nixos/jackflix: Remove unnecessary insecure packages exception

nixos/jackflix: Add copyparty
2025-09-08 23:29:51 +01:00 · 2025-09-08 23:28:31 +01:00
8 changed files with 158 additions and 42 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -67,6 +67,27 @@
        "type": "github"
      }
    },
+    "copyparty": {
+      "inputs": {
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1757362872,
+        "narHash": "sha256-juUSWjxX8y2gueU34BpkQipUlhZRFJNLFccdprle0iM=",
+        "owner": "9001",
+        "repo": "copyparty",
+        "rev": "e09f3c9e2c3dccf8f3912539e04dd840b10b51ee",
+        "type": "github"
+      },
+      "original": {
+        "owner": "9001",
+        "repo": "copyparty",
+        "type": "github"
+      }
+    },
    "crane": {
      "locked": {
        "lastModified": 1725409566,
@@ -148,7 +169,7 @@
    },
    "devshell-tools": {
      "inputs": {
-        "flake-utils": "flake-utils_8",
+        "flake-utils": "flake-utils_9",
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
@@ -239,6 +260,24 @@
      }
    },
    "flake-utils_10": {
+      "inputs": {
+        "systems": "systems_9"
+      },
+      "locked": {
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_11": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -302,6 +341,21 @@
      }
    },
    "flake-utils_5": {
+      "locked": {
+        "lastModified": 1678901627,
+        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_6": {
      "inputs": {
        "systems": "systems_4"
      },
@@ -319,7 +373,7 @@
        "type": "github"
      }
    },
-    "flake-utils_6": {
+    "flake-utils_7": {
      "inputs": {
        "systems": "systems_5"
      },
@@ -337,7 +391,7 @@
        "type": "github"
      }
    },
-    "flake-utils_7": {
+    "flake-utils_8": {
      "inputs": {
        "systems": "systems_7"
      },
@@ -355,7 +409,7 @@
        "type": "github"
      }
    },
-    "flake-utils_8": {
+    "flake-utils_9": {
      "inputs": {
        "systems": "systems_8"
      },
@@ -373,24 +427,6 @@
        "type": "github"
      }
    },
-    "flake-utils_9": {
-      "inputs": {
-        "systems": "systems_9"
-      },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -485,7 +521,7 @@
    },
    "nixGL": {
      "inputs": {
-        "flake-utils": "flake-utils_6",
+        "flake-utils": "flake-utils_7",
        "nixpkgs": [
          "nixpkgs-unstable"
        ]
@@ -669,7 +705,7 @@
      "inputs": {
        "agenix": "agenix",
        "crane": "crane",
-        "flake-utils": "flake-utils_7",
+        "flake-utils": "flake-utils_8",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
@@ -694,9 +730,10 @@
      "inputs": {
        "boardie": "boardie",
        "borgthin": "borgthin",
+        "copyparty": "copyparty",
        "deploy-rs": "deploy-rs",
        "devshell": "devshell_3",
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_6",
        "home-manager-stable": "home-manager-stable",
        "home-manager-unstable": "home-manager-unstable",
        "impermanence": "impermanence",
@@ -733,7 +770,7 @@
    },
    "sbt": {
      "inputs": {
-        "flake-utils": "flake-utils_10",
+        "flake-utils": "flake-utils_11",
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
@@ -753,7 +790,7 @@
    "sharry": {
      "inputs": {
        "devshell-tools": "devshell-tools",
-        "flake-utils": "flake-utils_9",
+        "flake-utils": "flake-utils_10",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
--- a/flake.nix
+++ b/flake.nix
@@ -41,6 +41,8 @@
    borgthin.url = "github:devplayer0/borg";
    # TODO: Update borgthin so this works
    # borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
+    copyparty.url = "github:9001/copyparty";
+    copyparty.inputs.nixpkgs.follows = "nixpkgs-unstable";
  };

  outputs =
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -13,6 +13,7 @@ rec {
      kea = 404;
      keepalived_script = 405;
      photoprism = 406;
+      copyparty = 408;
    };
    gids = {
      matrix-syncv3 = 400;
@@ -23,6 +24,7 @@ rec {
      keepalived_script = 405;
      photoprism = 406;
      adbusers = 407;
+      copyparty = 408;
    };
  };

--- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -23,7 +23,7 @@ in
      };
    };

-    configuration = { lib, pkgs, config, ... }:
+    configuration = { lib, pkgs, config, allAssignments, ... }:
    let
      inherit (lib) mkForce;
    in
@@ -39,8 +39,18 @@ in
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUv1ntVrZv5ripsKpcOAnyDQX2PHjowzyhqWK10Ml53";
            files = {
              "jackflix/photoprism-pass.txt" = {};
+              "jackflix/copyparty-pass.txt" = {
+                owner = "copyparty";
+                group = "copyparty";
+              };
            };
          };
+
+          firewall = {
+            tcp.allowed = [
+              3923
+            ];
+          };
        };

        users = with lib.my.c.ids; {
@@ -60,11 +70,16 @@ in
              uid = uids.photoprism;
              group = "photoprism";
            };
+            copyparty = {
+              uid = uids.copyparty;
+              extraGroups = [ "media" ];
+            };
          };
          groups = {
            media.gid = 2000;
            jellyseerr.gid = gids.jellyseerr;
            photoprism.gid = gids.photoprism;
+            copyparty.gid = gids.copyparty;
          };
        };

@@ -94,14 +109,6 @@ in
          };
        };

-        nixpkgs.config.permittedInsecurePackages = [
-          # FIXME: This is needed for Sonarr
-          "aspnetcore-runtime-wrapped-6.0.36"
-          "aspnetcore-runtime-6.0.36"
-          "dotnet-sdk-wrapped-6.0.428"
-          "dotnet-sdk-6.0.428"
-        ];
-
        services = {
          netdata.enable = true;

@@ -159,6 +166,50 @@ in
              PHOTOPRISM_DATABASE_DRIVER = "sqlite";
            };
          };
+
+          copyparty = {
+            enable = true;
+            package = pkgs.copyparty.override {
+              withMagic = true;
+            };
+            settings = {
+              name = "dev-stuff";
+              no-reload = true;
+              j = 8; # cores
+              http-only = true;
+              xff-src =
+                with allAssignments.middleman.internal;
+                [ "${ipv4.address}/32" prefixes.ctrs.v6 ];
+              rproxy = 1; # get if from x-forwarded-for
+              magic = true; # enable checking file magic on upload
+              hist = "/var/cache/copyparty";
+              shr = "/share"; # enable share creation
+              ed = true; # enable dotfiles
+              chmod-f = 664;
+              chmod-d = 775;
+              e2dsa = true; # file indexing
+              e2t = true; # metadata indexing
+              og-ua = "(Discord|Twitter|Slack)bot"; # embeds
+              theme = 6;
+            };
+            accounts.dev.passwordFile = config.age.secrets."jackflix/copyparty-pass.txt".path;
+            volumes = {
+              "/" = {
+                path = "/mnt/media/stuff";
+                access.A = "dev"; # dev has admin access
+              };
+              "/pub" = {
+                path = "/mnt/media/public";
+                access = {
+                  A = "dev";
+                  "r." = "*";
+                };
+                flags = {
+                  shr_who = "no"; # no reason to have shares here
+                };
+              };
+            };
+          };
        };
      };
    };
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -347,12 +347,7 @@ in

      "stuff.${pubDomain}" = {
        locations."/" = {
-          basicAuthFile = config.age.secrets."middleman/htpasswd".path;
-          root = "/mnt/media/stuff";
-          extraConfig = ''
-            fancyindex on;
-            fancyindex_show_dotfiles on;
-          '';
+          proxyPass = "http://jackflix-ctr.${domain}:3923";
        };
        useACMEHost = pubDomain;
      };
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -12,6 +12,7 @@ in
    inputs.impermanence.nixosModule
    inputs.ragenix.nixosModules.age
    inputs.sharry.nixosModules.default
+    inputs.copyparty.nixosModules.default
  ];

  config = mkMerge [
@@ -70,6 +71,7 @@ in
          # TODO: Re-enable when borgthin is updated
          # inputs.borgthin.overlays.default
          inputs.boardie.overlays.default
+          inputs.copyparty.overlays.default
        ];
        config = {
          allowUnfree = true;
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -587,6 +587,22 @@ in
          }
        ];
      })
+      (mkIf config.services.copyparty.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = "/var/lib/copyparty";
+            mode = "0755";
+            user = "copyparty";
+            group = "copyparty";
+          }
+          {
+            directory = "/var/cache/copyparty";
+            mode = "0755";
+            user = "copyparty";
+            group = "copyparty";
+          }
+        ];
+      })
    ]))
  ]);

--- a/secrets/jackflix/copyparty-pass.txt.age
+++ b/secrets/jackflix/copyparty-pass.txt.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyA4Qk8z
+SkhFWWMyaGM1c2luVzZzbWNvT0ZsS09yN0w1N01oY0tldWFXZnhVCkM0YzBVZUM1
+MmRzdFlCL1o5ZTdkTjkxQ1YyQ0kwbnJ0eVRuYUpQNWw2c0EKLT4gWDI1NTE5IGli
+dkp5RjZRSmROMEtQeWJiVkt2UktxdTAwUzZBRW9XajFDblFqZ3ZVR0EKYzFubnp0
+UHo5WlViYTNwbXFBd01qM0R4Wk82MTV1TzJsVVczdGRNSFRBQQotPiAnLWdyZWFz
+ZSAuPzVDCm1SZkdDMHRjT2NBVXI5ektKZ1R3dXhMUEVRblhBdC9mclFZSitSODI0
+OHZzZThEQnlBY25lVnFTQXRaV2FIYTIKeHkrY1NRCi0tLSBhUFgvd1BUbFlJeEFO
+RWRBQzcrT0ZFMG5SZVliNlZnK2N2VDJVV05UTkhBCrZM7RtMrOVIGIpod8aU4GLn
+0KBGTSq6kE01+f1kmTZDAKHx/LhiWgHYKLxTLW4VpYnUCg==
+-----END AGE ENCRYPTED FILE-----
Author	SHA1	Message	Date
Jack O'Sullivan	20b7da74bf	nixos/jackflix: Remove unnecessary insecure packages exception All checks were successful CI / Check, build and cache nixfiles (push) Successful in 2h28m59s Details	2025-09-08 23:29:51 +01:00
Jack O'Sullivan	adaf8b6a83	nixos/jackflix: Add copyparty	2025-09-08 23:28:31 +01:00