
chore: ente -> immich (large library >50k photos and videos has performance issues on ente, slow loading)

This commit is contained in:
oddlama 2025-09-22 23:39:51 +02:00
parent 140dba323c
commit 5fc809f4d6
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
15 changed files with 2 additions and 764 deletions


@ -58,15 +58,4 @@
# This node shall monitor the infrastructure
availableMonitoringNetworks = [ "internet" ];
};
services.ente.web = {
enable = true;
domains = {
api = "api.photos.${globals.domains.me}";
accounts = "accounts.photos.${globals.domains.me}";
albums = "albums.photos.${globals.domains.me}";
cast = "cast.photos.${globals.domains.me}";
photos = "photos.${globals.domains.me}";
};
};
}


@ -12,12 +12,6 @@ let
# FIXME: new entry here? make new firezone gateway on ward entry too.
homeDomains = [
globals.services.grafana.domain
"accounts.photos.${globals.domains.me}"
"albums.photos.${globals.domains.me}"
"api.photos.${globals.domains.me}"
"cast.photos.${globals.domains.me}"
"photos.${globals.domains.me}"
"s3.photos.${globals.domains.me}"
globals.services.mealie.domain
globals.services.immich.domain
globals.services.influxdb.domain
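Review bot: The six `*.photos.${globals.domains.me}` entries leave `homeDomains`, but the FIXME at the top of this hunk says every entry in this list is paired with a firezone gateway/resource entry, and no matching firezone removal is visible in this commit, so a resource may stay published for a service that no longer exists. The same removal appears in the hunks `@ -13,13 +13,6 @@` and `@ -113,12 +113,6 @@` below, with the same concern. Only 7 of the 15 changed files are shown here, so this may already be handled in a file outside the page; if it is not, the stale firezone entries should be dropped alongside these lines. The `homeDomains` list continues past the end of the hunk.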


@ -150,9 +150,5 @@
}
// mkMicrovm "ai" { }
// mkMicrovm "minecraft" { }
// mkMicrovm "ente" {
enableStorageDataset = true;
}
#// mkMicrovm "fasten-health" {}
);
}
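Review bot: Removing `mkMicrovm "ente"` with `enableStorageDataset = true` drops the VM definition, but nothing visible in this commit retires the state that configuration created: the storage dataset that option presumably provisions, the persisted `/var/lib/minio` and `/var/lib/ente` directories, and the generated age secrets (`minio-access-key`, `minio-secret-key`, `minio-root-credentials`, `ente-jwt`, `ente-encryption-key`, `ente-hash-key`, `ente-smtp-password`) declared in the deleted host file. Those directories hold the photo library and the MinIO root credentials, so they should be wiped or explicitly archived once the migration to immich is confirmed, and the secret files removed from wherever the generators stored them. Only 7 of the 15 changed files are visible, so part of this may be done elsewhere in the commit. A short marker next to the removed entry, such as `# ente decommissioned: storage dataset, persisted dirs and age secrets still need manual cleanup`, would record what remains. The enclosing `mkMicrovm` attribute-set expression begins before this hunk.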


@ -1,256 +0,0 @@
{
config,
globals,
lib,
pkgs,
...
}:
# NOTE: To increase storage for all users:
# $ runuser -u ente -- psql
# ente => UPDATE subscriptions SET storage = 6597069766656;
let
enteAccountsDomain = "accounts.photos.${globals.domains.me}";
enteAlbumsDomain = "albums.photos.${globals.domains.me}";
enteApiDomain = "api.photos.${globals.domains.me}";
enteCastDomain = "cast.photos.${globals.domains.me}";
entePhotosDomain = "photos.${globals.domains.me}";
s3Domain = "s3.photos.${globals.domains.me}";
proxyConfig = remoteAddr: nginxExtraConfig: {
upstreams.museum = {
servers."${remoteAddr}:8080" = { };
extraConfig = ''
zone museum 64k;
keepalive 20;
'';
monitoring = {
enable = true;
path = "/ping";
expectedStatus = 200;
};
};
upstreams.minio = {
servers."${remoteAddr}:9000" = { };
extraConfig = ''
zone minio 64k;
keepalive 20;
'';
monitoring = {
enable = true;
path = "/minio/health/live";
expectedStatus = 200;
};
};
virtualHosts = {
${enteApiDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/".proxyPass = "http://museum";
extraConfig = ''
client_max_body_size 4M;
${nginxExtraConfig}
'';
};
${s3Domain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/".proxyPass = "http://minio";
extraConfig = ''
client_max_body_size 32M;
proxy_buffering off;
proxy_request_buffering off;
${nginxExtraConfig}
'';
};
}
//
lib.genAttrs
[
enteAccountsDomain
enteAlbumsDomain
enteCastDomain
entePhotosDomain
]
(_domain: {
useACMEWildcardHost = true;
extraConfig = nginxExtraConfig;
});
};
in
{
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
[
8080
9000
];
globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
[
8080
9000
];
globals.services.ente.domain = entePhotosDomain;
# FIXME: also monitor from internal network
globals.monitoring.http.ente = {
url = "https://${entePhotosDomain}";
expectedBodyRegex = "Ente Photos";
network = "internet";
};
fileSystems."/storage".neededForBoot = true;
environment.persistence."/storage".directories = [
{
directory = "/var/lib/minio";
user = "minio";
group = "minio";
mode = "0750";
}
];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/ente";
user = "ente";
group = "ente";
mode = "0750";
}
];
# NOTE: don't use the root user for access. In this case it doesn't matter
# since the whole minio server is only for ente anyway, but it would be a
# good practice.
age.secrets.minio-access-key = {
generator.script = "alnum";
mode = "440";
group = "ente";
};
age.secrets.minio-secret-key = {
generator.script = "alnum";
mode = "440";
group = "ente";
};
age.secrets.minio-root-credentials = {
generator.dependencies = [
config.age.secrets.minio-access-key
config.age.secrets.minio-secret-key
];
generator.script =
{
lib,
decrypt,
deps,
...
}:
''
echo -n "MINIO_ROOT_USER="
${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 0).file}
echo -n "MINIO_ROOT_PASSWORD="
${decrypt} ${lib.escapeShellArg (builtins.elemAt deps 1).file}
'';
mode = "440";
group = "minio";
};
# base64 (url)
age.secrets.ente-jwt = {
generator.script =
{ pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 32 | tr -d '\n' | tr '/+' '_-'";
mode = "440";
group = "ente";
};
# base64 (standard)
age.secrets.ente-encryption-key = {
generator.script = "base64";
mode = "440";
group = "ente";
};
# base64 (standard)
age.secrets.ente-hash-key = {
generator.script = { pkgs, ... }: "${pkgs.openssl}/bin/openssl rand -base64 64 | tr -d '\n'";
mode = "440";
group = "ente";
};
age.secrets.ente-smtp-password = {
generator.script = "alnum";
mode = "440";
group = "ente";
};
services.minio = {
enable = true;
rootCredentialsFile = config.age.secrets.minio-root-credentials.path;
};
systemd.services.minio = {
environment.MINIO_SERVER_URL = "https://${s3Domain}";
postStart = ''
# Wait until minio is up
${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"
# Make sure bucket exists
mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/ente
'';
};
systemd.services.ente.after = [ "minio.service" ];
services.ente.api = {
enable = true;
enableLocalDB = true;
domain = enteApiDomain;
settings = {
apps = {
accounts = "https://${enteAccountsDomain}";
cast = "https://${enteCastDomain}";
public-albums = "https://${enteAlbumsDomain}";
};
webauthn = {
rpid = enteAccountsDomain;
rporigins = [ "https://${enteAccountsDomain}" ];
};
# FIXME: blocked on https://github.com/ente-io/ente/issues/5958
# smtp = {
# host = config.repo.secrets.local.ente.mail.host;
# port = 465;
# email = config.repo.secrets.local.ente.mail.from;
# username = config.repo.secrets.local.ente.mail.user;
# password._secret = config.age.secrets.ente-smtp-password.path;
# };
s3 = {
use_path_style_urls = true;
b2-eu-cen = {
endpoint = "https://${s3Domain}";
region = "us-east-1";
bucket = "ente";
key._secret = config.age.secrets.minio-access-key.path;
secret._secret = config.age.secrets.minio-secret-key.path;
};
};
jwt.secret._secret = config.age.secrets.ente-jwt.path;
key = {
encryption._secret = config.age.secrets.ente-encryption-key.path;
hash._secret = config.age.secrets.ente-hash-key.path;
};
};
};
# NOTE: services.ente.web is configured separately on both proxy servers!
nodes.sentinel.services.nginx =
proxyConfig globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
"";
nodes.ward-web-proxy.services.nginx =
proxyConfig globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
''
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all;
'';
}


@ -13,13 +13,6 @@ let
# FIXME: new entry here? make new firezone entry too.
homeDomains = [
globals.services.grafana.domain
# TODO: allow multiple domains per global service.
"accounts.photos.${globals.domains.me}"
"albums.photos.${globals.domains.me}"
"api.photos.${globals.domains.me}"
"cast.photos.${globals.domains.me}"
"photos.${globals.domains.me}"
"s3.photos.${globals.domains.me}"
globals.services.mealie.domain
globals.services.immich.domain
globals.services.influxdb.domain


@ -113,12 +113,6 @@ in
# FIXME: new entry here? make new firezone entry too.
# FIXME: new entry here? make new firezone gateway on ward entry too.
globals.services.grafana.domain
"accounts.photos.${globals.domains.me}"
"albums.photos.${globals.domains.me}"
"api.photos.${globals.domains.me}"
"cast.photos.${globals.domains.me}"
"photos.${globals.domains.me}"
"s3.photos.${globals.domains.me}"
globals.services.mealie.domain
globals.services.immich.domain
globals.services.influxdb.domain


@ -84,15 +84,4 @@ in
users.groups.acme.members = [ "nginx" ];
services.nginx.enable = true;
services.nginx.recommendedSetup = true;
services.ente.web = {
enable = true;
domains = {
api = "api.photos.${globals.domains.me}";
accounts = "accounts.photos.${globals.domains.me}";
albums = "albums.photos.${globals.domains.me}";
cast = "cast.photos.${globals.domains.me}";
photos = "photos.${globals.domains.me}";
};
};
}