diff --git a/config/base.nix b/config/base.nix
index cd3d66f..a327672 100644
--- a/config/base.nix
+++ b/config/base.nix
@@ -9,7 +9,6 @@
 {
 imports = [
 inputs.home-manager.nixosModules.home-manager
- ./users.nix
 ./jawz.nix
 ../modules/modules.nix
 ];
diff --git a/config/users.nix b/config/users.nix
deleted file mode 100644
index c73aa80..0000000
--- a/config/users.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-_: {
- users.users = {
- sonarr = {
- uid = 274;
- group = "piracy";
- };
- radarr = {
- uid = 275;
- group = "piracy";
- };
- };
-}
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 0a0975a..ed05d39 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -5,6 +5,9 @@
 inputs,
 ...
 }:
+let
+ lidarrMbGapId = 968;
+in
 {
 imports = [
 inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap
@@ -49,13 +52,16 @@
 sopsFile = ../../secrets/env.yaml;
 };
 "private_keys/lidarr-mb-gap" =
- lib.mkIf (config.my.secureHost && config.services.lidarr-mb-gap.enable)
- {
- sopsFile = ../../secrets/keys.yaml;
- owner = config.users.users.lidarr-mb-gap.name;
- inherit (config.users.users.lidarr-mb-gap) group;
- path = "${config.users.users.lidarr-mb-gap.home}/.ssh/ed25519_lidarr-mb-gap";
- };
+ let
+ cfg = config.services.lidarr-mb-gap;
+ usr = config.users.users.lidarr-mb-gap;
+ in
+ lib.mkIf (config.my.secureHost && cfg.enable) {
+ sopsFile = ../../secrets/keys.yaml;
+ owner = usr.name;
+ inherit (usr) group;
+ path = "${usr.home}/.ssh/ed25519_lidarr-mb-gap";
+ };
 };
 networking = {
 hostName = "server";
@@ -82,6 +88,13 @@
 users.users.jawz.packages = builtins.attrValues {
 inherit (pkgs) podman-compose attic-client;
 };
+ users.groups.lidarr-mb-gap.gid = lidarrMbGapId;
+ users.users.lidarr-mb-gap = {
+ uid = lidarrMbGapId;
+ isSystemUser = true;
+ group = "lidarr-mb-gap";
+ home = "/var/lib/lidarr-mb-gap";
+ };
 services = {
 btrfs.autoScrub = {
 enable = true;
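Review bot: `users.users.lidarr-mb-gap` and its group are declared unconditionally in the third hunk, while the secret that depends on them (`"private_keys/lidarr-mb-gap"` in the second hunk) is gated on `config.my.secureHost && cfg.enable`, so the account is created even on a build where the service is off; wrapping the two `users.*` definitions in the same `lib.mkIf` would keep the two halves aligned. `home = "/var/lib/lidarr-mb-gap"` is set without `createHome`, and the secret's `path` resolves to `${usr.home}/.ssh/…`, so something outside this diff has to create that directory before the secret is installed — worth confirming. If `inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap` (imported in the first hunk) also declares this user, its `group`/`home` values must match these exactly or evaluation will report conflicting definitions. If 968 is the number the host had already been handed dynamically, a one-line comment such as `# pinned so /var/lib ownership stays stable across rebuilds` would record why it is fixed.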
diff --git a/modules/nix/gitea-actions-runners/nixos.nix b/modules/nix/gitea-actions-runners/nixos.nix
index c19da2e..3862055 100644
--- a/modules/nix/gitea-actions-runners/nixos.nix
+++ b/modules/nix/gitea-actions-runners/nixos.nix
@@ -6,11 +6,15 @@
 }:
 let
 cfg = config.my.servers.gitea;
+ id = 969;
+ gid = id;
+ uid = id;
 in
 {
 config = lib.mkIf (cfg.enable && config.my.secureHost) {
- users.groups.gitea-runner = { };
+ users.groups.gitea-runner = { inherit gid; };
 users.users.gitea-runner = {
+ inherit uid;
 isSystemUser = true;
 group = "gitea-runner";
 extraGroups = [
diff --git a/modules/servers/audiobookshelf.nix b/modules/servers/audiobookshelf.nix
index 1bd1c9b..653d3db 100644
--- a/modules/servers/audiobookshelf.nix
+++ b/modules/servers/audiobookshelf.nix
@@ -11,6 +11,11 @@ in
 options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687;
 config = lib.mkIf (cfg.enable && config.my.secureHost) {
 my.servers.audiobookshelf.enableSocket = true;
+ users.users.audiobookshelf = {
+ uid = 978;
+ group = "piracy";
+ isSystemUser = true;
+ };
 services.audiobookshelf = {
 inherit (cfg) enable port;
 host = cfg.ip;
diff --git a/modules/servers/bazarr.nix b/modules/servers/bazarr.nix
index 0c59891..a753077 100644
--- a/modules/servers/bazarr.nix
+++ b/modules/servers/bazarr.nix
@@ -6,11 +6,19 @@
 let
 setup = import ../factories/mkserver.nix { inherit lib config; };
 cfg = config.my.servers.bazarr;
+ uid = 985;
 in
 {
 options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort;
- config.services.bazarr = lib.mkIf cfg.enable {
- inherit (cfg) enable;
- group = "piracy";
+ config = lib.mkIf cfg.enable {
+ users.users.bazarr = {
+ inherit uid;
+ group = "piracy";
+ isSystemUser = true;
+ };
+ services.bazarr = {
+ inherit (cfg) enable;
+ group = "piracy";
+ };
 };
 }
diff --git a/modules/servers/gitea.nix b/modules/servers/gitea.nix
index 86f3981..6650c09 100644
--- a/modules/servers/gitea.nix
+++ b/modules/servers/gitea.nix
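Review bot: The `id = 969; gid = id; uid = id;` triple introduced in the gitea-runner hunk reappears verbatim in the kavita, nextcloud, oauth2-proxy, paperless, synapse and vaultwarden hunks, each followed by the same `users.groups.<name>` and `users.users.<name>` attrsets; a small helper taking the account name and the id would remove the repetition and make the uid/gid pairing a single decision (the server modules already import `../factories/mkserver.nix`, a natural home for it). The group form used here, `users.groups.gitea-runner = { inherit gid; };`, is the one the other modules should copy. `extraGroups` continues past the end of the hunk.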
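Review bot: In the audiobookshelf hunk, `group = "piracy"` on `users.users.audiobookshelf` is not paired with a `services.audiobookshelf.group` setting, and the `services.audiobookshelf` attrset continues past the end of the hunk, so whether it is set there cannot be seen; as far as I recall the upstream module defines the same user with `group = cfg.group`, and if that still defaults to `audiobookshelf` the two definitions conflict at evaluation. The bazarr, plex, radarr and sonarr hunks in this commit set `services.<name>.group = "piracy"` right next to the user, which is the pattern to mirror; the jellyfin hunk has the same gap.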
@@ -15,6 +15,12 @@ in
 options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
 config = lib.mkIf (cfg.enable && config.my.secureHost) {
 sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
+ users.groups.gitea.gid = 974;
+ users.users.gitea = {
+ uid = 975;
+ isSystemUser = true;
+ group = "gitea";
+ };
 services.gitea = {
 inherit (cfg) enable;
 settings = {
diff --git a/modules/servers/jellyfin.nix b/modules/servers/jellyfin.nix
index 1de6171..7ed6c81 100644
--- a/modules/servers/jellyfin.nix
+++ b/modules/servers/jellyfin.nix
@@ -28,6 +28,11 @@ in
 pkgs.jellyfin-ffmpeg
 ]
 ++ (lib.optional cfg.enableCron [ sub-sync-path ]);
+ users.users.jellyfin = {
+ uid = 984;
+ group = "piracy";
+ isSystemUser = true;
+ };
 services = {
 jellyfin = {
 inherit (cfg) enable;
diff --git a/modules/servers/kavita.nix b/modules/servers/kavita.nix
index 24fca7e..56afa30 100644
--- a/modules/servers/kavita.nix
+++ b/modules/servers/kavita.nix
@@ -6,6 +6,9 @@
 let
 setup = import ../factories/mkserver.nix { inherit lib config; };
 cfg = config.my.servers.kavita;
+ id = 982;
+ gid = id;
+ uid = id;
 in
 {
 options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
@@ -14,7 +17,9 @@ in
 owner = config.users.users.kavita.name;
 inherit (config.users.users.kavita) group;
 };
+ users.groups.kavita.gid = { inherit gid; };
 users.users.kavita = {
+ inherit uid;
 isSystemUser = true;
 group = "kavita";
 extraGroups = [
diff --git a/modules/servers/nextcloud.nix b/modules/servers/nextcloud.nix
index dd06810..efe00d5 100644
--- a/modules/servers/nextcloud.nix
+++ b/modules/servers/nextcloud.nix
@@ -32,6 +32,9 @@ let
 pytensorflow = pkgs.python3.withPackages (ps: [ ps.tensorflow ]);
 cfg = config.my.servers.nextcloud;
 cfgC = config.my.servers.collabora;
+ id = 990;
+ gid = id;
+ uid = id;
 in
 {
 options.my.servers = {
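Review bot: In the gitea hunk, gitea is the only account in this commit whose gid (974) and uid (975) differ, and 974 is also the uid given to `stash` later in the diff; the namespaces are distinct so nothing collides, but next to the `id = N; gid = id; uid = id;` convention used everywhere else it reads like a typo. Either use the same triple here or add a short comment on `users.groups.gitea.gid = 974;` stating that the split is intentional.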
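Review bot: In the second kavita hunk, `users.groups.kavita.gid = { inherit gid; };` assigns an attribute set to an option that takes an integer (or null), so evaluating any host that enables this module should fail with a type error instead of pinning the gid; the intended line is `users.groups.kavita = { inherit gid; };` (the form the gitea-runner hunk uses) or `users.groups.kavita.gid = gid;`. The same construction appears in the nextcloud, oauth2-proxy, paperless, synapse and vaultwarden hunks and needs the same one-line fix in each. `extraGroups` runs past the end of this hunk.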
@@ -48,8 +51,11 @@ in
 "nodejs-14.21.3"
 "openssl-1.1.1v"
 ];
+ users.groups.nextcloud.gid = { inherit gid; };
 users.users.nextcloud = {
+ inherit uid;
 isSystemUser = true;
+ group = "nextcloud";
 extraGroups = [ "render" ];
 packages = builtins.attrValues {
 inherit exiftool pytensorflow;
diff --git a/modules/servers/oauth2-proxy.nix b/modules/servers/oauth2-proxy.nix
index 1cf8b77..fec2d53 100644
--- a/modules/servers/oauth2-proxy.nix
+++ b/modules/servers/oauth2-proxy.nix
@@ -6,10 +6,19 @@
 let
 setup = import ../factories/mkserver.nix { inherit lib config; };
 cfg = config.my.servers.oauth2-proxy;
+ id = 967;
+ gid = id;
+ uid = id;
 in
 {
 options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;
 config = lib.mkIf (cfg.enable && config.my.secureHost) {
+ users.groups.oauth2-proxy.gid = { inherit gid; };
+ users.users.oauth2-proxy = {
+ inherit uid;
+ isSystemUser = true;
+ group = "oauth2-proxy";
+ };
 sops.secrets.oauth2-proxy = {
 sopsFile = ../../secrets/env.yaml;
 restartUnits = [ "oauth2-proxy.service" ];
diff --git a/modules/servers/paperless.nix b/modules/servers/paperless.nix
index 751ceae..99d816c 100644
--- a/modules/servers/paperless.nix
+++ b/modules/servers/paperless.nix
@@ -2,11 +2,20 @@
 let
 cfg = config.my.servers.paperless;
 inherit (config.services.paperless) port;
+ id = 315;
+ gid = id;
+ uid = id;
 in
 {
 options.my.servers.paperless.enable = lib.mkEnableOption "Paperless-ngx document management system";
 config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
 networking.firewall.allowedTCPPorts = [ port ];
+ users.groups.paperless.gid = { inherit gid; };
+ users.users.paperless = {
+ inherit uid;
+ isSystemUser = true;
+ group = "paperless";
+ };
 services.paperless = {
 inherit (cfg) enable;
 address = config.my.ips.server;
diff --git a/modules/servers/plex.nix b/modules/servers/plex.nix
index 931bae7..c9fdb8f 100644
--- a/modules/servers/plex.nix
+++ b/modules/servers/plex.nix
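Review bot: In the paperless hunk, `id = 315`, like 193 (plex), 224 (matrix-synapse), 274 (sonarr) and 275 (radarr) elsewhere in this commit, looks like a value taken from NixOS's static `config.ids.uids` / `config.ids.gids` table rather than a locally chosen number; if that is the source, `uid = config.ids.uids.paperless;` (and the matching `gids` entry) would state the provenance and fail loudly should the table ever disagree, whereas a literal silently diverges. Upstream modules that pin the same account with `uid = config.ids.uids.<name>` only merge cleanly while the literal stays equal, so a comment naming the origin of the number is the minimum if the literals are kept.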
@@ -9,8 +9,13 @@ let
 in
 {
 options.my.servers.plex = setup.mkOptions "plex" "plex" 32400;
- config.services = lib.mkIf (cfg.enable && config.my.secureHost) {
- plex = {
+ config = lib.mkIf (cfg.enable && config.my.secureHost) {
+ users.users.plex = {
+ uid = 193;
+ group = "piracy";
+ isSystemUser = true;
+ };
+ services.plex = {
 inherit (cfg) enable;
 group = "piracy";
 };
diff --git a/modules/servers/prowlarr.nix b/modules/servers/prowlarr.nix
index 705846f..53d4df7 100644
--- a/modules/servers/prowlarr.nix
+++ b/modules/servers/prowlarr.nix
@@ -11,6 +11,7 @@ in
 options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
 config = lib.mkIf cfg.enable {
 users.users.prowlarr = {
+ uid = 987;
 group = "piracy";
 isSystemUser = true;
 };
diff --git a/modules/servers/radarr.nix b/modules/servers/radarr.nix
index 49cea50..01fb256 100644
--- a/modules/servers/radarr.nix
+++ b/modules/servers/radarr.nix
@@ -10,6 +10,11 @@ in
 {
 options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
 config = lib.mkIf cfg.enable {
+ users.users.radarr = {
+ uid = 275;
+ group = "piracy";
+ isSystemUser = true;
+ };
 services.radarr = {
 inherit (cfg) enable;
 group = "piracy";
diff --git a/modules/servers/sonarr.nix b/modules/servers/sonarr.nix
index 0b30915..11b8240 100644
--- a/modules/servers/sonarr.nix
+++ b/modules/servers/sonarr.nix
@@ -9,8 +9,15 @@ let
 in
 {
 options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989;
- config.services.sonarr = lib.mkIf cfg.enable {
- inherit (cfg) enable;
- group = "piracy";
+ config = lib.mkIf cfg.enable {
+ users.users.sonarr = {
+ uid = 274;
+ group = "piracy";
+ isSystemUser = true;
+ };
+ services.sonarr = {
+ inherit (cfg) enable;
+ group = "piracy";
+ };
 };
 }
diff --git a/modules/servers/stash.nix b/modules/servers/stash.nix
index 1186b70..285747d 100644
--- a/modules/servers/stash.nix
+++ b/modules/servers/stash.nix
@@ -65,7 +65,9 @@ in
 };
 };
 users.users.stash = {
+ uid = 974;
 isSystemUser = true;
+ group = "glue";
 packages = [ stashPythonFHS ];
 };
 };
diff --git a/modules/servers/synapse.nix b/modules/servers/synapse.nix
index 393f241..51d27e4 100644
--- a/modules/servers/synapse.nix
+++ b/modules/servers/synapse.nix
@@ -16,6 +16,9 @@ let
 add_header Access-Control-Allow-Origin *;
 return 200 '${builtins.toJSON data}';
 '';
+ id = 224;
+ gid = id;
+ uid = id;
 in
 {
 options.my.servers = {
@@ -27,6 +30,12 @@ in
 synapse = { inherit domain; };
 element = { inherit domain; };
 };
+ users.groups.matrix-synapse.gid = { inherit gid; };
+ users.users.matrix-synapse = {
+ inherit uid;
+ isSystemUser = true;
+ group = "matrix-synapse";
+ };
 sops.secrets = {
 synapse = {
 sopsFile = ../../secrets/env.yaml;
diff --git a/modules/servers/vaultwarden.nix b/modules/servers/vaultwarden.nix
index 07fdbbc..0781a82 100644
--- a/modules/servers/vaultwarden.nix
+++ b/modules/servers/vaultwarden.nix
@@ -7,11 +7,20 @@
 let
 cfg = config.my.servers.vaultwarden;
 setup = import ../factories/mkserver.nix { inherit lib config; };
+ id = 981;
+ gid = id;
+ uid = id;
 in
 {
 options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
 config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
 sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
+ users.groups.vaultwarden.gid = { inherit gid; };
+ users.users.vaultwarden = {
+ inherit uid;
+ isSystemUser = true;
+ group = "vaultwarden";
+ };
 services.vaultwarden = {
 inherit (cfg) enable;
 dbBackend = "postgresql";
diff --git a/modules/users/nixremote.nix b/modules/users/nixremote.nix
index 1ee67f6..b464b1a 100644
--- a/modules/users/nixremote.nix
+++ b/modules/users/nixremote.nix
@@ -31,6 +31,7 @@
 users = {
 groups.nixremote.gid = config.my.users.nixremote.gid;
 users.nixremote = {
+ uid = 979;
 inherit (config.my.users.nixremote) home;
 isNormalUser = true;
 createHome = true;
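Review bot: In the stash hunk, `group = "glue"` becomes the account's primary group but no `users.groups.glue` definition appears anywhere in this commit, so the group must already be declared elsewhere — worth confirming, because NixOS checks that a user's primary group exists and rejects the configuration otherwise. Separately, 974 is the gid chosen for `gitea` earlier in the diff; the namespaces are distinct so there is no clash, but it breaks the uid==gid pairing the rest of the change establishes, and a one-line comment on `uid = 974;` would save the next reader from checking.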
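Review bot: In the nixremote hunk, `uid = 979;` is a hard-coded literal on an account whose gid comes from an option (`config.my.users.nixremote.gid`, two lines above); keeping the uid beside the gid in the same `my.users.nixremote` option set (adding a `uid` option there if none exists yet) would keep the pair configurable per host in one place. Because this user is `isNormalUser = true`, a uid below 1000 sits in the range NixOS otherwise hands out to system accounts and that many tools use as the boundary for hiding system users; if that is deliberate, a short comment on the line saying so would help.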