Add 'my packages'

flake.nix

@@ -134,6 +134,7 @@
       inherit inputs;
       # Import overlays for building nixosconfig with them.
       overlays = import ./nixos/overlays {inherit inputs;};
+
       # generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
       mkNixosConfig = {
         hostname,
@@ -162,12 +163,7 @@
           }
         ],
         profileModules ? [],
-      }:
+      }: let
-        nixpkgs.lib.nixosSystem {
-          inherit system lib;
-          modules = baseModules ++ hardwareModules ++ profileModules;
-          specialArgs = {inherit self inputs nixpkgs;};
-          # Add our overlays
         pkgs = import nixpkgs {
           inherit system;
           overlays = builtins.attrValues overlays;
@@ -176,6 +172,15 @@
             allowUnfreePredicate = _: true;
           };
         };
+      in
+        nixpkgs.lib.nixosSystem {
+          inherit system lib;
+          modules = baseModules ++ hardwareModules ++ profileModules;
+          specialArgs = {
+            inherit self inputs nixpkgs;
+            myPkgs = lib.myLib.mkMyPkgs pkgs;
+          };
+          inherit pkgs;
         };
     in {
       "shadowfax" = mkNixosConfig {

nixos/hosts/shadowfax/config/borgmatic/default.nix

@@ -0,0 +1,10 @@
+{ lib, ... }:
+let
+  dir = ./.;
+  files = lib.filterAttrs (name: type:
+    type == "regular" && name != "default.nix" && lib.hasSuffix ".nix" name
+  ) (builtins.readDir dir);
+  imports = map (name: "${dir}/${name}") (builtins.attrNames files);
+in {
+  imports = imports;
+}

nixos/hosts/shadowfax/config/borgmatic/plex.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.borgmatic = {
+    enable = true;
+    configurations.plex = {
+      source_directories = [
+        "/mnt/restic_nightly_backup/nahar/containers/volumes/plex/Library/"
+      ];
+
+      repositories = [
+        {
+          label = "local";
+          path = "/eru/borg/plex";
+        }
+      ];
+
+      storage.encryption_passcommand = ''${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgmatic/encryption_passphrase".path}'';
+
+      # Retention settings
+      retention.keep_daily = 7;
+      retention.keep_weekly = 4;
+      retention.keep_monthly = 6;
+      zfs = {
+        zfs_command = "${pkgs.zfs}/bin/zfs";
+        mount_command = "${pkgs.util-linux}/bin/mount";
+        umount_command = "${pkgs.util-linux}/bin/umount";
+      };
+    };
+  };
+}

nixos/hosts/shadowfax/config/sops-secrets.nix

@@ -1,5 +1,4 @@
-{ ... }:
+{...}: {
-{
   secrets = {
     # Minio
     "minio" = {
@@ -7,204 +6,209 @@
       owner = "minio";
       group = "minio";
       mode = "400";
-      restartUnits = [ "minio.service" ];
+      restartUnits = ["minio.service"];
     };
     # Syncthing
     "syncthing/publicCert" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "jahanson";
       mode = "400";
-      restartUnits = [ "syncthing.service" ];
+      restartUnits = ["syncthing.service"];
     };
     "syncthing/privateKey" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "jahanson";
       mode = "400";
-      restartUnits = [ "syncthing.service" ];
+      restartUnits = ["syncthing.service"];
     };
     # Prowlarr
     "arr/prowlarr/apiKey" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "prowlarr";
       mode = "400";
-      restartUnits = [ "prowlarr.service" ];
+      restartUnits = ["prowlarr.service"];
     };
     "arr/prowlarr/postgres/dbName" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "prowlarr";
       mode = "400";
-      restartUnits = [ "prowlarr.service" ];
+      restartUnits = ["prowlarr.service"];
     };
     "arr/prowlarr/postgres/user" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "prowlarr";
       mode = "400";
-      restartUnits = [ "prowlarr.service" ];
+      restartUnits = ["prowlarr.service"];
     };
     "arr/prowlarr/postgres/password" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "prowlarr";
       mode = "400";
-      restartUnits = [ "prowlarr.service" ];
+      restartUnits = ["prowlarr.service"];
     };
     "arr/prowlarr/postgres/host" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "prowlarr";
       mode = "400";
-      restartUnits = [ "prowlarr.service" ];
+      restartUnits = ["prowlarr.service"];
     };
     # Sonarr
     "arr/sonarr/1080p/apiKey" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-tv1080p.service" ];
+      restartUnits = ["sonarr-tv1080p.service"];
     };
     "arr/sonarr/1080p/postgres/dbName" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-tv1080p.service" ];
+      restartUnits = ["sonarr-tv1080p.service"];
     };
     "arr/sonarr/1080p/postgres/user" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-tv1080p.service" ];
+      restartUnits = ["sonarr-tv1080p.service"];
     };
     "arr/sonarr/1080p/postgres/password" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-tv1080p.service" ];
+      restartUnits = ["sonarr-tv1080p.service"];
     };
     "arr/sonarr/1080p/postgres/host" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-tv1080p.service" ];
+      restartUnits = ["sonarr-tv1080p.service"];
     };
     "arr/sonarr/1080p/extraEnvVars" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-tv1080p.service" ];
+      restartUnits = ["sonarr-tv1080p.service"];
     };
     "arr/sonarr/anime/apiKey" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-anime.service" ];
+      restartUnits = ["sonarr-anime.service"];
     };
     "arr/sonarr/anime/postgres/dbName" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-anime.service" ];
+      restartUnits = ["sonarr-anime.service"];
     };
     "arr/sonarr/anime/postgres/user" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-anime.service" ];
+      restartUnits = ["sonarr-anime.service"];
     };
     "arr/sonarr/anime/postgres/password" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-anime.service" ];
+      restartUnits = ["sonarr-anime.service"];
     };
     "arr/sonarr/anime/postgres/host" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-anime.service" ];
+      restartUnits = ["sonarr-anime.service"];
     };
     "arr/sonarr/anime/extraEnvVars" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "sonarr";
       mode = "400";
-      restartUnits = [ "sonarr-anime.service" ];
+      restartUnits = ["sonarr-anime.service"];
     };
     # Radarr
     "arr/radarr/1080p/apiKey" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-movies1080p.service" ];
+      restartUnits = ["radarr-movies1080p.service"];
     };
     "arr/radarr/1080p/postgres/dbName" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-movies1080p.service" ];
+      restartUnits = ["radarr-movies1080p.service"];
     };
     "arr/radarr/1080p/postgres/user" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-movies1080p.service" ];
+      restartUnits = ["radarr-movies1080p.service"];
     };
     "arr/radarr/1080p/postgres/password" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-movies1080p.service" ];
+      restartUnits = ["radarr-movies1080p.service"];
     };
     "arr/radarr/1080p/postgres/host" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-movies1080p.service" ];
+      restartUnits = ["radarr-movies1080p.service"];
     };
     "arr/radarr/1080p/extraEnvVars" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-movies1080p.service" ];
+      restartUnits = ["radarr-movies1080p.service"];
     };
     "arr/radarr/anime/apiKey" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-anime.service" ];
+      restartUnits = ["radarr-anime.service"];
     };
     "arr/radarr/anime/postgres/dbName" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-anime.service" ];
+      restartUnits = ["radarr-anime.service"];
     };
     "arr/radarr/anime/postgres/user" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-anime.service" ];
+      restartUnits = ["radarr-anime.service"];
     };
     "arr/radarr/anime/postgres/password" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-anime.service" ];
+      restartUnits = ["radarr-anime.service"];
     };
     "arr/radarr/anime/postgres/host" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-anime.service" ];
+      restartUnits = ["radarr-anime.service"];
     };
     "arr/radarr/anime/extraEnvVars" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
       mode = "400";
-      restartUnits = [ "radarr-anime.service" ];
+      restartUnits = ["radarr-anime.service"];
     };
     # Unpackerr
     "arr/unpackerr/extraEnvVars" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "unpackerr";
       mode = "400";
-      restartUnits = [ "unpackerr.service" ];
+      restartUnits = ["unpackerr.service"];
+    };
+    "borgmatic/encryption_passphrase" = {
+      sopsFile = ../secrets.sops.yaml;
+      mode = "400";
+      restartUnits = ["borgmatic.service"];
     };
   };
 }

nixos/hosts/shadowfax/default.nix

@@ -43,6 +43,7 @@ in {
     (import ../../profiles/disko-nixos.nix {
       disks = ["/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"];
     })
+    ./config/borgmatic
     inputs.nix-minecraft.nixosModules.minecraft-servers
   ];
 

nixos/hosts/shadowfax/secrets.sops.yaml

@@ -11,6 +11,8 @@ postgres:
     port: ENC[AES256_GCM,data:Z0fHNA==,iv:otbEsYxhJ6/YR+A5oRx3Dwrqk6T6BL9OGka5yu1H+HA=,tag:T+KW8DaRJ8NN7k1mIMn6QA==,type:int]
 pushover:
     userKey: ENC[AES256_GCM,data:RYn9OCGaEgu/41kMolmqjYtr8FRmyEOvNStk+7Uz1A==,iv:L4pJJxGPhrmGSJdRDIP/OONibHvIP8KUdXwED29kTJ8=,tag:6TxYaUA6QA1NroBXhQHRlQ==,type:str]
+borgmatic:
+    encryption_passphrase: ENC[AES256_GCM,data:Rzmb+tNo0IG6Ub3Z5pB+XahW7gtZOPs5Cjvrzw4m47q0D7bErACTzQx7VdrSJcm8+g==,iv:cQsm3MfrY4KCTvByUcQe0n51UVm/kNtTUGORx0r+wjg=,tag:j/n/4TI193ec3/mOJeB1Lg==,type:str]
 arr:
     prowlarr:
         apiKey: ENC[AES256_GCM,data:qxm2yp8ReuMgQ0155mKBAWickKusOaa/FeoIopj9l1Z3,iv:pAeDxK6CGap4fKU5xQ5hZR9It6/1uo27dKZBi5Bl3rc=,tag:HZl914AfFU4D5J7cDS3I1g==,type:str]
@@ -133,8 +135,8 @@ sops:
             aVlOSHhFb2I5UnYwVytyQzlWTXBDYUUKdQKilmfJ1F7UYKtQV9zV95FcRIK17p4M
             vGvu/pGJ32tH8xI7cNs9I5Hmg9c5wOam21W1FDk+VlJ/ClXqQzS0MA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-10T19:15:54Z"
+    lastmodified: "2025-02-24T21:27:42Z"
-    mac: ENC[AES256_GCM,data:KyP1lzKD/iV6SgHbsEYvVRwgrFy/PqHGMVEjeTAcLFCFrIyn9/Gd5ravTOj+37phVARnHI3h2vetqzOBO7/tE4jz0nsEGawOfVMOTKR1Y7+35TKJaC4FTO3/hfczjzolvoLk8011J9aoeC44yx+UT8Ijehc3mkd4x8zVvOK/OG4=,iv:e6FudQPXESAw/CNVqJWGZG+/8j/J88Z8InjM++GJ9lM=,tag:KaQkmLGSU+jJF3f6YBKhmQ==,type:str]
+    mac: ENC[AES256_GCM,data:5E9adS+q+Vb45MtKDuI65GaKxb/yksqSN73ZFHYhdL+w6Lk4/WPd9n7qTENKfFkYN2qIRP3S4IQUBwobep4wiEQt4v8XdNN7gR7cgI/2u4y/iKptyv/YWyj+YYfFaZjJ6lqxod3MAq92L4xYq+91aKoWEW/ErpDy8N3xOe7GI6U=,iv:WGWCD9pfu7ijiDXhcV26j7XpFl5dVglWZeMVQFyFUSA=,tag:PP4yI+iLaaPLG0YoI19zTQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4

nixos/lib/default.nix

@@ -1,63 +1,69 @@
-{ lib, ... }:
+{lib, ...}:
+with lib; rec {
+  firstOrDefault = first: default:
+    if first != null
+    then first
+    else default;
+  existsOrDefault = x: set: default:
+    if builtins.hasAttr x set
+    then builtins.getAttr x set
+    else default;
 
-with lib;
+  # Create custom package set
-rec {
+  mkMyPkgs = pkgs: {
-
+    borgmatic = pkgs.callPackage ../../nixos/packages/borgmatic {};
-  firstOrDefault = first: default: if first != null then first else default;
+  };
-  existsOrDefault =
-    x: set: default:
-    if builtins.hasAttr x set then builtins.getAttr x set else default;
 
   # main service builder
-  mkService =
+  mkService = options: (
-    options:
-    (
     let
       user = existsOrDefault "user" options "568";
       group = existsOrDefault "group" options "568";
 
       enableBackups =
-          (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
+        (lib.attrsets.hasAttrByPath ["persistence" "folder"] options)
-          && (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
+        && (lib.attrsets.attrByPath ["persistence" "enable"] true options);
 
       # Security options for containers
       containerExtraOptions =
-          lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [
+        lib.optionals (lib.attrsets.attrByPath ["container" "caps" "privileged"] false options) [
           "--privileged"
         ]
-          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "readOnly"] false options) [
           "--read-only"
         ]
-          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "tmpfs"] false options) [
           (map (folders: "--tmpfs=${folders}") tmpfsFolders)
         ]
-          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "noNewPrivileges"] false options) [
           "--security-opt=no-new-privileges"
         ]
-          ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [
+        ++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "dropAll"] false options) [
           "--cap-drop=ALL"
         ];
-      in
+    in {
-      {
       virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
         image = "${options.container.image}";
         user = "${user}:${group}";
-          environment = {
+        environment =
+          {
             TZ = options.timeZone;
-          } // options.container.env;
+          }
-          environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
+          // options.container.env;
+        environmentFiles = lib.attrsets.attrByPath ["container" "envFiles"] [] options;
         volumes =
-            [ "/etc/localtime:/etc/localtime:ro" ]
+          ["/etc/localtime:/etc/localtime:ro"]
-            ++ lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
+          ++ lib.optionals (lib.attrsets.hasAttrByPath ["container" "persistentFolderMount"] options) [
             "${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
           ]
-            ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
+          ++ lib.attrsets.attrByPath ["container" "volumes"] [] options;
         extraOptions = containerExtraOptions;
       };
       systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
           "persistence"
           "folder"
-        ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
+        ]
+        options) ["d ${options.persistence.folder} 0750 ${user} ${group} -"];
     }
   );
 }

nixos/packages/borgmatic/default.nix

@@ -0,0 +1,46 @@
+{
+  lib,
+  python3,
+  fetchFromGitHub,
+}:
+python3.pkgs.buildPythonApplication rec {
+  pname = "borgmatic";
+  version = "1.9.12";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "borgmatic-collective";
+    repo = "borgmatic";
+    rev = version;
+    hash = "sha256-tTnk2xO5F5AoQICZGVnEj8v6kNA7Wkd8kzvm4i3r0kU=";
+  };
+
+  build-system = [
+    python3.pkgs.setuptools
+  ];
+
+  dependencies = with python3.pkgs; [
+    jsonschema
+    packaging
+    requests
+    ruamel-yaml
+  ];
+
+  optional-dependencies = with python3.pkgs; {
+    Apprise = [
+      apprise
+    ];
+  };
+
+  pythonImportsCheck = [
+    "borgmatic"
+  ];
+
+  meta = {
+    description = "Simple, configuration-driven backup software for servers and workstations";
+    homepage = "https://github.com/borgmatic-collective/borgmatic/";
+    changelog = "https://github.com/borgmatic-collective/borgmatic/blob/${src.rev}/NEWS";
+    license = lib.licenses.gpl3Only;
+    mainProgram = "borgmatic";
+  };
+}