From 2a44e5c81e2d46766ed095d5e94c5fafbd5d85fa Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Wed, 11 Jun 2025 22:53:22 +0200
Subject: [PATCH 1/5] deploy stream (navidrome) microvm

---
 .sops.yaml | 7 ++++
 flake.nix | 1 +
 hosts/cloud/proxy/default.nix | 32 +++++++++++++++
 hosts/stream/default.nix | 76 +++++++++++++++++++++++++++++++++++
 hosts/stream/navidrome.nix | 16 ++++++++
 hosts/stream/secrets.yaml | 38 ++++++++++++++++++
 modules/wg/proxy.nix | 8 ++++
 7 files changed, 178 insertions(+)
 create mode 100644 hosts/stream/default.nix
 create mode 100644 hosts/stream/navidrome.nix
 create mode 100644 hosts/stream/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index dd882ca..649c351 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,6 +11,7 @@ keys:
 - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
 - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
 - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
+ - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
 creation_rules:
 - path_regex: hosts/toaster/[^/]+\.yaml$
 key_groups:
@@ -66,3 +67,9 @@ creation_rules:
 - *admin_oxa
 age:
 - *conduwuit
+ - path_regex: hosts/stream/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ age:
+ - *stream
diff --git a/flake.nix b/flake.nix
index ddde63b..2b085bc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
 "forgejo"
 "miniflux"
 "radicale"
+ "stream"
 ];
 microvm-unstable-list = [
 "auth"
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 9994da4..6cf0151 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -60,5 +60,37 @@ in ''; virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080"; + + virtualHosts."music.oxapentane.com".extraConfig = '' + route { + reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000 + + @protected not path /share/* /rest/* + forward_auth @protected 10.89.88.11:9000 { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username>Remote-User + trusted_proxies 10.89.88.11 fd31:185d:722f::11 + } + + + @subsonic path /rest/* + forward_auth @subsonic 10.89.88.11:9000 { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username>Remote-User + @error status 1xx 3xx 4xx 5xx + handle_response @error { + respond < + + + SUBSONICERR 200 + } + trusted_proxies 10.89.88.11 fd31:185d:722f::11 + } + } + reverse_proxy 10.89.88.17:4533 + + ''; + }; } diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix new file mode 100644 index 0000000..4543466 --- /dev/null +++ b/hosts/stream/default.nix 
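Review bot: The `Remote-User` header that `copy_headers X-Authentik-Username>Remote-User` injects is only produced on paths that go through `forward_auth`; a request for `/share/*`, which `@protected not path /share/* /rest/*` excludes, reaches `reverse_proxy 10.89.88.17:4533` carrying whatever `Remote-User` the client chose to send. Because navidrome.nix in this same series whitelists the proxy's network for header-based auth, a client-supplied value could be honoured upstream unless Navidrome ignores the header on those routes; stripping it before any matcher closes that regardless, e.g. `request_header -Remote-User` as the first directive inside `route { ... }`, after which only the `forward_auth` copy survives. The `respond <` line inside `handle_response @error` appears truncated in this rendering, so the Subsonic error body could not be checked here.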
@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+let
+ mac = "02:00:00:00:00:07";
+in
+{
+ imports = [
+ ./navidrome.nix
+ ];
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/0xa-proxy" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+
+ microvm = {
+ hypervisor = "qemu";
+ mem = 4 * 1024;
+ vcpu = 3;
+ interfaces = [
+ {
+ type = "tap";
+ id = "uvm-stream";
+ mac = mac;
+ }
+ ];
+ shares =
+ [
+ {
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ }
+ ]
+ ++ map
+ (dir: {
+ source = dir;
+ mountPoint = "/${dir}";
+ tag = dir;
+ proto = "virtiofs";
+ })
+ [
+ "etc"
+ "var"
+ "home"
+ ];
+ };
+
+ networking.useNetworkd = true;
+ networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+ systemd.network = {
+ enable = true;
+ networks."11-host" = {
+ matchConfig.MACAddress = mac;
+ networkConfig = {
+ Address = "10.99.99.17/24";
+ DHCP = "no";
+ };
+ routes = [
+ {
+ Gateway = "10.99.99.1";
+ Destination = "0.0.0.0/0";
+ Metric = 1024;
+ }
+ ];
+ };
+ };
+
+ networking.hostName = "stream";
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/stream/navidrome.nix b/hosts/stream/navidrome.nix
new file mode 100644
index 0000000..0b1cd07
--- /dev/null
+++ b/hosts/stream/navidrome.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+ services.navidrome = {
+ enable = true;
+ settings = {
+ Address = "10.89.88.17";
+ BaseUrl = "/";
+ EnableExternalServices = false;
+ MusicFolder = "/var/lib/navidrome/music";
+ Port = 4533;
+ ScanSchedule = "@every 11m";
+ TranscodingCacheSize = "11GiB";
+ ReverseProxyWhitelist = "10.89.88.1/24";
+ };
+ };
+}
diff --git a/hosts/stream/secrets.yaml b/hosts/stream/secrets.yaml
new file mode 100644
index 0000000..a75b120
--- /dev/null
+++ b/hosts/stream/secrets.yaml
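Review bot: `networking.firewall.enable = lib.mkForce false; # firewalling done by the host` leaves nothing filtering traffic that arrives through the WireGuard tunnel, and the `wg/0xa-proxy` secret declared here with `owner = config.users.users.systemd-network.name` suggests the tunnel terminates inside this VM rather than on the host, which then only ever sees encrypted UDP. If that reading is right, every peer on the 10.89.88.0/24 overlay can reach Navidrome at 10.89.88.17:4533 (navidrome.nix) without passing the Caddy `forward_auth` in hosts/cloud/proxy/default.nix. Either keep the firewall enabled and open 4533 to the proxy's overlay address only, or extend the comment to record the trust decision, e.g. `# firewalling done by the host; the wg overlay terminates in this VM and is reachable by every peer`.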
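Review bot: `ReverseProxyWhitelist = "10.89.88.1/24";` makes Navidrome accept the `Remote-User` header from the entire WireGuard overlay, so any peer that can reach 10.89.88.17:4533 directly may present an arbitrary username, not only the Caddy instance that sets that header via `forward_auth`. Narrow it to the proxy's single address, which is not visible in this series, and write it without host bits, e.g. `ReverseProxyWhitelist = "<proxy-wg-address>/32";` (placeholder). A comment such as `# only the Caddy host may assert Remote-User; see hosts/cloud/proxy/default.nix` would record that dependency for the next reader.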
@@ -0,0 +1,38 @@ +wg: + 0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str] +sops: + age: + - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3 + QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5 + S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5 + K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE + WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-12T22:54:11Z" + mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str] + pgp: + - created_at: "2025-06-12T22:51:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6 + th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH + HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn + vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B + WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/ + uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s + DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/ + bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp + lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J + A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg + GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS + XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6 + ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU= + =fEVm + 
-----END PGP MESSAGE-----
+ fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix
index 3b92b8d..7427829 100644
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@@ -71,6 +71,14 @@
 publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
 privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
 };
+ "stream" = {
+ address = [
+ "10.89.88.17/24"
+ "fd31:185d:722f::17/48"
+ ];
+ publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
+ privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
+ };
 };
 }
 ];
From 22d7c181e3d15bc66712ed0850f34476df274545 Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Sat, 14 Jun 2025 21:01:52 +0200
Subject: [PATCH 2/5] software changes

---
 hosts/toaster/default.nix | 2 +-
 modules/desktop-software.nix | 1 +
 modules/devtools.nix | 2 +-
 modules/gnupg.nix | 2 --
 4 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix
index 2b8577b..7e78114 100644
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@@ -66,7 +66,7 @@
 home = "/home/0xa";
 isNormalUser = true;
 uid = 1000;
- shell = pkgs.zsh;
+ shell = pkgs.fish;
 };

 # This value determines the NixOS release from which the default
diff --git a/modules/desktop-software.nix b/modules/desktop-software.nix
index cbfba71..998c953 100644
--- a/modules/desktop-software.nix
+++ b/modules/desktop-software.nix
@@ -17,6 +17,7 @@
 mpv
 obs-studio
 qbittorrent
+ transmission_4-gtk
 signal-desktop
 spotify
 telegram-desktop
diff --git a/modules/devtools.nix b/modules/devtools.nix
index a003e6e..04dfd87 100644
--- a/modules/devtools.nix
+++ b/modules/devtools.nix
@@ -31,7 +31,7 @@
 nix-index
 kicad
 kikit
- freecad-wayland
+ freecad-qt6
 imhex
 python3Full
 nixfmt-rfc-style
diff --git a/modules/gnupg.nix b/modules/gnupg.nix
index 07b1eef..4cb173c 100644
--- a/modules/gnupg.nix
+++ b/modules/gnupg.nix
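Review bot: `shell = pkgs.fish;` switches the login shell to a package without a matching `programs.fish.enable = true;` anywhere in this hunk; NixOS warns when a user's shell is not enabled through its `programs.*` option, and fish then lacks the Nix environment setup that option wires in. If it is enabled elsewhere in the toaster configuration this is fine; otherwise add `programs.fish.enable = true;` next to the user definition. The enclosing `users.users` attribute set starts before this hunk.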
@@ -4,8 +4,6 @@
 environment.systemPackages = with pkgs; [
 gnupg
 opensc
-
- yubikey-personalization-gui
 ];

 # smartcard support
From efd0790d4fcab0d7ffad7e4cca390fc0f110ed5b Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Sat, 14 Jun 2025 21:02:03 +0200
Subject: [PATCH 3/5] bump lock

---
 flake.lock | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/flake.lock b/flake.lock
index e15b51f..357df38 100644
--- a/flake.lock
+++ b/flake.lock
@@ -253,11 +253,11 @@
 "lix": {
 "flake": false,
 "locked": {
- "lastModified": 1749682763,
- "narHash": "sha256-DDhns3NS6L5OlYR0mSX03I5D7uGLyyd3MZegd1wTCyc=",
- "rev": "ee0655240270480d7f6063dcf12ec47f04d2ded6",
+ "lastModified": 1749838547,
+ "narHash": "sha256-4qJy0n+6P13/XAHPlcjcWK6MDNYd38PkFdI8iCiJYYo=",
+ "rev": "1e34c3747779a82d59ef27b351d4ed02fb372a2a",
 "type": "tarball",
- "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ee0655240270480d7f6063dcf12ec47f04d2ded6.tar.gz?rev=ee0655240270480d7f6063dcf12ec47f04d2ded6"
+ "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1e34c3747779a82d59ef27b351d4ed02fb372a2a.tar.gz?rev=1e34c3747779a82d59ef27b351d4ed02fb372a2a"
 },
 "original": {
 "type": "tarball",
@@ -339,11 +339,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1749195551,
- "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=",
+ "lastModified": 1749832440,
+ "narHash": "sha256-lfxhuxAaHlYFGr8yOrAXZqdMt8PrFLzjVqH9v3lQaoY=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "4602f7e1d3f197b3cb540d5accf5669121629628",
+ "rev": "db030f62a449568345372bd62ed8c5be4824fa49",
 "type": "github"
 },
 "original": {
@@ -402,11 +402,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1749285348,
- "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
+ "lastModified": 1749794982,
+ "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
+ "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81",
 "type": "github"
 },
 "original": {
From fee7a194db6b6de6c9f2172973bf33dca60bd8d4 Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Sat, 14 Jun 2025 21:02:20 +0200
Subject: [PATCH 4/5] plasma still krashes

---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 2b085bc..df8420d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -122,7 +122,7 @@
 ./modules/emacs.nix
 ./modules/gnupg.nix
 ./modules/mail
- ./modules/plasma.nix
+ ./modules/gnome.nix
 ./modules/radio.nix
 ./modules/science.nix
 ./modules/tlp.nix
From e23db8a0b43fccdcb30abdc610a41a2d4b63afdd Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Sat, 14 Jun 2025 21:02:32 +0200
Subject: [PATCH 5/5] make branch spec uniform in inputs

---
 flake.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/flake.nix b/flake.nix
index df8420d..0c04048 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@
 {
 inputs = {
- nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+ nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";

 flake-utils.url = "github:numtide/flake-utils";

@@ -10,7 +10,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };

- nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";

 microvm = {
 url = "github:astro/microvm.nix";
@@ -21,7 +21,7 @@
 };

 lanzaboote = {
- url = "github:nix-community/lanzaboote/v0.4.2";
+ url = "github:nix-community/lanzaboote?ref=v0.4.2";
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 };