alyssum/filesystem: add some mounts

alyssum/immich: reconfig binds
alyssum/immich: add binds
2026-06-20 20:39:58 +10:00 · 2026-06-20 20:26:10 +10:00 · 2026-06-20 20:20:36 +10:00 · 2026-06-20 19:38:31 +10:00 · 2026-06-20 19:26:13 +10:00 · 2026-06-20 19:08:55 +10:00
17 changed files with 154 additions and 3 deletions
--- a/containers/emerald/flake.nix
+++ b/containers/emerald/flake.nix
@ -39,7 +39,7 @@
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://[${client}]:4533";
-        listenAddresses = [ "100.67.2.1" ];
+        listenAddresses = config.me.localAddrs;
      };

      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@ -33,9 +33,12 @@

    ./filesystem.nix
    ./kernel.nix
-    ./networking.nix
    ./home.syncthing.nix
+    ./immich.nix
+    ./networking.nix
+    ./restic.nix
    ./samba.nix
+    ./snapper.nix

    ../../users/hana
  ];
--- a/hosts/alyssum/filesystem.nix
+++ b/hosts/alyssum/filesystem.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ gcSecrets, ... }:
 let
  bind = src: {
    depends = [ "/nix" ];
@ -32,4 +32,6 @@ in {
    "/persist/.snapshots" = submount "/snap/persist" false;
    "/var/log/journal" = bind "/persist/journal";
  };
+
+  me.binds."${gcSecrets.binds."navi/1a"}" = gcSecrets.binds."navi/1b";
 }
--- a/hosts/alyssum/immich.nix
+++ b/hosts/alyssum/immich.nix
@ -0,0 +1,37 @@
+{ config, gcSecrets, ... }:
+let
+  fqdn = "photos.lava.moe";
+  shareFqdn = "memo.lava.moe";
+in {
+  services.immich = {
+    enable = true;
+    accelerationDevices = null;
+    settings.server.externalDomain = "https://${shareFqdn}";
+  };
+
+  me.binds."/var/lib/immich" = "/flower/immich";
+  me.binds."/var/lib/immich/encoded-video" = "immich/encoded-video";
+  me.binds."/var/lib/immich/profile" = "immich/profile";
+  me.binds."/var/lib/immich/thumbs" = "immich/thumbs";
+  me.binds."/mnt/immich_external/1/1" = gcSecrets.binds."immich/external/1/1";
+  me.binds."/mnt/immich_external/1/2" = gcSecrets.binds."immich/external/1/2";
+  hardware.graphics.enable = true;
+  users.users.immich.extraGroups = [ "video" "render" ];
+
+  services.nginx.virtualHosts."${fqdn}" = {
+    useACMEHost = "lava.moe";
+    forceSSL = true;
+    listenAddresses = config.me.localAddrs;
+
+    locations."/" = {
+      proxyPass = "http://[::1]:${toString config.services.immich.port}";
+      proxyWebsockets = true;
+      extraConfig = ''
+        client_max_body_size 50000M;
+        proxy_read_timeout   600s;
+        proxy_send_timeout   600s;
+        send_timeout         600s;
+      '';
+    };
+  };
+}
--- a/hosts/alyssum/networking.nix
+++ b/hosts/alyssum/networking.nix
@ -12,4 +12,5 @@
    defaultGateway = "192.168.1.1";
    nameservers = [ "8.8.8.8" "8.8.4.4" ];
  };
+  me.localAddrs = [ "100.67.2.1" ];
 }
--- a/hosts/alyssum/restic.nix
+++ b/hosts/alyssum/restic.nix
@ -0,0 +1,31 @@
+{ config, lib, ... }: {
+  age.secrets.restic_env.file = ../../secrets/restic_env.age;
+  age.secrets.restic_pass.file = ../../secrets/restic_pass.age;
+  age.secrets.restic_url.file = ../../secrets/restic_url.age;
+
+  services.restic.backups."flower" = {
+    initialize = true;
+    createWrapper = true;
+    progressFps = 0.016666;
+
+    environmentFile = config.age.secrets.restic_env.path;
+    passwordFile = config.age.secrets.restic_pass.path;
+    repositoryFile = config.age.secrets.restic_url.path;
+
+    paths = ["/flower"];
+    exclude = ["/flower/.snapshots"]
+    ++ builtins.filter (x: lib.strings.hasPrefix "/flower" x) (builtins.attrNames config.me.binds);
+    timerConfig = {
+      # every 6 hours
+      OnCalendar = "*-*-* 00,06,12,18:00:00";
+      Persistent = true;
+    };
+    pruneOpts = [
+      "--keep-last 8"
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 12"
+      "--keep-yearly 75"
+    ];
+  };
+}
--- a/hosts/alyssum/snapper.nix
+++ b/hosts/alyssum/snapper.nix
@ -0,0 +1,19 @@
+{ ... }: {
+  services.snapper = {
+    cleanupInterval = "1h";
+    persistentTimer = true;
+    snapshotInterval = "*-*-* *:00,30:00";
+    configs.home = {
+      FSTYPE = "btrfs";
+      SUBVOLUME = "/flower";
+      TIMELINE_CLEANUP = true;
+      TIMELINE_CREATE = true;
+      TIMELINE_MIN_AGE = "86400";
+      TIMELINE_LIMIT_HOURLY = "24";
+      TIMELINE_LIMIT_DAILY = "7";
+      TIMELINE_LIMIT_WEEKLY = "5";
+      TIMELINE_LIMIT_MONTHLY = "3";
+      TIMELINE_LIMIT_YEARLY = "0";
+    };
+  };
+}
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -34,6 +34,7 @@

    ./filesystem.nix
    ./kernel.nix
+    ./immich-proxy.nix
    ./networking.nix
    ./nginx.nix

--- a/hosts/dandelion/immich-proxy.nix
+++ b/hosts/dandelion/immich-proxy.nix
@ -0,0 +1,26 @@
+{ config, ... }:
+let
+  fqdn = "photos.lava.moe";
+  shareFqdn = "memo.lava.moe";
+in {
+  services.immich-public-proxy = {
+    enable = true;
+    immichUrl = "https://${fqdn}";
+  };
+
+  services.nginx.virtualHosts."${shareFqdn}" = {
+    useACMEHost = "lava.moe";
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://[::1]:${toString config.services.immich-public-proxy.port}";
+      proxyWebsockets = true;
+      extraConfig = ''
+        client_max_body_size 50000M;
+        proxy_read_timeout   600s;
+        proxy_send_timeout   600s;
+        send_timeout         600s;
+      '';
+    };
+  };
+}
--- a/modules/options.nix
+++ b/modules/options.nix
@ -49,5 +49,9 @@ in {
      type = with lib.types; attrsOf str;
      default = {};
    };
+
+    localAddrs = lib.mkOption {
+      type = with lib.types; listOf str;
+    };
  };
 }
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@ -10,4 +10,7 @@
    openFirewall = true;
    useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
  };
+  systemd.services.tailscaled.serviceConfig.LogFilterPatterns = [
+    "~magicsock.*does not know about peer.*removing route"
+  ];
 }
--- a/modules/user/git.nix
+++ b/modules/user/git.nix
@ -11,6 +11,7 @@
      core.abbrev = 11;
      safe.directory = "/home/rin/Projects/flakes";
      init.defaultBranch = "master";
+      push.autoSetupRemote = true;
    };
  };
 }
--- a/secrets.gcrypt/shared.json
+++ b/secrets.gcrypt/shared.json
--- a/secrets.nix
+++ b/secrets.nix
@ -12,6 +12,10 @@ in {
  "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ];
  "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];

+  "secrets/restic_env.age".publicKeys = [ alyssum dandelion rin ];
+  "secrets/restic_pass.age".publicKeys = [ alyssum dandelion rin ];
+  "secrets/restic_url.age".publicKeys = [ alyssum dandelion rin ];
+
  "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];
  "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ];
  "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ];
--- a/secrets/restic_env.age
+++ b/secrets/restic_env.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw CYNG6K56RVMY5KP3vTczaCG9DVL3Ryv7QtqRzrdONh4
+VKH43RjHzP2TcyK8bEO8pZzZZeXqNXEDNq4JCkhMXlQ
+-> ssh-ed25519 bRFqeQ AmuEljYrO5qqhaJQONYxQZTlaid2qNt+kktiMRDSKl4
+u+KzYFuEx+UCBfdcpup0fbEp1vGMP24nE3MwvcjhTSc
+-> ssh-ed25519 U9FXlg IKN6gdqtD0FDOBk5vXuLD7AYuRtCGsIe5CYMJwyvcG4
+f5lkALvyjz1X94JmnG4u9kZ0S1TgZeBv+uxumFPChzQ
+--- 3LBfI6E7NfSK1F42/cQkUzrpry6OWCeW/67YOpZe00k
+8Ä<EFBFBD>gé†Òî9(<Ý9OT.L_C2ûXT¿1Lô‡=¨3ÓÞØWCÓo¾ze?4ƒsUÁ.Ã<zø¤ëI…ºèyŠÔÕ,bPü?žžå(Òb»¬?7„é„dÕƒU€*-<Ãòì¤¯aDÖ<44>‰±éþ^,?3¼Ü	ðE²ább«
+vHÇ
--- a/secrets/restic_pass.age
+++ b/secrets/restic_pass.age
--- a/secrets/restic_url.age
+++ b/secrets/restic_url.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw l9/BY4rhuzGl/MRKjJ6Hyz2AGpsIZlDojQhSzJ8IxzY
+tEGqxZOEWHZvTazrDoC4uTOyuT7fgRKXxumxpjdE89o
+-> ssh-ed25519 bRFqeQ XQ1wRRwOP1bIiEX/Dh4tkHB3vF1OdZcLNTtVVM1oWgU
+S6qXQsPNY0bGaUz+iLoJ0GBL26FtM4h/sgxqvIwOS3g
+-> ssh-ed25519 U9FXlg pmY+R/M38tLi1dq2ll9FDv6uaGv8XlkE99NoAemtlGY
+FGZodar5ESxmOZYDZ0F8P1FXNzkEpqT6jyJgzY5wLc0
+--- ig7eZey8XraBclyUEJRv1lJUyiOjqsfGc8Q+jjbAuvQ
+e˜Ä¶Š@‰zYþäö¶µtÒÁØ÷Vï4%s29>§íªéÿé–‡(<28>y8Â% ªj|PÓÑ¨:»©<C2BB>:å-˜Y´I±Òä )CÌ¹ÝI%yÙ¸:îLC¯f¨q_
Author	SHA1	Message	Date
Cilly Leang	912aafb196	alyssum/filesystem: add some mounts Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-20 20:39:58 +10:00
Cilly Leang	cc39c927d9	alyssum/immich: reconfig binds Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-20 20:26:10 +10:00
Cilly Leang	4e4781f5c4	alyssum/immich: add binds Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-20 20:20:36 +10:00
Cilly Leang	c148518a34	alyssum/immich: move public proxy to dandelion Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-20 19:38:31 +10:00
Cilly Leang	6c83cb4e67	alyssum/immich: enable public proxy Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-20 19:26:13 +10:00
Cilly Leang	59a6e63c6a	alyssum/immich: fixup paths Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-20 19:08:55 +10:00
Cilly Leang	fc880328bc	alyssum/immich: refine data directories Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-20 19:06:19 +10:00
Cilly Leang	aab4da94fa	alyssum/immich: init Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-20 18:47:01 +10:00
Cilly Leang	d2fbc73636	alyssum/restic: ignore all bind mounts Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-20 18:03:00 +10:00
Cilly Leang	4b2270e57a	alyssum/restic: ignore snapshots correctly Some checks failed CI / Build linux-lava for x86_64-linux (push) Has been cancelled Details	2026-06-19 10:46:10 +10:00
Cilly Leang	ac2690c973	alyssum/snapper: init Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-19 10:37:25 +10:00
Cilly Leang	985b617be1	system/tailscale: filter out derp warning spam	2026-06-19 10:26:14 +10:00
Cilly Leang	d64c23ce97	alyssum/restic: backup less frequently	2026-06-19 10:20:00 +10:00
Cilly Leang	3f175d1b96	alyssum/restic: use float for progressfps Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-19 09:59:59 +10:00
Cilly Leang	e8b675e606	alyssum/restic: use correct opt name Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details oopsie woopsie	2026-06-19 09:59:22 +10:00
Cilly Leang	9724f1d731	user/git: enable push.autoSetupRemote Some checks are pending CI / Build linux-lava for x86_64-linux (push) Waiting to run Details	2026-06-19 09:55:28 +10:00
Cilly Leang	49bc50ae39	alyssum/restic: init	2026-06-19 09:54:05 +10:00