Add immich module

Flake lock file updates:

• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/3867348fa92bc892eba5d9ddb2d7a97b9e127a8a' (2024-06-12)
  → 'github:serokell/deploy-rs/aa07eb05537d4cd025e2310397a6adcedfe72c76' (2024-09-27)
• Updated input 'disko':
    'github:nix-community/disko/c1c472f4cd91e4b0703e02810a8c7ed30186b6fa' (2024-09-25)
  → 'github:nix-community/disko/67dc29be3036cc888f0b9d4f0a788ee0f6768700' (2024-09-26)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/d0cb432a9d28218df11cbd77d984a2a46caeb5ac' (2024-09-22)
  → 'github:NixOS/nixos-hardware/d830ad47cc992b4a46b342bbc79694cbd0e980b2' (2024-09-27)

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1722339003,
+        "lastModified": 1723293904,
-        "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=",
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1718194053,
+        "lastModified": 1727447169,
-        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
         "type": "github"
       },
       "original": {
@@ -107,11 +107,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723080788,
+        "lastModified": 1727359191,
-        "narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=",
+        "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed",
+        "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700",
         "type": "github"
       },
       "original": {
@@ -206,11 +206,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722555600,
+        "lastModified": 1725234343,
-        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
         "type": "github"
       },
       "original": {
@@ -233,11 +233,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722857853,
+        "lastModified": 1724857454,
-        "narHash": "sha256-3Zx53oz/MSIyevuWO/SumxABkrIvojnB7g9cimxkhiE=",
+        "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "06939f6b7ec4d4f465bf3132a05367cccbbf64da",
+        "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6",
         "type": "github"
       },
       "original": {
@@ -313,11 +313,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720042825,
+        "lastModified": 1726989464,
-        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
+        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
+        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
         "type": "github"
       },
       "original": {
@@ -373,11 +373,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722924007,
+        "lastModified": 1725189302,
-        "narHash": "sha256-+CQDamNwqO33REJLft8c26NbUi2Td083hq6SvAm2xkU=",
+        "narHash": "sha256-IhXok/kwQqtusPsoguQLCHA+h6gKvgdCrkhIaN+kByA=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "91010a5613ffd7ee23ee9263213157a1c422b705",
+        "rev": "7c4b53a7d9f3a3df902b3fddf2ae245ef20ebcda",
         "type": "github"
       },
       "original": {
@@ -388,11 +388,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1723149858,
+        "lastModified": 1727437159,
-        "narHash": "sha256-3u51s7jdhavmEL1ggtd8wqrTH2clTy5yaZmhLvAXTqc=",
+        "narHash": "sha256-v4qLwEw5OmprgQZTT7KZMNU7JjXJzRypw8+Cw6++fWk=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "107bb46eef1f05e86fc485ee8af9b637e5157988",
+        "rev": "d830ad47cc992b4a46b342bbc79694cbd0e980b2",
         "type": "github"
       },
       "original": {
@@ -459,11 +459,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1722813957,
+        "lastModified": 1727122398,
-        "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
+        "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
+        "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093",
         "type": "github"
       },
       "original": {
@@ -490,11 +490,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1722987190,
+        "lastModified": 1727264057,
-        "narHash": "sha256-68hmex5efCiM2aZlAAEcQgmFI4ZwWt8a80vOeB/5w3A=",
+        "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "21cc704b5e918c5fbf4f9fff22b4ac2681706d90",
+        "rev": "759537f06e6999e141588ff1c9be7f3a5c060106",
         "type": "github"
       },
       "original": {
@@ -517,11 +517,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1722925293,
+        "lastModified": 1725350106,
-        "narHash": "sha256-saXm5dd/e3PMsYTEcp1Qbzifm3KsZtNFkrWjmLhXHGE=",
+        "narHash": "sha256-TaMMlI2KPJ3wCyxJk6AShOLhNuTeabHCnvYRkLBlEFs=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "170df9814c3e41d5a4d6e3339e611801b1f02ce2",
+        "rev": "0f2c31e6a57a83ed4e6fa3adc76749620231055d",
         "type": "github"
       },
       "original": {
@@ -541,11 +541,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723232379,
+        "lastModified": 1727210241,
-        "narHash": "sha256-F4Y3f9305aHGWKqAd3s2GyNRONdpDBuNuK4TCSdaHz8=",
+        "narHash": "sha256-lufS6uzSbSrggNCSgubymMQWnQMh7PvQ+lRZ8qH9Uoc=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "22bea90404c5ff6457913a03c1a54a3caa5b1c57",
+        "rev": "a02fef2ece8084aff0b41700bb57d24d73574cd1",
         "type": "github"
       },
       "original": {
@@ -576,11 +576,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1722712220,
+        "lastModified": 1724093899,
-        "narHash": "sha256-gEmbk/DROfVZ+v/BAZHDloHzS0KdqIzxtW7z9g2eH4Y=",
+        "narHash": "sha256-VohYwTIBq7NEssFibuu+HMXXwuCoLmMOmEwQf7sESSI=",
         "ref": "refs/heads/master",
-        "rev": "dfe0e95be5ef539bf28602ff47beeea26cc4d1b8",
+        "rev": "7f5901bb5d6eeaa94d7e1f18f66093be9df014e4",
-        "revCount": 22,
+        "revCount": 27,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },
@@ -658,11 +658,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722330636,
+        "lastModified": 1724833132,
-        "narHash": "sha256-uru7JzOa33YlSRwf9sfXpJG+UAV+bnBEYMjrzKrQZFw=",
+        "narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "768acdb06968e53aa1ee8de207fd955335c754b7",
+        "rev": "3ffd842a5f50f435d3e603312eefa4790db46af5",
         "type": "github"
       },
       "original": {

flake.nix

@@ -112,7 +112,12 @@
         magicRollback = true;
         autoRollback = true;
         sshUser = "root";
-        nodes = lib.genAttrs [ "mail" "pi" "skycam" "vps1" ] mkDeployNode;
+        nodes = lib.genAttrs [
+          "mail"
+          # "pi"
+          # "skycam"
+          "vps1"
+        ] mkDeployNode;
       };
 
       checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;

hosts/eos/hardware-configuration.nix

@@ -7,11 +7,12 @@
 
   boot = {
     initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
-    initrd.kernelModules = [ ];
     initrd.supportedFilesystems = [ "zfs" ];
-    kernelModules = [ ];
+    kernel.sysctl = {
+      "kernel.nmi_watchdog" = 0;
+      "vm.laptop_mode" = 5;
+    };
     kernelParams = [ "elevator=none" ];
-    extraModulePackages = [ ];
     supportedFilesystems = [ "zfs" ];
   };
 

hosts/hypnos/hardware-configuration.nix

@@ -7,6 +7,10 @@
 
   boot = {
     initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+    kernel.sysctl = {
+      "kernel.nmi_watchdog" = 0;
+      "vm.laptop_mode" = 5;
+    };
     kernelModules = [ "applesmc" "kvm-intel" "wl" ];
     extraModulePackages = [
       config.boot.kernelPackages.broadcom_sta

hosts/vps1/default.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports = [
@@ -37,10 +37,47 @@
     groups = {
       jellyfin = { };
     };
+    extraGroups.acme.members = [ "kanidm" "nginx" ];
   };
 
   services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 
+  security.acme.certs."auth.vimium.com" = {
+    postRun = "systemctl restart kanidm.service";
+    group = "acme";
+  };
+
+  services.kanidm = let
+    baseDomain = "vimium.com";
+    domain = "auth.${baseDomain}";
+    uri = "https://${domain}";
+  in {
+    package = pkgs.unstable.kanidm;
+    enableClient = true;
+    enableServer = true;
+    clientSettings = {
+      inherit uri;
+    };
+    serverSettings = {
+      bindaddress = "[::1]:3013";
+      ldapbindaddress = "[::1]:636";
+      domain = baseDomain;
+      origin = uri;
+      tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
+      tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "auth.vimium.com" = {
+      useACMEHost = "auth.vimium.com";
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://[::1]:3013";
+      };
+    };
+  };
+
   modules = rec {
     databases.postgresql.enable = true;
     services = {

modules/default.nix

@@ -32,6 +32,7 @@
     ./editors/neovim
     ./editors/vscode.nix
     ./hardware/presonus-studio.nix
+    ./networking/netbird.nix
     ./networking/tailscale.nix
     ./networking/wireless.nix
     ./security/gpg.nix
@@ -42,6 +43,7 @@
     ./services/gitea
     ./services/gitea-runner
     ./services/headscale
+    ./services/immich
     ./services/mail
     ./services/matrix
     ./services/nginx

modules/networking/netbird.nix

@@ -0,0 +1,70 @@
+{ config, lib, self, ... }:
+
+let
+  cfg = config.modules.networking.netbird;
+  hostname = config.networking.hostName;
+in {
+  options.modules.networking.netbird = {
+    enable = lib.mkEnableOption "netbird";
+    coordinatorDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "netbird.vimium.net";
+    };
+    meshDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "mesh.vimium.net";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets."passwords/services/netbird/data-store-encryption-key" = {
+      file = "${self.inputs.secrets}/passwords/services/netbird/data-store-encryption-key.age";
+    };
+
+    services.netbird = {
+      enable = true;
+    };
+
+    services.netbird.server = {
+      domain = cfg.coordinatorDomain;
+      enable = true;
+      enableNginx = true;
+      dashboard.settings = {
+        AUTH_AUTHORITY = "https://auth.vimium.com/oauth2/openid/netbird";
+      };
+      management = rec {
+        disableAnonymousMetrics = true;
+        dnsDomain = cfg.meshDomain;
+        oidcConfigEndpoint = "https://auth.vimium.com/oauth2/openid/netbird/.well-known/openid-configuration";
+        settings = {
+          DataStoreEncryptionKey = {
+            _secret = config.age.secrets."passwords/services/netbird/data-store-encryption-key".path;
+          };
+          HttpConfig = {
+            AuthAudience = "netbird";
+          };
+          StoreConfig = { Engine = "sqlite"; };
+          TURNConfig = {
+            Secret._secret = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
+            TimeBasedCredentials = true;
+          };
+          PKCEAuthorizationFlow.ProviderConfig = {
+            AuthorizationEndpoint = "https://auth.vimium.com/ui/oauth2";
+            TokenEndpoint = "https://auth.vimium.com/oauth2/token";
+          };
+        };
+        singleAccountModeDomain = dnsDomain;
+        turnDomain = config.services.coturn.realm;
+        turnPort = config.services.coturn.listening-port;
+      };
+    };
+
+    systemd.services.netbird-signal.serviceConfig.RestartSec = "60";
+    systemd.services.netbird-management.serviceConfig.RestartSec = "60";
+
+    services.nginx.virtualHosts."netbird.vimium.net" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}

modules/services/headscale/default.nix

@@ -1,19 +1,17 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
   cfg = config.modules.services.headscale;
   fqdn = "headscale.vimium.net";
 in {
   options.modules.services.headscale = {
-    enable = mkOption {
+    enable = lib.mkOption {
       default = false;
       example = true;
     };
   };
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
     environment.systemPackages = [ pkgs.headscale ];
 
     services.headscale = {
@@ -22,10 +20,16 @@ in {
       port = 8080;
 
       settings = {
+        acl_policy_path = null;
         ip_prefixes = [
           "100.64.0.0/10"
         ];
         server_url = "https://${fqdn}";
+        derp = {
+          auto_update_enable = false;
+          update_frequency = "24h";
+          urls = [];
+        };
         dns_config = {
           base_domain = "vimium.net";
           extra_records = [
@@ -40,6 +44,10 @@ in {
               value = "100.64.0.7";
             }
           ];
+          magic_dns = true;
+          nameservers = [
+            "9.9.9.9"
+          ];
         };
         logtail.enabled = false;
       };

modules/services/immich/default.nix

@@ -0,0 +1,54 @@
+{ config, lib, self, ... }:
+
+with lib;
+
+let cfg = config.modules.services.immich;
+in {
+  options.modules.services.immich = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx = {
+      virtualHosts = {
+        "gallery.vimium.com" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://localhost:${toString config.services.immich.port}";
+            extraConfig = ''
+              client_max_body_size 50000M;
+
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header Host $host;
+
+              proxy_buffering off;
+              proxy_redirect off;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+
+              proxy_read_timeout 600s;
+              proxy_send_timeout 600s;
+              send_timeout 600s;
+            '';
+          };
+        };
+      };
+    };
+
+    age.secrets."files/services/immich/envfile" = {
+      file = "${self.inputs.secrets}/files/services/immich/envfile.age";
+    };
+
+    services.immich = {
+      enable = true;
+      secretsFile = config.age.secrets."files/services/immich/envfile".path;
+    };
+  };
+}

modules/services/matrix/default.nix

@@ -171,6 +171,11 @@ in {
       };
     } else {});
 
+    nixpkgs.config.permittedInsecurePackages = [
+      "jitsi-meet-1.0.8043"
+      "olm-3.2.16"
+    ];
+
     services.matrix-synapse = {
       enable = true;
       enableRegistrationScript = true;

modules/services/nginx/default.nix

@@ -118,8 +118,12 @@ in {
           serverAliases = [ "www.jdholt.com" ];
           extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
           locations."/skycam/snapshot.jpg" = {
-            proxyPass = "http://skycam.mesh.vimium.net:8080/snapshot";
             extraConfig = ''
+              set $backend "skycam.mesh.vimium.net:8080";
+
+              resolver 100.100.100.100;
+
+              proxy_pass http://$backend/snapshot;
               proxy_cache skycam_cache;
               proxy_cache_valid any 10s;
               proxy_ignore_headers Cache-Control Expires Set-Cookie;

overlays/gnome.nix

@@ -4,7 +4,7 @@ final: prev:
     mutter = gsuper.mutter.overrideAttrs (oldAttrs: {
       src = prev.fetchurl {
         url = "https://gitlab.gnome.org/Community/Ubuntu/mutter/-/archive/triple-buffering-v4-46/mutter-triple-buffering-v4-46.tar.gz";
-        sha256 = "mmFABDsRMzYnLO3+Cf3CJ60XyUBl3y9NAUj+vs7nLqE=";
+        sha256 = "9MVb53tcOTkcXJ025bF2kX1+fGSfffliA43q00x2c/Y=";
       };
     });
   });