From 6a278729f8f180c6ed3b2baf17c75c8dde0f6d67 Mon Sep 17 00:00:00 2001 
From: Joe Hanson Date: Sun, 19 May 2024 06:39:08 -0500 Subject: [PATCH] reduce, reuse, refine (#3) * reduce, reuse, refine * more refining and replacing * More refining * Removing unused code such as homepage and traefik * Remove homepage references. --- LICENSE | 21 -- README.md | 4 + flake.nix | 14 +- garnix.yaml | 8 - mkdocs.yml | 95 ------ nixos/lib/default.nix | 82 +---- nixos/modules/default.nix | 2 - .../modules/nixos/containers/arr/default.nix | 9 - .../nixos/containers/arr/lidarr/default.nix | 108 ------ .../containers/arr/lidarr/secrets.sops.yaml | 50 --- .../nixos/containers/arr/prowlarr/default.nix | 105 ------ .../containers/arr/prowlarr/secrets.sops.yaml | 50 --- .../nixos/containers/arr/radarr/default.nix | 110 ------ .../containers/arr/radarr/secrets.sops.yaml | 50 --- .../nixos/containers/arr/readarr/default.nix | 106 ------ .../containers/arr/readarr/secrets.sops.yaml | 50 --- .../nixos/containers/arr/sonarr/default.nix | 110 ------ .../containers/arr/sonarr/secrets.sops.yaml | 50 --- .../nixos/containers/backrest/default.nix | 14 - .../nixos/containers/calibre/default.nix | 157 --------- .../nixos/containers/cross-seed/default.nix | 43 --- nixos/modules/nixos/containers/default.nix | 15 +- .../nixos/containers/ecowitt2mqtt/default.nix | 158 --------- .../containers/ecowitt2mqtt/secrets.sops.yaml | 50 --- .../nixos/containers/factorio/default.nix | 101 ------ .../containers/factorio/secrets.sops.yaml | 50 --- .../nixos/containers/gatus/default.nix | 16 - .../nixos/containers/gatus/secrets.sops.yaml | 46 +-- .../containers/home-assistant/default.nix | 97 ------ .../home-assistant/secrets.sops.yaml | 50 --- .../nixos/containers/homepage/default.nix | 321 ------------------ .../containers/homepage/secrets.sops.yaml | 50 --- .../modules/nixos/containers/plex/default.nix | 102 ------ .../nixos/containers/qbittorrent/default.nix | 107 ------ .../nixos/containers/redlib/default.nix | 143 -------- .../nixos/containers/redlib/default.nix.old | 68 ---- 
.../nixos/containers/sabnzbd/default.nix | 94 ----- .../nixos/containers/searxng/default.nix | 84 ----- .../nixos/containers/tautulli/default.nix | 87 ----- .../nixos/containers/whoogle/default.nix | 86 ----- nixos/modules/nixos/default.nix | 6 +- nixos/modules/nixos/editor/default.nix | 6 - nixos/modules/nixos/editor/vscodium.nix | 156 --------- nixos/modules/nixos/lib.nix | 2 - nixos/modules/nixos/programs/shell/fish.nix | 2 - .../nixos/security/acme/secrets.sops.yaml | 46 +-- .../nixos/services/adguardhome/default.nix | 213 ------------ .../services/adguardhome/secrets.sops.yaml | 78 ----- .../modules/nixos/services/blocky/default.nix | 221 ------------ .../nixos/services/calibre-web/default.nix | 138 -------- .../cloudflare-dyndns.sops.yaml | 51 --- .../services/cloudflare-dyndns/default.nix | 44 --- .../nixos/services/cockpit/default.nix | 14 - nixos/modules/nixos/services/default.nix | 35 +- .../services/dnscrypt-proxy2/default.nix | 52 --- .../dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml | 51 --- .../nixos/services/forgejo/secrets.sops.yaml | 46 +-- .../nixos/services/glances/default.nix | 11 - .../nixos/services/grafana/default.nix | 25 -- .../nixos/services/languagetool/default.nix | 148 -------- .../modules/nixos/services/maddy/default.nix | 31 -- nixos/modules/nixos/services/maddy/maddy.conf | 30 -- .../nixos/services/maddy/maddy.sops.yaml | 51 --- .../nixos/services/miniflux/default.nix | 180 ---------- .../nixos/services/miniflux/secrets.sops.yaml | 50 --- .../nixos/services/mosquitto/default.nix | 58 ---- .../services/mosquitto/secrets.sops.yaml | 52 --- nixos/modules/nixos/services/nfs/default.nix | 9 +- .../modules/nixos/services/nginx/default.nix | 1 - .../nixos/services/nix-serve/default.nix | 2 - .../nixos/services/node-red/default.nix | 77 ----- .../services/openvscode-server/default.nix | 64 ---- .../nixos/services/postgresql/default.nix | 19 -- .../nixos/services/powerdns/default.nix | 110 ------ .../nixos/services/powerdns/secrets.sops.yaml | 51 
--- .../nixos/services/prometheus/default.nix | 16 - .../nixos/services/radicale/default.nix | 15 +- .../nixos/services/radicale/secrets.sops.yaml | 81 ++--- .../modules/nixos/services/restic/default.nix | 6 - .../nixos/services/restic/secrets.sops.yaml | 50 +-- .../nixos/services/rss-bridge/default.nix | 136 -------- .../nixos/services/syncthing/default.nix | 39 --- .../nixos/services/traefik/default.nix | 230 ------------- .../nixos/services/traefik/secrets.sops.yaml | 79 ----- .../nixos/services/zigbee2mqtt/default.nix | 116 ------- nixos/modules/nixos/system/impermanence.nix | 4 - nixos/modules/nixos/system/nix.nix | 7 - nixos/modules/nixos/system/openssh.nix | 4 - .../modules/nixos/system/pushover/default.nix | 3 - nixos/modules/nixos/system/security.nix | 6 - nixos/modules/nixos/system/systempackages.nix | 2 - nixos/modules/nixos/system/time.nix | 2 +- nixos/modules/nixos/system/zfs.nix | 10 +- nixos/overlays/default.nix | 2 - nixos/profiles/global.nix | 6 +- nixos/profiles/global/nix.nix | 12 +- nixos/profiles/global/secrets.sops.yaml | 52 +-- nixos/profiles/global/sops.nix | 2 - nixos/profiles/global/system.nix | 35 +- nixos/profiles/global/users.nix | 8 +- nixos/profiles/hw-generic-x86.nix | 1 - nixos/profiles/hw-thinkpad-t470.nix | 2 - 102 files changed, 188 insertions(+), 5831 deletions(-) delete mode 100644 LICENSE delete mode 100644 garnix.yaml delete mode 100644 mkdocs.yml delete mode 100644 nixos/modules/nixos/containers/arr/default.nix delete mode 100644 nixos/modules/nixos/containers/arr/lidarr/default.nix delete mode 100644 nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/containers/arr/prowlarr/default.nix delete mode 100644 nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/containers/arr/radarr/default.nix delete mode 100644 nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml delete mode 100644 
nixos/modules/nixos/containers/arr/readarr/default.nix delete mode 100644 nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/containers/arr/sonarr/default.nix delete mode 100644 nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/containers/calibre/default.nix delete mode 100644 nixos/modules/nixos/containers/cross-seed/default.nix delete mode 100644 nixos/modules/nixos/containers/ecowitt2mqtt/default.nix delete mode 100644 nixos/modules/nixos/containers/ecowitt2mqtt/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/containers/factorio/default.nix delete mode 100644 nixos/modules/nixos/containers/factorio/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/containers/home-assistant/default.nix delete mode 100644 nixos/modules/nixos/containers/home-assistant/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/containers/homepage/default.nix delete mode 100644 nixos/modules/nixos/containers/homepage/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/containers/plex/default.nix delete mode 100644 nixos/modules/nixos/containers/qbittorrent/default.nix delete mode 100644 nixos/modules/nixos/containers/redlib/default.nix delete mode 100644 nixos/modules/nixos/containers/redlib/default.nix.old delete mode 100644 nixos/modules/nixos/containers/sabnzbd/default.nix delete mode 100644 nixos/modules/nixos/containers/searxng/default.nix delete mode 100644 nixos/modules/nixos/containers/tautulli/default.nix delete mode 100644 nixos/modules/nixos/containers/whoogle/default.nix delete mode 100644 nixos/modules/nixos/editor/default.nix delete mode 100644 nixos/modules/nixos/editor/vscodium.nix delete mode 100644 nixos/modules/nixos/services/adguardhome/default.nix delete mode 100644 nixos/modules/nixos/services/adguardhome/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/blocky/default.nix delete mode 100644 
nixos/modules/nixos/services/calibre-web/default.nix delete mode 100644 nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml delete mode 100644 nixos/modules/nixos/services/cloudflare-dyndns/default.nix delete mode 100644 nixos/modules/nixos/services/dnscrypt-proxy2/default.nix delete mode 100644 nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml delete mode 100644 nixos/modules/nixos/services/languagetool/default.nix delete mode 100644 nixos/modules/nixos/services/maddy/default.nix delete mode 100644 nixos/modules/nixos/services/maddy/maddy.conf delete mode 100644 nixos/modules/nixos/services/maddy/maddy.sops.yaml delete mode 100644 nixos/modules/nixos/services/miniflux/default.nix delete mode 100644 nixos/modules/nixos/services/miniflux/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/mosquitto/default.nix delete mode 100644 nixos/modules/nixos/services/mosquitto/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/node-red/default.nix delete mode 100644 nixos/modules/nixos/services/openvscode-server/default.nix delete mode 100644 nixos/modules/nixos/services/powerdns/default.nix delete mode 100644 nixos/modules/nixos/services/powerdns/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/rss-bridge/default.nix delete mode 100644 nixos/modules/nixos/services/syncthing/default.nix delete mode 100644 nixos/modules/nixos/services/traefik/default.nix delete mode 100644 nixos/modules/nixos/services/traefik/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/zigbee2mqtt/default.nix diff --git a/LICENSE b/LICENSE deleted file mode 100644 index debbde4..0000000 --- a/LICENSE +++ /dev/null 
@@ -1,21 +0,0 @@ -MIT License - -Copyright (c) 2024 Truxnell - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/README.md b/README.md index 195dae7..ce727bd 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,10 @@ [Repository Documentation](https://truxnell.github.io/nix-config/) +## Thank you Truxnell + +Thank you for a lot of the groundwork you laid for the base nixos configuration and a lot of modules! + ## Getting started To Install diff --git a/flake.nix b/flake.nix index 1fc7c9c..2ae6239 100644 --- a/flake.nix +++ b/flake.nix @@ -73,7 +73,6 @@ "aarch64-linux" "x86_64-linux" ]; - in rec { # Use nixpkgs-fmt for 'nix fmt' @@ -91,11 +90,8 @@ ); nixosConfigurations = - with self.lib; let - specialArgs = { - inherit inputs outputs; - }; + inherit inputs outputs; # Import overlays for building nixosconfig with them. overlays = import ./nixos/overlays { inherit inputs; }; 
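Review bot: In the `@@ -91,11 +90,8 @@` hunk the `specialArgs = { inherit inputs outputs; };` binding is replaced by a bare `inherit inputs outputs;` inside the `let`, which only re-binds two names that are already in scope; if `mkNixosConfig`, defined further down this `let` and outside the hunk, still passes `specialArgs` to `nixosSystem`, that name is now unbound and the flake will fail to evaluate. Dropping `with self.lib;` carries the same risk for any helper the rest of the block used unqualified from `self.lib`. If the goal was to remove the indirection, pass the set inline at the call site, `specialArgs = { inherit inputs outputs; };`, and run `nix flake check` on both hosts before merging. The enclosing `nixosConfigurations` let-block continues past the end of the hunk.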
@@ -145,9 +141,10 @@ }; in - rec { + { "durincore" = mkNixosConfig { - # NixOS laptop - T470 Thinkpad + # T470 Thinkpad + # Nix dev laptop hostname = "durincore"; system = "x86_64-linux"; hardwareModules = [ @@ -162,7 +159,7 @@ }; "varda" = mkNixosConfig { # Arm64 cax21 @ Hetzner - + # forgejo server hostname = "varda"; system = "aarch64-linux"; hardwareModules = [ @@ -186,5 +183,4 @@ in nixtop; }; - } diff --git a/garnix.yaml b/garnix.yaml deleted file mode 100644 index aab5500..0000000 --- a/garnix.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# Config for garnix.io builds & caching -builds: - include: - - homeConfigurations.* - - nixosConfigurations.* - - packages.x86_64-linux.* - - packages.aarch64-linux.* diff --git a/mkdocs.yml b/mkdocs.yml deleted file mode 100644 index 4efaa08..0000000 --- a/mkdocs.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -site_name: Truxnell's NixOS homelab -site_author: truxnell -site_url: https://truxnell.github.io/nix-config/ - -# Repository -repo_name: truxnell/nix-config -repo_url: https://github.com/truxnell/nix-config - -docs_dir: ./docs -site_dir: ./site - -copyright: Copyright © 2024 Nat Allan - -theme: - name: material - # custom_dir: ../../docs/overrides - features: - - announce.dismiss - - content.code.annotate - - content.code.copy - - navigation.expand - - navigation.indexes - - navigation.path - # - navigation.sections - - navigation.footer - # - navigation.tabs - - navigation.top - - search.suggest - palette: - - scheme: slate - media: "(prefers-color-scheme: light)" - primary: black - accent: indigo - toggle: - icon: material/brightness-4 - name: Switch to light mode - - scheme: default - media: "(prefers-color-scheme: dark)" - toggle: - icon: material/brightness-7 - name: Switch to dark mode - font: - text: Roboto - code: Roboto Mono - icon: - logo: simple/nixos - annotations: material/chat-question - -# Plugins -plugins: - - search: - separator: '[\s\u200b\-_,:!=\[\]()"`/]+|\.(?!\d)|&[lg]t;|(?!\b)(?=[A-Z][a-z])' - - minify: - minify_html: true - -# Extensions -markdown_extensions: - - admonition - - abbr - - attr_list - - md_in_html - - pymdownx.emoji: - emoji_index: !!python/name:material.extensions.emoji.twemoji - emoji_generator: !!python/name:material.extensions.emoji.to_svg - - pymdownx.highlight: - anchor_linenums: true - line_spans: __span - pygments_lang_class: true - - pymdownx.inlinehilite - - pymdownx.caret - - pymdownx.tilde - - pymdownx.snippets: - check_paths: true - auto_append: - - ./docs/includes/abbreviations.md - - pymdownx.superfences - - toc: - permalink: true - toc_depth: 3 - -nav: - - readme.md: index.md - - Overview: - - Goals: overview/goals.md - - Features: overview/features.md - - Design Principals: overview/design.md - - Structure: overview/structure.md - - Maintenance: - - Software Updates: 
maintenance/software_updates.md - - Backups: maintenance/backups.md - - Monitoring: - - SystemD failures: monitoring/systemd.md - - Nix Warnings: monitoring/warnings.md - - Other Features: - - MOTD: motd.md diff --git a/nixos/lib/default.nix b/nixos/lib/default.nix index dc903da..dc65e27 100644 --- a/nixos/lib/default.nix +++ b/nixos/lib/default.nix @@ -4,29 +4,14 @@ with lib; rec { firstOrDefault = first: default: if first != null then first else default; - existsOrDefault = x: set: default: if builtins.hasAttr x set then builtins.getAttr x set else default; - # Will be v. useful when i grok - # https://github.com/ahbk/my-nixos/blob/5fe1521b11422c66fd823b442393b3b044a5a5b8/nix#L5 - # pick a list of attributes from an attrSet - # mySystem.pick = attrNames: attrSet: filterAttrs (name: value: elem name attrNames) attrSet; - - # create an env-file (package) that can be sourced to set environment variables - # mySystem.mkEnv = name: value: pkgs.writeText "${name}-env" (concatStringsSep "\n" (mapAttrsToList (n: v: "${n}=${v}") value)); - - # loop over an attrSet and merge the attrSets returned from f into one (latter override the former in case of conflict) - # mySystem.mergeAttrs = f: attrs: builtins.foldlAttrs (acc: name: value: (recursiveUpdate acc (f name value))) { } attrs; - # main service builder mkService = options: ( let user = existsOrDefault "user" options "568"; group = existsOrDefault "group" options "568"; - addTraefikLabels = if (builtins.hasAttr "container" options) && (builtins.hasAttr "addTraefikLabels" options.container) then options.container.addTraefikLabels else true; - addToHomepage = lib.attrsets.attrByPath [ "homepage" "enable" ] true options; - homepageIcon = if (builtins.hasAttr "homepage" options) && (builtins.hasAttr "icon" options.homepage) then options.homepage.icon else "${options.app}.svg"; subdomain = existsOrDefault "subdomainOverride" options options.app; host = existsOrDefault "host" options "${subdomain}.${options.domain}"; 
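Review bot: `existsOrDefault` is deleted at the top of the `@@ -4,29 +4,14 @@` hunk, but the unchanged `let` bindings of `mkService` a few lines below (`user`, `group`, `subdomain`, `host`) still call it, so evaluating any module that uses `mkService` will fail with an undefined-variable error unless something else in scope supplies that name — nixpkgs `lib`, pulled in by `with lib;`, does not define it. The smallest fix is to keep the one-line helper, `existsOrDefault = x: set: default: if builtins.hasAttr x set then builtins.getAttr x set else default;`; alternatively switch the four call sites to the `lib.attrsets.attrByPath` form the function already uses for `envFiles`, e.g. `user = lib.attrsets.attrByPath [ "user" ] "568" options;`. Note that garnix.yaml, the only CI build configuration visible in this patch, is removed in the same commit, so nothing shown here would evaluate the flake and catch this. The body of `mkService` continues past the end of the hunk.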
@@ -41,9 +26,7 @@ rec { ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ] - ; - in { virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable { 
@@ -53,68 +36,13 @@ rec { TZ = options.timeZone; } // options.container.env; environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options; - volumes = [ "/etc/localtime:/etc/localtime:ro" ] - ++ lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [ - "${options.persistence.folder}:${options.container.persistentFolderMount}:rw" - ] - ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options; - - - labels = mkIf addTraefikLabels (mkTraefikLabels { - name = subdomain; - inherit (options) port; - inherit (options) domain; - url = host; - }); - + volumes = [ "/etc/localtime:/etc/localtime:ro" ] ++ + lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [ + "${options.persistence.folder}:${options.container.persistentFolderMount}:rw" + ] ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options; extraOptions = containerExtraOptions; }; - - systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ] - ; - - # built a entry for homepage - mySystem.services.homepage.${options.homepage.category} = mkIf addToHomepage [ - { - ${options.app} = { - icon = homepageIcon; - href = "https://${ host }"; - inherit host; - inherit (options) description; - }; - } - ]; - - } - - - ); - - # build up traefik docker labels - mkTraefikLabels = options: ( - let - inherit (options) name; - subdomain = if builtins.hasAttr "subdomain" options then options.subdomain else options.name; - host = existsOrDefault "host" options "${options.name}.${options.domain}"; - - # created if port is specified - service = if builtins.hasAttr "service" options then options.service else options.name; - middleware = if builtins.hasAttr "middleware" options then options.middleware else "local-ip-only@file"; - in - { - "traefik.enable" = "true"; - "traefik.http.routers.${name}.rule" = "Host(`${host}`)"; - 
"traefik.http.routers.${name}.entrypoints" = "websecure"; - "traefik.http.routers.${name}.middlewares" = "${middleware}"; - } // attrsets.optionalAttrs (builtins.hasAttr "port" options) { - "traefik.http.routers.${name}.service" = service; - "traefik.http.services.${service}.loadbalancer.server.port" = "${builtins.toString options.port}"; - } // attrsets.optionalAttrs (builtins.hasAttr "scheme" options) { - "traefik.http.routers.${name}.service" = service; - "traefik.http.services.${service}.loadbalancer.server.scheme" = "${options.scheme}"; - } // attrsets.optionalAttrs (builtins.hasAttr "service" options) { - "traefik.http.routers.${name}.service" = service; + systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ]; } ); - } diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index 8d1b7d9..5c4694e 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -1,5 +1,3 @@ { - mySystem = import ./nixos; - } diff --git a/nixos/modules/nixos/containers/arr/default.nix b/nixos/modules/nixos/containers/arr/default.nix deleted file mode 100644 index 0c624fd..0000000 --- a/nixos/modules/nixos/containers/arr/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ - imports = [ - ./sonarr - ./radarr - ./lidarr - ./readarr - ./prowlarr - ]; -} diff --git a/nixos/modules/nixos/containers/arr/lidarr/default.nix b/nixos/modules/nixos/containers/arr/lidarr/default.nix deleted file mode 100644 index d6de882..0000000 --- a/nixos/modules/nixos/containers/arr/lidarr/default.nix +++ /dev/null 
@@ -1,108 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "lidarr"; - image = "ghcr.io/onedr0p/lidarr:2.2.5"; - user = "568"; #string - group = "568"; #string - port = 8686; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - sops.secrets."services/${app}/env" = { - - # configure secret for forwarding rules - sopsFile = ./secrets.sops.yaml; - owner = config.users.users.kah.name; - inherit (config.users.users.kah) group; - restartUnits = [ "podman-${app}.service" ]; - }; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - dependsOn = [ "prowlarr" ]; - environment = { - PUSHOVER_DEBUG = "false"; - PUSHOVER_APP_URL = "${app}.${config.mySystem.domain}"; - LIDARR__INSTANCE_NAME = "Lidarr"; - LIDARR__APPLICATION_URL = "https://${app}.${config.mySystem.domain}"; - LIDARR__LOG_LEVEL = "info"; - }; - environmentFiles = [ config.sops.secrets."services/${app}/env".path ]; - volumes = [ - "${appFolder}:/config:rw" - "${config.mySystem.nasFolder}/natflix:/media:rw" - "/etc/localtime:/etc/localtime:ro" - ]; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf 
config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - mySystem.services.homepage.media = mkIf cfg.addToHomepage [ - { - Lidarr = { - icon = "${app}.svg"; - href = "https://${app}.${config.mySystem.domain}"; - - description = "Music management"; - container = "${app}"; - widget = { - type = "${app}"; - url = "https://${app}.${config.mySystem.domain}"; - key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}"; - }; - }; - } - ]; - - mySystem.services.gatus.monitors = [{ - - name = app; - group = "media"; - url = "https://${app}.${config.mySystem.domain}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - }]; - - services.restic.backups = config.lib.mySystem.mkRestic - { - inherit app; - user = builtins.toString user; - excludePaths = [ "Backups" ]; - paths = [ appFolder ]; - inherit appFolder; - }; - }; -} diff --git a/nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml deleted file mode 100644 index 71337ee..0000000 --- a/nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -services: - lidarr: - env: ENC[AES256_GCM,data:O4d3rRXSIEngArtNd+faqg==,iv:uZjQYc+eWtyHSDiWy2ApR4Hhly1vKV2cl50mWxNImhk=,tag:q6C5iyT5GJAgmi2Ei0dL/A==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQnV5QXg0YXpKK3JZdXFL - dVRBbjVGRkl1VWhzQzVUT0pOMU92OHI1NUNvClgwaUhpSVJzbENjY0MzN0tXUDdl - ZnpLa0dsL2d1cDh2MmIrL0ZXK0dlWWcKLS0tIEJYNStPRWpFTmhWWHlVRDJnOEhT - Sm9kK04zOHVlS3diNzlRMEk1VW5VcncKVMW00zzIjYeGkMaHI5qGzVVsrQMzXxmt - d4QS4OVt+LSiZVFkp7o84Lwzg42ljxG8TYGFZrXItzlfA8H+1Mo84w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbkpVVkVmNnJiWTV6Mm4r - OW1HQ3hBZVAwOGxrSDJNVUpUTWtCblhQQmo0CldBWGNzblUvVGptNVRtR2ZCSkly - L0cvdUZ6Tm1KcmJ4MFdNT05iQzVrOXMKLS0tIEY0cmRhSkY0L0V2dzhvaEFwYzQ3 - M3g0MGVKUWlORlZxMlo4U0N2OEJJQkEK5nIb7vaPxO2hfKRD2pes/zC5rVDrcL1l - fah/WWuh1UcLZWloj6Vqx+xPm16G10wzDJEWD/ANGTly3ke3aD2tgg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMDRPZjc5OWJvczBmbFoy - WnQ0VVA1ZThVdm44NnhrV2dNWUtaQ0E1SlVzCjR4TnNRVDdXWFdqMktMUHcwQlJn - RnYzZndYQ1paVkJWTUw3R3VLR1VtSVEKLS0tIG10RmNrcGovcWNCOG53aEZLR2U0 - UVR6L3ovamh2Rm1uTXJVUlZoV0xuWUUKQkF1Ss94AkIBh3y/tSGuHe1VOPO49tHK - Lh42/KE+8Jsev1hZfKzhq+6J3yi5+aIrjuFWYhJEfu1SM29J9CNZMA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK08xbkUyY1dSend4NDd0 - UjkrNW81a0NGUjVFS3NQc2V1UUpOczFqZkNnCno1Nkdyb1AvT1dhN3pySVZXeE1W - 
Q2ZYeUFsZmxScmtETHJnUkNyTGt3Q0kKLS0tIHBjV0JCYkxraTFDckVxemRpbTZM - SmJ1U1U5RStxcmR5a2VJV1pQNUx1MHMK1GuvIoo4XQZmLOvh2lluzn49h7My7/XW - tCtQEz0w0jAVA2R+QBi+IfAL3ZlHmRIBEOfL8OWmewnIDyOSrmOWuQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:oRC7wCHbR7j6EM37aNu/HUxWECNjU5WUdgtBnKa15LnUDH5RmqzUdmLcqE7rWSxjhVdAG5KdukeUilic/EF3+Z36cClENaEX5MYDbr85DAv9Fh5eb7vVuqnxyCf1H4LLeDFxR7OS+i5bWL8yR0xmCrzQeq8H5PSZDtKDyymE7tc=,iv:uQBQi8J5hIk9uKo1+wuioFeRwKbKm4CZ1k8oz/NvMpA=,tag:D5OSyWS1bLHTij587aUxjA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/containers/arr/prowlarr/default.nix b/nixos/modules/nixos/containers/arr/prowlarr/default.nix deleted file mode 100644 index c1bad7d..0000000 --- a/nixos/modules/nixos/containers/arr/prowlarr/default.nix +++ /dev/null 
@@ -1,105 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "prowlarr"; - image = "ghcr.io/onedr0p/prowlarr:1.16.2.4435@sha256:3d3d5702d40824da9ece02f465dbf221dfa726846e9212bc3fe89af5562e6e9e"; - user = "568"; #string - group = "568"; #string - port = 9696; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - sops.secrets."services/${app}/env" = { - - # configure secret for forwarding rules - sopsFile = ./secrets.sops.yaml; - owner = config.users.users.kah.name; - inherit (config.users.users.kah) group; - restartUnits = [ "podman-${app}.service" ]; - }; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - environment = { - PUSHOVER_DEBUG = "false"; - PUSHOVER_APP_URL = "${app}.${config.mySystem.domain}"; - PROWLARR__INSTANCE_NAME = "Prowlarr"; - PROWLARR__APPLICATION_URL = "https://${app}.${config.mySystem.domain}"; - PROWLARR__LOG_LEVEL = "info"; - }; - environmentFiles = [ config.sops.secrets."services/${app}/env".path ]; - volumes = [ - "${appFolder}:/config:rw" - "/etc/localtime:/etc/localtime:ro" - ]; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf 
config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - mySystem.services.homepage.media = mkIf cfg.addToHomepage [ - { - Prowlarr = { - icon = "${app}.svg"; - href = "https://${app}.${config.mySystem.domain}"; - - description = "Content locator"; - container = "${app}"; - widget = { - type = "${app}"; - url = "https://${app}.${config.mySystem.domain}"; - key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}"; - }; - }; - } - ]; - - mySystem.services.gatus.monitors = [{ - - name = app; - group = "media"; - url = "https://${app}.${config.mySystem.domain}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - }]; - - services.restic.backups = config.lib.mySystem.mkRestic - { - inherit app user; - excludePaths = [ "Backups" ]; - paths = [ appFolder ]; - inherit appFolder; - }; - - }; -} diff --git a/nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml deleted file mode 100644 index e91e34a..0000000 --- a/nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -services: - prowlarr: - env: ENC[AES256_GCM,data:RfSMBc1GuRAnMi2IwCp1yA==,iv:Qwixp/vl+fwV6u5Mrz49CvlTqm175ir501TMNb8DAiU=,tag:vWmDAJIx+xgf1JZXsgvZAg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSjMxdWdxTHlWbGJkNVFi - a2llUzhZTjk1aTRQeGZWUGVDRlp2MGRRYm13CjZKdGJwby9SQlRhRUNRTUE5OVU4 - UHRtVWhldzBudzVoT3VDaXZZSk8xVTAKLS0tIFhZcnhweC9RbWphYVpWRWsvd1FM - ejlOUjFFb1djVkZPRFg5V2RRUjlVYk0KS6hkIaUrA87JZFy17GQCHGwOPP/I5FOt - e/3HWlon+q8S97gAKjK/B723YpeQII9IJOFnnzpf/9iYbfCRCt5PGg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZR3g2bXI2alA0bGVscjBr - cWVHVE5PT01NQWk4cktTc01SeFdhekIvTWt3CkFzcjBsMGZJR0p3cWdQSlpqTUtF - MnAvQlc3NE1xN0hyTHZkL3FWRkZVMUUKLS0tIFFEQ01ndTV4L0E4aWI3MmtycGJC - bFYzaG1ybnBSZ0VCRnNxWHJPckhiOGMKY6pWJ3Y+HC0rPVWU1Jev6LyGe8XWl//N - ExvlsfXWAIrFPPhuxrrX58vvupiQnC39NOvlDAaK2MhgfAqK0Prx3A== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2U29taVkzWmVqbDY0RWJX - alZ6ODdPd0NXMHBnRW80UHNYcXN5eEd1S0JZCkg0akM0WGhiRzRhNFRIWERqaENN - V0VTV3VRT1ZkR25UbFdMdFdwS2NWbE0KLS0tIE9nT2lrZzRYb3krK0tMWmt4ajNS - OTBWUEEwRzR6c2tKUlNEQkFrSDc1eG8KBvg21rH2DBdsKu3yPlpcG3qPrTARLqKv - s7j3wf69rMOeCDRr8axHvAQBaILRQXfsMvcg958hHuxkxgmXyvmsnw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbVpQQURsQlNHNWtqMEMv - MnhsMndzTkduaXBMblNxa1Bpb2dPT21OTFdrCitBdkE2OHBWS1VyU0pTQVU4Y2cx - 
Y01mTCtUdExmT0JmbnNrZEpaZXMraWsKLS0tIDBZVmhzc29WVVJsQm5hSTVLYllF - NitGTFJqM0lTYkJoRzRwaEpIL2hHYjgKk3PPKX1oSS7vXOykj8YSCM0Mqmvs/56k - BvcqOi2UymCWAdWd4doKiTGOCnPbvPbcVn/DCP7IiJ7tGovW3Hds3w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:sbFacPQYDCUu8tqBhvNRl22IlgycS5I1NLPrdQ2mI7MBqbDjvUMdfNL/sdHTnnPEWbYmPxdm1eymyRE4Bi+RKAYYtj400Rv7oZtXcivXdodTFW1WnxvPs4vaW5eLPuoKY8fbkPJBN0dk5g/rTNsIgbDYGU20VQh4au3pdIP/1Ds=,iv:RL1747DNQX/p1X0IDnVfdtuBDovD7M3vYdPcWwZ4e3Q=,tag:5aLv5VZSYwFeUx8X6IKb1Q==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/containers/arr/radarr/default.nix b/nixos/modules/nixos/containers/arr/radarr/default.nix deleted file mode 100644 index a9b1fff..0000000 --- a/nixos/modules/nixos/containers/arr/radarr/default.nix +++ /dev/null 
@@ -1,110 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "radarr"; - image = "ghcr.io/onedr0p/radarr:5.4.6.8723@sha256:3198f09197697a4d57f995650ebf34b57b2fdbb991dac1611ad8356d9e8bda8e"; - user = "568"; #string - group = "568"; #string - port = 7878; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - sops.secrets."services/${app}/env" = { - - # configure secret for forwarding rules - sopsFile = ./secrets.sops.yaml; - owner = config.users.users.kah.name; - inherit (config.users.users.kah) group; - restartUnits = [ "podman-${app}.service" ]; - }; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - dependsOn = [ "prowlarr" ]; - environment = { - PUSHOVER_DEBUG = "false"; - PUSHOVER_APP_URL = "${app}.${config.mySystem.domain}"; - RADARR__INSTANCE_NAME = "Radarr"; - RADARR__APPLICATION_URL = "https://${app}.${config.mySystem.domain}"; - RADARR__LOG_LEVEL = "info"; - }; - environmentFiles = [ config.sops.secrets."services/${app}/env".path ]; - volumes = [ - "${appFolder}:/config:rw" - "${config.mySystem.nasFolder}/natflix:/media:rw" - "/etc/localtime:/etc/localtime:ro" - ]; - - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - 
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
- directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }];
- };
-
- mySystem.services.homepage.media = mkIf cfg.addToHomepage [
- {
- Radarr = {
- icon = "${app}.svg";
- href = "https://${app}.${config.mySystem.domain}";
-
- description = "Movie management";
- container = "${app}";
- widget = {
- type = "${app}";
- url = "https://${app}.${config.mySystem.domain}";
- key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}";
- };
- };
- }
- ];
-
- mySystem.services.gatus.monitors = [{
-
- name = app;
- group = "media";
- url = "https://${app}.${config.mySystem.domain}";
- interval = "1m";
- conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
- }];
-
- services.restic.backups = config.lib.mySystem.mkRestic
- {
- inherit app user;
- excludePaths = [ "Backups" ];
- paths = [ appFolder ];
- inherit appFolder;
- };
-
-
- };
-}
diff --git a/nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml
deleted file mode 100644
index 82fdff4..0000000
--- a/nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml
+++ /dev/null
@@ -1,50 +0,0 @@ -services: - radarr: - env: ENC[AES256_GCM,data:g2nOfHP6L3XzAXov85ObnA==,iv:wQuUoMQTSK0LhqITzwfT9jzar0AgDd/XjaGZqNULEKA=,tag:P575LQESgmqcK+lt6qjnLw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVE9jMWhqNDZkMVVyM0w3 - ck9vcVYwak5oeTJBd1ZhbENHb2laWmZqalZjClVGSXl6Uk1wK2N3UGJ6SzZ3OU9N - NGoweU5IUzc1M3RocGtJbWkxWkorbmsKLS0tIEVlandoSmovWGNPeUU0SkQ4RXpX - a2hDQzZ5NWd0eGExSVBCV1llZ0ROZTAKc11CpTzPGUjnvszlbup4C2/tiFDAcg8X - 3MPCJyx7AZpEVXaU4XXGjx5AGuNsNq/AK0t5Erl2IV9onr+2R5oWYA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNTJOYzZON2dpRzFLUnFN - TDlReHhuOW1rWjZDUjEzZ0R4WjRYazRNQjBNCkU3SEZqa09mUk9ZZWpBbUxJdnov - QzA5a3BOSDZNSGNOZmhkaWxBck9PWkEKLS0tIFNsUzBRZndxUVdPMklHanJRUjNJ - UTVxK2JJQ29xa2V0ZURDSGcvdUQ0TzAKxED8XhpsizFpEAryqoFDcpCyFeLB9o9H - nhL2KgyYwO5dE4EblcEH6TQ05tn4Z5hauytKtD3ScisOAtUuSYTXTQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6YnMzVGdNb2dzcEY5YWF1 - MHVrZ01mNlo1em9zanh1OXhjdUJpUExJWWg0CnNDQXFmVlJoenpmQmxnM1pmbUc1 - VlRYcWx0SzkrR1hMdGF0T2dxeUtaQkkKLS0tIENpZ2E4N01YRTgwRVRiL0lNT3pv - a0ZVeHd2VjNSdmN6Wk9iOHVEYzhZSWsKWIX7et7d34D5sFHIXORJBBtV0NlGIAey - BKsLefbu4HA20FE29MbN9FgUEFhWWMmUbGdfTqZ1tLeIkxfnUTwaiw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTmRGUktWYmZlRjhrbmpa - dGFnRDRiNFJSeUw2a0VWQktNTFJPRDNYclI4CkVmZkJlYVVlRDkvSzkvcnlYZC9a - 
Nm00aEZlRmRnQ3lOOEtvZUNaU3hjU1kKLS0tIEdHQmQrbHQvNExCMExlOE1Bc0Jk
- TzNUUHplZXhCVWpVSmp1MjJUK2VFbmMKst2kIb/iDFtkSTOachOMtf7EQQXgbuq9
- OvUjBi7pGQZyR3R2Xd53TyuB/XN/oP87HBO9J5sJaL7JM/E2GiMMDQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-11T03:03:13Z"
- mac: ENC[AES256_GCM,data:ZqR5/KDorn+Aa729BpNkQuUuSTm5KRlJ+IW/78W2TvURhC/9E2GjjPSXe3+xUhDQ/dx1L/OImjkqehfpnRcuIkrYzMyUg6m7Vi5dbRms6q6vrxmyH673JMuRL0SCtCEvk5cGPZP8Gpy1iVyolLFa/e85/d9/QddFPm2ol+PIfF4=,iv:ciZtUoUrehvqd1YktiMJ0kxloPZXlLeFopHGG2O7xwg=,tag:z/n0By181i9pacikNM3CIQ==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/nixos/modules/nixos/containers/arr/readarr/default.nix b/nixos/modules/nixos/containers/arr/readarr/default.nix
deleted file mode 100644
index 673a40e..0000000
--- a/nixos/modules/nixos/containers/arr/readarr/default.nix
+++ /dev/null
@@ -1,106 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "readarr"; - image = "ghcr.io/onedr0p/readarr-nightly:0.3.25.2515"; - user = "568"; #string - group = "568"; #string - port = 8787; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - sops.secrets."services/${app}/env" = { - - # configure secret for forwarding rules - sopsFile = ./secrets.sops.yaml; - owner = config.users.users.kah.name; - inherit (config.users.users.kah) group; - restartUnits = [ "podman-${app}.service" ]; - }; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - dependsOn = [ "prowlarr" ]; - environment = { - TZ = "${config.time.timeZone}"; - READARR__INSTANCE_NAME = "Lidarr"; - READARR__APPLICATION_URL = "https://${app}.${config.mySystem.domain}"; - READARR__LOG_LEVEL = "info"; - }; - environmentFiles = [ config.sops.secrets."services/${app}/env".path ]; - volumes = [ - "${appFolder}:/config:rw" - "${config.mySystem.nasFolder}/natflix:/media:rw" - "/etc/localtime:/etc/localtime:ro" - ]; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = 
[{ directory = appFolder; inherit user; inherit group; mode = "750"; }];
- };
-
- mySystem.services.homepage.media = mkIf cfg.addToHomepage [
- {
- Readar = {
- icon = "${app}.svg";
- href = "https://${app}.${config.mySystem.domain}";
-
- description = "Book management";
- container = "${app}";
- widget = {
- type = "${app}";
- url = "https://${app}.${config.mySystem.domain}";
- key = "{{HOMEPAGE_VAR_READARR__API_KEY}}";
- };
- };
- }
- ];
-
- mySystem.services.gatus.monitors = [{
-
- name = app;
- group = "media";
- url = "https://${app}.${config.mySystem.domain}";
- interval = "1m";
- conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
- }];
-
- services.restic.backups = config.lib.mySystem.mkRestic
- {
- inherit app user;
- excludePaths = [ "Backups" ];
- paths = [ appFolder ];
- inherit appFolder;
- };
-
- };
-}
diff --git a/nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml
deleted file mode 100644
index b50a523..0000000
--- a/nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml
+++ /dev/null
@@ -1,50 +0,0 @@ -services: - readarr: - env: ENC[AES256_GCM,data:qeJ2QSYl4QwJdZY9EwUyxw==,iv:juUUsv+tm9+2fRjXuQKToq4leb8SwoMlD/XSzwK4tds=,tag:ATdu3cvUe5xnSDQrSjJpEg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TG9jcEQvTkRRVlV2NFBm - cGtqcnljeUVBN3R5djN5cktKN1pjTGZkbkRRCjlnb1lsWTIwZFJockxNVThFcG1Z - bGxRODBEODdiWDhoNjJGejJGbG5wL0EKLS0tICsrMVVpWVVWOWRGd0l3TVJ3WGJL - eVpiZGtvZlhLdW1nNTVZZHl4aDZpdm8KeMcKEiI57FIl6cMz4A7OiiEMx+4A3JHD - FOONn+HkF9EXUWTxNyfczDjP/5av8xgVnB4dxItvI1edeZKebthIRA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcGRCajhLWUp1SnhmbHVG - TUVzUkFHQTV6ZURVZ0lxWjRSTHJETEtEd2xrCkQ5LzFNbVptNXErVDdpQWNRSk8y - RC9yenkzUmlKRExUMWVIRGpKV1c1aDgKLS0tIDByOFBkVkxGYWMvUnVMb1Z3YmVl - elhxUkJkUkptbTY0K1NuQjZaZjRlLzgKZqQUyR4iiRbWrLGabJnQotIxorXpmuGc - 2SxWtWGHwJzlzkPy1C7D/mLwfzcNwicZnNSKPGcKv6krhrZnlrBR2g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDQ1c2ejNYd1NNZTBlMWNV - WHIraHFPSU8rWVZuUHV6ZWp2Z2h1dDRnckhJCmpybVRyUHl3S0IvUnBveUc0VUVG - T1BaTnJTZlkyYWRLYXczMFgxeEdSeFUKLS0tIG9WTWpUZWtWUWVXLzFxMndiSVFN - QTJCK3llaFVYN3JDdDBGZ2RNNlVtN2cKL3nx9qLMBVYFRdIv3s09a7b0m2vnL+JA - flKp/BhauIBNXMiG5YlFyjkpTuADY7GyCxJBOUere2fVVRKLXKPQpA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdm40TnJpSmFkRWcvUXRa - bmdFSmYzd2MzellUTFIzVEdOYnlNZVdicENjCjBZcENtY094MXc2MVdWcnNWV1hn - 
QmhnL2QyczkzazkrZU9TZDBXMEpoNlEKLS0tIHVaWFFPYi80YXlSWU9SN3RHR0xm
- UnZvc3hmcXBXTUk2VFozRkpWQjFvWTgKaBNOARVfCmBg9avayVWNmuN42N2oas1c
- ViaEfbzNi50jJiSjebcdfVb8GZSPi5laaGPlcBlTaH4/tIVSO0v6oQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-11T03:03:13Z"
- mac: ENC[AES256_GCM,data:U2RcBHHHyDY0KFGr8XMmiMtpVv8WsfaMmKPasJvh8SR56njkGFoH0CvYr3tbGfOy0P4TWddh4ywlFkCA0LkWEv6Uh/0jxgq1ZYiKvq5Vrv0wyT5xP6kC5cBtST7+y14NrMbAiT4hO+sfw9utH/b/C0YHmUl6WLJaYbikJFQmx4c=,iv:QbKtME9p2i+/E51pntOjRwtSEgz4iq4gi81dCLoIkTc=,tag:VMXaP2pB7h37Grt+9UDBoQ==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/nixos/modules/nixos/containers/arr/sonarr/default.nix b/nixos/modules/nixos/containers/arr/sonarr/default.nix
deleted file mode 100644
index 367bf78..0000000
--- a/nixos/modules/nixos/containers/arr/sonarr/default.nix
+++ /dev/null
@@ -1,110 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "sonarr"; - image = "ghcr.io/onedr0p/sonarr:4.0.4@sha256:9c78b3a37af6e814062e4a631c25ad181c800ae11d21acdfd26c843da9e4a42e"; - user = "568"; #string - group = "568"; #string - port = 8989; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - containerPersistentFolder = "/config"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - sops.secrets."services/${app}/env" = { - - # configure secret for forwarding rules - sopsFile = ./secrets.sops.yaml; - owner = config.users.users.kah.name; - inherit (config.users.users.kah) group; - restartUnits = [ "podman-${app}.service" ]; - }; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - dependsOn = [ "prowlarr" ]; - environment = { - TZ = "${config.time.timeZone}"; - PUSHOVER_DEBUG = "false"; - PUSHOVER_APP_URL = "${app}.${config.mySystem.domain}"; - SONARR__INSTANCE_NAME = "Radarr"; - SONARR__APPLICATION_URL = "https://${app}.${config.mySystem.domain}"; - SONARR__LOG_LEVEL = "info"; - }; - environmentFiles = [ config.sops.secrets."services/${app}/env".path ]; - volumes = [ - "${appFolder}:/config:rw" - "${config.mySystem.nasFolder}/natflix:/media:rw" - "/etc/localtime:/etc/localtime:ro" - ]; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = 
"resolver 10.88.0.1;";
-
- };
- };
-
- environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
- directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }];
- };
-
- mySystem.services.homepage.media = mkIf cfg.addToHomepage [
- {
- Sonarr = {
- icon = "${app}.svg";
- href = "https://${app}.${config.mySystem.domain}";
-
- description = "TV show management";
- container = "${app}";
- widget = {
- type = "${app}";
- url = "https://${app}.${config.mySystem.domain}";
- key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}";
- };
- };
- }
- ];
-
- mySystem.services.gatus.monitors = [{
-
- name = app;
- group = "media";
- url = "https://${app}.${config.mySystem.domain}";
- interval = "1m";
- conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
- }];
-
- services.restic.backups = config.lib.mySystem.mkRestic
- {
- inherit app user;
- excludePaths = [ "Backups" ];
- paths = [ appFolder ];
- inherit appFolder;
- };
-
-
- };
-}
diff --git a/nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml
deleted file mode 100644
index 175c7d5..0000000
--- a/nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml
+++ /dev/null
@@ -1,50 +0,0 @@ -services: - sonarr: - env: ENC[AES256_GCM,data:qqHY3p092WfsIfWdKXvVJg==,iv:89h8Xw10HkOyN3ZlpeeEXvB9N2MrOopD/1AL51NobuI=,tag:Bk1MJcb58K0tmccGBlOMiQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxL09DMDJFd1RnZHNwbjFQ - MmkzSCtRWHN3Ri92cFhUUGIreGQ4MUJMOGxBCmlFSnBsM1RKclpGc3dad0w2eEdj - MkVLYUdWYnBRQ2VSYWVmcjFlK2xpU1kKLS0tIHIrUEtINWtJbmpqcUticmpWbWc2 - U3ZFRUExV2lHUG1RZ09aVFU2RTZuTjQK+jetUpJHMLJwVxazQBDlhrvZrrHGm9ks - 5xUr6jkpE6zmg8W1DVQ4rShfDyCpTbqsqfx2zV1wJ9Poe24lMNw4LA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6amQ2QUhUWDlqelBFWkFu - N2VodmIrMnRnWjcvZThYVVpXWGl0Mk5kUEFRCm1iczQrU21wc2NlN0ZXTE9YOUZp - S2hSaExab2QzTUZhTHhsYjRwOVE0MlkKLS0tIG8zVDFqWG94TStEZmx5aEZNRmQw - eGs4YnFMWmhTOGhLQ0VWdFlkSGkrM1EK0PbiqN11i9xOgFiMLy8715mkwog1iZgm - QjCbFL+MbOqcpbfMStupHrg34aP4mgmcjBQlTwqlbhn1K3mqhjQu8g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndTFMNEJvYjFYUTRzRDBW - ZmJwSmxWeEJOYTU1a2JUVFpmcHAzb2Zyem5JCmQ4QWJGY3RCVmNoeUwyaUVDeERz - a05kSDFaMHl1S2JPNkw1ZnJZYmZSYXcKLS0tIEk1KzlmTkVWVDlacFh4Q1FqTzJT - bWNJYTZURFJmeXYzbjdna243RmpZdkEKM9Ixfy0eE8iGGTUcY92NhDYuJ/oOuiCT - pucwAuVGlO/ZJxvByrGHmfHp8pvsAdE1H46nIXssqb+LoZOnl1nSWw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SmdHOVhCL0V5a21GMjQ0 - M1JES0dKclBmcjNSdWFPTXd6RzQ2WnhUd2pVClliS1pncHZld0NGYzFtTE90OWhy - 
V3lweGUvM0ZnV0lObDdBaFpLSGpaQ1kKLS0tIDduQXVaRzZqTUwrTjVmRTFYa1lN - M01kODQrTzlOQUJmNmlmcXpEdUNqYUEKtDP4fGNkOFbXVFt5612CPGFspsM/PuhZ - mU/7mEWCNauZ74VrHWVtEYYI6bvr8Z6BszJe0UF5Wt4ZL0QVObj5Fg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:qPTN+la1YmZ/RpBf2jgYnc4LfvEInH8jlvX+5AICIXYB9RhF9zaWAohn4lUch/rcMaZsBSCiqvS3xpe+FgKU567hePRLgaezl9lDUya/RYynJJ8i8FG3Sg6EgMaqqn8naDl9Ywo3kCvDl5LRLe5u+gdkHXzLIQ7O/44BpcKusn4=,iv:nl2MsL6bIZN3r/HUBeDd9JQo5iYN/yTboq3r/8lWKQg=,tag:gWTgEF63PyGQrVEFx61SOA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/containers/backrest/default.nix b/nixos/modules/nixos/containers/backrest/default.nix index 0fd6b35..f3f40a6 100644 --- a/nixos/modules/nixos/containers/backrest/default.nix +++ b/nixos/modules/nixos/containers/backrest/default.nix @@ -56,21 +56,7 @@ in }; }; - - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - Backrest = { - icon = "${app}.svg"; - href = "https://${app}.${config.mySystem.domain}"; - - description = "Local restic backup browser"; - container = "${app}"; - }; - } - ]; - mySystem.services.gatus.monitors = [{ - name = app; group = "infrastructure"; url = "https://${app}.${config.mySystem.domain}"; diff --git a/nixos/modules/nixos/containers/calibre/default.nix b/nixos/modules/nixos/containers/calibre/default.nix deleted file mode 100644 index f10fec6..0000000 --- a/nixos/modules/nixos/containers/calibre/default.nix +++ /dev/null 
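Review bot: With the `mkIf cfg.addToHomepage` consumer removed, the `addToHomepage` option this module presumably still declares in its `options` block (outside this hunk; the sibling arr modules deleted in the same commit declare it as `mkEnableOption "Add ${app} to homepage" // { default = true; }`) becomes a dead knob that still evaluates but affects nothing, and the hunk header `-56,21 +56,7` shows only the fourteen removals here, so the declaration has not been touched. Drop the option declaration too, or a later reader of this module will assume homepage integration still exists; if it stays, a `# homepage integration was removed in "reduce, reuse, refine"; this option is kept only for host-config compatibility` comment next to it would explain the leftover. The enclosing `config = mkIf cfg.enable { … }` attribute set starts and ends outside the hunk.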
@@ -1,157 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.${category}.${app}; - app = "calibre"; - category = "containers"; - description = "eBook managment"; - image = "ghcr.io/linuxserver/calibre:version-v7.10.0"; - user = "0"; #string - group = "0"; #string - port = 8091; #int - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - host = "${app}" + (if cfg.dev then "-dev" else ""); - url = "${host}.${config.networking.domain}"; -in -{ - options.mySystem.${category}.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - monitor = mkOption - { - type = lib.types.bool; - description = "Enable gatus monitoring"; - default = true; - }; - prometheus = mkOption - { - type = lib.types.bool; - description = "Enable prometheus scraping"; - default = true; - }; - addToDNS = mkOption - { - type = lib.types.bool; - description = "Add to DNS list"; - default = true; - }; - dev = mkOption - { - type = lib.types.bool; - description = "Development instance"; - default = false; - }; - backup = mkOption - { - type = lib.types.bool; - description = "Enable backups"; - default = true; - }; - - - - }; - - config = mkIf cfg.enable { - - ## Secrets - # sops.secrets."${category}/${app}/env" = { - # sopsFile = ./secrets.sops.yaml; - # owner = user; - # group = group; - # restartUnits = [ "${app}.service" ]; - # }; - - users.users.jahanson.extraGroups = [ group ]; - - - # Folder perms - only for containers - systemd.tmpfiles.rules = [ - "d ${appFolder}/ 0750 ${user} ${group} -" - ]; - - ## service - virtualisation.oci-containers.containers = config.lib.mySystem.mkContainer { - inherit app image user group; - - env = { - PUID = "568"; - PGID = "568"; - }; - volumes = [ - "${appFolder}:/config:rw" - "${config.mySystem.nasFolder}/natflix/:/media:rw" - ]; - ports = [ "${builtins.toString port}:8080" ]; - caps = { - 
noNewPrivileges = true; - }; - }; - - # homepage integration - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - inherit description; - }; - } - ]; - - ### gatus integration - mySystem.services.gatus.monitors = mkIf cfg.monitor [ - { - name = app; - group = "${category}"; - url = "https://${url}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - } - ]; - - ### Ingress - services.nginx.virtualHosts.${url} = { - forceSSL = true; - useACMEHost = config.networking.domain; - locations."^~ /" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - proxyWebsockets = true; - }; - }; - - ### firewall config - - # networking.firewall = mkIf cfg.openFirewall { - # allowedTCPPorts = [ port ]; - # allowedUDPPorts = [ port ]; - # }; - - ### backups - warnings = [ - (mkIf (!cfg.backup && config.mySystem.purpose != "Development") - "WARNING: Backups for ${app} are disabled!") - ]; - - services.restic.backups = mkIf cfg.backup (config.lib.mySystem.mkRestic - { - inherit app user; - paths = [ appFolder ]; - inherit appFolder; - }); - - - # services.postgresqlBackup = { - # databases = [ app ]; - # }; - - - - }; -} diff --git a/nixos/modules/nixos/containers/cross-seed/default.nix b/nixos/modules/nixos/containers/cross-seed/default.nix deleted file mode 100644 index 3866e42..0000000 --- a/nixos/modules/nixos/containers/cross-seed/default.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "cross-seed"; - image = "ghcr.io/onedr0p/sabnzbd:4.2.3@sha256:8943148a1ac5d6cc91d2cc2aa0cae4f0ab3af49fb00ca2d599fbf0344798bc37"; - user = "568"; #string - group = "568"; #string - port = 8080; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - configFile = builtins.toFile "config.js" (builtins.toJSON configVar); - -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - cmd = [ "daemon" ]; - volumes = [ - "${appFolder}:/config:rw" - "${configFile}:/config/config.yaml:ro" - "/etc/localtime:/etc/localtime:ro" - ]; - }; - - }; -} diff --git a/nixos/modules/nixos/containers/default.nix b/nixos/modules/nixos/containers/default.nix index 246ab5e..641ca00 100644 --- a/nixos/modules/nixos/containers/default.nix +++ b/nixos/modules/nixos/containers/default.nix @@ -1,19 +1,6 @@ { imports = [ - ./arr - ./homepage - ./gatus - ./sabnzbd - ./qbittorrent - ./plex - ./tautulli ./backrest - ./searxng - ./factorio - ./whoogle - ./redlib - ./home-assistant - ./calibre - ./ecowitt2mqtt + ./gatus ]; } diff --git a/nixos/modules/nixos/containers/ecowitt2mqtt/default.nix b/nixos/modules/nixos/containers/ecowitt2mqtt/default.nix deleted file mode 100644 index 754ca60..0000000 --- a/nixos/modules/nixos/containers/ecowitt2mqtt/default.nix +++ /dev/null 
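Review bot: The import list now wires in only `./backrest` and `./gatus`, so every option the dropped modules declared under `mySystem.services.*` (and `mySystem.containers.*` for the calibre and ecowitt2mqtt modules, whose `options.mySystem.${category}.${app}` used `category = "containers"`) disappears from the option tree, and any host configuration that still sets one of them, e.g. `mySystem.services.radarr.enable = true;`, will fail evaluation with an undefined-option error; host configs are not in this diff, so I cannot tell whether they were pruned, and evaluating every host (a flake check) would confirm it. Removing a module also does not undo what it already did on deployed hosts: the `/var/lib/<app>` directories created by the deleted modules' `systemd.tmpfiles.rules` entries and the per-app system user/group such as factorio's uid/gid `845` stay behind until removed by hand, and the encrypted `secrets.sops.yaml` contents remain in git history for the four age recipients listed in them. Since those env files carried service credentials, decommissioning should pair this import change with rotating or revoking those credentials. The `{ imports = [ … ]; }` set is complete within the hunk.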
@@ -1,158 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.${category}.${app}; - app = "ecowitt2mqtt"; - category = "containers"; - description = "Weather station to MQTT"; - image = "ghcr.io/bachya/ecowitt2mqtt:latest@sha256:91d31b6db0c00021580f8890341cbbea44c8835dd8eb9f80f811dfcd6ac29c24"; - user = "nobody"; #string - group = "nobody"; #string - port = 8080; #int - # appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - host = "${app}" + (if cfg.dev then "-dev" else ""); - url = "${host}.${config.networking.domain}"; -in -{ - options.mySystem.${category}.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - monitor = mkOption - { - type = lib.types.bool; - description = "Enable gatus monitoring"; - default = true; - }; - prometheus = mkOption - { - type = lib.types.bool; - description = "Enable prometheus scraping"; - default = true; - }; - addToDNS = mkOption - { - type = lib.types.bool; - description = "Add to DNS list"; - default = true; - }; - dev = mkOption - { - type = lib.types.bool; - description = "Development instance"; - default = false; - }; - backupLocal = mkOption - { - type = lib.types.bool; - description = "Enable local backups"; - default = true; - }; - backupRemote = mkOption - { - type = lib.types.bool; - description = "Enable remote backups"; - default = true; - }; - - - }; - - config = mkIf cfg.enable { - - ## Secrets - sops.secrets."${category}/${app}/env" = { - sopsFile = ./secrets.sops.yaml; - owner = user; - inherit group; - restartUnits = [ "podman-${app}.service" ]; - }; - - users.users.jahanson.extraGroups = [ group ]; - - - # Folder perms - only for containers - # systemd.tmpfiles.rules = [ - # "d ${persistentFolder}/ 0750 ${user} ${group} -" - # ]; - - ## service - virtualisation.oci-containers.containers = config.lib.mySystem.mkContainer { - inherit app image 
user group; - env = { - ECOWITT2MQTT_MQTT_BROKER = "mqtt.trux.dev"; - ECOWITT2MQTT_MQTT_PORT = "1883"; - ECOWITT2MQTT_MQTT_TOPIC = "ecowitt2mqtt/pws"; - ECOWITT2MQTT_PORT = "8080"; - ECOWITT2MQTT_HASS_DISCOVERY = "true"; - ECOWITT2MQTT_OUTPUT_UNIT_SYSTEM = "metric"; # Come on guys nobody want to use freedum units" - }; - envFiles = [ config.sops.secrets."${category}/${app}/env".path ]; - }; - - # homepage integration - # mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - # { - # ${app} = { - # icon = "${app}.svg"; - # href = "https://${url}"; - # description = description; - # }; - # } - # ]; - - ### gatus integration - mySystem.services.gatus.monitors = mkIf cfg.monitor [ - { - name = app; - group = "${category}"; - url = "https://${url}/data/report"; # check the reporting URL for 405 'method not allowed's - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 405" "[RESPONSE_TIME] < 50" ]; - } - ]; - - ### Ingress - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - # I dont need/want ssl for this one, weather station expets http - # useACMEHost = config.networking.domain; - # forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - proxyWebsockets = true; - extraConfig = "resolver 10.88.0.1;"; - }; - }; - - ### firewall config - - # networking.firewall = mkIf cfg.openFirewall { - # allowedTCPPorts = [ port ]; - # allowedUDPPorts = [ port ]; - # }; - - ### backups - # warnings = [ - # (mkIf (!cfg.backupLocal && config.mySystem.purpose != "Development") - # "WARNING: Local backups for ${app} are disabled!") - # (mkIf (!cfg.backupRemote && config.mySystem.purpose != "Development") - # "WARNING: Remote backups for ${app} are disabled!") - # ]; - - # services.restic.backups = mkIf cfg.backups config.lib.mySystem.mkRestic - # { - # inherit app user; - # paths = [ appFolder ]; - # inherit appFolder; - # local = cfg.backupLocal; - # remote = cfg.backupRemote; - # }; - - - 
};
-}
diff --git a/nixos/modules/nixos/containers/ecowitt2mqtt/secrets.sops.yaml b/nixos/modules/nixos/containers/ecowitt2mqtt/secrets.sops.yaml
deleted file mode 100644
index 590ca51..0000000
--- a/nixos/modules/nixos/containers/ecowitt2mqtt/secrets.sops.yaml
+++ /dev/null
@@ -1,50 +0,0 @@ -containers: - ecowitt2mqtt: - env: ENC[AES256_GCM,data:jyDAIs+y8kk5jI88bC//YQ==,iv:dbNmqstFgVN5aNWv7rDAybcyt65VADHyL4DSRA/F0qg=,tag:rRQNUvU/q+TZKa/QCLSRtw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOK2tBVjlBaFo1VVJ1ekpx - b0xNU0VMZk4rNVVHR241S1djMjlIcTI3V20wCkEzejErbEZnNVNVKzhmcjIwVWJU - dU5vVVpGZi9OR1RXcW9NQ1d1UDBqWVEKLS0tIDdBRGtwcmZsamFMRVRvcWdZME1y - OTZ3SzNyWWMxTmxwOUpnTTExbTVQZWMKP+39o6T1Ml0bBFeCk9bKsWcWy19xxVQy - cqanZLReUgvYJKHkYV+F0IAUp6Hk/bTStOapN9qjqkZtU9c09dRJ/g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQTFCdEhMY2hkaDBJUG5P - cmkyeTZUNUpnSEpIWWVpSUNvOUhyc2JnODJrClFuK0ZGcENYRkhCbnR4dzMrMm1k - SWg4ZkJ1Y0Q3TENUQ1FVSE5XVFpLUkkKLS0tIDBoVkd6UUlrdFp1dEpDWHdwV2s4 - bnoxd3RxQWhWY2hJWEpDT3N4RGp3VVUKb3q6vXN3giYz34zIc0oYpG6Bibnoqjyj - 62k3ym5rjXlSLLnSk+ABQ+OwCZb6hzNT9u7I6hkmnLQhGgX0loqz3g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVUjZudFBUU2VDdzcveUZr - aUI5Z00xMEQrejAvQS9LdGxnVXVocXhLS2hzCk9nTk9lb0ZpT3FZWTU4eEYyYVJt - UXFWTGNwUkJpcnBIcnNRTSt6UHkzcEUKLS0tIDkxdzk0cDc0andKRVlEdEo2L000 - eXJkRUw1ZEY0bDhxVUJsSGN2WGtZNUEKSLSZCBWcauFt4TvTPSsklYKRfcHrSVob - B6CClhyG4mgrG0C9TZzaqw9ZXGoHyukWAOXY6wTAKdFliNvk8PzAfg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dW05N3l3T0dyT0pBMDdT - NllmNlZnUVlwV1FJeWhueHdTZHRuQlFVWlFrCjhQODRiSkc2bmhqWmZ4bkhyOWNI - 
Z3BjNVhsSkFRQWpBdGpaaitlL2lwUTgKLS0tIHBrZm0vSHNYdktwd2w5aGdpTTNI
- dGE2bTlQcm1PNUZkK1lVNXpDUEYrd2sK12fPbfKuiWMm8HD/360QS8MrdWS2eUgy
- g3BaWucH7GFa1veVw3uBqeFMDW/ZisC27w4lS6buQVq4TcHybbtD7Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-11T03:03:13Z"
- mac: ENC[AES256_GCM,data:U4Q/RboQRdfyTsSqxppc86xRNQpTE7vZ2zujrWU5SZ+nJho2H+uXkbFQrXFasgBy5gxT2IJtcjd0k/logVMc5KMd+whwf2q35qKpAtIbEDXYGfUsvrz2UMl/K4Kq4tM21zCzMHWQWiSXPSGDN9BE8QiRbZKjGCZ4Mp+yFv+1vrA=,iv:8Q0adi1GXu4AnH2pYyI18AsBx5KVxAYQibIEo4VgaFI=,tag:9LSw+hh1b5wuqb8POyeU1w==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/nixos/modules/nixos/containers/factorio/default.nix b/nixos/modules/nixos/containers/factorio/default.nix
deleted file mode 100644
index 0c913b9..0000000
--- a/nixos/modules/nixos/containers/factorio/default.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ lib
-, config
-, pkgs
-, ...
-}:
-with lib;
-let
- app = "factorio";
- instance = "freight-forwarding";
- image = "factoriotools/factorio:stable@sha256:fae8a40742bd6fc42c92eac3956ad36737cf0ce5a31d2793438b65ad8b50d50a";
- user = "845"; #string
- group = "845"; #string
- port = 34203; #int
- port_rcon = 27019; #int
- cfg = config.mySystem.services.${app}.${instance};
- appFolder = "/var/lib/${app}/${instance}";
- # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
-in
-{
- options.mySystem.services.${app}.${instance} =
- {
- enable = mkEnableOption "${app} - ${instance}";
- addToHomepage = mkEnableOption "Add ${app} - ${instance} to homepage" // { default = true; };
- openFirewall = mkEnableOption "Open firewall for ${app} - ${instance}" // {
- default = true;
- };
- };
-
- config = mkIf cfg.enable {
-
- # ensure folder exist and has correct owner/group
- systemd.tmpfiles.rules = [
- "d ${appFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
- ];
- # make user for container
- users = {
- users.${app} = {
- name = app;
- uid = lib.strings.toInt user;
- group = app;
- isSystemUser = true;
- };
- groups.${app} = {
- gid = lib.strings.toInt group;
- };
- };
- # add user to group to view files/storage
- users.users.jahanson.extraGroups = [ "${app}" ];
-
- sops.secrets."services/${app}/env" = {
- sopsFile = ./secrets.sops.yaml;
- owner = app;
- group = app;
- restartUnits = [ "podman-${app}-${instance}.service" ];
- };
-
-
- virtualisation.oci-containers.containers."${app}-${instance}" = {
- image = "${image}";
- user = "${user}:${group}";
- volumes = [
- "${appFolder}:/factorio:rw"
- "/etc/localtime:/etc/localtime:ro"
- ];
- environment =
- {
- UPDATE_MODS_ON_START = "false";
- PORT = "34203";
- RCON_PORT = "27019";
- };
- environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
- ports = [ "${builtins.toString port}:${builtins.toString port}/UDP" ];
# expose port
- };
- networking.firewall = mkIf cfg.openFirewall {
-
- allowedTCPPorts = [ port ]; # I dont use rcon so not opening that too.
- };
-
- environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
- directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }];
- };
-
-
- mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
-
- name = app;
- group = "media";
- url = "udp://${config.networking.hostName}:${builtins.toString port}";
- interval = "30s";
- conditions = [ "[CONNECTED] == true" "[RESPONSE_TIME] < 50" ];
- }];
-
- services.restic.backups = config.lib.mySystem.mkRestic
- {
- inherit app user;
- paths = [ appFolder ];
- inherit appFolder;
- };
-
- };
-}
diff --git a/nixos/modules/nixos/containers/factorio/secrets.sops.yaml b/nixos/modules/nixos/containers/factorio/secrets.sops.yaml
deleted file mode 100644
index 1e96c0e..0000000
--- a/nixos/modules/nixos/containers/factorio/secrets.sops.yaml
+++ /dev/null
@@ -1,50 +0,0 @@ -services: - factorio: - env: ENC[AES256_GCM,data:VuRK4vLrpPgmr41OfN6xCw==,iv:Z3vlV9WZdcZ9fZXSjrQ67O4oec0xDHcg2tMqAi8E1hM=,tag:E/y2cCjeDcoS8itM2uSEOQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRV2Y4V3gxaUEzeThaQW54 - QVhXZnNoMlpQaksxZ0pCVGZkdWpucUNUaUE0ClNpbWVETlFTRDk1NDdiYjJWZ1ND - NFFCMnFRa3ViazB5dG1FWHRNMk4zWVkKLS0tIG9sTHEwWlhGZUNKV1VPSWZpWlcy - ZjVoQjBsMjVwYnh6MTdVWFZGNm9UbW8KC2FM/dCsmmQ0q9uiwe9zeczJNabJnBVh - sLMJ/X41hGlb8G0dGVRnBbbXqRelSLyCgFkgpcUO8hFNKyW9WtG4Dw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5dVBVdjNLTG5iWG5kYXAv - K0ZrZzUxaEZzN2UvVFlneHpyOWtudG5obmlvCjlscXhYRnFuZEwvdDFZNWhnazhk - KzFBZzZVMksyaHl2SzFKRnZvT3UyUW8KLS0tIGN4bFRVMVd3SzFzRjJoVFFKM0E5 - UHpyYkE3OVRoQWErN0JBcm96MmltdDgKliCv1TytM2xKWhNCbAyOkjpky48J+/pb - nnrSd1+RiZvICH3W4H2wKImTsPx2Rs5eRwju9eG/jW/RKXgiG9Kbvg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFU0VwRUJsVnhlQk91VnhH - NnFRZkZGRTV5REJPT2duRkN3cGN6Wkl0cjNzCjgrcVNhTkM5cXIxbkppdm9yOUww - UTFvMnYyWnlzdXZrNitTcUFmU2ZjMm8KLS0tIDFEc0RzU2YrRjhtbDY4c3dYTTRQ - VEJvSzlWTElJZWQ1U3I3SUFFOXYvMFEKqvLQbs9GaW/Y/IjUpsyqpAwADGjC2rUL - l6ShXZ8L5rvSvN0eArgUmTyOH1gCzx0nt3P4Q0u/KVMkjetqISatqw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxYmo5WkJwTlVGQUlIeXBE - VXNpUmNFRWJ5cWI4Yzl4NEt2Qm9CTXQ5a2pJCnNYdmMxaHRIUE53bmwvdUc4UzZr - 
d3JSVGx1eWFOTy80UG13enBwVUFCVk0KLS0tIHVJeGc5SDFoZXNKdGdSYVk1azZt
- YWJvQmlWNm01Vi9rRUZ6eG51MENTaEEKUaq7S1z54TITkZoNKhgn+zWdL3XZbGgr
- 1XrQ73ITvDeMMal0EGMJ7znj1xhOioplMINqGE8gQX3xUVaNLtkhpA==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-11T03:03:13Z"
- mac: ENC[AES256_GCM,data:q4gp2pazpoheErkCDwDYSRLzw0MmpAGGEtGC/opwRmsjATDIA5RMF7BW+0s+LqC/mIUCWiV803jNRH0RHkyAM+B1zkgx0IMyTDLCeIKphMDEQHHwnS/kBSyFQNimEXevdkOVe1x4W/Uyj048o0n4/T81ivQc7b3Im3kBj5JRSIQ=,iv:VqLb3FNS7hNpvGBE+WC3em5USqbh1l738UjazXTFQMM=,tag:f23h1kKy8ux2uo4QBy9GYA==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/nixos/modules/nixos/containers/gatus/default.nix b/nixos/modules/nixos/containers/gatus/default.nix
index edba2ad..9231238 100644
--- a/nixos/modules/nixos/containers/gatus/default.nix
+++ b/nixos/modules/nixos/containers/gatus/default.nix
@@ -115,21 +115,5 @@ in
 extraConfig = "resolver 10.88.0.1;";
 };
 };
-
-
- mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [
- {
- "Gatus Internal" = {
- icon = "${app}.svg";
- href = "https://${app}.${config.mySystem.domain}";
- description = "Internal Infrastructure Monitoring";
- container = "${app}";
- widget = {
- type = "${app}";
- url = "https://${app}.${config.mySystem.domain}";
- };
- };
- }
- ];
 };
 }
diff --git a/nixos/modules/nixos/containers/gatus/secrets.sops.yaml b/nixos/modules/nixos/containers/gatus/secrets.sops.yaml
index 27bdb28..8088e41 100644
--- a/nixos/modules/nixos/containers/gatus/secrets.sops.yaml
+++ b/nixos/modules/nixos/containers/gatus/secrets.sops.yaml
@@ -1,6 +1,6 @@
 services:
 gatus:
- env: ENC[AES256_GCM,data:bqAAKTvPB4tXACy2EiuqPw==,iv:wN6h6yOoW5LiZileoHWk0lxgFlDkf7slrv3koYtMb9o=,tag:iXI4IKRZLxO0YoJ0dK7nJA==,type:str]
+ env: ENC[AES256_GCM,data:K3OMquhrq0GwltyBC0+ljA==,iv:sy65e+JNYFmxkapd98KdknS6RIdysCuypA7GkdjwbvM=,tag:asCMBItfHCkqE/dT2IlPxQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -10,41 +10,41 @@ sops: - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVempGU2FMYTNOSEtPdTVO - WS9qRHQ0alFtYUxXTk1sa3ltcU1RQWtGR0FvCk40aUVkbVBBdmVaTTdrclhzWHJY - ME4wc0F3bjFXWmxLZXE1UmxyTnl0ZEkKLS0tIHRyOFNCY05CdXpLRURpTzV4MW5P - dTM1N2FlRWVvVXBmaGw5QUViZEpndDQKWKVtD50hfJS2AR+3VxGGZXyMcdsawx6s - lxatCKMnWW1VWpz50Il16vYAnIttPeN5C9qBc5bbVdmPcG+pC6Miug== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NFQzOHZ6RjRLeU5FWEQv + cmhrUkI3T2ZmcU9FNmZPWkhyVEIrZU5rZWg4CnNRVlVuV0VtN25QYUx3bjVZbmdU + emgrUXppWTFNYklZYnN4cDRRVk9CN1UKLS0tIEdiK0FGYkw1UWE2QUVLa0RndkxW + S2hBTExyOU5mSFJaNWRsK0VXUElwQlUKf+XUWwIkQ2UUk9N99Ern2dL8NPttuCvC + O2ED+sj17lm8H1Qm9GHB7cMAF4JJB94TvIUsRH7+q/jJe2WETHlDVw== -----END AGE ENCRYPTED FILE----- - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VlRhTWtsSGw5WENMZDl6 - OEx3SWxYQWZSc2tmc3VsS3BJNjNJN2dpSkZJCi9KMWZlb3pwMjErNHR1VkgxQ2VR - Y1lzYThjOWNpTCtRNldJak5WSnZBUTAKLS0tIGhwWTJUNG4wejdIUkM0OWJEek5U - Sy9PQ1F4ekFqRUZ2RnIvTzJxaDFnRmsKFpDLBvNKtDRN2KPLSFsd7nFM63fZvBGk - 3bLGz5L72kKrcqsha08ePtPGi1N4s3xGFmNPXZC5TUPAEkRcJ2PVwQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQXYvNlpuaENwVEJuSUxj + WllLaWZTdVo0Z0FQRFFZazJpTnZxUFNuS1VjCmRPdEwvVjZHazI5TDNuaVl0MDlh + Zko1eGEvYkhRcWZpV3NRdGM1VnFnWFkKLS0tIDNqVTF4bTUvTTFuL3lZa1l0VkZj + bmdZVVZ5MUUyZWE2NFovRVVyalg2YzgK+K/9Nd4KJ3EmiebAci5rwAJf308y4a/s + d0x8asfxk00YDRcZbxsNcMCLxFX+PUUol04GMz8SzImQrDcl8FATWg== -----END AGE ENCRYPTED FILE----- - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd3VLOFhaczRybnIzQUpo - NWVBS0dlMUM3ZWN5eHhmaFhZV2FzQlNQeEJVCnErYTZkQzVZazh4a0dNY1A3d2N3 - enJpUEpTOGN5eGVFQ29XSXdtZjR4ZmsKLS0tIExkck1FcEtQTTh5RzNjL1Rvak9z - 
Um9LcnQ5akZqdmdkZTg1SnpzWVVTeTAK04JYXziITePLRUqLojzYni7EwszgKgeS - mCfxGm9UKaUiEc7UWYoTWw3OonyShw3AiNXSTBo/asbyK5aQuSgnjA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZW9XTVM1Z0JjMGJNQnND + cW9aNW1RRGNBOSt0V3RSODVQK21hVkxLR3ljCnBia0pvTmhNbFNVSDNxNStIWjEw + eWJIRTZvVTAwMzhwcHlIbDRxQzlBRUkKLS0tIFhBV0paeGxRcVU0ZnVncGM1ODAr + SitqR3UzNnhyaUp3UFZrZ0xHOEhXZ0EKc9WuFf6FAba4lByVxfH+hGrq/2imOzjL + 4oWMfV6gucLa5+9ko2PP0hMrT8/KAtnMX7z062Pg9eEW0E0U8KaKzQ== -----END AGE ENCRYPTED FILE----- - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOEo4S0lTYk1ZcjA2MUQx - Yk1XUFJxWUIrQW1wT1NzKzFwbjg2ZkkvdzNJCmdGWE9PRHN1cjl0R0ZpWVc5WWVj - TkdRUFVMK3JkSld5NkthenNubWJMOE0KLS0tIGp5OUUvTnh2cUZoTXJ6SFpKMlMy - UjVsN3RzT2psMk9ObWtaSFZKUWoreEUKqTjC55QrJlbNHcLZ5asr125QQMgJ8z78 - sm7dsKAhdOKHjLvW9Cqf68/zsEXeToiB40SC94eFXHs4UOMYbKcN0g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXWUdDUzQ2YjZsZHQ3OUR3 + bmhjY05IM0J0bXlvL2ZRK09DSzJpQWQ1UEhVCnkwMVB6c3pTcFRQRitaZEw0MUdU + SnpORnV2TkxRK3FYRVBVZWhGQVp1YzAKLS0tIFZWbGJabW9aUnpxT2h5QVdSbDNk + aHFPYWRwRS9qMmd4QUFPL0JCbEdVb3cKg4XvsbpCTJrx17y2SzKotqA0wNo6Tdht + VXXUwiD48ZKP8WxuGCAJQbmoDWozX9b27HDwWz04fcmxxdQ7TL3ShA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:mXCcrWWhheFFHCm1cqblLDV1N/of9WbNZDBcCeVtnPxeS+VF2f+Yovy/DT5PH029ppg388Un0lS/P+ZYUhwGGQLaY9hHbTryZ/474EkBCG2B20mEZvMFGczbCkFCnx1zA7wePm9QHRqMa5S2PnsWn32SaP4GfBz/w8K++BUw8/Y=,iv:usWSlCtgTWNrEDfatE0RQrSjtv6buk8N3Ai4zlT6osY=,tag:DwlALfatw/1IK1TIUmhRSQ==,type:str] + lastmodified: "2024-05-18T16:39:41Z" + mac: ENC[AES256_GCM,data:Otd3VL5QNOmddoEeszeOioKh5EVXMKzLRZ66WhB3eA5TdTZ2s49xTplHHd3vj1v9GGYkm8zrF4JBrz2llOZxByR9nnHmY8eRANapy6/bE9c89cAkiy25mNF5AE0UKX5/Ds4lao0D1PcebBLLGu2IBCXoDs83v5z3Wn3LHqaZPG0=,iv:TaSVuY/gAlAjCzWksg5BDFlF3YAyVWGUNvJI+wrCcXU=,tag:yR7ZhTg+Z3FYZZfXx7dL/A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 
diff --git a/nixos/modules/nixos/containers/home-assistant/default.nix b/nixos/modules/nixos/containers/home-assistant/default.nix
deleted file mode 100644
index 10fc10d..0000000
--- a/nixos/modules/nixos/containers/home-assistant/default.nix
+++ /dev/null
@@ -1,97 +0,0 @@
-{ lib
-, config
-, pkgs
-, ...
-}:
-with lib;
-let
- app = "home-assistant";
- image = "ghcr.io/onedr0p/home-assistant:2024.5.2@sha256:76e416dd4ab2f14ca9be120617fe69f51ad335c284352c189a0315954bed4b4e";
- user = "kah"; #string
- group = "kah"; #string
- port = 8123; #int
- cfg = config.mySystem.services.${app};
- appFolder = "/var/lib/${app}";
- # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
-in
-{
- options.mySystem.services.${app} =
- {
- enable = mkEnableOption "${app}";
- addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
- };
-
- config = mkIf cfg.enable {
- # ensure folder exist and has correct owner/group
- systemd.tmpfiles.rules = [
- "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
- ];
-
- sops.secrets."services/${app}/env" = {
-
- # configure secret for forwarding rules
- sopsFile = ./secrets.sops.yaml;
- owner = config.users.users.kah.name;
- inherit (config.users.users.kah) group;
- restartUnits = [ "podman-${app}.service" ];
- };
-
- virtualisation.oci-containers.containers.${app} = {
- image = "${image}";
- user = "${user}:${group}";
- environment = {
- HASS_IP = "10.8.20.42";
- };
- environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
- volumes = [
- "${appFolder}:/config:rw"
- "/etc/localtime:/etc/localtime:ro"
- ];
- };
-
- services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
- useACMEHost = config.networking.domain;
- forceSSL = true;
- locations."^~ /" = {
- proxyPass = "http://${app}:${builtins.toString port}";
- proxyWebsockets = true;
- extraConfig = "resolver 10.88.0.1;";
- };
- };
-
-
-
- mySystem.services.homepage.home = mkIf cfg.addToHomepage [
- {
- ${app} = {
- icon = "${app}.svg";
- href = "https://${app}.${config.mySystem.domain}";
- description = "Home automation";
- container = "${app}";
- };
- }
- ];
-
-
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
- directories = [{ directory = appFolder; user = "kah"; group = "kah"; mode = "750"; }];
- };
-
- mySystem.services.gatus.monitors = [{
-
- name = app;
- group = "media";
- url = "https://${app}.${config.mySystem.domain}";
- interval = "1m";
- conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
- }];
-
- services.restic.backups = config.lib.mySystem.mkRestic
- {
- inherit app;
- user = builtins.toString user;
- excludePaths = [ "Backups" ];
- paths = [ appFolder ];
- inherit appFolder;
- };
- };
-}
diff --git a/nixos/modules/nixos/containers/home-assistant/secrets.sops.yaml b/nixos/modules/nixos/containers/home-assistant/secrets.sops.yaml
deleted file mode 100644
index d614275..0000000
--- a/nixos/modules/nixos/containers/home-assistant/secrets.sops.yaml
+++ /dev/null
@@ -1,50 +0,0 @@ -services: - home-assistant: - env: ENC[AES256_GCM,data:8rZWXEsMTYMRy58P+aPu2Q==,iv:EBtDsAuuC6uxJ+LC2+5v54S+zP7OBs5KsnqiHXslDRo=,tag:vizmALq1bV5beiLqRnduDA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucHI1ZW5NMXVhN3pQSC80 - aEg4TDJONU1DWFlXTHNsdEJiS2VxcXpYL1hrCkR6bDFaYWtxQmhJemdLKzVyUGRa - WDBVRHFiNGlYQTZkaU5SWU9qdmFrbUkKLS0tIFAxUUxJdFlEQXVmd0pTY05iK3pM - NmdVdDA3WFR6c3BRZTJVM1Fza0NXZEEKxl5C7+GfCwbr+6sOAMXOt0Tcu9W65M9T - Enux8Cr2afdPc6fKtKh1LS38wp7gtDI0/GKO3xQ6jYhOi3m3pHvfxg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWTJZck5yYWIwbG42aDBD - cm04SXFKWGVJUlhpWEhEMGNVTnAzekNMS2hNClBsTWRDWWUxSjg0bkd4OHNYajBo - RmNJMWtyOTNxYTUrNmhQQURVT1hEN2MKLS0tIHZwalhob3JnZWF5RW9vMWlmeVdI - VjAwNUN1SkprKysyMWJSTmlHU1dYOGcKGA2Jk98ZMSAaWTdhL3sN5BSBMAlXv4Zj - IONPTFS48yoAiWFjMAUUuQfrYF38MJCTFVRrx66DGEWqf5XRAmxedg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXc0FCOUcxOXJ4bEhRVnlN - bWJWd3pwTGw1eG5ObFNtSjM4ODFyZjY0NldjCmpSMnJWMVRWc3ZqcTNjeGFFUG9I - YlFEeGdrSTYrZzlxZ0tVcW5nWEw0bUkKLS0tIHkzRTN5RXZackRnMkdDNmZIRjJx - R3MxN0VETS9LMnpvRFp1bEN0UmM4Rm8K11D35Yf43EkkKxi5bPX1/LJsmejnwkNu - 243GBpNR3vS2DOhf+q9IpAULdWjPnO9UQUZxzGxZmlekJ20hwXjLLw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcFFPUm5DTFZyWGthTHE1 - UExFZUlNNUVHRyt6OGhCeWRnZS9BdCt6Z1JNCkZRc29wVURmNnJmdHB6bkNTZDkv - 
UmxIT24zSitCZldGNXl5Wk9nSy9pVTgKLS0tIFhFYThPVGVjbWRDSWdzdEhUODFi - UzFTZTQzMVlHb1Vjc1p4NC84cUFOaW8KoW7zvAvXxDVXCWYi+InWK4zK2nta+ydS - i1pd5uxdTFqPLt+GR9HNpcaIPUXOv2szIF24IKGAXitP6ysYp3bLsQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:12Z" - mac: ENC[AES256_GCM,data:G7QG5R9tbsAKyLsQDcg5P8PLufiNerP1JjddxGy+kGu6rRWnyZ0HOPVpJN0xv6gbRiUMWhhUt/V39O/bK9OSc/FzN3lZf6pDT9PAfYGnCY3hfyDBYN6fiJooovqGKkkBMS97rt+00FUPJEjwRLgJAK3MpdA65F2xJxXkSvQbzLg=,iv:749n6L8hKE+Ng17JgllSv4nL17sDSD40ZSerUhDXCTM=,tag:sCODC6LTpEHcVDoFBwT17w==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/containers/homepage/default.nix b/nixos/modules/nixos/containers/homepage/default.nix deleted file mode 100644 index f92f748..0000000 --- a/nixos/modules/nixos/containers/homepage/default.nix +++ /dev/null 
@@ -1,321 +0,0 @@
-{ lib
-, config
-, pkgs
-, self
-, ...
-}:
-with lib;
-let
- app = "homepage";
- image = "ghcr.io/gethomepage/homepage:v0.8.12";
- user = "568"; #string
- group = "568"; #string
- port = 3000; #int
- cfg = config.mySystem.services.${app};
- appFolder = "/var/lib/${app}";
- # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
-
- # TODO refactor out this sht
- settings =
- {
- title = "NatFlix";
- theme = "dark";
- color = "slate";
- showStats = true;
- disableCollape = true;
- cardBlur = "md";
- statusStyle = "none";
-
- datetime = {
- text_size = "l";
- format = {
- timeStyle = "short";
- dateStyle = "short";
- hourCycle = "h23";
- };
- };
-
- providers = {
- openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
- };
- };
-
- settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings);
-
- bookmarks = [
- {
- Administration = [
- { Source = [{ icon = "github.png"; href = "https://github.com/truxnell/nix-config"; }]; }
- { Cloudflare = [{ icon = "cloudflare.png"; href = "https://dash.cloudflare.com/"; }]; }
- ];
- }
- {
- Development = [
- { CyberChef = [{ icon = "cyberchef.png"; href = "https://gchq.github.io/CyberChef/"; }]; }
- { "Nix Options Search" = [{ abbr = "NS"; href = "https://search.nixos.org/packages"; }]; }
- { "Doppler Secrets" = [{ abbr = "DP"; href = "https://dashboard.doppler.com"; }]; }
- { "onedr0p Containers" = [{ abbr = "OC"; href = "https://github.com/onedr0p/containers"; }]; }
- { "bjw-s Containers" = [{ abbr = "BC"; href = "https://github.com/bjw-s/container-images"; }]; }
-
- ];
- }
- ];
- bookmarksFile = builtins.toFile "homepage-bookmarks.yaml" (builtins.toJSON bookmarks);
-
- widgets = [
- {
- resources = {
- cpu = true;
- memory = true;
- cputemp = true;
- uptime = true;
- disk = "/";
- units = "metric";
- # label = "system";
- };
- }
- {
- datetime = {
- text_size = "l";
- locale = "au";
- format = {
- timeStyle = "short";
- dateStyle = "short";
- hourCycle =
"h23";
- };
- };
- }
- {
- openmeteo = {
- label = "Melbourne";
- latitude = "-37.8136";
- longitude = "144.9631";
- timezone = config.time.timeZone;
- units = "metric";
- cache = 5;
- };
- }
- ];
- widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets);
-
- extraInfrastructure = [
- {
- "UDMP" = {
- href = "https://unifi.${config.mySystem.internalDomain}";
-
- description = "Unifi Dream Machine Pro";
- icon = "ubiquiti";
- widget = {
- url = "https://unifi.${config.mySystem.internalDomain}";
- username = "unifi_read_only";
- password = "{{HOMEPAGE_VAR_UNIFI_PASSWORD}}";
- type = "unifi";
- };
- };
- }
- {
- "Nextdns" = {
- href = "https://my.nextdns.io/";
- description = "Adblocking DNS";
- icon = "nextdns";
- widget = {
- profile = "{{HOMEPAGE_VAR_NEXTDNS_TRUSTED_PROFILE}}";
- key = "{{HOMEPAGE_VAR_NEXTDNS_API_KEY}}";
- type = "nextdns";
- };
- };
- }
- {
- "Cloudflare" = {
- href = "https://dash.cloudflare.com";
- description = "DNS and security provider";
- icon = "cloudflare";
- widget = {
- key = "{{HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_API}}";
- accountid = "{{HOMEPAGE_VAR_CLOUDFLARE_ACCOUNT_ID}}";
- tunnelid = "{{HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_ID}}";
- type = "cloudflared";
- };
- };
- }
-
- ];
-
- extraHome = [
- {
- "Prusa Octoprint" = {
- href = "http://prusa.${config.mySystem.internalDomain}:5000";
-
- description = "Prusa MK3s 3D printer";
- icon = "octoprint";
- widget = {
- type = "octoprint";
- url = "http://prusa:5000";
- key = "{{HOMEPAGE_VAR_PRUSA_OCTOPRINT_API}}";
- };
- };
- }
- ];
-
- services = [
- {
- Infrastructure = builtins.concatMap (cfg: cfg.config.mySystem.services.homepage.infrastructure)
- (builtins.attrValues self.nixosConfigurations) ++ extraInfrastructure;
- }
- {
- Home = builtins.concatMap (cfg: cfg.config.mySystem.services.homepage.home)
- (builtins.attrValues self.nixosConfigurations) ++ extraHome;
- }
- {
- Media = builtins.concatMap (cfg: cfg.config.mySystem.services.homepage.media)
- (builtins.attrValues
self.nixosConfigurations);
- }
- ];
- servicesFile = builtins.toFile "homepage-config.yaml" (builtins.toJSON services);
- emptyFile = builtins.toFile "docker.yaml" (builtins.toJSON [{ }]);
-
-in
-{
- options.mySystem.services.homepage = {
- enable = mkEnableOption "Homepage dashboard";
- infrastructure = lib.mkOption {
- type = lib.types.listOf lib.types.attrs;
- description = "Services to add to the infrastructure column";
- default = [ ];
- };
- home = lib.mkOption {
- type = lib.types.listOf lib.types.attrs;
- description = "Services to add to the infrastructure column";
- default = [ ];
- };
- media = lib.mkOption {
- type = lib.types.listOf lib.types.attrs;
- description = "Services to add to the infrastructure column";
- default = [ ];
- };
- };
-
- config = mkIf cfg.enable {
-
- # homepage secrets
- # ensure you dont have whitespace around your ='s!
- # ex: HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_API=supersecretlol
- sops.secrets."services/homepage/env" = {
- # configure secret for forwarding rules
- sopsFile = ./secrets.sops.yaml;
- owner = "kah";
- group = "kah";
- restartUnits = [ "podman-${app}.service" ];
- };
-
- # api secrets from other apps
- sops.secrets."services/sonarr/env" = {
- # configure secret for forwarding rules
- sopsFile = ../arr/sonarr/secrets.sops.yaml;
- owner = "kah";
- group = "kah";
- restartUnits = [ "podman-${app}.service" ];
- };
- sops.secrets."services/radarr/env" = {
- # configure secret for forwarding rules
- sopsFile = ../arr/radarr/secrets.sops.yaml;
- owner = "kah";
- group = "kah";
- restartUnits = [ "podman-${app}.service" ];
- };
- sops.secrets."services/lidarr/env" = {
- # configure secret for forwarding rules
- sopsFile = ../arr/lidarr/secrets.sops.yaml;
- owner = "kah";
- group = "kah";
- restartUnits = [ "podman-${app}.service" ];
- };
- sops.secrets."services/readarr/env" = {
- # configure secret for forwarding rules
- sopsFile = ../arr/readarr/secrets.sops.yaml;
- owner = "kah";
- group = "kah";
- restartUnits = [
"podman-${app}.service" ];
- };
- sops.secrets."services/prowlarr/env" = {
- # configure secret for forwarding rules
- sopsFile = ../arr/prowlarr/secrets.sops.yaml;
- owner = "kah";
- group = "kah";
- restartUnits = [ "podman-${app}.service" ];
- };
- sops.secrets."services/adguardhome/env" = {
- sopsFile = ../../services/adguardhome/secrets.sops.yaml;
- owner = "kah";
- group = "kah";
- restartUnits = [ "podman-${app}.service" ];
- };
-
-
- virtualisation.oci-containers.containers.${app} = {
- image = "${image}";
- user = "${user}:${group}";
-
- environment = {
- UMASK = "002";
- PUID = "${user}";
- PGID = "${group}";
- LOG_TARGETS = "stdout";
- };
-
- # secrets
- environmentFiles = [
- config.sops.secrets."services/homepage/env".path
-
- config.sops.secrets."services/sonarr/env".path
- config.sops.secrets."services/radarr/env".path
- config.sops.secrets."services/readarr/env".path
- config.sops.secrets."services/lidarr/env".path
- config.sops.secrets."services/prowlarr/env".path
- config.sops.secrets."services/adguardhome/env".path
-
- ];
-
- # not using docker socket for discovery, just
- # building up the apps from a shared key
- # this is a bit more tedious, but more secure
- # from not exposing docker socket and makes it
- # easier to have/move services between hosts
- volumes = [
- "/etc/localtime:/etc/localtime:ro"
- "${settingsFile}:/app/config/settings.yaml:ro"
- "${servicesFile}:/app/config/services.yaml:ro"
- "${bookmarksFile}:/app/config/bookmarks.yaml:ro"
- "${widgetsFile}:/app/config/widgets.yaml:ro"
- "${emptyFile}:/app/config/docker.yaml:ro"
- "${emptyFile}:/app/config/kubernetes.yaml:ro"
- ];
-
- extraOptions = [
- "--read-only"
- "--tmpfs=/app/config"
- ];
- };
-
- services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
- useACMEHost = config.networking.domain;
- forceSSL = true;
- locations."^~ /" = {
- proxyPass = "http://${app}:${builtins.toString port}";
- extraConfig = "resolver 10.88.0.1;";
-
- };
- };
-
-
-
mySystem.services.gatus.monitors = [{
- name = app;
- group = "infrastructure";
- url = "https://${app}.${config.mySystem.domain}";
- interval = "1m";
- conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
- }];
-
-
- };
-}
diff --git a/nixos/modules/nixos/containers/homepage/secrets.sops.yaml b/nixos/modules/nixos/containers/homepage/secrets.sops.yaml
deleted file mode 100644
index d7cc9e4..0000000
--- a/nixos/modules/nixos/containers/homepage/secrets.sops.yaml
+++ /dev/null
@@ -1,50 +0,0 @@ -services: - homepage: - env: ENC[AES256_GCM,data:nqlPgxgNmoQNPX7ASt2VFQ==,iv:0BcE5l0wLH2/Cy8uHNzZbMOkrJIRfsgzb12SPt5380E=,tag:TheQzCRAI/kASwpQUKMZTw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Y1Z4M2p5YzN3QkRyRCt2 - RkpxZnpoTXh5Q2NPdU92RmxVa3hGUFNCeEJvCmFtYlZIbWZhMitXTlBLK2RRMXBD - VmVmU09HaDhtdVRQdEptWXhla1R4ZTAKLS0tIDVKeWZYUnZNYkxvMUJUTXd4bHcy - SXJXS3BIMmJBR0RoR1NPS3ZrVEh4VTQKi3IIvONwfj4Jk60ZLohXD1m5Vgc2QmWw - d6v/aR3CJuR8MLYKE4copWF2lz9LoqwEmCy4GZZfa0HGUI67+XntYg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MG9BeCt0UzJ3cTh0Mito - WnBoL1pLY3R3SVNMaXViMlBLZS9Rd3AxRTBnCjdOYnR1em9UdHdXZCt5VmNnQWwx - VVIxY09VRGUxd0dNRnVHMWg2bDBNajAKLS0tIDRabmtrYURKMGdUallWZEZscHFH - bnlndUx4ajhYak1oZVlZYTdsTEhva1EKFHHlMUtctfxY2DwtVNxPYZXp8lkQcTnq - G8b/w168XFqixs+L0H+nTwcAXf93r8QpPyXMbfaiIxcjLThkZTtC1w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcEhTWGRFajUzRmw5UFdn - YWVmanpoRG9DZ2VUT3VjZ29GM3ZEM1p4cVdBCkVoL2wya1I1WDl3OGRldFl2MDVI - RHl1dERJQ3c3Q08xMU9LNDI1QW1IQjAKLS0tIFJDNWtoQlJWR1I4ZWxMQjNwQVcr - N0M1ZUpaZkxxTzBiamw5L1YxMWtESFUKCaCDbgI2RT2V31LfaUzU+SATw5YqeTIz - Am2Wfh3+z1WllTS3uO7se4zTMgPdXM1rySoDDwHMJbx0o8yy0n9N6w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVHo0cXNMU0xJcUtzRGgx - cG56SHJmVkJDSlIrN3BHMzBFaFI4aHBRdG5NCk9BdUYxQXN0TjhvbGNkeTZOeCtO - 
MllDZFVJVlNEbUc2QloxOW1qYmZsVFUKLS0tIERjckdSNldxS0tQalZzTDNpdTJv - UEoxWk5MWUI1UlIwVW9JakFEMlZhUHcKjRAqw7cMt7FrFjoZJYOEhStpuAWo8akF - mygrfz46TnX2n7wA01M+bog/VqwAmcGjbdWdyUXQwzr3qE1DV2F/oA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:12Z" - mac: ENC[AES256_GCM,data:s1aUi3ZQPjw7ntOW8Sc7OXcBb14R6U0D9pSnzzFNx2ZoRDGaSEnmKktKlfUXQctaFF3spTbuF4ibUcrZODQA0bU659Y1iSMAe5Lr08gsICwwaAL4qpIEHSmjXa4ydwKFVnBrSNGowNSBDYy0vs1sFwEEFuGtiJsbxSpI2Zbamtk=,iv:84+2EA/8yX9FCDkS/pnE2TWAOnO9EyZbyPV2rF7mpX0=,tag:duNJI2Exe7zupuqIC+jCpg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/containers/plex/default.nix b/nixos/modules/nixos/containers/plex/default.nix deleted file mode 100644 index 919b4d3..0000000 --- a/nixos/modules/nixos/containers/plex/default.nix +++ /dev/null 
@@ -1,102 +0,0 @@
-{ lib
-, config
-, pkgs
-, ...
-}:
-with lib;
-let
- app = "plex";
- image = "ghcr.io/onedr0p/plex:1.40.1.8227-c0dd5a73e@sha256:a60bc6352543b4453b117a8f2b89549e458f3ed8960206d2f3501756b6beb519";
- user = "568"; #string
- group = "568"; #string
- port = 32400; #int
- cfg = config.mySystem.services.${app};
- appFolder = "/var/lib/${app}";
-
- ## persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
-in
-{
- options.mySystem.services.${app} =
- {
- enable = mkEnableOption "${app}";
- addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
- openFirewall = mkEnableOption "Open firewall for ${app}" // {
- default = true;
- };
- };
-
- config = mkIf cfg.enable {
-
- environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
- directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }];
- };
-
- virtualisation.oci-containers.containers.${app} = {
- image = "${image}";
- user = "${user}:${group}";
- volumes = [
- "${appFolder}:/config:rw"
- "${config.mySystem.nasFolder}/natflix:/data:rw"
- "${config.mySystem.nasFolder}/backup/kubernetes/apps/plex:/config/backup:rw"
- "/dev/dri:/dev/dri" # for hardware transcoding
- "/etc/localtime:/etc/localtime:ro"
- ];
- environment = {
- PLEX_ADVERTISE_URL = "https://10.8.20.42:32400,https://${app}.${config.mySystem.domain}:443"; # TODO var ip
- };
- ports = [ "${builtins.toString port}:${builtins.toString port}" ]; # expose port
- };
- networking.firewall = mkIf cfg.openFirewall {
-
- allowedTCPPorts = [ port ];
- allowedUDPPorts = [ port ];
- };
-
- services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
- useACMEHost = config.networking.domain;
- forceSSL = true;
- locations."^~ /" = {
- proxyPass = "http://${app}:${builtins.toString port}";
- extraConfig = "resolver 10.88.0.1;";
-
- };
- };
-
-
-
- mySystem.services.homepage.media = mkIf cfg.addToHomepage
[
- {
- Plex = {
- icon = "${app}.svg";
- href = "https://${app}.${config.mySystem.domain}";
-
- description = "Media streaming service";
- container = "${app}";
- widget = {
- type = "tautulli";
- url = "https://tautulli.${config.mySystem.domain}";
- key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
- };
- };
- }
- ];
-
- mySystem.services.gatus.monitors = [{
-
- name = app;
- group = "media";
- url = "https://${app}.${config.mySystem.domain}/web/";
- interval = "1m";
- conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
- }];
-
- services.restic.backups = config.lib.mySystem.mkRestic
- {
- inherit app user;
- # excludePaths = [ "Backups" ];
- paths = [ appFolder ];
- inherit appFolder;
- };
-
- };
-}
diff --git a/nixos/modules/nixos/containers/qbittorrent/default.nix b/nixos/modules/nixos/containers/qbittorrent/default.nix
deleted file mode 100644
index c22fd93..0000000
--- a/nixos/modules/nixos/containers/qbittorrent/default.nix
+++ /dev/null
@@ -1,107 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "qbittorrent"; - image = "ghcr.io/onedr0p/qbittorrent:4.6.4@sha256:b9af0f2173572a69d2c02eab8f701ef7b04f61689efe1c5338b96445d528dec4"; - user = "568"; #string - group = "568"; #string - port = 8080; #int - qbit_port = 32189; - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - openFirewall = mkEnableOption "Open firewall for ${app}" // { - default = true; - }; - - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - environment = { - QBITTORRENT__BT_PORT = builtins.toString qbit_port; - }; - ports = [ "${builtins.toString qbit_port}:${builtins.toString qbit_port}" ]; - volumes = [ - "${appFolder}:/config:rw" - "${config.mySystem.nasFolder}/natflix:/media:rw" - "/etc/localtime:/etc/localtime:ro" - ]; - }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - - # gotta open up that firewall - networking.firewall = mkIf cfg.openFirewall { - - allowedTCPPorts = [ qbit_port ]; - allowedUDPPorts = [ 
qbit_port ]; - }; - - - mySystem.services.homepage.media = mkIf cfg.addToHomepage [ - { - Qbittorrent = { - icon = "${app}.svg"; - href = "https://${app}.${config.mySystem.domain}"; - - description = "Torrent Downloader"; - container = "${app}"; - widget = { - type = "${app}"; - url = "https://${app}.${config.mySystem.domain}"; - }; - }; - } - ]; - - mySystem.services.gatus.monitors = [{ - - name = app; - group = "media"; - url = "https://${app}.${config.mySystem.domain}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - }]; - - services.restic.backups = config.lib.mySystem.mkRestic - { - inherit app user; - excludePaths = [ "Backups" ]; - paths = [ appFolder ]; - inherit appFolder; - }; - - - }; -} diff --git a/nixos/modules/nixos/containers/redlib/default.nix b/nixos/modules/nixos/containers/redlib/default.nix deleted file mode 100644 index ed762d5..0000000 --- a/nixos/modules/nixos/containers/redlib/default.nix +++ /dev/null 
@@ -1,143 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.${category}.${app}; - app = "redlib"; - category = "services"; - description = "reddit alternative frontend"; - image = "quay.io/redlib/redlib@sha256:7fa92bb9b5a281123ee86a0b77a443939c2ccdabba1c12595dcd671a84cd5a64"; - user = "nobody"; #string - group = "nobody"; #string - port = 8080; #int - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - host = "${app}" + (if cfg.dev then "-dev" else ""); - url = "${host}.${config.networking.domain}"; -in -{ - options.mySystem.${category}.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - monitor = mkOption - { - type = lib.types.bool; - description = "Enable gatus monitoring"; - default = true; - }; - prometheus = mkOption - { - type = lib.types.bool; - description = "Enable prometheus scraping"; - default = true; - }; - addToDNS = mkOption - { - type = lib.types.bool; - description = "Add to DNS list"; - default = true; - }; - dev = mkOption - { - type = lib.types.bool; - description = "Development instance"; - default = false; - }; - backups = mkOption - { - type = lib.types.bool; - description = "Enable local backups"; - default = true; - }; - - - }; - - config = mkIf cfg.enable { - - ## Secrets - # sops.secrets."${category}/${app}/env" = { - # sopsFile = ./secrets.sops.yaml; - # owner = user; - # group = group; - # restartUnits = [ "${app}.service" ]; - # }; - - users.users.jahanson.extraGroups = [ group ]; - - - # Folder perms - # systemd.tmpfiles.rules = [ - # "d ${appFolder}/ 0750 ${user} ${group} -" - # ]; - - ## service - # services.test= { - # enable = true; - # }; - - ## container - virtualisation.oci-containers.containers = config.lib.mySystem.mkContainer { - inherit app image user group; - }; - - # homepage integration - mySystem.services.homepage.infrastructure = mkIf 
cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - inherit description; - }; - } - ]; - - ### gatus integration - mySystem.services.gatus.monitors = mkIf cfg.monitor [ - { - name = app; - group = "${category}"; - url = "https://${url}/settings"; # settings page as pinging the main page is slow/creates requests - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - } - ]; - - ### Ingress - services.nginx.virtualHosts.${url} = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - }; - }; - - ### firewall config - - # networking.firewall = mkIf cfg.openFirewall { - # allowedTCPPorts = [ port ]; - # allowedUDPPorts = [ port ]; - # }; - - ### backups - # warnings = [ - # (mkIf (!cfg.backups && config.mySystem.purpose != "Development") - # "WARNING: Local backups for ${app} are disabled!") - # ]; - - # services.restic.backups = config.lib.mySystem.mkRestic - # { - # inherit app user; - # paths = [ appFolder ]; - # inherit appFolder; - - # }; - - - }; -} diff --git a/nixos/modules/nixos/containers/redlib/default.nix.old b/nixos/modules/nixos/containers/redlib/default.nix.old deleted file mode 100644 index 26c5143..0000000 --- a/nixos/modules/nixos/containers/redlib/default.nix.old +++ /dev/null 
@@ -1,68 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.redlib; -in -{ - options.mySystem.services.redlib.enable = mkEnableOption "redlib"; - - # fuck /u/spez - config = - mkIf cfg.enable - (myLib.mkService - { - app = "Redlib"; - description = "Reddit alternate frontend"; - port = 8080; - user = "nobody"; - group = "nobody"; - inherit (config.time) timeZone; - inherit (config.networking) domain; - homepage = { - icon = "libreddit.svg"; - category = "home"; - }; - container = { - enable = true; - image = "quay.io/redlib/redlib@sha256:7fa92bb9b5a281123ee86a0b77a443939c2ccdabba1c12595dcd671a84cd5a64"; - env = { - REDLIB_DEFAULT_SHOW_NSFW = "on"; - REDLIB_DEFAULT_USE_HLS = "on"; - REDLIB_DEFAULT_HIDE_HLS_NOTIFICATION = "on"; - }; - caps = { - readOnly = true; - noNewPrivileges = true; - dropAll = true; - }; - }; - }); - # mkService - # app: App Name, string, required - # appUrl: App url, string, default "https://APP.DOMAIN" - # description: App Description, string, required - # image: Container IMage, string, required - # port: port, int - # timeZone: timezone, required - # domain: domain of app, required - # addToHomepage: Flag to add to homepage, bool, default false - ## HOMEPAGE - # homepage.icon: Icon for homepage listing, string, default "app.svg" - - # user: user to run as, string, default 568 - # group: group to run as, string, default 568 - # envFiles, files to add as env, list of string, default [ TZ = timeZone ] - - ## CONTAINER - # container.env, env vars for container, attrset, default { } - # container.addTraefikLabels, flag for adding traefik exposing labels, default true - # caps.privileged: privileged pod, grant pod high privs, defualt SUPER false. SUPER DOOPER FALSE - # caps.readOnly: readonly pod (outside mounted paths etc). default false - # - - -} 
diff --git a/nixos/modules/nixos/containers/sabnzbd/default.nix b/nixos/modules/nixos/containers/sabnzbd/default.nix
deleted file mode 100644
index bda2896..0000000
--- a/nixos/modules/nixos/containers/sabnzbd/default.nix
+++ /dev/null
@@ -1,94 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "sabnzbd"; - image = "ghcr.io/onedr0p/sabnzbd:4.2.3@sha256:8943148a1ac5d6cc91d2cc2aa0cae4f0ab3af49fb00ca2d599fbf0344798bc37"; - user = "568"; #string - group = "568"; #string - port = 8080; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - environment = { - SABNZBD__HOST_WHITELIST_ENTRIES = "sabnzbd, sabnzbd.trux.dev"; - }; - volumes = [ - "${appFolder}:/config:rw" - "${config.mySystem.nasFolder}/natflix:/media:rw" - "/etc/localtime:/etc/localtime:ro" - ]; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - - mySystem.services.homepage.media = mkIf cfg.addToHomepage [ - { - Sabnzbd = { - icon = "${app}.svg"; - href = "https://${app}.${config.mySystem.domain}"; - description = "Usenet Downloader"; - container = "${app}"; - widget = { - type = "${app}"; - url = "https://${app}.${config.mySystem.domain}"; - key = "{{HOMEPAGE_VAR_SABNZBD__API_KEY}}"; - }; - }; - } - ]; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; 
inherit group; mode = "750"; }]; - }; - - mySystem.services.gatus.monitors = [{ - - name = app; - group = "media"; - url = "https://${app}.${config.mySystem.domain}"; - - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - }]; - - services.restic.backups = config.lib.mySystem.mkRestic - { - inherit app user; - excludePaths = [ "Backups" ]; - paths = [ appFolder ]; - inherit appFolder; - }; - - - }; -} diff --git a/nixos/modules/nixos/containers/searxng/default.nix b/nixos/modules/nixos/containers/searxng/default.nix deleted file mode 100644 index 3369aec..0000000 --- a/nixos/modules/nixos/containers/searxng/default.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "searxng"; - image = "docker.io/searxng/searxng:2023.11.1-b5a8ddfec"; - user = "977"; #string - group = "977"; #string - port = 8080; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - configNix = { use_default_settings = { engines = { keep_only = [ "arch linux wiki" "google" "google images" "google news" "google videos" "google scholar" "google play apps" "duckduckgo" "brave" "startpage" "gitlab" "github" "codeberg" "sourcehut" "bitbucket" "apple app store" "wikipedia" "currency" "docker hub" "ddg definitions" "duckduckgo images" "bandcamp" "deviantart" "tineye" "apple maps" "fdroid" "flickr" "free software directory" "z-library" "lobste.rs" "azlyrics" "openstreetmap" "npm" "pypi" "lib.rs" "nyaa" "reddit" "sepiasearch" "soundcloud" "stackoverflow" "askubuntu" "superuser" "searchcode code" "unsplash" "youtube" "wolframalpha" "mojeek" ]; }; }; engines = [{ name = "brave"; disabled = false; } { name = "startpage"; disabled = false; } { name = "apple app store"; disabled = false; } { name = "ddg definitions"; disabled = false; } { name = "tineye"; disabled = false; } { name = "apple maps"; disabled = false; } { name = "duckduckgo images"; disabled = false; } { name = "fdroid"; disabled = false; } { name = "free software directory"; disabled = false; } { name = "bitbucket"; disabled = false; } { name = "gitlab"; disabled = false; } { name = "codeberg"; disabled = false; } { name = "google play apps"; disabled = false; } { name = "lobste.rs"; disabled = false; } { name = "azlyrics"; disabled = false; } { name = "npm"; disabled = false; } { name = "nyaa"; disabled = false; categories = "videos"; } { name = "searchcode code"; disabled = false; } { name = "mojeek"; disabled = false; } { name = "lib.rs"; disabled = false; } { name = "sourcehut"; disabled = false; }]; general = { 
instance_name = "NatFlix Search"; enable_metrics = false; }; brand = { new_issue_url = ""; docs_url = ""; public_instances = ""; wiki_url = ""; issue_url = ""; }; search = { safe_search = 0; autocomplete = "duckduckgo"; autocomplete_min = 2; default_lang = "en"; max_page = 0; }; server = { base_url = "https://searxng.\${EXTERNAL_DOMAIN}/"; image_proxy = true; http_protocol_version = "1.1"; method = "GET"; }; ui = { static_use_hash = true; infinite_scroll = true; default_theme = "simple"; theme_args = { simple_style = "dark"; }; }; enabled_plugins = [ "Hash plugin" "Search on category select" "Self Information" "Tracker URL remover" "Open Access DOI rewrite" "Vim-like hotkeys" ]; }; - configFile = builtins.toFile "config.yaml" (builtins.toJSON configNix); -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - volumes = [ - "${configFile}:/config/config.yaml:ro" - "/etc/localtime:/etc/localtime:ro" - ]; - environment = { - TZ = "${config.time.timeZone}"; - SEARXNG_BASE_URL = "https://searxng.${config.mySystem.domain}/"; - SEARXNG_URL = "https://searxng.${config.mySystem.domain}"; - }; - extraOptions = [ - "--read-only" - "--tmpfs=/etc/searxng/" - "--cap-add=CHOWN" - "--cap-add=SETGID" - "--cap-add=SETUID" - "--cap-add=DAC_OVERRIDE" - ]; - - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - mySystem.services.homepage.home = mkIf cfg.addToHomepage [ - { - Searxng = { - icon = "${app}.png"; - href = "https://${app}.${config.mySystem.domain}"; - ping = "https://${app}.${config.mySystem.domain}"; - 
description = "Private meta search engine"; - }; - } - ]; - - mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{ - - name = app; - group = "media"; - url = "https://${app}.${config.mySystem.domain}"; - interval = "30s"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - - }]; - - - }; -} diff --git a/nixos/modules/nixos/containers/tautulli/default.nix b/nixos/modules/nixos/containers/tautulli/default.nix deleted file mode 100644 index 95cbd23..0000000 --- a/nixos/modules/nixos/containers/tautulli/default.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "tautulli"; - image = "ghcr.io/onedr0p/tautulli:2.13.4@sha256:633a57b2f8634feb67811064ec3fa52f40a70641be927fdfda6f5d91ebbd5d73"; - user = "568"; #string - group = "568"; #string - port = 8181; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${appFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - volumes = [ - "${appFolder}:/config:rw" - "${config.mySystem.nasFolder}/natflix:/media:rw" - "${config.mySystem.nasFolder}/backup/kubernetes/apps/tautulli:/config/backup:rw" - "/etc/localtime:/etc/localtime:ro" - ]; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - mySystem.services.homepage.media = mkIf cfg.addToHomepage [ - { - Tautulli = { - icon = "${app}.svg"; - href = "https://${app}.${config.mySystem.domain}"; - - description = "Plex Monitoring & Stats"; - container = "${app}"; - }; - } - ]; - - mySystem.services.gatus.monitors = [{ - - name = app; - group = "media"; - url = 
"https://${app}.${config.mySystem.domain}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - - }]; - - services.restic.backups = config.lib.mySystem.mkRestic - { - inherit app user; - excludePaths = [ "Backups" ]; - paths = [ appFolder ]; - inherit appFolder; - }; - - - }; -} diff --git a/nixos/modules/nixos/containers/whoogle/default.nix b/nixos/modules/nixos/containers/whoogle/default.nix deleted file mode 100644 index 10d98ab..0000000 --- a/nixos/modules/nixos/containers/whoogle/default.nix +++ /dev/null 
@@ -1,86 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - app = "whoogle"; - image = "ghcr.io/benbusby/whoogle-search:0.8.4@sha256:93977c3aec8a039df94745a6e960d1b590a897e451b874c90ce484fbdbc3630f"; - user = "927"; #string - group = "927"; #string - port = 5000; #int - cfg = config.mySystem.services.${app}; - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; -in -{ - options.mySystem.services.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - - virtualisation.oci-containers.containers.${app} = { - image = "${image}"; - user = "${user}:${group}"; - ports = [ (builtins.toString port) ]; # expose port - environment = { - TZ = "${config.time.timeZone}"; - WHOOGLE_ALT_TW = "nitter.${config.networking.domain}"; - WHOOGLE_ALT_YT = "invidious.${config.networking.domain}"; - WHOOGLE_ALT_IG = "imginn.com"; - WHOOGLE_ALT_RD = "redlib.${config.networking.domain}"; - WHOOGLE_ALT_MD = "scribe.${config.networking.domain}"; - WHOOGLE_ALT_TL = ""; - WHOOGLE_ALT_IMG = "bibliogram.art"; - WHOOGLE_ALT_IMDB = ""; - WHOOGLE_ALT_WIKI = ""; - WHOOGLE_ALT_QUORA = ""; - WHOOGLE_CONFIG_ALTS = "1"; - WHOOGLE_CONFIG_THEME = "system"; - WHOOGLE_CONFIG_URL = "https://search.${config.networking.domain}"; - WHOOGLE_CONFIG_GET_ONLY = "1"; - WHOOGLE_CONFIG_COUNTRY = "AU"; - WHOOGLE_CONFIG_VIEW_IMAGE = "1"; - WHOOGLE_CONFIG_DISABLE = "1"; - }; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."^~ /" = { - proxyPass = "http://${app}:${builtins.toString port}"; - extraConfig = "resolver 10.88.0.1;"; - - }; - }; - - - mySystem.services.homepage.home = mkIf cfg.addToHomepage [ - { - Whoogle = { - icon = "whooglesearch.png"; - href = "https://${app}.${config.mySystem.domain}"; - - description = "Google frontend"; - 
container = "${app}";
- };
- }
- ];
-
- mySystem.services.gatus.monitors = [{
-
- name = app;
- group = "services";
- url = "https://${app}.${config.mySystem.domain}";
- interval = "1m";
- conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
- }];
-
-
- };
-}
diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix
index ee5d9e8..002d912 100644
--- a/nixos/modules/nixos/default.nix
+++ b/nixos/modules/nixos/default.nix
@@ -6,7 +6,6 @@ with lib;
 ./programs
 ./services
 ./de
- ./editor
 ./hardware
 ./containers
 ./lib.nix
@@ -24,6 +23,11 @@ with lib;
 description = "folder where nas mounts reside";
 default = "/mnt/nas";
 };
+ options.mySystem.nasAddress = mkOption {
+ type = types.str;
+ description = "NAS Address or name for the backup nas";
+ default = "10.1.1.13";
+ };
 options.mySystem.domain = mkOption {
 type = types.str;
 description = "domain for hosted services";
diff --git a/nixos/modules/nixos/editor/default.nix b/nixos/modules/nixos/editor/default.nix
deleted file mode 100644
index 20df622..0000000
--- a/nixos/modules/nixos/editor/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- imports = [
- ./vscodium.nix
-
- ];
-}
diff --git a/nixos/modules/nixos/editor/vscodium.nix b/nixos/modules/nixos/editor/vscodium.nix
deleted file mode 100644
index 0b03f88..0000000
--- a/nixos/modules/nixos/editor/vscodium.nix
+++ /dev/null
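Review bot: The new `mySystem.nasAddress` option in the second `default.nix` hunk ships a site-specific address as its default, `default = "10.1.1.13";`, so any host that imports this module and never sets the option will silently aim whatever consumes it (the description says the backup NAS) at that address, with nothing in the host config declaring it. For a value like this the safer shape is no default at all, so evaluation fails loudly when a host forgets to set it: drop the `default` line, or if a default must stay, say in the description that it is an example to be overridden per host. `types.str` also accepts the empty string and arbitrary text; if consumers only ever expect an address, the type could be tightened, but how the value is consumed is outside this hunk. The description could also name the module that reads it so the coupling is visible from the option.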
@@ -1,156 +0,0 @@ -{ lib -, config -, pkgs - -, ... -}: - -with lib; -let - cfg = config.mySystem.editor.vscodium; -in -{ - options.mySystem.editor.vscodium.enable = mkEnableOption "Vscodium"; - - config = mkIf cfg.enable { - - # TODO add USER settings.json - # Enable vscode & addons - environment.systemPackages = with pkgs; [ - (vscode-with-extensions.override { - vscode = vscodium; - vscodeExtensions = with vscode-extensions; - [ - bbenoist.nix - mkhl.direnv - streetsidesoftware.code-spell-checker - oderwat.indent-rainbow - - ] - ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ - { - name = "prettier-vscode"; - publisher = "esbenp"; - version = "10.1.0"; - sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9"; - } - - { - name = "vscode-docker"; - publisher = "ms-azuretools"; - version = "1.28.0"; - sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0"; - } - - { - name = "gitlens"; - publisher = "eamodio"; - version = "14.7.0"; - sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy"; - } - - { - name = "remote-containers"; - publisher = "ms-vscode-remote"; - version = "0.327.0"; - sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz"; - } - - { - name = "remote-ssh"; - publisher = "ms-vscode-remote"; - version = "0.107.1"; - sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf"; - } - - { - name = "vscode-yaml"; - publisher = "redhat"; - version = "1.14.0"; - sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944"; - } - - { - name = "todo-tree"; - publisher = "gruntfuggly"; - version = "0.0.226"; - sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn"; - } - - { - name = "path-autocomplete"; - publisher = "ionutvmi"; - version = "1.25.0"; - sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb"; - } - - { - name = "even-better-toml"; - publisher = "tamasfe"; - version = "0.19.2"; - sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14"; - } - - { - name = "linter"; - 
publisher = "fnando"; - version = "0.0.19"; - sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g"; - } - - { - name = "catppuccin-vsc"; - publisher = "catppuccin"; - version = "3.11.0"; - sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d"; - } - - { - name = "catppuccin-vsc-icons"; - publisher = "catppuccin"; - version = "1.8.0"; - sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z"; - } - - { - name = "nix-ide"; - publisher = "jnoortheen"; - version = "0.2.2"; - sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg"; - } - - { - name = "vscode-swissknife"; - publisher = "luisfontes19"; - version = "1.8.1"; - sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c"; - } - - { - name = "pre-commit-helper"; - publisher = "elagil"; - version = "0.5.0"; - sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj"; - } - - { - name = "sops-edit"; - publisher = "shipitsmarter"; - version = "1.0.0"; - sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4"; - } - - { - name = "json5-for-vscode"; - publisher = "tudoudou"; - version = "0.0.3"; - sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w"; - } - ]; - }) - ]; - - }; - - -} diff --git a/nixos/modules/nixos/lib.nix b/nixos/modules/nixos/lib.nix index f91fa68..dbe8dc9 100644 --- a/nixos/modules/nixos/lib.nix +++ b/nixos/modules/nixos/lib.nix @@ -32,7 +32,6 @@ with lib; } ); - # build a restic restore set for both local and remote lib.mySystem.mkRestic = options: ( let @@ -53,7 +52,6 @@ with lib; # ${pkgs.restic}/bin/restic unlock --remove-all || true ''; - in { # local backup diff --git a/nixos/modules/nixos/programs/shell/fish.nix b/nixos/modules/nixos/programs/shell/fish.nix index ac0acec..4105a86 100644 --- a/nixos/modules/nixos/programs/shell/fish.nix +++ b/nixos/modules/nixos/programs/shell/fish.nix 
@@ -17,9 +17,7 @@ in type = lib.types.bool; description = "If we want to add fish plugins"; default = true; - }; - }; # Install fish systemwide diff --git a/nixos/modules/nixos/security/acme/secrets.sops.yaml b/nixos/modules/nixos/security/acme/secrets.sops.yaml index 6afcb43..42d2994 100644 --- a/nixos/modules/nixos/security/acme/secrets.sops.yaml +++ b/nixos/modules/nixos/security/acme/secrets.sops.yaml @@ -1,6 +1,6 @@ security: acme: - env: ENC[AES256_GCM,data:ZdtHl/MTYH1Hiw5Euf6PudZi74rFapfjbUlgEpUXA+H1kbqhZ8SdxEad1Pp8bAhEMpjK72uIAwHtGzz3HgElp4g=,iv:I5q2Ntn7Fh34VQd6ALH8NjKJI21V+fGBdw9RIEd8ksg=,tag:Y5mlPUq0QEAdXeU4Y4cheg==,type:str] + env: ENC[AES256_GCM,data:/exabYG1GvSCxe+TBeECudCN6DQLVBrifa9509skrNRYBsbm1UJRK+WxO0xcrAQkcb1Lse4WE95ueQurSFaY81w=,iv:oD2zcXbO12TlOeH0xLYsaHWw4PVjMHtbVm1LAWp89oo=,tag:dwGBevRXV1B4n/5Sveq5cg==,type:str] sops: kms: [] gcp_kms: [] 
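Review bot: The `security.acme.env` ciphertext changes in this hunk, and the next hunk re-wraps the data key for all four age recipients, which is what both a sops data-key rotation and an edit of the secret value look like; the commit description (reduce/reuse/refine, removing homepage and traefik) does not mention the ACME credential at all. Whether the underlying ACME environment secret was actually rotated or only re-encrypted cannot be told from the ciphertext, and that distinction matters to anyone later auditing credential exposure, so the commit message should state which it was. The recipient list itself is unchanged, so no key appears to have been added or removed.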
@@ -10,41 +10,41 @@ sops: - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WjhEaW54SEpGRGgwT0ly - REVkS2xvOGxhT1puRm5Gc0N1Y1FHWko1ekcwCml5MHFWWG1qNjNZbkY1TldORFdm - YWRMTjJwODFYZFhXcHNxWUViNCtVcUEKLS0tIGlpdVdwc01XUmpsT0VFSWJXa01J - bHoxZnBPZFFjQ0FCdWJrVGwzcEEzakEKNLWXfzWIQqaciDQ9ZQc3qnF9lnZew1D6 - q3vHQJ6rEagGh/EsHzdDzo8y5NOj7L5e+Igi9rwtoS7+Xle55i3T+Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVEVHekhud2xUclpURFZB + bzgrSkh2TWFibndHcTBpb3AySjRnUWliYzJBCmlROE83ZmJNbWpLaTExOUNwTmZw + dElIUThUQVo3MjlobjVrdFMrZUJHM1EKLS0tIGVlcU16Vm12eERKN1o1Ym1yRnJB + UkR2YUlLSnBWT0QrWTJuS0hRMnhBM2MKBaaD1gtd52RwKKPf7Yi7fhVEot6kIhAg + oaS589WtWIiIiEs/Fde8QfOEJ4aydhuyfVFGxsJkb8a5QGkjKP4Faw== -----END AGE ENCRYPTED FILE----- - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbUUzc1BHbWkxQlJqcDZs - aVhrYkdzM054R3hkT2g4Tm90WTNseEdlR21VCkF3NkJqSVIrYzJZUHVNNVJncEla - RnVDcG1OTWlQa2l4dEVhdEQ3dWRTa3MKLS0tIEpnQ3pqb090N0Jta0QzdEhrNUFy - eU9iZ0xzSUcrVG1VV3BQbnUxSll1ZWsKeSVfkJgoPnSiW0rguTwUFvbYdA2LETIR - OePUhnczLMJL6Qj+uolCJB5cedLPpmOuPILKU1BI0eZEmH8HsarCdQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSEwyT21iZHl2cEtKZTRG + RGwwclFtTnNkK2c0U2U0U2NTWTkrckllbHhrCkprUTRxcFJnT3hTS3VuUjZXQUti + MDNWZGMrSmFDL2svaTJDZlEwcFpEeEUKLS0tIEVBMDlxZmVEU0UreS9KZnNodWcy + bUF2WVRySUd6NDJpbFRiYWszVlFYeGMK7Cl76mjrhdMNKy3SXQ4KqpUJl/P9peJc + O+EZ0Q1m0tZrShg1soqdMb1p/00ubvy+Rvxx5Tq0jsIF/Lq0Y3Q3CA== -----END AGE ENCRYPTED FILE----- - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudk1BWGVWY1IwSXhOZVNX - bHFQQ0pYaWo3R3B1bXFpbndRMTdBRHdndlNvClJSTjN6WTQ4b2V2NHdISXVTMDZj - MkFrQnhMUmIxWnJGZjFRT3VDeWVZQW8KLS0tIENlTUM1TEdnOEh6UFVjSWREYW5q - 
THhhdG5oYm96QlUwZW42YUJDeDdTbW8KNRwQ/ENQPgeJiXNggFxcgkymhVQy66TO - IRzxYmmo/MlBhDWQlk0EBFHYudmC8lF7n/pTvM8pz6V/5tc0Y1R9ow== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U0cyRlFDaCsvSEZyeE1q + WXpUdU5teVpGT1J6dkJ3VHJudG5UaEIvMlYwCm8xcldxOTFEV3JJbUhYbHNjZjgw + T2tDZERTNnZtdVEvNWo5STZTdzZYbnMKLS0tIHpXQUREODAzOWIzcGVxZFJ1a2Rh + S2U3T2NUdkVKL3VhWGtRTXUrclJ3TnMKE+6waO9P3EWCGeBRmh3OH689ttLU0F0G + hEeBbwYSXfrXtHGSEwwNo++5vP1UVA7KUvLTF2G3mM2nhztJwacWtg== -----END AGE ENCRYPTED FILE----- - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWDgwSXowMG5pM2dzbDJJ - clNFM2UvcVZWT0o4UVZQdnlxc25BeXR4V1hjClVzZHlXaHQvN0NiT0JoWG9EWmRz - VDAyTkxod0FGVENOZndMTE9aZnM1UmcKLS0tIHAzWFRoZVdXNnIya0gyMFVXa1Va - SUtQblFtK2RSR1F6WFphUWlXRmJCeDgKbvve6CId6RF/F90Px5sl6FdJH6VhLR4w - K52iqxq1or/YKUn69dC9l21UwW2u1dJ7g9lTXcRll/clmh8LtDXZXw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSEREWEtSWTFUN1l3Uktp + YlJCNUZEMnBJL0xQc21VenBkVTgrcVBDQlJFCm51QkhVK2J4ODNQN3AyZ2V4dnQw + SVI2blo4SzdSYVdpeDluSFJ1YjFscXMKLS0tIEFMQXAyMGc2MHdMYjkxeHZOWHJ3 + TnJ6dFBkUGpXMTBjRU5MMVJGTWZmd2sKh83VVst9g3e9lbx2v3b46X23HHtQAeS/ + //oLEkBDuk5yqnNFtbcSGsWI9DBh9mD87bupw0Hz7GXTC/5LkApTkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-13T03:24:35Z" - mac: ENC[AES256_GCM,data:Gz8uMG1pYseVsD1ooCuT48euPjed47su97ycdtKFsy8r3fLRvXUIfP8YPxSJ/OPGPm0yXBoNGRCovoey1N3B8NQXqWmQ78pmHIEVN6EqM8DvKLUn3a4XR52g0mURGqgFqJJXJCxn/UN4SMs1Kbl3Ahc9cXf17J1MoScVRqhpDWE=,iv:xYX7OUtaKDwjRohYN3q0mdrFfjop3XtzxAjQrMFrydk=,tag:sawX4x4KFzHJoPAeE18dag==,type:str] + lastmodified: "2024-05-18T16:39:41Z" + mac: ENC[AES256_GCM,data:tiHQmGUiTuM6aH5Vf9abJUIPDlQ73vmXHCNvkoBHanX7k9ScDxpByqgnDaIR2Tue4SusVVgXFpAlSda9fTT/bSgLUA1+0Qxo4YDLRz5I0pp4sCXAGVELHguADKwAbv+AyT7x4idzecLZ532RGqKkLWHljfOzHtAAlA8FBHH3ylk=,iv:iHlFeshdBreirhJGCBYUucUkz0oEbxYLo6dIeab73e0=,tag:ZeUXSWla9hDldeoqFIw+/g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 
diff --git a/nixos/modules/nixos/services/adguardhome/default.nix b/nixos/modules/nixos/services/adguardhome/default.nix
deleted file mode 100644
index dc857ac..0000000
--- a/nixos/modules/nixos/services/adguardhome/default.nix
+++ /dev/null
@@ -1,213 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.adguardhome; - app = "adguard-home"; - yaml_schema_version = 24; - port = 53; - port_webui = 3000; - adguardUser = "adguardhome"; -in -{ - options.mySystem.services.adguardhome = { - enable = mkEnableOption "Adguard Home"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - openFirewall = mkEnableOption "Open firewall for ${app}" // { - default = true; - }; - }; - - config = mkIf cfg.enable { - - - # Warn if backups are disable and machine isnt a dev box - warnings = mkIf (yaml_schema_version != pkgs.adguardhome.schema_version) [ "WARNING: Adguard upstream YAML schema is version ${builtins.toString pkgs.adguardhome.schema_version}, this config is set to ${builtins.toString config.services.adguardhome.settings.schema_version}" ]; - - sops.secrets."services/adguardhome/password" = { - sopsFile = ./secrets.sops.yaml; - owner = adguardUser; - restartUnits = [ "adguardhome.service" ]; - }; - - services.adguardhome = { - enable = true; - - mutableSettings = false; - settings = { - bind_host = "0.0.0.0"; - bind_port = port_webui; - schema_version = yaml_schema_version; # Just to be cautious, defualt is pkgs.adguardhome.schema_version. 
- - users = [{ - name = "admin"; - password = "ADGUARDPASS"; # placeholder - }]; - - auth_attempts = 3; - block_auth_min = 3600; - - dns = { - # dns server bind deets - bind_host = "127.0.0.1"; - inherit port; - - protection_enabled = true; - filtering_enabled = true; - - # bootstrap DNS - used for resolving upstream dns deets - bootstrap_dns = [ - # quad9 - "9.9.9.10" - "149.112.112.10" - "2620:fe::10" - "2620:fe::fe:10" - - # cloudflare - "1.1.1.1" - "2606:4700:4700::1111" - ]; - - # upstream DNS - upstream_dns = [ - # split brain dns - forward to local powerdns - "[/trux.dev/]127.0.0.1:5353" - - # resolve fqdn for local ip's - "[/l.voltaicforge.com/]10.8.10.1" - - # reverse dns setup - "[/in-addr.arpa/]10.8.10.1" # reverse dns lookup to UDMP - "[/ip6.arpa/]10.8.10.1" # reverse dns lookup to UDMP - - # primary dns - quad9 - "https://dns10.quad9.net/dns-query" - - ]; - upstream_mode = "load_balance"; - - # fallback dns - cloudflare and mullvad - fallback_dns = [ - "https://dns.cloudflare.com/dns-query" - "https://doh.mullvad.net/dns-query" - ]; - - # resolving local addresses - local_ptr_upstreams = [ "10.8.10.1" ]; # UDMP router - use_private_ptr_resolvers = true; - - # security - enable_dnssec = true; - - # local cache settings - cache_size = 100000000; # 100MB - unnessecary but hey - cache_ttl_min = 60; - cache_optimistic = true; - - theme = "auto"; - }; - - filters = - let - urls = [ - { name = "AdGuard DNS filter"; url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; } - { name = "AdAway Default Blocklist"; url = "https://adaway.org/hosts.txt"; } - { name = "Big OSID"; url = "https://big.oisd.nl"; } - { name = "1Hosts Lite"; url = "https://o0.pages.dev/Lite/adblock.txt"; } - { name = "hagezi multi pro"; url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt"; } - { name = "osint"; url = "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"; } - { name = "phishing army"; url = 
"https://phishing.army/download/phishing_army_blocklist_extended.txt"; } - { name = "notrack malware"; url = "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"; } - { name = "EasyPrivacy"; url = "https://v.firebog.net/hosts/Easyprivacy.txt"; } - ]; - - buildList = id: url: { - enabled = true; - inherit id; - inherit (url) name; - inherit (url) url; - }; - in - - lib.imap1 buildList urls; - }; - }; - - # add user, needed to access the secret - users.users.${adguardUser} = { - isSystemUser = true; - group = adguardUser; - }; - users.groups.${adguardUser} = { }; - - - # insert password before service starts - # password in sops is unencrypted, so we bcrypt it - # and insert it as per config requirements - systemd.services.adguardhome = { - preStart = lib.mkAfter '' - HASH=$(cat ${config.sops.secrets."services/adguardhome/password".path} | ${pkgs.apacheHttpd}/bin/htpasswd -niB "" | cut -c 2-) - ${pkgs.gnused}/bin/sed -i "s,ADGUARDPASS,$HASH," "$STATE_DIRECTORY/AdGuardHome.yaml" - ''; - serviceConfig.User = adguardUser; - }; - - networking.firewall = mkIf cfg.openFirewall { - - allowedTCPPorts = [ port port_webui ]; - allowedUDPPorts = [ port port_webui ]; - - }; - - mySystem.services.gatus.monitors = [ - { - name = "${config.networking.hostName} external dns"; - group = "dns"; - url = "${config.networking.hostName}.${config.mySystem.internalDomain}:${builtins.toString port}"; - dns = { - query-name = "cloudflare.com"; - query-type = "A"; - }; - interval = "1m"; - alerts = [{ type = "pushover"; }]; - conditions = [ "[DNS_RCODE] == NOERROR" ]; - } - { - name = "${config.networking.hostName} internal dns"; - group = "dns"; - url = "${config.networking.hostName}.${config.mySystem.internalDomain}:${builtins.toString port}"; - dns = { - query-name = "unifi.${config.mySystem.internalDomain}"; - query-type = "A"; - }; - interval = "1m"; - alerts = [{ type = "pushover"; }]; - conditions = [ "[DNS_RCODE] == NOERROR" ]; - } - ]; - - 
mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - "Adguard ${config.networking.hostName}" = { - icon = "${app}.svg"; - href = "http://${config.networking.hostName}.${config.mySystem.internalDomain}:${builtins.toString port_webui}"; - description = "DNS Ad blocking"; - container = "Infrastructure"; - widget = - { - type = "adguard"; - url = "http://${config.networking.hostName}.${config.mySystem.internalDomain}:${builtins.toString port_webui}"; - username = "admin"; - password = "{{HOMEPAGE_VAR_ADGUARDHOME_PASS}}"; - }; - }; - } - ]; - - - }; - -} diff --git a/nixos/modules/nixos/services/adguardhome/secrets.sops.yaml b/nixos/modules/nixos/services/adguardhome/secrets.sops.yaml deleted file mode 100644 index b0bfba3..0000000 --- a/nixos/modules/nixos/services/adguardhome/secrets.sops.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -services: - adguardhome: - password: ENC[AES256_GCM,data:LO+CWyPEYKA=,iv:of7rfa2afrK+/zO2fxpMgEFCed2FzHr3g3XvsW7MEqE=,tag:rmyDo8/MIUtBHLPCHjwoOA==,type:str] - env: ENC[AES256_GCM,data:U8lindfbchCpD3DYkkwqMTcvKM/DWzbyAKvzOwx+FIfVl6OtMak=,iv:hRP5k9yipMVYEQB+lz2jauf59aSf3+or6YbRM7p2isc=,tag:fRz4aNoCHiwsCACN9+/CZg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaUo2NmF0VGhzQm9ycDND - RnNNUGpsN3dWS05YRDM0YU9jQStEQWNrYUdrCkRQVDA3TjNFS3IwTWE0VkZISE5X - MHN5aElJMFYzRHB1K1dsUVhEVDFxVmcKLS0tIEh0c2UvT2hCK0wvdHorV0dUV0JT - REtTYXJnS2ZhNk9uaGhNSGJEQzV2S1EKWSmmm6xP7eplu8rAc6YXsXvj+lV96umT - MOs0/6oR+rKOTknEEUTVeQl6Fe9rtHS7UHFP7Mpk3vh647l9KOFoZA== - -----END AGE ENCRYPTED FILE----- - - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdkp5M1VtM1ZvM0tIN3p6 - WUs1a0xZYyswTlRoeFFlcTJFTWgrRVAvbEJZCnVPMTBRUTF4RFdYVk5yZ0NCMmJ1 - Y21YLzVrZDd5Z1ZFOGpwNmFXSWp4Z2cKLS0tIFJPMVcyVXpoRGRzSTlvZGtwUFRt - VmhzMUczR2l3b0RPem9VNlhXaCtBaXcK6Ch7J/UnzQLggMTS+4eOmIZatAY8cmqF - 9DKeRs5euytwEDJUrXFm8hCc4p/Lf/OH0f74coXtXmEV1ejoHklDNQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SmFpWCtRZkNVNktFK0Fx - R05xT2NnU1d5RTgrTU81eDhwZDZtNkpyWVFBClRZRGNBaFg1WWhITncxL085clJ5 - eDY2Q1kzWXlMdUZ5RUl5eklMY2dNN1UKLS0tIDVDYXY3VVl5MStlUFNTQU9xS1Ra - bWVqWmpobEExcWFOdVpxQnJNaThWV1kKuZLi1DntH94dLnZejAZbkwxHGb6mAhSU - UvdRVNOKB0+7vGMHRqI8XGBgrkDGe3eriya4tcHFA+hQlTqTPJsPPw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZVdDM0tGZEZRcHlyNnJJ - SGh1VzBqRG1RNFFRaGtuSENCa3BrSTV0Y0JZCnJJbUhENFRoUW9JVjZSMmd2b25n - bDVCdFBWQThGWjFHeStGQ1JTVkVOSncKLS0tIGM3YmdvUndSS214bTZHd0FYZXFn - a1FZUTE0cmVFMEt3K1l1WDlkcHllYk0KEyDE20xEfXT2n8+SxZcwirfiRkk+VPrg - iJJO46gNjwN6pmLW6N9XavAV7TRqSX9nRRNslMNcmf/FXo1jgwDiEQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ekt5xz7u2xgdzgsrffhd9x22n80cn4thxd8zxjy2ey5vq3ca7gnqz25g5r - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SVBzRkJvMVNsazM3MEEw - OS91V3NqeGI2dklEbVlKekM0WEZRTmEvRnl3CnI5N0NIMTBFNmxaMjZQYVZGSmFI - MG9wWGpMc3p0UmZtd0hOLzE5R09DVGsKLS0tIEZBWWVIb0twWHlSVHdJQWd2bWRs - dnlIOXhFc3VMQ29FeVdWL2xoYUpKa1kKd6tU03d/aop+Isl62DF2iorDOvGGqOob - u3JRXJYJsdEAzJb9hV1De4QGAm/pa8lsMFoG+3shIZOFo9ZG1Iu9sQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWDcyb1lhNk1HR1BkOURl - L2M1ZDRpUEVRS0VSRXRDUXpiVjRCNWFQa2ljCmJMY2dvRVZZTTd6L2V1MlBydmF6 - Vld6U2ppcWhXSGh2ZElRQWErS0JNK2cKLS0tICtFbVp5N0FKR2lwSXEwc0NVTldk - MFlsOTZZSGtlSGVhaVhtdWwyWUF4ZkEK5OEd2m61aTa8HvKEhK82rfnIs4aff6gk - Ls6g5vaV6g8oh60sunuVohf6E0Clnjf5T+l8emSy9a5dv6iQ5tkbfg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSEh6VUc1UEhSUzNwQkcw - cnZnS214Ly9sN1hCTkVZYXdLTkUwR1kvb1Z3CnVKNS9CYitiYi81L09aV1RIb1hj - NUlmUUI1UWtac094dDJFNGVUWVpnek0KLS0tIGtxemxUMVFSMGVmYUFONlc0cFE4 - L1dJbXJqVWxUNDR2dEI1YmVsRmVlZlUKpoRUvVf8IttYAyXdyYCKq3iAzS+nFXIS - 8TGxzD1FHwOWEd7gEWVOvPFHiGYPuMbWSkt/iEuTfu06YFZ71n+O6g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-25T02:28:14Z" - mac: 
ENC[AES256_GCM,data:NcY2RQcEu4RtCPotGn075MxA1Kn5spd8EHHem/IKsA68LoMXz7XN1RtFIvbvBPUYSOof93l88pJNGnz9gdTqZSkWEG3zUgCUxXryjcFj5hBojW3nEYtXJRlpsK++VBJSa50rJ7+E1tB5cA/6MIbUpY7F6IUu0ye7hatwj5TZ0n0=,iv:M5pZaYBIg3mJGh0wQ48WEYFfDvjY9DKnEveQRbfMrao=,tag:DrLPUtiKtc3NPRsCE1sJCQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/blocky/default.nix b/nixos/modules/nixos/services/blocky/default.nix deleted file mode 100644 index 9d736e9..0000000 --- a/nixos/modules/nixos/services/blocky/default.nix +++ /dev/null 
@@ -1,221 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.blocky; -in -{ - options.mySystem.services.blocky.enable = mkEnableOption "blocky"; - - config = mkIf cfg.enable { - - services.blocky = { - enable = true; - settings = { - - # optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.) - blocking = { - # definition of blacklist groups. Can be external link (http/https) or local file - blackLists = { - ads = [ - - - "https://blocklistproject.github.io/Lists/ads.txt" - - ]; - malicious = [ - "https://blocklistproject.github.io/Lists/adguard/malware-ags.txt" - - ]; - adult = [ - "https://blocklistproject.github.io/Lists/adguard/porn-ags.txt" - ]; - - void = [ ]; - }; - # definition of whitelist groups. Attention: if the same group has black and whitelists, whitelists will be used to disable particular blacklist entries. If a group has only whitelist entries -> this means only domains from this list are allowed, all other domains will be blocked - whiteLists.ads = [ ]; - # definition: which groups should be applied for which client - clientGroupsBlock = { - # default will be used, if no special definition for a client name exists - default = [ "ads" "malicious" ]; - # use client name (with wildcard support: * - sequence of any characters, [0-9] - range) - # or single ip address / client subnet as CIDR notation - # "foo*" = [ "ads" ]; - "10.8.10.40/24" = [ "ads" "malicioous" "adult" ]; - }; - - # which response will be sent, if query is blocked: - # zeroIp: 0.0.0.0 will be returned (default) - # nxDomain: return NXDOMAIN as return code - # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page. 
- blockType = "zeroIp"; - # optional: TTL for answers to blocked domains - # default: 6h - blockTTL = "6h"; - - loading = { - # optional: automatically list refresh period (in duration format). Default: 4h. - # Negative value -> deactivate automatically refresh. - # 0 value -> use default - refreshPeriod = "4h"; - - # optional: if failOnError, application startup will fail if at least one list can't be downloaded / opened. Default: blocking - strategy = "fast"; - - downloads = { - # optional: timeout for list download (each url). Default: 60s. Use large values for big lists or slow internet connections - timeout = "60s"; - # optional: Number of download attempts. - attempts = 5; - # optional: Time between the download attempts. Default: 1s - cooldown = "1s"; - }; - }; - }; - - # optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries. - bootstrapDns = [ - { - upstream = "https://one.one.one.one/dns-query"; - ips = [ "1.1.1.1" "1.0.0.1" ]; - } - { - upstream = "https://dns.quad9.net/dns-query"; - ips = [ "9.9.9.9" "149.112.112.112" ]; - } - ]; - # optional: configuration for caching of DNS responses - caching = { - # duration how long a response must be cached (min value). - # If <=0, use response's TTL, if >0 use this value, if TTL is smaller - # Default: 0 - minTime = "0m"; - # duration how long a response must be cached (max value). - # If <0, do not cache responses - # If 0, use TTL - # If > 0, use this value, if TTL is greater - # Default: 0 - maxTime = "0m"; - # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM. 
- # Default (0): unlimited - maxItemsCount = 0; - # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window) - # this improves the response time for often used queries, but significantly increases external traffic - # default: false - prefetching = true; - # prefetch track time window (in duration format) - # default: 120 - prefetchExpires = "2h"; - # name queries threshold for prefetch - # default: 5 - prefetchThreshold = 5; - # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM. - # Default (0): unlimited - prefetchMaxItemsCount = 0; - # Time how long negative results (NXDOMAIN response or empty result) are cached. A value of -1 will disable caching for negative results. - # Default: 30m - cacheTimeNegative = "90m"; - }; - - # optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists. - # accepted: dual, v4, v6 - # default: dual - connectIPVersion = "v4"; - - # optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma - # example: query "printer.local" or "my.printer.local" will return 192.168.178.3 - customDNS = { - customTTL = "1h"; - # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined). 
- # if false, queries with unmapped types will be forwarded to the upstream resolver - filterUnmappedTypes = false; - # optional: replace domain in the query with other domain before resolver lookup in the mapping - # mapping = [ ]; - }; - # conditional = { - # fallbackUpstream = false; - # mapping = { - # "trux.dev" = "127.0.0.1:5353"; - - # # resolve fqdn for local ip's - # "l.voltaicforge.com" = "10.8.10.1"; - - # # reverse dns setup - # "in-addr.arpa" = "10.8.10.1"; # reverse dns lookup to UDMP - # "ip6.arpa" = "10.8.10.1"; # reverse dns lookup to UDMP - # }; - # }; - # optional: drop all queries with following query types. Default: empty - filtering.queryTypes = [ "AAAA" ]; - - # optional: logging configuration - log = { - # optional: Log level (one from debug, info, warn, error). Default: info - level = "info"; - # optional: Log format (text or json). Default: text - format = "text"; - # optional: log timestamps. Default: true - timestamp = true; - # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false - privacy = false; - }; - - # optional: Minimal TLS version that the DoH and DoT server will use - minTlsServeVersion = "1.2"; - # if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated - #certFile: server.crt - #keyFile: server.key - - # optional: ports configuration - ports = { - # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353" - dns = 53; - # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853 - tls = 853; - # optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. 
Example: 443, :443, 127.0.0.1:443,[::1]:443 - https = 8443; - # optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000 - http = 4000; - }; - - # optional: configuration for prometheus metrics endpoint - prometheus = { - # enabled if true - enable = true; - # url path, optional (default '/metrics') - path = "/metrics"; - }; - - # optional: If true, blocky will fail to start unless at least one upstream server per group is reachable. Default: false - startVerifyUpstream = true; - - upstreams = { - groups = { - # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query - # format for resolver: [net:]host:[port][/path]. net could be empty (default, shortcut for tcp+udp), tcp+udp, tcp, udp, tcp-tls or https (DoH). If port is empty, default port will be used (53 for udp and tcp, 853 for tcp-tls, 443 for https (Doh)) - # this configuration is mandatory, please define at least one external DNS resolver - default = [ - "https://dns10.quad9.net/dns-query" - "https://dns.cloudflare.com/dns-query" - "https://doh.mullvad.net/dns-query" - ]; - - # optional: use client name (with wildcard support: * - sequence of any characters, [0-9] - range) - # or single ip address / client subnet as CIDR notation - "10.8.50.1/24" = [ "https://cloudflare-dns.com/dns-query" ]; - }; - # Blocky supports different upstream strategies (default parallel_best) that determine how and to which upstream DNS servers requests are forwarded. - strategy = "parallel_best"; - - # optional: timeout to query the upstream resolver. Default: 2s - timeout = "2s"; - }; - }; - }; - - }; -} diff --git a/nixos/modules/nixos/services/calibre-web/default.nix b/nixos/modules/nixos/services/calibre-web/default.nix deleted file mode 100644 index eee4e19..0000000 
--- a/nixos/modules/nixos/services/calibre-web/default.nix +++ /dev/null 
@@ -1,138 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.${category}.${app}; - app = "calibre-web"; - category = "services"; - description = "Calibre web-server"; - # image = "%{image}"; - inherit (config.services.calibre-web) user;#string - inherit (config.services.calibre-web) group;#string - port = 8083; #int - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - host = "${app}" + (if cfg.dev then "-dev" else ""); - url = "${host}.${config.networking.domain}"; -in -{ - options.mySystem.${category}.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - monitor = mkOption - { - type = lib.types.bool; - description = "Enable gatus monitoring"; - default = true; - }; - prometheus = mkOption - { - type = lib.types.bool; - description = "Enable prometheus scraping"; - default = true; - }; - addToDNS = mkOption - { - type = lib.types.bool; - description = "Add to DNS list"; - default = true; - }; - dev = mkOption - { - type = lib.types.bool; - description = "Development instance"; - default = false; - }; - backup = mkOption - { - type = lib.types.bool; - description = "Enable backups"; - default = true; - }; - - }; - - config = mkIf cfg.enable { - - ## Secrets - # sops.secrets."${category}/${app}/env" = { - # sopsFile = ./secrets.sops.yaml; - # owner = user; - # group = group; - # restartUnits = [ "${app}.service" ]; - # }; - - users.users.jahanson.extraGroups = [ group ]; - - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - ## service - services.calibre-web = { - enable = true; - listen.ip = "0.0.0.0"; - listen.port = port; - options = { - calibreLibrary = "${config.mySystem.nasFolder}/natflix/books/"; - }; - }; 
- - # homepage integration - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - inherit description; - }; - } - ]; - - ### gatus integration - mySystem.services.gatus.monitors = mkIf cfg.monitor [ - { - name = app; - group = "${category}"; - url = "https://${url}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - } - ]; - - ### Ingress - services.nginx.virtualHosts.${url} = { - forceSSL = true; - useACMEHost = config.networking.domain; - locations."^~ /" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - }; - }; - - ### firewall config - - # networking.firewall = mkIf cfg.openFirewall { - # allowedTCPPorts = [ port ]; - # allowedUDPPorts = [ port ]; - # }; - - ### backups - warnings = [ - (mkIf (!cfg.backup && config.mySystem.purpose != "Development") - "WARNING: Backups for ${app} are disabled!") - ]; - - services.restic.backups = mkIf cfg.backup (config.lib.mySystem.mkRestic - { - inherit app user; - paths = [ appFolder ]; - inherit appFolder; - }); - - }; -} diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml deleted file mode 100644 index da41358..0000000 --- a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -system: - networking: - cloudflare-dyndns: - apiTokenFile: ENC[AES256_GCM,data:bNg/,iv:Zt4clxpz4+HLBZQtoPSHSOyfoeiY8WmIC0NK8KKpoZE=,tag:RbwizOVkM+cfXZHzP1PDzw==,type:int] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbkxUU3FIQnJDNWxrYXNm - Q0dBQ1J2Z2hpK1JXZ1NhT2JyWkFTbVFyeG1FCk5YT2RkcDltaGxhUkwxV0xmTzVy - QzFvYzR1ZTRrdWJzOEIyVG1PMGVCd1UKLS0tIGwySFd2WUk5bHVEZUtXMVhxQUhV - V0U0b0lTT3VSdXBLK3JJNHI4N1J3K1kKR1WbRwnhAxjC95olt0Qn9fGrG7r0oCVf - Un0X4Stg1IXisiSoGb4soAPGDsFmF8fjVv8ThzjwHtXg+2dMOFjObA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNWIwT09XNzhWc1Bza1Bp - WFRGVWpHOE9YYXJ1OEE0WEQzandxdExBcjJzCi9QaU9EZ3hSSHowREszYmlZRXhJ - TElFMjkwS01wNGs0U1JsYlRCV09sT0UKLS0tIDZhMmsvZUJxQWF5RGY3U0QzZUdr - YjdENFFNaGdKNVZ1c0lkS3NhQ1pBOUkKhKiTX7kMqg+Swm4nUfrTuVCX4yrKqsS8 - dxvb47fns+UZ/ethNU9n38zmgFzpuceWIzslxa+uRNAtk/bfD75SBw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVlBIYUVyWkprQll0a0dO - YmNyN1ZMcS9FSy9JSDBwWm1aZzVzQ3BUbXlzCitraGNNOElLSzdPMEtlRGNmbzNW - VWxkNVRnT09hWXhGcEdMN0E1cmkyRW8KLS0tIGFZeHRFMmkxZ2doOUg3Y0F6WTFM - ckdXWFdESG5CT0ZJNmcvOSthVTJHTGcK4igNpUBRHsbanKSwJOLPmLTC+sDEjJX4 - fDwBCbALA9OzenUlfeOrnxDfWeB+Ww3PfF0eUUK8ojAXUhbIqaUnjg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQzVHcFRBbkRHYlRhVWNB - dGpWeGhyK29MVzdWdEJRNTVoQ2hXN2h2Mmp3ClpnbDdscS9uZ0RwcVJSUDF2R2I3 - 
dWhrTHFEWFNnbkRwV2lsVXdrSjZZdXMKLS0tIFNWZnZaMmpKZGk2SjNySit5YkM5 - VDJSbFMySy9OS0pZMytqVE1GS3h1T28KJuQfwvcUqKS4qVRNEQQTcePdwuYc2sjY - 0UY80I4ABFWiyAqwQ+PG7Kd33Z+gSuNJqlLyX2LyACOKVqyqNeR8Qg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:7ZPUQ3KwVRsrLoB+7/DS3iZE/FtJW7kHlJLmkpZfLts5K0IIrtgDv4r9SyiSdA/ejwYan3zPwRvtlsXN2FqU5uoFomL37UK6+TSFDjnJWIWNeOEbhGRZ3opZfw2NIMQoiGMHQRXzLQK4I+flzwce3KKQgtRpmlO+iXzm7LN3eLs=,iv:quon4A5FME1bftGbmifsD8fsRR72zpcwvL/UQu3gn6U=,tag:gCK1SWg35TPwPC/LgAPxrA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/default.nix b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix deleted file mode 100644 index 174ec89..0000000 --- a/nixos/modules/nixos/services/cloudflare-dyndns/default.nix +++ /dev/null 
@@ -1,44 +0,0 @@
-{ lib
-, config
-, ...
-}:
-
-with lib;
-let
- cfg = config.mySystem.services.cfDdns;
-in
-{
- options.mySystem.services.cfDdns.enable = mkEnableOption "Cloudflare ddns";
-
- config = mkIf cfg.enable {
- # Current nixpkgs cf-ddns only supports using a env file for the apitoken
- # but not for domains, which makes them hard to find.
- # To circumvent this, I put both in the 'apiTokenFile' var
- # so my secret is:
-
- # apiTokenFile: |-
- # CLOUDFLARE_API_TOKEN=derp
- # CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz
-
- # TODO add notifications on IP change
- # init secret
- sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
-
- # Restart when secret changes
- sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns.service" ];
-
- networking.firewall = {
- allowedUDPPorts = [ 53 ];
- allowedTCPPorts = [ 53 ];
- };
-
- # Cloudflare dynamic dns to keep my DNS records pointed at home
- services.cloudflare-dyndns = {
- enable = true;
- ipv6 = false;
- proxied = true;
- apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path;
- domains = [ ];
- };
- };
-}
diff --git a/nixos/modules/nixos/services/cockpit/default.nix b/nixos/modules/nixos/services/cockpit/default.nix
index c0bb91a..77a2979 100644
--- a/nixos/modules/nixos/services/cockpit/default.nix
+++ b/nixos/modules/nixos/services/cockpit/default.nix
@@ -18,24 +18,10 @@ in # remove packagekit and selinux, don't work on NixOS postBuild = '' ${old.postBuild} - rm -rf \ dist/packagekit \ dist/selinux ''; }); }; - - config.environment = mkIf cfg.enable { - systemPackages = with pkgs; - [ - # (mkIf config.virtualisation.podman.enable nur.repos.procyon.cockpit-podman) # TODO replace only if server runs pods - # nur.repos.dukzcry.cockpit-machines # TODO enable with virtualisation on server - # nur.repos.dukzcry.libvirt-dbus # TODO enable with virtualisation on server - # pkgs.virt-manager # TODO enable with virtualisation on server - ]; - - - - }; } diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix index 219778a..c9371bb 100644 --- a/nixos/modules/nixos/services/default.nix +++ b/nixos/modules/nixos/services/default.nix @@ -1,33 +1,18 @@ { imports = [ - ./monitoring.nix - ./reboot-required-check.nix - ./cloudflare-dyndns - ./maddy - ./dnscrypt-proxy2 ./cockpit - ./podman - ./traefik - ./nfs - ./nix-serve + ./forgejo ./glances - ./syncthing - ./restic - ./powerdns - ./adguardhome - ./mosquitto - ./zigbee2mqtt - ./postgresql - ./blocky - ./openvscode-server ./grafana + ./monitoring.nix + ./nfs + ./nginx + ./nix-serve + ./podman + ./postgresql ./prometheus ./radicale - ./node-red - ./nginx - ./miniflux - ./calibre-web - ./rss-bridge - ./forgejo + ./reboot-required-check.nix + ./restic ]; -} +} \ No newline at end of file diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix deleted file mode 100644 index 0d0dc91..0000000 --- a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix +++ /dev/null 
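Review bot: The cockpit hunk appears to remove only the `rm -rf \` line of the postBuild script while leaving its two continuation lines (`dist/packagekit \` and `dist/selinux`) in place as context, so the resulting script would run `dist/packagekit dist/selinux` as a command instead of deleting those directories; the removed-line count (14) in the hunk header is consistent with that reading, though the collapsed layout makes it hard to be certain. Either drop all three lines together or keep the command intact, i.e. `rm -rf \`, `  dist/packagekit \`, `  dist/selinux`. The comment above it, `# remove packagekit and selinux, don't work on NixOS`, should also go if the removal is intentional, otherwise it now describes something the override no longer does. The enclosing overrideAttrs expression and the module header start outside the hunk.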
@@ -1,52 +0,0 @@
-{ lib
-, config
-, ...
-}:
-
-with lib;
-let
- cfg = config.mySystem.services.dnscrypt-proxy;
-in
-{
- options.mySystem.services.dnscrypt-proxy.enable = mkEnableOption "Cloudflare ddns";
-
- config = mkIf cfg.enable {
- # Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
- services.resolved.enable = false;
-
- # Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
- # causing a risk of no dns if service fails.
- networking = {
- nameservers = [ "10.8.10.1" ]; # TODO make varible IP
- firewall.allowedTCPPorts = [ 53 ];
- firewall.allowedUDPPorts = [ 53 ];
-
- dhcpcd.extraConfig = "nohook resolv.conf";
- };
- sops.secrets = {
-
- # configure secret for forwarding rules
- "system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
- "system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
-
- # Restart dnscrypt when secret changes
- "system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2.service" ];
- };
-
- services.dnscrypt-proxy2 = {
- enable = true;
- settings = {
- require_dnssec = true;
- forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
- listen_addresses = [ "0.0.0.0:53" ];
- server_names = [ "NextDNS" ];
-
- static = {
- "NextDNS" = {
- stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
- };
- };
- };
- };
- };
-}
diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml
deleted file mode 100644
index 689ca43..0000000
--- a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml
+++ /dev/null
@@ -1,51 +0,0 @@ -system: - networking: - dnscrypt-proxy2: - forwarding-rules: ENC[AES256_GCM,data:7HwvXgs=,iv:Y+1VqcRn6lxcahN1gitJrhHvG5mSj2qBFlHOmbPV4Ns=,tag:CROQyeTRCynSIE3dJ2vVzg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZ2piaVYySmsrOU9sbnI2 - Q2xmR3V2Zk01UHRMNjN6Q2R5MUhEWGEvS1JRCllXRkorY3k2MzJ3QXpOV2JpaG8v - MWFKWlVkS2Z2RFpzMlpCaVN0TkhvSDQKLS0tIFAvZExaQjZBQXZwY1dqQWhLc25P - RERwOTQwYThMUHkzK24rc1dTcW5FcFUKi3iVa5lHCFIYeel3DH46WWRVhkYOEKw2 - /kXqJ+aH4ul/e1xIsGBJWdKTg8V0K5JA454hw4WyofvhcdaZdjEqyw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkb3FlSFdQZEMzN1BuVEd5 - WHkxUk5ETGpDeHlLeUorVTg3Z3ZqWHJ5SHdzCkpJY0lqMGN6RC84MGZzQnU3b3Ft - NGlMUUF4eDhvQ0JodGVEbHkxUjFINU0KLS0tIHNObkdLZnVZMmhWdHdkVGlEWlVT - N3U1STJaZEQrN1Y0SFRaWDlrSDFvdDAKmIrWErhAnTivaXVCrMpNvgUaxLIf5Azg - vjK15Olgd0lxHi41f/zAoOdv5P/BWss0Pc2lk0Qkspl/GhTAmTQN9w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMGtrL2ZreFFRQ3ZHZ09y - UXM3RGFwMkdDWFlsWGY5Q29FUmlEUnZjZjJjCmJpZEJka25OQmJZdlRPZjFJZkh4 - NERwOGhtMkJaTXZ0T1ppZlVVOWNERDgKLS0tIHVpUFFvU2plY2ZFVzZIUUFtN3hr - Q3ZEcmd2ZS9tOHZVQmdmTnVsV3dnbVkKz8fc2zwSrQ03WcppCGNnFYheL2udwHVj - qiIrI9hwKwp9s7hU2leUXWsd5z6A9oPelnr7TuQ+nGy3XHicEsjY5g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrbzVsQSs2Zm0vcEVybk1n - aUs2NmlOSSs1NHhwblFQOXErTFh2ekxIQ0hzCjd1S3h5a1hrL0V5dkZMaURrR1ZC - 
VmcrV1MwSU4yQlZiNXdWbTVCUkc4cXMKLS0tIEI5bW41Z1ErQWUrOW50VkFWeVRU - a1NFWTJvNTNuYXVYVkRhaHZCRmRyVU0KrKR67gl5OrLWLA5OlseCZeU+aNh8YtM4 - psiAFihucI0f7A68J1xx3idBHa5iblBKrQAvdGkKMfR76gsn6XbM5Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:GGQuROg9LD0nbQSOd0d//JzSq5C6i3lo3memU6p4PMnCsODt0CxW6Srpb70uc4zHL+k1iuHvY1vDLwPW2/u4dcNZcDA4LLlf9BE3pRmrpzzXBfxguqlWuMk68tBNtLyXgpcTT/AN1OhBWS43GMwFUGEmF9jPc0XyQFfPT5sTYHk=,iv:9NtAWjPZW5Jg4UaBA6W95GJdkJ3evqAYwlPE2nNFd8A=,tag:0bGyF/kVUKXqswumE7kQSg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/forgejo/secrets.sops.yaml b/nixos/modules/nixos/services/forgejo/secrets.sops.yaml index 26a7da4..5f87110 100644 --- a/nixos/modules/nixos/services/forgejo/secrets.sops.yaml +++ b/nixos/modules/nixos/services/forgejo/secrets.sops.yaml @@ -1,7 +1,7 @@ services: forgejo: smtp: - password: ENC[AES256_GCM,data:WL+v0tKArR90bzbZ04lL6ODADSMXGHAEYAnNrhdgCShEcNjUwJXVHV8bsOIdiAsXoic=,iv:+KPPzcHrHPee2EhQCQzGsCNzLQa9t2MCdXHF3O8zZ+M=,tag:FuxrUg1/qS0WvD222wbfkw==,type:str] + password: ENC[AES256_GCM,data:p5iDVW+V0aIlj9RTHpMgko/1ahVkiHXafgm2u2g3TTrYFORBqCJqv+lCSSm4mGIabn4=,iv:GIx/dnn1y6Is6uzKEkmo326AUSS+I5RnLsV2duKHPBo=,tag:7R4222rGEsK+egunnB+llg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,41 +11,41 @@ sops: - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQmVLNjhPNThZa3dLd3ha - a0VCa1JDaGJXLzQwck1Ga2wvVWU0K1BCbkVRCjdlL3B0cUZVZEtFalFkb2lTWktL - cGZGcjR1KzVEYzZKakZHMnlBR0FvM2MKLS0tIHpRZm5nbGpVZmVpVVkrZVVSKzlk - ZUx0c29QMWpTRHJ0U3B1V2lkdEJvUk0KVK8GKsSl8uXhw8zbxpW4An/E7UI8yW6u - 0MELMJtmskLQnCUKKbeE8nAHW2MMGt6schoXwqsAEkspeaf+AC2G1A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVOU9SMEZvQUxhZWU2dzJ0 + Z1ZUODd0R2Rtb2lmaHhweC9Tb0J2anJuRno4Cis5UGZHc3pobkQ2OUJwSy9tV1RF + SmNvUi9Xek9oVFdPdzZQUnlJeWtBSEEKLS0tIFpoWTZOYlFOK2p4bTFaUVhGV1hz + dlpWOWhLT2VtYXdDQjJlWnh4T05TT3MKJtewm9QN1EfT8IQkkHdH0GGNDyg1wH6Z + Ja6lcZB580FPEHwoMC7cayQe5v82vbQsj6s8mOaUW9yRQLMQMkmOfA== -----END AGE ENCRYPTED FILE----- - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Mk1UVzJQM044aG9BRmg3 - QnUrdURwNGhONUxnR2Jjbjc1TitWWXEvb2dBCmlGSVh0Y0VNcExUYk9ER3JsNUgx - d1BCQWI2L0I0TGZoYUdmamg0aTBVbjQKLS0tIE52elRkSjd3eUlWempGSFBvbHoy - U1hZT2FVeEtkSDUvUERRYWpyanI2UUUKO7EHrVbhMFqZdwnIlK0Fnd5cLUVJ9Mhx - NRwYxneeBTHg2VV53n+n8mRhO0eQtOfNh6Mvc4eHC2eTBk/XlUynDg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bUNpMWJ1YklkV1JPMnFi + S0tiajlKblV5aTU2djJaQjN0M1IwOU9pdTNRCnFycmQ5WHFadmxhZ1R6a1ZHYjlW + TjVCN2dUelc5Qkt5Y0ZtYUtNRHN0WTAKLS0tIDFKSUE2YzFmQzB1TjgrRDFEalJO + MDg0bU9NS3VObVVYNDAvY1JIRU5xZEEKSWzp9smLNYypodRIh49XPBxS536XtFWf + kJWaLiUfULifcN46F8Tyts9dGHXx/bOgM5rCFAqtqTL7EaJbam13pw== -----END AGE ENCRYPTED FILE----- - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZWtMQVhOTTJxM1dYYW5w - aFViZWU2KzR2RnpDZEdDbk5nU1loQ1F0cVdnCjlPb0VtNFYvQzBiNDZUaTROOHRO - a3ZlaFlGblhnR1hRK3lRQ05mR0lJYzQKLS0tIFovSzEyNXhrcC9iRjAyVlZBWXIy - 
UWZBeXIrR0tvaFBVTFhqblB0d2xTM0UKULrTgxENwhZvEpNS0/Puxoh2d8s2zNo4 - EY+fkaR3dOGjnro+E6PYO7NydZOfc/rT/VUBAQi8Dl8DPlJHV4WOjw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuQ09PSWwyY2tGZzdyOGxq + KzZuUW95Z2QzVXY4dk5tRGZ3MXMxNW9INXlRCmkra2t2UUMwWnBhM0VoTnpUaWIx + UW13a3VxZWJyL0ZDdk1IVXJNQitpblkKLS0tIGMwZHJqOGt4Y2FCUUUrc2tEQjY0 + eWp3WmdOMUlTNVlUT3FMM0JCTnViQ28KE6rpeFodW4BAIDVdjpgPpRs26XgUya3b + Xbg6IuB90DvzNMKkoGB36Dh5cWUGFBsJ3QYopSDQGFbUepyDQa4Wvw== -----END AGE ENCRYPTED FILE----- - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaEpWdkk0eUpiT0duTjRS - aXEwZlh1dW5oQkNwMjRGbVNKeTRxanpneVdZCkZVTjJHblo0Ui8yYytKeDZHaFVn - eVAzeHpxck9VN0pDVnIyb3A3VGdxY2cKLS0tIGRiNVprcHFqVUpJeFJHNklkT3JR - azV4ajZHUXFnY1VHS0JzaHM1aUtySHcKWw3FRCjkKm99+Rw7uL+550go0EoKJdKY - 6tBW4vsh0+a3WBd/cNXwHVt8R3UscZ+MOwgSKyHDA62slqblH+G81Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VG9uejd2YTZ4c1p3akFZ + dUtEbXk3S1UzeEhLeld4VXVLK1dVKytlOEc4ClFwbVVUUG9SbzB2bDZwRHA2cE4y + STFLOWR3S0YrQ1FBbjJDV3o1aW1rNjgKLS0tIDlnQkZhRlpXanY5TzViVzdTNGpo + NDhZZ24zWmwwNVE4VDM0bllyUkdxVncKdyYx4r4ERRy2lz7b2oK4JvzF1RnIJ/mV + neTz0N1LSdmTUAOUtRT7D73tR6HhBZQNxH4LIsYiRllto46mEamx7g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-12T03:37:15Z" - mac: ENC[AES256_GCM,data:OM7jU2HfvOtNDvK4C5FE567dobZxhBdCDu5KSyBgGfzgFi1tSX0F4YoRZhspmfQKOeT/3+vLj1bfqDIkv2krDeZOnxw8vns7qgnTgR2tOn15bQmS8mIkSyk5WWdS1tbHfk1v+vF8T6lsl78G4nDSU/Q9DyFFdgmQUDDzlwW5vAs=,iv:tZgzqxwPqdDpQVkC/9598ixEzUNES5YMNfTwGUOEErQ=,tag:2w3/EftLvS/a2wl8ug6t3Q==,type:str] + lastmodified: "2024-05-18T16:39:41Z" + mac: ENC[AES256_GCM,data:TQ019mze1TDfHM3unUvhLzQOdPVhZ0lIw+CbcuSGIqpjITr7nGVRYtPMvHtY9taxaAQgpdJghOaP9MS/YR6KT9II54qYtel944rmOHxOIpB8Oy/mRHBJvx1JhQxHzxPx6hLsLxNagSbgIpyiNGwMiR2gedBLPI/BBNcPGESiMTA=,iv:m4UnG4p0eWzRmspSU/RL4HSeq3Fr5t+9FnNMxgCMOJE=,tag:w2aJxYjVoEHlaQAT+VAa7g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 
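Review bot: The re-encrypted `smtp.password` in the first hunk of this file is wrapped to the same four age recipients as before (the `recipient:` lines here are context, only each `enc` stanza and `lastmodified`/`mac` change), so the set of keys able to decrypt is unchanged. If the new ciphertext is a rotated credential rather than a plain re-key, the previous password should also be revoked at the SMTP provider, because the old ciphertext stays in git history and remains decryptable by those same recipients. Since the maddy relay is removed from the services imports in this same commit, a short comment in the forgejo module (outside this chunk) saying which SMTP endpoint this secret now presumably targets would help the next reader.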
diff --git a/nixos/modules/nixos/services/glances/default.nix b/nixos/modules/nixos/services/glances/default.nix index ccadff1..610a5b8 100644 --- a/nixos/modules/nixos/services/glances/default.nix +++ b/nixos/modules/nixos/services/glances/default.nix @@ -79,16 +79,5 @@ with lib; interval = "1m"; conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; }]; - - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - "Glances ${config.networking.hostName}" = { - icon = "${app}.svg"; - href = "http://${config.networking.hostName}.${config.mySystem.internalDomain}:61208"; - description = "System Monitoring"; - container = "Infrastructure"; - }; - } - ]; }; } diff --git a/nixos/modules/nixos/services/grafana/default.nix b/nixos/modules/nixos/services/grafana/default.nix index 4e6fb5e..abc7fc3 100644 --- a/nixos/modules/nixos/services/grafana/default.nix +++ b/nixos/modules/nixos/services/grafana/default.nix @@ -28,12 +28,6 @@ in description = "Enable gatus monitoring"; default = true; }; - # prometheus = mkOption - # { - # type = lib.types.bool; - # description = "Enable prometheus scraping"; - # default = true; - # }; addToDNS = mkOption { type = lib.types.bool; @@ -58,14 +52,6 @@ in config = mkIf cfg.enable { - ## Secrets - # sops.secrets."${category}/${app}/env" = { - # sopsFile = ./secrets.sops.yaml; - # owner = user; - # group = group; - # restartUnits = [ "${app}.service" ]; - # }; - users.users.jahanson.extraGroups = [ group ]; ## service @@ -76,17 +62,6 @@ in addr = "127.0.0.1"; }; - # homepage integration - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - inherit description; - }; - } - ]; - ### gatus integration mySystem.services.gatus.monitors = mkIf cfg.monitor [ { 
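Review bot: In the glances hunk and in grafana's last hunk the only consumer of `cfg.addToHomepage` is deleted, but the option declaration itself is not touched, so it is left as a dead knob that evaluates fine and does nothing; the declaration sits above each hunk, outside this chunk, and by the repository's template (visible in the deleted miniflux module) reads `addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };`. Removing that line in both modules keeps the option set honest about what the modules actually do. Grafana's first two hunks only delete commented-out blocks and need nothing further.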
diff --git a/nixos/modules/nixos/services/languagetool/default.nix b/nixos/modules/nixos/services/languagetool/default.nix deleted file mode 100644 index c966d12..0000000 --- a/nixos/modules/nixos/services/languagetool/default.nix +++ /dev/null 
@@ -1,148 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.${category}.${app}; - app = "%{app}"; - category = "%{cat}"; - description = "%{description}"; - image = "%{image}"; - user = "%{user kah}"; #string - group = "%{group kah}"; #string - port = 1234; #int - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - host = "${app}" + (if cfg.dev then "-dev" else ""); - url = "${host}.${config.networking.domain}"; -in -{ - options.mySystem.${category}.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - monitor = mkOption - { - type = lib.types.bool; - description = "Enable gatus monitoring"; - default = true; - }; - prometheus = mkOption - { - type = lib.types.bool; - description = "Enable prometheus scraping"; - default = true; - }; - addToDNS = mkOption - { - type = lib.types.bool; - description = "Add to DNS list"; - default = true; - }; - dev = mkOption - { - type = lib.types.bool; - description = "Development instance"; - default = false; - }; - backup = mkOption - { - type = lib.types.bool; - description = "Enable backups"; - default = true; - }; - - - - }; - - config = mkIf cfg.enable { - - ## Secrets - # sops.secrets."${category}/${app}/env" = { - # sopsFile = ./secrets.sops.yaml; - # owner = user; - # group = group; - # restartUnits = [ "${app}.service" ]; - # }; - - users.users.jahanson.extraGroups = [ group ]; - - - # Folder perms - only for containers - # systemd.tmpfiles.rules = [ - # "d ${persistentFolder}/ 0750 ${user} ${group} -" - # ]; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - - ## service - # services.test= { - # enable = true; - # }; - - # homepage integration - 
mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - inherit description; - }; - } - ]; - - ### gatus integration - mySystem.services.gatus.monitors = mkIf cfg.monitor [ - { - name = app; - group = "${category}"; - url = "https://${url}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - } - ]; - - ### Ingress - services.nginx.virtualHosts.${url} = { - forceSSL = true; - useACMEHost = config.networking.domain; - locations."^~ /" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - }; - }; - - ### firewall config - - # networking.firewall = mkIf cfg.openFirewall { - # allowedTCPPorts = [ port ]; - # allowedUDPPorts = [ port ]; - # }; - - ### backups - warnings = [ - (mkIf (!cfg.backup && config.mySystem.purpose != "Development") - "WARNING: Backups for ${app} are disabled!") - ]; - - services.restic.backups = mkIf cfg.backup (config.lib.mySystem.mkRestic - { - inherit app user; - paths = [ appFolder ]; - inherit appFolder; - }); - - - # services.postgresqlBackup = { - # databases = [ app ]; - # }; - - - - }; -} diff --git a/nixos/modules/nixos/services/maddy/default.nix b/nixos/modules/nixos/services/maddy/default.nix deleted file mode 100644 index 5ac4a51..0000000 --- a/nixos/modules/nixos/services/maddy/default.nix +++ /dev/null 
@@ -1,31 +0,0 @@ -{ lib -, config -, ... -}: - -with lib; -let - cfg = config.mySystem.services.maddy; -in -{ - options.mySystem.services.maddy.enable = mkEnableOption "Maddy SMTP Client (Relay)"; - - config = mkIf cfg.enable { - - sops.secrets."system/mail/maddy/envFile" = { - sopsFile = ./maddy.sops.yaml; - owner = "maddy"; - group = "maddy"; - }; - - sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy.service" ]; - - services.maddy = { - enable = true; - openFirewall = true; - secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ]; - config = builtins.readFile ./maddy.conf; - }; - - }; -} diff --git a/nixos/modules/nixos/services/maddy/maddy.conf b/nixos/modules/nixos/services/maddy/maddy.conf deleted file mode 100644 index 1fdc16d..0000000 --- a/nixos/modules/nixos/services/maddy/maddy.conf +++ /dev/null @@ -1,30 +0,0 @@ -state_dir /dev/shm/maddy/state -runtime_dir /dev/shm/maddy/run - -openmetrics tcp://0.0.0.0:9749 { } - -smtp tcp://0.0.0.0:2525 { - debug {env:DEBUG} - io_debug {env:DEBUG} - - source {env:SMTP_DOMAIN} { - deliver_to &remote_queue - } - - default_source { - reject - } -} - -target.queue remote_queue { - debug {env:DEBUG} - target &remote_smtp -} - -target.smtp remote_smtp { - debug {env:DEBUG} - attempt_starttls yes - require_tls yes - auth plain {env:SMTP_USERNAME} {env:SMTP_PASSWORD} - targets tls://{env:SMTP_SERVER}:{env:SMTP_PORT} -} diff --git a/nixos/modules/nixos/services/maddy/maddy.sops.yaml b/nixos/modules/nixos/services/maddy/maddy.sops.yaml deleted file mode 100644 index 944a05e..0000000 --- a/nixos/modules/nixos/services/maddy/maddy.sops.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -system: - mail: - maddy: - envFile: ENC[AES256_GCM,data:TGLFJJWixtAVaSJuU42prg==,iv:rmwPfjW/2ALMbsJyepq23VXcLHrBp5ZWlxGIEh7uOO4=,tag:a/qKkPBCl3ewABlJv81lfw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUTAwMEU0SGw0Q1lpOXJF - TnZGVzhINUlSTlFVcU8vcXl6czhrODJ0Q3c4CkNnVEwyb1AwanNzMEhvRmFaemUr - ZEFSOFgyU0RCM002Y0dPUjRRZXZZcDgKLS0tIHFJTnBaelMzV3Z2Ry8zNTYwWG5r - Y2xIWmc3QSsrVmZCdGhBbVREaFg4Qk0KjIE4soj0P7PZ/TsVSDCN05C43WFmmoFS - fn1dR0oIYygwGWz2poaI6Jb3Zm4cjEfhn27hcPDGp4kFIIz+97OXVA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ak8yckhRMm53bHpnQk5Y - K0hyaGFGcW5EUk9NUG1rS1BKczU5dVN0akhRCktmYlhvdnNPYnlWcVNUUklQNWpz - dFNZMDAyV2dwZUcrc2gzUW95aGZvalUKLS0tIE83TXFZRHNDNmZDZ2xwbm1jZnk3 - WkdlVkt1ZzRuVTN6bFJuQ3I3WDdYOFEKo28KVA7f8acjrOp4sVWzgbBGUBzX6axI - 8zNfrLtTz30Kx8rllMZ/t8x7jEGXDW4r2UQCgErt2s/Zdb6qNoBYqw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bGRaWGxEMk9VYXJXYS93 - TURXOVNxeWdkTkhMVUFLcERLWkx6YkNRd2drCnE0Z1RQYlQ4aTA0SVVFSTF2M3BW - NVVQdk9nMHNqL3hPTFNBSHdNczVNY00KLS0tIGVFdURIaitlYXR0TGh4UitYeGlM - a1NGWDdnOHlIc3JyTll4U0RoRk9xTUUKv0IVwG7nxvNfbJh6hmWpd+YtZw88NjFa - 6m03PhSnjftVyi5ZkEEbAf4HsDgv+HW6w6Gmzlsf2FkTT5IDGgrquw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTGFCWnNDTlIwTDJqNDc1 - RVc4V3hiY2o1eEdsakwwcnp5Z1N1UGEyeENZCk1qUG1Db2FRTUx4ZTg2a0xtOTQw - 
UjBzSHFmaHJ3WlR0VGs0bzZpbWpOWDgKLS0tIC9hakJsYm9qZ2dSRzlGaXFpbURq - bW1OLzc3cnBXYkNuUFJNaERua0NTRzAKLX7YXGrrHfTtmHhNjEjd6N/7V9oic2/N - tXx274guzFcjfppTMGkvIV7yC7BleQMmbzlEVx6JKflUWVoQnNmYNw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:H+XTxzT6l3fmke+JO0y8OedKltDVETJsd4trm11/UIPEB57GhY80P34rnyc2Skz6DhV9a+rqkIq1mXlOv0zMhpobhb/9Gov6Hc+toK+8Km9J/ypikKen3m06unvV31j3Nw7coKPHEaK/XAyUx3un7+eaKGIkEG+xQnLm6cOLuEg=,iv:QxGs6OMvFxsnAXA1PN4ptZ4MT6S1ZAndQtXjpoz2Zhc=,tag:TVkg52QLS00alXy94wQ9JA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/miniflux/default.nix b/nixos/modules/nixos/services/miniflux/default.nix deleted file mode 100644 index 8f82c3d..0000000 --- a/nixos/modules/nixos/services/miniflux/default.nix +++ /dev/null 
@@ -1,180 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.${category}.${app}; - app = "miniflux"; - category = "services"; - description = "Minimalist feed reader"; - # image = "%{image}"; - user = app; #string - group = app; #string - port = 8072; #int - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - host = "${app}" + (if cfg.dev then "-dev" else ""); - url = "${host}.${config.networking.domain}"; - databaseUrl = "user=miniflux host=/run/postgresql dbname=miniflux"; -in -{ - options.mySystem.${category}.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - monitor = mkOption - { - type = lib.types.bool; - description = "Enable gatus monitoring"; - default = true; - }; - prometheus = mkOption - { - type = lib.types.bool; - description = "Enable prometheus scraping"; - default = true; - }; - addToDNS = mkOption - { - type = lib.types.bool; - description = "Add to DNS list"; - default = true; - }; - dev = mkOption - { - type = lib.types.bool; - description = "Development instance"; - default = false; - }; - backup = mkOption - { - type = lib.types.bool; - description = "Enable backups"; - default = true; - }; - - }; - - config = mkIf cfg.enable { - - ## Secrets - sops.secrets."${category}/${app}/env" = { - sopsFile = ./secrets.sops.yaml; - owner = user; - inherit group; - restartUnits = [ "${app}.service" ]; - }; - - users.users.jahanson.extraGroups = [ group ]; - users.users.miniflux = { - isSystemUser = true; - group = "miniflux"; - }; - - users.groups.miniflux = { }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - ## service - services.miniflux = { - enable = true; - adminCredentialsFile = 
config.sops.secrets."${category}/${app}/env".path; - config = { - LISTEN_ADDR = "localhost:${builtins.toString port}"; - DATABASE_URL = databaseUrl; - RUN_MIGRATIONS = "1"; - CREATE_ADMIN = "1"; - }; - }; - - # automatically reset feed errors regular - # systemd.services.miniflux-reset-feed-errors = { - # description = "Miniflux reset feed errors"; - # wantedBy = [ "multi-user.target" ]; - # after = [ "network.target" "${app}.service" ]; - # environment.DATABASE_URL = databaseUrl; - # startAt = "00/4:00"; # Every four hours. - # serviceConfig = { - # Type = "oneshot"; - # DynamicUser = true; - # RuntimeDirectory = "miniflux"; # Creates /run/miniflux. - ## EnvironmentFile = cfg.envFilePath; - # ExecStart = pkgs.writeShellScriptBin "miniflux-reset-feed-errors" '' - # ${cfg.package}/bin/miniflux -reset-feed-errors - # ''; - # }; - # }; - - # homepage integration - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - inherit description; - }; - } - ]; - - # ensure postgresql setup - - services.postgresql = { - ensureDatabases = [ app ]; - ensureUsers = [{ - name = app; - ensureDBOwnership = true; - }]; - }; - - ### gatus integration - mySystem.services.gatus.monitors = mkIf cfg.monitor [ - { - name = app; - group = "${category}"; - url = "https://${url}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - } - ]; - - ### Ingress - services.nginx.virtualHosts.${url} = { - forceSSL = true; - useACMEHost = config.networking.domain; - locations."^~ /" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - }; - }; - - ### firewall config - - # networking.firewall = mkIf cfg.openFirewall { - # allowedTCPPorts = [ port ]; - # allowedUDPPorts = [ port ]; - # }; - - ### backups - warnings = [ - (mkIf (!cfg.backup && config.mySystem.purpose != "Development") - "WARNING: Backups for ${app} are disabled!") - ]; - - # 
services.restic.backups = mkIf cfg.backup (config.lib.mySystem.mkRestic - # { - # inherit app user; - # paths = [ appFolder ]; - # inherit appFolder; - # }); - - services.postgresqlBackup = mkIf cfg.backup { - databases = [ app ]; - }; - - - - }; -} diff --git a/nixos/modules/nixos/services/miniflux/secrets.sops.yaml b/nixos/modules/nixos/services/miniflux/secrets.sops.yaml deleted file mode 100644 index ddc67e6..0000000 --- a/nixos/modules/nixos/services/miniflux/secrets.sops.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -services: - miniflux: - env: ENC[AES256_GCM,data:T3nNmyoFmiTdJrgyfdwWfQ==,iv:b+80Yn6CSzXIwM3BbG9Jf6ZwPoCCdr4ykOspz9Fjaj0=,tag:jduWlAz8gT87NpR0KSv1ow==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZ2N2WFF4VmkwL3I1cE80 - dmxzRHZrZC9OelBsZ2N6WTZUKzhxNURlb1RjCjllTUdLTUgvOXBPclU5ZFQwYjdm - R2FkaUFGOWhtRjBxVExwMXdSUFl4NW8KLS0tIE5QV0gyNUUrTHlKVW5qWVI1NmNL - eVlsaGRCYlJnbnRrS05UYmJrSkNDUW8KxB6Jd4r0Bt4nLGjm4gP+wMHu9CvoHzqV - y/Y6NJWFqKIi30QcgW4jZ9E2Fu5I1dvAFmIKXNRM7bYI6lBz+JY5QA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbDY3ZVRLMGowQzZPamlv - OWI2bitmcmIyOVJxQ3djM3hadHdRRXVrWmlZClpzdVM3U0g2YnZ4V2IrWDNpZVlT - WGg1V0lQR3Nwc2JpaVl3WG1zSmErTTgKLS0tIFo5VEZoZGtnSjhCMmlLd0tEREVM - ai9PMHlVaU5rWThzR0lJY3JGdTJwdUkKOkgwmFm4MussjOG26AmVibgrtj+hKAhl - o2FhSGw0BfI3K1X3tNg3RvEWQOXCyLFTl5w3gGeZ3fsNFwoaSpcSLg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Z2krLzZVc0Q2b1Vpb1Mw - ME1RcGpGSzNNRkV3aGZwMEQyVGZHUDRwaTN3CjBqRFM2S3hIai80Z3BzWHdJdDZC - K29YZXZYL1IxVERKNW5qSjYvamxPNkEKLS0tIFd2RUl2MHBIZlJTTlFEQmlvU2Iw - YU9MbG5yRFJTSkwwR0ZwcDRVMDJIWUUKuCQIJkYZqj7yUvJTWzLyl+JhfUDUTmE5 - j2z+EdRS0HQ+qpNNDJK0zc4uCUOXNmpsZgjUsdDfBvWmcnR02uXwXA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJbUN3eW4yWHZnQ1lRSklu - MVl2bWJKaHRrN1FCaDY2MHoxOW5QYVB0L21rCmVrTmF1YXdhSWJpaFJBMWR4SnZh - 
dC9UYWRnM0t6M09QdlRiK2Y4OUk2QkkKLS0tIEhIN1VJU3MrQlBHdVkwOUp3dEtC - MTdIRU9wNUg0dVV1L1AxTmVCL09QSW8KOXi+ysyVdBPX2//FhQi8GmtcVfxwlFGN - fgdzXO8PRNHyN2CYJMjQOzeV8es+s5xk9vS40Dl4u+8TFyIDJbn8nw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T02:52:42Z" - mac: ENC[AES256_GCM,data:jtjchjbuU2vXVBPGz7pyyMmP1R75Sf6LqepYqQaggZtXVjQL24pulPwViRIU4RsksHTdHNGzoDimWKF5xFrOb1FFeHglkfKOEBt8A/kYpttIOJcfTXxjFv44AldhUmFP2LaJKj2BRXpGiBtMBuB8kFUYqG2s80hDM27bMEEIrEQ=,iv:WZbTD6b5EC66XcyBSuQwsa+eVQmqYwuf8nARLlEFsfY=,tag:whk+hAZ9U+w3GUJmcambSQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/mosquitto/default.nix b/nixos/modules/nixos/services/mosquitto/default.nix deleted file mode 100644 index 6b8fc44..0000000 --- a/nixos/modules/nixos/services/mosquitto/default.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.mosquitto; - # persistentFolder = "${config.mySystem.persistentFolder}/nixos/services/mosquitto/"; - app = "mosquitto"; - user = app; - group = app; - appFolder = config.services.mosquitto.dataDir; -in -{ - options.mySystem.services.mosquitto.enable = mkEnableOption "mosquitto MQTT"; - - config = mkIf cfg.enable { - - sops.secrets."services/mosquitto/mq/hashedPassword" = { - sopsFile = ./secrets.sops.yaml; - owner = app; - group = app; - restartUnits = [ "${app}.service" ]; - }; - - - services.mosquitto = { - enable = true; - # persistance for convienience on restarts - # but not backed up, there is no data - # that requires keeping in MQTT - settings = { - persistence_location = appFolder; - max_keepalive = 300; - }; - - listeners = [ - { - users.mq = { - acl = [ - "readwrite #" - ]; - hashedPasswordFile = config.sops.secrets."services/mosquitto/mq/hashedPassword".path; - }; - } - ]; - }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - users.users.jahanson.extraGroups = [ "mosquitto" ]; - networking.firewall.allowedTCPPorts = [ 1883 ]; - - }; -} diff --git a/nixos/modules/nixos/services/mosquitto/secrets.sops.yaml b/nixos/modules/nixos/services/mosquitto/secrets.sops.yaml deleted file mode 100644 index 667bead..0000000 --- a/nixos/modules/nixos/services/mosquitto/secrets.sops.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -services: - mosquitto: - mq: - hashedPassword: ENC[AES256_GCM,data:ars=,iv:fpJQrFgs3Db0UGCDNqUqaUg8D6uBg0+W4Dkg2p1j2OI=,tag:D8yeAs+yQV67Un0yPeNzFA==,type:str] - plainPassword.yaml: ENC[AES256_GCM,data:OVZqyq/3OKf2mhrI0GtrHg==,iv:rUQuXRSGCRHk10DpA6KFLO4zP4BlroHSJyDT1oO8dvc=,tag:RtSvFJH2Evpn5QoyFaKHwQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMXlGakdyNFVuemtWVUFF - ZDh5SVZ3aTBSWVdETE1oMFJ5Q0daMnZmQ2hJCndiQVBRM08vbnpXR3FQVlR5SWtm - ZWNMb2FqMEVWcGs2YTNFaUFOWW9idG8KLS0tIDNiQk1OV1lCUnd0eGNkT1VGNXFi - clZCVDY4L0lyUTg2NUpPdkx5NDgwYzgKOOdEdfLiP2V3txjKogJFVOD80y86bn6V - 5KsWtsAd+QmtaBav+XHEFoWkcmBYXfKdl0Sg+VuLT+GiP+Dr9EIT1Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVmZoc2lheCt0a0Y0S2ps - b3FURHNIdWlMWk5SdU54dW1lNmlPY2oxYlV3CmMxMzVHZVUrWTR6bm9XQWRjWUNw - V2NpSk9BNlJ2eGoraE00SytrZTdWdGMKLS0tIFliakZDeHRwNmpJM2lFVDNDYTNj - SXFxZk9CV1ZTSmFHTUIreDhlRmMzRmMKT1AJxxnKxNce1fa/Q1AsCWdpy86dYKpu - CPKBBYYl2w2pcs0Al+tZ+WtAdFtR5+YZ/6hWOTQT1bWMm7rQWMh6Kw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlUmdYdU8xTkNRUUVYVFpG - dGdyb214TSt2dGhlcFJFTE1lcWdXQ0lQVWswCmdFQjFadVNQU0YyK2YxQ3lQbjNh - d0xGWDRObFI3U3JvL0o0b3VsNFhXbXcKLS0tIGVHY0E1NHk5OTRkMkQ2OWVDcEMz - cWVlWUdtK09kQkUrZlFnTi90UEVyNkEKS5K98WlBImPdvn+zuOUvWeCNkjFqMmfN - jstl8kBwKQ8yyHtJ8vzOQr/qnRbK9fpZH/65uMOrH5oUYosEwfB+qg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdy9GK1FPV3JaZDBsZmVX - T2RYSTRLd1dSZVZvb3Vxdnp2bThXSkZXSkQ4CjJ2b3M4bDJLNzdsaWdWOXlTWmsx - dWdDYVdEK0ROWkNEUWZMSUY2N0Q3d3MKLS0tIHRmOVl6d3hVUVJxdkkyTjZPQjFE - S2hWS3kzNW9jWFJKMjJjUU5qZmd4M2cKsabfN35q7aeA/QwC6QrzZkLHzNQAW8y6 - Zbj+TwnXLcvJLkP2zRp3jJ4pwjj14bumnM5zwSq68HLvTSTZY1u9bQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:hae5SKE6XDTGYxxDb0ub7SctWLAHH2b+GygkrvtX70FUIdQdb7BAc7C/YMl11Z5hsIlFL3DYzJZmkz14E89rqFDs9g7xVYLi4rNyIAd4IfV9Ev5CNYHpsSZdcHq83cfUknD4lU7kjHidq9ITAh8xd1vRfPp+5CX41o5jLI83ohU=,iv:9tlwM7XCYnXC1oBUeuwK7N6SBjyJzHiDUiNLxfErU+c=,tag:1KfVyy+bN5oG63x8F1j66A==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/nfs/default.nix b/nixos/modules/nixos/services/nfs/default.nix index 56856d4..371fd70 100644 --- a/nixos/modules/nixos/services/nfs/default.nix +++ b/nixos/modules/nixos/services/nfs/default.nix @@ -16,15 +16,11 @@ in description = "Enable lazymount"; default = false; }; - }; - config = mkIf cfg.enable { - services.rpcbind.enable = true; # needed for NFS - environment.systemPackages = with pkgs; [ nfs-utils ]; systemd.mounts = lib.mkIf cfg.lazy [{ @@ -32,7 +28,7 @@ in mountConfig = { Options = "noatime"; }; - what = "daedalus.${config.mySystem.internalDomain}:/tank"; + what = "${config.mySystem.nasAddress}:/tank"; where = "/mnt/nas"; }]; @@ -45,9 +41,8 @@ in }]; fileSystems."${config.mySystem.nasFolder}" = lib.mkIf (!cfg.lazy) { - device = "daedalus.${config.mySystem.internalDomain}:/tank"; + device = "${config.mySystem.nasAddress}:/tank"; fsType = "nfs"; }; - }; } diff --git a/nixos/modules/nixos/services/nginx/default.nix b/nixos/modules/nixos/services/nginx/default.nix index 8bcefa4..24030e8 100644 --- a/nixos/modules/nixos/services/nginx/default.nix +++ b/nixos/modules/nixos/services/nginx/default.nix 
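Review bot: The second and third nfs hunks replace `daedalus.${config.mySystem.internalDomain}` with `${config.mySystem.nasAddress}` on both the lazy `systemd.mounts` `what` and the `fileSystems` `device`, but the `nasAddress` option declaration is not in this chunk; if it is not declared elsewhere in the PR (ideally with an assertion that it is set when this module is enabled), enabling nfs fails at evaluation. The `:/tank` export is now duplicated on both lines, so one binding in the module's `let` (outside the hunk), `nasTank = "${config.mySystem.nasAddress}:/tank";`, used by both mount definitions would keep them from drifting apart. The first hunk is whitespace only.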
@@ -62,6 +62,5 @@ in # required for using acme certs users.users.nginx.extraGroups = [ "acme" ]; - }; } diff --git a/nixos/modules/nixos/services/nix-serve/default.nix b/nixos/modules/nixos/services/nix-serve/default.nix index b449fa3..6e85097 100644 --- a/nixos/modules/nixos/services/nix-serve/default.nix +++ b/nixos/modules/nixos/services/nix-serve/default.nix @@ -19,6 +19,4 @@ in openFirewall = true; }; - - } diff --git a/nixos/modules/nixos/services/node-red/default.nix b/nixos/modules/nixos/services/node-red/default.nix deleted file mode 100644 index 436c02e..0000000 --- a/nixos/modules/nixos/services/node-red/default.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.node-red; - app = "node-red"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - appFolder = config.services.node-red.userDir; - inherit (config.services.node-red) user; - inherit (config.services.node-red) group; - url = "${app}.${config.networking.domain}"; - -in -{ - options.mySystem.services.node-red = - { - enable = mkEnableOption "node-red"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - - services.node-red = { - enable = true; - }; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString config.services.node-red.port}"; - proxyWebsockets = true; - }; - }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - mySystem.services.homepage.home = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - - description = "Workflow automation"; - container = "${app}"; - }; - } - ]; - - mySystem.services.gatus.monitors = [{ - - name = app; - group = "media"; - url = "https://${url}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - }]; - - services.restic.backups = config.lib.mySystem.mkRestic - { - inherit app; - user = builtins.toString user; - excludePaths = [ "Backups" ]; - paths = [ appFolder ]; - inherit appFolder; - }; - - - - - }; -} diff --git a/nixos/modules/nixos/services/openvscode-server/default.nix b/nixos/modules/nixos/services/openvscode-server/default.nix deleted file mode 100644 index 37935e5..0000000 
--- a/nixos/modules/nixos/services/openvscode-server/default.nix +++ /dev/null @@ -1,64 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.openvscode-server; - app = "openvscode-server"; - url = "code-${config.networking.hostName}.${config.networking.domain}"; -in -{ - options.mySystem.services.openvscode-server = - { - enable = mkEnableOption "openvscode-server"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - config = mkIf cfg.enable { - - services.openvscode-server = { - enable = true; - telemetryLevel = "off"; - package = pkgs.unstable.openvscode-server; # TODO move to stable in 24.05? - # serverDataDir - user = "truxnell"; - host = "0.0.0.0"; - extraPackages = with pkgs;[ fish tmux ]; - withoutConnectionToken = true; - }; - - services.nginx.virtualHosts."code-${config.networking.hostName}.${config.networking.domain}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString config.services.openvscode-server.port}"; - proxyWebsockets = true; - }; - }; - - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - "code-${config.networking.hostName}" = { - icon = "vscode.svg"; - href = "https://${url}"; - - description = "Code editor"; - container = "${app}"; - }; - } - ]; - - mySystem.services.gatus.monitors = [{ - - name = app; - group = "services"; - url = "https://${url}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - }]; - - - }; -} diff --git a/nixos/modules/nixos/services/postgresql/default.nix b/nixos/modules/nixos/services/postgresql/default.nix index 5a558ff..4371e78 100644 --- a/nixos/modules/nixos/services/postgresql/default.nix +++ b/nixos/modules/nixos/services/postgresql/default.nix 
@@ -9,13 +9,7 @@ let app = "postgresql"; category = "services"; description = "Postgres RDMS"; - # user = "%{user kah}"; #string - # group = "%{group kah}"; #string - # port = 1234; #int appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - # host = "${app}" + (if cfg.dev then "-dev" else ""); - # url = "${host}.${config.networking.domain}"; in { options.mySystem.${category}.${app} = @@ -39,14 +33,6 @@ in config = mkIf cfg.enable { - ## Secrets - # sops.secrets."${category}/${app}/env" = { - # sopsFile = ./secrets.sops.yaml; - # owner = user; - # group = group; - # restartUnits = [ "${app}.service" ]; - # }; - services.postgresql = { enable = true; identMap = '' @@ -72,8 +58,6 @@ in location = "${config.mySystem.nasFolder}/backup/nixos/postgresql"; }; - - ### firewall config # networking.firewall = mkIf cfg.openFirewall { @@ -81,8 +65,5 @@ in # allowedUDPPorts = [ port ]; # }; - - - }; } diff --git a/nixos/modules/nixos/services/powerdns/default.nix b/nixos/modules/nixos/services/powerdns/default.nix deleted file mode 100644 index 2b5f61e..0000000 --- a/nixos/modules/nixos/services/powerdns/default.nix +++ /dev/null 
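Review bot: The commented-out `networking.firewall = mkIf cfg.openFirewall { … }` block in the last hunk (-81) is kept while every other piece of template scaffolding in this file — the `user`/`group`/`port` placeholders, the `persistentFolder`/`host`/`url` lines and the `sops.secrets` stub — is removed, so one block of dead template survives the sweep. Since the `port` variable it referenced was itself only a comment and is now gone, either delete those four lines as well or turn them into a real option-gated firewall rule with a concrete port. The `config = mkIf cfg.enable {` set opens in the second hunk and its body continues between the hunks.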
@@ -1,110 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.powerdns; - persistentFolder = "${config.mySystem.persistentFolder}/nixos/pdns"; # TODO refactor using bind mounts - user = "pdns"; - group = "pdns"; - portDns = 5353; # avoiding conflict with adguardhome - portWebUI = 8081; - configDir = pkgs.writeTextDir "pdns.conf" "${pdnsConfig}"; - - # $APIKEY is replaced via envsubst in the pdns module - pdnsConfig = '' - expand-alias=yes - resolver=9.9.9.9:53 - local-address=0.0.0.0:${builtins.toString portDns} - launch=gsqlite3 - gsqlite3-database=${persistentFolder}/pdns.sqlite3 - webserver=yes - webserver-address=0.0.0.0:${builtins.toString portWebUI} - webserver-allow-from=10.8.10.0/20 - api=yes - api-key=$APIKEY - ''; -in -{ - options.mySystem.services.powerdns = - { - enable = mkEnableOption "powerdns"; - openFirewall = mkEnableOption "Open firewall for ${app}" // { - default = true; - }; - admin-ui = mkEnableOption "Powerdns-admin UI"; - }; - - config = mkIf cfg.enable { - - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${persistentFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - services.powerdns = { - enable = true; - extraConfig = pdnsConfig; - secretFile = config.sops.secrets."system/services/powerdns/apiKey".path; - }; - sops.secrets."system/services/powerdns/apiKey" = { - sopsFile = ./secrets.sops.yaml; - restartUnits = [ "pdns.service" ]; - }; - - # powerdns doesnt create the sqlite database for us - # so we gotta either do it manually once-off or do the below to ensure its created - # if the file is missing before service start - systemd.services.pdns.serviceConfig.ExecStartPre = lib.mkBefore [ - (pkgs.writeScript "pdns-sqlite-init.sh" - '' - #!${pkgs.bash}/bin/bash - - pdns_folder="${persistentFolder}" - echo "INIT: Checking if pdns sqlite exists" - # Check if the pdns.sqlite3 file exists in the pdns 
folder - if [ ! -f "${persistentFolder}/pdns.sqlite3" ]; then - echo "INIT: No sqlite db found, initializing from pdns github schema..." - - ${pkgs.wget}/bin/wget -O "${persistentFolder}/schema.sqlite3.sql" https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/gsqlite3backend/schema.sqlite3.sql - ${pkgs.sqlite}/bin/sqlite3 "${persistentFolder}/pdns.sqlite3" < "${persistentFolder}/schema.sqlite3.sql" - ${pkgs.busybox}/bin/chown pdns:pdns ${persistentFolder}/pdns.sqlite3 - ${pkgs.busybox}/bin/rm "${persistentFolder}/schema.sqlite3.sql" - fi - - # Exit successfully - exit 0 - - '' - ) - ]; - - networking.firewall = mkIf cfg.openFirewall { - - allowedTCPPorts = [ portWebUI portDns ]; - allowedUDPPorts = [ portDns ]; - - }; - - mySystem.services.gatus.monitors = [ - - { - name = "${config.networking.hostName} split DNS"; - group = "dns"; - url = "${config.networking.hostName}.${config.mySystem.internalDomain}:${builtins.toString portDns}"; - dns = { - query-name = "canary.trux.dev"; # special domain always present for testing - query-type = "A"; - }; - interval = "1m"; - alerts = [{ type = "pushover"; }]; - conditions = [ "[DNS_RCODE] == NOERROR" ]; - } - ]; - - - - }; -} diff --git a/nixos/modules/nixos/services/powerdns/secrets.sops.yaml b/nixos/modules/nixos/services/powerdns/secrets.sops.yaml deleted file mode 100644 index dfc2af7..0000000 --- a/nixos/modules/nixos/services/powerdns/secrets.sops.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -system: - services: - powerdns: - apiKey: ENC[AES256_GCM,data:pQtycqEH,iv:mSFDKAvSTdQHXFWOcPpdU9qpT7gksyCmLLrZsco0f6A=,tag:xxNKhsYb7nNvY/tVjvb2Lw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VWswY0E5dmhvNmRuWk5Q - QzRUTStEemwrZ2VSU3ZrbnFkc3ZWU201SlhJCkJKSzNORmtHbnBvVFBLNmxVNEps - WWR1TUdVTTJJYm9aY1FKL3NDbDB6NkkKLS0tIGh2SjIydU5OOXVHL1FyR0tjL1RJ - SVRqVE5RQTFYdi9GbFduUjJrN05RME0KTsOMRsER5UevR3H/g+1eMBxPWnYU+h9f - h2YSkPO/xDoYIJZl9ZMfH2kjvutKE4s6MzutDuZ941enlcOP5BDtww== - -----END AGE ENCRYPTED FILE----- - - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4TlZsME5wSkp5Q1VxTDd3 - cU5taXU3M0xhbFdlK2lpZk53b3RaME4wQlNnCk5XLzZUbGl5YzF3OGUrVUNBMjlG - WkNyTUZJaUdjSEZwbzB0dnFwWUxnV0EKLS0tIG1kZEtCdXE0RTE3ZTh0ZU04b1pp - bzdZSHIwczVGd0RkcC9qRUJuRlZmaW8KnMO9asbe7iaSng0VlVD5Q+Z4kttrNYpR - yMyRiimyd8Vcb0o3ph/99ptWFZYTI0omVnsoMCkWcRoj8ZOgZZOYEA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJT0o4YzBXbHowcU5nd090 - V1VEUFRlUFJRQ3pPRkprTytFR0lXeFpoNUI4CnNTVUQ0Q0tsMVpsQXpodWNYWFJp - OE1VeWt6ajJySmhiRXdjQlNiTmxoMUUKLS0tIGg1cy84Smh1R2xQZHRrcDdQZlhT - T1EzTjZrT3Z3NlNZeXNLYlJMaTVYK0kKUeVBmWLhyKLwcu5DNSc+B0Q9AQBq8Z1w - QZOa1EZQ5FPEZBtjg45P+uVKoERq8WlPeFawY0vRdBG3s1ZeErRR2Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbTJhUEV2d1BBTUZKUnJJ - Nk0yWnZkcTZpNUdqVjc5TXlLRXNYd3J0djJBCjBnSWQ5aHRmbm5LbmxwemtrRUVO - 
c29XcVZjODFnK3l5OHR2bFFsbktUVG8KLS0tIFpaYVZKOURtcXU2ZG5ZV25QTkh1 - Q0RGL2FQRmtNRlhTMHRtZ212RzY2K2sKWIHrTJl1jDinfREMDbgLaayvqH1SuwNL - pDyg9qM5gpY9ayNo5g6Xpgxq/wNNffcco9NDpekQOS40iYdq35cggQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:ZhJT03jkD2x9wH1HIwkN3RZbXG1OUna4ph1Xq7YNphpCdqz+IyPU0HpiZHxgB2KWnZTCcP8uh/2lrKDUImatX3Uhz7kLWUT+G/uKKzLT2RaNzjBuwL9CkIK/KnQBwBhiuW2TIjBDboFWnE3Y83ABMnvI06UChF5uE5cw4zjMxEk=,iv:Lx08otWjhrGMQP4bJxnlN+LvR8j1bvj0W7BMfcJqMYs=,tag:Eq6pR4H03Jx4BlHOhdh47w==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/prometheus/default.nix b/nixos/modules/nixos/services/prometheus/default.nix index 84e5a48..d1f993f 100644 --- a/nixos/modules/nixos/services/prometheus/default.nix +++ b/nixos/modules/nixos/services/prometheus/default.nix @@ -46,8 +46,6 @@ in description = "Enable local backups"; default = true; }; - - }; config = mkIf cfg.enable { @@ -71,17 +69,6 @@ in port = 9001; }; - # homepage integration - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - inherit description; - }; - } - ]; - ### gatus integration mySystem.services.gatus.monitors = mkIf cfg.monitor [ { @@ -122,8 +109,5 @@ in inherit appFolder; }; - - - }; } diff --git a/nixos/modules/nixos/services/radicale/default.nix b/nixos/modules/nixos/services/radicale/default.nix index 843faa9..1929d9f 100644 --- a/nixos/modules/nixos/services/radicale/default.nix +++ b/nixos/modules/nixos/services/radicale/default.nix 
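Review bot: With the `mySystem.services.homepage.infrastructure` attribute removed (hunk at -71), `cfg.addToHomepage` is no longer read anywhere visible in this file; if its `mkEnableOption` is still declared in the options block (the hunk at -46 shows only that block's tail), it becomes a silent no-op and should go in the same sweep. The same applies to the radicale module's hunk at -89 in the following diff. The `description` binding that this block inherited may also be unused now unless the remaining gatus entry below references it — worth checking the un-diffed lines before leaving it in the `let`.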
@@ -9,12 +9,10 @@ let app = "radicale"; category = "services"; description = "Contact/Calendar managment"; - # image = "%{image}"; user = app; #string group = app; #string port = 5232; #int appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; host = "${app}" + (if cfg.dev then "-dev" else ""); url = "${host}.${config.networking.domain}"; in @@ -89,18 +87,7 @@ in }; }; - - # homepage integration - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${ url }"; - inherit description; - }; - } - ]; - + ### gatus integration mySystem.services.gatus.monitors = mkIf cfg.monitor [ { diff --git a/nixos/modules/nixos/services/radicale/secrets.sops.yaml b/nixos/modules/nixos/services/radicale/secrets.sops.yaml index c5158aa..8f721cf 100644 --- a/nixos/modules/nixos/services/radicale/secrets.sops.yaml +++ b/nixos/modules/nixos/services/radicale/secrets.sops.yaml 
@@ -1,77 +1,50 @@ services: radicale: - htpasswd: ENC[AES256_GCM,data:1UwfofyQcZicSUVhPumzw5g=,iv:y6Mm588YuxIM5u41hA7gtxAai9+AsvsLIyEBUHx79+8=,tag:jpuuBVlumhRFkQw777W9jA==,type:str] + htpasswd: ENC[AES256_GCM,data:4y6QUrivlOpUVNAGDuPb9w==,iv:AS13cN3EKDEfRCc6USejkYG4SEFS4sPoYrfok8jsfYg=,tag:60ZhYvH/+SQhZKR6M9Zlfw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYc3dCb0t3VkdlVXQvOVVp - SFRVMnRuRHdHSGxiOGxTRjJnaHhBWUQ0b2dRCnp6YmNZSTVVdnUvZXpIQ3ZmYjI4 - cThjRk8zREU4dDhLNjVzeFhLUFVTUkUKLS0tIHJJcHZkSHFKdmVPNkFvZlV5UXpj - a0JLb0lWdlJGd3FqRFlXMFNWUk9yQUEKrsZP7IYj5Po07bvj513ZyZwlPnGecYnw - dC3LeW6ZhWtFNRl3y4xjZeAE4ghX0TyrGoHEMIjFUszid4sT2iHvnQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLc011SkxreTJSZERMemlS + clM0NnhPekF3bFZiUXUreDZEN3dkN3NmN0RNCmM3UEdlV3Azbk4yL2dpS3ZRQVpv + OWRQZ2E0eGU5cVIxRUU1c3RxMnpucEUKLS0tIHhjVXhtZEdVb3lvRnpoVGdJbkNq + WEM1bGRUOFVrOU5jbmhxSmpRK0F4WWsKoV2ABFGgcLb0qMmorOzNaAzPf6AbMfr0 + PUdIkaXLJrF3Qi3bts96KhlPLUA7llArSMrUBtkXeCit6xS+87Imuw== -----END AGE ENCRYPTED FILE----- - - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRHlaMlU5Y05HUHBxVFc2 - WG96Rk41VUdYNS9KSmpvK0tiSnk3TUxZMkdNCnExNkVFYVcrOFRsM3g0YTJROFRq - VDU2bytVcWlvNUhpNWNCc25ldU5HMEEKLS0tIGswWkZYYnJwZmJXelVQc1R3N1Ju - elcvU0ZKMk9ocUlIQk1tVTNPeisxR3MKaeHf2BILzQHFlnFHWUEEILiFR7h/HOoT - 6Xl018GPmmm+6cjJLNjdvvjcPlxwbakw6fRVdirsP5H3LRdBRDYvMA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBka1htN2tsN2ZZMkpDdHph + dk5EY1JkM0hONlRiaXFhdGVIT0xuVDA0b2tBCnlTVExGOHg5RFdiRzU0RWd3dEg3 + aXB2UkhQRUF6QnBRN0FnNjRqMWIwRkUKLS0tIHJxOWNmR09PRVFQK1E3Um1laHJj + 
VmdPdHl0OGtGODBIZHVzelByaVVoRTAKWb7/Th4zdNFo+K+rwi+nHpbftxnnMOlt + BV0hsMpFBaQZXw01n9uw71MZiJZAbZOMA9P+toMKL9UwWSx+isa3gA== -----END AGE ENCRYPTED FILE----- - - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQckIwK0FBcnhRSXYvTlk2 - TGZWR29KUmg1ampBWXBRUThVZFIyd2R6bTBJClRJdGVHazlGVDJoSVc3SDlkbVg1 - U3hHTzFlQWRnekswUmwranUydm90QUkKLS0tIDNNaTdSbGZwOG1hSXlya1FEN2oz - Q0xUNDNpUFZHYkhjNncvUjdocmdYVUEKBMLMqLHvoxYciaSQM9cT0WBkIbrXE+x3 - ZYtDfEQAu9FZvUqVYoGomR/0P1R/NNfhqHb1VAMuLKjB8d3obE0Gvg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVTdVN1VnN1JpWkJFWC95 + Qmc3dUNQdUtWSjRwWlVSVlJ2aGZ1MXIrMEFJCjNtck5vcGVhNnFQNXk2MjlHSC9P + aDU3WHQwbWdtbTBMcWdCUFE4Ulg5RlkKLS0tIGFDYnpGNE1SY2cvaUk4cWtBVmN6 + VGRIaEpkUk1qN1RsakV2YkdCbGJhUGcK8l4O+ysy9MeOq5uqnzt9GdkkH53BPtFf + rmONh4pxPogBB0IsvZBz2NUsKkixnucEK0+SrF2X5x0wveMl/2Nm3Q== -----END AGE ENCRYPTED FILE----- - - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMWtIcFJUQTM5UURaNUQx - VzJjcDU1QTZZUE5JYTAzOEpPYXhBdkpnVm04ClVHaWRTSTJxUm54NUV6M2o2c3U5 - OXdmOE9ZT1h6dlN4Z2pVbHFZdENWQ2cKLS0tIHNrZ1hTQUxVSWxWcmYvcnBBbUkx - V1pQQUpsNEt0RXBVQUNFY2p5ejhOc1kK5nhUW8lEFa2m38mTGVnQGuRj2DMr+JJ0 - 9oEjLbMkZHfeYKSGDlkOPeG5f7Lp3qCJnJ7FHv6/TlL2tN4yVcUYxA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3d2FMMStGS2dSYVcxMHNM + QXdPenBQMXJlWFJWcHp0U0h0SkNpWWlNdXgwClBTMk1TQXg4M3ZueVZha1dNN1gv + cTNuS3hBblNPQjBCa3o3N2xyNG9EZWMKLS0tIEo5SVc1b04xZndSNXQ4T3BOTmtr + M1NVZkphS2E1R2c3dWovcHlaTloxTkUKsDiyHq40XddMdcZ/2UmOUnPSu44SWTRZ + ZcDiYbfU4R7Ysgqaxl2iqBun/GOPWf4yeAbcynwXsLMUGG+XnsRWVw== -----END AGE ENCRYPTED FILE----- - - recipient: 
age1ekt5xz7u2xgdzgsrffhd9x22n80cn4thxd8zxjy2ey5vq3ca7gnqz25g5r - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWXdDUW5RMHhnR3NzamI4 - ZzhWVHBsWnRPSkJieGpuOEg1VDNzMHpVQXhnCmdGbVJRa3BQU0l0Mmk1aWI3eG0v - MlRZdEdkTmxuUnp0QVVSaFdpQVp1Z00KLS0tIHJzZ3BkdEcxUzNDRjZWaUhYOEJs - VTF3R2VscUtSSFJEZGN2Qk42TEJKMEEKeohZ/XNFDQSjwmWDSOfUg95S3SXLFqdl - hUNGRF32Sno7qE55fTPfK2uffb1Wocyjnt6Otp+Bmu0KUDGeBaBYLA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNldwQlNGN25RYW9qanhh - bkg3c0VvY0ZFUHBjOE85VHJvODI3Y21GRmhRClFabkEwNWJMMy8rR3lmOUJaTElv - a1A4ajJkU3FnTitmZzhUQWNKckE2MUEKLS0tIE5iVUxzM2ZpOGdEc3VJSE54cjF0 - L1h0TERMSm82N0ZYalB1QmZ0QUMxd2cKminvLq5ok5M44znw1etDknkNho7eohur - jgVEWEpn1vL570BVeNwZUcVRW2tUuMGgzznabkWTl19qMaxck//XiA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraWx2dXpUaEhUS09GWXVx - T0daMWlDU2U1NDlCcUVlYkhBUWs2cXBYdHhrCnlTYThNQlJsZGZDRWJ2SUJWRVVW - QzBja2I1MWJ2YnN5d0NWMXRSbE43L1EKLS0tIHZETEpOQnZNT1JkYlEzNCtDS1FP - UWVaNG0vVXB0YjNXb0ZHeEFaZDVrSmsK3EKc2FhyfB4kG08hfBXRD/pJOyWwmjj8 - qUns8YxX5KI2dI+P7UNH8uxzpbxhbfKIx1oCGRSsFfLkDfZPtRLKtg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-30T23:25:37Z" - mac: ENC[AES256_GCM,data:dadR/CZPmDYJCIFgbWdbu6hjNGrwc1IRk1IucAhVTOkuVQBCMhd4+Qv0CWG5Lc1O4juSblJDQbp9PGO/YCGfJ6jfLplBxlei7LTX45RbaChrPc/bVULSAXDZRjdQKVN/gb2HVgwh2PXXdR0IvYyDao55Repw+Va5qfSSa1FiHfg=,iv:nM1TwKOOB8Qr8f1l/ct32qrAV7dLhclu4SsRk/KcSSM=,tag:6fzeJyS/dPe7Bxm4WYBBwQ==,type:str] + lastmodified: "2024-05-18T16:39:41Z" + mac: 
ENC[AES256_GCM,data:9HLkT8t+LOSeVCWbjMhXMi7XduJ0nw4nZz9/dYCeyMW0w0/NscYn2avSUSks/5j14xAt4/NFmuM+KxW6z2dEdXE7DsCo1nWh+WyaTpL1QUId5xSWc6abQaexaKeRu/3QJ1wLNFgotaCuut96iFFTmvDL+t266ozxst8N3iR7zhk=,iv:NQwgSFv6Ogybrs6BMYl9eLeu0kNIJpmHR0MJCYHbCxA=,tag:X3BkmlHDt3E3GFT1iDYJHg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/restic/default.nix b/nixos/modules/nixos/services/restic/default.nix index f460c67..e66bc52 100644 --- a/nixos/modules/nixos/services/restic/default.nix +++ b/nixos/modules/nixos/services/restic/default.nix @@ -35,8 +35,6 @@ in }; }; - - config = { # Warn if backups are disable and machine isnt a dev box @@ -65,8 +63,6 @@ in }; }; - - # useful commands: # view snapshots - zfs list -t snapshot @@ -106,8 +102,6 @@ in mount -t zfs rpool/safe/persist@restic_nightly_snap ${cfg.mountPath} ''; }; - - }; }; } diff --git a/nixos/modules/nixos/services/restic/secrets.sops.yaml b/nixos/modules/nixos/services/restic/secrets.sops.yaml index 6a69155..c542c5f 100644 --- a/nixos/modules/nixos/services/restic/secrets.sops.yaml +++ b/nixos/modules/nixos/services/restic/secrets.sops.yaml 
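Review bot: Replacing seven age recipients with four others re-encrypts the current file, but the previous ciphertext — and the age-wrapped data key that the removed keys can still unwrap — stays in git history, so dropping a recipient never revokes its ability to read the old `htpasswd` value. The change is only safe if the underlying credential was regenerated at the same time; the `htpasswd` ciphertext shrinks from 17 to 16 bytes, which hints that it was, but that should be stated in the commit message rather than inferred. The same caveat applies to the deleted `powerdns` `apiKey` file earlier in this patch: its last ciphertext remains recoverable by every listed recipient, so treat that key as retired rather than removed.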
@@ -1,8 +1,8 @@ services: restic: - password: ENC[AES256_GCM,data:0dA=,iv:CmmDdEsoyfZEsqfzFODsiskkQSBpOrrAmvPr109rMws=,tag:b34pv7e6pQpvn449TMXl4w==,type:str] - repository: ENC[AES256_GCM,data:OCctcQ==,iv:4KzR+WZx/2s8rFnLrjfUwOjIkH3E9IwRmCuxRHbEl3s=,tag:EzkhysnA+WUEjZP/BALGyw==,type:str] - env: ENC[AES256_GCM,data:zNCWLkFkT4VimYZoMPyRXg==,iv:k0m1ZK7gI3NPNWvkSLz4SlobD1ESyj+RP4W4DWweU5I=,tag:RC8ntYEJ9LC2J0qHUy2TJQ==,type:str] + password: ENC[AES256_GCM,data:23E=,iv:qK5OxK70KSC6nxsiovOWLDG1+6Mdlf+DNibc/mm3uGA=,tag:GV3V+T/Y8dO/L7pv+OkHzg==,type:str] + repository: ENC[AES256_GCM,data:Sbao4Q==,iv:M9asdh36DY4Ys3RHugTeduECunSkrcL9yjE0j+CaCTk=,tag:Nmy8LNJbwr7cOTQd1p/kqQ==,type:str] + env: ENC[AES256_GCM,data:wNFPsVW6DwZF6Qyyztt0Jw==,iv:PrP6gq+IMTUSKWIKt8zV8o1wbR51vZuZ95Yjwt07ypU=,tag:bBO0tYVR4qrSTZxMoQKgZA==,type:str] sops: kms: [] gcp_kms: [] 
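Review bot: sops' AES-GCM mode leaves the plaintext length visible in each `data:` field, and here `password` decodes to 2 bytes (`0dA=` before, `23E=` after) while `repository` decodes to 4 (`Sbao4Q==`); if these are live values rather than placeholders, the restic repository is protected by a two-character password and should be re-keyed with a generated one before it holds real backups. All three values keep their exact lengths and the age blobs for the four unchanged recipients are rewritten in the next hunk, which looks like a data-key rotation (`sops --rotate`) rather than a change of the plaintexts — worth saying so in the commit message, because a genuinely rotated restic password would also need the existing repository's keys updated or it can no longer be opened.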
@@ -12,41 +12,41 @@ sops: - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbnFLZ3lqbHoxUmlXUEhT - dUJZRmVwVUdmbGxIc2NEN3I2UWpsYXVNdndvClNRTHV1UTVLYkhXdjBaRU1RNE5U - RExaUzVZNEhqemk5a09YazZHLzEwVEUKLS0tIDdCeGU5SnphK1BmaGRnWmxEalRI - Ti9lSmRHME9XMkdJeFBDVjRnVVNxQjQKU2DwTHVVnKqp9++LqSHBX0vXr6vQ6JIL - UuMgiXBrMai4F99tmJLxlUGrIA3gnMJ8+t/iPEyQ6LJMjQhbybXj8Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMzZ0Y0FRaUdzY0tMeEx5 + VUJxZkFRUlY3clI1ejVCT0xPNnN3NTh1OHhZCnh2YkxkemZ0ekwxT1NQKzIvTGlH + ejZISVJqVmM2UE1iM0M1eGpDSTN6VGcKLS0tIHJxSEhobUxoYWNXeE1LbWV6N0t1 + dGluUjZCbjFMMktnMFhHSVRscUtUNFEKFAEjmLUA0/9iZLQ4EhpPgyYYYkzQCpUL + bo83xqeLmxY7jU8HGF2YNyBe+I9LHpZvxDTiXzBDiK0Bry9b57hWgg== -----END AGE ENCRYPTED FILE----- - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEWGZqQk9CMkozaEs5RGpJ - azlxbDNHVFNRWVFGcjRxKzl2Q3l3ZnRQNTJjCklTeHd5bm9vWkFSYWFYV3dkVEdm - MVZJaElkVDI2b1d4aGpXaTd0dFpoQUUKLS0tIHNpV1Z1NnBwTWtrK3pIZXZCOHRW - dkFCbnlUVitXTGNMSkNySGZLZkM5NkkKiCriIwpURxB0BKF6YGKUlHlV3XTnGzFy - jbYvT7bj2PS7pZUaZvqmoFq3cmQD1W6dGWtEGu3F8l9YpHX5nKk0+w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLS1diU0xaU0M0amJEajM3 + YkpDeUh2VlNGa3liTFZMOGZYUDRoRUNGeldzCk5kSTcrOXNsclJTUnRoMEZqT0s5 + WTVKcFh4WVlSY0JlYUp0QmF4dWhCWlEKLS0tIGhoeERZWmZCcHR5bEtRZW1JczFy + bEl2Yy9mb1NnbUx6WFFHUGhjUXNqV2cK4M0cAXzjNzG09g2FHCZUw8NQkw6Qw3o9 + G3uFAkWw1Dny8PewS4tzOErAZlUQ0iKJDgUVqOrrBrfvctTFtBseAw== -----END AGE ENCRYPTED FILE----- - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQmt6bUV6OHMrVytvaWJz - Mm1IUUxQaHBFQUVMbUg4KzJLQTJLM0lGcWdzClVSME1VOEVJWkgweWsrNzlMSnRO - WDArVFBjT2dZWmkyNDZNb0NxemZRVW8KLS0tIEZZNjRoV3J6MW11djFxOGc0eEQ3 - 
SXdacTVFcEJwdXRudlF4enFrbE00dU0KeInLc+T1BSSTBgsMnSJxtR2UH7BaCCrp - 2CxHBwqdV490qI++GAuGOD633YrSWjJvKaNBrUt2IkhqCRU1rbYzGA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3WE9jVFRMRC9iNFVaTnNw + OEovY3hwYW5kWnlrSTRIbFU5enFJVXlFVTJjCkdueno5bXZFS0VPU2RWdk5PUTRj + Tk53UGJVZXZ3MExER2txVlRsVDIvY1kKLS0tIFI3VlNyYzB1S1RLS2JEbW54MTdW + aHpBN3ZqWENXc1cvZE5Xa2FiaHNlU0UKQ5/xk21o60JLZ6xNcB0cFHkoTXMN99LD + okhdVhlpml06ODoMIsFq/PR3adjeWJRjB7C4/Bz/wzlEUmze3TQMew== -----END AGE ENCRYPTED FILE----- - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUUhiVkRJWEIwZWtDcHlF - L0l6cXhhL1YrSXBoVnhQNjU1VzJVYVIvaUJFCllGQVdGRGNKeFlGbHZ0YkdHamJV - bnlhN01GWGxvVjBBaXNBakF2M1VzZFUKLS0tIHJ0cm1qWWZBcXM5elNQdjVjampq - ZE5KeldzeUgxdEE5RlhaWk05eDk3ZGMKclNvmniziFtucvDeUuskIDNrVvaqR8xi - 51IMQjrKDpXBDug/J2I6wCcSPfYGMBEJXuofBccHZcFflYgukfSFoQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3L0h2T3crY2JpaGMreS8z + YkJLOTMvbTRKUFNlWXgzZkpPUVJ5eDFON3pFCnBEeDg1YnpxNXZvdWtPbndRT1VZ + ZUhPRFE3TGFYaGluSDRjbkFHdi81NVEKLS0tIFJYZ3NaSVd6a25qMmxZV1VUNk50 + Wmo2cHY4cUZFMkFlUmNKcmg2RjcrUncKmbMWBL8r6R777c3SvFmmRpRY2oRQsf+A + Yqlv0wmrD6A1B61SDRDwkmFggnk0PquznZD/y0JctqRqmcstAscyNQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:13Z" - mac: ENC[AES256_GCM,data:L1RXxt8t9fz1R1N5tBGOpSr4wn99EazFA24NUjtirNhNnp0wbea9UInb/U/j9PlgptM/G9M7Uh+WO35pw+htkTnpCkENyyAUb58pBKeG+185AFr3yl9u7+vTHkib3KIphQ4L40rwe1ws8/oGTrBUQZ87RuT2RIHwfjS0+GSW4hc=,iv:oX9ZQHUoc+2+EhE09Z8KMnz9cogFjZR1FTBxoks/O6g=,tag:zMVDEjIaCMcJyEX1JHym7w==,type:str] + lastmodified: "2024-05-18T16:39:41Z" + mac: ENC[AES256_GCM,data:sMTQ25VnUOrMSN9Ro7GoovFWh9Y/4RmHXm/mRHNuOGpl2utXGGQhAGM0F2lpdQwJfd/cRneiDfEJ1GSV+yaSPfTm2KFVVM+Kzl7AyHQO6W1dEvaMhJgGvxixc0SkF9zuU0WXnNOxW67fKUuuZZ69TwMdcVmwF1u7pV9tsONtgf8=,iv:Heynu00CnyU17zNkv1riz2hpulbXOeoi7ukj7c3Qk1g=,tag:Jqkaqq3XSXvENl/8a1z2QA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 
diff --git a/nixos/modules/nixos/services/rss-bridge/default.nix b/nixos/modules/nixos/services/rss-bridge/default.nix
deleted file mode 100644
index 143f215..0000000
--- a/nixos/modules/nixos/services/rss-bridge/default.nix
+++ /dev/null
@@ -1,136 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.${category}.${app}; - app = "rss-bridge"; - category = "services"; - description = "rss feed for sites without"; - # image = "%{image}"; - inherit (config.services.rss-bridge) user;#string - inherit (config.services.rss-bridge) group;#string - port = 1234; #int - appFolder = "/var/lib/${app}"; - # persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}"; - host = "${app}" + (if cfg.dev then "-dev" else ""); - url = "${host}.${config.networking.domain}"; -in -{ - options.mySystem.${category}.${app} = - { - enable = mkEnableOption "${app}"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - monitor = mkOption - { - type = lib.types.bool; - description = "Enable gatus monitoring"; - default = true; - }; - prometheus = mkOption - { - type = lib.types.bool; - description = "Enable prometheus scraping"; - default = true; - }; - addToDNS = mkOption - { - type = lib.types.bool; - description = "Add to DNS list"; - default = true; - }; - dev = mkOption - { - type = lib.types.bool; - description = "Development instance"; - default = false; - }; - backup = mkOption - { - type = lib.types.bool; - description = "Enable backups"; - default = true; - }; - - - - }; - - config = mkIf cfg.enable { - - ## Secrets - # sops.secrets."${category}/${app}/env" = { - # sopsFile = ./secrets.sops.yaml; - # owner = user; - # group = group; - # restartUnits = [ "${app}.service" ]; - # }; - - users.users.jahanson.extraGroups = [ group ]; - - ## service - services.rss-bridge = { - enable = true; - whitelist = [ "*" ]; - virtualHost = "${url}"; - }; - - # homepage integration - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${url}"; - inherit description; - }; - } - ]; - - ### gatus integration - mySystem.services.gatus.monitors = mkIf cfg.monitor [ - { - name = app; - 
group = "${category}"; - url = "https://${url}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - } - ]; - - ### Ingress - services.nginx.virtualHosts.${url} = { - forceSSL = true; - useACMEHost = config.networking.domain; - }; - - ### firewall config - - # networking.firewall = mkIf cfg.openFirewall { - # allowedTCPPorts = [ port ]; - # allowedUDPPorts = [ port ]; - # }; - - ### backups - warnings = [ - (mkIf (!cfg.backup && config.mySystem.purpose != "Development") - "WARNING: Backups for ${app} are disabled!") - ]; - - services.restic.backups = mkIf cfg.backup (config.lib.mySystem.mkRestic - { - inherit app user; - paths = [ appFolder ]; - inherit appFolder; - }); - - - # services.postgresqlBackup = { - # databases = [ app ]; - # }; - - - - }; -} diff --git a/nixos/modules/nixos/services/syncthing/default.nix b/nixos/modules/nixos/services/syncthing/default.nix deleted file mode 100644 index 52840a3..0000000 --- a/nixos/modules/nixos/services/syncthing/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.syncthing; -in -{ - options.mySystem.services.syncthing.enable = mkEnableOption "Syncthing"; - options.mySystem.services.syncthing.openFirewall = mkEnableOption "Syncthing" // { default = true; }; - - config = mkIf cfg.enable { - - services.syncthing = { - enable = true; - group = "users"; - guiAddress = "0.0.0.0:8384"; - settings.options.urAccepted = -1; # decline telemetry - openDefaultPorts = cfg.openFirewall; - - }; - - mySystem.services.traefik.routers = [{ - http.routers.syncthing = { - rule = "Host(`syncthing.${config.mySystem.domain}`)"; - entrypoints = "websecure"; - middlewares = "local-ip-only@file"; - service = "syncthing"; - }; - http.routers.syncthing.loadbalancer.server = { - port = "8384"; - }; - }]; - - - }; -} 
diff --git a/nixos/modules/nixos/services/traefik/default.nix b/nixos/modules/nixos/services/traefik/default.nix
deleted file mode 100644
index d69c3ac..0000000
--- a/nixos/modules/nixos/services/traefik/default.nix
+++ /dev/null
@@ -1,230 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -# ref: https://github.com/rishid/nix-config/blob/be0d5cbbe4df79ed2b2ba4714456f21777c72b38/modules/traefik/default.nix#L170 -with lib; -let - cfg = config.mySystem.services.traefik; - - # core dynamic options to define middleware - # sso etc - dynamicOptions = [{ - - http.middlewares = { - # Whitelist local network and VPN addresses - local-ip-only.ipWhiteList.sourceRange = [ - "127.0.0.1/32" # localhost - "192.168.0.0/16" # RFC1918 - "10.0.0.0/8" # RFC1918 - "172.16.0.0/12" # RFC1918 (docker network) - ]; - - # authelia = { - # # Forward requests w/ middlewares=authelia@file to authelia. - # forwardAuth = { - # # address = cfg.autheliaUrl; - # address = "http://127.0.0.1:9092/api/verify?rd=https://auth.dhupar.xyz:444/"; - # trustForwardHeader = true; - # authResponseHeaders = [ - # "Remote-User" - # "Remote-Name" - # "Remote-Email" - # "Remote-Groups" - # ]; - # }; - # }; - # authelia-basic = { - # # Forward requests w/ middlewares=authelia-basic@file to authelia. 
- # forwardAuth = { - # address = "http://127.0.0.1:9092/api/verify?auth=basic"; - # trustForwardHeader = true; - # authResponseHeaders = [ - # "Remote-User" - # "Remote-Name" - # "Remote-Email" - # "Remote-Groups" - # ]; - # }; - # }; - # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#forwardauth-with-static-upstreams-configuration - # auth-headers = { - # browserXssFilter = true; - # contentTypeNosniff = true; - # forceSTSHeader = true; - # frameDeny = true; - # sslHost = domain; - # sslRedirect = true; - # stsIncludeSubdomains = true; - # stsPreload = true; - # stsSeconds = 315360000; - # }; - }; - - tls.options.default = { - minVersion = "VersionTLS13"; - sniStrict = true; - }; - - # Set up wildcard domain certificates for both *.hostname.domain and *.local.domain - http.routers = { - traefik = { - entrypoints = "websecure"; - rule = "Host(`traefik-${config.networking.hostName}.${config.mySystem.domain}`)"; - tls.certresolver = "letsencrypt"; - tls.domains = [{ - main = "${config.mySystem.domain}"; - sans = "*.${config.mySystem.domain}"; - }]; - middlewares = "local-ip-only@file"; - service = "api@internal"; - }; - }; - }]; - - # Combine the above 'core 'options with the (dynamicOptions) - # list of ingress routers for each serfie defined in various - # modules (cfg.routers) - # this folds the list and iterates each element to add them together - dynamicOptionsAttrset = lib.foldl' (acc: elem: lib.recursiveUpdate acc elem) { } (dynamicOptions ++ cfg.routers); - routersFile = builtins.toFile "routers.yaml" (builtins.toJSON dynamicOptionsAttrset); - -in -{ - options.mySystem.services.traefik = { - enable = mkEnableOption "Traefik reverse proxy"; - routers = lib.mkOption { - type = lib.types.listOf lib.types.attrs; - description = "Routers to add to traefik"; - default = [ ]; - }; - }; - - - config = mkIf cfg.enable - { - - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "f 
${config.services.traefik.dataDir}/acme.json 0600 traefik ${config.services.traefik.group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - - # put the dynamic configs in a file - # i put this in a file instead of piping directly into - # the traefik module, so that if i update the file - # with a new router nix doesnt restart traefik, it just updates - # the etc file and traefik picks up the changes. - environment.etc."traefik/config.yaml".source = routersFile; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - sops.secrets."system/services/traefik/apiTokenFile".sopsFile = ./secrets.sops.yaml; - - # Restart when secret changes - sops.secrets."system/services/traefik/apiTokenFile".restartUnits = [ "traefik.service" ]; - - systemd.services.traefik = { - serviceConfig.EnvironmentFile = [ - config.sops.secrets."system/services/traefik/apiTokenFile".path - ]; - }; - - # add user to group to view files/storage - users.users.jahanson.extraGroups = [ "traefik" ]; - - services.traefik = { - # TODO refactor into subfiles - enable = true; - group = "podman"; # podman backend, required to access socket - - dataDir = "${config.mySystem.persistentFolder}/traefik"; - # Required so traefik is permitted to watch docker events - # group = "docker"; - - staticConfigOptions = { - - global = { - checkNewVersion = false; - sendAnonymousUsage = false; - }; - - api.dashboard = true; - log.level = "DEBUG"; - - # Allow backend services to have self-signed certs - serversTransport.insecureSkipVerify = true; - - providers = { - docker = { - endpoint = "unix:///var/run/podman/podman.sock"; - exposedByDefault = false; - defaultRule = "Host(`{{ normalize .Name }}.${config.mySystem.domain}`)"; - # network = "proxy"; - }; - file = { - filename = "/etc/traefik/config.yaml"; - watch = true; - }; - - }; - - # Listen on port 80 and redirect to port 443 - entryPoints.web = { - address = ":80"; - http.redirections.entrypoint.to = "websecure"; - }; - - # Run 
everything SSL - entryPoints.websecure = { - address = ":443"; - http = { - tls = { - certresolver = "letsencrypt"; - domains.main = "${config.mySystem.domain}"; - domains.sans = "*.${config.mySystem.domain}"; - }; - }; - http3 = { }; - }; - - certificatesResolvers.letsencrypt.acme = { - dnsChallenge.provider = "cloudflare"; - dnsChallenge.resolvers = [ "1.1.1.1:53" ]; - keyType = "EC256"; - storage = "${config.services.traefik.dataDir}/acme.json"; - }; - # }; - }; - # Dynamic configuration - # refer the etc file defined above with the build - # dynamic options - dynamicConfigFile = "/etc/traefik/config.yaml"; - }; - - mySystem.services.homepage.infrastructure = [ - { - "Traefik ${config.networking.hostName}" = { - icon = "traefik.png"; - href = "https://traefik-${config.networking.hostName}.${config.mySystem.domain}/dashboard/"; - - description = "Reverse Proxy"; - widget = { - type = "traefik"; - url = "https://traefik-${config.networking.hostName}.${config.mySystem.domain}"; - }; - }; - } - ]; - - mySystem.services.gatus.monitors = [{ - - name = "Traefik ${config.networking.hostName}"; - group = "infrastructure"; - url = "https://traefik-${config.networking.hostName}.${config.mySystem.domain}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - }]; - - }; -} diff --git a/nixos/modules/nixos/services/traefik/secrets.sops.yaml b/nixos/modules/nixos/services/traefik/secrets.sops.yaml deleted file mode 100644 index bb4d032..0000000 --- a/nixos/modules/nixos/services/traefik/secrets.sops.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -system: - services: - #ENC[AES256_GCM,data:nOjY3Vj7zNlnAtqKP7gQ85bvNFYy9LTUEvFEr7+Zcjl+SHVtav/xSvouZvHfS2R1s5FUO/IHhAO/b5lo+7gS5rXWprtwpmxTz274Mw==,iv:TXSdzhn10kgG16OSIhbJNWnuBHYPto7KEJmI4plMPJM=,tag:PiS2lcOE59pcX/P4kSfhCw==,type:comment] - traefik: - apiTokenFile: ENC[AES256_GCM,data:y0MToeBoYzrlbHq6+7Z05A6qNgREyPc48GURsQlFf9vKnK1rEi+isezqJD1VMMy6QtOeJQrzCi22VrUYlEMV63sPOsHYK+el9Om6oa8WA2HrqMrAswDNZWGSXdX1RW98WQ==,iv:h0xIH6wnZloLz3EdlMEGkbz1L5Z9gOfnFnjWPupvevQ=,tag:nP8E0trNt/yhxWO0PDDCtg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTjFjWnBoQkhWYVIzb1Av - OENjREtkN20xZnFIb1gya3RnY3grN3o4d1RVCmpwd0pwWi9QVTdKVUdxa0M4NzJk - L2pCRWQ5bUNpTlJ1WjArQ0tVd01HdXMKLS0tIGhvVjZMcmlpVUhzV1FmMVFJdVQv - YzFLUFZXZEpmWHpha2Z0U0dqb0hTaWMKvKvBprEyebIYK0fc61x49G/ATlGsXUkQ - HvStwbMhMKy2dctwtTiDSTPQyu3qLjHYqpFK0ePiTXxmIBMsEU3zGw== - -----END AGE ENCRYPTED FILE----- - - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZ0tkOHBOZC9vaVdBU1ND - bkdGalM0WDBLSzRIOGl6L09oYkFaSm1MaFNVCmpYMzFqTFkvY2VTWlNWQW5Lak84 - RmlRYktQQ1ZrS3QzWXJNTUxhajJDRWMKLS0tIGVUemd2REMrdncrN0htTVZYOERq - YjJmOXVjbzVic0wrZzBPdHNEWWZ1WDQKarMJdvW4G2ox95IZ+Nc4cuTfc5hvUYh7 - uPxsSwHwicfKJf7lbdDnQc9YQ/xwre0aget6rUvpqKUA4uzXy7AN2w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhamNwNFdtdlQrM1IzRnZS - V0I5T2RyN2pOa0IxMUNzRUFqN1ZJeUFRTnhBCkRDaEU4SlNhb0tCMFJBV2Q4N2Jy - QWFVSzVEU0p6TXF1b2IvUnUwNEZOZ00KLS0tIFB4ZGo5dWJtOVNvWWdvZFFPWnBr - U0F2N3ZLdEVLaGRBV0Y1SDlsSGowM1EKjTbBambxpqg4ahEhKn0ky66XXMA/NESL - 
QcGxQCpveOp2OFHswg2TMAjYcFeWyQD/GgR13ipSrHCWugoyMfqGOQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSNm9mYUN6VTZScWlaOTBz - Uk0xQnl0TlIvRlpid090Wk5ubnNPMk9GalhVCjc1aUlPVmE1bUdET3VVZ0NXMEdX - MlF5N0RNTm1xNHhTL2ZDVGVyeEFHb28KLS0tIGVwMFZuUmYyUGk5T21LdWtRendW - Sm9BUzhPSnFJMWJ3dmlObGJadmo0VHMKFDsnDSMx5Gr9i5lushxBkEWkEwLr/5HO - HNmzpSpIIf2cnKtSM3rw+a1Wq6l8kFX5KBE71Fxn59clbVlU1TTolA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ekt5xz7u2xgdzgsrffhd9x22n80cn4thxd8zxjy2ey5vq3ca7gnqz25g5r - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSU1dvUWU1UXZINzQ0NHlD - TllxbXl2Y29sN0d4MHBLVHlaRi9NYUJDcUc4CnJ0Y1VhWkpwN1Z1dmhjNkNFYlRn - WTB2eXM3NnVyK2Z2QVhHWmNtNzM5RjQKLS0tIGlKRFZoblhXTjNXd1ZsQms2Y25N - M3RDOTVvK25scFF4T1kra2lGUXN1S3cK1rVQdADhWxjZjvKtNNs8tzkwzi/VkGs7 - AyPX8Eb5aMSmiF3e36CLAiF29nRqhV78Y+HglenbmzuEVGhPqVTMTw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa1lCOHY0MWhFR2QxSHUv - ZHZjMFVmR282ZGpwMzNpKzFIR25rbVN5MjNnClk4YWZzeTQ1ek1ES2tQcnVGcXhJ - d0JaMkM1Wm1DUXpQK084Z0JyeGQwREkKLS0tIEw2bWZhWk9hbEZDdDVmUmwzQXBa - UHdOaXMyVFNyMmwwSTI0UzRYMEtzNTgK2SmnaLbnNxaD8hL5cl87b+671ekxzrCx - owPvUyleS9PKpF3b38qEbK5Jo+1rkoWHduV4fuGniTScrsaSVWXm/g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Sm8xU1NkWHBOL2lZTDha - SFYvNCtxb3ZoeXhPd0Q1cUNES0JjKzRsUGx3CkZYcUFSdElucmNBekU4WjJvVDli - cW9RMi9tdUZjK0RBb2hnN0dBSkJMK1UKLS0tIGhrMlcrS1JvenJQOWp1OVdwOXdM - SFFlVmo2MWhFemRDYkwrL3pjeUovbGsKvcvOI7UAsuaNnlcR4jYhGFH3SWi4W9on - 
N+Wox9Hqr3ZLYtswpdAc6Zjzi1XBiEAaXEHWBFRLk0bSE9ZR9BZe6Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-25T02:28:14Z" - mac: ENC[AES256_GCM,data:0VhDlbDrYeK3aOqaeIqmQtTE4ubv+nmwQCx1GXIGB7qxs5qxQbx9UVO/xZJh08L8NBPtMwgM2LarvwBSqINjo9ekUkgKX9ezUMIJrvSN9DTarZiw6mBYLaKDF+sCB8/2C4mWNvzt9tBP94it/1d7lCzi/gutlGKzAyXVGIawwWI=,iv:UWueUfPPmUhMfacnmVW6jei+8Dm6AUykIFzqpNIYty8=,tag:ZIvY8e63TZ+n+rEp2VDWwg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/zigbee2mqtt/default.nix b/nixos/modules/nixos/services/zigbee2mqtt/default.nix deleted file mode 100644 index abdf5ce..0000000 --- a/nixos/modules/nixos/services/zigbee2mqtt/default.nix +++ /dev/null 
@@ -1,116 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: -with lib; -let - cfg = config.mySystem.services.zigbee2mqtt; - # persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}/"; - app = "zigbee2mqtt"; - user = app; - group = app; - appFolder = config.services.zigbee2mqtt.dataDir; - port = 8080; -in -{ - options.mySystem.services.zigbee2mqtt = { - enable = mkEnableOption "zigbee2mqtt"; - addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; - }; - - - config = mkIf cfg.enable { - - sops.secrets."services/mosquitto/mq/plainPassword.yaml" = { - sopsFile = ../mosquitto/secrets.sops.yaml; - owner = config.users.users.zigbee2mqtt.name; - inherit (config.users.users.zigbee2mqtt) group; - restartUnits = [ "${app}.service" ]; - }; - - services.zigbee2mqtt = { - enable = true; - settings = { - homeassistant = true; - permit_join = false; - include_device_information = true; - frontend = - { - inherit port; - url = "https://${app}.${config.networking.domain}"; - }; - client_id = "z2m"; - serial = { - port = "tcp://10.8.30.110:6638"; - }; - mqtt = { - server = "mqtt://mqtt.trux.dev:1883"; - client_id = "z2m"; - reject_unauthorized = true; - keepalive = 60; - version = 4; - user = "mq"; - base_topic = "zigbee2mqtt"; - password = "!${config.sops.secrets."services/mosquitto/mq/plainPassword.yaml".path} password"; - }; - availability = { - active.timeout = 10; - passive.timeout = 1500; - }; - advanced = { - log_level = "debug"; - network_key = [ 42 88 79 94 97 102 54 190 99 52 160 64 224 107 103 40 ]; - pan_id = 62782; - last_seen = "ISO_8601"; - }; - experimental.new_api = true; - }; - }; - - environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable { - directories = [{ directory = appFolder; inherit user; inherit group; mode = "750"; }]; - }; - - users.users.jahanson.extraGroups = [ app ]; - - services.nginx.virtualHosts."${app}.${config.networking.domain}" = { - 
useACMEHost = config.networking.domain; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - proxyWebsockets = true; - }; - }; - - - mySystem.services.homepage.infrastructure = mkIf cfg.addToHomepage [ - { - ${app} = { - icon = "${app}.svg"; - href = "https://${app}.${config.mySystem.domain}"; - description = "Zigbee bridge to MQTT"; - container = "${app}"; - }; - } - ]; - - mySystem.services.gatus.monitors = [{ - - name = app; - group = "services"; - url = "https://${app}.${config.mySystem.domain}"; - interval = "1m"; - conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ]; - }]; - - services.restic.backups = config.lib.mySystem.mkRestic - { - inherit app appFolder; - user = builtins.toString user; - paths = [ appFolder ]; - }; - - - }; -} diff --git a/nixos/modules/nixos/system/impermanence.nix b/nixos/modules/nixos/system/impermanence.nix index 8751a10..a6aebb2 100644 --- a/nixos/modules/nixos/system/impermanence.nix +++ b/nixos/modules/nixos/system/impermanence.nix @@ -21,10 +21,7 @@ with lib; type = lib.types.str; default = "/persist"; }; - }; - - config = lib.mkIf cfg.enable { # move ssh keys @@ -45,7 +42,6 @@ with lib; "/var/log" # persist logs between reboots for debugging "/var/lib/cache" # cache files (restic, nginx, contaienrs) "/var/lib/nixos" # nixos state - ]; files = [ "/etc/machine-id" diff --git a/nixos/modules/nixos/system/nix.nix b/nixos/modules/nixos/system/nix.nix index 2905ae4..29019aa 100644 --- a/nixos/modules/nixos/system/nix.nix +++ b/nixos/modules/nixos/system/nix.nix @@ -14,7 +14,6 @@ in type = lib.types.bool; description = "If we want to auto optimise store"; default = true; - }; gc = { enable = mkEnableOption "automatic garbage collection" // { @@ -27,13 +26,10 @@ in default = true; }; }; - }; config.nix = { - optimise.automatic = cfg.autoOptimiseStore; - # automatically garbage collect nix store gc = mkIf cfg.gc.enable { # garbage collection 
@@ -42,8 +38,5 @@ in options = "--delete-older-than 7d"; inherit (cfg.gc) persistent; }; - }; - - } diff --git a/nixos/modules/nixos/system/openssh.nix b/nixos/modules/nixos/system/openssh.nix index f9cc968..3933aac 100644 --- a/nixos/modules/nixos/system/openssh.nix +++ b/nixos/modules/nixos/system/openssh.nix @@ -15,14 +15,12 @@ in type = lib.types.bool; description = "If password can be accepted for ssh (commonly disable for security hardening)"; default = false; - }; permitRootLogin = mkOption { type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ]; description = "If root can login via ssh (commonly disable for security hardening)"; default = "no"; - }; }; @@ -42,8 +40,6 @@ in # Allow forwarding ports to everywhere GatewayPorts = "clientspecified"; }; - }; - }; } diff --git a/nixos/modules/nixos/system/pushover/default.nix b/nixos/modules/nixos/system/pushover/default.nix index 1d105da..4f0866e 100644 --- a/nixos/modules/nixos/system/pushover/default.nix +++ b/nixos/modules/nixos/system/pushover/default.nix @@ -29,7 +29,6 @@ in description = "Notify on failed unit %i"; serviceConfig = { Type = "oneshot"; - # User = config.users.users.jahanson.name; EnvironmentFile = config.sops.secrets."services/pushover/env".path; }; @@ -49,9 +48,7 @@ in --form-string "title=Unit failure: '$1' on $2" \ --form-string "message=$1 has failed on $2
Journal tail:

$(journalctl -u $1 -n 10 -o cat)" \ https://api.pushover.net/1/messages.json 2&>1 - ''; }; - }; } diff --git a/nixos/modules/nixos/system/security.nix b/nixos/modules/nixos/system/security.nix index 6c4af18..d02137f 100644 --- a/nixos/modules/nixos/system/security.nix +++ b/nixos/modules/nixos/system/security.nix @@ -8,9 +8,7 @@ let in { options.mySystem.security = { - sshAgentAuth.enable = lib.mkEnableOption "openssh"; - wheelNeedsSudoPassword = lib.mkOption { type = lib.types.bool; description = "If wheel group users need password for sudo"; @@ -22,16 +20,13 @@ in default = true; }; }; - config = { security = { sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; # Don't bother with the lecture or the need to keep state about who's been lectured sudo.extraConfig = "Defaults lecture=\"never\""; - pam.sshAgentAuth.enable = cfg.sshAgentAuth.enable; - # Increase open file limit for sudoers pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ { @@ -49,5 +44,4 @@ in ]; }; }; - } diff --git a/nixos/modules/nixos/system/systempackages.nix b/nixos/modules/nixos/system/systempackages.nix index 49969d1..4e4fc53 100644 --- a/nixos/modules/nixos/system/systempackages.nix +++ b/nixos/modules/nixos/system/systempackages.nix @@ -16,11 +16,9 @@ in default = [ ]; }; }; - # System packages deployed globally. # This is NixOS so lets keep this liiight? # Ideally i'd keep most of it to home-manager user only stuff # and keep server role as light as possible config.environment.systemPackages = cfg.packages; - } diff --git a/nixos/modules/nixos/system/time.nix b/nixos/modules/nixos/system/time.nix index 0f3c7a2..76b8dc2 100644 --- a/nixos/modules/nixos/system/time.nix +++ b/nixos/modules/nixos/system/time.nix @@ -10,7 +10,7 @@ in timeZone = lib.mkOption { type = lib.types.str; description = "Timezone of system"; - default = "Australia/Melbourne"; + default = "America/Chicago"; }; hwClockLocalTime = lib.mkOption { type = lib.types.bool; 
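Review bot: Removing the `mySystem.security.sshAgentAuth.enable` option and the `pam.sshAgentAuth.enable = cfg.sshAgentAuth.enable;` line in security.nix is a silent behaviour change for any host profile that still sets the option: that host now fails evaluation with an undefined-option error, and any host that relied on forwarded-agent authentication for sudo falls back to whatever `sudo.wheelNeedsPassword` gives. If dropping agent-based sudo is intended, a comment beside `sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;` such as `# PAM ssh-agent auth for sudo was removed; wheel users authenticate with their password` records the decision where the next reader will look. The option and config attribute sets span several hunks of this file, so I cannot see whether anything else referenced `cfg.sshAgentAuth`.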
diff --git a/nixos/modules/nixos/system/zfs.nix b/nixos/modules/nixos/system/zfs.nix index f4e657d..fecbcd5 100644 --- a/nixos/modules/nixos/system/zfs.nix +++ b/nixos/modules/nixos/system/zfs.nix @@ -14,11 +14,8 @@ with lib; type = lib.types.listOf lib.types.str; default = [ ]; }; - }; - config = lib.mkIf cfg.enable { - # setup boot boot = { supportedFilesystems = [ @@ -28,22 +25,17 @@ with lib; forceImportRoot = false; # if stuck on boot, modify grub options , force importing isnt secure extraPools = cfg.mountPoolsAtBoot; }; - - }; - services.zfs = { autoScrub.enable = true; # Defaults to weekly and is a bit too regular for my NAS - autoScrub.interval = "monthly"; + autoScrub.interval = "weekly"; trim.enable = true; }; - # Pushover notifications environment.systemPackages = with pkgs; [ busybox ]; - services.zfs.zed.settings = { ZED_PUSHOVER_TOKEN = "$(${pkgs.busybox}/bin/cat ${config.sops.secrets.pushover-api-key.path})"; ZED_PUSHOVER_USER = "$(${pkgs.busybox}/bin/cat ${config.sops.secrets.pushover-user-key.path})"; diff --git a/nixos/overlays/default.nix b/nixos/overlays/default.nix index 93f7c26..94d2178 100644 --- a/nixos/overlays/default.nix +++ b/nixos/overlays/default.nix @@ -2,9 +2,7 @@ , ... }: { - nur = inputs.nur.overlay; - # The unstable nixpkgs set (declared in the flake inputs) will # be accessible through 'pkgs.unstable' unstable-packages = final: _prev: { diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix index 744b875..495bd8b 100644 --- a/nixos/profiles/global.nix +++ b/nixos/profiles/global.nix 
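Review bot: The comment kept above the changed line in zfs.nix, `# Defaults to weekly and is a bit too regular for my NAS`, now contradicts the new value `autoScrub.interval = "weekly";`, which by that comment's own account merely restates the default. Either drop the override together with its comment, or rewrite the comment to say why weekly is the intended cadence now, e.g. `# weekly scrub is fine for this pool; the earlier monthly override was too infrequent`. Leaving the two side by side will mislead the next person who tunes scrub frequency.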
@@ -14,21 +14,17 @@ with lib; (modulesPath + "/installer/scan/not-detected.nix") # Generated by nixos-config-generate ./global ]; - config = { - boot.tmp.cleanOnBoot = true; - mySystem = { - # basics for all devices time.timeZone = "America/Chicago"; security.increaseWheelLoginLimits = true; system.packages = [ pkgs.bat ]; domain = "hsn.dev"; internalDomain = "home.lan"; - shell.fish.enable = true; + # But wont enable plugins globally, leave them for workstations system.resticBackup.remote.location = "s3:https://x.r2.cloudflarestorage.com/nixos-restic"; }; diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix index 72cc6da..851cdf3 100644 --- a/nixos/profiles/global/nix.nix +++ b/nixos/profiles/global/nix.nix @@ -6,7 +6,6 @@ # Make `nix repl ''` use the same nixpkgs as the one used by this flake. environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}"; nix = { - # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake. registry.nixpkgs.flake = nixpkgs; channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead. @@ -18,7 +17,6 @@ ### settings = { - # Enable flakes experimental-features = [ "nix-command" @@ -27,31 +25,25 @@ # Substitutions substituters = [ - "https://cache.garnix.io" + "https://hsndev.cachix.org" "https://nix-community.cachix.org" "https://numtide.cachix.org" ]; trusted-public-keys = [ + "hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" ]; # Fallback quickly if substituters are not available. connect-timeout = 25; # Avoid copying unnecessary stuff over SSH builders-use-substitutes = true; - - trusted-users = [ "root" "@wheel" ]; - warn-dirty = false; - # The default at 10 is rarely enough. log-lines = lib.mkDefault 25; - }; }; - } 
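Review bot: The comment `# But wont enable plugins globally, leave them for workstations` in global.nix is left orphaned: the `shell.fish.enable = true;` line it described is removed while the comment stays, so it now sits between `internalDomain` and `system.resticBackup` describing nothing. Remove the comment together with the line. Separately, `boot.tmp.cleanOnBoot = true;` is dropped without replacement; unless /tmp is a tmpfs on these hosts, temporary files now survive reboots, which deserves a one-line comment stating that this is deliberate (or a `boot.tmp.useTmpfs` setting elsewhere) — I cannot see the rest of the profile tree to confirm either.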
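Review bot: The new `trusted-public-keys` entry for `hsndev.cachix.org` is added without any note on where the key came from, and a trusted key lets anything signed with it be substituted into the store on every host that imports this profile, so its provenance belongs next to it, e.g. `# hsndev.cachix.org signing key, copied from the cache's settings page on <DATE>` with the date filled in. The same hunk also removes `trusted-users = [ "root" "@wheel" ];`, which is a sensible tightening because trusted-users is effectively root-equivalent for the Nix daemon, but it changes what wheel users may do (per-invocation substituters, extra sandbox paths) and neither the hunk nor the commit description mentions it; a short comment or a line in the description would make the intent explicit.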
diff --git a/nixos/profiles/global/secrets.sops.yaml b/nixos/profiles/global/secrets.sops.yaml index 888eae6..5dca229 100644 --- a/nixos/profiles/global/secrets.sops.yaml +++ b/nixos/profiles/global/secrets.sops.yaml @@ -1,9 +1,9 @@ services: pushover: - env: ENC[AES256_GCM,data:kQSOPR+RUZZXcXqbK8Y+GAfMXljlrKJyxPmIeWN9GD/P0/sKwL+IyhvosZ9D8LiPksCiAKnn0g0KlGszbiOiS1juCTM2vF1h1r5o2sl8Qv4gGVv0FHUHofhlR/+4ZMIU,iv:CCZNo1Prqmu2OnX16Uf8Rxz/QoLI5auOeRfmwE47UR8=,tag:xyPAou+o2e3qWzJqCmD3pw==,type:str] -pushover-user-key: ENC[AES256_GCM,data:ixr36X/fTH79cZxZnOAq5MvUsvrAX4B+Iw0RAWgB,iv:Kjy2vW2YZOTRcamJcD30jeXJyGA/n6hmKxSDA8+63Qs=,tag:aW+fE1o8WoDFdgRA5kiJLg==,type:str] -pushover-api-key: ENC[AES256_GCM,data:TcoTh0scNEnZmqpRjThPqR5XAV6x0UqlopxD0IEM,iv:lmn9JTUxTIQLaW64YOkTWqQ35o76IQe7eZitkWKBQ4M=,tag:T7JHba7NSwI7Rc7nV4xX5w==,type:str] -jahanson-password: ENC[AES256_GCM,data:duTg2nl4qxyXVpiwWyA=,iv:Up2VFioPFTpQ9K/5DElwRm5YXQwT3qYU3RUEJNsYDmY=,tag:+0fvfQZ8zxFwwvoWMHGxvg==,type:str] + env: ENC[AES256_GCM,data:Ug92K492ytxkRMHTw6fmYKgpkz47gBg9aLxqivo+t5GejJbIU1cOewo88/7ASmslceTAiY57NcBTM56eHw7U9+HEq1IjX6RukM/OxZ27R4aMkLCdf1c7DNJ5GOOvX2Zo,iv:uVXUIervTvgLnr60oeWeysB08TR/jy9AjNMWLW75teo=,tag:l2ZGGzMKcVTdnKx5q7XJiA==,type:str] +pushover-user-key: ENC[AES256_GCM,data:EWMIbhjq6+CH958H661xlxcVNLSKWHgxVyjTCU50,iv:Ph6z7Tri64WoPnCbTtrCA2ziprID1VXg8rynx6j6OOg=,tag:MZvq0AE1gp9Ga/73s6MWOw==,type:str] +pushover-api-key: ENC[AES256_GCM,data:1rnQ/dgls1iLtx3efKT37PyrZyArVbRe7BjmKYqZ,iv:pRvkTjRtpf5PhXG555OR+TVmgzwmJnF8+Pb2wfbTKWU=,tag:3DFYTgLxQFQIT4qTP9cQgQ==,type:str] +jahanson-password: ENC[AES256_GCM,data:HPLOlKHCpQIhat5qKKg=,iv:AawKpXj+2ZfEXg/eO2On4qtqHsoxksdRxH6nr+/oTGE=,tag:4wWfOGXybP6B88iGdFMF9A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -13,41 +13,41 @@ sops: - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTHBld3gyZWRKRnM2V3pG - ZWFwdXNNRFY0ckRtSDdRMDRtV1FiM1lnekFJCk94UUVXL0JXcVhwcUxNZTNkT2R0 - RUQrL2N4aFdJbTlGZUNLUzlxV0trRHMKLS0tIHJkSStjdUhNaFpYRzVPSjljYTV3 - d3p1MWZaNmxKRWRoMjdLems5L1ZxNU0Kz+uH3c+RCmcNm15OTkGku/nkr6HJxXqz - zW2xW0Z7pij8FjJTx3+AD/NF2sufYAEQSUDjZxg2qzxcHPkuLaaQng== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSTUzM1RzZEFVZTJBdFAz + UnlYSmllNUdWa3BEa1BWQnBtbXZ1YTBnR25RClVIdy9YTUFyZ2VOdHlyVnNxTS9W + Smw5dDc2S053ZElsdHZpdTRQc2dCWGsKLS0tIGZXUzNMTFlxaVFWNE1GREphanBu + Rkdyd2lXUE5ucUVYT1FOZVlJR0hORGcKC5k9U3D+rfp4yEOx88APxmobjvOnf9jn + POshirAInB/FjEOCb6gwmX8Y/0KJK1A69vwrx3+C4S+8xWcTQwnHqA== -----END AGE ENCRYPTED FILE----- - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQXplYjZlL1VORHlOekVR - bG9UeEVUMnVXMnVRTHp5MnVDd04vQlNMWUNjCndlNXJ1eDhpMk5BcW1OUytLRUhv - THNyQVRUWkEvaUI2UUdjOFRUYUJvbHMKLS0tIGo3VVI5L2RPTG1SbXZqdlhEREpj - VndGbzE1SEFWcXNvbkRFemNMTCtpeXMKQm1KY5e0kAO4l8bDdCj5IEC/S7ntjCyj - dRqVlnmA8ClnyBo7HfURRbOxLK8iScKLDHVU0xo1CBGiEk5RLY8+Eg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMeCtkNnllZ3RHSjdVWHpq + N0pXM3B3RVJ2QnNwVXpvN2Q3R09mSFU1QWtnCnRvYnR6eVZCaEJkMjMxeEFzRHZ2 + enVodXlHUVFGcEZpTnFHT1VkTGwzbFkKLS0tIFhCTzQ3Ny9TOVBTamZ5SHIzKzFZ + L2NsSjFGWHR4ZDBQR0FFZUdCUXpPRmcKdC6gSCxkHvThXEhp94b3Gx/5Tz4E2B6C + TcwMZVgCC2VkSMASj1Jg08AX+xmJ92gc2xl/v9hQ3MWJbR38KBkaBw== -----END AGE ENCRYPTED FILE----- - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YlBZTDQrN0JXblZnN3Yy - alNITnBCc21jMmMvczZwQVFoWEV1VkhSdVhFCjg3RDl1WFFaTXRIUzRoMW9jVU8y - WklEUjFxMHlMQVhIY3dNU3pxbkZlN3cKLS0tIFNDbWRJR1p5NWZoS0lUeHJRV0du - 
UldSMFh3S2U4ZkNrWGgvL1h4czRqUkUKxh04CjPIN2w/D/bw0V07BXVa4U7UNZrd - tp9WUhUhySZkSwS+TDAtEYWLVOayCojq5OfdrvNfgfmOsnek+t+HNQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMk1XRjdHQUtYbnNrb1oy + SnlwVjBEUTd3dFdlaWh6UGlFTzR1RmpKYjE4CmhSKzFBOFFJSmtnM3Zwc3pKUy9j + SmJiNFhoVmd0ZzE0V2xDK0dzaGhZRGMKLS0tIHlqbWozZHV1R3JSclQ0ZWNRejlD + b1Q4RjJSWm1uSjRVNWd1WjBld1hUbk0KOB+7u0eLMslPCBE745dk7P8kVgELGp6m + glDmVIqsKmvutZ54AhCtI/pOuL5vlmnstRn8MCXcZgXbm3a80BSNFg== -----END AGE ENCRYPTED FILE----- - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZmg2L2ZCK2JXMHArUmw1 - Z3BWQ2J0QkFzbmoyeVZIN1RZVng0c0NGRG5jCjlXM2ZmL21EaTJ2Wk9uRmlqUlow - dU55bFMyenluYUxVcFBEWUQ5UXovSkUKLS0tIGp3Y2lMMWdoNDBDeU9TUDRxc01v - TmxUK3B1QUNKcXNzVDg2M0hLOWpkWFkKuBAU1zDdTLjyeVxzcnVf34wo/mLSjKoh - YUysbhHwu7EVwgdX+OoRHyQFjWenPZ/IkLsjDuYrQ+3RDrpKDyWe3Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOcUFiQk5yMGJBUitabTB6 + UHFVRXFVVWFoREV2dXZXcVJ0cG11TlhCUEVVCnAxQkJUUkU1VUhSaWNLQStpcUJu + ZzJBQjlUQXhuZk9PZXRJSktnQWFHZmcKLS0tIFI4TUNwREF5cXNXZEd1NUJ3MGFH + OFVrMXovMDVZTU5obE42NXkwektRa0UKmd1VNqD43WmhwICUohG2DLsZ9wYsGujp + IERwiWAiCppqOEULQeZti8ioPHJDs6tjpuAR+vZ1TD/uhdJP4xsfcA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-11T03:03:12Z" - mac: ENC[AES256_GCM,data:HEScCXJq4vBv8iJ9I/Ya9YtZWOKVKJlQsPrOMMt1zHVPxvDH/GZvDGJcJj63+1t4jkmr75z2ccH01ODcYgB82AISvckQYA/GBi/uQkQpvWuzzxpf11taIlikQjEogMDMDDlsjbHcJZjwQGQcPwr/HvPqGF6kzRHyxfwKb2ZUZ2w=,iv:1hAmBzMKqSk6hbsHOqhKCNoi4YIxhaItjr1nJrUk9ho=,tag:kyVDSJpr2bH4l3xzIwDo1Q==,type:str] + lastmodified: "2024-05-18T16:39:41Z" + mac: ENC[AES256_GCM,data:EXz+9dIdcI21WlJ9r/lewrfx9MjynA1eS82MMnO0BBiE2KV6XcMvrxStMIerXY/0nr2XGoZii8amo072naaHBTCwCsaDlx0Ry3oMyZYZNFwTM2mqIK93CymIkhe/qhMyNxDTmKc3QFEiRtimLnUx8YW27leS1b4mNFHcauXYNHA=,iv:EEmK39VBNXnJayk6z4MfHHsfj7OuwXUeLZQ06q2y2cE=,tag:9PLLS5BbwB1wmA+UV/oIwA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 
diff --git a/nixos/profiles/global/sops.nix b/nixos/profiles/global/sops.nix index b881b15..77bd84e 100644 --- a/nixos/profiles/global/sops.nix +++ b/nixos/profiles/global/sops.nix @@ -1,6 +1,5 @@ { config, ... }: { - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # Secret for machine-specific pushover sops.secrets."services/pushover/env" = { @@ -12,5 +11,4 @@ sops.secrets.pushover-api-key = { sopsFile = ./secrets.sops.yaml; }; - } diff --git a/nixos/profiles/global/system.nix b/nixos/profiles/global/system.nix index bd12372..6c6301a 100644 --- a/nixos/profiles/global/system.nix +++ b/nixos/profiles/global/system.nix @@ -9,39 +9,6 @@ with lib; ''; # Do not change unless you know what you are doing - stateVersion = "23.11"; # THERE BE DRAGONS - - # (This one comes in the niiiiight) ::: - # :: :::. - # \/, .::::: - # \), \`-._ :::888 - # /\ \ `-. ::88888 - # / \ | .( ::88 - # /,. \ ; ( ` .:8888 - # ), \ / ;`` :::888 - # /_ \ __/_(_ :88 - # `. ,`..-' `-._ \ / :8 - # )__ `. `._ .\/. - # / `. ` `-._______m _, - # ,-=====-.-;' , ___________/ _,-_,'"`/__,-. - # C =-- ; `.`._ V V V -=-'"#==-._ - # :, \ ,| UuUu _,......__ `-.__A_A_ -. ._ ,--._ ",`` `- - # || |`---' : uUuUu,' `'--...____/ `" `". ` - # |` : \ UuUu: - # : / \ UuUu`-._ - # \(_ `._ uUuUu `-. - # (_3 `._ uUu `._ - # ``-._ `. - # `-._ `. - # `. \ - # ) ; - # / / - # `. |\ ,' / - # ",_A_/\-| ` ,' - # `--..,_|_,-'\ - # | \ - # | \__ - # |__ - + stateVersion = "23.11"; }; } diff --git a/nixos/profiles/global/users.nix b/nixos/profiles/global/users.nix index 3e9c5f3..cbe6607 100644 --- a/nixos/profiles/global/users.nix +++ b/nixos/profiles/global/users.nix @@ -1,12 +1,8 @@ -{ pkgs -, config -, ... -}: +{ pkgs, config, ... }: let ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; in { - sops.secrets = { jahanson-password = { sopsFile = ./secrets.sops.yaml; 
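Review bot: Dropping `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` makes secret decryption depend on sops-nix's default for that option, which as far as I recall is derived from `services.openssh.hostKeys` only when openssh is enabled and is empty otherwise; a host importing this profile without openssh, or with a non-default host-key path, would then fail to decrypt its secrets at activation. If the default is what is wanted, keep the dependency visible with a comment such as `# age identity comes from the openssh ed25519 host key via sops-nix's default`; otherwise restore the explicit path. I cannot see which hosts import this profile, so please confirm against them.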
@@ -38,7 +34,7 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETR70eQJiXaJuB+qpI1z+jFOPbEZoQNRcq4VXkojWfU" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIATyScd8ZRhV7uZmrQNSAbRTs9N/Dbx+Y8tGEDny30sA" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore" - ]; # TODO do i move to ingest github creds? + ]; # packages = [ pkgs.home-manager ]; }; diff --git a/nixos/profiles/hw-generic-x86.nix b/nixos/profiles/hw-generic-x86.nix index cbc3be9..9758aab 100644 --- a/nixos/profiles/hw-generic-x86.nix +++ b/nixos/profiles/hw-generic-x86.nix @@ -1,5 +1,4 @@ { config, lib, pkgs, imports, boot, ... }: - with lib; { diff --git a/nixos/profiles/hw-thinkpad-t470.nix b/nixos/profiles/hw-thinkpad-t470.nix index e1a17dd..ba524f6 100644 --- a/nixos/profiles/hw-thinkpad-t470.nix +++ b/nixos/profiles/hw-thinkpad-t470.nix @@ -1,6 +1,4 @@ { config, lib, pkgs, imports, boot, ... }: - -with lib; { boot = { # Use the systemd-boot EFI boot loader.
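Review bot: `with lib;` is removed from hw-thinkpad-t470.nix while the preceding hw-generic-x86.nix hunk keeps it; if any later line of the thinkpad profile uses an unqualified lib function (mkIf, mkDefault, mkForce and the like) the file no longer evaluates. Only the first four lines of the file are in this hunk, so please check the remainder; if nothing there needs lib, the profile is fine as is, and the same cleanup could then be applied to hw-generic-x86.nix for consistency.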