deluge directory permissions

Flake lock file updates:

• Updated input 'home-manager-unstable':
    'github:nix-community/home-manager/2af7c78b7bb9cf18406a193eba13ef9f99388f49' (2024-04-29)
  → 'github:nix-community/home-manager/6d3b6dc9222c12b951169becdf4b0592ee9576ef' (2024-04-30)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/53db5e1070d07e750030bf65f1b9963df8f0c678' (2024-04-27)
  → 'github:NixOS/nixos-hardware/68d680c1b7c0e67a9b2144d6776583ee83664ef4' (2024-04-30)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/12430e43bd9b81a6b4e79e64f87c624ade701eaf' (2024-04-28)
  → 'github:NixOS/nixpkgs/576ecd43d3b864966b4423a853412d6177775e8b' (2024-04-29)
• Updated input 'secrets':
    'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=6d65c05c19961bd0874240810446378cd04c0257' (2024-04-29)
  → 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=e09d11dbc33eb854f64cfda0d153ca23aeec4035' (2024-04-30)

.gitea/workflows/update.yaml

@@ -20,7 +20,7 @@ jobs:
       - run: |
           # Configure SSH
           mkdir ~/.ssh/
-          echo "git.caspervk.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd" > ~/.ssh/known_hosts
+          echo "git.caspervk.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4Kvx/lcFRvl7KlxqqhrJ32h3FzuzyLA5BNB42+p92c" > ~/.ssh/known_hosts
           echo "${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
           chmod 0600 ~/.ssh/id_ed25519
 

flake.lock

@@ -85,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714203603,
-        "narHash": "sha256-eT7DENhYy7EPLOqHI9zkIMD9RvMCXcqh6gGqOK5BWYQ=",
+        "lastModified": 1714515075,
+        "narHash": "sha256-azMK7aWH0eUc3IqU4Fg5rwZdB9WZBvimOGG3piqvtsY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c1609d584a6b5e9e6a02010f51bd368cb4782f8e",
+        "rev": "6d3b6dc9222c12b951169becdf4b0592ee9576ef",
         "type": "github"
       },
       "original": {
@@ -136,11 +136,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1714201532,
-        "narHash": "sha256-nk0W4rH7xYdDeS7k1SqqNtBaNrcgIBYNmOVc8P2puEY=",
+        "lastModified": 1714465198,
+        "narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "53db5e1070d07e750030bf65f1b9963df8f0c678",
+        "rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1714272655,
-        "narHash": "sha256-3/ghIWCve93ngkx5eNPdHIKJP/pMzSr5Wc4rNKE1wOc=",
+        "lastModified": 1714409183,
+        "narHash": "sha256-Wacm/DrzLD7mjFGnSxxyGkJgg2unU/dNdNgdngBH+RU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "12430e43bd9b81a6b4e79e64f87c624ade701eaf",
+        "rev": "576ecd43d3b864966b4423a853412d6177775e8b",
         "type": "github"
       },
       "original": {
@@ -228,11 +228,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1714320269,
-        "narHash": "sha256-hc1oeeIyhoSwz4uW1i6XbKyPrUmmjj/EwnqEjpLD1N8=",
+        "lastModified": 1714518477,
+        "narHash": "sha256-doZSxR7Aot5ZvcCSa/qiC9LbRXJr6XNuflWPS2skStk=",
         "ref": "refs/heads/master",
-        "rev": "3cb27fc185eceef3c6efc4e6084a275c153fe9ee",
-        "revCount": 30,
+        "rev": "e09d11dbc33eb854f64cfda0d153ca23aeec4035",
+        "revCount": 34,
         "type": "git",
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       },

hosts/sigma/default.nix

@@ -11,6 +11,7 @@
     ./hardware.nix
     ./jellyfin.nix
     ./mail.nix
+    ./memos.nix
     ./network.nix
     ./sonarr.nix
   ];

hosts/sigma/deluge.nix

@@ -54,6 +54,10 @@
     };
   };
 
+  # Add caspervk user to the 'torrent' group to allow viewing downloads
+  users.groups.torrent.members = ["caspervk"];
+
+
   environment.persistence."/nix/persist" = {
     directories = [
       # Deluge data directory. This is *NOT* where the downloads are saved
@@ -70,7 +74,7 @@
       # /srv/torrents/downloads/movies/ and /srv/torrents/tv/.
       {
         directory = "/srv/torrents";
-        user = "caspervk";
+        user = "deluge";
         group = "torrent";
         mode = "0770";
       }

hosts/sigma/forgejo.nix

@@ -1,9 +1,83 @@
 {
   config,
+  nixpkgs-unstable,
   pkgs,
   secrets,
   ...
 }: {
+  # Forgejo is a lightweight software forge (Git host), with a highlight on
+  # being completely free software. It's a fork of Gitea.
+  # https://wiki.nixos.org/wiki/Forgejo
+  services.forgejo = {
+    enable = true;
+    # TODO: remove package override in NixOS 24.04
+    package = nixpkgs-unstable.legacyPackages.x86_64-linux.forgejo;
+    # Run Forgejo under git:git for better ssh clone urls.
+    user = "git";
+    group = "git";
+    # https://forgejo.org/docs/latest/admin/config-cheat-sheet/
+    settings = {
+      DEFAULT = {
+        # Application name, used in the page title.
+        APP_NAME = "Git";
+      };
+      repository = {
+        # Default branch name of all repositories.
+        DEFAULT_BRANCH = "master";
+        # Comma separated list of globally disabled repo units.
+        DISABLED_REPO_UNITS = "repo.issues,repo.ext_issues,repo.pulls,repo.wiki,repo.ext_wiki,repo.projects,repo.packages";
+      };
+      ui = {
+        # Default theme.
+        DEFAULT_THEME = "gitea-light";
+      };
+      server = {
+        # Listen address. Defaults to '0.0.0.0'.
+        HTTP_ADDR = "localhost";
+        # Domain name of the server.
+        DOMAIN = "git.caspervk.net";
+        # Full public URL of Forgejo server.
+        ROOT_URL = "https://git.caspervk.net/";
+        # Landing page for unauthenticated users.
+        LANDING_PAGE = "/caspervk";
+      };
+      security = {
+        # Cookie lifetime, in days.
+        LOGIN_REMEMBER_DAYS = 365;
+      };
+      service = {
+        # Disable registration, after which only admin can create accounts for
+        # users.
+        DISABLE_REGISTRATION = true;
+      };
+      session = {
+        # Marks session cookies as “secure” as a hint for browsers to only send
+        # them via HTTPS. This option is recommend, if Forgejo is being served
+        # over HTTPS.
+        COOKIE_SECURE = true;
+        # Session engine provider.
+        PROVIDER = "db";
+      };
+    };
+  };
+
+  # The configured Forgejo user and group is only created automatically if it
+  # is left at the default "forgejo". The following is copied from
+  # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/forgejo.nix
+  # but with the mkIf removed and "forgejo" substituted for "git".
+  users.users = {
+    git = {
+      home = config.services.forgejo.stateDir;
+      useDefaultShell = true;
+      group = "git";
+      isSystemUser = true;
+    };
+  };
+  users.groups = {
+    git = {};
+  };
+
+  # https://wiki.nixos.org/wiki/Forgejo
   # https://forgejo.org/docs/latest/admin/actions/
   services.gitea-actions-runner = {
     package = pkgs.forgejo-actions-runner;
@@ -31,6 +105,17 @@
     };
   };
 
+  environment.persistence."/nix/persist" = {
+    directories = [
+      {
+        directory = "/var/lib/forgejo";
+        user = "git";
+        group = "git";
+        mode = "0750";
+      }
+    ];
+  };
+
   age.secrets.forgejo-actions-runner-token-file = {
     file = "${secrets}/secrets/forgejo-actions-runner-token-file.age";
     mode = "400";

hosts/sigma/memos.nix

@@ -0,0 +1,20 @@
+{...}: {
+  virtualisation.oci-containers.containers = {
+    memos = {
+      # https://www.usememos.com/docs/install/self-hosting
+      image = "docker.io/neosmemo/memos:stable";
+      environment = {
+        # https://github.com/usememos/memos/issues/2433#issuecomment-1797316081
+        MEMOS_METRIC = "false";
+      };
+      ports = [
+        # TODO: for some *very* weird reason, exposing the port does not work
+        # if we use the same port on the host and inside the container. Why??
+        "127.0.0.1:5231:5230"
+      ];
+      volumes = [
+        "memos:/var/opt/memos"
+      ];
+    };
+  };
+}

modules/base/default.nix

@@ -11,6 +11,7 @@
     ./network.nix
     ./nix.nix
     ./packages.nix
+    ./podman.nix
     ./ripgrep.nix
     ./ssh.nix
     ./sudo.nix

modules/base/podman.nix

@@ -0,0 +1,30 @@
+{...}: {
+  # Podman can run rootless containers and be a drop-in replacement for Docker.
+  # It is used for systemd services containers defined using
+  # `virtualisation.oci-containers`.
+  # https://wiki.nixos.org/wiki/Podman
+  virtualisation.containers.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    # Automatically `podman system prune` weekly
+    autoPrune.enable = true;
+    # Required for containers under podman-compose to be able to talk to each
+    # other.
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      ipv6_enabled = true;
+    };
+  };
+
+  # Persist docker volumes
+  environment.persistence."/nix/persist" = {
+    directories = [
+      {
+        directory = "/var/lib/containers";
+        user = "root";
+        group = "root";
+        mode = "0700";
+      }
+    ];
+  };
+}

modules/borg.nix

@@ -90,15 +90,17 @@
       "! /**/found.000/*"
 
       "! /**/.cache"
-      "! /**/Cache"
       "! /**/cache"
+      "! /**/Cache"
       "! /srv/torrents"
+      "! /var/lib/containers/overlay*"
       "! /var/lib/docker/overlay2"
       "- *.tmp"
 
       "! /home/*/Android/Sdk"
       "! /home/*/Downloads"
       "! /home/*/GOG Games"
+      "! /home/*/.local/share/containers/storage/overlay*"
       "! /home/*/.steam"
     ];