jahanson/nix-config-tn
Archived
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

feat: add *arr (#61)

Browse source 
* feat: add cockpit to all servers

* hacing

* feat: *arr bones

* feat: add docker versioning

---------

Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
This commit is contained in:
Truxnell 2024-04-07 14:05:51 +10:00 committed by GitHub
parent 14e1aa9300
commit c4e7e0215b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 891 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
.github/renovate.json5 vendored
View file

@ -3,6 +3,7 @@
"extends": [ "extends": [
"github>truxnell/renovate-config", "github>truxnell/renovate-config",
"github>truxnell/renovate-config:automerge-github-actions", "github>truxnell/renovate-config:automerge-github-actions",
"github>truxnell/nix-config//.github/renovate/autoMerge.json5",
], ],
"gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>", "gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>",
@ -13,7 +14,19 @@
"nix": { "nix": {
"enabled": "true" "enabled": "true"
}, },
"lockFileMaintenance": { "lockFileMaintenance": {
"enabled": "true" "enabled": "true"
}, },
}
{
"regexManagers": [
{
fileMatch: ["^.*\\.nix$"],
matchStrings: [
'image *= *"(?<depName>[^"]+):(?<currentValue>[^"]+)(@(?<currentDigest>sha256:[a-f0-9]+))?";',
],
datasourceTemplate: "docker",
}
],
}

17
.github/renovate/autoMerge.json5 vendored Normal file
View file

@ -0,0 +1,17 @@
{
packageRules: [
// auto update all up to major
{
matchDatasources: ['docker'],
automerge: "true",
matchUpdateTypes: [ 'minor', 'patch', 'digest'],
matchPackageNames: [
'onedr0p/sonarr',
'onedr0p/readarr',
'onedr0p/radarr',
'onedr0p/lidarr',
'onedr0p/prowlarr',
],
},
],
}

10
docs/vm/k8s.md Normal file
View file

@ -0,0 +1,10 @@
Removed complexity
- external secrets -> bog standard sops
- HA file storage -> standard file system
- HA database cluster -> nixos standard cluster
- Database user operator -> nixos standard ensure_users
- Database permissions operator -> why even??
- secrets reloader -> sops restart_unit
- easier managment, all services run through systemd for consistency, cockpit makes viewing logs/pod console etc easy.

10
nixos/home/modules/programs/browsers/firefox/search.nix
View file

@ -36,8 +36,8 @@
definedAliases = [ "@nhmo" ]; definedAliases = [ "@nhmo" ];
}; };
"NixOS Wiki" = { "NixOS Wiki" = {
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }]; urls = [{ template = "https://wiki.nixos.org/w/index.php?search={searchTerms}"; }];
iconUpdateURL = "https://nixos.wiki/favicon.png"; iconUpdateURL = "https://wiki.nixos.org/favicon.ico";
updateInterval = 24 * 60 * 60 * 1000; # every day updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@nw" ]; definedAliases = [ "@nw" ];
}; };
@ -47,6 +47,12 @@
updateInterval = 24 * 60 * 60 * 1000; # every day updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@ks" ]; definedAliases = [ "@ks" ];
}; };
"Github Code Search" = {
urls = [{ template = "https://github.com/search?type=code&q={searchTerms}"; }];
iconUpdateURL = "https://github.githubassets.com/favicons/favicon-dark.svg";
updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@gs" ];
};
# "Searx" = { # "Searx" = {
# urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }]; # urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }];

9
nixos/hosts/shodan/default.nix
View file

@ -13,11 +13,14 @@
mySystem.services = { mySystem.services = {
openssh.enable = true; openssh.enable = true;
cockpit.enable = true;
podman.enable = true; podman.enable = true;
traefik.enable = true; traefik.enable = true;
sonarr.enable = true;
homepage.enable = true; homepage.enable = true;
sonarr.enable = true;
radarr.enable = true;
lidarr.enable = true;
readarr.enable = true;
}; };
mySystem.nfs.nas.enable = true; mySystem.nfs.nas.enable = true;
@ -40,7 +43,7 @@
}; };
}; };
networking.hostName = "shodan"; # Define your hostname. networking.hostName = "shodan1"; # Define your hostname.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
fileSystems."/" = fileSystems."/" =

4
nixos/modules/nixos/services/arr/default.nix
View file

@ -1,5 +1,9 @@
{ {
imports = [ imports = [
./sonarr ./sonarr
./radarr
./lidarr
./readarr
./prowlarr
]; ];
} }

79
nixos/modules/nixos/services/arr/lidarr/default.nix Normal file
View file

@ -0,0 +1,79 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "lidarr";
image = "ghcr.io/onedr0p/lidarr@sha256:6b9564037159c2b90f32a2ee34683275783a4b8eff4b609e2d2b1c0654c94bac";
user = "568"; #string
group = "568"; #string
port = 8686; #int
cfg = config.mySystem.services.sonarr;
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
sops.secrets."services/${app}/env" = {
# configure secret for forwarding rules
sopsFile = ./secrets.sops.yaml;
owner = config.users.users.kah.name;
inherit (config.users.users.kah) group;
restartUnits = [ "podman-${app}.service" ];
};
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
PUSHOVER_DEBUG = "false";
PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
LIDARR__INSTANCE_NAME = "Lidarr";
LIDARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
LIDARR__LOG_LEVEL = "info";
};
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
volumes = [
"${persistentFolder}:/config:rw"
"/mnt/nas/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${app}.entrypoints" = "websecure";
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
};
};
mySystem.services.homepage.media-services = [
{
Lidarr = {
icon = "${app}.png";
href = "https://${app}.${config.networking.domain}";
description = "Music management";
container = "${app}";
widget = {
type = "${app}";
url = "http://${app}:${toString port}";
key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}";
};
};
}
];
};
}

59
nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,59 @@
services:
lidarr:
env: ENC[AES256_GCM,data:+Ja2gz7l5bueQJdMxtsF2o2rXtnPfsj9xfANoZ7T2wI4vf/VQRcHFG8IFvpJWr03kr+4iIK7BlSqE+o5CqL7pZLPbC6FW0mnqFKXUpZZxctPlrDXPHLR6UcnDbvJjNgSF4O+nLz0yzUFV28/C0I=,iv:j+q/uM16sxffCaKZHeXD957J8mFG6sLUL8vBwwO7/mE=,tag:QPDD6WiRTLrXtUeNytYGew==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bW9rRnF5TzBBQUdSdy9q
NExkZjdUWFI4VkFDUHF2REFQaXg4SGppUkcwCk12NW05NVUwaHBkNVdJRHA4L3Qw
d0VtVkVmdmJpRDJCOHBIU1lHNVFpT1UKLS0tIGhVQlVibk1aOEc2YnBCM3RXVHQ2
MUt0TzZTeXE3RkZBM0RBRkFkWkFYRTgKPQrxDiWBOyAIZpgLzHViMJGg4o+P/PlZ
pCj3n5C1z4lZgaWU+oE70a3r2CXg0toaG0Lg9lq7hh5pQV+KfLcO8g==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eWVSejhCcmhUT1hGZHlK
SVVUbmJ3UlVJT1k5azA3TkNsdDZCNWZQK0N3CnBYWUFWcXdSamhDT2pXTUFsZFIr
akgxSkZtRE44eW0yQlFGc0U5RWUxdjQKLS0tIExDdXBhSGh0dDM5ZnFNTzdmdVNj
MUY5UlFuNitiR08xeW9EZ09ZNThnQ1UKC+O/NlGD6ZdWAdJAAMyamGUJi8M6LhW2
2CRjIhXpfhiG4vjbgP5Xs6JXXYfiF7mFN6W3VZAZ/B4aO/S+BEVYoA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Z1BYNDBVRjJDanVFNHMx
aUpXZW8wdGdDVkVQdXVRVnd0aFRLTnZuVUdFCmZJei84bVUyOFA5S2JaOVpLMVM2
T3B1YnNCcmNEV2s5WC9CRCtqd0pITTgKLS0tIHFmcjlmSjhXaWl2U09ralVjZzZE
ZW5LaVhIVUNlN09aUVN0eGZvRU1TUGMKxQXeVgv5pwTTSM+b5YV0Clys/z6spAd6
E8X0l9Q8QfKTw4JHhKZvVYtPQ/oKCqex7ez5WpARcOOcZmHojwuXdg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZmYzZElqQ0xBYmdrMHdD
dUVlTXlrVXJnNmNBZTZQMEdvYmwwMVIva2pvClZLU1pPV0xUVFZGQ0t5TGI5Mkhw
SE0wUWg2OWFnUTdBVEkzcTVOZWZFbWMKLS0tIEVCU2VnR3lIQXpqTnh0eHJzejEz
SzgxZG9TU1BsdVZlU1h5MkNyNG9ZaDgKGndrjZxBKRcvrLkPpE2cHCOGye3a6ek9
EmLowxl4EQ+pQqbukteFBfSlrs/302FfNrzL7cP4p2jzrCiT1RtHTw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlIyYnlxRmZYSzlhUzNX
am9iS3h5TVJ5TWhraVYrWU9ETHdGMUpJZEIwCjBmQ3FMZHJFcjg0SXM1Q1FybXZq
azVCL25XVXpHd01wbzRHMTN4QVd3N0UKLS0tIEFIc2dNNjErZFoxdzNDcEo4VE9B
NVJrMEs2Q09aQlphYXdaelluYjgveUUKJndBGHWzTUoexspNKF29jlaBgEruu/ee
acxnf1IGetFRKVNRu9mBPxAoMo+21Qi61E0/gdGaXWGmK2HEwSCaSA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-07T01:10:07Z"
mac: ENC[AES256_GCM,data:3WmOa5i4eB5L88TjzLhJG6tHF4/ecwZQHE1aC4b737nJjFw4F7tWMtHECIPHjRXM8wTie/FZgIQA4AHQS8WxLMILWkiSHVAei0jYWUQLie6R1qvcZu6NdSg22Co368pSBaEkDy+jy1uXmhTGOcAWYivKdhLyuVyr+jVO7W0B600=,iv:MFHlY+iRxS9udlgZSRSr/06BHnhfLXcIhYlDY3RUpRc=,tag:u7FnVRGcK6Y3Zoh3h2fEjw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

78
nixos/modules/nixos/services/arr/prowlarr/default.nix Normal file
View file

@ -0,0 +1,78 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "prowlarr";
image = "ghcr.io/onedr0p/prowlarr@sha256:7f90035619b4dbff6bff985181275300cd999be5d4f03fcaf359ef7068fc5e5e";
user = "568"; #string
group = "568"; #string
port = 9696; #int
cfg = config.mySystem.services.sonarr;
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
sops.secrets."services/${app}/env" = {
# configure secret for forwarding rules
sopsFile = ./secrets.sops.yaml;
owner = config.users.users.kah.name;
inherit (config.users.users.kah) group;
restartUnits = [ "podman-${app}.service" ];
};
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
PUSHOVER_DEBUG = "false";
PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
PROWLARR__INSTANCE_NAME = "Prowlarr";
PROWLARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
PROWLARR__LOG_LEVEL = "info";
};
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
volumes = [
"${persistentFolder}:/config:rw"
"/etc/localtime:/etc/localtime:ro"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${app}.entrypoints" = "websecure";
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
};
};
mySystem.services.homepage.media-services = [
{
Prowlarr = {
icon = "${app}.png";
href = "https://${app}.${config.networking.domain}";
description = "Content locator";
container = "${app}";
widget = {
type = "${app}";
url = "http://${app}:${toString port}";
key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}";
};
};
}
];
};
}

59
nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,59 @@
services:
prowlarr:
env: ENC[AES256_GCM,data:NvGX3+harRQfv0x5L/6QznuIyu6su08EkD1btg2mZmemcxndZSVb+5odFZIDnoCsSUSMlxfZXHn2gOHB+7ePpHlVYy3/MZZTbn8I/nxVaAOPKYCJ7KXG5eKp7uEk+ZqEwIeMTI1MKekhCCwm43Ndn+oD,iv:uFpbHQMocdzFe+HQPEmC9Cz2hWOuL6TLi4Or94EzEIY=,tag:xeDbq4Ab5UuQQYa0kUnbig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSUwrZFliUC8wV1NKbm94
U0VmR2t2VndWUFRjMzVOcitHZXJlZ2ZDVDI4ClpieVJnR044N0JEcVgvcU8rcDlB
ZG5VbVhpOXVaYXpoMERkYnVjbkhWWEEKLS0tIEhXUGt2SnBVSmNtdEdibm9TbEx4
YnIrdkpGMGFYUXViQnE2Z0VlQVlHVVUKdh4QPZmkOUHY0nhZTgQHN/Is/OaHUKdB
fwPX5XltwaIgUCzKOJ18dOx24CA+xajvpRGDY5vdK6cN8N1lDnYPpw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTDUySUpRbXBNOVlNSGNu
NTY1Q3Ntd1pWaDVnMzQ4MW94QXN6T3dQb1J3CkNIRnBINmNsRWt3OGFlR056Nk02
MEZlejIya2N6RUE2TlJtRkI3QTFTQlEKLS0tIGlneU1RSXBRdlhHMFFESU9wcE5W
YTlwU2srUjAySDI4TGt0bDlBT2VLL1kK8PJnEGhGAjDjQYBuPhS9NWsHg31ddkpq
UrC/SDONnawAVqC0djWkv2w71rHPh41GIFCW3V/IFS8vxQLSMiBo5w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUFp3MXFkVHU5dTdhcndG
aGdLWHY2Ti9ES0hjeWc2VXFTcXdPSWZrN25zCno2Snc1LzBTdC8zTS9lQSsrSmwz
d0VTb1Z6V0RxLzFzcEM4ZXEzZVpoSEkKLS0tIExvT2pKbzhaMUJaRHZoNlZpTXJY
eE5zVUhBblNFQ1RDVzl5K3VFaVMxRDAKuNxtVAqjbxaLJPr7LXKRj0Pt/gh8++Fp
AmYw0AVp/GMikWPCWVoCGiLr6svmNtbY0Q0B6KcN1N615G6AbrsoVg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicTlKS0FhRHRRRXNuMURH
UnN6QUhZUFNjSlRLRzJEYmU2cDAxdHhaQndZClRVR0p2UFBTdVNDUVhnSE1KSEQ3
elNJeDdhK3lBb0xPK2daMmVBWUtMamMKLS0tIFZWeU9wdDErby90S2VFUHcrYjIx
MlVtM1dqSmdaTWZtdjZMcmd2aEhCN2cKYbzlgLrLhoGutJ6PPgALF9O1Pe5zZrfB
RCciStCtTO0Geloxf7YqelPW3D3crSSCmf4Yq4VTMnLccudGNRgaLA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOXNBN3MrajlTa1cxZ05y
MWx4TW40c3dabzZtZjErU0JzVUR4S2p4VVRjCkxkRjJNODI0M0pkYXBIQ1RxcFZY
OVhra0NmNnRkb1VOTHJMaDFVR0RuR28KLS0tIFlLNFk4MSt1M1UwL0tnRzRkYk00
YTAwcUlzMGRDMldCYjUwM2lZYS9YOWcKdgArTqnH04EMDc8s4q8eIoAlRbD7hsYj
RJNesG9wKZlrGOlDydOX7CD7hyrVRH1CrhMIAzWggu5dy8Bl9Mbe4w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-07T03:01:12Z"
mac: ENC[AES256_GCM,data:ec1pzZ90D5jkY8jPDyDNyMxTovZqSjYBUryllybBPZwn08EeMPya/08+/mo3kqwgT4bVIFnEe/Fwk1ofEiz1G0YppcA4F43Rv0O7wGyTgRUKJ1sDuAcUvnvS/WSbG3POKibGcsu8v7wqDt9/JdFjoCfsurx+Ze17T9V+ZmYSQWo=,iv:oq55QVt2rMwCK8IPLNbUx5cs2sLAgWIp6/wb4faMpPU=,tag:rlmhn6XU7qgp58WpRlTwvA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

79
nixos/modules/nixos/services/arr/radarr/default.nix Normal file
View file

@ -0,0 +1,79 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "radarr";
image = "ghcr.io/onedr0p/radarr@sha256:2de39930de91ae698f9461bb959d93b9d59610f88e0c026e96bc5d9c99aeea89";
user = "568"; #string
group = "568"; #string
port = 7878; #int
cfg = config.mySystem.services.sonarr;
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
sops.secrets."services/${app}/env" = {
# configure secret for forwarding rules
sopsFile = ./secrets.sops.yaml;
owner = config.users.users.kah.name;
inherit (config.users.users.kah) group;
restartUnits = [ "podman-${app}.service" ];
};
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
PUSHOVER_DEBUG = "false";
PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
RADARR__INSTANCE_NAME = "Radarr";
RADARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
RADARR__LOG_LEVEL = "info";
};
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
volumes = [
"${persistentFolder}:/config:rw"
"/mnt/nas/natflix/series:/media:rw"
"/etc/localtime:/etc/localtime:ro"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${app}.entrypoints" = "websecure";
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
};
};
mySystem.services.homepage.media-services = [
{
Radarr = {
icon = "${app}.png";
href = "https://${app}.${config.networking.domain}";
description = "Movie management";
container = "${app}";
widget = {
type = "${app}";
url = "http://${app}:${toString port}";
key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}";
};
};
}
];
};
}

59
nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,59 @@
services:
radarr:
env: ENC[AES256_GCM,data:Sup7QbkSx/m7KlXToXmd50pewu9Ofjz+mfhVWuDdLm0P3Z1mjNOwVEuvJPmgzj6xth2/nMxtStb+0HTxzPnPVx3pfVxM/AAUPNryvK4xPmhr2ROyJ6sdUFwCzv0QmT+mS1mYy4GJ6ms/6is5agViRdKu+uoTMI5ogb2L2UJR9D6S1V/VH/OuPr/KNcFQF+f1uuo76h42pCuagJ+Biek6Mr9qoLNAUA63+PkWuRkZs9XZxTSTmF38AdOXJhU+RF7HV7WCtNQhQvVIRmRO0wSm,iv:mbmOxJusIfhoQkT2B+etQh8afYFpLP+nRfKJnR212yE=,tag:huIYNNzZFR8oDzX3FM2SZQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL0VUU1FrUGhsZ3RvTFQw
RVBLTXdMTEtUc0twalVUUTM5b0dnRU1WUWpFCjBNeG5zU1NUU1BkRGo5MWFESEg1
bTNmc2VFbHJXM1pKbkpTUzVHWmJSaTgKLS0tIGsydXlwRHpVeVE3VlZvbVdYNWps
L0hlSDVPQXlES1ZwQWxaYXlkaHhCeGMKKKzYAzrByU7kx2FaroGt1G7HJpmfxZ/4
m1q//Leo6qttDeLod8ZrZR+nCjx2LzqWiMFatEpirgUU1SxVYLsN0Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ2RKTUtYZW56cU91UHM4
NkJ5dnJjU1pjV09kUUtxOHU3dlJhMXkycFU0CmVWSCtJUHc2WkJyTDQ1c0J0dVBK
SFY5bmtpQWNTRXgvMi9RTWJCNXlJZkkKLS0tIFk5Wmk3Sy9ucjl1YVMwL3BSVCtF
aWxGNWtxZmJuR0RCRmFTdUs0c0xaR1kKEzEzyrAzLm812z7lqGMXY7hxX2zSanah
Z4+3X44basjM8FTI6CvZAFqtpouv5o4QAerggCZatQV2DEs+6iAvLw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT3RtQk1uMjBIWnlMdEt2
MXJNMEhPVDc0bGxEb0tXY1JpWS9wQ3pKV0JJCnBqcUNJOUMyYVhJdGh5YzBuY0FC
eEhlZFRiK0NIcnhJZVA0Q2J6bytXNk0KLS0tIDlVSEd3NHFNakdqeEpwRC96M0lB
Ym95TkpWVS9JY1JjL0F1dUF1QkhDbHMKvBOtjm/T+s9xjPhSzicL5yAGg66qQGnf
7HJVClweQ343WwIw8lO2/GM3CVaU20Q/UibaBYszUTNyNbQSFv5Sow==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcFVmMEdaN0oycG9sdk1m
bjdBem5lQVB4bEM4TmM0QnpPK3p4RldDT25VCmV6YVdoR2NnNEx4WC9kdzRySWl6
amxJeTNTRmdjZEJVc05UWnFDdDJ4UkkKLS0tIER1dmFGdmVPWHhXUUJ1Ym96NU9K
aE9NS04yblVQNmVxNFlVRFZlRnkyRDgK+/uf5R1GT5bFkSSsYx5R6aehDcyapsz0
1uzffKV95MSo0I2ZqZDJgJPqsh23IxhzBJKsFhCw233bIaOaCSApuA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcXFxc1o4OVZqbVBkWW9S
d1FMY3Nma3VVNS9kQ2E2NHo2VXdlQS9jWVFzCkUrV3c3d3RkclZLaktuWG0yTitx
OVVkQm9uaEFmMVFhYW92SlJKTlA0bVEKLS0tIG5PZm9NTjF6blR6TzhDOS94ck5N
S1doVkdGQjIzNmtTQkp0VHJoSWp3czAK1NPIYn78CEqiLk7cZKoZU2RPeS0hZImd
Sj7V+yVS0zZvLnHVhHcOIOGuVIAhsxNZgQ2Wd4sT2GaueUS3dRVhyw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-07T00:54:00Z"
mac: ENC[AES256_GCM,data:Ale1C+ow3OyKdgyyVBSco6mmK/o+wbSUFOzW7QScn8v80itwe42rLqGHdcTrrfxONVY0hrYBbaTA9dbRekNUa04goZbzyzrVYHAfdqf9qw7ugFLazeL3GA4hHUdkmfCtYEhjqK3Y3Ef88i1uysvJWfBlm/ayE8N2mv17CRxl8cA=,iv:bY6/ih+Boc1oY1NpLOnd1RLZxASD/vbom/sirb8ktao=,tag:GU+nM1Oncx3j0x9UXJ784w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

77
nixos/modules/nixos/services/arr/readarr/default.nix Normal file
View file

@ -0,0 +1,77 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "readarr";
image = "ghcr.io/onedr0p/readarr-nightly@sha256:dd429811956178223ca7db1699f4ce03641edfa39ea8a1436a33272618278ade";
user = "568"; #string
group = "568"; #string
port = 8787; #int
cfg = config.mySystem.services.sonarr;
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
sops.secrets."services/${app}/env" = {
# configure secret for forwarding rules
sopsFile = ./secrets.sops.yaml;
owner = config.users.users.kah.name;
inherit (config.users.users.kah) group;
restartUnits = [ "podman-${app}.service" ];
};
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
READARR__INSTANCE_NAME = "Lidarr";
READARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
READARR__LOG_LEVEL = "info";
};
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
volumes = [
"${persistentFolder}:/config:rw"
"/mnt/nas/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${app}.entrypoints" = "websecure";
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
};
};
mySystem.services.homepage.media-services = [
{
Readar = {
icon = "${app}.png";
href = "https://${app}.${config.networking.domain}";
description = "Book management";
container = "${app}";
widget = {
type = "${app}";
url = "http://${app}:${toString port}";
key = "{{HOMEPAGE_VAR_READARR__API_KEY}}";
};
};
}
];
};
}

59
nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,59 @@
services:
readarr:
env: ENC[AES256_GCM,data:/nOtTAhPSy3jlzZb3CmmOOyyhoxH8wgF7/sOlQxWP6FC6+lDH/DhibckUVHscwNAlwSIT4MeuLaE2vyeNUOSwhx5WwxGXvqQFjXRv0hkIPcHpWriJmuc44c7rHga+sCDpQNGPCLRbEmcYvTpm403cA==,iv:G0Elt5Oe0yGzVCoLkKUKp5QexziHzOIZO/AUqx13JE4=,tag:Ue9xgKJ4QyDs2445y9/xtg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d1V3dC9oWFR2RUV4RXFo
ZEw1QmlMc1VXc2hZTTFFK3d1TEtiSXJtcTFjCjFTMHpkK1Q2TFlTbFZEdjQ1RlVs
K3dsOGhLN011eXBEV21vckZRdHRsWVEKLS0tIDNQRDRxTHI3SjBkZGxGQmdoOWg0
TlUzeDRwNUppSHpSSHNnWkJKYS8vSU0KyIu/ttRKDqQ3mKtk1AyCDnL5ZwydMv/9
Mc9we7EXPzbGkOoGVNzFH+sP1GZM4k9f5wQ8OgiseVKTwzuHzqaFYg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZW94S2VxL0QwN2gweThB
YUNhall0bFZvTm02ZHkwYXhRb0E1bTc0OEhVCnBtQ2FhSTZabmJzMm1RUzE4VzlE
MmJ1aEFMRUxwUTcwWVVGOXBXa05QNW8KLS0tIHJ3VjlDVzUremhkd25lM2IrR2tH
dlkxVkpnUFZTYTd0cDR6bTBCR1VzSUkKlUGI4JKzdWdvJuYSc8PeR3qEA3OXG7w3
Jv42OCDczivOR69E8ZBIU+dS+1XrLNgGxN7xSGFpHnz0ZgaZWYow/w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeG83T1RXckYralg3SzJP
QmVYa3lkZittTFJFSDBBRmdrQWFHNE5PTkdFCjcvK1J5SGhYVVlHM2xMempCMHVV
Mzh4eGR0QzZwMjZycFV4cGdJQ09RUzAKLS0tIFJGMnNQcW16eFhWeXY5V3dOUDV0
WUhuQUZDbGU3V3JIeXpxVytuUy9PNjgKy9Y/XkjkDX3ypVSWZhfACkXQdjz2Qm8N
4Am69qQRvOCnnFuw30RftgJSRvs1X7dTnvUKwCcweUiCAL+o2R/q6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TWRLQzNGTHJZM0lzRkVx
OG9vdS9wc0VsYTRoR2FRM1dWdXREZ1RjK1M0CnczVjI1a0lNTVpCbmZMR0FmRDFS
aGpuQzdyMkc2WW1BWkp2ODFhc1JUcGMKLS0tIGNyOXd6a1dqdHRKUEJEOE1UNjBr
aU9EeWg4Rm9sbTdrWGZ4cmNMUVI3a3MKhUyeqGGZPxcHUCXVNAAcZtx35vzFmunQ
fTNNnoI6CM0Xmwznlp0576s3qmjbXMc5+Wm9Ni4tLnBrnyl/Y4oijg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Z1doS3pjc0FaczdudDBp
Ykx4aGl0YVZUUmoxNUs2aWpieFZlQ0dYN0VNClZQQkF2QWtyeVpta2VBbEpMZjVZ
T3hrU2ozbE10M3c2ejlta2tNNEhBYWMKLS0tIHlGeVNnRmNiUzhKYmpUWG8xbDVo
V0JjaGpDTXpsSE5Ldm13N3N1UU9zRE0Ky8tp8tJkgwyLNBvnOM+puMy2+46Khf7n
LzxXw/7ZJnIPsYywXPj7IdeMha9nvXow8zpSriI52ecOmJZxSbkLeg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-07T01:10:50Z"
mac: ENC[AES256_GCM,data:8Cx1SzSIeNSYGCyOsPCkaWv/Z8A4t8a+o1UDYnf4KsuysH8NolDMZWziMiPnzKpWLMNBo6qzJfaDfm2b6MyvEsLRue1Z5iAuNIlMOWYeVkeQu9ZDPOOYuEqxCMmRLOpHdsQh9G++bcGzNjZoFOKMkh4uCCQrboohFGO38WEWnHY=,iv:hPbqJSYvPb1npIIyc4a92YytDMRm7c9pgPv3j6TvxoQ=,tag:1s3Jxup2X/gWAinn12Rxzg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

72
nixos/modules/nixos/services/arr/sonarr/default.nix
View file

@ -5,46 +5,76 @@
}: }:
with lib; with lib;
let let
app = "sonarr";
image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655"; image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655";
port = 8989; user = "568"; #string
cfg = config.mySystem.services.sonarr; group = "568"; #string
persistentFolder = "${config.mySystem.persistentFolder}/sonarr"; port = 8989; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
containerPersistentFolder = "/config";
in in
{ {
options.mySystem.services.sonarr.enable = mkEnableOption "Sonarr"; options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group # ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 568 568 -" #The - disables automatic cleanup, so the file wont be removed after a period "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
]; ];
virtualisation.oci-containers.containers.sonarr = { sops.secrets."services/${app}/env" = {
# configure secret for forwarding rules
sopsFile = ./secrets.sops.yaml;
owner = config.users.users.kah.name;
inherit (config.users.users.kah) group;
restartUnits = [ "podman-${app}.service" ];
};
virtualisation.oci-containers.containers.${app} = {
image = "${image}"; image = "${image}";
user = "568:568"; user = "${user}:${group}";
environment = { environment = {
UMASK = "002"; PUSHOVER_DEBUG = "false";
PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
SONARR__INSTANCE_NAME = "Radarr";
SONARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
SONARR__LOG_LEVEL = "info";
}; };
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
volumes = [ volumes = [
"${persistentFolder}:/config:rw" "${persistentFolder}:${containerPersistentFolder}:rw"
"/mnt/nas/natflix/series:/media:rw" "/mnt/nas/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "true";
"traefik.http.routers.sonarr.entrypoints" = "websecure"; "traefik.http.routers.${app}.entrypoints" = "websecure";
"traefik.http.routers.sonarr.middlewares" = "local-only@file"; "traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.sonarr.loadbalancer.server.port" = "${toString port}"; "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
"homepage.group" = "Media";
"homepage.name" = "Sonarr";
"homepage.icon" = "sonarr.png";
"homepage.href" = "https://sonarr.${config.networking.domain}";
"homepage.description" = "Series manager";
# "homepage.weight" = -70000;
"homepage.widget.type" = "sonarr";
"homepage.widget.url" = "https://sonarr.${config.networking.domain}";
}; };
}; };
mySystem.services.homepage.media-services = [
{
Sonarr = {
icon = "${app}.png";
href = "https://${app}.${config.networking.domain}";
description = "TV show management";
container = "${app}";
widget = {
type = "${app}";
url = "http://${app}:${toString port}";
key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}";
};
};
}
];
}; };
} }

59
nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,59 @@
services:
sonarr:
env: ENC[AES256_GCM,data:Lg92wQkiBY5gBZ2+ckLs7EBPo/0fEwqhEvnWcnU5quUMNlJeWnjWFqU8qu1TaW0Vmux/A/QgIJAiYgWnbQuD9benOR2swkt4+DazSeC+35VQOTbegVDrH4wiJikTHTtoKpgSKHLBQAy113jaDL/RBFRpsSjsXEsGGu+G+GZ1MFcW5hRbYam1o62NqOAG66efcIGXv8T+sD0ouLcN2g9ZjU2QqUqJqsGBtg1d0SIVj9bNW2vUHHmMtIQBTxfR6S5V3tzqjP2EfzaT/gDSPPJg,iv:e9/vpvTFDixP07fVXutIhJcAg8Qb9d7fVJNmn+XhMjU=,tag:7MAF0kHvcf5VDUMCpJATVA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYTlNSGpIclBoWVlWWDBz
ckVZQWdndVBreDRXV3k1UDhxR0Y4R1J5blNBCmh0RmtwbzMrcGxLL1FoQVBjSVUy
QUxPUXJmaFYxRXFFb0lTQ2JHd3M3aFUKLS0tIEZ6UWJOVXp1VE1XTnhzQVhGT2RS
MVhTTE1JbU5rZnZjUFI2NDNkRUEvY0EKxglGGpDa8xY9w9VKayRF2Oqjv+UhDiLY
3uPQWLasVcQviZE7AqG5n8azLTaX5DEoAOVFDCnhJYjU9NatXhcutw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdU84WkVMVWl2UXQ2WHN3
ZE1IbENMU0JlN0pPMTZSeHFPdW5mN1NhcUVRCkovcEJSNm9FWU9LdWk2aWRMbzJO
b3VoM0F5VWxSU2I1UU9lblMreXNvcjQKLS0tIG9hSVk4RzRzbVgyektXQ1lkcGF6
Q1FLdWZGOUFqWm9Hc0NDVUFFczlXYXcKxxWKSOrDUGld40zvDzsmMBOAexWoijDN
tBxJteEnSbTd+s93MDfuM+axeNR5Ak4+f/pEoLho5xjjn8f/fdlebA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdGV5ZU1ZSFNvaHpGRUFs
cWRkVWlMZUZrbDNLSlJJSUpZVkhKUHI3OVdnCk1pckRmbWJNMkdvOXZscE1sMFcw
QktRU0Foa2hNTU9tcUN0UmM0Y0h2TU0KLS0tIDY1c2lVb1Bnd1c0d1Y3NVMrYmVZ
UXJFb294d1Bqc3E0SUFjWmFqSjdka28K2cEgMCIxpzGe2Z1rgaWq+rWXKJvfsTi9
PFWywF6/E+9Egwrh98FspQAzYP/7zl+N8gjR5Pa+Scx2D2iOizXWfg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKallmeUFQMmRvNFZRbnho
SVYzYit2TWFSRnV6dVNjUzlSQ0ZhTEJUNEhjCmFmaEsvMkpPQVZBN0FLVVp1dzgv
Ym56YzhwcWdkNlVSbHA4cnQ2T2VVeXMKLS0tIENqdXZCaFNrZVpFVUIrakpsY1ZP
QUxPS3lqcTBISnByTXVWcWdtZWYwNXMK8FRzmS0q2l6MWUu0YreaqEnKKW085j4s
f1oTHPpErwPLuh3hUciUPFe5Mbm3zSdjBsGyQtxPF6xLtw8dFaDYBA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXg2S2R2M2tHYmllUXFZ
NkZzcTdRaU5RM29RQkdEQnpNWXowZUFoR3hZCm1TclN2K0FoQktVTzg4YkkyRUhC
NXRybXE5Ym1XYjF3cG53RitvK3VTR1kKLS0tIGtkZXFLWmJiRG81M2RyYzdXZUEx
M2tqQVZaUmNVbm9YZys0NUNpSk4vN3cKpkL37l/i3VD6zhWHK/ROvcvmCBQfifuw
EFYI+F+BTjkoptqIVFCDbATRrqSfOqsYPmEg5lM0e3Oul+vT++e0/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-06T21:26:23Z"
mac: ENC[AES256_GCM,data:ITWKix2aNhXzzzZTvq2sBPXO3Phvr+lS83fSwEbH7FTowD7uScxqAF4PMJ+txAfIpmZiaD5vXIK98YU9HOWRFUoOiYxdwVwfOiX63mB0JKj5jLHHeIe6bMaWfudITlIL9an6YO/qyUww9OVXaxYEmwOJI4W+HnMLbYLf5lGboEo=,iv:i8dddSV2W9FifN+ktwGsaYRRnK4UJtrG7g6LpWPtgu4=,tag:acP4YvJarHLCZUJ3dCFuOQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

27
nixos/modules/nixos/services/cockpit/default.nix
View file

@ -11,11 +11,32 @@ in
{ {
options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit"; options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";
config = mkIf cfg.enable { config.services.cockpit = mkIf cfg.enable {
services.cockpit.enable = true; enable = true;
services.cockpit.openFirewall = true; openFirewall = true;
package = pkgs.cockpit.overrideAttrs (old: {
# remove packagekit and selinux, don't work on NixOS
postBuild = ''
${old.postBuild}
rm -rf \
dist/packagekit \
dist/selinux
'';
});
}; };
config.environment = mkIf cfg.enable {
systemPackages = with pkgs;
[
(mkIf config.virtualisation.podman.enable nur.repos.procyon.cockpit-podman) # only if server runs pods
# nur.repos.dukzcry.cockpit-machines # TODO enable with virtualisation on server
# nur.repos.dukzcry.libvirt-dbus # TODO enable with virtualisation on server
# pkgs.virt-manager # TODO enable with virtualisation on server
];
};
} }

137
nixos/modules/nixos/services/homepage/default.nix
View file

@ -13,12 +13,121 @@ let
persistentFolder = "${config.mySystem.persistentFolder}/${app}"; persistentFolder = "${config.mySystem.persistentFolder}/${app}";
cfg = config.mySystem.services.homepage; cfg = config.mySystem.services.homepage;
settings = {
# title = "Hades";
# theme = "dark";
# color = "slate";
showStats = true;
};
settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings);
bookmarks = [
{
Administration = [
{ Source = [{ icon = "github.png"; href = "https://github.com/truxnell/nix-config"; }]; }
{ Cloudflare = [{ icon = "cloudflare.png"; href = "https://dash.cloudflare.com/"; }]; }
];
}
{
Development = [
{ CyberChef = [{ icon = "cyberchef.png"; href = "https://gchq.github.io/CyberChef/"; }]; }
{ "Nix Options Search" = [{ abbr = "NS"; href = "https://search.nixos.org/packages"; }]; }
{ "Doppler Secrets" = [{ abbr = "DP"; href = "https://dashboard.doppler.com"; }]; }
{ "onedr0p Containers" = [{ abbr = "OC"; href = "https://github.com/onedr0p/containers"; }]; }
{ "bjw-s Containers" = [{ abbr = "BC"; href = "https://github.com/bjw-s/container-images"; }]; }
];
}
];
bookmarksFile = builtins.toFile "homepage-bookmarks.yaml" (builtins.toJSON bookmarks);
widgets = [
{
resources = {
cpu = true;
memory = true;
cputemp = true;
uptime = true;
disk = "/";
units = "metric";
# label = "system";
};
}
{
search = {
provider = "duckduckgo";
target = "_blank";
};
}
];
widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets);
services = [
{ Infrastructure = cfg.infrastructure-services; }
{ Home = cfg.home-services; }
{ Media = cfg.media-services; }
];
servicesFile = builtins.toFile "homepage-config.yaml" (builtins.toJSON services);
in in
{ {
options.mySystem.services.homepage.enable = mkEnableOption "Homepage dashboard"; options.mySystem.services.homepage = {
enable = mkEnableOption "Homepage dashboard";
infrastructure-services = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Services to add to the infrastructure column";
default = [ ];
};
home-services = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Services to add to the infrastructure column";
default = [ ];
};
media-services = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Services to add to the infrastructure column";
default = [ ];
};
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
sops.secrets."services/sonarr/env" = {
# configure secret for forwarding rules
sopsFile = ../arr/sonarr/secrets.sops.yaml;
owner = "kah";
group = "kah";
restartUnits = [ "podman-${app}.service" ];
};
sops.secrets."services/radarr/env" = {
# configure secret for forwarding rules
sopsFile = ../arr/radarr/secrets.sops.yaml;
owner = "kah";
group = "kah";
restartUnits = [ "podman-${app}.service" ];
};
sops.secrets."services/lidarr/env" = {
# configure secret for forwarding rules
sopsFile = ../arr/lidarr/secrets.sops.yaml;
owner = "kah";
group = "kah";
restartUnits = [ "podman-${app}.service" ];
};
sops.secrets."services/readarr/env" = {
# configure secret for forwarding rules
sopsFile = ../arr/readarr/secrets.sops.yaml;
owner = "kah";
group = "kah";
restartUnits = [ "podman-${app}.service" ];
};
sops.secrets."services/prowlarr/env" = {
# configure secret for forwarding rules
sopsFile = ../arr/prowlarr/secrets.sops.yaml;
owner = "kah";
group = "kah";
restartUnits = [ "podman-${app}.service" ];
};
# ensure folder exist and has correct owner/group # ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
@ -27,23 +136,43 @@ in
virtualisation.oci-containers.containers.${app} = { virtualisation.oci-containers.containers.${app} = {
image = "${image}"; image = "${image}";
user = "${user}:${group}"; user = "${user}:${group}";
environment = { environment = {
UMASK = "002"; UMASK = "002";
PUID = "${user}"; PUID = "${user}";
PGID = "${group}"; PGID = "${group}";
}; };
environmentFiles = [
config.sops.secrets."services/sonarr/env".path
config.sops.secrets."services/radarr/env".path
config.sops.secrets."services/readarr/env".path
config.sops.secrets."services/lidarr/env".path
config.sops.secrets."services/prowlarr/env".path
];
labels = { labels = {
"traefik.enable" = "true"; "traefik.enable" = "true";
"traefik.http.routers.${app}.entrypoints" = "websecure"; "traefik.http.routers.${app}.entrypoints" = "websecure";
"traefik.http.routers.${app}.middlewares" = "local-only@file"; "traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
}; };
# mount socket for service discovery. # not using docker socket for discovery, just
# building up the apps from a shared key
# this is a bit more tedious, but more secure
# from not exposing docker socet and makes it
# easier to have/move services between hosts
volumes = [ volumes = [
"${persistentFolder}:/app/config:rw" "/etc/localtime:/etc/localtime:ro"
"/var/run/podman/podman.sock:/var/run/docker.sock:ro" # TODO abstract out podman/docker socket "${persistentFolder}:/app/config/logs:rw"
"${settingsFile}:/app/config/settings.yaml"
"${servicesFile}:/app/config/services.yaml"
"${bookmarksFile}:/app/config/bookmarks.yaml"
"${widgetsFile}:/app/config/widgets.yaml"
]; ];
}; };
}; };
} }

13
nixos/modules/nixos/services/podman/default.nix
View file

@ -18,6 +18,12 @@ in
dockerCompat = true; dockerCompat = true;
extraPackages = [ pkgs.zfs ]; extraPackages = [ pkgs.zfs ];
# regular cleanup
autoPrune.enable = true;
autoPrune.dates = "weekly";
# and add dns
defaultNetwork.settings = { defaultNetwork.settings = {
dns_enabled = true; dns_enabled = true;
}; };
@ -27,7 +33,14 @@ in
}; };
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ]; networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
# extra user for containers
users.users.kah = {
uid = 568;
group = "kah";
};
users.groups.kah = { };
}; };
} }

1
nixos/profiles/role-server.nix
View file

@ -14,6 +14,7 @@ with lib;
mySystem.services.promMonitoring.enable = true; mySystem.services.promMonitoring.enable = true;
mySystem.services.rebootRequiredCheck.enable = true; mySystem.services.rebootRequiredCheck.enable = true;
mySystem.security.wheelNeedsSudoPassword = false; mySystem.security.wheelNeedsSudoPassword = false;
mySystem.services.cockpit.enable = true;
nix.settings = { nix.settings = {
# TODO factor out into mySystem # TODO factor out into mySystem

1
nixos/profiles/role-worstation.nix
View file

@ -15,6 +15,7 @@ with config;
# Lets see if fish everywhere is OK on the pi's # Lets see if fish everywhere is OK on the pi's
# TODO decide if i drop to bash on pis? # TODO decide if i drop to bash on pis?
shell.fish.enable = true; shell.fish.enable = true;
services.cockpit.enable = true;
nfs.nas.enable = true; nfs.nas.enable = true;
}; };