box zfs

2026-01-19 22:37:30 -08:00
parent 3b33575b2a
commit d0cde973e7
21 changed files with 818 additions and 243 deletions
@@ -1,4 +1,10 @@
-{ config, options, lib, pkgs, ... }:
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
 with lib;
 let
  # cfg = config.services.archivebox;
@@ -7,9 +13,8 @@ let
  port = "8123";
 in
 {
-  nixpkgs.config.permittedInsecurePackages = [
-    "python3.10-django-3.1.14"
-  ];
+  # Note: permittedInsecurePackages must be set in flake.nix nixpkgsFor config
+  # if archivebox still requires python3.10-django-3.1.14

  services.nginx.virtualHosts."archive.mossnet.lan" = {
    enableACME = false;
@@ -26,7 +31,10 @@ in
  systemd.services.archivebox-install = {
    description = "archivebox install service";
    wantedBy = [ "multi-user.target" ];
-    path = with pkgs; [ coreutils archivebox ];
+    path = with pkgs; [
+      coreutils
+      archivebox
+    ];

    serviceConfig = {
      User = user;
@@ -51,7 +59,10 @@ in
  systemd.services.archivebox-server = {
    description = "archivebox server service";
    wantedBy = [ "multi-user.target" ];
-    path = with pkgs; [ coreutils archivebox ];
+    path = with pkgs; [
+      coreutils
+      archivebox
+    ];

    serviceConfig = {
      User = user;
@@ -8,7 +8,7 @@
    user = "calibre-server";
    group = "calibre-server";
    options = {
-      calibreLibrary = "/data/books";
+      calibreLibrary = "/tank/books";
      enableBookUploading = true;
    };
  };
@@ -20,7 +20,7 @@

  services.calibre-server = {
    enable = true;
-    libraries = [ "/data/books" ];
+    libraries = [ "/tank/books" ];
    # Bug in the module puts this in quotes in the systemd file
    # user = calibre;
    # group = calibre;
@@ -1,12 +1,17 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
  environment.systemPackages = [ pkgs.ffmpeg ];
  mossnet.gonic.enable = true;
  mossnet.gonic.settings = ''
-    music-path /mnt/two/music/
-    podcast-path /data/podcasts
-    cache-path /data/cache
-    playlists-path /data/playlists
+    music-path /tank/media/music/
+    podcast-path /tank/podcasts
+    cache-path /tank/cache
+    playlists-path /tank/playlists
  '';
  mossnet.gonic.user = "gonic";
  mossnet.gonic.group = "audio";
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
  services.headphones = {
    enable = true;
@@ -6,7 +11,7 @@
    port = 8181;
    user = "headphones";
    group = "audio";
-    dataDir = "/data/music";
+    dataDir = "/tank/media/music";
  };
  services.nginx.virtualHosts."headphones.mossnet.lan" = {
    enableACME = false;
@@ -8,7 +8,7 @@
    };
    host = "0.0.0.0";
    port = 8567;
-    mediaLocation = "/mnt/two/photos";
+    mediaLocation = "/tank/media/photos";
    openFirewall = true;
    settings.server.externalDomain = "https://photos.sealight.xyz";
  };
@@ -1,10 +1,13 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
  # Enable Hardware Acceleration for transcoding
-  nixpkgs.config.packageOverrides = pkgs: {
-    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
-  };
-  hardware.opengl = {
+  # Note: vaapiIntel override with enableHybridCodec should be in flake.nix overlay if needed
+  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      intel-media-driver
@@ -18,10 +21,22 @@
    enable = true;
    user = "jellyfin";
    group = "video";
-    openFirewall = true; # only for defaults
+    openFirewall = true; # only for defaults (8096)
  };
-  networking.firewall.allowedTCPPorts = [ 8181 ];
  users.users.jellyfin = {
-    extraGroups = [ "video" "audio" ];
+    extraGroups = [
+      "video"
+      "audio"
+    ];
+  };
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "jellyfin.mossnet.lan" = {
+        forceSSL = false;
+        enableACME = false;
+        locations."/".proxyPass = "http://localhost:8096/";
+      };
+    }; 
  };
 }
@@ -1,4 +1,10 @@
-{ self, config, pkgs, ... }: {
+{
+  self,
+  config,
+  pkgs,
+  ...
+}:
+{
  age.secrets.nullhex-smtp.file = "${self}/secrets/nullhex-smtp.age";
  age.secrets.nullhex-smtp.owner = "grafana";

@@ -25,7 +31,7 @@
  };

  # nginx reverse proxy
-  # services.nginx.recommendedProxySettings = true; # Needed for new grafana versions 
+  # services.nginx.recommendedProxySettings = true; # Needed for new grafana versions
  services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:2342";
@@ -33,21 +39,23 @@
    };
  };

-    services.postgresql = {
-      ensureUsers = [{
+  services.postgresql = {
+    ensureUsers = [
+      {
        name = "grafana";
-        # TODO this is deprecated 
-        # Need to translate this to 
-        # systemd.services.postgresql.postStart
-        # or initialScript 
-        ensurePermissions = {
-          "ALL TABLES IN SCHEMA public" = "SELECT";
-          "DATABASE wallabag" = "CONNECT";
-          "DATABASE ulogger" = "CONNECT";
-          "DATABASE photoprism" = "CONNECT";
-        };
-      }];
-    };
+      }
+    ];
+  };
+
+  # Grant grafana user read access to databases for monitoring
+  systemd.services.postgresql.postStart = pkgs.lib.mkAfter ''
+    $PSQL -tAc "GRANT CONNECT ON DATABASE wallabag TO grafana" 2>/dev/null || true
+    $PSQL -tAc "GRANT CONNECT ON DATABASE ulogger TO grafana" 2>/dev/null || true
+    $PSQL -tAc "GRANT CONNECT ON DATABASE photoprism TO grafana" 2>/dev/null || true
+    $PSQL -d wallabag -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+    $PSQL -d ulogger -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+    $PSQL -d photoprism -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+  '';

  services.prometheus = {
    enable = true;
@@ -66,11 +74,15 @@
    scrapeConfigs = [
      {
        job_name = "box";
-        static_configs = [{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }];
+        static_configs = [
+          { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
+        ];
      }
      {
        job_name = "dns";
-        static_configs = [{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; }];
+        static_configs = [
+          { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; }
+        ];
      }
    ];
  };
@@ -12,16 +12,31 @@
    statdPort = 4000;
    extraNfsdConfig = '''';
    exports = ''
-      /home/ftp          192.168.1.0/24(rw)
-      /mnt/one           192.168.1.0/24(rw)
-      /mnt/two           192.168.1.0/24(rw,async,no_subtree_check) 10.0.69.0/24(rw,async,no_subtree_check)
-      /mnt/three         192.168.1.0/24(rw)
+      /tank/ftp              192.168.1.0/24(rw)
+      /tank/media/music      192.168.1.0/24(rw,async,no_subtree_check) 10.0.69.0/24(rw,async,no_subtree_check)
+      /tank/media/photos     192.168.1.0/24(rw,async,no_subtree_check) 10.0.69.0/24(rw,async,no_subtree_check)
+      /tank/media/movies     192.168.1.0/24(rw)
+      /tank/media/tv         192.168.1.0/24(rw)
    '';
  };

  networking.firewall = {
-    allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
-    allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
+    allowedTCPPorts = [
+      111
+      2049
+      4000
+      4001
+      4002
+      20048
+    ];
+    allowedUDPPorts = [
+      111
+      2049
+      4000
+      4001
+      4002
+      20048
+    ];
  };

  #systemd.services.create-mount-dir = {
@@ -4,9 +4,9 @@ set -euo pipefail

 REMOTE_HOST="aynish@talos.feralhosting.com"
 REMOTE_PATH="private/transmission/data/"
-LOCAL_PATH="/mnt/two/incoming"
-TRACKING_FILE="/mnt/two/incoming/.downloaded_albums"
-LOG_FILE="/mnt/two/incoming/download-log"
+LOCAL_PATH="/tank/new-music"
+TRACKING_FILE="/tank/new-music/.downloaded_albums"
+LOG_FILE="/tank/new-music/download-log"

 # Create tracking file if it doesn't exist
 touch "$TRACKING_FILE"
@@ -47,7 +47,7 @@ while IFS= read -r album; do
 			echo "$(date): Importing $album to beets..." >>"$LOG_FILE"
 			# Set umask to allow group read/write access
 			umask 002
-			if beet -p fetchart import -m -l /home/anish/music.log -q -g "$LOCAL_PATH/$album"; then
+			if beet import -q "$LOCAL_PATH/$album"; then
 				echo "$(date): Successfully imported $album to beets" >>"$LOG_FILE"
 			else
 				echo "$(date): Failed to import $album to beets" >>"$LOG_FILE"
@@ -11,12 +11,12 @@
      # Normally, I would write this into the homedir with home-manager
      # And explictly set the dir to be the output of the home-manager location
      script-torrent-done-filename = pkgs.writeShellScript "beet-import.sh" ''
-#!/usr/bin/env bash
+        #!/usr/bin/env bash

-beet -p fetchart  import -l /home/anish/music.log -q -g "$TR_TORRENT_DIR"
+        beet -p fetchart  import -l /home/anish/music.log -q -g "$TR_TORRENT_DIR"
      '';
      rpc-url = "/transmission/rpc/";
-      download-dir = "/mnt/two/new-music";
+      download-dir = "/tank/new-music";
    };
  };
  services.nginx.virtualHosts."transmission.mossnet.lan" = {