wip uid/gid mapping
This commit is contained in:
Danilo Reyes
@@ -9,7 +9,6 @@
|
||||
{
|
||||
imports = [
|
||||
inputs.home-manager.nixosModules.home-manager
|
||||
./users.nix
|
||||
./jawz.nix
|
||||
../modules/modules.nix
|
||||
];
|
||||
|
||||
@@ -1,12 +0,0 @@
|
||||
_: {
|
||||
users.users = {
|
||||
sonarr = {
|
||||
uid = 274;
|
||||
group = "piracy";
|
||||
};
|
||||
radarr = {
|
||||
uid = 275;
|
||||
group = "piracy";
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -5,6 +5,9 @@
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
lidarrMbGapId = 968;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap
|
||||
@@ -49,12 +52,15 @@
|
||||
sopsFile = ../../secrets/env.yaml;
|
||||
};
|
||||
"private_keys/lidarr-mb-gap" =
|
||||
lib.mkIf (config.my.secureHost && config.services.lidarr-mb-gap.enable)
|
||||
{
|
||||
let
|
||||
cfg = config.services.lidarr-mb-gap;
|
||||
usr = config.users.users.lidarr-mb-gap;
|
||||
in
|
||||
lib.mkIf (config.my.secureHost && cfg.enable) {
|
||||
sopsFile = ../../secrets/keys.yaml;
|
||||
owner = config.users.users.lidarr-mb-gap.name;
|
||||
inherit (config.users.users.lidarr-mb-gap) group;
|
||||
path = "${config.users.users.lidarr-mb-gap.home}/.ssh/ed25519_lidarr-mb-gap";
|
||||
owner = usr.name;
|
||||
inherit (usr) group;
|
||||
path = "${usr.home}/.ssh/ed25519_lidarr-mb-gap";
|
||||
};
|
||||
};
|
||||
networking = {
|
||||
@@ -82,6 +88,13 @@
|
||||
users.users.jawz.packages = builtins.attrValues {
|
||||
inherit (pkgs) podman-compose attic-client;
|
||||
};
|
||||
users.groups.lidarr-mb-gap.gid = lidarrMbGapId;
|
||||
users.users.lidarr-mb-gap = {
|
||||
uid = lidarrMbGapId;
|
||||
isSystemUser = true;
|
||||
group = "lidarr-mb-gap";
|
||||
home = "/var/lib/lidarr-mb-gap";
|
||||
};
|
||||
services = {
|
||||
btrfs.autoScrub = {
|
||||
enable = true;
|
||||
|
||||
@@ -6,11 +6,15 @@
|
||||
}:
|
||||
let
|
||||
cfg = config.my.servers.gitea;
|
||||
id = 969;
|
||||
gid = id;
|
||||
uid = id;
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||
users.groups.gitea-runner = { };
|
||||
users.groups.gitea-runner = { inherit gid; };
|
||||
users.users.gitea-runner = {
|
||||
inherit uid;
|
||||
isSystemUser = true;
|
||||
group = "gitea-runner";
|
||||
extraGroups = [
|
||||
|
||||
@@ -11,6 +11,11 @@ in
|
||||
options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687;
|
||||
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||
my.servers.audiobookshelf.enableSocket = true;
|
||||
users.users.audiobookshelf = {
|
||||
uid = 978;
|
||||
group = "piracy";
|
||||
isSystemUser = true;
|
||||
};
|
||||
services.audiobookshelf = {
|
||||
inherit (cfg) enable port;
|
||||
host = cfg.ip;
|
||||
|
||||
@@ -6,11 +6,19 @@
|
||||
let
|
||||
setup = import ../factories/mkserver.nix { inherit lib config; };
|
||||
cfg = config.my.servers.bazarr;
|
||||
uid = 985;
|
||||
in
|
||||
{
|
||||
options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort;
|
||||
config.services.bazarr = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users.bazarr = {
|
||||
inherit uid;
|
||||
group = "piracy";
|
||||
isSystemUser = true;
|
||||
};
|
||||
services.bazarr = {
|
||||
inherit (cfg) enable;
|
||||
group = "piracy";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -15,6 +15,12 @@ in
|
||||
options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
|
||||
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||
sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
|
||||
users.groups.gitea.gid = 974;
|
||||
users.users.gitea = {
|
||||
uid = 975;
|
||||
isSystemUser = true;
|
||||
group = "gitea";
|
||||
};
|
||||
services.gitea = {
|
||||
inherit (cfg) enable;
|
||||
settings = {
|
||||
|
||||
@@ -28,6 +28,11 @@ in
|
||||
pkgs.jellyfin-ffmpeg
|
||||
]
|
||||
++ (lib.optional cfg.enableCron [ sub-sync-path ]);
|
||||
users.users.jellyfin = {
|
||||
uid = 984;
|
||||
group = "piracy";
|
||||
isSystemUser = true;
|
||||
};
|
||||
services = {
|
||||
jellyfin = {
|
||||
inherit (cfg) enable;
|
||||
|
||||
@@ -6,6 +6,9 @@
|
||||
let
|
||||
setup = import ../factories/mkserver.nix { inherit lib config; };
|
||||
cfg = config.my.servers.kavita;
|
||||
id = 982;
|
||||
gid = id;
|
||||
uid = id;
|
||||
in
|
||||
{
|
||||
options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
|
||||
@@ -14,7 +17,9 @@ in
|
||||
owner = config.users.users.kavita.name;
|
||||
inherit (config.users.users.kavita) group;
|
||||
};
|
||||
users.groups.kavita.gid = { inherit gid; };
|
||||
users.users.kavita = {
|
||||
inherit uid;
|
||||
isSystemUser = true;
|
||||
group = "kavita";
|
||||
extraGroups = [
|
||||
|
||||
@@ -32,6 +32,9 @@ let
|
||||
pytensorflow = pkgs.python3.withPackages (ps: [ ps.tensorflow ]);
|
||||
cfg = config.my.servers.nextcloud;
|
||||
cfgC = config.my.servers.collabora;
|
||||
id = 990;
|
||||
gid = id;
|
||||
uid = id;
|
||||
in
|
||||
{
|
||||
options.my.servers = {
|
||||
@@ -48,8 +51,11 @@ in
|
||||
"nodejs-14.21.3"
|
||||
"openssl-1.1.1v"
|
||||
];
|
||||
users.groups.nextcloud.gid = { inherit gid; };
|
||||
users.users.nextcloud = {
|
||||
inherit uid;
|
||||
isSystemUser = true;
|
||||
group = "nextcloud";
|
||||
extraGroups = [ "render" ];
|
||||
packages = builtins.attrValues {
|
||||
inherit exiftool pytensorflow;
|
||||
|
||||
@@ -6,10 +6,19 @@
|
||||
let
|
||||
setup = import ../factories/mkserver.nix { inherit lib config; };
|
||||
cfg = config.my.servers.oauth2-proxy;
|
||||
id = 967;
|
||||
gid = id;
|
||||
uid = id;
|
||||
in
|
||||
{
|
||||
options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;
|
||||
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||
users.groups.oauth2-proxy.gid = { inherit gid; };
|
||||
users.users.oauth2-proxy = {
|
||||
inherit uid;
|
||||
isSystemUser = true;
|
||||
group = "oauth2-proxy";
|
||||
};
|
||||
sops.secrets.oauth2-proxy = {
|
||||
sopsFile = ../../secrets/env.yaml;
|
||||
restartUnits = [ "oauth2-proxy.service" ];
|
||||
|
||||
@@ -2,11 +2,20 @@
|
||||
let
|
||||
cfg = config.my.servers.paperless;
|
||||
inherit (config.services.paperless) port;
|
||||
id = 315;
|
||||
gid = id;
|
||||
uid = id;
|
||||
in
|
||||
{
|
||||
options.my.servers.paperless.enable = lib.mkEnableOption "Paperless-ngx document management system";
|
||||
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
users.groups.paperless.gid = { inherit gid; };
|
||||
users.users.paperless = {
|
||||
inherit uid;
|
||||
isSystemUser = true;
|
||||
group = "paperless";
|
||||
};
|
||||
services.paperless = {
|
||||
inherit (cfg) enable;
|
||||
address = config.my.ips.server;
|
||||
|
||||
@@ -9,8 +9,13 @@ let
|
||||
in
|
||||
{
|
||||
options.my.servers.plex = setup.mkOptions "plex" "plex" 32400;
|
||||
config.services = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||
plex = {
|
||||
config = lib.mkIf (cfg.enable && config.my.secureHost) {
|
||||
users.users.plex = {
|
||||
uid = 193;
|
||||
group = "piracy";
|
||||
isSystemUser = true;
|
||||
};
|
||||
services.plex = {
|
||||
inherit (cfg) enable;
|
||||
group = "piracy";
|
||||
};
|
||||
|
||||
@@ -11,6 +11,7 @@ in
|
||||
options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users.prowlarr = {
|
||||
uid = 987;
|
||||
group = "piracy";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
@@ -10,6 +10,11 @@ in
|
||||
{
|
||||
options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users.radarr = {
|
||||
uid = 275;
|
||||
group = "piracy";
|
||||
isSystemUser = true;
|
||||
};
|
||||
services.radarr = {
|
||||
inherit (cfg) enable;
|
||||
group = "piracy";
|
||||
|
||||
@@ -9,8 +9,15 @@ let
|
||||
in
|
||||
{
|
||||
options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989;
|
||||
config.services.sonarr = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users.sonarr = {
|
||||
uid = 274;
|
||||
group = "piracy";
|
||||
isSystemUser = true;
|
||||
};
|
||||
services.sonarr = {
|
||||
inherit (cfg) enable;
|
||||
group = "piracy";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -65,7 +65,9 @@ in
|
||||
};
|
||||
};
|
||||
users.users.stash = {
|
||||
uid = 974;
|
||||
isSystemUser = true;
|
||||
group = "glue";
|
||||
packages = [ stashPythonFHS ];
|
||||
};
|
||||
};
|
||||
|
||||
@@ -16,6 +16,9 @@ let
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
return 200 '${builtins.toJSON data}';
|
||||
'';
|
||||
id = 224;
|
||||
gid = id;
|
||||
uid = id;
|
||||
in
|
||||
{
|
||||
options.my.servers = {
|
||||
@@ -27,6 +30,12 @@ in
|
||||
synapse = { inherit domain; };
|
||||
element = { inherit domain; };
|
||||
};
|
||||
users.groups.matrix-synapse.gid = { inherit gid; };
|
||||
users.users.matrix-synapse = {
|
||||
inherit uid;
|
||||
isSystemUser = true;
|
||||
group = "matrix-synapse";
|
||||
};
|
||||
sops.secrets = {
|
||||
synapse = {
|
||||
sopsFile = ../../secrets/env.yaml;
|
||||
|
||||
@@ -7,11 +7,20 @@
|
||||
let
|
||||
cfg = config.my.servers.vaultwarden;
|
||||
setup = import ../factories/mkserver.nix { inherit lib config; };
|
||||
id = 981;
|
||||
gid = id;
|
||||
uid = id;
|
||||
in
|
||||
{
|
||||
options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
|
||||
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
|
||||
sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
|
||||
users.groups.vaultwarden.gid = { inherit gid; };
|
||||
users.users.vaultwarden = {
|
||||
inherit uid;
|
||||
isSystemUser = true;
|
||||
group = "vaultwarden";
|
||||
};
|
||||
services.vaultwarden = {
|
||||
inherit (cfg) enable;
|
||||
dbBackend = "postgresql";
|
||||
|
||||
@@ -31,6 +31,7 @@
|
||||
users = {
|
||||
groups.nixremote.gid = config.my.users.nixremote.gid;
|
||||
users.nixremote = {
|
||||
uid = 979;
|
||||
inherit (config.my.users.nixremote) home;
|
||||
isNormalUser = true;
|
||||
createHome = true;
|
||||
|
||||
Reference in New Issue
Block a user