feat: update flake and add actual

2024-10-11 01:49:04 +02:00 · 2024-10-11 01:49:04 +02:00 · f535c8d557
commit f535c8d557
parent 4cbbd2f871
36 changed files with 845 additions and 208 deletions
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -26,6 +26,7 @@
  nixpkgs.hostPlatform = "x86_64-linux";
  boot.mode = "efi";
  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "e1000e" "alx"];
+  systemd.units."dev-tpmrm0.device".enable = false; # https://github.com/systemd/systemd/issues/33412

  meta.promtail = {
    enable = true;
@ -121,6 +122,7 @@
  in
    lib.mkIf (!minimal) (
      {}
+      // mkMicrovm "actual" {}
      // mkMicrovm "samba" {
        enableStorageDataset = true;
        enableBunkerDataset = true;
--- a/hosts/sire/guests/actual.nix
+++ b/hosts/sire/guests/actual.nix
@ -0,0 +1,66 @@
+{
+  config,
+  globals,
+  nodes,
+  ...
+}: let
+  actualDomain = "finance.${globals.domains.me}";
+in {
+  wireguard.proxy-sentinel = {
+    client.via = "sentinel";
+    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.actual.settings.port];
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/actual";
+      mode = "0700";
+      user = "actual";
+      group = "actual";
+    }
+  ];
+
+  services.actual = {
+    enable = true;
+    settings.trustedProxies = [nodes.sentinel.config.wireguard.proxy-sentinel.ipv4];
+  };
+
+  globals.services.actual.domain = actualDomain;
+  globals.monitoring.http.actual = {
+    url = "https://${actualDomain}/";
+    expectedBodyRegex = "Actual";
+    network = "internet";
+  };
+
+  nodes.sentinel = {
+    services.nginx = {
+      upstreams.actual = {
+        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.actual.settings.port}" = {};
+        extraConfig = ''
+          zone actual 64k;
+          keepalive 2;
+        '';
+        monitoring = {
+          enable = true;
+          expectedBodyRegex = "Actual";
+        };
+      };
+      virtualHosts.${actualDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        # oauth2 = {
+        #   enable = true;
+        #   allowedGroups = ["access_openwebui"];
+        #   X-Email = "\${upstream_http_x_auth_request_preferred_username}@${globals.domains.personal}";
+        # };
+        extraConfig = ''
+          client_max_body_size 256M;
+        '';
+        locations."/" = {
+          proxyPass = "http://actual";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -111,7 +111,7 @@

  processedConfigFile = "/run/agenix/immich.config.json";

-  version = "v1.114.0";
+  version = "v1.117.0";
  environment = {
    DB_DATABASE_NAME = "immich";
    DB_HOSTNAME = ipImmichPostgres;
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@ -70,6 +70,9 @@
      }
    );
 in {
+  # For influxdb communication channel
+  wireguard.proxy-home.client.via = "ward";
+
  age.secrets."samba-passdb.tdb" = {
    rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age";
    mode = "600";
@ -145,72 +148,76 @@ in {

    # Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP
    # requests, since all of our clients hardcode the server shares.
-    enableNmbd = false;
+    nmbd.enable = false;
    # Disable Samba's winbindd, which provides a number of services to the Name
    # Service Switch capability found in most modern C libraries, to arbitrary
    # applications via PAM and ntlm_auth and to Samba itself.
-    enableWinbindd = false;
-    extraConfig = lib.concatLines [
-      # Show the server host name in the printer comment box in print manager
-      # and next to the IPC connection in net view.
-      "server string = SambaOelig"
-      # Set the NetBIOS name by which the Samba server is known.
-      "netbios name = SambaOelig"
-      # Disable netbios support. We don't need to support browsing since all
-      # clients hardcode the host and share names.
-      "disable netbios = yes"
-      # Deny access to all hosts by default.
-      "hosts deny = 0.0.0.0/0"
-      # Allow access to local network and TODO: wireguard
-      "hosts allow = ${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}"
-      # Don't advertise inaccessible shares to users
-      "access based share enum = yes"
+    winbindd.enable = false;
+    settings = lib.mkMerge ([
+        {
+          global = {
+            # Show the server host name in the printer comment box in print manager
+            # and next to the IPC connection in net view.
+            "server string" = "SambaOelig";
+            # Set the NetBIOS name by which the Samba server is known.
+            "netbios name" = "SambaOelig";
+            # Disable netbios support. We don't need to support browsing since all
+            # clients hardcode the host and share names.
+            "disable netbios" = "yes";
+            # Deny access to all hosts by default.
+            "hosts deny" = "0.0.0.0/0";
+            # Allow access to local network and TODO: wireguard
+            "hosts allow" = "${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}";
+            # Don't advertise inaccessible shares to users
+            "access based share enum" = "yes";

-      # Set sane logging options
-      "log level = 0 auth:2 passdb:2"
-      "log file = /dev/null"
-      "max log size = 0"
-      "logging = systemd"
+            # Set sane logging options
+            "log level" = "0 auth:2 passdb:2";
+            "log file" = "/dev/null";
+            "max log size" = "0";
+            "logging" = "systemd";

-      # TODO: allow based on wireguard ip without username and password
-      # Users always have to login with an account and are never mapped
-      # to a guest account.
-      "passdb backend = tdbsam:${config.age.secrets."samba-passdb.tdb".path}"
-      "server role = standalone"
-      "guest account = nobody"
-      "map to guest = never"
+            # TODO: allow based on wireguard ip without username and password
+            # Users always have to login with an account and are never mapped
+            # to a guest account.
+            "passdb backend" = "tdbsam:${config.age.secrets."samba-passdb.tdb".path}";
+            "server role" = "standalone";
+            "guest account" = "nobody";
+            "map to guest" = "never";

-      # Clients should only connect using the latest SMB3 protocol (e.g., on
-      # clients running Windows 8 and later).
-      "server min protocol = SMB3_11"
-      # Require native SMB transport encryption by default.
-      "server smb encrypt = required"
+            # Clients should only connect using the latest SMB3 protocol (e.g., on
+            # clients running Windows 8 and later).
+            "server min protocol" = "SMB3_11";
+            # Require native SMB transport encryption by default.
+            "server smb encrypt" = "required";

-      # Never map anything to the excutable bit.
-      "map archive = no"
-      "map system = no"
-      "map hidden = no"
+            # Never map anything to the excutable bit.
+            "map archive" = "no";
+            "map system" = "no";
+            "map hidden" = "no";

-      # Disable printer sharing. By default Samba shares printers configured
-      # using CUPS.
-      "load printers = no"
-      "printing = bsd"
-      "printcap name = /dev/null"
-      "disable spoolss = yes"
-      "show add printer wizard = no"
+            # Disable printer sharing. By default Samba shares printers configured
+            # using CUPS.
+            "load printers" = "no";
+            "printing" = "bsd";
+            "printcap name" = "/dev/null";
+            "disable spoolss" = "yes";
+            "show add printer wizard" = "no";

-      # Load in modules (order is critical!) and enable AAPL extensions.
-      "vfs objects = catia fruit streams_xattr"
-      # Enable Apple's SMB2+ extension.
-      "fruit:aapl = yes"
-      # Clean up unused or empty files created by the OS or Samba.
-      "fruit:wipe_intentionally_left_blank_rfork = yes"
-      "fruit:delete_empty_adfiles = yes"
-    ];
-    shares = lib.mkMerge (lib.flatten (
-      lib.mapAttrsToList mkUserShares smbUsers
-      ++ lib.mapAttrsToList mkGroupShares smbGroups
-    ));
+            # Load in modules (order is critical!) and enable AAPL extensions.
+            "vfs objects" = "catia fruit streams_xattr";
+            # Enable Apple's SMB2+ extension.
+            "fruit:aapl" = "yes";
+            # Clean up unused or empty files created by the OS or Samba.
+            "fruit:wipe_intentionally_left_blank_rfork" = "yes";
+            "fruit:delete_empty_adfiles" = "yes";
+          };
+        }
+      ]
+      ++ lib.flatten (
+        lib.mapAttrsToList mkUserShares smbUsers
+        ++ lib.mapAttrsToList mkGroupShares smbGroups
+      ));
  };

  systemd.tmpfiles.settings = lib.mkMerge (
--- a/hosts/sire/secrets/actual/host.pub
+++ b/hosts/sire/secrets/actual/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARJ59yifkMFmcWWM4sAwhQN6u+H4Bv+VVboPBslHqZj
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARJ59yifkMFmcWWM4sAwhQN6u+H4Bv+VVboPBslHqZj`