From f54b895602857606f776c87a23791c6a5c652f3b Mon Sep 17 00:00:00 2001 From: Haak Saxberg Date: Thu, 2 Oct 2025 21:00:17 -0700 Subject: [PATCH 1/5] Add immich to the set of programs we have configured --- nix/deployments/hive.nix | 1 + nix/home/programs/immich/default.nix | 62 ++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 nix/home/programs/immich/default.nix diff --git a/nix/deployments/hive.nix b/nix/deployments/hive.nix index fcf64a6..622710a 100644 --- a/nix/deployments/hive.nix +++ b/nix/deployments/hive.nix @@ -61,6 +61,7 @@ in ../home/programs/jellyfin ../home/programs/calibre-web ../home/programs/forgejo/webserver.nix + ../home/programs/immich ]; fileSystems."/storage" = { diff --git a/nix/home/programs/immich/default.nix b/nix/home/programs/immich/default.nix new file mode 100644 index 0000000..c2c8ccc --- /dev/null +++ b/nix/home/programs/immich/default.nix 
@@ -0,0 +1,62 @@ +{ lib, config, ... }: + +let + immichDomain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/immichdomain; +in +{ + services.immich = { + enable = true; + port = 2283; + mediaLocation = "/storage/organized/photos"; + + ## Enable hardware acceleration for video + # `null` will give access to all devices. +# You may want to restrict this by using something like `[ "/dev/dri/renderD128" ]` + accelerationDevices = null; + + settings.server.externalDomain = "https://${immichDomain}"; +}; + + hardware.graphics = { + enable = true; + # Maybe we need more here, hard to say... + }; + + users.users.immich.extraGroups = [ "video" "render" "multimedia" + # something strange here about remote file-system groups... + "jellyfin" ]; + + ## Expose immich to "the world" + networking.firewall = { + allowedTCPPorts = [ + #nginx + 80 + 443 + ]; + }; + + services.nginx = { + + recommendedProxySettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts."${immichDomain}" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + client_max_body_size 50000M; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s; + ''; + + locations."/" = { + proxyPass = "http://[::1]:${toString config.services.immich.port}"; + proxyWebsockets = true; + }; + }; + }; +} + From e4a88cc6990ce0ac7f367cb4ce3e999a0a5c7db7 Mon Sep 17 00:00:00 2001 From: Haak Saxberg Date: Tue, 6 Jan 2026 10:01:41 -0800 Subject: [PATCH 2/5] Stop serving calibre-web --- nix/deployments/hive.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nix/deployments/hive.nix b/nix/deployments/hive.nix index 622710a..ab1eb1d 100644 --- a/nix/deployments/hive.nix +++ b/nix/deployments/hive.nix @@ -59,7 +59,6 @@ in ../system/xps11/configuration.nix ../home/programs/nginx ../home/programs/jellyfin - ../home/programs/calibre-web ../home/programs/forgejo/webserver.nix ../home/programs/immich ]; 
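Review bot: `accelerationDevices = null;` in `services.immich` gives the service access to all devices, per the comment above it, while the same file publishes immich through nginx on ports 80 and 443. A flaw in the photo or video pipeline would then reach more of the host than transcoding needs. The comment already names the narrower form, so I would use `accelerationDevices = [ "/dev/dri/renderD128" ];` once the render node on this machine is confirmed. The `"jellyfin"` entry in `users.users.immich.extraGroups` is a similar widening: it presumably lets immich read whatever the jellyfin group owns under `/storage`. The "something strange" comment should name the path that needs it, or a dedicated shared media group should replace it.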
From b21c3b559baece14094ce89fc55db3cb0e78b759 Mon Sep 17 00:00:00 2001 From: Haak Saxberg Date: Tue, 6 Jan 2026 10:02:30 -0800 Subject: [PATCH 3/5] Update configuration based on new nixpkgs errors --- nix/home/programs/beets/default.nix | 4 +++- nix/home/programs/nvim/default.nix | 2 +- nix/home/programs/zsh/default.nix | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/nix/home/programs/beets/default.nix b/nix/home/programs/beets/default.nix index 547bb1f..a3af9b9 100644 --- a/nix/home/programs/beets/default.nix +++ b/nix/home/programs/beets/default.nix @@ -1,6 +1,8 @@ { pkgs, ... }: { - environment.systemPackages = with pkgs; [ beets-unstable ]; + environment.systemPackages = with pkgs; [ + beets + ]; # If using home-manager, we could the beets settings in a more in-nix way. As # it is, here's the YAML that's currently on the NAS. If being serious, we diff --git a/nix/home/programs/nvim/default.nix b/nix/home/programs/nvim/default.nix index d8bafd0..60cd79d 100644 --- a/nix/home/programs/nvim/default.nix +++ b/nix/home/programs/nvim/default.nix @@ -127,7 +127,7 @@ with builtins; pkgs.replaceVars ./nvim-lspconfig.lua { # since both of these are used for actually configuring the system, # we'll probably always want them around. - lua_ls = pkgs.sumneko-lua-language-server; + lua_ls = pkgs.lua-language-server; nixd = pkgs.nixd; ts_server = pkgs.nodePackages.typescript-language-server; diagnostic_server = pkgs.nodePackages.diagnostic-languageserver; diff --git a/nix/home/programs/zsh/default.nix b/nix/home/programs/zsh/default.nix index 355cde6..53c4ad1 100644 --- a/nix/home/programs/zsh/default.nix +++ b/nix/home/programs/zsh/default.nix @@ -12,7 +12,7 @@ with builtins; { enableCompletion = true; defaultKeymap = "viins"; - initExtra = readFile ./zshrc; + initContent = readFile ./zshrc; oh-my-zsh = { enable = true; From 67243bad118531eb49e9184bd421ade1b0f8eb86 Mon Sep 17 00:00:00 2001 
From: Haak Saxberg Date: Tue, 6 Jan 2026 10:02:59 -0800 Subject: [PATCH 4/5] Cleanup of some configuration: jellyfin, nvim, systems --- nix/home/programs/jellyfin/default.nix | 4 +--- nix/home/programs/nvim/init.vim | 1 - nix/system/svalbard/configuration.nix | 9 ++++----- nix/system/xps11/configuration.nix | 4 +++- 4 files changed, 8 insertions(+), 10 deletions(-) diff --git a/nix/home/programs/jellyfin/default.nix b/nix/home/programs/jellyfin/default.nix index 50fadbc..d0c09db 100644 --- a/nix/home/programs/jellyfin/default.nix +++ b/nix/home/programs/jellyfin/default.nix @@ -3,9 +3,6 @@ { networking.firewall = { allowedTCPPorts = [ - # jellyfin frontend - 8096 - 8920 #nginx 80 443 @@ -22,6 +19,7 @@ # 2. override default hardening measure from NixOS - this is default since 22.05 systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false; + ## Expose jelly to "the world" services.nginx = { virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/domain}" = { forceSSL = true; diff --git a/nix/home/programs/nvim/init.vim b/nix/home/programs/nvim/init.vim index 854bfd8..a3c9351 100644 --- a/nix/home/programs/nvim/init.vim +++ b/nix/home/programs/nvim/init.vim @@ -6,7 +6,6 @@ filetype plugin indent on let g:netrw_liststyle = 3 set nobackup set noswapfile -set pastetoggle= set nowrap set background=dark diff --git a/nix/system/svalbard/configuration.nix b/nix/system/svalbard/configuration.nix index 323bc50..57b0e51 100644 --- a/nix/system/svalbard/configuration.nix +++ b/nix/system/svalbard/configuration.nix @@ -42,7 +42,7 @@ (pkgs.writeTextFile { name = "dev-device-no-auto-name"; text = '' - SUBSYSTEM=="net", ACTION=="add", DEVTYPE!=="?*", ATTR{address}=="04:7c:16:10:27:5e", NAME="eth0" + SUBSYSTEM=="net", ACTION=="add", ENV{DEVTYPE}!="?*", ATTR{address}=="04:7c:16:10:27:5e", NAME="eth0" ''; destination = "/etc/udev/rules.d/70-persistent-net.rules"; 
@@ -50,12 +50,12 @@ ]; # Select internationalisation properties. - i18n.defaultLocale = "en_US.utf8"; + i18n.defaultLocale = "en_US.UTF-8"; # Configure keymap in X11 services.xserver = { - layout = "us"; - xkbVariant = ""; + xkb.layout = "us"; + xkb.variant = ""; }; # Allow unfree packages @@ -94,5 +94,4 @@ # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "22.05"; # Did you read the comment? - } diff --git a/nix/system/xps11/configuration.nix b/nix/system/xps11/configuration.nix index e274c57..bf3ca8f 100644 --- a/nix/system/xps11/configuration.nix +++ b/nix/system/xps11/configuration.nix @@ -82,7 +82,7 @@ name = "dev-device-no-auto-name"; # xps11 uses a usb device as an ethernet port text = '' - SUBSYSTEM=="net", ACTION=="add", DEVTYPE!=="?*", ATTR{address}=="00:e0:4c:68:13:bf", NAME="eth0" + SUBSYSTEM=="net", ACTION=="add", ENV{DEVTYPE}!="?*", ATTR{address}=="00:e0:4c:68:13:bf", NAME="eth0" ''; destination = "/etc/udev/rules.d/70-persistent-net.rules"; @@ -116,4 +116,6 @@ # servers. You should change this only after NixOS release notes say you # should. system.stateVersion = "20.03"; # Did you read the comment? + # postgres 11 has EOL'd + services.postgresql.package = pkgs.postgresql_15; } From ad82b2f136532401f2c6f45359af2d8f742bc905 Mon Sep 17 00:00:00 2001 From: Haak Saxberg Date: Tue, 6 Jan 2026 10:03:24 -0800 Subject: [PATCH 5/5] Configure mangadex downloader --- .../programs/mangadex-downloader/default.nix | 58 +++++++++++++++++++ nix/system/framework/configuration.nix | 1 + 2 files changed, 59 insertions(+) create mode 100644 nix/home/programs/mangadex-downloader/default.nix diff --git a/nix/home/programs/mangadex-downloader/default.nix b/nix/home/programs/mangadex-downloader/default.nix new file mode 100644 index 0000000..6b14982 --- /dev/null +++ b/nix/home/programs/mangadex-downloader/default.nix 
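Review bot: The added `services.postgresql.package = pkgs.postgresql_15;` at the end of xps11's configuration changes the PostgreSQL major version with no visible migration step. As far as I know, the NixOS module derives its default data directory from the package's major version, so on a host with an existing PostgreSQL 11 cluster this would likely start an empty 15 cluster and leave the old data behind. If a dump/restore or `pg_upgrade` was done out of band, record that in the comment, e.g. `# postgres 11 is EOL; data migrated to 15 via pg_upgrade on <date>`. The line would also read better moved away from the `system.stateVersion` comment block, which it now appears to belong to. Whether postgresql is enabled on this host is outside the hunk.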
@@ -0,0 +1,58 @@ +{ pkgs, ... }: + +let + + buildPythonPackage = pkgs.python311Packages.buildPythonPackage; + fetchPypi = pkgs.python311Packages.fetchPypi; + requests_doh = buildPythonPackage rec { + pname = "requests_doh"; + version = "1.0.0"; + format = "setuptools"; + src = fetchPypi { + inherit pname version; + sha256 = "sha256-bOi8liRQMKGY7yDSEAtNyzsSCgWljfcD+L4SGnn48vs="; + }; + + doCheck = false; + + propagatedBuildInputs = with pkgs.python311Packages; [ + requests + dnspython + ] ++ requests.optional-dependencies.socks ++ dnspython.optional-dependencies.doh; + }; + + mangadex-downloader = buildPythonPackage + rec { + pname = "mangadex_downloader"; + version = "3.1.4"; + format = "setuptools"; + + src = fetchPypi { + inherit pname version; + sha256 = "sha256-653lHYQPFZ3I9+bqMRxGcSyJv1MEqPvYbbX0j/SATyo="; + }; + + doCheck = false; + + propagatedBuildInputs = with pkgs.python311Packages; [ + pysocks + requests_doh + requests + beautifulsoup4 + chardet + packaging + requests + tqdm + pyjwt + pillow + pathvalidate + ]++ requests.optional-dependencies.socks; + }; +in +{ + environment.systemPackages = [ + (pkgs.python311.withPackages (p: [ + mangadex-downloader + ])) + ]; +} diff --git a/nix/system/framework/configuration.nix b/nix/system/framework/configuration.nix index a602dab..0bccf23 100644 --- a/nix/system/framework/configuration.nix +++ b/nix/system/framework/configuration.nix @@ -15,6 +15,7 @@ # Include the results of the hardware scan. ./hardware-configuration.nix ../common/users.nix + (import ../../home/programs/mangadex-downloader) ]; # enable nix-flakes
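Review bot: Both derivations in `mangadex-downloader/default.nix` set `doCheck = false` with no reason given. These two packages are fetched from PyPI and pinned here, so a short comment such as `# tests disabled: <reason>` would tell whoever next bumps `version` and the hash whether checks can be turned back on. In `mangadex-downloader`'s `propagatedBuildInputs`, `requests` is listed twice and `pysocks` is presumably already provided by `requests.optional-dependencies.socks`; dropping the duplicates keeps the dependency set easier to audit. The `sha256 = "sha256-…"` attributes already hold SRI values, so `hash = "sha256-…";` would be the clearer spelling for `fetchPypi`.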