jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wip uid/gid mapping

Browse Source
This commit is contained in:
Danilo Reyes
2026-01-17 13:36:51 -06:00
parent 1b76039f49
commit 20c8d082eb
20 changed files with 125 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/base.nix
View File

@@ -9,7 +9,6 @@
{
imports = [
inputs.home-manager.nixosModules.home-manager
./users.nix
./jawz.nix
../modules/modules.nix
];

12
config/users.nix
View File

@@ -1,12 +0,0 @@
_: {
users.users = {
sonarr = {
uid = 274;
group = "piracy";
};
radarr = {
uid = 275;
group = "piracy";
};
};
}

27
hosts/server/configuration.nix
View File

@@ -5,6 +5,9 @@
inputs,
...
}:
let
lidarrMbGapId = 968;
in
{
imports = [
inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap
@@ -49,13 +52,16 @@
sopsFile = ../../secrets/env.yaml;
};
"private_keys/lidarr-mb-gap" =
lib.mkIf (config.my.secureHost && config.services.lidarr-mb-gap.enable)
{
sopsFile = ../../secrets/keys.yaml;
owner = config.users.users.lidarr-mb-gap.name;
inherit (config.users.users.lidarr-mb-gap) group;
path = "${config.users.users.lidarr-mb-gap.home}/.ssh/ed25519_lidarr-mb-gap";
};
let
cfg = config.services.lidarr-mb-gap;
usr = config.users.users.lidarr-mb-gap;
in
lib.mkIf (config.my.secureHost && cfg.enable) {
sopsFile = ../../secrets/keys.yaml;
owner = usr.name;
inherit (usr) group;
path = "${usr.home}/.ssh/ed25519_lidarr-mb-gap";
};
};
networking = {
hostName = "server";
@@ -82,6 +88,13 @@
users.users.jawz.packages = builtins.attrValues {
inherit (pkgs) podman-compose attic-client;
};
users.groups.lidarr-mb-gap.gid = lidarrMbGapId;
users.users.lidarr-mb-gap = {
uid = lidarrMbGapId;
isSystemUser = true;
group = "lidarr-mb-gap";
home = "/var/lib/lidarr-mb-gap";
};
services = {
btrfs.autoScrub = {
enable = true;

6
modules/nix/gitea-actions-runners/nixos.nix
View File

@@ -6,11 +6,15 @@
}:
let
cfg = config.my.servers.gitea;
id = 969;
gid = id;
uid = id;
in
{
config = lib.mkIf (cfg.enable && config.my.secureHost) {
users.groups.gitea-runner = { };
users.groups.gitea-runner = { inherit gid; };
users.users.gitea-runner = {
inherit uid;
isSystemUser = true;
group = "gitea-runner";
extraGroups = [

5
modules/servers/audiobookshelf.nix
View File

@@ -11,6 +11,11 @@ in
options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
my.servers.audiobookshelf.enableSocket = true;
users.users.audiobookshelf = {
uid = 978;
group = "piracy";
isSystemUser = true;
};
services.audiobookshelf = {
inherit (cfg) enable port;
host = cfg.ip;

14
modules/servers/bazarr.nix
View File

@@ -6,11 +6,19 @@
let
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.bazarr;
uid = 985;
in
{
options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort;
config.services.bazarr = lib.mkIf cfg.enable {
inherit (cfg) enable;
group = "piracy";
config = lib.mkIf cfg.enable {
users.users.bazarr = {
inherit uid;
group = "piracy";
isSystemUser = true;
};
services.bazarr = {
inherit (cfg) enable;
group = "piracy";
};
};
}

6
modules/servers/gitea.nix
View File

@@ -15,6 +15,12 @@ in
options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.gitea.sopsFile = ../../secrets/env.yaml;
users.groups.gitea.gid = 974;
users.users.gitea = {
uid = 975;
isSystemUser = true;
group = "gitea";
};
services.gitea = {
inherit (cfg) enable;
settings = {

5
modules/servers/jellyfin.nix
View File

@@ -28,6 +28,11 @@ in
pkgs.jellyfin-ffmpeg
]
++ (lib.optional cfg.enableCron [ sub-sync-path ]);
users.users.jellyfin = {
uid = 984;
group = "piracy";
isSystemUser = true;
};
services = {
jellyfin = {
inherit (cfg) enable;

5
modules/servers/kavita.nix
View File

@@ -6,6 +6,9 @@
let
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.kavita;
id = 982;
gid = id;
uid = id;
in
{
options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
@@ -14,7 +17,9 @@ in
owner = config.users.users.kavita.name;
inherit (config.users.users.kavita) group;
};
users.groups.kavita.gid = { inherit gid; };
users.users.kavita = {
inherit uid;
isSystemUser = true;
group = "kavita";
extraGroups = [

6
modules/servers/nextcloud.nix
View File

@@ -32,6 +32,9 @@ let
pytensorflow = pkgs.python3.withPackages (ps: [ ps.tensorflow ]);
cfg = config.my.servers.nextcloud;
cfgC = config.my.servers.collabora;
id = 990;
gid = id;
uid = id;
in
{
options.my.servers = {
@@ -48,8 +51,11 @@ in
"nodejs-14.21.3"
"openssl-1.1.1v"
];
users.groups.nextcloud.gid = { inherit gid; };
users.users.nextcloud = {
inherit uid;
isSystemUser = true;
group = "nextcloud";
extraGroups = [ "render" ];
packages = builtins.attrValues {
inherit exiftool pytensorflow;

9
modules/servers/oauth2-proxy.nix
View File

@@ -6,10 +6,19 @@
let
setup = import ../factories/mkserver.nix { inherit lib config; };
cfg = config.my.servers.oauth2-proxy;
id = 967;
gid = id;
uid = id;
in
{
options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
users.groups.oauth2-proxy.gid = { inherit gid; };
users.users.oauth2-proxy = {
inherit uid;
isSystemUser = true;
group = "oauth2-proxy";
};
sops.secrets.oauth2-proxy = {
sopsFile = ../../secrets/env.yaml;
restartUnits = [ "oauth2-proxy.service" ];

9
modules/servers/paperless.nix
View File

@@ -2,11 +2,20 @@
let
cfg = config.my.servers.paperless;
inherit (config.services.paperless) port;
id = 315;
gid = id;
uid = id;
in
{
options.my.servers.paperless.enable = lib.mkEnableOption "Paperless-ngx document management system";
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
networking.firewall.allowedTCPPorts = [ port ];
users.groups.paperless.gid = { inherit gid; };
users.users.paperless = {
inherit uid;
isSystemUser = true;
group = "paperless";
};
services.paperless = {
inherit (cfg) enable;
address = config.my.ips.server;

9
modules/servers/plex.nix
View File

@@ -9,8 +9,13 @@ let
in
{
options.my.servers.plex = setup.mkOptions "plex" "plex" 32400;
config.services = lib.mkIf (cfg.enable && config.my.secureHost) {
plex = {
config = lib.mkIf (cfg.enable && config.my.secureHost) {
users.users.plex = {
uid = 193;
group = "piracy";
isSystemUser = true;
};
services.plex = {
inherit (cfg) enable;
group = "piracy";
};

1
modules/servers/prowlarr.nix
View File

@@ -11,6 +11,7 @@ in
options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
config = lib.mkIf cfg.enable {
users.users.prowlarr = {
uid = 987;
group = "piracy";
isSystemUser = true;
};

5
modules/servers/radarr.nix
View File

@@ -10,6 +10,11 @@ in
{
options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
config = lib.mkIf cfg.enable {
users.users.radarr = {
uid = 275;
group = "piracy";
isSystemUser = true;
};
services.radarr = {
inherit (cfg) enable;
group = "piracy";

13
modules/servers/sonarr.nix
View File

@@ -9,8 +9,15 @@ let
in
{
options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989;
config.services.sonarr = lib.mkIf cfg.enable {
inherit (cfg) enable;
group = "piracy";
config = lib.mkIf cfg.enable {
users.users.sonarr = {
uid = 274;
group = "piracy";
isSystemUser = true;
};
services.sonarr = {
inherit (cfg) enable;
group = "piracy";
};
};
}

2
modules/servers/stash.nix
View File

@@ -65,7 +65,9 @@ in
};
};
users.users.stash = {
uid = 974;
isSystemUser = true;
group = "glue";
packages = [ stashPythonFHS ];
};
};

9
modules/servers/synapse.nix
View File

@@ -16,6 +16,9 @@ let
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
id = 224;
gid = id;
uid = id;
in
{
options.my.servers = {
@@ -27,6 +30,12 @@ in
synapse = { inherit domain; };
element = { inherit domain; };
};
users.groups.matrix-synapse.gid = { inherit gid; };
users.users.matrix-synapse = {
inherit uid;
isSystemUser = true;
group = "matrix-synapse";
};
sops.secrets = {
synapse = {
sopsFile = ../../secrets/env.yaml;

9
modules/servers/vaultwarden.nix
View File

@@ -7,11 +7,20 @@
let
cfg = config.my.servers.vaultwarden;
setup = import ../factories/mkserver.nix { inherit lib config; };
id = 981;
gid = id;
uid = id;
in
{
options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml;
users.groups.vaultwarden.gid = { inherit gid; };
users.users.vaultwarden = {
inherit uid;
isSystemUser = true;
group = "vaultwarden";
};
services.vaultwarden = {
inherit (cfg) enable;
dbBackend = "postgresql";

1
modules/users/nixremote.nix
View File

@@ -31,6 +31,7 @@
users = {
groups.nixremote.gid = config.my.users.nixremote.gid;
users.nixremote = {
uid = 979;
inherit (config.my.users.nixremote) home;
isNormalUser = true;
createHome = true;