diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 2757762..849309e 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -3,6 +3,7 @@ "extends": [ "github>truxnell/renovate-config", "github>truxnell/renovate-config:automerge-github-actions", + "github>truxnell/nix-config//.github/renovate/autoMerge.json5", ], "gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>", @@ -13,7 +14,19 @@ "nix": { "enabled": "true" }, + "lockFileMaintenance": { "enabled": "true" - }, - } \ No newline at end of file + }, + + { + "regexManagers": [ + { + fileMatch: ["^.*\\.nix$"], + matchStrings: [ + 'image *= *"(?[^"]+):(?[^"]+)(@(?sha256:[a-f0-9]+))?";', + ], + datasourceTemplate: "docker", + } + ], +} \ No newline at end of file diff --git a/.github/renovate/autoMerge.json5 b/.github/renovate/autoMerge.json5 new file mode 100644 index 0000000..c62751e --- /dev/null +++ b/.github/renovate/autoMerge.json5 @@ -0,0 +1,17 @@ +{ + packageRules: [ + // auto update all up to major + { + matchDatasources: ['docker'], + automerge: "true", + matchUpdateTypes: [ 'minor', 'patch', 'digest'], + matchPackageNames: [ + 'onedr0p/sonarr', + 'onedr0p/readarr', + 'onedr0p/radarr', + 'onedr0p/lidarr', + 'onedr0p/prowlarr', + ], + }, + ], +} \ No newline at end of file diff --git a/docs/vm/k8s.md b/docs/vm/k8s.md new file mode 100644 index 0000000..b21118a --- /dev/null +++ b/docs/vm/k8s.md @@ -0,0 +1,10 @@ +Removed complexity + +- external secrets -> bog standard sops +- HA file storage -> standard file system +- HA database cluster -> nixos standard cluster +- Database user operator -> nixos standard ensure_users +- Database permissions operator -> why even?? +- secrets reloader -> sops restart_unit +- easier managment, all services run through systemd for consistency, cockpit makes viewing logs/pod console etc easy. + 
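Review bot: As rendered, the new `regexManagers` block in the `@@ -13,7 +14,19 @@` hunk opens as a bare `{` right after the `lockFileMaintenance` entry and the file's closing brace is removed, so the anonymous object has no key and the root object is left unterminated; `regexManagers` should be a key of the root object, with the final `}` restored. The `matchStrings` pattern also demands `name:tag` before the optional `@sha256` digest, but the images this commit adds (e.g. `ghcr.io/onedr0p/lidarr@sha256:…`) carry no tag, so `depName` would capture `…/lidarr@sha256` and the digest hex would be read as the version; either tag the images or make the `:(…)` group optional. The capture groups print here as `(?[^"]+)`, which may be extraction loss — confirm the file has `(?<depName>…)`, `(?<currentValue>…)` and `(?<currentDigest>…)`, since Renovate needs those names to build the update. Current Renovate also migrates `regexManagers` to `customManagers` with `customType: "regex"`, so writing it that way up front avoids a migration warning.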
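Review bot: `automerge: "true"` in autoMerge.json5 is a string, and Renovate's `automerge` option is a boolean, so config validation flags the type and the rule will not behave as intended; use `automerge: true` (the `"enabled": "true"` entries in renovate.json5 have the same problem). The rule then automerges minor, patch and digest updates of five third-party images from `ghcr.io/onedr0p`, and nothing on the page shows a build or evaluation gate in front of the merge, so an upstream retag or a compromised publish would reach the hosts without a human look; consider limiting automerge to `digest` and `patch`, and requiring a status check such as a flake evaluation to pass before Renovate may merge. The comment `// auto update all up to major` is also misleading — the rule excludes `major` rather than updating up to it; `// automerge everything below major (minor/patch/digest)` says what it does.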
diff --git a/nixos/home/modules/programs/browsers/firefox/search.nix b/nixos/home/modules/programs/browsers/firefox/search.nix
index 0c3d9de..999e41c 100644
--- a/nixos/home/modules/programs/browsers/firefox/search.nix
+++ b/nixos/home/modules/programs/browsers/firefox/search.nix
@@ -36,8 +36,8 @@ definedAliases = [ "@nhmo" ];
 };
 "NixOS Wiki" = {
- urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
- iconUpdateURL = "https://nixos.wiki/favicon.png";
+ urls = [{ template = "https://wiki.nixos.org/w/index.php?search={searchTerms}"; }];
+ iconUpdateURL = "https://wiki.nixos.org/favicon.ico";
 updateInterval = 24 * 60 * 60 * 1000; # every day
 definedAliases = [ "@nw" ];
 };
@@ -47,6 +47,12 @@ updateInterval = 24 * 60 * 60 * 1000; # every day
 definedAliases = [ "@ks" ];
 };
+ "Github Code Search" = {
+ urls = [{ template = "https://github.com/search?type=code&q={searchTerms}"; }];
+ iconUpdateURL = "https://github.githubassets.com/favicons/favicon-dark.svg";
+ updateInterval = 24 * 60 * 60 * 1000; # every day
+ definedAliases = [ "@gs" ];
+ };
 # "Searx" = {
 # urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }];
diff --git a/nixos/hosts/shodan/default.nix b/nixos/hosts/shodan/default.nix
index c515f86..891a9dc 100644
--- a/nixos/hosts/shodan/default.nix
+++ b/nixos/hosts/shodan/default.nix
@@ -13,11 +13,14 @@ mySystem.services = {
 openssh.enable = true;
- cockpit.enable = true;
 podman.enable = true;
 traefik.enable = true;
- sonarr.enable = true;
 homepage.enable = true;
+ sonarr.enable = true;
+ radarr.enable = true;
+ lidarr.enable = true;
+ readarr.enable = true;
+
 };
 mySystem.nfs.nas.enable = true;
@@ -40,7 +43,7 @@ };
 };
- networking.hostName = "shodan"; # Define your hostname.
+ networking.hostName = "shodan1"; # Define your hostname.
 networking.useDHCP = lib.mkDefault true;
 fileSystems."/" =
diff --git a/nixos/modules/nixos/services/arr/default.nix b/nixos/modules/nixos/services/arr/default.nix
index 6955140..0c624fd 100644
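Review bot: `cockpit.enable = true` is removed from this host while `docs/vm/k8s.md`, added in the same commit, relies on cockpit for viewing logs and pod consoles; if the intent is that the cockpit module becomes default-on (its diff is cut off at the end of this page), a comment here such as `# cockpit is enabled by default in modules/nixos/services/cockpit` would make that explicit, otherwise the docs and the host are out of step. `prowlarr` is also imported by the arr module set in this commit but not enabled here, yet because the new arr modules gate on `config.mySystem.services.sonarr` rather than their own option it will start on this host anyway whenever sonarr is enabled.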
--- a/nixos/modules/nixos/services/arr/default.nix
+++ b/nixos/modules/nixos/services/arr/default.nix
@@ -1,5 +1,9 @@
 {
 imports = [
 ./sonarr
+ ./radarr
+ ./lidarr
+ ./readarr
+ ./prowlarr
 ];
 }
diff --git a/nixos/modules/nixos/services/arr/lidarr/default.nix b/nixos/modules/nixos/services/arr/lidarr/default.nix
new file mode 100644
index 0000000..919b058
--- /dev/null
+++ b/nixos/modules/nixos/services/arr/lidarr/default.nix
@@ -0,0 +1,79 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+ app = "lidarr";
+ image = "ghcr.io/onedr0p/lidarr@sha256:6b9564037159c2b90f32a2ee34683275783a4b8eff4b609e2d2b1c0654c94bac";
+ user = "568"; #string
+ group = "568"; #string
+ port = 8686; #int
+ cfg = config.mySystem.services.sonarr;
+ persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+ options.mySystem.services.${app} =
+ {
+ enable = mkEnableOption "${app}";
+ addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ # ensure folder exist and has correct owner/group
+ systemd.tmpfiles.rules = [
+ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+ ];
+
+ sops.secrets."services/${app}/env" = {
+
+ # configure secret for forwarding rules
+ sopsFile = ./secrets.sops.yaml;
+ owner = config.users.users.kah.name;
+ inherit (config.users.users.kah) group;
+ restartUnits = [ "podman-${app}.service" ];
+ };
+
+ virtualisation.oci-containers.containers.${app} = {
+ image = "${image}";
+ user = "${user}:${group}";
+ environment = {
+ PUSHOVER_DEBUG = "false";
+ PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+ LIDARR__INSTANCE_NAME = "Lidarr";
+ LIDARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+ LIDARR__LOG_LEVEL = "info";
+ };
+ environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+ volumes = [
+ "${persistentFolder}:/config:rw"
+ "/mnt/nas/natflix:/media:rw"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.${app}.entrypoints" = "websecure";
+ "traefik.http.routers.${app}.middlewares" = "local-only@file";
+ "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+ };
+ };
+
+ mySystem.services.homepage.media-services = [
+ {
+ Lidarr = {
+ icon = "${app}.png";
+ href = "https://${app}.${config.networking.domain}";
+ description = "Music management";
+ container = "${app}";
+ widget = {
+ type = "${app}";
+ url = "http://${app}:${toString port}";
+ key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}";
+ };
+ };
+ }
+ ];
+ };
+}
diff --git a/nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml
new file mode 100644
index 0000000..e38b868
--- /dev/null
+++ b/nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml
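Review bot: `cfg = config.mySystem.services.sonarr;` in the let-binding means this module never reads its own `mySystem.services.lidarr.enable`: lidarr starts whenever sonarr is enabled and cannot be switched off independently, and the same copy-paste is in the prowlarr, radarr and readarr modules in this commit (which is why prowlarr comes up on shodan although the host never enables it). Replace it with `cfg = config.mySystem.services.${app};`, as the sonarr module in this same commit does. The `pkgs` module argument is also unused in all five modules and can be dropped from the argument set.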
@@ -0,0 +1,59 @@ +services: + lidarr: + env: ENC[AES256_GCM,data:+Ja2gz7l5bueQJdMxtsF2o2rXtnPfsj9xfANoZ7T2wI4vf/VQRcHFG8IFvpJWr03kr+4iIK7BlSqE+o5CqL7pZLPbC6FW0mnqFKXUpZZxctPlrDXPHLR6UcnDbvJjNgSF4O+nLz0yzUFV28/C0I=,iv:j+q/uM16sxffCaKZHeXD957J8mFG6sLUL8vBwwO7/mE=,tag:QPDD6WiRTLrXtUeNytYGew==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bW9rRnF5TzBBQUdSdy9q + NExkZjdUWFI4VkFDUHF2REFQaXg4SGppUkcwCk12NW05NVUwaHBkNVdJRHA4L3Qw + d0VtVkVmdmJpRDJCOHBIU1lHNVFpT1UKLS0tIGhVQlVibk1aOEc2YnBCM3RXVHQ2 + MUt0TzZTeXE3RkZBM0RBRkFkWkFYRTgKPQrxDiWBOyAIZpgLzHViMJGg4o+P/PlZ + pCj3n5C1z4lZgaWU+oE70a3r2CXg0toaG0Lg9lq7hh5pQV+KfLcO8g== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eWVSejhCcmhUT1hGZHlK + SVVUbmJ3UlVJT1k5azA3TkNsdDZCNWZQK0N3CnBYWUFWcXdSamhDT2pXTUFsZFIr + akgxSkZtRE44eW0yQlFGc0U5RWUxdjQKLS0tIExDdXBhSGh0dDM5ZnFNTzdmdVNj + MUY5UlFuNitiR08xeW9EZ09ZNThnQ1UKC+O/NlGD6ZdWAdJAAMyamGUJi8M6LhW2 + 2CRjIhXpfhiG4vjbgP5Xs6JXXYfiF7mFN6W3VZAZ/B4aO/S+BEVYoA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Z1BYNDBVRjJDanVFNHMx + aUpXZW8wdGdDVkVQdXVRVnd0aFRLTnZuVUdFCmZJei84bVUyOFA5S2JaOVpLMVM2 + T3B1YnNCcmNEV2s5WC9CRCtqd0pITTgKLS0tIHFmcjlmSjhXaWl2U09ralVjZzZE + ZW5LaVhIVUNlN09aUVN0eGZvRU1TUGMKxQXeVgv5pwTTSM+b5YV0Clys/z6spAd6 + E8X0l9Q8QfKTw4JHhKZvVYtPQ/oKCqex7ez5WpARcOOcZmHojwuXdg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZmYzZElqQ0xBYmdrMHdD + dUVlTXlrVXJnNmNBZTZQMEdvYmwwMVIva2pvClZLU1pPV0xUVFZGQ0t5TGI5Mkhw + SE0wUWg2OWFnUTdBVEkzcTVOZWZFbWMKLS0tIEVCU2VnR3lIQXpqTnh0eHJzejEz + SzgxZG9TU1BsdVZlU1h5MkNyNG9ZaDgKGndrjZxBKRcvrLkPpE2cHCOGye3a6ek9 + EmLowxl4EQ+pQqbukteFBfSlrs/302FfNrzL7cP4p2jzrCiT1RtHTw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlIyYnlxRmZYSzlhUzNX + am9iS3h5TVJ5TWhraVYrWU9ETHdGMUpJZEIwCjBmQ3FMZHJFcjg0SXM1Q1FybXZq + azVCL25XVXpHd01wbzRHMTN4QVd3N0UKLS0tIEFIc2dNNjErZFoxdzNDcEo4VE9B + NVJrMEs2Q09aQlphYXdaelluYjgveUUKJndBGHWzTUoexspNKF29jlaBgEruu/ee + acxnf1IGetFRKVNRu9mBPxAoMo+21Qi61E0/gdGaXWGmK2HEwSCaSA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-07T01:10:07Z" + mac: ENC[AES256_GCM,data:3WmOa5i4eB5L88TjzLhJG6tHF4/ecwZQHE1aC4b737nJjFw4F7tWMtHECIPHjRXM8wTie/FZgIQA4AHQS8WxLMILWkiSHVAei0jYWUQLie6R1qvcZu6NdSg22Co368pSBaEkDy+jy1uXmhTGOcAWYivKdhLyuVyr+jVO7W0B600=,iv:MFHlY+iRxS9udlgZSRSr/06BHnhfLXcIhYlDY3RUpRc=,tag:u7FnVRGcK6Y3Zoh3h2fEjw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/services/arr/prowlarr/default.nix b/nixos/modules/nixos/services/arr/prowlarr/default.nix new file mode 100644 index 0000000..daf8284 --- /dev/null +++ b/nixos/modules/nixos/services/arr/prowlarr/default.nix 
@@ -0,0 +1,78 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+ app = "prowlarr";
+ image = "ghcr.io/onedr0p/prowlarr@sha256:7f90035619b4dbff6bff985181275300cd999be5d4f03fcaf359ef7068fc5e5e";
+ user = "568"; #string
+ group = "568"; #string
+ port = 9696; #int
+ cfg = config.mySystem.services.sonarr;
+ persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+ options.mySystem.services.${app} =
+ {
+ enable = mkEnableOption "${app}";
+ addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ # ensure folder exist and has correct owner/group
+ systemd.tmpfiles.rules = [
+ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+ ];
+
+ sops.secrets."services/${app}/env" = {
+
+ # configure secret for forwarding rules
+ sopsFile = ./secrets.sops.yaml;
+ owner = config.users.users.kah.name;
+ inherit (config.users.users.kah) group;
+ restartUnits = [ "podman-${app}.service" ];
+ };
+
+ virtualisation.oci-containers.containers.${app} = {
+ image = "${image}";
+ user = "${user}:${group}";
+ environment = {
+ PUSHOVER_DEBUG = "false";
+ PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+ PROWLARR__INSTANCE_NAME = "Prowlarr";
+ PROWLARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+ PROWLARR__LOG_LEVEL = "info";
+ };
+ environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+ volumes = [
+ "${persistentFolder}:/config:rw"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.${app}.entrypoints" = "websecure";
+ "traefik.http.routers.${app}.middlewares" = "local-only@file";
+ "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+ };
+ };
+
+ mySystem.services.homepage.media-services = [
+ {
+ Prowlarr = {
+ icon = "${app}.png";
+ href = "https://${app}.${config.networking.domain}";
+ description = "Content locator";
+ container = "${app}";
+ widget = {
+ type = "${app}";
+ url = "http://${app}:${toString port}";
+ key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}";
+ };
+ };
+ }
+ ];
+ };
+}
diff --git a/nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml
new file mode 100644
index 0000000..c6fac8a
--- /dev/null
+++ b/nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml
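Review bot: The sops secret `services/prowlarr/env` is given `owner = config.users.users.kah.name` and kah's group, which makes the decrypted env file (presumably the API key and notification settings the container reads) readable by an interactive user account, while its only consumer, the `podman-prowlarr.service` unit, runs as root and can read a root-owned `0400` file anyway. Dropping the `owner = …;` and `inherit (config.users.users.kah) group;` lines keeps sops-nix's default root ownership and mode; the same two lines appear in the lidarr, radarr, readarr and sonarr modules. The `# configure secret for forwarding rules` comment does not describe this secret; `# env file with the prowlarr API key and notification settings` (adjusted to the actual contents) would be accurate.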
@@ -0,0 +1,59 @@ +services: + prowlarr: + env: ENC[AES256_GCM,data:NvGX3+harRQfv0x5L/6QznuIyu6su08EkD1btg2mZmemcxndZSVb+5odFZIDnoCsSUSMlxfZXHn2gOHB+7ePpHlVYy3/MZZTbn8I/nxVaAOPKYCJ7KXG5eKp7uEk+ZqEwIeMTI1MKekhCCwm43Ndn+oD,iv:uFpbHQMocdzFe+HQPEmC9Cz2hWOuL6TLi4Or94EzEIY=,tag:xeDbq4Ab5UuQQYa0kUnbig==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSUwrZFliUC8wV1NKbm94 + U0VmR2t2VndWUFRjMzVOcitHZXJlZ2ZDVDI4ClpieVJnR044N0JEcVgvcU8rcDlB + ZG5VbVhpOXVaYXpoMERkYnVjbkhWWEEKLS0tIEhXUGt2SnBVSmNtdEdibm9TbEx4 + YnIrdkpGMGFYUXViQnE2Z0VlQVlHVVUKdh4QPZmkOUHY0nhZTgQHN/Is/OaHUKdB + fwPX5XltwaIgUCzKOJ18dOx24CA+xajvpRGDY5vdK6cN8N1lDnYPpw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTDUySUpRbXBNOVlNSGNu + NTY1Q3Ntd1pWaDVnMzQ4MW94QXN6T3dQb1J3CkNIRnBINmNsRWt3OGFlR056Nk02 + MEZlejIya2N6RUE2TlJtRkI3QTFTQlEKLS0tIGlneU1RSXBRdlhHMFFESU9wcE5W + YTlwU2srUjAySDI4TGt0bDlBT2VLL1kK8PJnEGhGAjDjQYBuPhS9NWsHg31ddkpq + UrC/SDONnawAVqC0djWkv2w71rHPh41GIFCW3V/IFS8vxQLSMiBo5w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUFp3MXFkVHU5dTdhcndG + aGdLWHY2Ti9ES0hjeWc2VXFTcXdPSWZrN25zCno2Snc1LzBTdC8zTS9lQSsrSmwz + d0VTb1Z6V0RxLzFzcEM4ZXEzZVpoSEkKLS0tIExvT2pKbzhaMUJaRHZoNlZpTXJY + eE5zVUhBblNFQ1RDVzl5K3VFaVMxRDAKuNxtVAqjbxaLJPr7LXKRj0Pt/gh8++Fp + AmYw0AVp/GMikWPCWVoCGiLr6svmNtbY0Q0B6KcN1N615G6AbrsoVg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicTlKS0FhRHRRRXNuMURH + UnN6QUhZUFNjSlRLRzJEYmU2cDAxdHhaQndZClRVR0p2UFBTdVNDUVhnSE1KSEQ3 + elNJeDdhK3lBb0xPK2daMmVBWUtMamMKLS0tIFZWeU9wdDErby90S2VFUHcrYjIx + MlVtM1dqSmdaTWZtdjZMcmd2aEhCN2cKYbzlgLrLhoGutJ6PPgALF9O1Pe5zZrfB + RCciStCtTO0Geloxf7YqelPW3D3crSSCmf4Yq4VTMnLccudGNRgaLA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOXNBN3MrajlTa1cxZ05y + MWx4TW40c3dabzZtZjErU0JzVUR4S2p4VVRjCkxkRjJNODI0M0pkYXBIQ1RxcFZY + OVhra0NmNnRkb1VOTHJMaDFVR0RuR28KLS0tIFlLNFk4MSt1M1UwL0tnRzRkYk00 + YTAwcUlzMGRDMldCYjUwM2lZYS9YOWcKdgArTqnH04EMDc8s4q8eIoAlRbD7hsYj + RJNesG9wKZlrGOlDydOX7CD7hyrVRH1CrhMIAzWggu5dy8Bl9Mbe4w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-07T03:01:12Z" + mac: ENC[AES256_GCM,data:ec1pzZ90D5jkY8jPDyDNyMxTovZqSjYBUryllybBPZwn08EeMPya/08+/mo3kqwgT4bVIFnEe/Fwk1ofEiz1G0YppcA4F43Rv0O7wGyTgRUKJ1sDuAcUvnvS/WSbG3POKibGcsu8v7wqDt9/JdFjoCfsurx+Ze17T9V+ZmYSQWo=,iv:oq55QVt2rMwCK8IPLNbUx5cs2sLAgWIp6/wb4faMpPU=,tag:rlmhn6XU7qgp58WpRlTwvA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/services/arr/radarr/default.nix b/nixos/modules/nixos/services/arr/radarr/default.nix new file mode 100644 index 0000000..2105044 --- /dev/null +++ b/nixos/modules/nixos/services/arr/radarr/default.nix 
@@ -0,0 +1,79 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+ app = "radarr";
+ image = "ghcr.io/onedr0p/radarr@sha256:2de39930de91ae698f9461bb959d93b9d59610f88e0c026e96bc5d9c99aeea89";
+ user = "568"; #string
+ group = "568"; #string
+ port = 7878; #int
+ cfg = config.mySystem.services.sonarr;
+ persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+ options.mySystem.services.${app} =
+ {
+ enable = mkEnableOption "${app}";
+ addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ # ensure folder exist and has correct owner/group
+ systemd.tmpfiles.rules = [
+ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+ ];
+
+ sops.secrets."services/${app}/env" = {
+
+ # configure secret for forwarding rules
+ sopsFile = ./secrets.sops.yaml;
+ owner = config.users.users.kah.name;
+ inherit (config.users.users.kah) group;
+ restartUnits = [ "podman-${app}.service" ];
+ };
+
+ virtualisation.oci-containers.containers.${app} = {
+ image = "${image}";
+ user = "${user}:${group}";
+ environment = {
+ PUSHOVER_DEBUG = "false";
+ PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+ RADARR__INSTANCE_NAME = "Radarr";
+ RADARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+ RADARR__LOG_LEVEL = "info";
+ };
+ environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+ volumes = [
+ "${persistentFolder}:/config:rw"
+ "/mnt/nas/natflix/series:/media:rw"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.${app}.entrypoints" = "websecure";
+ "traefik.http.routers.${app}.middlewares" = "local-only@file";
+ "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+ };
+ };
+
+ mySystem.services.homepage.media-services = [
+ {
+ Radarr = {
+ icon = "${app}.png";
+ href = "https://${app}.${config.networking.domain}";
+ description = "Movie management";
+ container = "${app}";
+ widget = {
+ type = "${app}";
+ url = "http://${app}:${toString port}";
+ key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}";
+ };
+ };
+ }
+ ];
+ };
+}
diff --git a/nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml
new file mode 100644
index 0000000..6c50d4b
--- /dev/null
+++ b/nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml
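Review bot: `"/mnt/nas/natflix/series:/media:rw"` mounts the series subtree into the movie manager; it looks inherited from the old sonarr volume line (sonarr itself moves to `/mnt/nas/natflix:/media:rw` in this commit), so radarr would write movies under the series folder and see no existing movie library. Mount the movie path instead — a dedicated subdirectory such as `"/mnt/nas/natflix/movies:/media:rw"` (constructed example; check the share layout) — and prefer the same per-app subdirectory approach for lidarr, readarr and sonarr over giving each container read-write access to the whole share.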
@@ -0,0 +1,59 @@ +services: + radarr: + env: ENC[AES256_GCM,data:Sup7QbkSx/m7KlXToXmd50pewu9Ofjz+mfhVWuDdLm0P3Z1mjNOwVEuvJPmgzj6xth2/nMxtStb+0HTxzPnPVx3pfVxM/AAUPNryvK4xPmhr2ROyJ6sdUFwCzv0QmT+mS1mYy4GJ6ms/6is5agViRdKu+uoTMI5ogb2L2UJR9D6S1V/VH/OuPr/KNcFQF+f1uuo76h42pCuagJ+Biek6Mr9qoLNAUA63+PkWuRkZs9XZxTSTmF38AdOXJhU+RF7HV7WCtNQhQvVIRmRO0wSm,iv:mbmOxJusIfhoQkT2B+etQh8afYFpLP+nRfKJnR212yE=,tag:huIYNNzZFR8oDzX3FM2SZQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL0VUU1FrUGhsZ3RvTFQw + RVBLTXdMTEtUc0twalVUUTM5b0dnRU1WUWpFCjBNeG5zU1NUU1BkRGo5MWFESEg1 + bTNmc2VFbHJXM1pKbkpTUzVHWmJSaTgKLS0tIGsydXlwRHpVeVE3VlZvbVdYNWps + L0hlSDVPQXlES1ZwQWxaYXlkaHhCeGMKKKzYAzrByU7kx2FaroGt1G7HJpmfxZ/4 + m1q//Leo6qttDeLod8ZrZR+nCjx2LzqWiMFatEpirgUU1SxVYLsN0Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ2RKTUtYZW56cU91UHM4 + NkJ5dnJjU1pjV09kUUtxOHU3dlJhMXkycFU0CmVWSCtJUHc2WkJyTDQ1c0J0dVBK + SFY5bmtpQWNTRXgvMi9RTWJCNXlJZkkKLS0tIFk5Wmk3Sy9ucjl1YVMwL3BSVCtF + aWxGNWtxZmJuR0RCRmFTdUs0c0xaR1kKEzEzyrAzLm812z7lqGMXY7hxX2zSanah + Z4+3X44basjM8FTI6CvZAFqtpouv5o4QAerggCZatQV2DEs+6iAvLw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT3RtQk1uMjBIWnlMdEt2 + MXJNMEhPVDc0bGxEb0tXY1JpWS9wQ3pKV0JJCnBqcUNJOUMyYVhJdGh5YzBuY0FC + eEhlZFRiK0NIcnhJZVA0Q2J6bytXNk0KLS0tIDlVSEd3NHFNakdqeEpwRC96M0lB + Ym95TkpWVS9JY1JjL0F1dUF1QkhDbHMKvBOtjm/T+s9xjPhSzicL5yAGg66qQGnf + 7HJVClweQ343WwIw8lO2/GM3CVaU20Q/UibaBYszUTNyNbQSFv5Sow== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcFVmMEdaN0oycG9sdk1m + bjdBem5lQVB4bEM4TmM0QnpPK3p4RldDT25VCmV6YVdoR2NnNEx4WC9kdzRySWl6 + amxJeTNTRmdjZEJVc05UWnFDdDJ4UkkKLS0tIER1dmFGdmVPWHhXUUJ1Ym96NU9K + aE9NS04yblVQNmVxNFlVRFZlRnkyRDgK+/uf5R1GT5bFkSSsYx5R6aehDcyapsz0 + 1uzffKV95MSo0I2ZqZDJgJPqsh23IxhzBJKsFhCw233bIaOaCSApuA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcXFxc1o4OVZqbVBkWW9S + d1FMY3Nma3VVNS9kQ2E2NHo2VXdlQS9jWVFzCkUrV3c3d3RkclZLaktuWG0yTitx + OVVkQm9uaEFmMVFhYW92SlJKTlA0bVEKLS0tIG5PZm9NTjF6blR6TzhDOS94ck5N + S1doVkdGQjIzNmtTQkp0VHJoSWp3czAK1NPIYn78CEqiLk7cZKoZU2RPeS0hZImd + Sj7V+yVS0zZvLnHVhHcOIOGuVIAhsxNZgQ2Wd4sT2GaueUS3dRVhyw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-07T00:54:00Z" + mac: ENC[AES256_GCM,data:Ale1C+ow3OyKdgyyVBSco6mmK/o+wbSUFOzW7QScn8v80itwe42rLqGHdcTrrfxONVY0hrYBbaTA9dbRekNUa04goZbzyzrVYHAfdqf9qw7ugFLazeL3GA4hHUdkmfCtYEhjqK3Y3Ef88i1uysvJWfBlm/ayE8N2mv17CRxl8cA=,iv:bY6/ih+Boc1oY1NpLOnd1RLZxASD/vbom/sirb8ktao=,tag:GU+nM1Oncx3j0x9UXJ784w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/services/arr/readarr/default.nix b/nixos/modules/nixos/services/arr/readarr/default.nix new file mode 100644 index 0000000..a817850 --- /dev/null +++ b/nixos/modules/nixos/services/arr/readarr/default.nix 
@@ -0,0 +1,77 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+ app = "readarr";
+ image = "ghcr.io/onedr0p/readarr-nightly@sha256:dd429811956178223ca7db1699f4ce03641edfa39ea8a1436a33272618278ade";
+ user = "568"; #string
+ group = "568"; #string
+ port = 8787; #int
+ cfg = config.mySystem.services.sonarr;
+ persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+ options.mySystem.services.${app} =
+ {
+ enable = mkEnableOption "${app}";
+ addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ # ensure folder exist and has correct owner/group
+ systemd.tmpfiles.rules = [
+ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+ ];
+
+ sops.secrets."services/${app}/env" = {
+
+ # configure secret for forwarding rules
+ sopsFile = ./secrets.sops.yaml;
+ owner = config.users.users.kah.name;
+ inherit (config.users.users.kah) group;
+ restartUnits = [ "podman-${app}.service" ];
+ };
+
+ virtualisation.oci-containers.containers.${app} = {
+ image = "${image}";
+ user = "${user}:${group}";
+ environment = {
+ READARR__INSTANCE_NAME = "Lidarr";
+ READARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+ READARR__LOG_LEVEL = "info";
+ };
+ environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+ volumes = [
+ "${persistentFolder}:/config:rw"
+ "/mnt/nas/natflix:/media:rw"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.${app}.entrypoints" = "websecure";
+ "traefik.http.routers.${app}.middlewares" = "local-only@file";
+ "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+ };
+ };
+
+ mySystem.services.homepage.media-services = [
+ {
+ Readar = {
+ icon = "${app}.png";
+ href = "https://${app}.${config.networking.domain}";
+ description = "Book management";
+ container = "${app}";
+ widget = {
+ type = "${app}";
+ url = "http://${app}:${toString port}";
+ key = "{{HOMEPAGE_VAR_READARR__API_KEY}}";
+ };
+ };
+ }
+ ];
+ };
+}
diff --git a/nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml
new file mode 100644
index 0000000..8079849
--- /dev/null
+++ b/nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml
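Review bot: `READARR__INSTANCE_NAME = "Lidarr"` labels the readarr instance as Lidarr in its UI and notifications; it should read `"Readarr"`. The homepage entry key is misspelt `Readar` where the other modules use the proper name (e.g. `Lidarr`), and this module pins `readarr-nightly` while the others pin release images — if nightly is deliberate, a comment on the `image` line such as `# nightly pinned deliberately: <reason>` saves the next reader the question.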
@@ -0,0 +1,59 @@ +services: + readarr: + env: ENC[AES256_GCM,data:/nOtTAhPSy3jlzZb3CmmOOyyhoxH8wgF7/sOlQxWP6FC6+lDH/DhibckUVHscwNAlwSIT4MeuLaE2vyeNUOSwhx5WwxGXvqQFjXRv0hkIPcHpWriJmuc44c7rHga+sCDpQNGPCLRbEmcYvTpm403cA==,iv:G0Elt5Oe0yGzVCoLkKUKp5QexziHzOIZO/AUqx13JE4=,tag:Ue9xgKJ4QyDs2445y9/xtg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d1V3dC9oWFR2RUV4RXFo + ZEw1QmlMc1VXc2hZTTFFK3d1TEtiSXJtcTFjCjFTMHpkK1Q2TFlTbFZEdjQ1RlVs + K3dsOGhLN011eXBEV21vckZRdHRsWVEKLS0tIDNQRDRxTHI3SjBkZGxGQmdoOWg0 + TlUzeDRwNUppSHpSSHNnWkJKYS8vSU0KyIu/ttRKDqQ3mKtk1AyCDnL5ZwydMv/9 + Mc9we7EXPzbGkOoGVNzFH+sP1GZM4k9f5wQ8OgiseVKTwzuHzqaFYg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZW94S2VxL0QwN2gweThB + YUNhall0bFZvTm02ZHkwYXhRb0E1bTc0OEhVCnBtQ2FhSTZabmJzMm1RUzE4VzlE + MmJ1aEFMRUxwUTcwWVVGOXBXa05QNW8KLS0tIHJ3VjlDVzUremhkd25lM2IrR2tH + dlkxVkpnUFZTYTd0cDR6bTBCR1VzSUkKlUGI4JKzdWdvJuYSc8PeR3qEA3OXG7w3 + Jv42OCDczivOR69E8ZBIU+dS+1XrLNgGxN7xSGFpHnz0ZgaZWYow/w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeG83T1RXckYralg3SzJP + QmVYa3lkZittTFJFSDBBRmdrQWFHNE5PTkdFCjcvK1J5SGhYVVlHM2xMempCMHVV + Mzh4eGR0QzZwMjZycFV4cGdJQ09RUzAKLS0tIFJGMnNQcW16eFhWeXY5V3dOUDV0 + WUhuQUZDbGU3V3JIeXpxVytuUy9PNjgKy9Y/XkjkDX3ypVSWZhfACkXQdjz2Qm8N + 4Am69qQRvOCnnFuw30RftgJSRvs1X7dTnvUKwCcweUiCAL+o2R/q6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TWRLQzNGTHJZM0lzRkVx + OG9vdS9wc0VsYTRoR2FRM1dWdXREZ1RjK1M0CnczVjI1a0lNTVpCbmZMR0FmRDFS + aGpuQzdyMkc2WW1BWkp2ODFhc1JUcGMKLS0tIGNyOXd6a1dqdHRKUEJEOE1UNjBr + aU9EeWg4Rm9sbTdrWGZ4cmNMUVI3a3MKhUyeqGGZPxcHUCXVNAAcZtx35vzFmunQ + fTNNnoI6CM0Xmwznlp0576s3qmjbXMc5+Wm9Ni4tLnBrnyl/Y4oijg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Z1doS3pjc0FaczdudDBp + Ykx4aGl0YVZUUmoxNUs2aWpieFZlQ0dYN0VNClZQQkF2QWtyeVpta2VBbEpMZjVZ + T3hrU2ozbE10M3c2ejlta2tNNEhBYWMKLS0tIHlGeVNnRmNiUzhKYmpUWG8xbDVo + V0JjaGpDTXpsSE5Ldm13N3N1UU9zRE0Ky8tp8tJkgwyLNBvnOM+puMy2+46Khf7n + LzxXw/7ZJnIPsYywXPj7IdeMha9nvXow8zpSriI52ecOmJZxSbkLeg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-07T01:10:50Z" + mac: ENC[AES256_GCM,data:8Cx1SzSIeNSYGCyOsPCkaWv/Z8A4t8a+o1UDYnf4KsuysH8NolDMZWziMiPnzKpWLMNBo6qzJfaDfm2b6MyvEsLRue1Z5iAuNIlMOWYeVkeQu9ZDPOOYuEqxCMmRLOpHdsQh9G++bcGzNjZoFOKMkh4uCCQrboohFGO38WEWnHY=,iv:hPbqJSYvPb1npIIyc4a92YytDMRm7c9pgPv3j6TvxoQ=,tag:1s3Jxup2X/gWAinn12Rxzg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/services/arr/sonarr/default.nix b/nixos/modules/nixos/services/arr/sonarr/default.nix index d9484fc..3b99959 100644 --- a/nixos/modules/nixos/services/arr/sonarr/default.nix +++ b/nixos/modules/nixos/services/arr/sonarr/default.nix 
@@ -5,46 +5,76 @@ }:
 with lib;
 let
+ app = "sonarr";
 image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655";
- port = 8989;
- cfg = config.mySystem.services.sonarr;
- persistentFolder = "${config.mySystem.persistentFolder}/sonarr";
+ user = "568"; #string
+ group = "568"; #string
+ port = 8989; #int
+ cfg = config.mySystem.services.${app};
+ persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+ containerPersistentFolder = "/config";
 in
 {
- options.mySystem.services.sonarr.enable = mkEnableOption "Sonarr";
+ options.mySystem.services.${app} =
+ {
+ enable = mkEnableOption "${app}";
+ addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+ };
 config = mkIf cfg.enable {
 # ensure folder exist and has correct owner/group
 systemd.tmpfiles.rules = [
- "d ${persistentFolder} 0755 568 568 -" #The - disables automatic cleanup, so the file wont be removed after a period
+ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
 ];
- virtualisation.oci-containers.containers.sonarr = {
+ sops.secrets."services/${app}/env" = {
+
+ # configure secret for forwarding rules
+ sopsFile = ./secrets.sops.yaml;
+ owner = config.users.users.kah.name;
+ inherit (config.users.users.kah) group;
+ restartUnits = [ "podman-${app}.service" ];
+ };
+
+ virtualisation.oci-containers.containers.${app} = {
 image = "${image}";
- user = "568:568";
+ user = "${user}:${group}";
 environment = {
- UMASK = "002";
+ PUSHOVER_DEBUG = "false";
+ PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+ SONARR__INSTANCE_NAME = "Radarr";
+ SONARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+ SONARR__LOG_LEVEL = "info";
 };
+ environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
 volumes = [
- "${persistentFolder}:/config:rw"
- "/mnt/nas/natflix/series:/media:rw"
+ "${persistentFolder}:${containerPersistentFolder}:rw"
+ "/mnt/nas/natflix:/media:rw"
 "/etc/localtime:/etc/localtime:ro"
 ];
 labels = {
 "traefik.enable" = "true";
- "traefik.http.routers.sonarr.entrypoints" = "websecure";
- "traefik.http.routers.sonarr.middlewares" = "local-only@file";
- "traefik.http.services.sonarr.loadbalancer.server.port" = "${toString port}";
+ "traefik.http.routers.${app}.entrypoints" = "websecure";
+ "traefik.http.routers.${app}.middlewares" = "local-only@file";
+ "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
- "homepage.group" = "Media";
- "homepage.name" = "Sonarr";
- "homepage.icon" = "sonarr.png";
- "homepage.href" = "https://sonarr.${config.networking.domain}";
- "homepage.description" = "Series manager";
- # "homepage.weight" = -70000;
- "homepage.widget.type" = "sonarr";
- "homepage.widget.url" = "https://sonarr.${config.networking.domain}";
 };
 };
+
+ mySystem.services.homepage.media-services = [
+ {
+ Sonarr = {
+ icon = "${app}.png";
+ href = "https://${app}.${config.networking.domain}";
+ description = "TV show management";
+ container = "${app}";
+ widget = {
+ type = "${app}";
+ url = "http://${app}:${toString port}";
+ key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}";
+ };
+ };
+ }
+ ];
 };
 }
diff --git a/nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
new file mode 100644
index 0000000..7cea01a
--- /dev/null
+++ b/nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
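Review bot: `addToHomepage` is declared with `default = true` but never read: the `mySystem.services.homepage.media-services` entry is emitted unconditionally under `mkIf cfg.enable`, so setting `addToHomepage = false` has no effect; wrap it as `mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [ … ];` — the same unused option is declared in the lidarr, prowlarr, radarr and readarr modules. `SONARR__INSTANCE_NAME = "Radarr"` is a copy-paste slip and should read `"Sonarr"`. The tmpfiles rule creates the config directory `0755`; the arr apps keep their API key in `config.xml` under `/config`, so `0750` with the same owner and group stops other local users traversing into it (the four new modules carry the same rule). The hunk also introduces `containerPersistentFolder` here while the four new modules hard-code `/config`; either use it everywhere or drop it.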
@@ -0,0 +1,59 @@ +services: + sonarr: + env: ENC[AES256_GCM,data:Lg92wQkiBY5gBZ2+ckLs7EBPo/0fEwqhEvnWcnU5quUMNlJeWnjWFqU8qu1TaW0Vmux/A/QgIJAiYgWnbQuD9benOR2swkt4+DazSeC+35VQOTbegVDrH4wiJikTHTtoKpgSKHLBQAy113jaDL/RBFRpsSjsXEsGGu+G+GZ1MFcW5hRbYam1o62NqOAG66efcIGXv8T+sD0ouLcN2g9ZjU2QqUqJqsGBtg1d0SIVj9bNW2vUHHmMtIQBTxfR6S5V3tzqjP2EfzaT/gDSPPJg,iv:e9/vpvTFDixP07fVXutIhJcAg8Qb9d7fVJNmn+XhMjU=,tag:7MAF0kHvcf5VDUMCpJATVA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYTlNSGpIclBoWVlWWDBz + ckVZQWdndVBreDRXV3k1UDhxR0Y4R1J5blNBCmh0RmtwbzMrcGxLL1FoQVBjSVUy + QUxPUXJmaFYxRXFFb0lTQ2JHd3M3aFUKLS0tIEZ6UWJOVXp1VE1XTnhzQVhGT2RS + MVhTTE1JbU5rZnZjUFI2NDNkRUEvY0EKxglGGpDa8xY9w9VKayRF2Oqjv+UhDiLY + 3uPQWLasVcQviZE7AqG5n8azLTaX5DEoAOVFDCnhJYjU9NatXhcutw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdU84WkVMVWl2UXQ2WHN3 + ZE1IbENMU0JlN0pPMTZSeHFPdW5mN1NhcUVRCkovcEJSNm9FWU9LdWk2aWRMbzJO + b3VoM0F5VWxSU2I1UU9lblMreXNvcjQKLS0tIG9hSVk4RzRzbVgyektXQ1lkcGF6 + Q1FLdWZGOUFqWm9Hc0NDVUFFczlXYXcKxxWKSOrDUGld40zvDzsmMBOAexWoijDN + tBxJteEnSbTd+s93MDfuM+axeNR5Ak4+f/pEoLho5xjjn8f/fdlebA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdGV5ZU1ZSFNvaHpGRUFs + cWRkVWlMZUZrbDNLSlJJSUpZVkhKUHI3OVdnCk1pckRmbWJNMkdvOXZscE1sMFcw + QktRU0Foa2hNTU9tcUN0UmM0Y0h2TU0KLS0tIDY1c2lVb1Bnd1c0d1Y3NVMrYmVZ + UXJFb294d1Bqc3E0SUFjWmFqSjdka28K2cEgMCIxpzGe2Z1rgaWq+rWXKJvfsTi9 + PFWywF6/E+9Egwrh98FspQAzYP/7zl+N8gjR5Pa+Scx2D2iOizXWfg== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKallmeUFQMmRvNFZRbnho + SVYzYit2TWFSRnV6dVNjUzlSQ0ZhTEJUNEhjCmFmaEsvMkpPQVZBN0FLVVp1dzgv + Ym56YzhwcWdkNlVSbHA4cnQ2T2VVeXMKLS0tIENqdXZCaFNrZVpFVUIrakpsY1ZP + QUxPS3lqcTBISnByTXVWcWdtZWYwNXMK8FRzmS0q2l6MWUu0YreaqEnKKW085j4s + f1oTHPpErwPLuh3hUciUPFe5Mbm3zSdjBsGyQtxPF6xLtw8dFaDYBA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXg2S2R2M2tHYmllUXFZ + NkZzcTdRaU5RM29RQkdEQnpNWXowZUFoR3hZCm1TclN2K0FoQktVTzg4YkkyRUhC + NXRybXE5Ym1XYjF3cG53RitvK3VTR1kKLS0tIGtkZXFLWmJiRG81M2RyYzdXZUEx + M2tqQVZaUmNVbm9YZys0NUNpSk4vN3cKpkL37l/i3VD6zhWHK/ROvcvmCBQfifuw + EFYI+F+BTjkoptqIVFCDbATRrqSfOqsYPmEg5lM0e3Oul+vT++e0/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-06T21:26:23Z" + mac: ENC[AES256_GCM,data:ITWKix2aNhXzzzZTvq2sBPXO3Phvr+lS83fSwEbH7FTowD7uScxqAF4PMJ+txAfIpmZiaD5vXIK98YU9HOWRFUoOiYxdwVwfOiX63mB0JKj5jLHHeIe6bMaWfudITlIL9an6YO/qyUww9OVXaxYEmwOJI4W+HnMLbYLf5lGboEo=,iv:i8dddSV2W9FifN+ktwGsaYRRnK4UJtrG7g6LpWPtgu4=,tag:acP4YvJarHLCZUJ3dCFuOQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/services/cockpit/default.nix b/nixos/modules/nixos/services/cockpit/default.nix index 7c87ca2..2307432 100644 --- a/nixos/modules/nixos/services/cockpit/default.nix +++ b/nixos/modules/nixos/services/cockpit/default.nix 
@@ -11,11 +11,32 @@ in { options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit"; - config = mkIf cfg.enable { - services.cockpit.enable = true; - services.cockpit.openFirewall = true; + config.services.cockpit = mkIf cfg.enable { + enable = true; + openFirewall = true; + package = pkgs.cockpit.overrideAttrs (old: { + # remove packagekit and selinux, don't work on NixOS + postBuild = '' + ${old.postBuild} + rm -rf \ + dist/packagekit \ + dist/selinux + ''; + }); }; + config.environment = mkIf cfg.enable { + systemPackages = with pkgs; + [ + (mkIf config.virtualisation.podman.enable nur.repos.procyon.cockpit-podman) # only if server runs pods + # nur.repos.dukzcry.cockpit-machines # TODO enable with virtualisation on server + # nur.repos.dukzcry.libvirt-dbus # TODO enable with virtualisation on server + # pkgs.virt-manager # TODO enable with virtualisation on server + ]; + + + + }; } diff --git a/nixos/modules/nixos/services/homepage/default.nix b/nixos/modules/nixos/services/homepage/default.nix index c6b2e4a..9af844a 100644 --- a/nixos/modules/nixos/services/homepage/default.nix +++ b/nixos/modules/nixos/services/homepage/default.nix 
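Review bot: `openFirewall = true;` opens Cockpit's listening port on every interface of every host that sets `mySystem.services.cockpit.enable`, and this commit turns that on in both the server and workstation role profiles, so a password-authenticated, root-capable admin console becomes reachable from any network those hosts sit on. Unless that exposure is intended, drop `openFirewall = true;` and reach Cockpit through the existing traefik `local-only@file` route, or open the port only on a management interface with `networking.firewall.interfaces.<if>.allowedTCPPorts`. The `overrideAttrs` that deletes `dist/packagekit` and `dist/selinux` relies on the package's `postBuild` layout, so a comment such as `# re-check on cockpit bumps: relies on upstream postBuild/dist layout` would help the next person who sees it break on an update.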
@@ -13,12 +13,121 @@ let persistentFolder = "${config.mySystem.persistentFolder}/${app}"; cfg = config.mySystem.services.homepage; + + settings = { + # title = "Hades"; + # theme = "dark"; + # color = "slate"; + showStats = true; + }; + settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings); + + bookmarks = [ + { + Administration = [ + { Source = [{ icon = "github.png"; href = "https://github.com/truxnell/nix-config"; }]; } + { Cloudflare = [{ icon = "cloudflare.png"; href = "https://dash.cloudflare.com/"; }]; } + ]; + } + { + Development = [ + { CyberChef = [{ icon = "cyberchef.png"; href = "https://gchq.github.io/CyberChef/"; }]; } + { "Nix Options Search" = [{ abbr = "NS"; href = "https://search.nixos.org/packages"; }]; } + { "Doppler Secrets" = [{ abbr = "DP"; href = "https://dashboard.doppler.com"; }]; } + { "onedr0p Containers" = [{ abbr = "OC"; href = "https://github.com/onedr0p/containers"; }]; } + { "bjw-s Containers" = [{ abbr = "BC"; href = "https://github.com/bjw-s/container-images"; }]; } + + ]; + } + ]; + bookmarksFile = builtins.toFile "homepage-bookmarks.yaml" (builtins.toJSON bookmarks); + + widgets = [ + { + resources = { + cpu = true; + memory = true; + cputemp = true; + uptime = true; + disk = "/"; + units = "metric"; + # label = "system"; + }; + } + { + search = { + provider = "duckduckgo"; + target = "_blank"; + }; + } + ]; + widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets); + + services = [ + { Infrastructure = cfg.infrastructure-services; } + { Home = cfg.home-services; } + { Media = cfg.media-services; } + ]; + servicesFile = builtins.toFile "homepage-config.yaml" (builtins.toJSON services); in { - options.mySystem.services.homepage.enable = mkEnableOption "Homepage dashboard"; + options.mySystem.services.homepage = { + enable = mkEnableOption "Homepage dashboard"; + infrastructure-services = lib.mkOption { + type = lib.types.listOf lib.types.attrs; + description = "Services to add 
to the infrastructure column"; + default = [ ]; + }; + home-services = lib.mkOption { + type = lib.types.listOf lib.types.attrs; + description = "Services to add to the infrastructure column"; + default = [ ]; + }; + media-services = lib.mkOption { + type = lib.types.listOf lib.types.attrs; + description = "Services to add to the infrastructure column"; + default = [ ]; + }; + }; config = mkIf cfg.enable { + sops.secrets."services/sonarr/env" = { + # configure secret for forwarding rules + sopsFile = ../arr/sonarr/secrets.sops.yaml; + owner = "kah"; + group = "kah"; + restartUnits = [ "podman-${app}.service" ]; + }; + sops.secrets."services/radarr/env" = { + # configure secret for forwarding rules + sopsFile = ../arr/radarr/secrets.sops.yaml; + owner = "kah"; + group = "kah"; + restartUnits = [ "podman-${app}.service" ]; + }; + sops.secrets."services/lidarr/env" = { + # configure secret for forwarding rules + sopsFile = ../arr/lidarr/secrets.sops.yaml; + owner = "kah"; + group = "kah"; + restartUnits = [ "podman-${app}.service" ]; + }; + sops.secrets."services/readarr/env" = { + # configure secret for forwarding rules + sopsFile = ../arr/readarr/secrets.sops.yaml; + owner = "kah"; + group = "kah"; + restartUnits = [ "podman-${app}.service" ]; + }; + sops.secrets."services/prowlarr/env" = { + # configure secret for forwarding rules + sopsFile = ../arr/prowlarr/secrets.sops.yaml; + owner = "kah"; + group = "kah"; + restartUnits = [ "podman-${app}.service" ]; + }; + # ensure folder exist and has correct owner/group systemd.tmpfiles.rules = [ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period 
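Review bot: The five `sops.secrets."services/<arr>/env"` declarations added here re-declare secrets that the arr modules themselves own (the sonarr one appears earlier in this diff with `sopsFile = ./secrets.sops.yaml;`), so two modules now define `sopsFile` for the same secret name; if the two relative paths do not resolve to the same file the option merge fails, and even when they do, the homepage module is coupled to every arr module's secret layout. A cleaner shape is one homepage-owned `sops.secrets."services/homepage/env"` holding only the `HOMEPAGE_VAR_*` entries the dashboard widgets need. Also, the `description` for `home-services` and `media-services` still reads `"Services to add to the infrastructure column"` and should name their own columns.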
@@ -27,23 +136,43 @@ in virtualisation.oci-containers.containers.${app} = { image = "${image}"; user = "${user}:${group}"; + environment = { UMASK = "002"; PUID = "${user}"; PGID = "${group}"; }; + + environmentFiles = [ + config.sops.secrets."services/sonarr/env".path + config.sops.secrets."services/radarr/env".path + config.sops.secrets."services/readarr/env".path + config.sops.secrets."services/lidarr/env".path + config.sops.secrets."services/prowlarr/env".path + ]; + labels = { "traefik.enable" = "true"; "traefik.http.routers.${app}.entrypoints" = "websecure"; "traefik.http.routers.${app}.middlewares" = "local-only@file"; "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; }; - # mount socket for service discovery. + # not using docker socket for discovery, just + # building up the apps from a shared key + # this is a bit more tedious, but more secure + # from not exposing docker socet and makes it + # easier to have/move services between hosts volumes = [ - "${persistentFolder}:/app/config:rw" - "/var/run/podman/podman.sock:/var/run/docker.sock:ro" # TODO abstract out podman/docker socket + "/etc/localtime:/etc/localtime:ro" + "${persistentFolder}:/app/config/logs:rw" + "${settingsFile}:/app/config/settings.yaml" + "${servicesFile}:/app/config/services.yaml" + "${bookmarksFile}:/app/config/bookmarks.yaml" + "${widgetsFile}:/app/config/widgets.yaml" + ]; }; + }; } diff --git a/nixos/modules/nixos/services/podman/default.nix b/nixos/modules/nixos/services/podman/default.nix index 81716fc..af02a87 100644 --- a/nixos/modules/nixos/services/podman/default.nix +++ b/nixos/modules/nixos/services/podman/default.nix @@ -18,6 +18,12 @@ in dockerCompat = true; extraPackages = [ pkgs.zfs ]; + + # regular cleanup + autoPrune.enable = true; + autoPrune.dates = "weekly"; + + # and add dns defaultNetwork.settings = { dns_enabled = true; }; 
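Review bot: `environmentFiles` now injects the complete sonarr, radarr, readarr, lidarr and prowlarr env files into the homepage container, so anything those files hold beyond the `HOMEPAGE_VAR_*` keys the widgets reference (the contents are encrypted here, so this is inferred) becomes readable from the dashboard process, making a homepage compromise equivalent to compromising every arr service. Prefer a single homepage-owned env file containing only the `HOMEPAGE_VAR_*` entries, which also removes the dependency on each arr secret path. Dropping the podman socket mount is a genuine improvement; the comment explaining it has a typo (`socet`), and it would help to add a line noting that only `/app/config/logs` is persistent while the other config files are store-backed and read-only by design.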
@@ -27,7 +33,14 @@ in }; networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ]; + # extra user for containers + users.users.kah = { + uid = 568; + group = "kah"; + + }; + users.groups.kah = { }; }; } diff --git a/nixos/profiles/role-server.nix b/nixos/profiles/role-server.nix index 2faa44e..6db8d23 100644 --- a/nixos/profiles/role-server.nix +++ b/nixos/profiles/role-server.nix @@ -14,6 +14,7 @@ with lib; mySystem.services.promMonitoring.enable = true; mySystem.services.rebootRequiredCheck.enable = true; mySystem.security.wheelNeedsSudoPassword = false; + mySystem.services.cockpit.enable = true; nix.settings = { # TODO factor out into mySystem diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix index 4e17049..7a0e308 100644 --- a/nixos/profiles/role-worstation.nix +++ b/nixos/profiles/role-worstation.nix @@ -15,6 +15,7 @@ with config; # Lets see if fish everywhere is OK on the pi's # TODO decide if i drop to bash on pis? shell.fish.enable = true; + services.cockpit.enable = true; nfs.nas.enable = true; };
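Review bot: `users.users.kah` sets only `uid` and `group`; NixOS requires exactly one of `isSystemUser` or `isNormalUser` on every user, so evaluation should fail with an assertion unless another module sets it, and for a container-only account `isSystemUser = true;` is the right choice because it yields no home directory or login shell. A comment such as `# uid/gid 568 must match the user = "568:568" and tmpfiles owner in the arr modules` would make the coupling explicit, since nothing enforces it. The user is also only created when podman is enabled, while the sops secrets elsewhere in this diff use `owner = "kah"` unconditionally, so any module that declares those secrets without podman will fail to find the owner.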