diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index 9a2f5ab..52e8324 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -157,5 +157,5 @@ in {
 };
 };
- systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute
 }
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 5ccf41c..3cfa3a8 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -116,7 +116,7 @@ processedConfigFile = "/run/agenix/immich.config.json";
- version = "v1.93.3";
+ version = "v1.98.2";
 environment = {
 DB_DATABASE_NAME = "immich";
 DB_HOSTNAME = ipImmichPostgres;
@@ -269,7 +269,7 @@ in {
 ];
 };
 virtualisation.oci-containers.containers."immich_postgres" = {
- image = "tensorchord/pgvecto-rs:pg14-v0.1.11@sha256:0335a1a22f8c5dd1b697f14f079934f5152eaaa216c09b61e293be285491f8ee";
+ image = "tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
 environment = {
 POSTGRES_DB = environment.DB_DATABASE_NAME;
 POSTGRES_PASSWORD_FILE = environment.DB_PASSWORD_FILE;
@@ -288,7 +288,7 @@ in {
 };
 systemd.services."podman-immich_postgres" = serviceConfig;
 virtualisation.oci-containers.containers."immich_redis" = {
- image = "redis:6.2-alpine@sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc";
+ image = "redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5";
 log-driver = "journald";
 extraOptions = [
 "--network-alias=immich_redis"
diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix
index f241b71..f5cb93e 100644
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@@ -97,5 +97,5 @@ in {
 environment.systemPackages = [pkgs.influxdb2-cli];
- systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute
 }
diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix
index 542d779..44a19f7 100644
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
@@ -131,5 +131,5 @@ in {
 };
 };
- systemd.services.loki.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ systemd.services.loki.serviceConfig.RestartSec = "60"; # Retry every minute
 }
diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix
index cc96bb9..375ccf9 100644
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@@ -102,7 +102,7 @@ in {
 };
 };
- systemd.services.paperless.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ systemd.services.paperless.serviceConfig.RestartSec = "60"; # Retry every minute
 systemd.tmpfiles.settings."10-paperless".${paperlessBackupDir}.d = {
 inherit (config.services.paperless) user;
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index 8da43d9..a3fe823 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -110,6 +110,6 @@ in {
 INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show lan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
 sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
 '';
- serviceConfig.RestartSec = lib.mkForce "600"; # Retry every 10 minutes
+ serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute
 };
 }
diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix
index 8d89481..fbf2aa3 100644
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
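Review bot: In hosts/sire/guests/influxdb.nix the changed line still sets `systemd.services.grafana.serviceConfig.RestartSec`, which looks like a copy-paste from grafana.nix; the only other visible line in the hunk installs `pkgs.influxdb2-cli`, so this guest presumably runs InfluxDB rather than Grafana. If so, the shorter restart delay never reaches the database unit, and the line only attaches settings to a unit that may not exist on this guest. Assuming the guest uses the stock NixOS influxdb2 module, the line should read `systemd.services.influxdb2.serviceConfig.RestartSec = "60"; # Retry every minute`. The rest of the file is outside the hunk, so the unit name should be confirmed there.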
@@ -167,7 +167,7 @@ in {
 };
 systemd.services.forgejo = {
- serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ serviceConfig.RestartSec = "60"; # Retry every minute
 preStart = let
 exe = lib.getExe config.services.forgejo.package;
 providerName = "kanidm";
diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix
index e319c30..ee73899 100644
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@@ -124,6 +124,8 @@ in {
 basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
 preferShortUsername = true;
 # XXX: PKCE is currently not supported by immich
+ # XXX: Also RS256 is used instead of ES256 so additionally needed:
+ # kanidm system oauth2 warning-enable-legacy-crypto immich
 allowInsecureClientDisablePkce = true;
 scopeMaps."immich.access" = ["openid" "email" "profile"];
 };
@@ -137,6 +139,7 @@ in {
 displayName = "Grafana";
 originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
+ preferShortUsername = true;
 scopeMaps."grafana.access" = ["openid" "email" "profile"];
 claimMaps.groups = {
 joinType = "array";
@@ -174,6 +177,7 @@ in {
 displayName = "Web Sentinel";
 originUrl = "https://oauth2.${domains.me}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
+ preferShortUsername = true;
 scopeMaps."web-sentinel.access" = ["openid" "email"];
 claimMaps.groups = {
 joinType = "array";
diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix
index bb66532..3c1bdfb 100644
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@@ -76,7 +76,7 @@ in {
 };
 };
- systemd.services.radicale.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ systemd.services.radicale.serviceConfig.RestartSec = "60"; # Retry every minute
 backups.storageBoxes.dusk = {
 subuser = "radicale";
diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix
index a1f40d5..5dde224 100644
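Review bot: The two added XXX lines in the immich client record that `kanidm system oauth2 warning-enable-legacy-crypto immich` has to be run by hand, so the RS256 downgrade exists only in server state and not in this declarative config. A reprovisioned or restored kanidm would presumably come up without it and break immich login, and a reader auditing the repo has only a comment to show that this client runs with both PKCE disabled and legacy signing enabled. I would extend the comment to state the removal condition and the re-run requirement, e.g. `# TODO: drop allowInsecureClientDisablePkce and the legacy-crypto override once immich supports PKCE and ES256; manual step, re-run after the client is recreated`. The attribute set this sits in starts above the hunk.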
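Review bot: Adding `preferShortUsername = true;` to the Grafana client (and to the Web Sentinel client in the next hunk) presumably changes the `preferred_username` these relying parties receive from the SPN form to the bare short name; the option's exact semantics are defined outside this diff. If Grafana or the proxy behind Web Sentinel maps accounts or authorisation rules on that claim, existing users may reappear under a new login and any allow-list keyed on the old value stops matching. A username is also a renameable attribute, so it is worth confirming that both consumers key identity on `sub` and use the username for display only. Once verified, a short comment beside the option such as `# display only; accounts are matched on sub` would record that.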
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@@ -79,7 +79,7 @@ in {
 systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
 systemd.services.vaultwarden.serviceConfig = {
 StateDirectory = lib.mkForce "vaultwarden";
- RestartSec = "600"; # Retry every 10 minutes
+ RestartSec = "60"; # Retry every minute
 };
 # Needed so we don't run out of tmpfs space for large backups.
diff --git a/modules/oauth2-proxy.nix b/modules/oauth2-proxy.nix
index f3dbd87..42e6309 100644
--- a/modules/oauth2-proxy.nix
+++ b/modules/oauth2-proxy.nix
@@ -120,7 +120,7 @@ in {
 RuntimeDirectory = "oauth2_proxy";
 RuntimeDirectoryMode = "0750";
 UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
- RestartSec = "600"; # Retry every 10 minutes
+ RestartSec = "60"; # Retry every minute
 };
 users.groups.oauth2_proxy.members = ["nginx"];
diff --git a/modules/promtail.nix b/modules/promtail.nix
index a2be18b..7d7373c 100644
--- a/modules/promtail.nix
+++ b/modules/promtail.nix
@@ -145,6 +145,6 @@ in {
 };
 };
- systemd.services.promtail.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ systemd.services.promtail.serviceConfig.RestartSec = "60"; # Retry every minute
 };
 }
diff --git a/modules/telegraf.nix b/modules/telegraf.nix
index b4a82d0..81af00f 100644
--- a/modules/telegraf.nix
+++ b/modules/telegraf.nix
@@ -212,7 +212,7 @@ in {
 ];
 # For wireguard statistics
 AmbientCapabilities = ["CAP_NET_ADMIN"];
- RestartSec = "600"; # Retry every 10 minutes
+ RestartSec = "60"; # Retry every minute
 };
 };
 };