feat: update immich; decrease restart timer between failed attempts for all services to 60 seconds

2024-03-12 21:06:01 +01:00 · 2024-03-12 21:06:01 +01:00 · 605aee0a67
commit 605aee0a67
parent dfe0345888
13 changed files with 18 additions and 14 deletions
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -110,6 +110,6 @@ in {
      INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show lan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
      sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
    '';
-    serviceConfig.RestartSec = lib.mkForce "600"; # Retry every 10 minutes
+    serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute
  };
 }
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -167,7 +167,7 @@ in {
  };

  systemd.services.forgejo = {
-    serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+    serviceConfig.RestartSec = "60"; # Retry every minute
    preStart = let
      exe = lib.getExe config.services.forgejo.package;
      providerName = "kanidm";
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -124,6 +124,8 @@ in {
        basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
        preferShortUsername = true;
        # XXX: PKCE is currently not supported by immich
+        # XXX: Also RS256 is used instead of ES256 so additionally needed:
+        # kanidm system oauth2 warning-enable-legacy-crypto immich
        allowInsecureClientDisablePkce = true;
        scopeMaps."immich.access" = ["openid" "email" "profile"];
      };
@ -137,6 +139,7 @@ in {
        displayName = "Grafana";
        originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
        basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
+        preferShortUsername = true;
        scopeMaps."grafana.access" = ["openid" "email" "profile"];
        claimMaps.groups = {
          joinType = "array";
@ -174,6 +177,7 @@ in {
        displayName = "Web Sentinel";
        originUrl = "https://oauth2.${domains.me}/";
        basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
+        preferShortUsername = true;
        scopeMaps."web-sentinel.access" = ["openid" "email"];
        claimMaps.groups = {
          joinType = "array";
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@ -76,7 +76,7 @@ in {
    };
  };

-  systemd.services.radicale.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+  systemd.services.radicale.serviceConfig.RestartSec = "60"; # Retry every minute

  backups.storageBoxes.dusk = {
    subuser = "radicale";
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@ -79,7 +79,7 @@ in {
  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
  systemd.services.vaultwarden.serviceConfig = {
    StateDirectory = lib.mkForce "vaultwarden";
-    RestartSec = "600"; # Retry every 10 minutes
+    RestartSec = "60"; # Retry every minute
  };

  # Needed so we don't run out of tmpfs space for large backups.