jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wip uid/gid mapping

Browse Source
This commit is contained in:
Danilo Reyes
2026-01-17 13:36:51 -06:00
parent 1b76039f49
commit 20c8d082eb
20 changed files with 125 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/base.nix
View File

@@ -9,7 +9,6 @@
{ {
imports = [ imports = [
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
./users.nix
./jawz.nix ./jawz.nix
../modules/modules.nix ../modules/modules.nix
]; ];

12
config/users.nix
View File

@@ -1,12 +0,0 @@
_: {
users.users = {
sonarr = {
uid = 274;
group = "piracy";
};
radarr = {
uid = 275;
group = "piracy";
};
};
}

27
hosts/server/configuration.nix
View File

@@ -5,6 +5,9 @@
inputs, inputs,
... ...
}: }:
let
lidarrMbGapId = 968;
in
{ {
imports = [ imports = [
inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap
@@ -49,13 +52,16 @@
sopsFile = ../../secrets/env.yaml; sopsFile = ../../secrets/env.yaml;
}; };
"private_keys/lidarr-mb-gap" = "private_keys/lidarr-mb-gap" =
lib.mkIf (config.my.secureHost && config.services.lidarr-mb-gap.enable) let
{ cfg = config.services.lidarr-mb-gap;
sopsFile = ../../secrets/keys.yaml; usr = config.users.users.lidarr-mb-gap;
owner = config.users.users.lidarr-mb-gap.name; in
inherit (config.users.users.lidarr-mb-gap) group; lib.mkIf (config.my.secureHost && cfg.enable) {
path = "${config.users.users.lidarr-mb-gap.home}/.ssh/ed25519_lidarr-mb-gap"; sopsFile = ../../secrets/keys.yaml;
}; owner = usr.name;
inherit (usr) group;
path = "${usr.home}/.ssh/ed25519_lidarr-mb-gap";
};
}; };
networking = { networking = {
hostName = "server"; hostName = "server";
@@ -82,6 +88,13 @@
users.users.jawz.packages = builtins.attrValues { users.users.jawz.packages = builtins.attrValues {
inherit (pkgs) podman-compose attic-client; inherit (pkgs) podman-compose attic-client;
}; };
users.groups.lidarr-mb-gap.gid = lidarrMbGapId;
users.users.lidarr-mb-gap = {
uid = lidarrMbGapId;
isSystemUser = true;
group = "lidarr-mb-gap";
home = "/var/lib/lidarr-mb-gap";
};
services = { services = {
btrfs.autoScrub = { btrfs.autoScrub = {
enable = true; enable = true;

6
modules/nix/gitea-actions-runners/nixos.nix
View File

@@ -6,11 +6,15 @@
}: }:
let let
cfg = config.my.servers.gitea; cfg = config.my.servers.gitea;
id = 969;
gid = id;
uid = id;
in in
{ {
config = lib.mkIf (cfg.enable && config.my.secureHost) { config = lib.mkIf (cfg.enable && config.my.secureHost) {
users.groups.gitea-runner = { }; users.groups.gitea-runner = { inherit gid; };
users.users.gitea-runner = { users.users.gitea-runner = {
inherit uid;
isSystemUser = true; isSystemUser = true;
group = "gitea-runner"; group = "gitea-runner";
extraGroups = [ extraGroups = [

5
modules/servers/audiobookshelf.nix
View File

@@ -11,6 +11,11 @@ in
options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687; options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687;
config = lib.mkIf (cfg.enable && config.my.secureHost) { config = lib.mkIf (cfg.enable && config.my.secureHost) {
my.servers.audiobookshelf.enableSocket = true; my.servers.audiobookshelf.enableSocket = true;
users.users.audiobookshelf = {
uid = 978;
group = "piracy";
isSystemUser = true;
};
services.audiobookshelf = { services.audiobookshelf = {
inherit (cfg) enable port; inherit (cfg) enable port;
host = cfg.ip; host = cfg.ip;

14
modules/servers/bazarr.nix
View File

@@ -6,11 +6,19 @@
let let
setup = import ../factories/mkserver.nix { inherit lib config; }; setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.bazarr; cfg = config.my.servers.bazarr;
uid = 985;
in in
{ {
options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort; options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort;
config.services.bazarr = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
inherit (cfg) enable; users.users.bazarr = {
group = "piracy"; inherit uid;
group = "piracy";
isSystemUser = true;
};
services.bazarr = {
inherit (cfg) enable;
group = "piracy";
};
}; };
} }

6
modules/servers/gitea.nix
View File

@@ -15,6 +15,12 @@ in
options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083; options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
config = lib.mkIf (cfg.enable && config.my.secureHost) { config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.gitea.sopsFile = ../../secrets/env.yaml; sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
users.groups.gitea.gid = 974;
users.users.gitea = {
uid = 975;
isSystemUser = true;
group = "gitea";
};
services.gitea = { services.gitea = {
inherit (cfg) enable; inherit (cfg) enable;
settings = { settings = {

5
modules/servers/jellyfin.nix
View File

@@ -28,6 +28,11 @@ in
pkgs.jellyfin-ffmpeg pkgs.jellyfin-ffmpeg
] ]
++ (lib.optional cfg.enableCron [ sub-sync-path ]); ++ (lib.optional cfg.enableCron [ sub-sync-path ]);
users.users.jellyfin = {
uid = 984;
group = "piracy";
isSystemUser = true;
};
services = { services = {
jellyfin = { jellyfin = {
inherit (cfg) enable; inherit (cfg) enable;

5
modules/servers/kavita.nix
View File

@@ -6,6 +6,9 @@
let let
setup = import ../factories/mkserver.nix { inherit lib config; }; setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.kavita; cfg = config.my.servers.kavita;
id = 982;
gid = id;
uid = id;
in in
{ {
options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port; options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
@@ -14,7 +17,9 @@ in
owner = config.users.users.kavita.name; owner = config.users.users.kavita.name;
inherit (config.users.users.kavita) group; inherit (config.users.users.kavita) group;
}; };
users.groups.kavita.gid = { inherit gid; };
users.users.kavita = { users.users.kavita = {
inherit uid;
isSystemUser = true; isSystemUser = true;
group = "kavita"; group = "kavita";
extraGroups = [ extraGroups = [

6
modules/servers/nextcloud.nix
View File

@@ -32,6 +32,9 @@ let
pytensorflow = pkgs.python3.withPackages (ps: [ ps.tensorflow ]); pytensorflow = pkgs.python3.withPackages (ps: [ ps.tensorflow ]);
cfg = config.my.servers.nextcloud; cfg = config.my.servers.nextcloud;
cfgC = config.my.servers.collabora; cfgC = config.my.servers.collabora;
id = 990;
gid = id;
uid = id;
in in
{ {
options.my.servers = { options.my.servers = {
@@ -48,8 +51,11 @@ in
"nodejs-14.21.3" "nodejs-14.21.3"
"openssl-1.1.1v" "openssl-1.1.1v"
]; ];
users.groups.nextcloud.gid = { inherit gid; };
users.users.nextcloud = { users.users.nextcloud = {
inherit uid;
isSystemUser = true; isSystemUser = true;
group = "nextcloud";
extraGroups = [ "render" ]; extraGroups = [ "render" ];
packages = builtins.attrValues { packages = builtins.attrValues {
inherit exiftool pytensorflow; inherit exiftool pytensorflow;

9
modules/servers/oauth2-proxy.nix
View File

@@ -6,10 +6,19 @@
let let
setup = import ../factories/mkserver.nix { inherit lib config; }; setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.oauth2-proxy; cfg = config.my.servers.oauth2-proxy;
id = 967;
gid = id;
uid = id;
in in
{ {
options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180; options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;
config = lib.mkIf (cfg.enable && config.my.secureHost) { config = lib.mkIf (cfg.enable && config.my.secureHost) {
users.groups.oauth2-proxy.gid = { inherit gid; };
users.users.oauth2-proxy = {
inherit uid;
isSystemUser = true;
group = "oauth2-proxy";
};
sops.secrets.oauth2-proxy = { sops.secrets.oauth2-proxy = {
sopsFile = ../../secrets/env.yaml; sopsFile = ../../secrets/env.yaml;
restartUnits = [ "oauth2-proxy.service" ]; restartUnits = [ "oauth2-proxy.service" ];

9
modules/servers/paperless.nix
View File

@@ -2,11 +2,20 @@
let let
cfg = config.my.servers.paperless; cfg = config.my.servers.paperless;
inherit (config.services.paperless) port; inherit (config.services.paperless) port;
id = 315;
gid = id;
uid = id;
in in
{ {
options.my.servers.paperless.enable = lib.mkEnableOption "Paperless-ngx document management system"; options.my.servers.paperless.enable = lib.mkEnableOption "Paperless-ngx document management system";
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) { config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
networking.firewall.allowedTCPPorts = [ port ]; networking.firewall.allowedTCPPorts = [ port ];
users.groups.paperless.gid = { inherit gid; };
users.users.paperless = {
inherit uid;
isSystemUser = true;
group = "paperless";
};
services.paperless = { services.paperless = {
inherit (cfg) enable; inherit (cfg) enable;
address = config.my.ips.server; address = config.my.ips.server;

9
modules/servers/plex.nix
View File

@@ -9,8 +9,13 @@ let
in in
{ {
options.my.servers.plex = setup.mkOptions "plex" "plex" 32400; options.my.servers.plex = setup.mkOptions "plex" "plex" 32400;
config.services = lib.mkIf (cfg.enable && config.my.secureHost) { config = lib.mkIf (cfg.enable && config.my.secureHost) {
plex = { users.users.plex = {
uid = 193;
group = "piracy";
isSystemUser = true;
};
services.plex = {
inherit (cfg) enable; inherit (cfg) enable;
group = "piracy"; group = "piracy";
}; };

1
modules/servers/prowlarr.nix
View File

@@ -11,6 +11,7 @@ in
options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696; options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
users.users.prowlarr = { users.users.prowlarr = {
uid = 987;
group = "piracy"; group = "piracy";
isSystemUser = true; isSystemUser = true;
}; };

5
modules/servers/radarr.nix
View File

@@ -10,6 +10,11 @@ in
{ {
options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878; options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
users.users.radarr = {
uid = 275;
group = "piracy";
isSystemUser = true;
};
services.radarr = { services.radarr = {
inherit (cfg) enable; inherit (cfg) enable;
group = "piracy"; group = "piracy";

13
modules/servers/sonarr.nix
View File

@@ -9,8 +9,15 @@ let
in in
{ {
options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989; options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989;
config.services.sonarr = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
inherit (cfg) enable; users.users.sonarr = {
group = "piracy"; uid = 274;
group = "piracy";
isSystemUser = true;
};
services.sonarr = {
inherit (cfg) enable;
group = "piracy";
};
}; };
} }

2
modules/servers/stash.nix
View File

@@ -65,7 +65,9 @@ in
}; };
}; };
users.users.stash = { users.users.stash = {
uid = 974;
isSystemUser = true; isSystemUser = true;
group = "glue";
packages = [ stashPythonFHS ]; packages = [ stashPythonFHS ];
}; };
}; };

9
modules/servers/synapse.nix
View File

@@ -16,6 +16,9 @@ let
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}'; return 200 '${builtins.toJSON data}';
''; '';
id = 224;
gid = id;
uid = id;
in in
{ {
options.my.servers = { options.my.servers = {
@@ -27,6 +30,12 @@ in
synapse = { inherit domain; }; synapse = { inherit domain; };
element = { inherit domain; }; element = { inherit domain; };
}; };
users.groups.matrix-synapse.gid = { inherit gid; };
users.users.matrix-synapse = {
inherit uid;
isSystemUser = true;
group = "matrix-synapse";
};
sops.secrets = { sops.secrets = {
synapse = { synapse = {
sopsFile = ../../secrets/env.yaml; sopsFile = ../../secrets/env.yaml;

9
modules/servers/vaultwarden.nix
View File

@@ -7,11 +7,20 @@
let let
cfg = config.my.servers.vaultwarden; cfg = config.my.servers.vaultwarden;
setup = import ../factories/mkserver.nix { inherit lib config; }; setup = import ../factories/mkserver.nix { inherit lib config; };
id = 981;
gid = id;
uid = id;
in in
{ {
options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222; options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) { config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml; sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
users.groups.vaultwarden.gid = { inherit gid; };
users.users.vaultwarden = {
inherit uid;
isSystemUser = true;
group = "vaultwarden";
};
services.vaultwarden = { services.vaultwarden = {
inherit (cfg) enable; inherit (cfg) enable;
dbBackend = "postgresql"; dbBackend = "postgresql";

1
modules/users/nixremote.nix
View File

@@ -31,6 +31,7 @@
users = { users = {
groups.nixremote.gid = config.my.users.nixremote.gid; groups.nixremote.gid = config.my.users.nixremote.gid;
users.nixremote = { users.nixremote = {
uid = 979;
inherit (config.my.users.nixremote) home; inherit (config.my.users.nixremote) home;
isNormalUser = true; isNormalUser = true;
createHome = true; createHome = true;