From db85aeb0443e3142825ee7d77518781c66f34b43 Mon Sep 17 00:00:00 2001
From: Nickolaj Jepsen
Date: Wed, 23 Apr 2025 00:02:00 +0200
Subject: [PATCH] feat: last bits of server setup
---
hosts/homelab/arr.nix | 64 ++++++++++++++++++
hosts/homelab/docker-compose-out.sh | 8 ---
hosts/homelab/flame.nix | 2 +
hosts/homelab/home-assistant.nix | 7 +-
hosts/homelab/nextcloud.nix | 32 +++++++++
hosts/homelab/plex.nix | 2 +
hosts/homelab/postgres.nix | 8 +++
hosts/homelab/restic.nix | 13 +++-
hosts/homelab/vaultwarden.nix | 29 ++++----
...5fafd0556e65983d3-nextcloud-admin-pass.age | 8 +++
...461da4e405ecdef56b69d89-arr-basic-auth.age | 8 +++
.../hosts/homelab/nextcloud-admin-pass.age | Bin 0 -> 357 bytes
12 files changed, 157 insertions(+), 24 deletions(-)
create mode 100644 hosts/homelab/arr.nix
delete mode 100644 hosts/homelab/docker-compose-out.sh
create mode 100644 hosts/homelab/nextcloud.nix
create mode 100644 hosts/homelab/postgres.nix
create mode 100644 secrets/hosts/homelab/.rekey/8d65b3a47f9c2735fafd0556e65983d3-nextcloud-admin-pass.age
create mode 100644 secrets/hosts/homelab/.rekey/ce1e98e4b461da4e405ecdef56b69d89-arr-basic-auth.age
create mode 100644 secrets/hosts/homelab/nextcloud-admin-pass.age
diff --git a/hosts/homelab/arr.nix b/hosts/homelab/arr.nix
new file mode 100644
index 0000000..7985fb6
--- /dev/null
+++ b/hosts/homelab/arr.nix
@@ -0,0 +1,64 @@
+{
+ config,
+ username,
+ ...
+}: let
+ user = "media";
+ group = "media";
+
+ mkVirtualHost = port: {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ };
+ basicAuthFile = "${config.age.secrets.arr-basic-auth.path}";
+ };
+in {
+ # for linux ISOs
+ age.secrets = {
+ arr-basic-auth = {
+ rekeyFile = ../../secrets/hosts/homelab/basic-auth.age;
+ owner = config.services.nginx.user;
+ inherit (config.services.nginx) group;
+ };
+ };
+
+ users.groups."${group}" = {
+ members = [username];
+ };
+ users.users."${user}" = {
+ inherit group;
+ isSystemUser = true;
+ };
+
+ services = {
+ nginx.virtualHosts = {
+ "radarr.nickolaj.com" = mkVirtualHost 7878;
+ "sonarr.nickolaj.com" = mkVirtualHost 8989;
+ "prowlarr.nickolaj.com" = mkVirtualHost 9696;
+ "sabnzbd.nickolaj.com" = mkVirtualHost 8080;
+ };
+
+ restic.backups.homelab.paths = [
+ "/var/lib/radarr"
+ "/var/lib/sonarr"
+ "/var/lib/prowlarr"
+ "/var/lib/sabnzbd"
+ ];
+
+ sabnzbd = {
+ inherit user group;
+ enable = true;
+ };
+ radarr = {
+ inherit user group;
+ enable = true;
+ };
+ sonarr = {
+ inherit user group;
+ enable = true;
+ };
+ prowlarr.enable = true;
+ };
+}
diff --git a/hosts/homelab/docker-compose-out.sh b/hosts/homelab/docker-compose-out.sh
deleted file mode 100644
index 31c4b6b..0000000
--- a/hosts/homelab/docker-compose-out.sh
+++ /dev/null
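Review bot: The basic-auth gate added by `mkVirtualHost` in hosts/homelab/arr.nix only covers requests that pass through nginx. Nothing in the new file binds radarr, sonarr, prowlarr or sabnzbd to loopback, so if the services listen on all interfaces (I believe that is the *arr default) ports 7878, 8989, 9696 and 8080 are shielded only by the host firewall. I would record that dependency next to the helper, e.g. `# basic auth is enforced by nginx only; the backends on these ports must stay closed in the firewall (no openFirewall)`. The comment `# for linux ISOs` sits above `age.secrets` and does not describe the secret; a line saying the htpasswd file is shared by all four vhosts and owned by the nginx user would serve the next reader better.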
@@ -1,8 +0,0 @@ -CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES -8dbebe22375a lscr.io/linuxserver/radarr:latest "/init" 13 hours ago Up 15 minutes 7878/tcp deployment-radarr-1 -b445f1a00c58 lscr.io/linuxserver/prowlarr:latest "/init" 13 hours ago Up 15 minutes 9696/tcp deployment-prowlarr-1 -8ae82963dbcc lscr.io/linuxserver/sonarr:latest "/init" 37 hours ago Up 15 minutes 8989/tcp deployment-sonarr-1 -44e019b912ea ghcr.io/open-webui/open-webui:ollama "bash start.sh" 37 hours ago Up 15 minutes (healthy) 8080/tcp open-webui -65956cc9ab2b lscr.io/linuxserver/sabnzbd:latest "/init" 3 days ago Up 15 minutes 8080/tcp deployment-sabnzbd-1 -bdddf0848dc3 lscr.io/linuxserver/bazarr:latest "/init" 4 days ago Up 15 minutes 6767/tcp deployment-bazarr-1 -b1492d62fcb0 nextcloud:latest "/entrypoint.sh apac…" 9 days ago Up 15 minutes 80/tcp deployment-nextcloud-1 diff --git a/hosts/homelab/flame.nix b/hosts/homelab/flame.nix index 80feda9..9e4f5e5 100644 --- a/hosts/homelab/flame.nix +++ b/hosts/homelab/flame.nix @@ -2,6 +2,8 @@ _: let dataDir = "/var/lib/flame"; domain = "flame.nickolaj.com"; in { + services.restic.backups.homelab.paths = [dataDir]; + services.nginx.virtualHosts."${domain}" = { enableACME = true; forceSSL = true; diff --git a/hosts/homelab/home-assistant.nix b/hosts/homelab/home-assistant.nix index 3818da1..7e8d88b 100644 --- a/hosts/homelab/home-assistant.nix +++ b/hosts/homelab/home-assistant.nix @@ -5,7 +5,7 @@ ... }: let mosquittoPort = 1883; - zigbee2mqttPort = 8080; + zigbee2mqttPort = 8180; homeAssistantPort = 8123; in { age.secrets = { @@ -29,6 +29,11 @@ in { ]; services = { + restic.backups.homelab.paths = [ + config.services.zigbee2mqtt.dataDir + config.services.home-assistant.configDir + ]; + nginx.virtualHosts = { "zigbee.nickolaj.com" = { enableACME = true; diff --git a/hosts/homelab/nextcloud.nix b/hosts/homelab/nextcloud.nix new file mode 100644 index 0000000..b5c6b9b --- /dev/null +++ b/hosts/homelab/nextcloud.nix 
@@ -0,0 +1,32 @@ +{ + config, + pkgs, + ... +}: { + age.secrets.nextcloud-admin-pass = { + rekeyFile = ../../secrets/hosts/homelab/nextcloud-admin-pass.age; + owner = "nextcloud"; + group = "nextcloud"; + }; + + services = { + restic.backups.homelab.paths = [config.services.nextcloud.home]; + + nginx.virtualHosts.${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + }; + + nextcloud = { + package = pkgs.nextcloud31; + enable = true; + https = true; + database.createLocally = true; + hostName = "nextcloud.nickolaj.com"; + config = { + adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; + dbtype = "pgsql"; + }; + }; + }; +} diff --git a/hosts/homelab/plex.nix b/hosts/homelab/plex.nix index 0fb1d68..58bb8c7 100644 --- a/hosts/homelab/plex.nix +++ b/hosts/homelab/plex.nix @@ -14,5 +14,7 @@ in { services.plex = { enable = true; openFirewall = true; + user = "media"; + group = "media"; }; } diff --git a/hosts/homelab/postgres.nix b/hosts/homelab/postgres.nix new file mode 100644 index 0000000..29fd3da --- /dev/null +++ b/hosts/homelab/postgres.nix @@ -0,0 +1,8 @@ +{config, ...}: { + services = { + restic.backups.homelab.paths = [config.services.postgresqlBackup.location]; + + postgresql.enable = true; + postgresqlBackup.enable = true; + }; +} \ No newline at end of file diff --git a/hosts/homelab/restic.nix b/hosts/homelab/restic.nix index 9228422..97e1cff 100644 --- a/hosts/homelab/restic.nix +++ b/hosts/homelab/restic.nix 
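Review bot: `adminpassFile` in the `nextcloud.config` block of hosts/homelab/nextcloud.nix is, as far as I know, read only when the module performs the first install, so rekeying or changing `nextcloud-admin-pass.age` later will not change the admin password, and the file gives no hint of that. A comment above the line would prevent a false sense of rotation: `# used only for the initial install; rotate the admin password inside Nextcloud, then update the secret to match`. `adminuser` is not set either, so the account keeps the module's default name; stating the intended name explicitly would make the configuration self-describing.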
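Review bot: The dump written by `postgresqlBackup` in hosts/homelab/postgres.nix and the restic job that uploads `config.services.postgresqlBackup.location` run on independent timers. restic.nix in this patch sets `OnCalendar = "daily"`, which fires at midnight, while the dump's `startAt` is left at the module default, which I believe is 01:15. If so, every snapshot carries a database dump that is almost a day old, and a restore of Nextcloud's files and database would not line up. Scheduling the dump shortly before the snapshot, e.g. `postgresqlBackup.startAt = "*-*-* 23:30:00";`, closes the gap. The file also ends without a trailing newline.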
@@ -10,10 +10,19 @@ age.secrets.restic-password.rekeyFile = ../../secrets/hosts/homelab/restic-password.age; age.secrets.restic-env.rekeyFile = ../../secrets/hosts/homelab/restic-env.age; - services.restic.backups.server = { + services.restic.backups.homelab = { repository = "b2:fireproof-backup"; - timerConfig = null; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; passwordFile = "${config.age.secrets.restic-password.path}"; environmentFile = "${config.age.secrets.restic-env.path}"; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; }; } diff --git a/hosts/homelab/vaultwarden.nix b/hosts/homelab/vaultwarden.nix index 7c9596e..6336076 100644 --- a/hosts/homelab/vaultwarden.nix +++ b/hosts/homelab/vaultwarden.nix @@ -1,21 +1,24 @@ {config, ...}: let domain = "bitwarden.nickolaj.com"; in { - services.vaultwarden = { - enable = true; - config = { - DOMAIN = "https://${domain}"; - SIGNUPS_ALLOWED = false; - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = 8222; + services = { + vaultwarden = { + enable = true; + config = { + DOMAIN = "https://${domain}"; + SIGNUPS_ALLOWED = false; + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8222; + }; }; - }; + restic.backups.homelab.paths = ["/var/lib/vaultwarden"]; - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://${toString config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}"; + nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://${toString config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}"; + }; }; }; } 
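Review bot: With `pruneOpts` set on `services.restic.backups.homelab`, the credentials in `restic-env` have to be allowed to delete objects in `b2:fireproof-backup`, so a compromise of the homelab host can also erase that host's backups. Retention enforced on the bucket side (object lock or a lifecycle rule), or pruning from a separate trusted machine with an upload-only key on this host, keeps the snapshots out of reach of the machine they protect. At minimum I would add a comment above the list, `# prune needs a B2 key with delete rights; bucket-side retention is what protects these snapshots if this host is compromised`. The hunk also adds no integrity check (`checkOpts` is unset), so a damaged repository would only be noticed at restore time. The attribute set this block belongs to starts outside the hunk.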
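Review bot: `restic.backups.homelab.paths = ["/var/lib/vaultwarden"];` in hosts/homelab/vaultwarden.nix hard-codes the state directory, unlike home-assistant.nix and nextcloud.nix in this patch, which take their paths from module options. Depending on `system.stateVersion` the NixOS module may still keep its data under /var/lib/bitwarden_rs (not verifiable from this hunk), in which case the password vault would be missing from the snapshots without an obvious error. Copying a live SQLite file can also yield an inconsistent database. Setting `services.vaultwarden.backupDir` and backing up that directory, `restic.backups.homelab.paths = [config.services.vaultwarden.backupDir];`, addresses both.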
diff --git a/secrets/hosts/homelab/.rekey/8d65b3a47f9c2735fafd0556e65983d3-nextcloud-admin-pass.age b/secrets/hosts/homelab/.rekey/8d65b3a47f9c2735fafd0556e65983d3-nextcloud-admin-pass.age new file mode 100644 index 0000000..6ba27d4 --- /dev/null +++ b/secrets/hosts/homelab/.rekey/8d65b3a47f9c2735fafd0556e65983d3-nextcloud-admin-pass.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 uxq+Zw T3iQeydf5m2cmRY0H8hzJ5wKdknvri4LRHEPQoPfUhc +ah+IZpsTRcR/J8P+hR7kpbjRzr8XtUgDNWviC49itDU +-> r{-grease +WyHSFZU6HctEZe+MQcQD94ETzxHCgV0VpmxG5Lzju9XU7jfpWrFBIOwaJ9L61/YB +AvvGhmY1GQ +--- 35NN+MmHUk0uPB2at7SM47scGl6FL1zdBo7eGbV9vU4 +<+:G P,:aL-XJV0S1&4f \ No newline at end of file diff --git a/secrets/hosts/homelab/.rekey/ce1e98e4b461da4e405ecdef56b69d89-arr-basic-auth.age b/secrets/hosts/homelab/.rekey/ce1e98e4b461da4e405ecdef56b69d89-arr-basic-auth.age new file mode 100644 index 0000000..2e79199 --- /dev/null +++ b/secrets/hosts/homelab/.rekey/ce1e98e4b461da4e405ecdef56b69d89-arr-basic-auth.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 uxq+Zw /8gmkIvDLrzwMr3XyUlVji+st35d1fT6YZDCxSRPWkM +tf9Hl+UAlYUWBvtUsSmVcTkjjrHQa3cUgIKa81xiyYA +-> >rf&x@Sl-grease +kUUirnVM0mh3+S9KGWoeL4PhgIXVCd7FQQ+tjwySVoFtJrlFC335TwccCLHaU+nw +l0Hta7Xfj5JGr80AXvhACRN7JkNF0bseJPoCyiG1hPrpspUGh3im9A +--- DJlEK7SM/SUwiYXD/tpfxpEvmpsqchdYSUaZfOe93Fo +yvծ*RNGa̼ {,[zql'p_~|'eO۔v䮕(`3G`BLbΐ6SsWq ZsK>| \ No newline at end of file 
diff --git a/secrets/hosts/homelab/nextcloud-admin-pass.age b/secrets/hosts/homelab/nextcloud-admin-pass.age new file mode 100644 index 0000000000000000000000000000000000000000..f24ab3835300756ba614510bbe742daf60be76f4 GIT binary patch literal 357 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{Z1caIHvADzq#sbPq4_HOnq_ zNpq>pF*Wk=cQ!W-H7nNFPmFXk^U@D?F6S!Ca5b~Y@%QyF@(nfe_B6;b$_y^ePD#%V z&Q8s6a|+EgE{M!=4bpeY4+Ys!kXfc%U}S2hP-yJq7gny|sGnbuo)~0NoSTtcSP^2G znUQapnptWQ?5Ax|UYKkd>Fb+XP?~FLr0E;&*vdd1TQpr&_y(l%YI8`A;q0~UZ*ezAnK_M=e%Q)Z2 zIMK4SluK7vS0Okz+}qfz!qqZNKf=s6G$1%TG|M+2FQOvL(=}Y%BE`!y&@DVLJJh?< zlZ$P^l;57#Q|G==e;_yU6bn;+vXw~Tf>jKvZ}M+3zBsfiq~nm^{Wr@u?3@Y!Y7}>5 literal 0 HcmV?d00001