From 2fdadf15f00894515b5d0d1ca6a5c71b420404c4 Mon Sep 17 00:00:00 2001 
From: Nick Date: Sun, 7 Dec 2025 01:38:13 -0600 Subject: [PATCH] test: setting up nas structure --- .../nas/microvms/firefly-iii/default.nix | 3 - modules/nixos/nas/microvms/glance/default.nix | 3 - .../nixos/nas/microvms/paperless/default.nix | 3 - .../nixos/nas/microvms/photoprism/default.nix | 3 - .../nixos/nas/microvms/syncthing/default.nix | 3 - .../nas/microvms/vaultwarden/default.nix | 3 - .../nixos/nas/{ => onlyoffice}/default.nix | 0 .../nixos/nas/opencloud/config/default.nix | 187 ++++++++++++++++ modules/nixos/nas/opencloud/default.nix | 34 +++ .../nixos/nas/photoprism/config/default.nix | 157 +++++++++++++ modules/nixos/nas/photoprism/default.nix | 31 +++ modules/nixos/nas/shared/frigate/default.nix | 3 - .../nas/shared/homeAssistant/default.nix | 3 - .../nixos/nas/syncthing/config/default.nix | 206 ++++++++++++++++++ modules/nixos/nas/syncthing/default.nix | 38 ++++ modules/nixos/services/syncthing/default.nix | 67 ------ secrets/secrets.yaml | 12 +- 17 files changed, 662 insertions(+), 94 deletions(-) delete mode 100644 modules/nixos/nas/microvms/firefly-iii/default.nix delete mode 100644 modules/nixos/nas/microvms/glance/default.nix delete mode 100644 modules/nixos/nas/microvms/paperless/default.nix delete mode 100644 modules/nixos/nas/microvms/photoprism/default.nix delete mode 100644 modules/nixos/nas/microvms/syncthing/default.nix delete mode 100644 modules/nixos/nas/microvms/vaultwarden/default.nix rename modules/nixos/nas/{ => onlyoffice}/default.nix (100%) create mode 100644 modules/nixos/nas/opencloud/config/default.nix create mode 100644 modules/nixos/nas/opencloud/default.nix create mode 100644 modules/nixos/nas/photoprism/config/default.nix create mode 100644 modules/nixos/nas/photoprism/default.nix delete mode 100644 modules/nixos/nas/shared/frigate/default.nix delete mode 100644 modules/nixos/nas/shared/homeAssistant/default.nix create mode 100644 modules/nixos/nas/syncthing/config/default.nix create mode 100755 
modules/nixos/nas/syncthing/default.nix delete mode 100755 modules/nixos/services/syncthing/default.nix diff --git a/modules/nixos/nas/microvms/firefly-iii/default.nix b/modules/nixos/nas/microvms/firefly-iii/default.nix deleted file mode 100644 index 0db3279..0000000 --- a/modules/nixos/nas/microvms/firefly-iii/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - -} diff --git a/modules/nixos/nas/microvms/glance/default.nix b/modules/nixos/nas/microvms/glance/default.nix deleted file mode 100644 index 0db3279..0000000 --- a/modules/nixos/nas/microvms/glance/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - -} diff --git a/modules/nixos/nas/microvms/paperless/default.nix b/modules/nixos/nas/microvms/paperless/default.nix deleted file mode 100644 index 0db3279..0000000 --- a/modules/nixos/nas/microvms/paperless/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - -} diff --git a/modules/nixos/nas/microvms/photoprism/default.nix b/modules/nixos/nas/microvms/photoprism/default.nix deleted file mode 100644 index 0db3279..0000000 --- a/modules/nixos/nas/microvms/photoprism/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - -} diff --git a/modules/nixos/nas/microvms/syncthing/default.nix b/modules/nixos/nas/microvms/syncthing/default.nix deleted file mode 100644 index 0db3279..0000000 --- a/modules/nixos/nas/microvms/syncthing/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - -} diff --git a/modules/nixos/nas/microvms/vaultwarden/default.nix b/modules/nixos/nas/microvms/vaultwarden/default.nix deleted file mode 100644 index 0db3279..0000000 --- a/modules/nixos/nas/microvms/vaultwarden/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - -} diff --git a/modules/nixos/nas/default.nix b/modules/nixos/nas/onlyoffice/default.nix similarity index 100% rename from modules/nixos/nas/default.nix rename to modules/nixos/nas/onlyoffice/default.nix diff --git a/modules/nixos/nas/opencloud/config/default.nix b/modules/nixos/nas/opencloud/config/default.nix new file mode 100644 index 0000000..9e7fbcf 
--- /dev/null
+++ b/modules/nixos/nas/opencloud/config/default.nix
@@ -0,0 +1,187 @@ +{ + flake, + pkgs, + ... +}: +let + inherit (flake.config.people) user0; + serviceCfg = { + name = "opencloud"; + }; +in +{ + opencloudVM = + { + user, + ip, + mac, + userMac, + ssh, + host, + }: + { + microvm.vms = { + "${serviceCfg.name}-${user}" = { + autostart = true; + restartIfChanged = true; + config = { + system.stateVersion = "24.05"; + time.timeZone = "America/Winnipeg"; + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + services = { + opencloud = { + enable = true; + url = "https://${host}"; + port = 9200; + address = "0.0.0.0"; + stateDir = "/var/lib/${serviceCfg.name}"; + environmentFile = "/run/secrets/${user}-env"; + }; + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + }; + networking.firewall.allowedTCPPorts = [ + 22 + 587 + 9200 + ]; + systemd = { + services = { + systemd-networkd.wantedBy = [ "multi-user.target" ]; + opencloud = { + path = [ pkgs.inotify-tools ]; + }; + opencloud-fix-permissions = { + description = "Fix OpenCloud storage permissions"; + after = [ "opencloud.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = pkgs.writeShellScript "fix-perms" '' + echo "Starting permission fix..." + OPENCLOUD_UID=$(id -u opencloud) + echo "OpenCloud UID: $OPENCLOUD_UID" + find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do + echo "Fixing file: $file" + chown opencloud:opencloud "$file" 2>/dev/null || true + done + find /var/lib/opencloud/storage/users -type d ! 
-uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do + echo "Fixing dir: $dir" + chown opencloud:opencloud "$dir" 2>/dev/null || true + done + echo "Permission fix complete" + ''; + User = "root"; + }; + }; + }; + timers.opencloud-fix-permissions = { + description = "Periodically fix OpenCloud storage permissions"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "30s"; + OnUnitActiveSec = "2min"; + Unit = "opencloud-fix-permissions.service"; + }; + }; + network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s6"; + addresses = [ + { Address = "${ip}/24"; } + ]; + routes = [ + { + Destination = "0.0.0.0/0"; + Gateway = "192.168.50.1"; + } + ]; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; + tmpfiles.rules = [ + "d /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" + + ]; + }; + microvm = { + vcpu = 1; + mem = 512; + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = "vm-oc-${user}"; + mac = mac; + } + { + type = "user"; + id = "vmuser-cloud"; + mac = userMac; + } + ]; + forwardPorts = [ + { + from = "host"; + host.port = ssh; + guest.port = 22; + } + ]; + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}/data"; + tag = "${serviceCfg.name}_${user}_data"; + } + { + mountPoint = "/etc/${serviceCfg.name}"; + proto = "virtiofs"; + source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}/config"; + tag = "${serviceCfg.name}_${user}_config"; + } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets/${serviceCfg.name}"; + tag = "host_secrets"; + } + ]; + }; + environment.systemPackages = builtins.attrValues { + inherit (pkgs) + inotify-tools + opencloud + ; + }; + }; + }; + }; + 
systemd.tmpfiles.rules = [ + "d /mnt/storage/users/${user}/guests/${serviceCfg.name} 0751 microvm wheel - -" + "d /mnt/storage/users/${user}/guests/${serviceCfg.name}/config 0751 microvm wheel - -" + "d /mnt/storage/users/${user}/guests/${serviceCfg.name}/data 0751 microvm wheel - -" + ]; + sops.secrets = { + "${serviceCfg.name}/${user}-env" = { + owner = "root"; + mode = "0600"; + }; + }; + }; +} diff --git a/modules/nixos/nas/opencloud/default.nix b/modules/nixos/nas/opencloud/default.nix new file mode 100644 index 0000000..51c757d --- /dev/null +++ b/modules/nixos/nas/opencloud/default.nix @@ -0,0 +1,34 @@ +{ flake, ... }: +let + inherit (import ./config) opencloudVM; + inherit (flake.config.people) user0; + + opencloudNick = opencloudVM { + user = user0; + ip = "192.168.50.67"; + mac = "02:00:00:00:57:67"; + userMac = "02:00:00:00:00:67"; + ssh = 2507; + host = ""; + }; + + opencloudStacie = opencloudVM { + user = "stacie"; + ip = "192.168.50.68"; + mac = "02:00:00:00:58:68"; + userMac = "02:00:00:00:00:68"; + ssh = 2508; + host = ""; + }; + + opencloudGarnet = opencloudVM { + user = "garnet"; + ip = "192.168.50.69"; + mac = "02:00:00:00:59:69"; + userMac = "02:00:00:00:00:69"; + ssh = 2509; + host = ""; + }; + +in +opencloudNick // opencloudStacie // opencloudGarnet diff --git a/modules/nixos/nas/photoprism/config/default.nix b/modules/nixos/nas/photoprism/config/default.nix new file mode 100644 index 0000000..63fcefb --- /dev/null +++ b/modules/nixos/nas/photoprism/config/default.nix 
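Review bot: The `/run/secrets` entry at the end of `microvm.shares` uses `source = "/run/secrets/${serviceCfg.name}"`, which mounts the host's entire `opencloud` secrets directory into every per-user guest, so one user's VM can read the other users' `*-env` files; the photoprism and syncthing config hunks mount their `-pass` secrets the same way. Scoping the secret by user keeps each guest to its own file: declare `"${serviceCfg.name}/${user}/env"` in `sops.secrets`, share `source = "/run/secrets/${serviceCfg.name}/${user}";`, and point the service at `environmentFile = "/run/secrets/env";`. Separately, the inbound allow for `587` in `networking.firewall.allowedTCPPorts` is not needed for the guest to send mail (this list only governs listening ports) and looks like it should be dropped unless something in the VM actually listens there. The fix-permissions script would also be more robust as `find ... -exec chown opencloud:opencloud {} +`, since the `| while read -r` form breaks on file names containing newlines.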
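Review bot: All three `opencloudVM` calls pass `host = ""`, which the config hunk turns into `url = "https://"` for `services.opencloud`, so every instance is built with an invalid public URL; if these are placeholders, a comment such as `# TODO: set host to the per-user FQDN before enabling` on each call makes that explicit, or `syncthingVM`-style callers could be guarded with `assert host != "";` inside the function. Note too that the secret attribute derived in the config hunk is `opencloud/${user}-env`, which for `user = user0` only matches the `nick-env` entry added to `secrets/secrets.yaml` if `user0` evaluates to `"nick"` — worth confirming, since sops-nix is likely to fail activation when the key is missing.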
@@ -0,0 +1,157 @@ +{ + config, + flake, + ... +}: +let + inherit (flake.config.people) user0; + serviceCfg = { + name = "photoprism"; + }; +in +{ + photoprismVM = + { + user, + ip, + mac, + userMac, + ssh, + }: + { + microvm.vms = { + "${serviceCfg.name}-${user}" = { + autostart = true; + restartIfChanged = true; + config = { + system.stateVersion = "24.05"; + time.timeZone = "America/Winnipeg"; + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + services = { + ${serviceCfg.name} = { + enable = true; + settings = { + PHOTOPRISM_ADMIN_USER = user; + PHOTOPRISM_DEFAULT_LOCAL = "en"; + }; + passwordFile = "/run/secrets/${user}-pass"; + originalsPath = "/var/lib/${serviceCfg.name}-media"; + importPath = "photos"; + }; + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 22 + 2342 + ]; + + systemd = { + services = { + systemd-networkd.wantedBy = [ + "multi-user.target" + ]; + }; + network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s5"; + addresses = [ + { Address = "${ip}/24"; } + ]; + routes = [ + { + Destination = "0.0.0.0/0"; + Gateway = "192.168.50.1"; + } + ]; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; + + tmpfiles.rules = [ + "Z /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "d /var/lib/${serviceCfg.name}-media 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "d /var/lib/${serviceCfg.name}-media/photos 0755 ${serviceCfg.name} ${serviceCfg.name} -" + + ]; + }; + + microvm = { + vcpu = 1; + mem = 512; + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = "vm-pp-${user}"; + mac = mac; + } + { + type = "user"; + id = "vmuser-photo"; + mac = userMac; + } + ]; + + forwardPorts = [ + { + from = "host"; + host.port = ssh; + guest.port = 22; + } + ]; + + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + 
source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}"; + tag = "${serviceCfg.name}_${user}_data"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}-media"; + proto = "virtiofs"; + source = "/mnt/storage/users/${user}/home/media"; + tag = "${serviceCfg.name}_${user}_media"; + } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets/${serviceCfg.name}"; + tag = "host_secrets"; + } + ]; + }; + }; + }; + }; + + systemd.tmpfiles.rules = [ + "d /mnt/storage/users/${user}/guests/${serviceCfg.name} 0751 microvm wheel - -" + "d /mnt/storage/users/${user}/home/media/photos 0751 microvm wheel - -" + ]; + + sops.secrets = { + "${serviceCfg.name}/${user}-pass" = { + owner = "root"; + mode = "0600"; + }; + }; + }; +} diff --git a/modules/nixos/nas/photoprism/default.nix b/modules/nixos/nas/photoprism/default.nix new file mode 100644 index 0000000..10fe3c2 --- /dev/null +++ b/modules/nixos/nas/photoprism/default.nix @@ -0,0 +1,31 @@ +{ flake, ... }: +let + inherit (import ./config) photoprismVM; + inherit (flake.config.people) user0; + + photoprismNick = photoprismVM { + user = user0; + ip = "192.168.50.64"; + mac = "02:00:00:00:54:64"; + userMac = "02:00:00:00:00:64"; + ssh = 2504; + }; + + photoprismStacie = photoprismVM { + user = "stacie"; + ip = "192.168.50.65"; + mac = "02:00:00:00:55:65"; + userMac = "02:00:00:00:00:65"; + ssh = 2505; + }; + + photoprismGarnet = photoprismVM { + user = "garnet"; + ip = "192.168.50.66"; + mac = "02:00:00:00:56:66"; + userMac = "02:00:00:00:00:66"; + ssh = 2506; + }; + +in +photoprismNick // photoprismStacie // photoprismGarnet diff --git a/modules/nixos/nas/shared/frigate/default.nix b/modules/nixos/nas/shared/frigate/default.nix deleted file mode 100644 index 0db3279..0000000 --- a/modules/nixos/nas/shared/frigate/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - -} 
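Review bot: `PHOTOPRISM_DEFAULT_LOCAL = "en"` in `services.photoprism.settings` looks like a typo for `PHOTOPRISM_DEFAULT_LOCALE`, in which case PhotoPrism silently ignores it rather than applying the locale; worth checking against the upstream option name. The `config` argument in the module's function header is never used in the hunk and can be dropped from the pattern. A short comment on `passwordFile` stating that it is the admin password for the `PHOTOPRISM_ADMIN_USER` account, read from the sops secret declared at the bottom of the file, would also help the next reader connect the two ends of this module.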
diff --git a/modules/nixos/nas/shared/homeAssistant/default.nix b/modules/nixos/nas/shared/homeAssistant/default.nix deleted file mode 100644 index 0db3279..0000000 --- a/modules/nixos/nas/shared/homeAssistant/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - -} diff --git a/modules/nixos/nas/syncthing/config/default.nix b/modules/nixos/nas/syncthing/config/default.nix new file mode 100644 index 0000000..ace2ac2 --- /dev/null +++ b/modules/nixos/nas/syncthing/config/default.nix 
@@ -0,0 +1,206 @@ +{ + flake, + ... +}: +let + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + serviceCfg = instances.syncthing; +in +{ + syncthingVM = + { + user, + ip, + mac, + userMac, + ssh, + syncID, + deviceIP, + }: + { + microvm.vms = { + "${serviceCfg.name}-${user}" = { + autostart = true; + restartIfChanged = true; + config = { + system.stateVersion = "24.05"; + time.timeZone = "America/Winnipeg"; + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + services = { + syncthing = { + enable = true; + overrideDevices = false; + overrideFolders = false; + openDefaultPorts = true; + systemService = true; + guiAddress = "0.0.0.0:${toString serviceCfg.ports.port0}"; + settings = { + folders = { + docs = { + enable = true; + id = "docs"; + path = "/var/lib/${serviceCfg.name}/docs"; + devices = [ + "${user}Phone" + ]; + }; + media = { + enable = true; + id = "media"; + path = "/var/lib/${serviceCfg.name}/media"; + devices = [ + "${user}Phone" + ]; + }; + misc = { + enable = true; + id = "misc"; + path = "/var/lib/${serviceCfg.name}/misc"; + devices = [ + "${user}Phone" + ]; + }; + }; + devices = { + "${user}Phone" = { + autoAcceptFolders = true; + name = "${user}Phone"; + addresses = [ + "tcp://${deviceIP}:${toString serviceCfg.ports.port2}" + ]; + id = syncID; + }; + }; + }; + }; + + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 22 + serviceCfg.ports.port0 + serviceCfg.ports.port1 + serviceCfg.ports.port2 + ]; + + systemd = { + services = { + systemd-networkd.wantedBy = [ + "multi-user.target" + ]; + }; + network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s5"; + addresses = [ + { Address = "${ip}/24"; } + ]; + routes = [ + { + Destination = "0.0.0.0/0"; + Gateway = "192.168.50.1"; + } + ]; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + 
}; + }; + + tmpfiles.rules = [ + "d /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "d /var/lib/${serviceCfg.name}/docs 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "d /var/lib/${serviceCfg.name}/media 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "d /var/lib/${serviceCfg.name}/misc 0755 ${serviceCfg.name} ${serviceCfg.name} -" + ]; + + }; + + microvm = { + vcpu = 1; + mem = 512; + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = "vm-st-${user}"; + mac = mac; + } + { + type = "user"; + id = "vm-sync"; + mac = userMac; + } + ]; + forwardPorts = [ + { + from = "host"; + host.port = ssh; + guest.port = 22; + } + ]; + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}"; + tag = "${serviceCfg.name}_${user}_data"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}/docs"; + proto = "virtiofs"; + source = "/mnt/storage/users/${user}/home/docs"; + tag = "${serviceCfg.name}_${user}_docs"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}/media"; + proto = "virtiofs"; + source = "/mnt/storage/users/${user}/home/media"; + tag = "${serviceCfg.name}_${user}_media"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}/misc"; + proto = "virtiofs"; + source = "/mnt/storage/users/${user}/home/misc"; + tag = "${serviceCfg.name}_${user}_misc"; + } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets/${serviceCfg.name}"; + tag = "host_secrets"; + } + ]; + }; + }; + }; + }; + + systemd.tmpfiles.rules = [ + "d /mnt/storage/users/${user}/guests/${serviceCfg.name} 0751 microvm wheel - -" + ]; + + sops.secrets = { + "${serviceCfg.name}/${user}-pass" = { + owner = "root"; + mode = "0600"; + }; + }; + }; +} 
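Review bot: `guiAddress = "0.0.0.0:${toString serviceCfg.ports.port0}"` combined with `serviceCfg.ports.port0` in `networking.firewall.allowedTCPPorts` exposes the Syncthing web GUI and REST API to the whole LAN, and nothing in the hunk sets `settings.gui.user` / `settings.gui.password`, so any LAN host could add devices or folders; the deleted `services/syncthing` module bound the GUI to `localhost`. The SSH forward on `host.port = ssh` already provides a path in, so binding to `127.0.0.1:${toString serviceCfg.ports.port0}` and removing `serviceCfg.ports.port0` from the firewall list is the smallest fix; otherwise set GUI credentials. Related, the `${serviceCfg.name}/${user}-pass` secret declared at the bottom of the hunk is mounted into the guest but never referenced by the VM config, so either document what is meant to consume it or drop the declaration. `autoAcceptFolders = true` on the phone device also means any folder the phone offers is created under the data directory without review — acceptable if intended, but a one-line comment saying so would avoid a later reader treating it as an oversight.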
diff --git a/modules/nixos/nas/syncthing/default.nix b/modules/nixos/nas/syncthing/default.nix new file mode 100755 index 0000000..79375c2 --- /dev/null +++ b/modules/nixos/nas/syncthing/default.nix @@ -0,0 +1,38 @@ +{ flake, ... }: +let + inherit (import ./config) syncthingVM; + inherit (flake.config.people) user0; + + syncthingNick = syncthingVM { + user = user0; + ip = "192.168.50.61"; + mac = "02:00:00:00:51:61"; + userMac = "02:00:00:00:00:61"; + ssh = 2501; + syncID = "RMDKNJY-BTX6FYF-G6SR332-WS6HARI-PF74SC6-VPBSGRQ-MKVQZEQ-KSIB6QV"; + deviceIP = "192.168.50.8"; + }; + + syncthingStacie = syncthingVM { + user = "stacie"; + ip = "192.168.50.62"; + mac = "02:00:00:00:52:62"; + userMac = "02:00:00:00:00:62"; + ssh = 2502; + syncID = ""; + deviceIP = ""; + }; + + syncthingGarnet = syncthingVM { + user = "garnet"; + ip = "192.168.50.63"; + mac = "02:00:00:00:53:63"; + userMac = "02:00:00:00:00:63"; + ssh = 2503; + syncID = ""; + deviceIP = ""; + }; + +in +syncthingNick +# // syncthingStacie // syncthingGarnet diff --git a/modules/nixos/services/syncthing/default.nix b/modules/nixos/services/syncthing/default.nix deleted file mode 100755 index c468eb0..0000000 --- a/modules/nixos/services/syncthing/default.nix +++ /dev/null 
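Review bot: `syncthingStacie` and `syncthingGarnet` are declared with `syncID = ""` and `deviceIP = ""` and then left out of the result by the trailing `# // syncthingStacie // syncthingGarnet`; if re-enabled as they stand, the config hunk would register a device with an empty ID and the address `tcp://:port`, which Syncthing is likely to reject. A comment on each, e.g. `# placeholder: fill in syncID/deviceIP before enabling`, or an `assert syncID != "";` inside `syncthingVM`, would keep that from slipping through once the merge line is uncommented.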
@@ -1,67 +0,0 @@ -{ flake, config, ... }: -let - inherit (flake.config.machines.devices) - phone - mars - ceres - ; - inherit (flake.config.services) - instances - ; - service = instances.syncthing; - - hostname = config.networking.hostName; - localhost = instances.web.localhost.address1; - postgres = instances.postgresql; - forgejo = instances.forgejo; - vaultwarden = instances.vaultwarden; - backupPath = "${service.paths.path1}"; - - syncDevices = { - phoneSync = { - ${phone.name} = { - autoAcceptFolders = true; - name = phone.name; - addresses = [ - "tcp://${phone.ip.address0}:${toString service.ports.port2}" - ]; - id = phone.sync.address0; - }; - }; - }; -in -{ - services = { - syncthing = { - enable = true; - overrideDevices = false; - overrideFolders = false; - openDefaultPorts = true; - systemService = true; - guiAddress = "${localhost}:${toString service.ports.port0}"; - settings = { - devices = if hostname == mars.name then syncDevices.phoneSync else { }; - }; - }; - }; - - systemd.tmpfiles.rules = [ - # Main syncthing directory - use Z to fix existing permissions - "z ${service.paths.path0} 0755 ${service.name} ${service.name} -" - # Backup directories - "d ${backupPath} 0755 ${service.name} ${service.name} -" - "d ${backupPath}/${postgres.name} 0750 ${postgres.name} ${service.name} -" - "d ${backupPath}/${forgejo.name} 0750 ${forgejo.name} ${service.name} -" - "d ${backupPath}/${vaultwarden.name} 0750 ${vaultwarden.name} ${service.name} -" - ]; - - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 - service.ports.port1 - service.ports.port2 - ]; - }; - }; -} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 7b42473..af1d5af 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
@@ -47,7 +47,9 @@ wireguard: glance: jellyfin: ENC[AES256_GCM,data:Ddpv23kdMGTWvlemn7o5M2ARQ+NuzUfgO9eLuMnRh/kt,iv:RiMRQPoyHtQqqc3wx48g1+Ip3meuCKSOniLZq2iJ3i4=,tag:B2sZT8R4ZnLIKiUMaU3L+w==,type:str] opencloud: - env: ENC[AES256_GCM,data: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,iv:xGkn4l8LxBZeAyLvOIgEMoxP91yzCvnGTHH7BfqW4ys=,tag:w7IlZdW5/BIAv9dbfqNfQg==,type:str] + nick-env: ENC[AES256_GCM,data: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,iv:MrYZkzv5Y8xzzkHiRL4oRHPZ0fr+16iRQhyEcrBLKTY=,tag:SbagQ7zR+C8heOqwsmrbUA==,type:str] + stacie-env: ENC[AES256_GCM,data:un2iedgo0Uy1MFMDefeM8qgsJV9PgYJH+n6iKtokp9uPzd30wFmfbRHar1wjqjG2QLZ60RYzWfeQwgs+XVVh7Jwqflyo60hpOrY71jn5C3QvAlMxD4bGW9tCiiq2+bMPBbPlxfTrpnvjGXxFD2g0Do71IFsfTNiMWa9ebSDooRUYOLpumPWz2OXFsPfJdr8KaH7hrCEWOXfXE4HUFdluyQoWPT/YqxCJmb8=,iv:26EoscOH/ZuiI3nEr+JlwHLVp2OqKA7yG1jFbdtQfOE=,tag:zYC1sW1C3muLQ/P4XQDIdA==,type:str] + garnet-env: ENC[AES256_GCM,data:Vnf3KU6jzSKtvel1rEi5MqC/hyBJ7OS95sVIlchm82dVFyNSaQcmd1qeCNjNktxwvX5PboLVXpvpV5pQFp0LJiMMVV+b27CDdEDNIPpf1QcHgcmMOMcaVijavywXe2t+Q4q1n8qw/NsC8qdvmVe3pHK3IMtvA3/Rez/nHaM1tvayzdJ35DGibr+tI9MlzVAIW1Iu8Wm4MxSQlEQh/yp6ZfgRqosiTxe8NGQ=,iv:rID8YKduNcUG15WN6nwIcAKRu5MbnI0be2oVPJxVXwE=,tag:tS3C6OZ4p2EPwALbDndusA==,type:str] projectenv: ENC[AES256_GCM,data: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,iv:YQR0CDFNDgeRwm+Q8xN7SYQ4Jo3PfneciGtIOhRDJOY=,tag:OArVLjnc3ZT2EAqP9QpzQQ==,type:str] caddy: share-auth: ENC[AES256_GCM,data:3jY2B2GOdz5EPJeAyVsk4XCs5NMft3VquIBep7SxYtEZ9H7IDroq1U1Sch6YVQ7VcL85L4Ix/OVPm4jVDEA0sZiGkltbYXRXZ8CR34ifsHtHR35lgjXyj8ZhJLydw7LgmZCEztWO8GjLdvSY,iv:MT5sA32Djx81HGc36rqV2xS5KUHLAeTyZiOdSu8oqQY=,tag:V1dv4yS2RXf4Xqrl5+tEuA==,type:str] 
@@ -68,6 +70,10 @@ restic: pass: ENC[AES256_GCM,data:I5Bf7or9jNwtdK/r/DzUHw6FohzeMtWVrs5AG71geVr6,iv:WnHsFW6oJCBsm84y1rzQ6HbLG8ydPBPQQbHoXKGR7JM=,tag:HsoJxLv8FvrUNSwI0OFCbQ==,type:str] passwords: user0: ENC[AES256_GCM,data:72ABhoc8Hjdf56eHkxu82Ls1zTJwUJRkly9hqlHKhQ4INepT66LrUGRHUG1x+4FemNWvAirEXVHvPVtu+rArCrDpGP2ZIbP77f8=,iv:ukq8E7orUwFOUfoqPp9RMjZNm0MMobXcjbWLzx9z1+4=,tag:E9OTDzLkliDIlH5DrLqQVw==,type:str] +photoprism: + nick-pass: ENC[AES256_GCM,data:2anC3qkrE6Z3NwMWSi5dVQ7C5Q2ym6cYCL/yXQUPAYJ3,iv:7ZVwkhQZ5MjHeobp0ACvY29h5wXA4Cq6Bsf2jnx/ZEE=,tag:+234QVuKo7yfOh3jo8HImQ==,type:str] + stacie-pass: ENC[AES256_GCM,data:45nwjOXOI2wYPi7H2RtUVMESCxLTYQrF4600MQHoCDwm,iv:WgYqJjbIO8fzU/z19RsiUpIbWQmyT4iU4yAFIj1fcsU=,tag:jzsYNrerq6syemssOOOwTg==,type:str] + garnet-pass: ENC[AES256_GCM,data:ccb7NJxYZxXeuiHxn6ntssTmnN9AoaqoFe8pFkPLNgLm,iv:yeTPsn01pVuWp5qVaFl1dWCoMYX6koBKN5ehJgCSix4=,tag:Pd2erGL2hBQnN5JZNBPo5A==,type:str] listenbrainz-token: ENC[AES256_GCM,data:rSLVOYj4PbWII+CQa3VzK36Tns5PTr6wwE9ARlGwt7h5HAf7,iv:GXpJlchq1B/jTjvn5EWrZ3pnCZgGcDNHEYA2+yESUsc=,tag:im6e/xqQMgbKPt9ey3l2TA==,type:str] sops: age: @@ -80,7 +86,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-06T03:43:57Z" - mac: ENC[AES256_GCM,data:/fio+AmzDXP1CSytMnfeew5ZoUfeSEQTVBBL7A0mgkKsSH/aJRTDyongVobwHIhdJWlPnfSD+JmCv2QNa2wdj6cZr8Ka/lJDCUVLnHRD/Q7StyWA6J1UzNXAzniSd7ppT3rnffifmVsp/wLk2gJaF9WvNWen4dv5ITEatIow9wk=,iv:/TSk6bYPQ/+0B5U8W4MzcxPbwwjhTtXe/kdJyg/UEuI=,tag:d6RHmPZNc4jOC2ue3VDK8g==,type:str] + lastmodified: "2025-12-07T07:33:25Z" + mac: ENC[AES256_GCM,data:iVMnQYSBHlTzERNWEIFt4Zhaz2i3CR3NFRacOXqoG6mBJS9OFQvJuDS+AyBDBjft8dTNehPKJ0C/npR7n1R1yhyjyHuCgGGX9mYzMIzNoo6zNoDoGiEdVMbHyRC2fWrSHodI/PWjDHvy0rr3nXh7qIduiFvcth5w+98QjJVQ+wI=,iv:uqjvU/LA6XEuYVC8/k3rWMliFTPyFTHn2dtje3wxThA=,tag:aNQYNRgLktBA6zdnizijJg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0