Merry Christmas! I hope you are having a great time with your family!

I had some spare time and synced with upstream (=you). Applying the configuration resulted in postgres failing. You already mentioned packaging immich is tricky...

Looks like t is missing vectors.so but the file is there. Could it be a permissions issue?

/etc/nixos (main) » sudo systemctl status postgresql.service                                                                                                                                    me@bender
× postgresql.service - PostgreSQL Server
     Loaded: loaded (/etc/systemd/system/postgresql.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2023-12-26 03:39:06 MST; 1h 19min ago
   Duration: 2w 1d 14h 2min 49.851s
    Process: 2061981 ExecStartPre=/nix/store/2k93cwh6gd8ygd8v4z5j0lmcjaawwg4l-unit-script-postgresql-pre-start/bin/postgresql-pre-start (code=exited, status=0/SUCCESS)
    Process: 2061984 ExecStart=/nix/store/wbrijxflsv0gy8m2l39h9yn079vhla4b-postgresql-and-plugins-14.10/bin/postgres (code=exited, status=1/FAILURE)
   Main PID: 2061984 (code=exited, status=1/FAILURE)
         IP: 0B in, 0B out
        CPU: 22ms

Dec 26 03:39:06 bender systemd[1]: Starting PostgreSQL Server...
Dec 26 03:39:06 bender postgres[2061984]: [2061984] FATAL:  could not load library "/nix/store/wbrijxflsv0gy8m2l39h9yn079vhla4b-postgresql-and-plugins-14.10/lib/vectors.so": /nix/store/wbrijxflsv0gy8m2l39h9yn079vhla4b-postgresql-and-plugins-14.10/lib/vectors.so: cannot open shared object file: No such file or directory
Dec 26 03:39:06 bender postgres[2061984]: [2061984] LOG:  database system is shut down
Dec 26 03:39:06 bender systemd[1]: postgresql.service: Main process exited, code=exited, status=1/FAILURE
Dec 26 03:39:06 bender systemd[1]: postgresql.service: Failed with result 'exit-code'.
Dec 26 03:39:06 bender systemd[1]: Failed to start PostgreSQL Server.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/etc/nixos (main) » stat /nix/store/wbrijxflsv0gy8m2l39h9yn079vhla4b-postgresql-and-plugins-14.10/lib/vectors.so                                                                            3 ↵ me@bender
  File: /nix/store/wbrijxflsv0gy8m2l39h9yn079vhla4b-postgresql-and-plugins-14.10/lib/vectors.so -> /nix/store/1z0f7np703hb9kqw1y9yaki6ik81nqwn-pgvecto-rs-0.1.11/lib/vectors.so
  Size: 76              Blocks: 8          IO Block: 4096   symbolic link
Device: 0,30    Inode: 2050601     Links: 2
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-12-26 03:26:46.374489275 -0700
Modify: 1969-12-31 17:00:01.000000000 -0700
Change: 2023-12-26 03:26:44.570480285 -0700
 Birth: 2023-12-26 03:26:44.282478850 -0700
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  

Any pointers would be appreciated 😄.

In case you ever stumble upon this problem, I hope this saves you some time.

https://github.com/suderman/nixos/blob/15969aa685d71cdb34699e323462c767a6f003c9/modules/ocis/default.nix#L84C19-L84C19
If the dataDir is changed to e.g. /mnt/documents, OCIS tries to find that folder inside the container because of this line.

Sticking to the default works for me, so consider this informative, not a request to fix.

Hi again!

I was just wondering how your worfkow is for managing your private ssh keys. You seem have just two users, "me" and "blink" on your systems. Does that translate to two workstations allowed to ssh to your server(s)? Does "me" have the same private key on all your systems?

In the past, i just created key pairs for each system i was accessing my servers from. That would mean I'd have to add the public keys for me@laptop, me@desktop, me@other-pc.

Have a nice weekend, enjoy the snow!

(yes, i'm reading you commit messages 😉 )

Hello!

I'm currently learning nix and browsing your repo is really insightful. Thank you for sharing it!

For the first time i decided to try home-manager following your setup but i have stumbled upon an issue.
I added the required files ./configurations/buxel/{base, home}.nix and updated the config to include a profile for my user:

      homeConfigurations = {
        # umbra = mkUser ./configurations/umbra; /* system = "x86_64-darwin" */
        buxel = mkUser ./configurations/buxel ; /* system = "x86_64-linux" */
      };

If i run the repl and wuld like to inspect the homeConfiguration, there is an error

       error: attribute 'system' missing

       at /nix/store/sd1h6viq28m18xlixsr3sminp8j5pm3k-source/flake.nix:129:23:

          128|         extraSpecialArgs = { inherit inputs outputs; base = import (path + /base.nix); };
          129|         pkgs = mkPkgs extraSpecialArgs.system;
             |                       ^
          130|         modules = [

I managed to mess it up a little more by trying to add a line inherit (extraSpecialArgs.base) system; , but this just brought me to a different error which made me realize, i accidently passed system to homeManagerConfiguration.

It feels like an easy fix but the nix language is still very verbose to me.

Hi @suderman

After a long break I have time to tinker again. I was planning to use OCIS with my wife after evaluating the wife-acceptance-factor myself on multiple devices.
Have you also noticed seemingly random logouts and/or frequent prompts to login again? I'm not sure if it is connected but occasionally when I open it in a browser, it will show an HTTP basic auth popup. My OCIS credentials do not work here and after closing it, OCIS will ask me to re-authenticate via the OCIS login form.

Needless to say, the WAF is pretty low in this state :D

I have merged the latest changes after a long(ish) time not updating my server.
When applying the changes, I'm stuck at "setting up tmpfiles" with no indication of what is going wrong. I left it running in that state for ~30 minutes, hoping I'd see some error messages after a timeout.

Where could i start investigating this? I doubt it has anything to do with your "file" option from file.nix, since it is not that new and I'm not using it in my configuration / modules at all.

sudo nixos-rebuild --flake /etc/nixos#bender switch --verbose             130 ↵ me@bender
$ nix --extra-experimental-features nix-command flakes build --out-link /tmp/nixos-rebuild.ZLshUt/nixos-rebuild /etc/nixos#nixosConfigurations."bender".config.system.build.nixos-rebuild --verbose
$ exec /nix/store/zdryq00r24r8hcw798vlqf611s559n1n-nixos-rebuild/bin/nixos-rebuild --flake /etc/nixos#bender switch --verbose
building the system configuration...
Building in flake mode.
$ nix --extra-experimental-features nix-command flakes build /etc/nixos#nixosConfigurations."bender".config.system.build.toplevel --verbose --out-link /tmp/nixos-rebuild.evxpgd/result
$ sudo --preserve-env=NIXOS_INSTALL_BOOTLOADER -- nix-env -p /nix/var/nix/profiles/system --set /nix/store/q8h9mzidfdnjvndh322xz5f7zl9x947d-nixos-system-bender-23.11.20240301.79baff8
Using systemd-run to switch configuration.
$ sudo --preserve-env=NIXOS_INSTALL_BOOTLOADER -- systemd-run -E LOCALE_ARCHIVE -E NIXOS_INSTALL_BOOTLOADER --collect --no-ask-password --pty --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait /nix/store/q8h9mzidfdnjvndh322xz5f7zl9x947d-nixos-system-bender-23.11.20240301.79baff8/bin/switch-to-configuration switch
activating the configuration...
[agenix] creating new generation in /run/agenix.d/4
[agenix] decrypting secrets...
decrypting '/nix/store/853pw6jpxnqjm4csh9afs51xzcgsw74z-alphanumeric-secret.age' to '/run/agenix.d/4/alphanumeric-secret'...
decrypting '/nix/store/vj76c1dj1v9p78xnczrafccyj6mpbgsz-basic-auth.age' to '/run/agenix.d/4/basic-auth'...
decrypting '/nix/store/g9603z4lnrvkpzn8yjw64k0vdpkxg460-blobfuse-yaml.age' to '/run/agenix.d/4/blobfuse.yaml'...
decrypting '/nix/store/amkx8gd976bag186a8rvny0gibwv1ksc-ca-key.age' to '/run/agenix.d/4/ca-key'...
decrypting '/nix/store/d1h05d15xdbk8cfvbdf2pbki4zrdjgay-cloudflare-env.age' to '/run/agenix.d/4/cloudflare-env'...
decrypting '/nix/store/xz65z1m8jfyh9m12i6d8y4aj6s4d0mzl-ocis-env.age' to '/run/agenix.d/4/ocis-env'...
decrypting '/nix/store/70bigv0jq7bkrvv5h8w9dp66l49g37al-password.age' to '/run/agenix.d/4/password'...
decrypting '/nix/store/mc9q62bgavxwh9f08by1cv4by5icxygf-password-hash.age' to '/run/agenix.d/4/password-hash'...
decrypting '/nix/store/3c0dfyaq6pbsrlflwk5yl833fgyqailh-rclone-conf.age' to '/run/agenix.d/4/rclone-conf'...
decrypting '/nix/store/h1wh3jm71hv9gjyn2flhydmkyy2zjxxv-restic-azure-env.age' to '/run/agenix.d/4/restic-azure-env'...
decrypting '/nix/store/z8iambp9q3d4vzmkc3w1lnka44g1rsz8-traefik-env.age' to '/run/agenix.d/4/traefik-env'...
[agenix] symlinking new secrets to /run/agenix (generation 4)...
[agenix] removing old secrets (generation 3)...
[agenix] chowning...
setting up /etc...
reloading user units for me...
setting up tmpfiles

I switched back to my old main branch and suddenly ran into the same issue, which perists after a reboot. Has some hidden state (gasp!) snuck in which might be causing this?

As usual, any help is highly appreciated :)

Sorry to bug you with another one. I played with blocky on my VPS, which i usually never reboot.

But yeah, I did today. Blocky fails to start when it tries to bring up the webserver. The service is in failed state and the logs show

Error: can't start server: start http listener on 100.101.148.41:4000 failed

Fair enough. netstat did not show any service on that port but as i was lazy, i just changed blocky to 4001:

Error: can't start server: start http listener on 100.101.148.41:4001 failed

Yeah... is blocky blocking itself? Maybe. I will drop some more notes when i get to do some more research (why do i always run into errors way past bedtime?).

I have followed the system "pom" as a reference for my server. After merging the most recent changes, the user "me“ is gone.

To verify, I checked:

nix-repl> nixosConfigurations.bender.config.users.users.me
error: attribute 'me' missing

       at «string»:1:1:

            1| nixosConfigurations.bender.config.users.users.me
             | ^

i made sure to include it in configurations/<system>/users/me.nix. Is this still WIP and just unfortunate timing?

Luckily, i can still connect as root, so no harm done 😄

Enjoy your weekend!

BTW: don't forget to create postgres extensions to keep immich working!

Hi @suderman !

i reviewed the last few weeks of commits and wondered hwo you are using the custom CA.
I thought it was going to replace letsencrypt but it does not seem to be the case (also: why should you do that?)

Could they be use for client certificate authentication? 🤔

I also noticed that when accessing immich from my phone, it showed an (seemingly invalid) certificate signed by the custom CA.
Loading it on the browser, it showed the letsencrypt CA. Going back to the phone's browser and it also showed letsencrypt after a reload.

Enjoy your sunday!

Hi again!

I hope it is oaky if I ask some questions here. If you do not have time to play support for a personal configuration, I totally understand.

I wondered how your network is set up because there seems to be two ways of accessing the services

• all of them via tailscale (got that working by pointing my cloudflare dns to the tailscale IP)
• public services via public internet (the sol readme mentions "Linode VPS for public web services", hence my guess )

I'm struggling to understand how internet access is implemented because to me it looks like the traefik whitelist of IP ranges applies to all configurations.

Hi @suderman ! This is more or less a follow up on #11

Having seamless 'service.hostname' domains between VPS and homelab is pretty decent!

Reading your implementation of the traefik helper i wondered if it is possible to have a more stable custom TLD.
As things are always shifting (for me) it may come in handy to have a "stable" address for services, not bound to machine's hostnames. For example, anything my wife and family uses should be available at ".zz"

I played with some variations of this

  # wiki is available at "wiki.bender"

  # attempt 1
  modules.silverbullet = { enable = true; name = "wiki"; };
  modules.traefik.routers.wiki = "http://wiki.zz:80"; # ".zz" is not a hostname of any machine. It is a made up TLD
  # attempt 2
  modules.silverbullet = { enable = true; name = "wiki.zz"; };

I think this is getting pretty close. Both seem to generate the required config for traefik but blocky is missing a CNAME to properly route the request. At least that's what i assume.

I started reading the blocky code but i could not follow it all the way through. Any pointers? 😇