Merge pull request #462 from genebean/immich_backup

A whole mess of changes to nixnuc
2026-03-27 01:17:42 -04:00 · 2024-12-02 07:02:07 -05:00 · 2024-12-02 07:02:07 -05:00 · 4713174bb6
commit 4713174bb6
parent f77df80fc6 6bdb6f094d
3 changed files with 113 additions and 15 deletions
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@ -73,16 +73,26 @@ in {

  networking = {
    # Open ports in the firewall.
-    firewall.allowedTCPPorts = [
-      22 # ssh
-      80 # http to local Nginx
-      443 # https to local Nginx
-      3000 # PsiTransfer in oci-container
-      8080 # Tandoor in docker compose
-      8090 # Wallabag in docker compose
-      13378 # Audiobookshelf in oci-container
-    ];
-    # firewall.allowedUDPPorts = [ ... ];
+    firewall = {
+      allowedTCPPorts = [
+        22    # ssh
+        80    # http to local Nginx
+        443   # https to local Nginx
+        3000  # PsiTransfer in oci-container
+        3030  # Forgejo
+        8001  # Tube Archivist
+        8080  # Tandoor in docker compose
+        8384  # Syncthing gui
+        8888  # Atuin
+        8090  # Wallabag in docker compose
+        13378 # Audiobookshelf in oci-container
+        22000 # Syncthing transfers
+      ];
+      allowedUDPPorts = [
+        21027 # Syncthing discovery
+        22000 # Syncthing transfers
+      ];
+    };
    # Or disable the firewall altogether.
    # firewall.enable = false;

@ -126,6 +136,11 @@ in {

  # List services that you want to enable:
  services = {
+    atuin = {
+      enable = true;
+      host = "127.0.0.1";
+      maxHistoryLength = 2000000000;
+    };
    ##
    ## Gandi (gandi.net)
    ##
@ -150,12 +165,60 @@ in {
      '';
      passwordFile = "${config.sops.secrets.gandi_api.path}";
    };
+    forgejo = {
+      enable = true;
+      database.type = "postgres";
+      lfs.enable = true;
+      settings = {
+        # Add support for actions, based on act: https://github.com/nektos/act
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        DEFAULT.APP_NAME = "Beantown's Code";
+        repository = {
+          DEFAULT_PUSH_CREATE_PRIVATE = true;
+          ENABLE_PUSH_CREATE_ORG = true;
+          ENABLE_PUSH_CREATE_USER = true;
+        };
+        server = {
+          DOMAIN = "git.${home_domain}";
+          HTTP_PORT = 3030;
+          LANDING_PAGE = "explore";
+          ROOT_URL = "https://git.${home_domain}/";
+        };
+        service.DISABLE_REGISTRATION = true;
+        session.COOKIE_SECURE = true;
+      };
+      stateDir = "/orico/forgejo";
+    };
    fwupd.enable = true;
    jellyfin = {
      enable = true;
      openFirewall = true;
    };
    lldpd.enable = true;
+    mealie = {
+      enable = true;
+      credentialsFile = config.sops.secrets.mealie.path;
+      listenAddress = "0.0.0.0";
+      port = 9000;
+      settings = {
+        ALLOW_SIGNUP = "false";
+        BASE_URL = "https://mealie.${home_domain}";
+        DATA_DIR = "/var/lib/mealie";
+        DB_ENGINE = "postgres";
+        POSTGRES_USER = "mealie";
+        POSTGRES_DB = "mealie";
+        POSTGRES_SERVER = "localhost";
+        POSTGRES_PORT = config.services.postgresql.settings.port;
+        SMTP_HOST = "localhost";
+        SMTP_PORT = 25;
+        SMTP_FROM_NAME = "Mealie";
+        SMTP_FROM_EMAIL = "mealie@${home_domain}";
+        SMTP_AUTH_STRATEGY = "NONE";
+      };
+    };
    nextcloud = {
      enable = true;
      hostName = "nextcloud.home.technicalissues.us";
@ -281,7 +344,17 @@ in {
          enableACME = true;
          acmeRoot = null;
          forceSSL = true;
-          locations."/".proxyPass = "http://${mini_watcher}:9999";
+          locations."/".proxyPass = "http://${backend_ip}:8888";
+        };
+        "git.${home_domain}" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${backend_ip}:3030";
+          extraConfig = ''
+            client_max_body_size 0;
+          '';
        };
        "immich.${home_domain}" = {
          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
@ -297,6 +370,16 @@ in {
            send_timeout       600s;
          '';
        };
+        "mealie.${home_domain}" = {
+          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+          enableACME = true;
+          acmeRoot = null;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${backend_ip}:9000";
+          extraConfig = ''
+            client_max_body_size 10M;
+          '';
+        };
        "nc.${home_domain}" = {
          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
          enableACME = true;
@ -358,13 +441,22 @@ in {
    };
    resolved.enable = true;
    restic.backups.daily.paths = [
+      config.services.forgejo.stateDir
+      config.services.mealie.settings.DATA_DIR
      config.services.nextcloud.home
      "${config.users.users.${username}.home}/compose-files/tandoor"
      "${config.users.users.${username}.home}/compose-files/wallabag"
+      "/orico/immich/library"
      "/orico/jellyfin/data"
      "/orico/jellyfin/staging/downloaded-files"
      "/var/backup/postgresql"
    ];
+    syncthing = {
+      enable = true;
+      dataDir = "/orico/syncthing";
+      openDefaultPorts = true;
+      guiAddress = "0.0.0.0:8384";
+    };
    tandoor-recipes = {
      enable = true;
      address = "0.0.0.0";
@ -406,6 +498,7 @@ in {
        owner = "${username}";
        path = "/home/${username}/.private-env";
      };
+      mealie.mode = "0444";
      nextcloud_admin_pass.owner = config.users.users.nextcloud.name;
      tandoor_db_pass.mode = "0444";
      tandoor_db_pass.path = "/orico/tandoor-recipes/.dbpass";
@ -415,6 +508,10 @@ in {
  };

  systemd.services = {
+    "mealie" = {
+      requires = ["postgresql.service"];
+      after = ["postgresql.service"];
+    };
    "nextcloud-setup" = {
      requires = ["postgresql.service"];
      after = ["postgresql.service"];
--- a/modules/hosts/nixos/nixnuc/secrets.yaml
+++ b/modules/hosts/nixos/nixnuc/secrets.yaml
@ -1,6 +1,7 @@
 tailscale_key: ENC[AES256_GCM,data:aB3KUD4QYm+ZDrjjLcU3gQ8kneVGkVYBsrkVcioOhxunal2FekLDrpKxJwNXuiwx2M5vipnGAEPO,iv:e+tPPfVYkv4U0KRGwspWb1O3ZQom/WFFGm9H9cd/KKE=,tag:ZG5z1C18bj1L7DcGzunQ0w==,type:str]
 local_git_config: ENC[AES256_GCM,data:Nqwog5C4wnRzNoS4oqaYQ4J1DIj7fUL1y/nXESquR0N7KQ+ebhvuJnM=,iv:Q6o45LZStS3k8iO7s2P6u7OrKFu5alplshZuGgeRKmk=,tag:NcLJrI9AK4eDroODX15lcA==,type:str]
 local_private_env: ENC[AES256_GCM,data:qOPXTS2uo/1jyVEKCtBvuK/dzZaPf1K5tHuSVF2hBg4fdPYIsDPkM108cGVxJviebB3xVZejn/JVOdUDXQj6,iv:TtyMTOJXaPUrbSaAdtMaGPBlwLl/Y/IBYVCzhhiZozY=,tag:hUyVL8xk3w1iMwNAZw5QUw==,type:str]
+mealie: ENC[AES256_GCM,data:HuO2c5na5r271x98GLqYBP/ME+phH58e2scelEH7F3R+2liLRGK9xCA0ciHLJCo8,iv:bo6hTIsWfnWueRCiLcpxYoiol8oGOoPTHDgPQ7FnYqM=,tag:rHRfIv4vnIjO/eotxYmI/Q==,type:str]
 nextcloud_admin_pass: ENC[AES256_GCM,data:KztB3Tkqlt73PEO41lthGYElrbwVdfqQgT6f,iv:kRwXqGJO4AUOMq+uYzndGhscaJiyvG4ANKabHHd78YM=,tag:dP3PgKafDTv8x7huKJGDqA==,type:str]
 psitransfer_dot_env: ENC[AES256_GCM,data:bhvU0AOCjecZ62BtLw4H1DdkLeatI+uUl6L7UkdDRkBF3sayO45Z1eR4q60tflXucyTGhT8WgKFz53I+C2dn265wzojIRc3Xr4TBLyWpfJ7/dct40SckgUiRvOnrefiriWQ=,iv:DGMhDkzgeupzzTJnCdVWDPUSo2wxI3MAypKQwVfHExE=,tag:KbteGqrkqgj2XB1lvlk/yQ==,type:str]
 tandoor_db_pass: ENC[AES256_GCM,data:X0unx5jquLsUXadbF6xLjjeGY+f8Ec4kdc15JQ==,iv:XptlJHfAkF+3jbgJTqxhVReYjuVVdk3NzfPepP78DRI=,tag:3RG5P9QGCJ/fjdxWpY1xWA==,type:str]
@ -20,8 +21,8 @@ sops:
            bHZlNTZDV2NYU1hQQy9mem80SFF6TFkKfmjkJBfTdh0vTtGaVx1t3tHJvSsAwdYD
            PF025X9U+yG2oIopwXEVBkxcD70eyuJn3OqH0xoVLBkbhNM9i8LHrA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-04T21:34:21Z"
-    mac: ENC[AES256_GCM,data:gL7TbCjZNu3yF8oyEcFr367XymzSYRvltGJPG5jK/nbztKFV72Fl2gpdprch+P67dDxDFoJL1NvDDmHt6yM0WfdDPJS/ivMlgi9Sg5ZG2S5OyBBUxDbkp/6BXwJQ9eY72ee3SmufE+cTjUNF0ANxueznHpFhXLp/1Fj9TixgHM4=,iv:s2cE9lrjNvuYT96WXOJZaAomt3VWIzHFQqPncZyydhk=,tag:MGI4OmNfEDSB8jE7wxDamQ==,type:str]
+    lastmodified: "2024-07-14T20:03:31Z"
+    mac: ENC[AES256_GCM,data:HBQLqcgvYQMgI9gsaWHeO/aaU1BAB94S/Amo2eNiFwbF4Fv75Leb+7tA/Us4WrsVpjAPCNL8rz6bB8eqqhB3z6WRZPsBaTSNcw0zD+CMevviMrTvXI2LDrQKbuKBXbUQrr++Yfwasw47XstdpeqlBsr7vwqTXN9uBiGAEN6pMyw=,iv:StSyeRw528BlMGVxDHFqth7DSWp2p2PGJv8/Ud8rKVc=,tag:TIPiIkmwzi3GpqWnSfI40A==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/modules/system/common/secrets.yaml
+++ b/modules/system/common/secrets.yaml
@ -90,8 +90,8 @@ sops:
            N2VYRDNrUk5wd3JQRVZabUhlRTF2UHMKCjCaXJ394MfsOKSWCuRVa8EA2pcLu1TU
            VaXATezktIU+ZrXOrpwRc9u9uac9V3PmxykpzjEvyo2BQ7Ji0wOeEw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-15T21:02:47Z"
-    mac: ENC[AES256_GCM,data:vZie4+27bytMtLHLO3cR5X6XsvVjoLWXbZ9gSyeJAg//TYDdojfCKtLatBb22oVyjjeoFKKqcHwVPv888Kpc8SwFIY7C0YxgmFbHXZMkUk4EWsolGPJ4V3p2GdWSRJkn/B9fM0TjvWiHASvtDNUNw03Rs6PT8fP0YTSzomKGR+U=,iv:5UY3+wj8h/uW/l3gkBPub+bWWt2kKabH5jErjmNp4sM=,tag:2DrAzNOS+dd3bNCs42PPbw==,type:str]
+    lastmodified: "2024-09-11T17:22:16Z"
+    mac: ENC[AES256_GCM,data:WbuN9UpP0OP69ta29VW2LlCFfyTWI3v8IiwUu3tLOxtY3gjdJLZTpaG2hBR985qjLYL3MT7eR7eWp4p99DAKupVBvA6tJl8/+N9+0W/dapcec+qv7u9wRHcFjP9wtggq66vUdGqH8IIHYuGlIhAvCbDouoXuLoFIcB2i2lYNB4Q=,iv:u+KsBgHxLgwSgFLYtY0F6HjCUbSCvNAatIIwrCGGyJg=,tag:bHO4vovTLPVK2vsQvliwzQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1