smallest change

modules/nixos/sites/cv/default.nix

@@ -27,7 +27,7 @@ in {
         root = "${inputs.resume.packages.${pkgs.system}.default}";
       };
       extraConfig = ''
-        index resume.pdf;
+        index ZacharyMyersResume.pdf;
       '';
     };
   };

modules/nixos/sites/gitlab/default.nix

@@ -75,7 +75,7 @@ in {
             mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
             mkdir -p -m 0700 "$HOME/.nix-defexpr"
             . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
-            ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-24.05 nixpkgs # 3
+            ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-24.11 nixpkgs # 3
             ${pkgs.nix}/bin/nix-channel --update nixpkgs
             ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
           '';

modules/nixos/sites/gitlab/sec/gitlab-runner.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 CtmR6w UnmasP/1wPHR+LhLwOPU8n8xmYxzSxnz3zvnIxhKngY
+bHwSyrccC/4a4X1nCSVR+Vl+Oi7Y1Sd5IzZjXVmkG5s
+-> ssh-ed25519 RMNffg 5EgurJJqitwKtwze+WrcNmfFolK29aW0nqLyRFShamY
+YsNxchVifSo+rBnhKsGYkVCxkHGmRH0FwnpLVjHYMH8
+--- 0RY2Pmkw1TKwh8hCJ55R/6IYHWZAXrKra+y82GsJWNk
+…®<>M
ÑPpÿVš9Ýc¥ÅP<Õ¨´8m<5<>{ˆÊ
8ïCê^+[S”-²ªÞ^%,­ò—˜0KÛ΀çºFDOµNbY†ts@¬ó™5§ÓE­&Us¸‘P7È5å]ÇmPd˜h<CB9C>„ä¿ÎŽCz

modules/nixos/sites/immich/default.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.sites.immich;
+in {
+  options.sites.immich = with types; {
+    enable = mkBoolOpt false "Enable Immich Photo backup";
+  };
+
+  config = mkIf cfg.enable {
+    services.immich.enable = true;
+    services.immich.port = 2283;
+
+    services.nginx.virtualHosts."i.zoeys.photos" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://[::1]:${toString config.services.immich.port}";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+        extraConfig = ''
+          client_max_body_size 50000M;
+          proxy_read_timeout   600s;
+          proxy_send_timeout   600s;
+          send_timeout         600s;
+        '';
+      };
+    };
+  };
+}

modules/nixos/sites/jellyfin/default.nix

@@ -16,6 +16,22 @@ in {
     services.jellyfin = {
       enable = true;
       openFirewall = true;
+      user = "zoey";
+      group = "users";
     };
+
+    virtualisation.oci-containers = {
+      containers.jellyfin-vue = {
+        image = "ghcr.io/jellyfin/jellyfin-vue:unstable";
+        environment = {
+          "PUBLIC_JELLYFIN_API" = "http://localhost:8096";
+        };
+        ports = [
+          "8065:80"
+        ];
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [8065];
   };
 }

modules/nixos/sites/mealie/default.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.sites.mealie;
+in {
+  options.sites.mealie = with types; {
+    enable = mkBoolOpt false "Enable mealie";
+  };
+
+  config = mkIf cfg.enable {
+    services.mealie = {
+      enable = true;
+      port = 9090;
+      listenAddress = "127.0.0.1";
+    };
+  };
+}

modules/nixos/sites/minio/default.nix

@@ -38,6 +38,7 @@ in {
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "upgrade";
+          client_max_body_size 1G;
         '';
       };
     };

modules/nixos/sites/mirror/default.nix

@@ -39,6 +39,18 @@ in {
       locations."/".extraConfig = ''
         autoindex on;
       '';
+
+      locations."~* \.iso$".extraConfig = ''
+        limit_req zone=iso_ratelimit burst=20 nodelay;
+        limit_conn iso_connlimit 5;
+        limit_rate_after 10m;
+        limit_rate 500k;
+
+        if ($http_user_agent ~* "Transmission") {
+          access_log /var/log/nginx/blocked_transmission.log combined;
+          return 403;
+        }
+      '';
     };
   };
 }

modules/nixos/sites/polaris/default.nix

@@ -0,0 +1,131 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.sites.polaris;
+
+  polaris-web = pkgs.buildNpmPackage rec {
+    pname = "polaris-web";
+    version = "76";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "agersant";
+      repo = "polaris-web";
+      rev = "build-${version}";
+      hash = "sha256-mGsgW6lRqCt+K2RrF2s4zhvYzH94K+GEXGUCn5ngBTY=";
+    };
+
+    npmDepsHash = "sha256-MVqC6mMdiqtJzAB8J8xdxO5xCwiibBasA3BvN6EiBSM=";
+
+    env.CYPRESS_INSTALL_BINARY = "0";
+
+    npmBuildScript = "build";
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/share
+      cp -a dist $out/share/polaris-web
+
+      runHook postInstall
+    '';
+  };
+
+  polaris = pkgs.rustPlatform.buildRustPackage rec {
+    pname = "polaris";
+    version = "0.15.0";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "agersant";
+      repo = "polaris";
+      tag = version;
+      hash = "sha256-uwYNyco4IY6lF+QSVEOVVhZCJ4nRkj8gsgRA0UydLHU=";
+
+      # The polaris version upstream in Cargo.lock is "0.0.0".
+      # We're unable to simply patch it in the patch phase due to
+      # rustPlatform.buildRustPackage fetching dependencies before applying patches.
+      # If we patch it after fetching dependencies we get an error when
+      # validating consistency between the final build and the prefetched deps.
+      postFetch = ''
+        # 'substituteInPlace' does not support multiline replacements?
+        sed -i $out/Cargo.lock -z \
+          -e 's/\[\[package\]\]\nname = "polaris"\nversion = "0.0.0"/[[package]]\nname = "polaris"\nversion = "'"${version}"'"/g'
+      '';
+    };
+
+    useFetchCargoVendor = true;
+    cargoHash = "sha256-EUUxKLLdXgNp7GWTWAkzdNHKogu4Voo8wjeFFzM9iEg=";
+
+    # Compile-time environment variables for where to find assets needed at runtime
+    env = {
+      POLARIS_WEB_DIR = "${polaris-web}/share/polaris-web";
+    };
+
+    preCheck = ''
+      # 'Err' value: Os { code: 24, kind: Uncategorized, message: "Too many open files" }
+      ulimit -n 4096
+      # to debug bumps
+      export RUST_BACKTRACE=1
+    '';
+
+    checkFlags = [
+      # requires network
+      "--skip=server::test::settings::put_settings_golden_path"
+    ];
+
+    __darwinAllowLocalNetworking = true;
+
+    doCheck = false;
+
+    meta = with lib; {
+      description = "Self-host your music collection, and access it from any computer and mobile device";
+      longDescription = ''
+        Polaris is a FOSS music streaming application, designed to let you enjoy your music collection
+        from any computer or mobile device. Polaris works by streaming your music directly from your
+        own computer, without uploading it to a third-party. There are no  kind of premium version.
+        The only requirement is that your computer stays on while it streams your music!
+      '';
+      homepage = "https://github.com/agersant/polaris";
+      license = licenses.mit;
+      maintainers = with maintainers; [pbsds];
+      platforms = platforms.unix;
+      mainProgram = "polaris";
+    };
+  };
+in {
+  options.sites.polaris = with types; {
+    enable = mkBoolOpt false "Enable Music (Polaris)";
+
+    domain = mkStringOpt "music.zoeys.cloud" "The domain of the music instance";
+  };
+
+  config = mkIf cfg.enable {
+    services.polaris2 = {
+      enable = true;
+      package = polaris;
+      # group = "users";
+      # user = "zoey";
+      openFirewall = true;
+      settings = {
+        mount_dirs = [
+          {
+            name = "local";
+            source = "/home/zoey/Music/";
+          }
+        ];
+      };
+    };
+
+    services.nginx.virtualHosts.${cfg.domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.polaris.port}";
+      };
+    };
+  };
+}