From 49bc50ae3992ea0b15be7ddfed7b8157751deb29 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 19 Jun 2026 09:54:05 +1000
Subject: [PATCH 01/17] alyssum/restic: init
---
 hosts/alyssum/default.nix | 3 ++-
 hosts/alyssum/restic.nix | 30 ++++++++++++++++++++++++++++++
 secrets.nix | 4 ++++
 secrets/restic_env.age | 10 ++++++++++
 secrets/restic_pass.age | Bin 0 -> 497 bytes
 secrets/restic_url.age | 9 +++++++++
 6 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 hosts/alyssum/restic.nix
 create mode 100644 secrets/restic_env.age
 create mode 100644 secrets/restic_pass.age
 create mode 100644 secrets/restic_url.age
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 06c415f..255380a 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -33,8 +33,9 @@
 ./filesystem.nix
 ./kernel.nix
- ./networking.nix
 ./home.syncthing.nix
+ ./networking.nix
+ ./restic.nix
 ./samba.nix
 ../../users/hana
diff --git a/hosts/alyssum/restic.nix b/hosts/alyssum/restic.nix
new file mode 100644
index 0000000..081bf72
--- /dev/null
+++ b/hosts/alyssum/restic.nix
@@ -0,0 +1,30 @@
+{ config, ... }: {
+ age.secrets.restic_env.file = ../../secrets/restic_env.age;
+ age.secrets.restic_pass.file = ../../secrets/restic_pass.age;
+ age.secrets.restic_url.file = ../../secrets/restic_url.age;
+
+ services.restic.backups."flower" = {
+ initialize = true;
+ createWrapper = true;
+ progressFps = "0.016666";
+
+ environmentFile = config.age.secrets.restic_env.path;
+ passwordFile = config.age.secrets.restic_pass.path;
+ repositoryFile = config.age.secrets.restic_url.path;
+
+ paths = ["/flower"];
+ timerConfig = {
+ # every 30mns
+ OnCalendar = "*-*-* *:00,30:00";
+ Persistent = true;
+ };
+ bleh = [
+ "--keep-last 24"
+ "--keep-hourly 24"
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ "--keep-yearly 75"
+ ];
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index b1f55e5..d7ac2cc 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -12,6 +12,10 @@ in { "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ]; "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; + "secrets/restic_env.age".publicKeys = [ alyssum dandelion rin ]; + "secrets/restic_pass.age".publicKeys = [ alyssum dandelion rin ]; + "secrets/restic_url.age".publicKeys = [ alyssum dandelion rin ]; + "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ]; "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; diff --git a/secrets/restic_env.age b/secrets/restic_env.age new file mode 100644 index 0000000..1917eef --- /dev/null +++ b/secrets/restic_env.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 kOMSPw CYNG6K56RVMY5KP3vTczaCG9DVL3Ryv7QtqRzrdONh4 +VKH43RjHzP2TcyK8bEO8pZzZZeXqNXEDNq4JCkhMXlQ +-> ssh-ed25519 bRFqeQ AmuEljYrO5qqhaJQONYxQZTlaid2qNt+kktiMRDSKl4 +u+KzYFuEx+UCBfdcpup0fbEp1vGMP24nE3MwvcjhTSc +-> ssh-ed25519 U9FXlg IKN6gdqtD0FDOBk5vXuLD7AYuRtCGsIe5CYMJwyvcG4 +f5lkALvyjz1X94JmnG4u9kZ0S1TgZeBv+uxumFPChzQ +--- 3LBfI6E7NfSK1F42/cQkUzrpry6OWCeW/67YOpZe00k +8ĝg9(<9OT.L_C2XT 1L=3WCoze?4sU.<zIy,bP?(b?7dՃU*-<줯aD֐^,?3 Ebb +vH \ No newline at end of file 
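Review bot: In the secrets.nix hunk the three restic secrets are encrypted to `dandelion` as well as `alyssum` and `rin`, yet the only consumer visible in this patch is hosts/alyssum/restic.nix. Every extra recipient is another host key that can decrypt the repository URL, the backend credentials and the repository password, and PATCH 14 later puts the public share proxy on dandelion, which makes that grant more costly. If dandelion does not run this backup job, narrow each of the three lines to `publicKeys = [ alyssum rin ];` and rekey. If dandelion is meant to restore from the same repository, a short comment above the three lines saying so would show the grant is deliberate.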
diff --git a/secrets/restic_pass.age b/secrets/restic_pass.age new file mode 100644 index 0000000000000000000000000000000000000000..d9a68892045a9c441c4e19722d877707602d15e1 GIT binary patch literal 497 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7_V*1AC|58|DonJj zbPG(&OU|><&q_>o3rg|y%+vSGF>?2|^hj}wEU66g2sKO(_2tUVC<)JZ_eu3n%c%;~ zFHSY^FfjMhcMVF@_78EZFxS@hu&Bx|Do8BNaYeT+DafrbHBdp{)6gW}+&41K%OIr4 zx60WxH^oceBex(iw4f}*D9yt!B_OrH#7y7c$b`$!uO!#4BsnC?v7$W1FF(8>GATK+ zBCE_PB`VBOKQhhKurMRbFVQ&D%mCfCP)oOnoOFfK!eZl+tlV_hoCsIn@(edK1GixF z0>>(&{4{sp ssh-ed25519 kOMSPw l9/BY4rhuzGl/MRKjJ6Hyz2AGpsIZlDojQhSzJ8IxzY +tEGqxZOEWHZvTazrDoC4uTOyuT7fgRKXxumxpjdE89o +-> ssh-ed25519 bRFqeQ XQ1wRRwOP1bIiEX/Dh4tkHB3vF1OdZcLNTtVVM1oWgU +S6qXQsPNY0bGaUz+iLoJ0GBL26FtM4h/sgxqvIwOS3g +-> ssh-ed25519 U9FXlg pmY+R/M38tLi1dq2ll9FDv6uaGv8XlkE99NoAemtlGY +FGZodar5ESxmOZYDZ0F8P1FXNzkEpqT6jyJgzY5wLc0 +--- ig7eZey8XraBclyUEJRv1lJUyiOjqsfGc8Q+jjbAuvQ +eĶ@zYtV4%s29>閇(y8% j|PѨ::-YI)C̹I%yٸ:LCfq_ \ No newline at end of file From 9724f1d7317d4b06f731a00ca53853b593c9ed97 Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 19 Jun 2026 09:55:28 +1000 Subject: [PATCH 02/17] user/git: enable push.autoSetupRemote --- modules/user/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/user/git.nix b/modules/user/git.nix index ca2762e..77f6b72 100644 --- a/modules/user/git.nix +++ b/modules/user/git.nix @@ -11,6 +11,7 @@ core.abbrev = 11; safe.directory = "/home/rin/Projects/flakes"; init.defaultBranch = "master"; + push.autoSetupRemote = true; }; }; } From e8b675e60656935839a4c901254a286494dea81d Mon Sep 17 00:00:00 2001 From: Cilly Leang Date: Fri, 19 Jun 2026 09:59:22 +1000 Subject: [PATCH 03/17] alyssum/restic: use correct opt name oopsie woopsie --- hosts/alyssum/restic.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/alyssum/restic.nix b/hosts/alyssum/restic.nix index 081bf72..2ef946d 100644 --- a/hosts/alyssum/restic.nix +++ b/hosts/alyssum/restic.nix 
@@ -18,7 +18,7 @@
 OnCalendar = "*-*-* *:00,30:00";
 Persistent = true;
 };
- bleh = [
+ pruneOpts = [
 "--keep-last 24"
 "--keep-hourly 24"
 "--keep-daily 7"
From 3f175d1b96d4ddabc11353640f605d1941e0cab8 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 19 Jun 2026 09:59:59 +1000
Subject: [PATCH 04/17] alyssum/restic: use float for progressfps
---
 hosts/alyssum/restic.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/alyssum/restic.nix b/hosts/alyssum/restic.nix
index 2ef946d..cfbea11 100644
--- a/hosts/alyssum/restic.nix
+++ b/hosts/alyssum/restic.nix
@@ -6,7 +6,7 @@
 services.restic.backups."flower" = {
 initialize = true;
 createWrapper = true;
- progressFps = "0.016666";
+ progressFps = 0.016666;
 environmentFile = config.age.secrets.restic_env.path;
 passwordFile = config.age.secrets.restic_pass.path;
From d64c23ce975d341c07f80c39398a349ebb798956 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 19 Jun 2026 10:20:00 +1000
Subject: [PATCH 05/17] alyssum/restic: backup less frequently
---
 hosts/alyssum/restic.nix | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hosts/alyssum/restic.nix b/hosts/alyssum/restic.nix
index cfbea11..b355589 100644
--- a/hosts/alyssum/restic.nix
+++ b/hosts/alyssum/restic.nix
@@ -14,13 +14,12 @@
 paths = ["/flower"];
 timerConfig = {
- # every 30mns
- OnCalendar = "*-*-* *:00,30:00";
+ # every 6 hours
+ OnCalendar = "*-*-* 00,06,12,18:00:00";
 Persistent = true;
 };
 pruneOpts = [
- "--keep-last 24"
- "--keep-hourly 24"
+ "--keep-last 8"
 "--keep-daily 7"
 "--keep-weekly 5"
 "--keep-monthly 12"
From 985b617be1dd0e61882d884ba56034594c8748df Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 19 Jun 2026 10:26:14 +1000
Subject: [PATCH 06/17] system/tailscale: filter out derp warning spam
---
 modules/system/tailscale.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index 5e3e044..16205f9 100644
--- a/modules/system/tailscale.nix
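Review bot: The `pruneOpts` list in the PATCH 05 hunk means this one unit both writes snapshots and applies the retention policy, so the credentials in `restic_env` and `restic_pass` on alyssum must be able to delete repository data. Anyone who gains root on that host can then remove the backup history along with the live data, which deserves at least a comment above `pruneOpts`. If the storage backend offers an append-only credential, consider using it for this job and running the retention from a separate trusted machine; whether the backend supports that is not visible here. The enclosing `services.restic.backups."flower"` block starts outside the hunk.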
+++ b/modules/system/tailscale.nix
@@ -10,4 +10,7 @@
 openFirewall = true;
 useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
 };
+ systemd.services.tailscaled.serviceConfig.LogFilterPatterns = [
+ "~magicsock.*does not know about peer.*removing route"
+ ];
 }
From ac2690c9738a51f0e7dc5b85d9ad4e8731120f5b Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Fri, 19 Jun 2026 10:37:25 +1000
Subject: [PATCH 07/17] alyssum/snapper: init
---
 hosts/alyssum/default.nix | 1 +
 hosts/alyssum/restic.nix | 1 +
 hosts/alyssum/snapper.nix | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 hosts/alyssum/snapper.nix
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 255380a..870915a 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -37,6 +37,7 @@
 ./networking.nix
 ./restic.nix
 ./samba.nix
+ ./snapper.nix
 ../../users/hana
 ];
diff --git a/hosts/alyssum/restic.nix b/hosts/alyssum/restic.nix
index b355589..f5268b7 100644
--- a/hosts/alyssum/restic.nix
+++ b/hosts/alyssum/restic.nix
@@ -13,6 +13,7 @@
 repositoryFile = config.age.secrets.restic_url.path;
 paths = ["/flower"];
+ exclude = ["/.snapshots"];
 timerConfig = {
 # every 6 hours
 OnCalendar = "*-*-* 00,06,12,18:00:00";
diff --git a/hosts/alyssum/snapper.nix b/hosts/alyssum/snapper.nix
new file mode 100644
index 0000000..0196fe6
--- /dev/null
+++ b/hosts/alyssum/snapper.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ services.snapper = {
+ cleanupInterval = "1h";
+ persistentTimer = true;
+ snapshotInterval = "*-*-* *:00,30:00";
+ configs.home = {
+ FSTYPE = "btrfs";
+ SUBVOLUME = "/flower";
+ TIMELINE_CLEANUP = true;
+ TIMELINE_CREATE = true;
+ TIMELINE_MIN_AGE = "86400";
+ TIMELINE_LIMIT_HOURLY = "24";
+ TIMELINE_LIMIT_DAILY = "7";
+ TIMELINE_LIMIT_WEEKLY = "5";
+ TIMELINE_LIMIT_MONTHLY = "3";
+ TIMELINE_LIMIT_YEARLY = "0";
+ };
+ };
+}
From 4b2270e57aac31a021d644f55a64087f82485e96 Mon Sep 17 00:00:00 2001
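Review bot: The `LogFilterPatterns` entry added to modules/system/tailscale.nix carries no comment saying why the message is dropped, and a pattern starting with `~` discards matching lines before they are stored, so they cannot be recovered from the journal later. I would add `# drop repeated magicsock route-removal warnings; matching lines are not kept in the journal` above the list so the suppression reads as intentional. The pattern itself is narrow enough; keep it that way if more entries are added.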
From: Cilly Leang
Date: Fri, 19 Jun 2026 10:46:10 +1000
Subject: [PATCH 08/17] alyssum/restic: ignore snapshots correctly
---
 hosts/alyssum/restic.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/alyssum/restic.nix b/hosts/alyssum/restic.nix
index f5268b7..d84489c 100644
--- a/hosts/alyssum/restic.nix
+++ b/hosts/alyssum/restic.nix
@@ -13,7 +13,7 @@
 repositoryFile = config.age.secrets.restic_url.path;
 paths = ["/flower"];
- exclude = ["/.snapshots"];
+ exclude = ["/flower/.snapshots"];
 timerConfig = {
 # every 6 hours
 OnCalendar = "*-*-* 00,06,12,18:00:00";
From d2fbc73636788a4f4629177c4cde90928ba18754 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 20 Jun 2026 18:03:00 +1000
Subject: [PATCH 09/17] alyssum/restic: ignore all bind mounts
---
 hosts/alyssum/restic.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hosts/alyssum/restic.nix b/hosts/alyssum/restic.nix
index d84489c..eec0979 100644
--- a/hosts/alyssum/restic.nix
+++ b/hosts/alyssum/restic.nix
@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, lib, ... }: {
 age.secrets.restic_env.file = ../../secrets/restic_env.age;
 age.secrets.restic_pass.file = ../../secrets/restic_pass.age;
 age.secrets.restic_url.file = ../../secrets/restic_url.age;
@@ -13,7 +13,8 @@
 repositoryFile = config.age.secrets.restic_url.path;
 paths = ["/flower"];
- exclude = ["/flower/.snapshots"];
+ exclude = ["/flower/.snapshots"]
+ ++ builtins.filter (x: lib.strings.hasPrefix "/flower" x) (builtins.attrNames config.me.binds);
 timerConfig = {
 # every 6 hours
 OnCalendar = "*-*-* 00,06,12,18:00:00";
From aab4da94fa342f82f6a948f12c5a0f2ac8f65683 Mon Sep 17 00:00:00 2001
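Review bot: In the second hunk of PATCH 09 the filter `lib.strings.hasPrefix "/flower" x` compares against the bare string, so a bind target named `/flowers` or `/flower-old` would also land in `exclude`; `lib.strings.hasPrefix "/flower/" x` matches only paths below the backup root. The list is built from every key of `config.me.binds`, so any bind later mounted under /flower silently drops out of the backup. A comment such as `# skip bind-mount targets under /flower; their contents live elsewhere` above the `++` line would record that this is intended. The enclosing `services.restic.backups."flower"` block runs past the hunk.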
From: Cilly Leang
Date: Sat, 20 Jun 2026 18:47:01 +1000
Subject: [PATCH 10/17] alyssum/immich: init
---
 containers/emerald/flake.nix | 2 +-
 hosts/alyssum/default.nix | 1 +
 hosts/alyssum/immich.nix | 28 ++++++++++++++++++++++++++++
 hosts/alyssum/networking.nix | 1 +
 modules/options.nix | 4 ++++
 5 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 hosts/alyssum/immich.nix
diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix
index 5ee69e4..38a52b2 100644
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@@ -39,7 +39,7 @@
 useACMEHost = "lava.moe";
 forceSSL = true;
 locations."/".proxyPass = "http://[${client}]:4533";
- listenAddresses = [ "100.67.2.1" ];
+ listenAddresses = config.me.localAddrs;
 };
 systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 870915a..eedcc2c 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -34,6 +34,7 @@
 ./filesystem.nix
 ./kernel.nix
 ./home.syncthing.nix
+ ./immich.nix
 ./networking.nix
 ./restic.nix
 ./samba.nix
diff --git a/hosts/alyssum/immich.nix b/hosts/alyssum/immich.nix
new file mode 100644
index 0000000..f6767ba
--- /dev/null
+++ b/hosts/alyssum/immich.nix
@@ -0,0 +1,28 @@
+{ config, ... }: {
+ services.immich = {
+ enable = true;
+ accelerationDevices = null;
+ settings.server.externalDomain = "https://photos.lava.moe";
+ };
+
+ me.binds."/var/lib/immich" = "immich";
+ hardware.graphics.enable = true;
+ users.users.immich.extraGroups = [ "video" "render" ];
+
+ services.nginx.virtualHosts."photos.lava.moe" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+ listenAddresses = config.me.localAddrs;
+
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.immich.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
+}
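Review bot: `accelerationDevices = null;` in the new hosts/alyssum/immich.nix gives the immich units access to all devices rather than a chosen few, as far as I know the module's semantics (an empty list isolates the service from devices, `null` lifts the restriction). The service parses uploaded media and should only need the GPU render node for transcoding, so list the device explicitly, for example `accelerationDevices = [ "/dev/dri/renderD128" ];` after checking which node exists on alyssum. The `video` and `render` group membership added two lines below can stay as it is.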
diff --git a/hosts/alyssum/networking.nix b/hosts/alyssum/networking.nix
index 281cbb6..c25c21f 100644
--- a/hosts/alyssum/networking.nix
+++ b/hosts/alyssum/networking.nix
@@ -12,4 +12,5 @@
 defaultGateway = "192.168.1.1";
 nameservers = [ "8.8.8.8" "8.8.4.4" ];
 };
+ me.localAddrs = [ "100.67.2.1" ];
 }
diff --git a/modules/options.nix b/modules/options.nix
index e861c12..0ec037f 100644
--- a/modules/options.nix
+++ b/modules/options.nix
@@ -49,5 +49,9 @@ in {
 type = with lib.types; attrsOf str;
 default = {};
 };
+
+ localAddrs = lib.mkOption {
+ type = with lib.types; listOf str;
+ };
 };
 }
From fc880328bcc37a41d466063fe5c494988a526936 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 20 Jun 2026 19:06:19 +1000
Subject: [PATCH 11/17] alyssum/immich: refine data directories
---
 hosts/alyssum/immich.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hosts/alyssum/immich.nix b/hosts/alyssum/immich.nix
index f6767ba..e806916 100644
--- a/hosts/alyssum/immich.nix
+++ b/hosts/alyssum/immich.nix
@@ -5,7 +5,10 @@
 settings.server.externalDomain = "https://photos.lava.moe";
 };
- me.binds."/var/lib/immich" = "immich";
+ me.binds."/var/lib/immich" = "/flower/immich";
+ me.binds."/flower/immich/encoded-video" = "immich/encoded-video";
+ me.binds."/flower/immich/profile" = "immich/profile";
+ me.binds."/flower/immich/thumbs" = "immich/thumbs";
 hardware.graphics.enable = true;
 users.users.immich.extraGroups = [ "video" "render" ];
From 59a6e63c6a243849107be7227f730cce5c83cc4e Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 20 Jun 2026 19:08:55 +1000
Subject: [PATCH 12/17] alyssum/immich: fixup paths
---
 hosts/alyssum/immich.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hosts/alyssum/immich.nix b/hosts/alyssum/immich.nix
index e806916..dbf6761 100644
--- a/hosts/alyssum/immich.nix
+++ b/hosts/alyssum/immich.nix
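Review bot: The new `localAddrs` option in modules/options.nix has no `description`, and nothing stops a host from setting it to `[ ]`. That matters because the two vhosts touched in PATCH 10 pass it straight to `listenAddresses`, and with an empty list nginx falls back to its default listen addresses, meaning every interface, which would expose the internal sites. Leaving the option without a default is the safe choice, since an unset value fails evaluation; I would add a description and tighten the type to `type = with lib.types; nonEmptyListOf str;`. The option set continues outside the hunk.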
@@ -6,9 +6,9 @@
 };
 me.binds."/var/lib/immich" = "/flower/immich";
- me.binds."/flower/immich/encoded-video" = "immich/encoded-video";
- me.binds."/flower/immich/profile" = "immich/profile";
- me.binds."/flower/immich/thumbs" = "immich/thumbs";
+ me.binds."/var/lib/immich/encoded-video" = "immich/encoded-video";
+ me.binds."/var/lib/immich/profile" = "immich/profile";
+ me.binds."/var/lib/immich/thumbs" = "immich/thumbs";
 hardware.graphics.enable = true;
 users.users.immich.extraGroups = [ "video" "render" ];
From 6c83cb4e67620b4fce2b150cd05dfe7cb7027106 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 20 Jun 2026 19:26:13 +1000
Subject: [PATCH 13/17] alyssum/immich: enable public proxy
---
 hosts/alyssum/immich.nix | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/hosts/alyssum/immich.nix b/hosts/alyssum/immich.nix
index dbf6761..8da6b00 100644
--- a/hosts/alyssum/immich.nix
+++ b/hosts/alyssum/immich.nix
@@ -1,8 +1,17 @@
-{ config, ... }: {
+{ config, ... }:
+let
+ fqdn = "photos.lava.moe";
+ shareFqdn = "memo.lava.moe";
+in {
 services.immich = {
 enable = true;
 accelerationDevices = null;
- settings.server.externalDomain = "https://photos.lava.moe";
+ settings.server.externalDomain = "https://${shareFqdn}";
+ };
+
+ services.immich-public-proxy = {
+ enable = true;
+ immichUrl = "https://${fqdn}";
 };
 me.binds."/var/lib/immich" = "/flower/immich";
@@ -12,7 +21,7 @@
 hardware.graphics.enable = true;
 users.users.immich.extraGroups = [ "video" "render" ];
- services.nginx.virtualHosts."photos.lava.moe" = {
+ services.nginx.virtualHosts."${fqdn}" = {
 useACMEHost = "lava.moe";
 forceSSL = true;
 listenAddresses = config.me.localAddrs;
@@ -28,4 +37,20 @@
 '';
 };
 };
+
+ services.nginx.virtualHosts."${shareFqdn}" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.immich-public-proxy.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
 }
From c148518a34751e172ddaaefc2e51209696f677f2 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 20 Jun 2026 19:38:31 +1000
Subject: [PATCH 14/17] alyssum/immich: move public proxy to dandelion
---
 hosts/alyssum/immich.nix | 21 ---------------------
 hosts/dandelion/default.nix | 1 +
 hosts/dandelion/immich-proxy.nix | 26 ++++++++++++++++++++++++++
 3 files changed, 27 insertions(+), 21 deletions(-)
 create mode 100644 hosts/dandelion/immich-proxy.nix
diff --git a/hosts/alyssum/immich.nix b/hosts/alyssum/immich.nix
index 8da6b00..555da39 100644
--- a/hosts/alyssum/immich.nix
+++ b/hosts/alyssum/immich.nix
@@ -9,11 +9,6 @@ in {
 settings.server.externalDomain = "https://${shareFqdn}";
 };
- services.immich-public-proxy = {
- enable = true;
- immichUrl = "https://${fqdn}";
- };
-
 me.binds."/var/lib/immich" = "/flower/immich";
 me.binds."/var/lib/immich/encoded-video" = "immich/encoded-video";
 me.binds."/var/lib/immich/profile" = "immich/profile";
@@ -37,20 +32,4 @@ in {
 '';
 };
 };
-
- services.nginx.virtualHosts."${shareFqdn}" = {
- useACMEHost = "lava.moe";
- forceSSL = true;
-
- locations."/" = {
- proxyPass = "http://[::1]:${toString config.services.immich-public-proxy.port}";
- proxyWebsockets = true;
- extraConfig = ''
- client_max_body_size 50000M;
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- send_timeout 600s;
- '';
- };
- };
 }
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index f65dfd1..37f2f14 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
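Review bot: The `${shareFqdn}` vhost added in PATCH 13, and carried over unchanged into hosts/dandelion/immich-proxy.nix by PATCH 14, copies `client_max_body_size 50000M;` and the 600s timeouts from the private vhost, but unlike that one it sets no `listenAddresses`, so it answers on every interface. On what is presumably the internet-facing share endpoint, a body limit of about 50 GB and ten-minute timeouts let any client tie up buffer space and worker connections cheaply. If shared links are only viewed, drop the `extraConfig` block so the nginx defaults apply; if guests may upload, size the limit to that, for example `client_max_body_size 100M;`.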
@@ -34,6 +34,7 @@
 ./filesystem.nix
 ./kernel.nix
+ ./immich-proxy.nix
 ./networking.nix
 ./nginx.nix
diff --git a/hosts/dandelion/immich-proxy.nix b/hosts/dandelion/immich-proxy.nix
new file mode 100644
index 0000000..037cb08
--- /dev/null
+++ b/hosts/dandelion/immich-proxy.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+let
+ fqdn = "photos.lava.moe";
+ shareFqdn = "memo.lava.moe";
+in {
+ services.immich-public-proxy = {
+ enable = true;
+ immichUrl = "https://${fqdn}";
+ };
+
+ services.nginx.virtualHosts."${shareFqdn}" = {
+ useACMEHost = "lava.moe";
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.immich-public-proxy.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
+}
From 4e4781f5c4797b5cd554b4fcadc95baf2d125819 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sat, 20 Jun 2026 20:20:36 +1000
Subject: [PATCH 15/17] alyssum/immich: add binds
---
 hosts/alyssum/immich.nix | 4 +++-
 secrets.gcrypt/shared.json | Bin 327 -> 591 bytes
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/hosts/alyssum/immich.nix b/hosts/alyssum/immich.nix
index 555da39..1808857 100644
--- a/hosts/alyssum/immich.nix
+++ b/hosts/alyssum/immich.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, gcSecrets, ... }:
 let
 fqdn = "photos.lava.moe";
 shareFqdn = "memo.lava.moe";
@@ -13,6 +13,8 @@ in {
 me.binds."/var/lib/immich/encoded-video" = "immich/encoded-video";
 me.binds."/var/lib/immich/profile" = "immich/profile";
 me.binds."/var/lib/immich/thumbs" = "immich/thumbs";
+ me.binds."/var/lib/immich/external/1" = gcSecrets.binds."immich/external/1";
+ me.binds."/var/lib/immich/external/2" = gcSecrets.binds."immich/external/2";
 hardware.graphics.enable = true;
 users.users.immich.extraGroups = [ "video" "render" ];
diff --git a/secrets.gcrypt/shared.json b/secrets.gcrypt/shared.json index 21378e76b52316e7dbd9edcc0a2a90ede9921f9a..9ae51609dad901a146577b26cd55d4f540d8b129 100644 GIT binary patch literal 591 zcmZQ@_Y83kiVO&0aDTS_ENj>DQ!}y(o;*3#vx8@|NPfBOm!2}a(+@TM_Ucyn{)n*r z-xzjLdfQ^7T(-v4FPneKm49x^@jb^RwPSkRH)ffGzINTw)l4g2^FK3Or1`+{w(6Hz zg3E5s(^9j$RQrF?vzGK^L>s&OJ zD&(qiIfnl~d&JCW`&&WDTBeMSC_$?mk$3M(-0=Us&WsK z(w=`c6H52+^3S=oZ2Kh6n)4@*f6RQ#Y1#5+Y2C7i%$px2ZjWV>)x1&N@v`E;n-D=R z)dL1KRmW{BALL8(X%xR{+c#6GDyFD>a&HT<= zMY3nf*(s<8u=Brn@qStFufp+irtvl>!=U9iUwo7N+Z&OlqVA*e*HPCnXr|t&#uWR6 zxRW8Rl3gngl{Sc5D5?K?uQ$tMo5KHNn~s)CN3^O}o?ctKP1G>oNaDibht~E>R@(1K z-1)ldR%*3R)i zDs)(HWwnO#^F`}2;`^WfTh8}(!jjjsbJ%&xmWuoin&Edm%O%st^?=`&xf~L=dHwwq z9sludnZDYsXRmA9X}gpy-92j0njXt3e+#UV-*qB%{(b)$hy9oN_Dt5Au|+KI^bd*6 zEqA=`-%)fqK3o2EALrGCJ^r*V((Q^;^pjctI5#f+$~4EqRZ#ZQj%O>^EMwlp_r*zqAHIE7=GJtstopT-;r*kA{w+T Date: Sat, 20 Jun 2026 20:26:10 +1000 Subject: [PATCH 16/17] alyssum/immich: reconfig binds --- hosts/alyssum/immich.nix | 4 ++-- secrets.gcrypt/shared.json | Bin 591 -> 595 bytes 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/alyssum/immich.nix b/hosts/alyssum/immich.nix index 1808857..06515bb 100644 --- a/hosts/alyssum/immich.nix +++ b/hosts/alyssum/immich.nix @@ -13,8 +13,8 @@ in { me.binds."/var/lib/immich/encoded-video" = "immich/encoded-video"; me.binds."/var/lib/immich/profile" = "immich/profile"; me.binds."/var/lib/immich/thumbs" = "immich/thumbs"; - me.binds."/var/lib/immich/external/1" = gcSecrets.binds."immich/external/1"; - me.binds."/var/lib/immich/external/2" = gcSecrets.binds."immich/external/2"; + me.binds."/mnt/immich_external/1/1" = gcSecrets.binds."immich/external/1/1"; + me.binds."/mnt/immich_external/1/2" = gcSecrets.binds."immich/external/1/2"; hardware.graphics.enable = true; users.users.immich.extraGroups = [ "video" "render" ]; 
diff --git a/secrets.gcrypt/shared.json b/secrets.gcrypt/shared.json index 9ae51609dad901a146577b26cd55d4f540d8b129..824e57e4ac27ed312fa4ce8b657c2463cc71c35e 100644 GIT binary patch literal 595 zcmZQ@_Y83kiVO&0ND_T}y4tJoo73}8kSgIyGnLPPR>NWRAYC@tb`QPE*B{y zi5K5YbpXvT3wRA7l&{3ec@juTDSb=751_(;v$+Cw_Q2B zp(pRG{&J7ZxxNoW^aK8XUF>##=K8t!I&T^lhDaU?xt4L_Yxb;JZ(HUte?0%Mb4_5g z5_eZOcl)i!Dz^)3zh=6eXgU0DnTmMZJyq_I6s0vT9DKVn&&|+ZGpFCqL&5p)Kb3$$ zhJVc`Q!mH=$QF0oxGR344HNqX=0$b79nn|PpQz3*GCwutk#pAk9RZW)w#hUum^8y! zXIAh<<{K^yLi+^DYBHqPm9EuGvpD$PUOncJXd%y$FAIgA&-!q0Nz@Bpy+=i}nib#3 z#@u<$wm;V6exIv+WXiuK*Msy8d4E1w?wo$~_S>9V&w}J8i!J+D=30jB|J>TM$v?qO z-8uQfok{;0W_mB4%zNf*J^wYineIul%s!KkPn+hFKJVfF++VxB`&j#PuJbXj?vxgZ z+DQ!}y(o;*3#vx8@|NPfBOm!2}a(+@TM_Ucyn{)n*r z-xzjLdfQ^7T(-v4FPneKm49x^@jb^RwPSkRH)ffGzINTw)l4g2^FK3Or1`+{w(6Hz zg3E5s(^9j$RQrF?vzGK^L>s&OJ zD&(qiIfnl~d&JCW`&&WDTBeMSC_$?mk$3M(-0=Us&WsK z(w=`c6H52+^3S=oZ2Kh6n)4@*f6RQ#Y1#5+Y2C7i%$px2ZjWV>)x1&N@v`E;n-D=R z)dL1KRmW{BALL8(X%xR{+c#6GDyFD>a&HT<= zMY3nf*(s<8u=Brn@qStFufp+irtvl>!=U9iUwo7N+Z&OlqVA*e*HPCnXr|t&#uWR6 zxRW8Rl3gngl{Sc5D5?K?uQ$tMo5KHNn~s)CN3^O}o?ctKP1G>oNaDibht~E>R@(1K z-1)ldR Date: Sat, 20 Jun 2026 20:39:58 +1000 Subject: [PATCH 17/17] alyssum/filesystem: add some mounts --- hosts/alyssum/filesystem.nix | 4 +++- secrets.gcrypt/shared.json | Bin 595 -> 765 bytes 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts/alyssum/filesystem.nix b/hosts/alyssum/filesystem.nix index bdea423..c40d2b2 100644 --- a/hosts/alyssum/filesystem.nix +++ b/hosts/alyssum/filesystem.nix @@ -1,4 +1,4 @@ -{ ... }: +{ gcSecrets, ... }: let bind = src: { depends = [ "/nix" ]; @@ -32,4 +32,6 @@ in { "/persist/.snapshots" = submount "/snap/persist" false; "/var/log/journal" = bind "/persist/journal"; }; + + me.binds."${gcSecrets.binds."navi/1a"}" = gcSecrets.binds."navi/1b"; } 
diff --git a/secrets.gcrypt/shared.json b/secrets.gcrypt/shared.json index 824e57e4ac27ed312fa4ce8b657c2463cc71c35e..b4338c2ddcc55465800cca2ca83aac16852d438a 100644 GIT binary patch literal 765 zcmZQ@_Y83kiVO&0NDZCE&+DXi&bv@3v2pTJf2~|g^R)7U_a_hQhr47~KXhBRaz)Ia z8*Hac=fde#cR$jyyv4 zKRz9|7GEYIXnn-7#F1y4zfOUMm}Jl4>f2E-XTLTp;9pVOu|76gV8MFLb5(nmHrf1o z?w@csTE}gX$njf8zG*y};XCo1K|aUz>51-(&d+bFe4~{2V0ZCN?>Dx4?%8`~>^LSY zv;V4tof7N!uT?GXf~xsSXA?KMah~&ja9M4t(z&#AXCvzcEEYv1t6F_9{}wOz+zaT>3!d?S07ip&)!(5-DCjYaBPs0{@32c{r zHR02tqb%PXs@GizmAj+3Eo$|vng3SY6IyL_(z$uPKHDslqglQ${MN`Bu;#cae%D<5 zw267~X3Gsb*0);g`!RhzGVhsnh}Vo*?0cVY8?E7sn8vcoY^l%#SgIyGnLPPR>NWRAYC@tb`QPE*B{y zi5K5YbpXvT3wRA7l&{3ec@juTDSb=751_(;v$+Cw_Q2B zp(pRG{&J7ZxxNoW^aK8XUF>##=K8t!I&T^lhDaU?xt4L_Yxb;JZ(HUte?0%Mb4_5g z5_eZOcl)i!Dz^)3zh=6eXgU0DnTmMZJyq_I6s0vT9DKVn&&|+ZGpFCqL&5p)Kb3$$ zhJVc`Q!mH=$QF0oxGR344HNqX=0$b79nn|PpQz3*GCwutk#pAk9RZW)w#hUum^8y! zXIAh<<{K^yLi+^DYBHqPm9EuGvpD$PUOncJXd%y$FAIgA&-!q0Nz@Bpy+=i}nib#3 z#@u<$wm;V6exIv+WXiuK*Msy8d4E1w?wo$~_S>9V&w}J8i!J+D=30jB|J>TM$v?qO z-8uQfok{;0W_mB4%zNf*J^wYineIul%s!KkPn+hFKJVfF++VxB`&j#PuJbXj?vxgZ z+