idk some stuff, mostly 25.11 and opencode stuff

Anish Lakhwara
2026-02-01 23:39:21 -08:00
parent cd8bb0fe0f
commit 615ea7b026
33 changed files with 992 additions and 914 deletions
+3 -1
@@ -10,7 +10,7 @@
../profiles/monitoring
../profiles/nfs
../profiles/gonic
../profiles/headphones
# ../profiles/headphones
../profiles/radicale
# ../profiles/seafile # waiting for https://github.com/NixOS/nixpkgs/pull/249523 to be merged
../profiles/syncthing
@@ -20,6 +20,7 @@
../profiles/finance
../profiles/sync/website
../profiles/sync/music
../profiles/sync/tv
# ../profiles/grasp # private repo - disabled
# ../profiles/archivebox # requires insecure django - fix in flake.nix permittedInsecurePackages
../profiles/woodpecker-agent
@@ -31,6 +32,7 @@
../profiles/transmission
../profiles/raven
../profiles/radicle-node
../profiles/opencode-server
# ../profiles/postgres_upgrade_script # one-time use
];
+1
@@ -12,6 +12,7 @@
../profiles/mimetypes
../profiles/syncthing
../profiles/mossnet-hosts
../profiles/opencode-server
# ../profiles/fly-wg
# ../profiles/kuberenetes
# ../profiles/mount-mossnet
+6 -5
@@ -11,14 +11,15 @@
../profiles/core
../profiles/server
# ../profiles/metrics
# ../profiles/gitea # Replaced by radicle
../profiles/radicle-seed
../profiles/gitea
# ../profiles/radicle-seed
# ../profiles/woodpecker-server
../profiles/rss-bridge
# ../profiles/mount-mossnet
../profiles/freshrss
../profiles/microbin
../profiles/site
# ../profiles/freshrss
# ../profiles/microbin
# TODO: re-enable after basant pyproject fix for 25.11
# ../profiles/site
# ../profiles/postgres_upgrade_script
];
+1
@@ -5,6 +5,7 @@
package = pkgs.unstable.immich;
database = {
enable = true;
enableVectorChord = true; # 25.11: Use VectorChord instead of pgvecto-rs
};
host = "0.0.0.0";
port = 8567;
+38 -2
@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
services.jackett = {
enable = true;
@@ -17,9 +22,9 @@
'';
};
};
services.lidarr = {
enable = true;
user = "headphones";
group = "audio";
};
services.nginx.virtualHosts."lidarr.mossnet.lan" = {
@@ -32,4 +37,35 @@
'';
};
};
services.sonarr = {
enable = true;
group = "video";
};
services.nginx.virtualHosts."sonarr.mossnet.lan" = {
enableACME = false;
forceSSL = false;
locations."/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8989/;
'';
};
};
services.jellyseerr = {
enable = true;
# group = "video";
};
services.nginx.virtualHosts."seerr.mossnet.lan" = {
enableACME = false;
forceSSL = false;
locations."/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:5055/;
'';
};
};
}
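Review bot: The new `sonarr.mossnet.lan` and `seerr.mossnet.lan` vhosts put a raw `proxy_pass` in `extraConfig`, while the jellyfin and opencode vhosts in this same commit use `locations."/".proxyPass`. The NixOS nginx module only attaches its recommended proxy headers (Host, X-Forwarded-For/Proto) to locations that set `proxyPass`, so if `recommendedProxySettings` is enabled elsewhere these two upstreams will still see every request as coming from 127.0.0.1 with no forwarded client address. I would write `locations."/".proxyPass = "http://127.0.0.1:8989/";` (and `:5055/` for seerr), adding `proxyWebsockets = true;` if the UI needs it. Both vhosts are also plain HTTP with no nginx-level access control, so access rests on each application's own login and on the LAN boundary; a one-line comment saying that is intended would help the next reader.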
+4 -4
@@ -6,13 +6,13 @@
}:
{
# Enable Hardware Acceleration for transcoding
# Note: vaapiIntel override with enableHybridCodec should be in flake.nix overlay if needed
# Note: intel-vaapi-driver override with enableHybridCodec should be in flake.nix overlay if needed
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
intel-vaapi-driver # renamed from vaapiIntel in 25.11
libva-vdpau-driver # renamed from vaapiVdpau in 25.11
libvdpau-va-gl
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
];
@@ -37,6 +37,6 @@
enableACME = false;
locations."/".proxyPass = "http://localhost:8096/";
};
};
};
};
}
@@ -1,10 +1,10 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.matrix-synapse-tools.rust-synapse-compress-state ];
environment.systemPackages = [ pkgs.rust-synapse-compress-state ];
systemd.services.compress-matrix-state = {
serviceConfig.Type = "oneshot";
path = [
pkgs.matrix-synapse-tools.rust-synapse-compress-state
pkgs.rust-synapse-compress-state
];
script = ''
synapse_auto_compressor -p "host=/run/postgresql port=5432 user=matrix-synapse dbname=matrix-synapse" -n 2000000 -c 10000
+35 -21
@@ -1,10 +1,16 @@
{ self, config, lib, pkgs, ... }:
{
self,
config,
lib,
pkgs,
...
}:
{
imports = [
./mautrix-telegram.nix
./mautrix-services.nix
# ./mautrix-discord.nix
# ./mautrix-discord.nix # Native NixOS 25.11 module (replaces nix-matrix-appservices)
# ./mautrix-services.nix # Old nix-matrix-appservices - discord moved to native module
# ./mautrix-whatsapp.nix
# ./mautrix-slack.nix
# ./mautrix-signal.nix
@@ -18,30 +24,37 @@
age.secrets.synapse-config.owner = "matrix-synapse";
systemd.services.matrix-synapse.serviceConfig.TimeoutStartSec = "10min";
services.matrix-synapse = {
enable = true;
settings = {
max_upload_size = "100M";
server_name = "sealight.xyz";
federation_sender_instances = [];
federation_sender_instances = [ ];
listeners = [
{
port = 8448;
tls = false;
resources = [{
compress = true;
names = [ "client" "federation" ];
}];
resources = [
{
compress = true;
names = [
"client"
"federation"
];
}
];
}
{
port = 9090;
type = "metrics";
bind_addresses = [ "0.0.0.0" ];
resources = [{
compress = false;
names = [ ];
}];
resources = [
{
compress = false;
names = [ ];
}
];
tls = false;
}
];
@@ -52,10 +65,9 @@
# chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/discord-registration.yaml
# "/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/signal-registration.yaml"
#"/var/lib/matrix-as-whatsapp/whatsapp-registration.yaml"
"/var/lib/matrix-as-discord/discord-registration.yaml"
# Discord now uses native module with registerToSynapse = true (auto-registers)
# "/var/lib/matrix-as-discord/discord-registration.yaml"
# "/var/lib/matrix-synapse/slack-registration.yaml"
# "/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/whatsapp-registration.yaml"
];
turn_uris = [
@@ -67,7 +79,7 @@
# ''
# max_upload_size: "50M"
# use_presence: false
# registration_shared_secret: "hD9HQGTTDxp0mQsQ5JDsfudWMDiubmZENOgPchIvfBvUlPxlvQSvjoO4wn2L1seU";
# registration_shared_secret: "hD9HQGTTDxp0mQsQ5JDsfudWMDiubmZENOgPchIvfBvUlPxlvQSvjoO4wn2L1seU";
# enable_registration_without_verification: true
# '';
enable_metrics = true;
@@ -156,10 +168,12 @@
networking.firewall =
let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in
{
enable = true;
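Review bot: The commented-out `registration_shared_secret: "…"` line in the old `extraConfig` comment block is only re-indented by this commit, but it still keeps what looks like a real secret value in the repository. If that value was ever live, anyone who can read the repo could use it to register accounts on the homeserver, so it should be rotated and the comment reduced to something like `# registration_shared_secret: provided via age.secrets.synapse-config`. Separately, the metrics listener on port 9090 still binds `0.0.0.0`; it is only reformatted here, but the firewall block's port list lies outside the visible hunk, so it is worth confirming that 9090 is not opened there.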
+34
@@ -0,0 +1,34 @@
{
self,
config,
lib,
pkgs,
...
}:
{
# Native NixOS 25.11 mautrix-discord module
# Replaces the nix-matrix-appservices discord configuration
services.mautrix-discord = {
enable = true;
registerToSynapse = true;
settings = {
homeserver = {
address = "https://sealight.xyz";
domain = "sealight.xyz";
};
appservice = {
id = "discord";
bot_username = "discordbridge";
address = "http://localhost:29188";
port = 29188;
# Uses SQLite by default, can switch to PostgreSQL:
# database = "postgresql:///mautrix-discord?host=/run/postgresql";
};
bridge = {
permissions = {
"@aynish:sealight.xyz" = "admin";
};
};
};
};
}
@@ -0,0 +1,50 @@
{
self,
config,
pkgs,
inputs,
...
}:
let
opencode = inputs.llm-agents.packages.${pkgs.system}.opencode;
in
{
systemd.services.opencode-server = {
description = "OpenCode HTTP Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
# Read the API key from the agenix secret file and export it
script = ''
export ANTHROPIC_API_KEY="$(cat /run/agenix/anthropicToken)"
exec ${opencode}/bin/opencode serve --port 4096 --hostname 0.0.0.0
'';
serviceConfig = {
Type = "simple";
WorkingDirectory = "/home/anish/usr";
User = "anish";
Restart = "on-failure";
RestartSec = "10";
# Hardening
NoNewPrivileges = true;
PrivateTmp = true;
};
};
# Open firewall port for LAN access
networking.firewall.allowedTCPPorts = [ 4096 ];
services.nginx = {
enable = true;
virtualHosts = {
"opencode.mossnet.lan" = {
forceSSL = false;
enableACME = false;
locations."/".proxyPass = "http://localhost:4096/";
};
};
};
}
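Review bot: `opencode serve --hostname 0.0.0.0` together with `networking.firewall.allowedTCPPorts = [ 4096 ];` exposes the server's HTTP API directly to every host that can reach this machine, while the process runs as `anish` in `/home/anish/usr` with `ANTHROPIC_API_KEY` in its environment; nothing in this file shows authentication in front of it. Since the nginx vhost already proxies to `localhost:4096`, I would bind with `--hostname 127.0.0.1` and drop the `allowedTCPPorts` line, so nginx is the single entry point where access control and TLS can be added. The `# Hardening` block is thin for what is presumably an agent able to act on the user's files: consider `ProtectSystem = "strict";` with an explicit `ReadWritePaths`, and hand the key over with systemd's `LoadCredential` instead of `cat` in the script. The profile is imported on two hosts in this commit, so the exposure applies to both.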
+1 -1
@@ -13,7 +13,7 @@ touch "$TRACKING_FILE"
# Get list of albums on remote server
echo "$(date): Checking for new albums on seedbox..." >>"$LOG_FILE"
REMOTE_ALBUMS=$(rsync --dry-run --list-only "$REMOTE_HOST:$REMOTE_PATH" | grep '^d' | awk '{$1=$2=$3=$4=""; sub(/^ +/, ""); print}' | grep -v '^\.') || true
REMOTE_ALBUMS=$(rsync --dry-run --list-only "$REMOTE_HOST:$REMOTE_PATH" | grep '^d' | awk '{$1=$2=$3=$4=""; sub(/^ +/, ""); print}' | grep -v '^\.' | grep -v '^tv-sonarr$') || true
if [ -z "$REMOTE_ALBUMS" ]; then
echo "$(date): No albums found on remote server" >>"$LOG_FILE"
+23
@@ -0,0 +1,23 @@
{ pkgs, lib, ... }:
{
systemd.services.get-tv-sync = {
serviceConfig.Type = "oneshot";
path = [
pkgs.coreutils
pkgs.openssh
pkgs.gawk
pkgs.rsync
pkgs.curl
];
script = builtins.readFile ./get-tv.sh;
serviceConfig = {
User = "anish";
};
};
systemd.timers.get-tv-sync = {
wantedBy = [ "timers.target" ];
partOf = [ "get-tv-sync.service" ];
timerConfig.OnCalendar = [ "hourly" ];
};
}
+63
@@ -0,0 +1,63 @@
#!/usr/bin/env bash
set -euo pipefail
REMOTE_HOST="aynish@talos.feralhosting.com"
REMOTE_PATH="private/transmission/data/tv-sonarr/"
LOCAL_PATH="/tank/media/tv"
TRACKING_FILE="/tank/media/tv/.downloaded_shows"
LOG_FILE="/tank/media/tv/download-log"
# Create local directory and tracking file if they don't exist
mkdir -p "$LOCAL_PATH"
touch "$TRACKING_FILE"
# Get list of shows on remote server
echo "$(date): Checking for new TV shows on seedbox..." >>"$LOG_FILE"
REMOTE_SHOWS=$(rsync --dry-run --list-only "$REMOTE_HOST:$REMOTE_PATH" | grep '^d' | awk '{$1=$2=$3=$4=""; sub(/^ +/, ""); print}' | grep -v '^\.') || true
if [ -z "$REMOTE_SHOWS" ]; then
echo "$(date): No shows found on remote server" >>"$LOG_FILE"
exit 0
fi
# Check each show against tracking file
NEW_SHOWS=""
while IFS= read -r show; do
if [ -n "$show" ] && ! grep -qF "$show" "$TRACKING_FILE"; then
NEW_SHOWS="$NEW_SHOWS$show\n"
echo "$(date): Found new show: $show" >>"$LOG_FILE"
fi
done <<<"$REMOTE_SHOWS"
if [ -z "$NEW_SHOWS" ]; then
echo "$(date): No new shows to download" >>"$LOG_FILE"
exit 0
fi
# Download new shows only
echo "$(date): Starting download of new shows..." >>"$LOG_FILE"
while IFS= read -r show; do
if [ -n "$show" ]; then
echo "$(date): Downloading $show" >>"$LOG_FILE"
# Set umask to allow group read/write access for Jellyfin
umask 002
if rsync -r --log-file="$LOG_FILE" "$REMOTE_HOST:$REMOTE_PATH$show/" "$LOCAL_PATH/$show/"; then
echo "$show" >>"$TRACKING_FILE"
echo "$(date): Successfully downloaded $show" >>"$LOG_FILE"
else
echo "$(date): Failed to download $show" >>"$LOG_FILE"
fi
fi
done <<<"$(echo -e "$NEW_SHOWS")"
# Trigger Jellyfin library scan
echo "$(date): Triggering Jellyfin library refresh..." >>"$LOG_FILE"
if curl -s -X POST "http://localhost:8096/Library/Refresh" \
-H "X-Emby-Token: aef1b1e0cd5445dc97b755ef8c6224e5"; then
echo "$(date): Jellyfin library refresh triggered" >>"$LOG_FILE"
else
echo "$(date): Failed to trigger Jellyfin library refresh" >>"$LOG_FILE"
fi
echo "$(date): TV sync completed" >>"$LOG_FILE"
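Review bot: The Jellyfin API token is hard-coded in the `X-Emby-Token` header of the `curl` call at the end of the script, so it is now in the repository history and, because the unit inlines the script with `builtins.readFile`, in the world-readable Nix store as well. Treat that token as exposed: revoke it in Jellyfin and read a fresh one from a secret file at runtime, e.g. `-H "X-Emby-Token: $(cat "$JELLYFIN_TOKEN_FILE")"`, where `JELLYFIN_TOKEN_FILE` is a placeholder name for an agenix-managed path. Two smaller points: `grep -qF "$show"` is a substring match, so a show whose name is contained in an already-tracked name is silently skipped, and `grep -qxF -- "$show"` would match whole lines only. `REMOTE_SHOWS=$(…) || true` also hides an ssh or rsync failure behind the "No shows found" log line.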
+1
@@ -3,6 +3,7 @@
environment.systemPackages = [ pkgs.beets ];
services.transmission = {
enable = true;
package = pkgs.transmission_4; # 25.11: transmission_3 removed, explicitly use v4
settings = {
rpc-enabled = true;
rpc-bind-address = "0.0.0.0";