ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions 1 Packages Projects Releases Wiki Activity

Compare commits

base: ahuston-0:main
Branches Tags
ahuston-0:main ahuston-0:update-flake-lock ahuston-0:feature/mvpf ahuston-0:feature/stoneblock ahuston-0:feature/add-jessica ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/add-unpackerr ahuston-0:feature/onboarding-kubernetes
..
compare: ahuston-0:b4ba19f4883f8a613022ae4213e2e403f3251905
Branches Tags
ahuston-0:update-flake-lock ahuston-0:main ahuston-0:feature/mvpf ahuston-0:feature/stoneblock ahuston-0:feature/add-jessica ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/add-unpackerr ahuston-0:feature/onboarding-kubernetes

1 Commits
main ... b4ba19f488

Author SHA1 Message Date
github-actions[bot]
b4ba19f488 automated: Update flake.lock
All checks were successful
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 8s
Details
Check Nix flake / Perform Nix flake checks (pull_request) Successful in 2m20s
Details 
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].

[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
 2026-04-14 12:09:10 +00:00
13 changed files with 108 additions and 579 deletions
Expand all files Collapse all files

18
.github/instructions/ai-doc-attribution.instructions.md vendored
View File

@@ -1,18 +0,0 @@
---
description: "Use when writing or updating documentation (Markdown, README, docs pages, guides). Require explicit top-of-document labeling when a document is fully AI-generated."
name: "AI Documentation Attribution"
applyTo: "**/*.md"
---
# AI Documentation Attribution
- When documentation is fully AI-generated, include an explicit attribution note.
- The attribution must be visible in the document body and easy to find by readers.
- Acceptable labels include one of:
1. "AI-generated documentation"
- Place the attribution at the top of the document by default.
- If only parts are AI-assisted, attribution is optional unless you want to disclose assistance.
- Do not imply fully human authorship for content produced by AI.
Example attribution lines:
- `> Note: This document was AI-generated and reviewed by a maintainer.`

11
.vscode/mcp.json vendored
View File

@@ -1 +1,10 @@
{} {
"servers": {
"nixos": {
"command": "uvx",
"args": [
"mcp-nixos"
]
}
}
}

2
README.md
View File

@@ -10,8 +10,6 @@ This repo supports `x86_64-linux` and (theorically) `aarch64-linux`.
Please see [our setup guide](./docs/setting-up.md) for more information on how Please see [our setup guide](./docs/setting-up.md) for more information on how
to onboard a new user or system. to onboard a new user or system.
For the media request stack on palatine-hill, see [the media stack guide](./docs/media-stack.md).
## For Those Interested ## For Those Interested
Although we are not actively looking for new members to join in on this repo, Although we are not actively looking for new members to join in on this repo,

422
docs/media-stack.md
View File

@@ -1,422 +0,0 @@
# Media Request Stack Setup
> Note: This is AI-generated documentation and was reviewed by a maintainer.
This page documents the setup needed to make media requests flow from Jellyseerr to the Starr apps to qBittorrent and finally into a Jellyfin library.
It is based on the services defined for palatine-hill in:
- `systems/palatine-hill/docker/arr.nix`
- `systems/palatine-hill/docker/torr.nix`
- `systems/palatine-hill/postgresql.nix`
- `systems/palatine-hill/vars.nix`
The guidance here follows the same hardlink principles used by TRaSH Guides: keep downloads and library folders separate, but make sure they live on the same filesystem and appear under the same container path.
## What Exists In This Repo
The media-request side currently defines these containers on palatine-hill:
- Jellyseerr on port `5055`
- Prowlarr on port `9696`
- Radarr on port `7878`
- Sonarr on port `8989`
- Lidarr on port `8686`
- Bazarr on port `6767`
- qBittorrent variants in `docker/torr.nix`
Related supporting details:
- The Starr apps and qBittorrent both mount `/data` from `vars.primary_torr`.
- PostgreSQL is enabled locally and used by the arr stack.
Two caveats matter before expecting the flow to work:
1. Jellyfin is not currently defined on palatine-hill in this repo, so this guide treats Jellyfin as the destination media server you will point at the finished library.
2. qBittorrent is using host-exposed or gluetun-attached networking rather than `arrnet`, so the Starr apps should connect to qBittorrent through the host and published port.
## Required Hardlink Layout
For hardlinks and atomic moves to work reliably, these rules need to be true:
- qBittorrent and the Starr apps must see the same underlying host filesystem and the same ZFS dataset.
- qBittorrent and the Starr apps should use the same in-container prefix, ideally `/data`.
- Downloads and the final library must be separate directories.
- Jellyfin should only read the final media library, not the download directories.
For ZFS specifically, sibling child datasets in the same pool are not enough. Hardlinks do not cross dataset boundaries, so `/data/torrents` and `/data/media` must be directories inside the same dataset.
Recommended logical layout inside containers:
```text
/data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
└── media
├── movies
├── music
└── tv
```
This repo draft uses one shared host root from `vars.primary_torr` and mounts that as `/data` for qBittorrent, Radarr, Sonarr, Lidarr, Bazarr, Unpackerr, and Notifiarr.
### What Matters
The exact host path is less important than this invariant:
```text
same host filesystem + same container path prefix + separate downloads/media folders
```
If you split torrents and media across different datasets, imports may still be made to work with copies or path fixes, but hardlinks and instant moves will not be dependable.
## Suggested Host Layout
Once you choose a shared host root, create a structure like this beneath it:
```text
data/
├── torrents/
│ ├── movies/
│ ├── music/
│ └── tv/
└── media/
├── movies/
├── music/
└── tv/
```
In this repo draft, the shared host root is `vars.primary_torr`, with container mounts set to `"${vars.primary_torr}/data:/data"`.
The matching container paths should then be:
- qBittorrent download root: `/data/torrents`
- Radarr root folder: `/data/media/movies`
- Sonarr root folder: `/data/media/tv`
- Lidarr root folder: `/data/media/music`
- Jellyfin library roots: `/data/media/movies`, `/data/media/tv`, `/data/media/music`
Do not point any Starr app root folder at `/data/torrents`.
## Service Roles
### Jellyseerr
Jellyseerr is the user-facing request layer. It should:
- connect to Jellyfin for users, authentication, and media availability
- connect to Radarr for movies
- connect to Sonarr for series
Jellyseerr does not talk directly to qBittorrent for normal request flow.
### Prowlarr Values
Prowlarr should be the single source of indexers. Configure indexers there, then sync them to:
- Radarr
- Sonarr
- Lidarr
This avoids duplicating indexer setup in every Starr app.
### Radarr, Sonarr, Lidarr
These apps should:
- receive requests from Jellyseerr
- search indexers via Prowlarr
- send downloads to qBittorrent
- import completed downloads from `/data/torrents/...` into `/data/media/...`
### qBittorrent
qBittorrent should only download into `/data/torrents/...` and should not write directly into `/data/media/...`.
### Jellyfin
Jellyfin should only read the final library under `/data/media/...`.
## Configuration Order
Set the stack up in this order:
1. Shared path layout
2. qBittorrent
3. Prowlarr
4. Radarr, Sonarr, Lidarr
5. Jellyfin
6. Jellyseerr
7. Bazarr
That order keeps each layer pointing at services that already exist.
## qBittorrent Setup
The repo defines these Web UI ports:
- `8082` for `qbit`
- `8081` for `qbitVPN`
- `8083` for `qbitPerm`
Choose one instance for the Starr apps to use and keep that consistent.
Recommended qBittorrent settings:
- Default save path: `/data/torrents`
- Category mode: enabled
- Automatic torrent management: enabled
- Incomplete directory: optional, but avoid a different filesystem if you want cheap moves
- Listening port: use the instance-specific torrent port if applicable
Recommended categories:
- `radarr` -> `/data/torrents/movies`
- `sonarr` -> `/data/torrents/tv`
- `lidarr` -> `/data/torrents/music`
This matches the TRaSH pattern and keeps imports predictable.
## Prowlarr Setup
In Prowlarr:
1. Add your indexers.
2. Add app connections for Radarr, Sonarr, and Lidarr.
3. Sync indexers from Prowlarr into each Starr app.
Use the container hostnames from the repo when apps share the `arrnet` network:
- `http://radarr:7878`
- `http://sonarr:8989`
- `http://lidarr:8686`
If you are configuring through host-exposed ports in a browser from outside Docker, use the server host and published ports instead.
## Radarr Setup
In Radarr:
1. Add a root folder: `/data/media/movies`
2. Add qBittorrent as the download client
3. Set the category to `radarr`
4. Prefer completed download handling on
5. Do not use a movie root inside the downloads tree
For qBittorrent, use the chosen instance endpoint.
Examples:
- preferred for this repo draft: `http://<server>:8082`
- VPN-backed alternative if you intentionally use that instance: `http://<server>:8081`
The important part is that the path qBittorrent writes must still be visible to Radarr as `/data/torrents/movies`.
## Sonarr Setup
In Sonarr:
1. Add a root folder: `/data/media/tv`
2. Add qBittorrent as the download client
3. Set the category to `sonarr`
4. Enable completed download handling
Keep the same shared-path rule: Sonarr must be able to see qBittorrent output directly at `/data/torrents/tv`.
## Lidarr Setup
In Lidarr:
1. Add a root folder: `/data/media/music`
2. Add qBittorrent as the download client
3. Set the category to `lidarr`
4. Enable completed download handling
## Jellyfin Setup
Jellyfin should be pointed only at the final library paths:
- Movies: `/data/media/movies`
- TV: `/data/media/tv`
- Music: `/data/media/music`
Do not add `/data/torrents` as a Jellyfin library.
If Jellyfin runs in Docker, mount only the media sub-tree if you want a tighter boundary:
- `host-shared-root/media:/data/media`
If Jellyfin runs directly on the host, point it at the equivalent host paths.
## Jellyseerr Setup
Jellyseerr in this repo runs on port `5055` and joins both `arrnet` and `haproxy-net`.
Configure it with:
1. Jellyfin server URL
2. Jellyfin API key
3. Radarr server URL and API key
4. Sonarr server URL and API key
Suggested internal URLs when services share `arrnet`:
- Radarr: `http://radarr:7878`
- Sonarr: `http://sonarr:8989`
Jellyseerr request defaults should map:
- Movies -> Radarr root `/data/media/movies`
- Series -> Sonarr root `/data/media/tv`
After that, user flow is:
1. User requests media in Jellyseerr
2. Jellyseerr hands the request to Radarr or Sonarr
3. The Starr app searches via Prowlarr indexers
4. The Starr app sends the download to qBittorrent with its category
5. qBittorrent writes into `/data/torrents/...`
6. The Starr app imports into `/data/media/...`
7. Jellyfin scans or detects the new item in the final library
## Bazarr Setup
Bazarr is optional for the request-to-library path, but it fits after Radarr and Sonarr are stable.
Point Bazarr at:
- Radarr
- Sonarr
- the final media library visible under `/data/media`
It does not need the download tree for ordinary subtitle management.
## Remote Path Mappings
If you align the mounts properly, you should not need remote path mappings.
That is the preferred setup.
Only use remote path mappings if the downloader and the importing app see different absolute paths for the same files.
In a Docker-only setup with shared `/data`, that is a sign the mounts are wrong rather than a feature you should rely on.
## ZFS Notes
For a hardlink-safe media layout on ZFS:
- Keep `/data/torrents` and `/data/media` in the same dataset.
- Do not split them into separate child datasets if you want hardlinks.
- It is fine to keep qBittorrent config, Jellyfin metadata, and other appdata in separate datasets because those do not need hardlinks with payload files.
For `ZFS-primary/torr`, a better baseline for bulk media than a small-record, high-compression profile is:
- `recordsize=1M`
- `compression=zstd-3` or `lz4`
- `sync=standard`
- `logbias=throughput`
- `primarycache=metadata`
- `dnodesize=auto`
These are new-write behavior settings. `recordsize` only affects newly written data.
## Repo-Specific Notes
- Arr containers use `PUID=600` and `PGID=100`.
- qBittorrent containers also use `PUID=600` and `PGID=100`.
- The arr stack uses the local PostgreSQL service via `/var/run/postgresql`.
- `jellyseerr` stores config under `${vars.primary_docker}/overseerr` even though the container is Jellyseerr.
- The hardlink draft in this repo chooses `vars.primary_torr` as the shared `/data` root.
- `systems/palatine-hill/docker/default.nix` imports `torr.nix`, so the downloader stack is part of the host configuration.
## Deployment Checklist (Exact Values)
Use this checklist when configuring the stack so every app matches the current draft.
### Shared Paths
- Shared container path for arr + downloader: `/data`
- Download root: `/data/torrents`
- Media roots:
- Movies: `/data/media/movies`
- TV: `/data/media/tv`
- Music: `/data/media/music`
### qBittorrent (Primary Instance)
- Web UI URL for Starr apps: `http://<server>:8082`
- Web UI port: `8082`
- Torrent port: `29432` (TCP/UDP)
- Default save path: `/data/torrents`
- Category save-path mode: enabled
- Automatic torrent management: enabled
Category paths:
- `radarr` -> `/data/torrents/movies`
- `sonarr` -> `/data/torrents/tv`
- `lidarr` -> `/data/torrents/music`
### Radarr
- URL: `http://radarr:7878` (inside arr network)
- Root folder: `/data/media/movies`
- Download client: qBittorrent at `http://<server>:8082`
- qBittorrent category: `radarr`
- Completed download handling: enabled
### Sonarr
- URL: `http://sonarr:8989` (inside arr network)
- Root folder: `/data/media/tv`
- Download client: qBittorrent at `http://<server>:8082`
- qBittorrent category: `sonarr`
- Completed download handling: enabled
### Lidarr
- URL: `http://lidarr:8686` (inside arr network)
- Root folder: `/data/media/music`
- Download client: qBittorrent at `http://<server>:8082`
- qBittorrent category: `lidarr`
- Completed download handling: enabled
### Prowlarr
- URL: `http://prowlarr:9696` (inside arr network)
- App sync targets:
- `http://radarr:7878`
- `http://sonarr:8989`
- `http://lidarr:8686`
### Jellyseerr Values
- URL: `http://jellyseerr:5055` (internal) or via your reverse proxy externally
- Radarr target: `http://radarr:7878`
- Sonarr target: `http://sonarr:8989`
- Request defaults:
- Movies root: `/data/media/movies`
- Series root: `/data/media/tv`
### Jellyfin Values
- Library roots only:
- `/data/media/movies`
- `/data/media/tv`
- `/data/media/music`
- Do not add `/data/torrents` as a library.
## Validation Checklist
Use this after setup:
1. qBittorrent can create files in `/data/torrents/movies`, `/data/torrents/tv`, and `/data/torrents/music`.
2. Radarr, Sonarr, and Lidarr can browse both `/data/torrents/...` and `/data/media/...`.
3. A test download lands in the expected category folder.
4. The corresponding Starr app imports the item into `/data/media/...` without copy-delete behavior.
5. Jellyfin can see the imported file in the final library.
6. Jellyseerr shows the item as available after import and scan.
If imports fail or hardlinks do not work, check the mount design before changing app logic.

36
flake.lock generated
View File

@@ -76,11 +76,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1776398575, "lastModified": 1776139376,
"narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=", "narHash": "sha256-rBykvCL5GRT6VmiY39XnxAR10cohBsLeAENP0+3JM/0=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30", "rev": "ccfaa2303117e22752bda4e1a1bb07d17f38ea2d",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@@ -240,11 +240,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776454077, "lastModified": 1776136611,
"narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=", "narHash": "sha256-b2pu3Pb28W0bJzQVP3OJHZC5+dgOOeqjlli2WVakKEU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "565e5349208fe7d0831ef959103c9bafbeac0681", "rev": "8a423e444b17dde406097328604a64fc7429e34e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -281,11 +281,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776426061, "lastModified": 1774778246,
"narHash": "sha256-3rROoGl8xBsIOM+5m+qZS4GJnsdQPAH3NJJe1OUfJ5o=", "narHash": "sha256-OX9Oba3/cHq1jMS1/ItCdxNuRBH3291Lg727nHOzYnc=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "1f71628d86a7701fd5ba0f8aeabe15376f4c6afc", "rev": "ca3c381df6018e6c400ceac994066427c98fe323",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -500,11 +500,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1776169885, "lastModified": 1775710090,
"narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=", "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9", "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -594,11 +594,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776395632, "lastModified": 1776136407,
"narHash": "sha256-Mi1uF5f2FsdBIvy+v7MtsqxD3Xjhd0ARJdwoqqqPtJo=", "narHash": "sha256-Cp8XrVLGruSDBTRs8L4LmvaEcd76tHHU9esLk7Ysa4E=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "8087ff1f47fff983a1fba70fa88b759f2fd8ae97", "rev": "753568957a87312ed599cba5699e67126eded6c0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -647,11 +647,11 @@
"tinted-zed": "tinted-zed" "tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1776170745, "lastModified": 1776128773,
"narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=", "narHash": "sha256-aV7fNAdum23uirlIEgRNq+Tz0bn0+asbYqaA/pCV8No=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9", "rev": "43e20cee100e5578eb8e709bec960e26ce653adf",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
modules/update.nix
View File

@@ -13,7 +13,6 @@
enable = lib.mkDefault true; enable = lib.mkDefault true;
flags = [ "--accept-flake-config" ]; flags = [ "--accept-flake-config" ];
randomizedDelaySec = "1h"; randomizedDelaySec = "1h";
runGarbageCollection = true;
persistent = true; persistent = true;
flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git"; flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
}; };

3
systems/palatine-hill/configuration.nix
View File

@@ -34,7 +34,8 @@
loader.grub.device = "/dev/sda"; loader.grub.device = "/dev/sda";
useSystemdBoot = true; useSystemdBoot = true;
kernelParams = [ kernelParams = [
"xe.force_probe=56a5" "i915.force_probe=56a5"
"i915.enable_guc=2"
]; ];
kernel.sysctl = { kernel.sysctl = {
"vm.overcommit_memory" = lib.mkForce 1; "vm.overcommit_memory" = lib.mkForce 1;

13
systems/palatine-hill/docker/arr.nix
View File

@@ -5,7 +5,6 @@
}: }:
let let
vars = import ../vars.nix; vars = import ../vars.nix;
shared_data_path = "${vars.primary_torr}/data";
arr_postgres_config = arr_postgres_config =
container_type: container_type:
let let
@@ -63,7 +62,7 @@ in
]; ];
volumes = [ volumes = [
"${vars.primary_docker}/bazarr:/config" "${vars.primary_docker}/bazarr:/config"
"${shared_data_path}:/data" "${vars.primary_plex_storage}/data:/data"
"/var/run/postgresql:/var/run/postgresql" "/var/run/postgresql:/var/run/postgresql"
]; ];
extraOptions = [ extraOptions = [
@@ -111,7 +110,7 @@ in
]; ];
volumes = [ volumes = [
"${vars.primary_docker}/radarr:/config" "${vars.primary_docker}/radarr:/config"
"${shared_data_path}:/data" "${vars.primary_plex_storage}/data:/data"
"/var/run/postgresql:/var/run/postgresql" "/var/run/postgresql:/var/run/postgresql"
]; ];
extraOptions = [ extraOptions = [
@@ -135,7 +134,7 @@ in
]; ];
volumes = [ volumes = [
"${vars.primary_docker}/sonarr:/config" "${vars.primary_docker}/sonarr:/config"
"${shared_data_path}:/data" "${vars.primary_plex_storage}/data:/data"
"/var/run/postgresql:/var/run/postgresql" "/var/run/postgresql:/var/run/postgresql"
]; ];
extraOptions = [ extraOptions = [
@@ -159,7 +158,7 @@ in
]; ];
volumes = [ volumes = [
"${vars.primary_docker}/lidarr:/config" "${vars.primary_docker}/lidarr:/config"
"${shared_data_path}:/data" "${vars.primary_plex_storage}/data:/data"
"/var/run/postgresql:/var/run/postgresql" "/var/run/postgresql:/var/run/postgresql"
]; ];
extraOptions = [ extraOptions = [
@@ -177,7 +176,7 @@ in
}; };
volumes = [ volumes = [
"${vars.primary_docker}/unpackerr:/config" "${vars.primary_docker}/unpackerr:/config"
"${shared_data_path}:/data" "${vars.primary_plex_storage}:/data"
"/var/run/postgresql:/var/run/postgresql" "/var/run/postgresql:/var/run/postgresql"
]; ];
extraOptions = [ "--network=arrnet" ]; extraOptions = [ "--network=arrnet" ];
@@ -195,7 +194,7 @@ in
environmentFiles = [ config.sops.secrets."docker/notifiarr".path ]; environmentFiles = [ config.sops.secrets."docker/notifiarr".path ];
volumes = [ volumes = [
"${vars.primary_docker}/notifiarr:/config" "${vars.primary_docker}/notifiarr:/config"
"${shared_data_path}:/data" "${vars.primary_plex_storage}:/data"
"/var/run/postgresql:/var/run/postgresql" "/var/run/postgresql:/var/run/postgresql"
]; ];
extraOptions = [ "--network=arrnet" ]; extraOptions = [ "--network=arrnet" ];

9
systems/palatine-hill/docker/default.nix
View File

@@ -1,4 +1,9 @@
{ ... }: {
config,
lib,
pkgs,
...
}:
{ {
imports = [ imports = [
@@ -15,7 +20,7 @@
./nextcloud.nix ./nextcloud.nix
# ./postgres.nix # ./postgres.nix
# ./restic.nix # ./restic.nix
./torr.nix #./torr.nix
# ./unifi.nix # ./unifi.nix
]; ];

1
systems/palatine-hill/docker/nextcloud.nix
View File

@@ -58,7 +58,6 @@ in
volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ]; volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
extraOptions = [ extraOptions = [
"--device=/dev/dri:/dev/dri" "--device=/dev/dri:/dev/dri"
"--network=nextcloud_default"
]; ];
}; };
collabora-code = { collabora-code = {

1
systems/palatine-hill/mattermost.nix
View File

@@ -15,6 +15,5 @@ in
driver = "postgres"; driver = "postgres";
}; };
dataDir = "${vars.primary_mattermost}/mattermost"; dataDir = "${vars.primary_mattermost}/mattermost";
host = "0.0.0.0";
}; };
} }

167
systems/palatine-hill/zfs.nix
View File

@@ -12,107 +12,6 @@
options zfs zfs_arc_min=82463372083 options zfs zfs_arc_min=82463372083
options zfs zfs_arc_max=192414534860 options zfs zfs_arc_max=192414534860
''; '';
initrd.systemd.services = {
zfs-import-zfs-primary = {
description = "Import ZFS-primary pool in initrd";
wantedBy = [ "initrd-root-fs.target" ];
wants = [ "systemd-udev-settle.service" ];
after = [ "systemd-udev-settle.service" ];
before = [
"sysroot.mount"
"initrd-root-fs.target"
];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = with pkgs; [
coreutils
gawk
zfs
];
script = ''
ZFS_FORCE="-f"
msg=""
for o in $(cat /proc/cmdline); do
case "$o" in
zfs_force|zfs_force=1|zfs_force=y)
ZFS_FORCE="-f"
;;
esac
done
pool_ready() {
pool="$1"
state="$(zpool import -d /dev/disk/by-id/ 2>/dev/null | awk '/pool: '"$pool"'/ { found = 1 }; /state:/ { if (found == 1) { print $2; exit } }; END { if (found == 0) { print "MISSING" } }')"
if [ "$state" = "ONLINE" ]; then
return 0
fi
echo "Pool $pool in state $state, waiting"
return 1
}
pool_imported() {
pool="$1"
zpool list "$pool" >/dev/null 2>/dev/null
}
pool_import() {
pool="$1"
zpool import -d /dev/disk/by-id/ -N $ZFS_FORCE "$pool"
}
echo -n 'importing root ZFS pool "ZFS-primary"...'
# Loop until import succeeds, because by-id devices may not be discovered yet.
if ! pool_imported "ZFS-primary"; then
trial=1
while [ "$trial" -le 60 ]; do
if pool_ready "ZFS-primary" >/dev/null && msg="$(pool_import "ZFS-primary" 2>&1)"; then
break
fi
sleep 1
echo -n .
trial=$((trial + 1))
done
echo
if [ -n "$msg" ]; then
echo "$msg"
fi
pool_imported "ZFS-primary" || pool_import "ZFS-primary" # Try one last time, e.g. to import a degraded pool.
fi
'';
};
zfs-load-nix-key = {
description = "Load ZFS key for ZFS-primary/nix in initrd";
wantedBy = [ "initrd-fs.target" ];
requires = [
"sysroot.mount"
"zfs-import-zfs-primary.service"
];
after = [
"sysroot.mount"
"zfs-import-zfs-primary.service"
];
before = [
"initrd-fs.target"
"sysroot-nix.mount"
];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = with pkgs; [ zfs ];
script = ''
key_file="/sysroot/crypto/keys/zfs-nix-store-key"
zfs load-key -L "file://$key_file" "ZFS-primary/nix"
'';
};
};
}; };
services = { services = {
@@ -132,7 +31,6 @@
"ZFS-primary/docker".useTemplate = [ "production" ]; "ZFS-primary/docker".useTemplate = [ "production" ];
"ZFS-primary/hydra".useTemplate = [ "nix-prod" ]; "ZFS-primary/hydra".useTemplate = [ "nix-prod" ];
"ZFS-primary/nextcloud".useTemplate = [ "production" ]; "ZFS-primary/nextcloud".useTemplate = [ "production" ];
"ZFS-primary/mattermost".useTemplate = [ "production" ];
# all docker containers should have a bind mount if they expect lasting zfs snapshots # all docker containers should have a bind mount if they expect lasting zfs snapshots
"ZFS-primary/vardocker".useTemplate = [ "nix-prod" ]; "ZFS-primary/vardocker".useTemplate = [ "nix-prod" ];
"ZFS-primary/minio".useTemplate = [ "nix-prod" ]; "ZFS-primary/minio".useTemplate = [ "nix-prod" ];
@@ -183,4 +81,69 @@
}; };
}; };
# hack to make sure pool is imported before keys are loaded,
# and also keys are imported before things get mounted
# note to self: move zfs encryption over to luks lol
boot.initrd.postResumeCommands = ''
ZFS_FORCE="-f"
for o in $(cat /proc/cmdline); do
case $o in
zfs_force|zfs_force=1|zfs_force=y)
ZFS_FORCE="-f"
;;
esac
done
poolReady() {
pool="$1"
state="$("zpool" import -d "/dev/disk/by-id/" 2>/dev/null | "awk" "/pool: $pool/ { found = 1 }; /state:/ { if (found == 1) { print \$2; exit } }; END { if (found == 0) { print \"MISSING\" } }")"
if [[ "$state" = "ONLINE" ]]; then
return 0
else
echo "Pool $pool in state $state, waiting"
return 1
fi
}
poolImported() {
pool="$1"
"zpool" list "$pool" >/dev/null 2>/dev/null
}
poolImport() {
pool="$1"
"zpool" import -d "/dev/disk/by-id/" -N $ZFS_FORCE "$pool"
}
echo -n "importing root ZFS pool \"ZFS-primary\"..."
# Loop across the import until it succeeds, because the devices needed may not be discovered yet.
if ! poolImported "ZFS-primary"; then
for trial in `seq 1 60`; do
poolReady "ZFS-primary" > /dev/null && msg="$(poolImport "ZFS-primary" 2>&1)" && break
sleep 1
echo -n .
done
echo
if [[ -n "$msg" ]]; then
echo "$msg";
fi
poolImported "ZFS-primary" || poolImport "ZFS-primary" # Try one last time, e.g. to import a degraded pool.
fi
# let root mount and everything, then manually unlock stuff
load_zfs_nix() {
local device="/dev/disk/by-uuid/8bfaa32b-09dd-45c8-831e-05e80be82f9e"
local mountPoint="/"
local options="x-initrd.mount,noatime,nodiratime"
local fsType="ext4"
echo "manually mounting key location, then unmounting"
udevadm settle
mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType"
zfs load-key -L "file://$targetRoot/crypto/keys/zfs-nix-store-key" "ZFS-primary/nix"
umount "$targetRoot/"
}
load_zfs_nix
'';
} }

3
users/alice/non-server.nix
View File

@@ -282,8 +282,5 @@ in
pdf4qt pdf4qt
masterpdfeditor4 masterpdfeditor4
gitea-mcp-server
tea
]; ];
} }