
feat(odin+others): removed avahi, firmed up umask, and other things

Zander Hawke hace 9 meses
padre
commit
0f7bdc2a26

+ 0 - 36
hosts/odin/services/avahi.nix

@@ -1,36 +0,0 @@
-{ lib, pkgs, ... }:
-let
-  go-avahi-cname = lib.getExe pkgs.unstable.go-avahi-cname;
-in
-{
-  services.avahi = {
-    nssmdns4 = true;
-    enable = true;
-    ipv4 = true;
-    ipv6 = true;
-    publish = {
-      enable = true;
-      addresses = true;
-      workstation = true;
-      userServices = true;
-    };
-  };
-
-  systemd.services.avahi-cname = {
-    description = "Avahi CNAME Publisher";
-    wantedBy = [ "multi-user.target" ];
-    after = [
-      "network.target"
-      "avahi-daemon.service"
-    ];
-    requires = [ "avahi-daemon.service" ];
-
-    serviceConfig = {
-      Type = "simple";
-      User = "root";
-      ExecStart = "${go-avahi-cname} subdomain";
-      Restart = "always";
-      RestartSec = "10";
-    };
-  };
-}

+ 0 - 8
hosts/odin/services/caddy.nix

@@ -1,7 +1,5 @@
 { config, pkgs, ... }:
 {
-  networking.firewall.allowedTCPPorts = [ 80 ];
-
   services.caddy = {
     enable = true;
 
@@ -14,11 +12,5 @@
     globalConfig = ''
       acme_dns cloudflare {env.CF_API_TOKEN}
     '';
-
-    virtualHosts.welcome.hostName = "http://localhost";
-    virtualHosts.welcome.serverAliases = [ "localhost" ];
-    virtualHosts.welcome.extraConfig = ''
-      respond "Hello World"
-    '';
   };
 }

+ 0 - 1
hosts/odin/services/default.nix

@@ -1,7 +1,6 @@
 {
   imports = [
     ./adguard.nix
-    ./avahi.nix
     ./caddy.nix
     ./cloudflared.nix
     ./immich.nix

+ 15 - 44
hosts/odin/services/immich.nix

@@ -1,8 +1,7 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 let
   cfg = config.services.immich;
   domain = "photos.t5.st";
-  go-avahi-cname = lib.getExe pkgs.unstable.go-avahi-cname;
 in
 {
   services.immich = {
@@ -43,54 +42,26 @@ in
   };
 
   services.caddy.virtualHosts.immich = {
-    hostName = "http://photos.odin.local";
-    serverAliases = [ "photos.odin.t5.st" ];
+    hostName = "photos.odin.t5.st";
     extraConfig = ''
       encode gzip zstd
       reverse_proxy ${cfg.host}:${toString cfg.port}
     '';
   };
 
-  systemd.services.photos-local = {
-    description = "Avahi photos.odin.local domain";
-    wantedBy = [ "multi-user.target" ];
-    after = [
-      "network.target"
-      "avahi-daemon.service"
-    ];
-    requires = [ "avahi-daemon.service" ];
-
-    serviceConfig = {
-      Type = "simple";
-      User = "root";
-      ExecStart = "${go-avahi-cname} cname photos";
-      Restart = "always";
-      RestartSec = "10";
-    };
-  };
+  systemd.tmpfiles = {
+    settings.immich."${cfg.mediaLocation}".e.mode =
+      lib.mkForce "0750";
 
-  systemd.tmpfiles.rules = [
-    "d /mnt/storage/immich 0770 immich storage - -"
-    "d /var/cache/immich 0770 immich storage - -"
-    "d /var/cache/immich/mpl 0700 immich storage - -"
-    "d /var/cache/immich/encoded-video 0700 immich storage - -"
-    "d /var/cache/immich/profile 0700 immich storage - -"
-    "d /var/cache/immich/thumbs 0700 immich storage - -"
-  ];
-
-  system.activationScripts.createSymlink = ''
-    ln -sf /var/cache/immich/encoded-video /mnt/storage/immich/encoded-video
-    ln -sf /var/cache/immich/profile /mnt/storage/immich/profile
-    ln -sf /var/cache/immich/thumbs /mnt/storage/immich/thumbs
-  '';
-
-  services.samba.settings = {
-    christine-photos = {
-      "path" = "/mnt/storage/immich/library/3aaaf0a1-011e-450d-a47c-4a320deb93e5";
-      "browseable" = "yes";
-      "read only" = "yes";
-      "valid users" = "christine";
-      "force user" = "immich";
-    };
+    rules = [
+      "d  /var/cache/immich 0750 immich storage - -"
+      "d  /var/cache/immich/mpl 0750 immich storage - -"
+      "d  /var/cache/immich/encoded-video 0750 immich storage - -"
+      "d  /var/cache/immich/profile 0750 immich storage - -"
+      "d  /var/cache/immich/thumbs 0750 immich storage - -"
+      "L+ /var/cache/immich/encoded-video - - - - /mnt/storage/immich/encoded-video"
+      "L+ /var/cache/immich/profile - - - - /mnt/storage/immich/profile"
+      "L+ /var/cache/immich/thumbs - - - - /mnt/storage/immich/thumbs"
+    ];
   };
 }
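Review bot: The three `L+` rules at the end of the new `rules` list appear to point the opposite way from the `ln -sf` calls they replace. In tmpfiles.d the path column is where the symlink is created and the last column is its target, so these lines act on `/var/cache/immich/{encoded-video,profile,thumbs}`, the same paths the `d` rules just above declare as directories; the removed script instead created the links under `/mnt/storage/immich` pointing at the cache. Depending on how systemd-tmpfiles resolves the conflicting `d` and `L+` entries, the cache directories are either replaced by links or the `L+` lines are skipped, and in neither case is a link created under `/mnt/storage/immich`. If the old layout is intended, swap the columns, e.g. `"L+ /mnt/storage/immich/encoded-video - - - - /var/cache/immich/encoded-video"`, and likewise for `profile` and `thumbs`. Separately, the cache subdirectories go from 0700 to 0750, which gives members of `storage` read access they did not have before; worth confirming that is intended.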

+ 3 - 4
hosts/odin/services/samba.nix

@@ -5,7 +5,6 @@
 }:
 let
   shares = [ "thomas" "christine" ];
-  # TODO: make sure to add system users for all the users that don't exist
 in
 {
   services.samba = {
@@ -41,7 +40,7 @@ in
             "read only" = "no";
             "guest ok" = "no";
             "create mask" = "0644";
-            "directory mask" = "0755";
+            "directory mask" = "0750";
             "valid users" = "${name}";
             "fruit:aapl" = "yes";
             "vfs objects" = "catia fruit streams_xattr";
@@ -51,8 +50,8 @@ in
   };
 
   systemd.tmpfiles.rules = [
-    "d /mnt/storage/samba 0755 root storage -"
-  ] ++ map (name: "d /mnt/storage/samba/${name} 0770 ${name} storage -") shares;
+    "d /mnt/storage/samba 0750 root storage -"
+  ] ++ map (name: "d /mnt/storage/samba/${name} 0750 ${name} storage -") shares;
 
   system.activationScripts.addSambaUsers = {
     text = ''
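Review bot: `"create mask" = "0644"`, the context line directly above the changed `directory mask`, still lets files created through a share carry the world-readable bit, which is inconsistent with the 0750 this commit sets on directories and in the tmpfiles rules. The directory modes limit who can reach those files today, but the file bits matter again if a file is moved or the tree is re-permissioned; consider `"create mask" = "0640"`. Note also that the `d` tmpfiles rules only set the mode of the two directory levels they name, so directories already created inside a share keep their old 0755 bits until changed by hand. The share definition starts outside the hunk.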

+ 1 - 1
hosts/odin/services/vaultwarden.nix

@@ -18,7 +18,7 @@ in
   ];
 
   services.caddy.virtualHosts.vaultwarden = {
-    hostName = "vault.{$DOMAIN}";
+    hostName = "vault.odin.t5.st";
     extraConfig = ''
       encode gzip zstd
       reverse_proxy ${cfg.ROCKET_ADDRESS}:${toString cfg.ROCKET_PORT}

+ 1 - 0
hosts/odin/system/mergerfs.nix

@@ -20,6 +20,7 @@
       "moveonenospc=true"
       "minfreespace=25G"
       "func.getattr=newest"
+      "func.create=ff"
       "fsname=storage"
       "gid=${toString config.users.groups.storage.gid}"
     ];
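Review bot: The added `"func.create=ff"` has no comment, although it changes where new data lands. `ff` (first found) places new files on the first branch that passes the `minfreespace` check rather than spreading them across branches. A line such as `# create on the first branch with enough free space; drives fill in order` above it would record the intent. The option list starts outside the hunk, so the branch order this depends on is not visible here.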

+ 16 - 0
hosts/odin/users/christine.nix

@@ -0,0 +1,16 @@
+{
+  users.users.christine = {
+    isSystemUser = true;
+    group = "storage";
+  };
+
+  services.samba.settings = {
+    christine-photos = {
+      "path" = "/mnt/storage/immich/library/3aaaf0a1-011e-450d-a47c-4a320deb93e5";
+      "browseable" = "yes";
+      "read only" = "yes";
+      "valid users" = "christine";
+      "force user" = "immich";
+    };
+  };
+}
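Review bot: `"force user" = "immich"` in the `christine-photos` share makes every access through it run as the `immich` account, even though `christine` is already placed in group `storage` in this file and the commit sets the Immich media location and cache directories to 0750 elsewhere. If group read on the library path turns out to be sufficient, dropping `force user` keeps the share at the caller's own privileges. Otherwise a comment saying why it is needed would help, e.g. `# library files are immich-owned and not group-readable`. The UUID in `path` also deserves a short comment naming what it identifies (presumably the Immich library directory for this user).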

+ 4 - 15
hosts/odin/users/default.nix

@@ -1,19 +1,8 @@
-{ config, ... }:
 {
   users.mutableUsers = false;
 
-  users.users.thomas = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" "users" "storage" ];
-    shell = config.programs.fish.package;
-    hashedPasswordFile = config.age.secrets."odin/users/thomas".path;
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa 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"
-    ];
-  };
-
-  users.users.christine = {
-    isSystemUser = true;
-    group = "storage";
-  };
+  imports = [
+    ./christine.nix
+    ./thomas.nix
+  ];
 }

+ 12 - 0
hosts/odin/users/thomas.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  users.users.thomas = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "users" "storage" ];
+    shell = config.programs.fish.package;
+    hashedPasswordFile = config.age.secrets."odin/users/thomas".path;
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5o7LT5wPYWgI8Mvr6RKOv+BcsbQgU7PCw2hheVu17alwF1uFUsAYV5BVQu+uv9uEm/UDsCNhfM6TwI0A1prdmtBz4pKiwXbj7fcdp6DcVOgTsPfawbXEpivtJvlhEatyTsR26MjHKnqpT0BxPvj6Ug6pvRkCYW5d2bWXiY9murmAX6Q5kSyNunkB8PdRTH+S47f7eOdCJY63VBOkkiG8M7XyPwFCDTYiHhbMZcejIdY9mB6kYnMQVRHDznQWiQxrcaE1fD/TY3db9GDcOVoo2aDBOZX7WT2+me67sU8dEK9+nSyhWDzBbEs8knu87ZlKPFwhl4slenRniKhbf22OpicXArtEcjEj0GyDJH5e+ZCIQ4eSQanA7TxnKFlDuaf+Qqx55UT+ya4vJJeik7nkzbRHaE9IoWhhiOaOnaN6kHIxuxB6z7EL3Gk7f78+I/qBaj5df6fgnXM3JBXKa5bRH2wqoSetJAo6EGpEgmU2huB1ktiGlO7BlF5XwSw6cb/KT7NSIXhncgLkCzsDVXxecVQv1FnPISBcp3+ti01ADVf2trgpPDbNTWV40Rgiefie0o2fc6KWAFfum1j5N3WWU+XVVmRjDmKKHiEJBLNKDAe0rQf+tryPW4c5GIN7aFoB+8dYFAuUyLd7Fu3vhZdmcckN5ryHunEc0dKPIiuoVZw=="
+    ];
+  };
+}