd.services."podman-jellyseerr".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-jellyseerr".environment = {
HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000";
};
systemd.services."podman-jellyseerr".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-jellyseerr".serviceConfig.Delegate = true;
} }
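Review bot: The new side publishes Flaresolverr (8191), Prowlarr (9696) and the qBittorrent WebUI (8080) on the `vpn` container's `ports` without a host address and then opens the same ports in `networking.firewall.allowedTCPPorts`, so they are reachable from every interface; Flaresolverr has no authentication at all, and 8989/7878/8096/5055 on the other containers are exposed the same way. The searxng module in this same commit already uses the safer form (`127.0.0.1:${toString cfg.port}:8080`), so unless LAN access is intended these should become `"127.0.0.1:8080:8080"`, `"127.0.0.1:9696:9696"`, `"127.0.0.1:8191:8191"` (and the same for the other containers), with the matching entries dropped from the firewall list and the nginx proxy on 80/443 fronting them. Dropping the per-service `User = lib.mkForce "ashie"` overrides and the `User` on `create-media-network` (per the comment on that line) moves the whole stack from rootless to rootful podman, with `NET_ADMIN`/`NET_RAW` and the `/data:/data` mounts now under root; if that is deliberate it deserves a comment next to `oci-containers.backend`. `FIREWALL_OUTBOUND_SUBNETS = "10.89.0.0/24"` and the static `--ip=10.89.0.50/51` assume the `media` network's subnet, but `podman network create media` does not pin one, so consider `podman network create --subnet 10.89.0.0/24 media` so the addresses and the gluetun egress rule cannot drift apart.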


@ -40,8 +40,8 @@ in
recommendedTlsSettings = true; recommendedTlsSettings = true;
# SSL Hardening # SSL Hardening
sslProtocols = "TLSv1.2 TLSv1.3"; # sslProtocols = "TLSv1.2 TLSv1.3";
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; # sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# Use the wildcard cert by default for these domains # Use the wildcard cert by default for these domains
commonHttpConfig = '' commonHttpConfig = ''
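Review bot: Commenting out `sslProtocols` and `sslCiphers` silently changes the TLS policy to whatever `recommendedTlsSettings = true` supplies, and the explicit `TLSv1.2 TLSv1.3` line was the only visible guarantee here that TLS 1.0/1.1 stay disabled; the nixpkgs recommended settings are, as far as I recall, TLS 1.2/1.3 with a modern cipher list, but that is inferred rather than visible in this hunk. If relying on the module defaults is the intent, delete the two dead lines rather than leaving them commented and record the decision, e.g. `# Protocols/ciphers come from recommendedTlsSettings (TLS 1.2/1.3 only); override here if that changes`. Verify the served protocol set after deploy (for example `openssl s_client -tls1_1 -connect host:443` should fail) instead of assuming it.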


@ -215,32 +215,59 @@ in
default = "search.ashisgreat.xyz"; default = "search.ashisgreat.xyz";
description = "Public domain name for SearXNG"; description = "Public domain name for SearXNG";
}; };
donations = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = { };
description = "Map of donation platform names to URLs (e.g. { patreon = '...'; })";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# Ensure Podman is enabled # Ensure Podman is enabled
myModules.podman.enable = true; myModules.podman.enable = true;
# 1. Redis Container (Cache/Limiter) # ... (rest of config) ...
virtualisation.oci-containers.containers."searxng-redis" = {
image = "docker.io/library/redis:alpine"; # 1. Create Bridge Network
systemd.services."create-searxng-network" = {
serviceConfig.Type = "oneshot";
serviceConfig.User = "ashie";
serviceConfig.RemainAfterExit = true;
after = [ "user-runtime-dir@1000.service" ];
requires = [ "user-runtime-dir@1000.service" ];
path = [ pkgs.podman ];
script = ''
export XDG_RUNTIME_DIR="/run/user/1000"
export HOME="/home/ashie"
podman network create searxng-net --ignore
'';
};
# 2. Valkey Container (Cache/Limiter)
virtualisation.oci-containers.containers."searxng-valkey" = {
image = "docker.io/valkey/valkey:alpine";
cmd = [ cmd = [
"redis-server" "valkey-server"
"--save" "--save"
"" ""
"--appendonly" "--appendonly"
"no" "no"
]; # Ephemeral cache, no persistence needed ]; # Ephemeral cache, no persistence needed
ports = [ "127.0.0.1:6379:6379" ]; extraOptions = [
"--network=searxng-net"
"--network-alias=valkey"
];
# No ports published to host for security
}; };
# 2. SearXNG Container # 3. SearXNG Container
virtualisation.oci-containers.containers."searxng" = { virtualisation.oci-containers.containers."searxng" = {
image = "ghcr.io/searxng/searxng:latest"; image = "ghcr.io/searxng/searxng:latest";
ports = [ "127.0.0.1:${toString cfg.port}:8080" ]; ports = [ "127.0.0.1:${toString cfg.port}:8080" ];
environment = { environment = {
"SEARXNG_BASE_URL" = "https://${cfg.domain}"; "SEARXNG_BASE_URL" = "https://${cfg.domain}";
"SEARXNG_REDIS_URL" = "redis://searxng-redis:6379"; # Talk to Redis directly via container DNS "SEARXNG_REDIS_URL" = "valkey://valkey:6379"; # Talk to Valkey via alias
"SEARXNG_URL_BASE" = "https://${cfg.domain}"; "SEARXNG_URL_BASE" = "https://${cfg.domain}";
}; };
environmentFiles = [ environmentFiles = [
@ -248,35 +275,41 @@ in
config.sops.templates."searxng.env".path config.sops.templates."searxng.env".path
]; ];
extraOptions = [ extraOptions = [
"--network=searxng-net"
"--cap-drop=ALL" "--cap-drop=ALL"
"--cap-add=CHOWN" "--cap-add=CHOWN"
"--cap-add=SETGID" "--cap-add=SETGID"
"--cap-add=SETUID" "--cap-add=SETUID"
"--cap-add=DAC_OVERRIDE" "--cap-add=DAC_OVERRIDE"
"--add-host=host.containers.internal:host-gateway"
]; ];
volumes = [ volumes = [
"${config.sops.templates."searxng_settings.yml".path}:/etc/searxng/settings.yml:ro" "${config.sops.templates."searxng_settings.yml".path}:/etc/searxng/settings.yml:ro"
"${catppuccinCss}:/etc/searxng/custom.css:ro" "${catppuccinCss}:/etc/searxng/custom.css:ro"
]; ];
dependsOn = [ "searxng-valkey" ];
}; };
# 3. Secrets Configuration sops.templates."searxng.env" = {
# We generate the settings.yml dynamically using sops templates to inject secrets if needed, owner = "ashie";
# or just to manage the config declaratively. content = ''
sops.templates."searxng.env".content = ''
SEARXNG_SECRET_KEY=${config.sops.placeholder.searxng_secret_key} SEARXNG_SECRET_KEY=${config.sops.placeholder.searxng_secret_key}
''; '';
};
sops.templates."searxng_settings.yml".content = '' sops.templates."searxng_settings.yml" = {
owner = "ashie";
content = ''
use_default_settings: true use_default_settings: true
general: general:
debug: false debug: false
instance_name: "Ashie Search" instance_name: "Ashie Search"
donation_url: ${if cfg.donations ? "Monero" then "\"${cfg.donations.Monero}\"" else "false"}
donations: donations:
patreon: false ${lib.concatStringsSep "\n " (
buymeacoffee: false lib.mapAttrsToList (name: url: "${name}: \"${url}\"") cfg.donations
)}
search: search:
safe_search: 0 safe_search: 0
@ -300,8 +333,9 @@ in
simple_style: "auto" simple_style: "auto"
redis: redis:
url: redis://searxng-redis:6379/0 url: valkey://valkey:6379/0
''; '';
};
# Placeholder secret definition (User must add this to secrets.yaml!) # Placeholder secret definition (User must add this to secrets.yaml!)
sops.secrets.searxng_secret_key = { }; sops.secrets.searxng_secret_key = { };
@ -314,13 +348,29 @@ in
}; };
systemd.services."podman-searxng".serviceConfig.Type = lib.mkForce "simple"; systemd.services."podman-searxng".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-searxng".serviceConfig.Delegate = true; systemd.services."podman-searxng".serviceConfig.Delegate = true;
systemd.services."podman-searxng".after = [
"create-searxng-network.service"
"user-runtime-dir@1000.service"
];
systemd.services."podman-searxng".requires = [
"create-searxng-network.service"
"user-runtime-dir@1000.service"
];
systemd.services."podman-searxng-redis".serviceConfig.User = lib.mkForce "ashie"; systemd.services."podman-searxng-valkey".serviceConfig.User = lib.mkForce "ashie";
systemd.services."podman-searxng-redis".environment = { systemd.services."podman-searxng-valkey".environment = {
HOME = "/home/ashie"; HOME = "/home/ashie";
XDG_RUNTIME_DIR = "/run/user/1000"; XDG_RUNTIME_DIR = "/run/user/1000";
}; };
systemd.services."podman-searxng-redis".serviceConfig.Type = lib.mkForce "simple"; systemd.services."podman-searxng-valkey".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-searxng-redis".serviceConfig.Delegate = true; systemd.services."podman-searxng-valkey".serviceConfig.Delegate = true;
systemd.services."podman-searxng-valkey".after = [
"create-searxng-network.service"
"user-runtime-dir@1000.service"
];
systemd.services."podman-searxng-valkey".requires = [
"create-searxng-network.service"
"user-runtime-dir@1000.service"
];
}; };
} }
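Review bot: The `donations` values are spliced unescaped into the sops-templated `settings.yml` as `${name}: "${url}"` and `donation_url: "${cfg.donations.Monero}"`, so a URL containing a double quote, backslash or newline breaks or rewrites the YAML; the option is operator-supplied, so this is a robustness problem rather than an exploit path, but it is cheap to close. Use `builtins.toJSON` in both places, since a JSON string is a valid, fully escaped YAML scalar: `lib.mapAttrsToList (name: url: "${name}: ${builtins.toJSON url}") cfg.donations` and `donation_url: ${if cfg.donations ? "Monero" then builtins.toJSON cfg.donations.Monero else "false"}`; the attr names are emitted as bare keys too, so either quote them the same way or constrain them with an assertion. Not publishing Valkey's port and placing both containers on `searxng-net` is an improvement over the old `127.0.0.1:6379` mapping. `--add-host=host.containers.internal:host-gateway` gives the SearXNG container a route back to host services; if nothing in settings.yml uses it, drop it, otherwise add a comment saying which host service it is for.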


@ -0,0 +1,50 @@
{
pkgs,
...
}:
{
programs.gamescope = {
enable = true;
capSysNice = true;
};
services.displayManager.sessionPackages = [
(pkgs.writeTextFile {
name = "steam-gamemode-session";
destination = "/share/wayland-sessions/steam-gamemode.desktop";
text = ''
[Desktop Entry]
Name=Steam GameMode
Comment=Launch Steam in GameMode with Gamescope
Exec=${pkgs.writeShellScript "steam-gamemode-start" ''
# Load system environment
. /etc/profile
# Ensure we are in the user's home directory
cd "$HOME" || exit 1
exec >/tmp/steam-gamemode.log 2>&1
echo "Starting Steam GameMode Session at $(date)"
echo "User: $(whoami)"
echo "PATH: $PATH"
echo "Gamescope path: ${pkgs.gamescope}/bin/gamescope"
# Check for steam binary
if ! command -v steam >/dev/null; then
echo "ERROR: steam command not found in PATH"
exit 1
fi
echo "Launching gamescope..."
exec ${pkgs.gamescope}/bin/gamescope -f -e -- steam -gamepadui
''}
Type=Application
'';
derivationArgs = {
passthru = {
providedSessions = [ "steam-gamemode" ];
};
};
})
];
}
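Review bot: `exec >/tmp/steam-gamemode.log 2>&1` redirects the whole session (including the echoed `PATH` and user name) to a fixed, predictable file in world-writable `/tmp`; on a multi-user host another account can pre-create that path so the session writes into a file they own and can read, and without `protected_symlinks` a symlink there would be followed and truncated. Use the per-user runtime directory with a uid-qualified fallback instead: `exec >"''${XDG_RUNTIME_DIR:-/tmp}/steam-gamemode-$(id -u).log" 2>&1` (the `''$` is required because the script body sits inside a Nix indented string, where a bare `${` would be Nix interpolation), or `mktemp` if a fresh file per launch is preferred. The `cd "$HOME" || exit 1` guard and the explicit `command -v steam` check are good; consider also `set -u` so an unset `HOME` fails loudly rather than expanding to an empty path.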


@ -128,6 +128,7 @@ in
''--talk="org.freedesktop.portal.*"'' ''--talk="org.freedesktop.portal.*"''
''--own="com.valvesoftware.Steam"'' ''--own="com.valvesoftware.Steam"''
''--own="com.valvesoftware.Steam.*"'' ''--own="com.valvesoftware.Steam.*"''
''--own="com.steampowered.PressureVessel.*"''
]; ];
}; };


@ -1,10 +0,0 @@
users:
admin:
displayname: Admin
# Password: password
# Hash generated with: --memory 16384 --iterations 1 --parallelism 1
password: "$argon2id$v=19$m=16384,t=1,p=1$ygXlX9Am6U1CnfvXK/B0Xw$YspmBrCGnq987Z1QYjgSrA+oMkLCks7g8m/jKUtMKEg"
email: admin@ashisgreat.xyz
groups:
- admins
- dev