feat: last bits of server setup

2026-01-22 08:06:50 +01:00 · 2025-04-23 00:02:00 +02:00 · 2025-04-23 00:02:00 +02:00 · db85aeb044
commit db85aeb044
parent 9ef90f8dba
12 changed files with 157 additions and 24 deletions
--- a/hosts/homelab/arr.nix
+++ b/hosts/homelab/arr.nix
@ -0,0 +1,64 @@
 {
  config,
  username,
  ...
 }: let
  user = "media";
  group = "media";
  mkVirtualHost = port: {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:${toString port}";
    };
    basicAuthFile = "${config.age.secrets.arr-basic-auth.path}";
  };
 in {
  # for linux ISOs
  age.secrets = {
    arr-basic-auth = {
      rekeyFile = ../../secrets/hosts/homelab/basic-auth.age;
      owner = config.services.nginx.user;
      inherit (config.services.nginx) group;
    };
  };
  users.groups."${group}" = {
    members = [username];
  };
  users.users."${user}" = {
    inherit group;
    isSystemUser = true;
  };
  services = {
    nginx.virtualHosts = {
      "radarr.nickolaj.com" = mkVirtualHost 7878;
      "sonarr.nickolaj.com" = mkVirtualHost 8989;
      "prowlarr.nickolaj.com" = mkVirtualHost 9696;
      "sabnzbd.nickolaj.com" = mkVirtualHost 8080;
    };
    restic.backups.homelab.paths = [
      "/var/lib/radarr"
      "/var/lib/sonarr"
      "/var/lib/prowlarr"
      "/var/lib/sabnzbd"
    ];
    sabnzbd = {
      inherit user group;
      enable = true;
    };
    radarr = {
      inherit user group;
      enable = true;
    };
    sonarr = {
      inherit user group;
      enable = true;
    };
    prowlarr.enable = true;
  };
 }
--- a/hosts/homelab/docker-compose-out.sh
+++ b/hosts/homelab/docker-compose-out.sh
@ -1,8 +0,0 @@
 CONTAINER ID   IMAGE                                             COMMAND                  CREATED        STATUS                            PORTS                                                                                                                                                                                                                               NAMES
 8dbebe22375a   lscr.io/linuxserver/radarr:latest                 "/init"                  13 hours ago   Up 15 minutes                     7878/tcp                                                                                                                                                                                                                            deployment-radarr-1
 b445f1a00c58   lscr.io/linuxserver/prowlarr:latest               "/init"                  13 hours ago   Up 15 minutes                     9696/tcp                                                                                                                                                                                                                            deployment-prowlarr-1
 8ae82963dbcc   lscr.io/linuxserver/sonarr:latest                 "/init"                  37 hours ago   Up 15 minutes                     8989/tcp                                                                                                                                                                                                                            deployment-sonarr-1
 44e019b912ea   ghcr.io/open-webui/open-webui:ollama              "bash start.sh"          37 hours ago   Up 15 minutes (healthy)           8080/tcp                                                                                                                                                                                                                            open-webui
 65956cc9ab2b   lscr.io/linuxserver/sabnzbd:latest                "/init"                  3 days ago     Up 15 minutes                     8080/tcp                                                                                                                                                                                                                            deployment-sabnzbd-1
 bdddf0848dc3   lscr.io/linuxserver/bazarr:latest                 "/init"                  4 days ago     Up 15 minutes                     6767/tcp                                                                                                                                                                                                                            deployment-bazarr-1
 b1492d62fcb0   nextcloud:latest                                  "/entrypoint.sh apac…"   9 days ago     Up 15 minutes                     80/tcp                                                                                                                                                                                                                              deployment-nextcloud-1
--- a/hosts/homelab/flame.nix
+++ b/hosts/homelab/flame.nix
@ -2,6 +2,8 @@ _: let
  dataDir = "/var/lib/flame";
  domain = "flame.nickolaj.com";
 in {
  services.restic.backups.homelab.paths = [dataDir];
  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
    forceSSL = true;
--- a/hosts/homelab/home-assistant.nix
+++ b/hosts/homelab/home-assistant.nix
@ -5,7 +5,7 @@
  ...
 }: let
  mosquittoPort = 1883;
-  zigbee2mqttPort = 8080;
+  zigbee2mqttPort = 8180;
  homeAssistantPort = 8123;
 in {
  age.secrets = {
@ -29,6 +29,11 @@ in {
  ];
  services = {
    restic.backups.homelab.paths = [
      config.services.zigbee2mqtt.dataDir
      config.services.home-assistant.configDir
    ];
    nginx.virtualHosts = {
      "zigbee.nickolaj.com" = {
        enableACME = true;
--- a/hosts/homelab/nextcloud.nix
+++ b/hosts/homelab/nextcloud.nix
@ -0,0 +1,32 @@
 {
  config,
  pkgs,
  ...
 }: {
  age.secrets.nextcloud-admin-pass = {
    rekeyFile = ../../secrets/hosts/homelab/nextcloud-admin-pass.age;
    owner = "nextcloud";
    group = "nextcloud";
  };
  services = {
    restic.backups.homelab.paths = [config.services.nextcloud.home];
    nginx.virtualHosts.${config.services.nextcloud.hostName} = {
      forceSSL = true;
      enableACME = true;
    };
    nextcloud = {
      package = pkgs.nextcloud31;
      enable = true;
      https = true;
      database.createLocally = true;
      hostName = "nextcloud.nickolaj.com";
      config = {
        adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
        dbtype = "pgsql";
      };
    };
  };
 }
--- a/hosts/homelab/plex.nix
+++ b/hosts/homelab/plex.nix
@ -14,5 +14,7 @@ in {
  services.plex = {
    enable = true;
    openFirewall = true;
    user = "media";
    group = "media";
  };
 }
--- a/hosts/homelab/postgres.nix
+++ b/hosts/homelab/postgres.nix
@ -0,0 +1,8 @@
 {config, ...}: {
  services = {
    restic.backups.homelab.paths = [config.services.postgresqlBackup.location];
    postgresql.enable = true;
    postgresqlBackup.enable = true;
  };
 }
--- a/hosts/homelab/restic.nix
+++ b/hosts/homelab/restic.nix
@ -10,10 +10,19 @@
  age.secrets.restic-password.rekeyFile = ../../secrets/hosts/homelab/restic-password.age;
  age.secrets.restic-env.rekeyFile = ../../secrets/hosts/homelab/restic-env.age;
-  services.restic.backups.server = {
+  services.restic.backups.homelab = {
    repository = "b2:fireproof-backup";
-    timerConfig = null;
+    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };
    passwordFile = "${config.age.secrets.restic-password.path}";
    environmentFile = "${config.age.secrets.restic-env.path}";
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 75"
    ];
  };
 }
--- a/hosts/homelab/vaultwarden.nix
+++ b/hosts/homelab/vaultwarden.nix
@ -1,21 +1,24 @@
 {config, ...}: let
  domain = "bitwarden.nickolaj.com";
 in {
-  services.vaultwarden = {
+  services = {
-    enable = true;
+    vaultwarden = {
-    config = {
+      enable = true;
-      DOMAIN = "https://${domain}";
+      config = {
-      SIGNUPS_ALLOWED = false;
+        DOMAIN = "https://${domain}";
-      ROCKET_ADDRESS = "127.0.0.1";
+        SIGNUPS_ALLOWED = false;
-      ROCKET_PORT = 8222;
+        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;
      };
    };
-  };
+    restic.backups.homelab.paths = ["/var/lib/vaultwarden"];
-  services.nginx.virtualHosts."${domain}" = {
+    nginx.virtualHosts."${domain}" = {
-    enableACME = true;
+      enableACME = true;
-    forceSSL = true;
+      forceSSL = true;
-    locations."/" = {
+      locations."/" = {
-      proxyPass = "http://${toString config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+        proxyPass = "http://${toString config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
      };
    };
  };
 }
--- a/secrets/hosts/homelab/.rekey/8d65b3a47f9c2735fafd0556e65983d3-nextcloud-admin-pass.age
+++ b/secrets/hosts/homelab/.rekey/8d65b3a47f9c2735fafd0556e65983d3-nextcloud-admin-pass.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw T3iQeydf5m2cmRY0H8hzJ5wKdknvri4LRHEPQoPfUhc
 ah+IZpsTRcR/J8P+hR7kpbjRzr8XtUgDNWviC49itDU
 -> r{-grease
 WyHSFZU6HctEZe+MQcQD94ETzxHCgV0VpmxG5Lzju9XU7jfpWrFBIOwaJ9L61/YB
 AvvGhmY1GQ
 --- 35NN+MmHUk0uPB2at7SM47scGl6FL1zdBo7eGbV9vU4
 <+å:ÁÉGµ P,:aL-î÷ìþXJØVµÖú0Sö1&4›f<E280BA>ßìÄÕ
--- a/secrets/hosts/homelab/.rekey/ce1e98e4b461da4e405ecdef56b69d89-arr-basic-auth.age
+++ b/secrets/hosts/homelab/.rekey/ce1e98e4b461da4e405ecdef56b69d89-arr-basic-auth.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 uxq+Zw /8gmkIvDLrzwMr3XyUlVji+st35d1fT6YZDCxSRPWkM
 tf9Hl+UAlYUWBvtUsSmVcTkjjrHQa3cUgIKa81xiyYA
 -> >rf&x@Sl-grease
 kUUirnVM0mh3+S9KGWoeL4PhgIXVCd7FQQ+tjwySVoFtJrlFC335TwccCLHaU+nw
 l0Hta7Xfj5JGr80AXvhACRN7JkNF0bseJPoCyiG1hPrpspUGh3im9A
 --- DJlEK7SM/SUwiYXD/tpfxpEvmpsqchdYSUaZfOe93Fo
 y<EFBFBD>vÕ®¯ë*R¢NG‹aÈÌ¼“ª£ñ¡ç»ô	 {,Á„§€Ùã[zqùÀØl÷'þp_¨~”£|©'eOºÃÛ”vä®•(`—3¤ËGˆÀ„á`ÙBLÖb—´˜Î<CB9C>¬š²…6›ÿÝéÛÎSÕsWqZÏÇs¨‘K>|
--- a/secrets/hosts/homelab/nextcloud-admin-pass.age
+++ b/secrets/hosts/homelab/nextcloud-admin-pass.age