Improve filebrowser and rclone

2025-12-01 23:32:24 +01:00
parent 830c3ebe5a
commit 9607277667
4 changed files with 64 additions and 12 deletions
--- a/modules/home-manager/rclone.nix
+++ b/modules/home-manager/rclone.nix
@@ -1,7 +1,19 @@
-{ config, ... }:
+{
+  config,
+  pkgs,
+  ...
+}:
 {
  programs.rclone = {
    enable = true;
+
+    # Give rclone access to the ssh agent
+    package = pkgs.writeShellScriptBin "rclone" ''
+      export GNUPGHOME="${config.xdg.dataHome}/gnupg"
+      export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
+      exec ${pkgs.rclone}/bin/rclone "$@"
+    '';
+
    remotes = {
      gdrive = {
        config = {
@@ -24,9 +36,35 @@
            mountPoint = "${config.home.homeDirectory}/gdrive";

            options = {
-              dir-cache-time = "5000h";
+              dir-cache-time = "5m";
              poll-interval = "10s";
-              vfs-cache-mode = "full";
+            };
+          };
+        };
+      };
+
+      orion = {
+        config = {
+          type = "sftp";
+          user = config.var.username;
+        };
+
+        secrets = {
+          host = config.sops.secrets.orion_ip.path;
+        };
+
+        mounts = {
+          "/var/lib/filebrowser/files" = {
+            enable = true;
+
+            mountPoint = "${config.home.homeDirectory}/orion";
+
+            options = {
+              dir-cache-time = "5m";
+              poll-interval = "10s";
+              # Network optimizations
+              "buffer-size" = "32M";
+              "vfs-read-chunk-size" = "32M";
            };
          };
        };
--- a/modules/nixos/filebrowser.nix
+++ b/modules/nixos/filebrowser.nix
@@ -8,11 +8,6 @@ let
  storageRoot = "/var/lib/filebrowser/files";
  publishDirName = "_publish";

-  fontPackages = with pkgs; [
-    libertinus
-    gyre-fonts
-  ];
-
  processorScript = pkgs.writeShellScriptBin "process-docs" ''
    SRC_ROOT="${storageRoot}"
    OUT_ROOT="${storageRoot}/${publishDirName}"
@@ -73,6 +68,11 @@ let

 in
 {
+
+  imports = [
+    ./fonts.nix
+  ];
+
  services.filebrowser = {
    enable = true;

@@ -87,12 +87,12 @@ in
    reverse_proxy :${toString config.services.filebrowser.settings.port}
  '';

+  # Auto compile pdfs
  systemd.services.pdf-watcher = {
    description = "Auto-compile MD and Typst to PDF";
    after = [ "filebrowser.service" ];
    wantedBy = [ "multi-user.target" ];

-    # Important: Run as the same user as Filebrowser to avoid permission issues
    serviceConfig = {
      User = "filebrowser";
      Group = "filebrowser";
@@ -102,7 +102,7 @@ in
      Environment = [
        "HOME=/var/lib/filebrowser"
        "XDG_CACHE_HOME=/var/lib/filebrowser/.cache"
-        "TYPST_FONT_PATHS=${lib.makeSearchPath "share/fonts" fontPackages}"
+        # 3"TYPST_FONT_PATHS=${lib.makeSearchPath "share/fonts" fontPackages}"
      ];

      Restart = "always";
@@ -113,4 +113,16 @@ in
      pandoc
    ];
  };
+
+  # Allow my user to access the filebrowser directory
+  users.users."${config.var.username}".extraGroups = [ "filebrowser" ];
+
+  systemd.services.filebrowser.serviceConfig = {
+    UMask = lib.mkForce "0007";
+  };
+
+  systemd.tmpfiles.rules = [
+    "Z /var/lib/filebrowser 0750 filebrowser filebrowser -" # Explicitly secure the data dir root
+    "Z /var/lib/filebrowser/files 2770 filebrowser filebrowser -" # Sticky group on files
+  ];
 }