chore: merge remote-tracking branch 'refs/remotes/origin/master'

2025-12-05 23:25:39 +01:00 · 2025-11-21 11:50:22 +01:00 · 2025-11-21 11:50:22 +01:00 · a83e6f907a
commit a83e6f907a
parent c22b806b15 3fa1cfe043
22 changed files with 142 additions and 451 deletions
--- a/modules/services/attic.nix
+++ b/modules/services/attic.nix
@ -0,0 +1,52 @@
+{ config, ... }:
+{
+  services = {
+    atticd = {
+      enable = true;
+
+      # File containing the server token in the following format:
+      #   ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=<...>
+      # You can generate the token by running the following command:
+      #   openssl genrsa -traditional 4096 | base64 -w0
+      environmentFile = config.sops.secrets.atticdEnvironment.path;
+      settings = {
+        # Listen on some port. Replace it!
+        listen = "[::]:8060";
+        # The two lines below should be set to the URL where your Attic cache will be available.
+        allowed-hosts = [ "cache.liv.town" ];
+        # Apparently it's very important this ends in a "/"
+        api-endpoint = "https://cache.liv.town/";
+        jwt = { };
+        database = {
+          # I used Postgres here, but if you leave it empty
+          # it will use an in-memory SQLite DB instead.
+          # url = "postgresql://atticd@127.0.0.1/atticd";
+          # heartbeat = true;
+        };
+        storage = {
+          # You could also use S3 here. But nah lol shit's expensive.
+          type = "local";
+          # Leave this empty to use the default path,
+          # or change it to some path that Attic can write to.
+          path = "/mnt/nfs/violet/nix";
+        };
+      };
+    };
+    anubis.instances.atticd = {
+      settings = {
+        TARGET = "http://localhost:8060";
+        BIND = ":8061";
+        BIND_NETWORK = "tcp";
+      };
+    };
+    nginx.virtualHosts."cache.liv.town" = {
+      forceSSL = true;
+      sslCertificate = "/var/lib/acme/liv.town/cert.pem";
+      sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
+      locations."/" = {
+        proxyPass = "http://localhost${toString config.services.anubis.instances.atticd.settings.BIND}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -46,19 +46,28 @@ in
      };
      secrets.mailer.PASSWD = config.sops.secrets.systemMailerPassword.path;
    };
-    gitea-actions-runner = {
-      package = pkgs.forgejo-runner;
-      instances.code-liv-town = {
-        enable = true;
-        name = "forgejo-01";
-        tokenFile = "${config.sops.secrets.forgejoWorkerSecret.path}";
-        url = "https://code.liv.town";
-        labels = [
-          "node-22:docker://node:22-bookworm"
-          "nixos-latest:docker://nixos/nix"
-        ];
-      };
-    };
+    # gitea-actions-runner = {
+    #   package = pkgs.forgejo-runner;
+    #   instances.forgejo-01 = {
+    #     enable = true;
+    #     name = "forgejo-01";
+    #     tokenFile = "${config.sops.secrets.forgejoWorkerSecret.path}";
+    #     url = "https://code.liv.town";
+    #     labels = [
+    #       "node-22:docker://node:22-bookworm"
+    #       "nixos-latest:docker://nixos/nix"
+    #       # "docker:docker://node:24-alpine"
+    #       # "alpine-latest:docker://node:24-alpine"
+    #     ];
+    #     settings = {
+    #       log.level = "info";
+    #       runner = {
+    #         file = ".runner";
+    #         timeout = "3h";
+    #       };
+    #     };
+    #   };
+    # };
    anubis.instances.forgejo = {
      settings = {
        TARGET = "http://localhost:3050";
--- a/modules/services/funkwhale.nix
+++ b/modules/services/funkwhale.nix
@ -0,0 +1,16 @@
+{ config, inputs, ... }:
+{
+  nixpkgs.overlays = [ inputs.funkwhale.overlay ];
+  services = {
+    funkwhale = {
+      enable = true;
+      hostname = "music.liv.town";
+      defaultFromEmail = "notifications@liv.town";
+      protocol = "https";
+      forceSSL = true; # uncomment when LetsEncrypt needs to access "http:" in order to check domain
+      api = {
+        djangoSecretKeyFile = config.sops.secrets.funkwhaleDjangoSecret.path;
+      };
+    };
+  };
+}
--- a/modules/services/ollama.nix
+++ b/modules/services/ollama.nix
@ -3,7 +3,7 @@
    enable = true;
    # Optional: preload models, see https://ollama.com/library
    # loadModels = [ "llama3.2:3b" "deepseek-r1:1.5b"];
-    # acceleration = "rocm"; # nope, 5700XT is too old for this
+    acceleration = "rocm"; # nope, 5700XT is too old for this
  };
-  services.open-webui.enable = false;
+  services.open-webui.enable = true;
 }
--- a/modules/services/violet.nix
+++ b/modules/services/violet.nix
@ -3,12 +3,14 @@
  imports =
    [ (import ./invidious.nix) ]
    ++ [ (import ./anubis.nix) ]
+    ++ [ (import ./attic.nix) ]
    ++ [ (import ./borg.nix) ]
    ++ [ (import ./binternet-proxy.nix) ]
    ++ [ (import ./bluemap-proxy.nix) ]
    ++ [ (import ./docker.nix) ]
    ++ [ (import ./email.nix) ]
    ++ [ (import ./forgejo.nix) ]
+    # ++ [ (import ./funkwhale.nix) ]
    ++ [ (import ./grafana.nix) ]
    ++ [ (import ./guacamole.nix) ]
    ++ [ (import ./gokapi.nix) ]