From 9607277667972a682bd49199d296c86a7f773525 Mon Sep 17 00:00:00 2001
From: kiri
Date: Mon, 1 Dec 2025 23:32:24 +0100
Subject: [PATCH] Improve filebrowser and rclone
---
 modules/home-manager/rclone.nix | 44 ++++++++++++++++++++++++++++++---
 modules/nixos/filebrowser.nix | 26 +++++++++++++------
 secrets/default.nix | 1 +
 secrets/secrets.yaml | 5 ++--
 4 files changed, 64 insertions(+), 12 deletions(-)
diff --git a/modules/home-manager/rclone.nix b/modules/home-manager/rclone.nix
index bf00d01..9d371a2 100644
--- a/modules/home-manager/rclone.nix
+++ b/modules/home-manager/rclone.nix
@@ -1,7 +1,19 @@
-{ config, ... }:
+{
+ config,
+ pkgs,
+ ...
+}:
 {
 programs.rclone = {
 enable = true;
+
+ # Give rclone access to the ssh agent
+ package = pkgs.writeShellScriptBin "rclone" ''
+ export GNUPGHOME="${config.xdg.dataHome}/gnupg"
+ export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
+ exec ${pkgs.rclone}/bin/rclone "$@"
+ '';
+
 remotes = {
 gdrive = {
 config = {
@@ -24,9 +36,35 @@
 mountPoint = "${config.home.homeDirectory}/gdrive";
 options = {
- dir-cache-time = "5000h";
+ dir-cache-time = "5m";
 poll-interval = "10s";
- vfs-cache-mode = "full";
+ };
+ };
+ };
+ };
+
+ orion = {
+ config = {
+ type = "sftp";
+ user = config.var.username;
+ };
+
+ secrets = {
+ host = config.sops.secrets.orion_ip.path;
+ };
+
+ mounts = {
+ "/var/lib/filebrowser/files" = {
+ enable = true;
+
+ mountPoint = "${config.home.homeDirectory}/orion";
+
+ options = {
+ dir-cache-time = "5m";
+ poll-interval = "10s";
+ # Network optimizations
+ "buffer-size" = "32M";
+ "vfs-read-chunk-size" = "32M";
 };
 };
 };
 };
diff --git a/modules/nixos/filebrowser.nix b/modules/nixos/filebrowser.nix
index 52fb950..eaefd05 100644
--- a/modules/nixos/filebrowser.nix
+++ b/modules/nixos/filebrowser.nix
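Review bot: The wrapper's `export SSH_AUTH_SOCK=$(…)` line hides a failing `gpgconf`, because `export` reports success whatever the command substitution returned; rclone would then start with an empty socket path and fail later with an authentication error that does not point back here. Assign first and export afterwards: `SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)" || exit 1` followed by `export SSH_AUTH_SOCK`. The wrapper also replaces any agent socket already present in the environment for every rclone invocation, including the gdrive remote, so the comment above `package` should say that the gpg-agent socket is forced rather than just "access to the ssh agent".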
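Review bot: The new `orion` sftp remote sets no `known_hosts_file`, and rclone's sftp backend does not validate the server's host key unless that option is given, so the mount would trust whichever host answers at the address read from `orion_ip`. Add `known_hosts_file = "${config.home.homeDirectory}/.ssh/known_hosts";` to `orion.config`, with the server's key recorded in that file, so that a substituted host is rejected instead of being mounted under `~/orion`. Separately, the gdrive mount loses `vfs-cache-mode = "full"` and the orion mount never sets it; if writes through these mounts are expected, a short comment on why the default cache mode is wanted would help the next reader.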
@@ -8,11 +8,6 @@ let storageRoot = "/var/lib/filebrowser/files"; publishDirName = "_publish"; - fontPackages = with pkgs; [ - libertinus - gyre-fonts - ]; - processorScript = pkgs.writeShellScriptBin "process-docs" '' SRC_ROOT="${storageRoot}" OUT_ROOT="${storageRoot}/${publishDirName}" @@ -73,6 +68,11 @@ let in { + + imports = [ + ./fonts.nix + ]; + services.filebrowser = { enable = true; @@ -87,12 +87,12 @@ in reverse_proxy :${toString config.services.filebrowser.settings.port} ''; + # Auto compile pdfs systemd.services.pdf-watcher = { description = "Auto-compile MD and Typst to PDF"; after = [ "filebrowser.service" ]; wantedBy = [ "multi-user.target" ]; - # Important: Run as the same user as Filebrowser to avoid permission issues serviceConfig = { User = "filebrowser"; Group = "filebrowser"; @@ -102,7 +102,7 @@ in Environment = [ "HOME=/var/lib/filebrowser" "XDG_CACHE_HOME=/var/lib/filebrowser/.cache" - "TYPST_FONT_PATHS=${lib.makeSearchPath "share/fonts" fontPackages}" + # 3"TYPST_FONT_PATHS=${lib.makeSearchPath "share/fonts" fontPackages}" ]; Restart = "always"; @@ -113,4 +113,16 @@ in pandoc ]; }; + + # Allow my user to access the filebrowser directory + users.users."${config.var.username}".extraGroups = [ "filebrowser" ]; + + systemd.services.filebrowser.serviceConfig = { + UMask = lib.mkForce "0007"; + }; + + systemd.tmpfiles.rules = [ + "Z /var/lib/filebrowser 0750 filebrowser filebrowser -" # Explicitly secure the data dir root + "Z /var/lib/filebrowser/files 2770 filebrowser filebrowser -" # Sticky group on files + ]; } diff --git a/secrets/default.nix b/secrets/default.nix index 08384a3..c1e4e52 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -13,6 +13,7 @@ secrets = { radicale_pass = { }; university_calendar_url = { }; + orion_ip = { }; ssh_config_orion = { mode = "0600"; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 64e61a6..1674706 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
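Review bot: In the `@@ -102,7 +102,7 @@` hunk the old `Environment` entry is left behind as `# 3"TYPST_FONT_PATHS=…"`, a commented-out line with a stray `3` that still names `fontPackages`, which this commit deletes from the `let` block. Remove the line instead of commenting it out. Whether the pdf-watcher unit still finds its fonts now depends on `./fonts.nix`, which is not visible in this patch, so a one-line comment such as `# fonts for Typst are provided by ./fonts.nix` next to `Environment` would record the new dependency.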
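Review bot: Both tmpfiles rules in the `@@ -113,4 +113,16 @@` hunk use `Z`, which applies the mode recursively to every file and directory, so `0750` marks every regular file under `/var/lib/filebrowser` executable and group-readable (including any service state stored beside `files/`), and `2770` sets the setgid bit on regular files as well. The trailing comment speaks only of the data dir root, so the first rule likely wants the non-recursive type, `"z /var/lib/filebrowser 0750 filebrowser filebrowser -"`, and the second the masking prefix, `"Z /var/lib/filebrowser/files ~2770 filebrowser filebrowser -"`. The leading `2` is setgid rather than sticky, so the comment should read `# setgid so new files inherit the filebrowser group`. `UMask = "0007"` is applied only to `filebrowser.service`; `pdf-watcher` runs as the same user and presumably writes into the same tree, so its output will not be group-writable unless its `serviceConfig` gets the same setting.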
@@ -1,6 +1,7 @@ radicale_pass: ENC[AES256_GCM,data:zdUxtJKNPC8SzajhFKo=,iv:H55GWMiQLJvZx6rAufkk807lZflg0sepxoq6z0XJ/q4=,tag:MoDOuF37PeF7QEpUxBntEg==,type:str] university_calendar_url: ENC[AES256_GCM,data:y5UtZVC0KJPUz//6S0QsrNeFGQshc88zieQgmlur75VFw9y5CJpnZRpdhLnYva00z5HBkxYQelLqS/I5GrXexWtC7Y7d1dCcQ+IZ0K7GGJ5NrYtjNXfMhzNSlhqjvl5lBGb+S565kel3VsCTyo/YRxdbBN6FA/oQNsx8/AvTgtsPeFkQRDGlGkybFRfWHWuTIDLL,iv:rZK9utRrm/KAkVRUjC3VR09MvDZjpoLx7BgaidzQo3o=,tag:tGWGoQCsS3zZh818OKixPw==,type:str] ssh_config_orion: ENC[AES256_GCM,data:P2jH5BDIzeHSIwTBcZwTOXKes727xK0Xoj9W64GmEszEPZw8vA==,iv:hSY9mFdC82pBbOjMFuzoR2eufhjY2MGERJ4ODmcogbA=,tag:ejF535LrQwwH66nQG3qLGw==,type:str] +orion_ip: ENC[AES256_GCM,data:RCK6EKOEDaTu1uR2d/8=,iv:5JhIkVQEELB6MoPh49xq+0CrbPjI/6+qfqUHRqCza5s=,tag:+00T4+pWOWRj7R1ft39HAw==,type:str] sops: age: - recipient: age122w85pqj508ukv0rd388mahecgfckmpgnsgz0zcyec37ljae2epsdnvxpl @@ -21,7 +22,7 @@ sops: ODdTa0VlYjg0ajJuUWhiRVUrR1VSTHMK6NVeKyMTomvZoqAtJN1SshIZdd2fHFBy Waghxmi6x/93lf54E1ZiXZQ+LDCjqqmMY8jgoF00XCo0WeURlHXpaw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-29T18:05:48Z" - mac: ENC[AES256_GCM,data:j0pHRA3c5lRdyLjqxlP2MTzIYb3WYAy7p+FttOjTQpXcyT5dFykXuu8rv+MQTmWdvHLQKC4iuZ7HTSO9qx8SbAuxHBWpoycpy3cZpmFp5T5crCl65AVQ/yRZKD9gRxkhnVW7aAK1kC3Mq07PamznvX/b7eEJ8h3tvmymuw6z/vY=,iv:W430t2YAXVcJztbO+fNdlOyjjy6+cH5r5YwuM2QdIdc=,tag:dDRJSslL9/Hac465A/TstA==,type:str] + lastmodified: "2025-12-01T16:01:07Z" + mac: ENC[AES256_GCM,data:LAXl/FJafDOEOYrukqfzGMIXZzihX2zHMIQaR735MHWsTr3DSkCUqZ5IPEn9EmUSDkO8SaS0QdhRk0h7IhzS4MOsAAMdEtAEec4k0f9sMCLRWbV/G4tYxESPeuQNwdwS0iPsBsMQgvH93u7ttR59zyzQE1izal5nMwK3yQmNV5s=,iv:R3bnPXQY38Zf9BJuEP+inbRIVvAmLvEyGrlWzl3N9YI=,tag:eetYNetPvKXiJnR7AA3dwA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0