From 4f063d66e0892e4ba59bb6629f8ece64e8f56f35 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 9 Oct 2025 03:08:30 -0500 Subject: [PATCH] feat: added firefly-iii --- modules/nixos/services/firefly/default.nix | 41 +++++++++++++++++++++- secrets/secrets.yaml | 5 +-- 2 files changed, 43 insertions(+), 3 deletions(-) mode change 100644 => 100755 modules/nixos/services/firefly/default.nix diff --git a/modules/nixos/services/firefly/default.nix b/modules/nixos/services/firefly/default.nix old mode 100644 new mode 100755 index 881955b..b15ec2a --- a/modules/nixos/services/firefly/default.nix +++ b/modules/nixos/services/firefly/default.nix @@ -1,6 +1,7 @@ -{ flake, ... }: +{ flake, config, ... }: let inherit (flake.config.services.instances) firefly; + inherit (flake.config.machines.devices) ceres; service = firefly; in { @@ -10,12 +11,50 @@ in dataDir = service.paths.path0; settings = { DB_CONNECTION = "pgsql"; + APP_KEY_FILE = config.sops.secrets."${service.name}-pass".path; }; }; firefly-iii-data-importer = { enable = true; }; }; + sops = + let + sopsPath = secret: { + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; + mode = "600"; + }; + in + { + secrets = builtins.listToAttrs ( + map + (secret: { + name = "${service.name}/${secret}"; + value = sopsPath secret; + }) + [ + "pass" + ] + ); + }; + + fileSystems."/var/lib/${service.name}" = { + device = service.paths.path0; + fsType = "none"; + options = [ + "bind" + ]; + depends = [ + ceres.storage0.mount + ]; + }; + + systemd.tmpfiles.rules = [ + "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" + ]; + networking = { firewall.allowedTCPPorts = [ 8080 diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index f2eaa08..c1e3b9f 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
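Review bot: The secret is declared under a different name than the one `APP_KEY_FILE` reads: the `listToAttrs` call builds `"${service.name}/${secret}"`, while the setting looks up `config.sops.secrets."${service.name}-pass"` and secrets.yaml adds the key `firefly-pass`. Unless another module declares the dashed name, that lookup will not resolve; `name = "${service.name}-${secret}";` would line the three up. Separately, both `Z` tmpfiles rules apply mode 755 recursively, so the Firefly data directory and the directory the key file is placed in end up readable by every local user. Something like `"Z ${service.sops.path0} 700 ${service.name} ${service.name} -"`, with a `~0750`-style mode for `service.paths.path0`, would keep them private to the service account. The enclosing module attrset begins and ends outside the hunk.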
@@ -50,6 +50,7 @@ caddy: prompter-auth: ENC[AES256_GCM,data:uEj6gruCfcIRoCQY9eNcOka+PAIIhAlKnI+ehZ88aZo90tINcxZ7ZvKqlTJr4rt5o+EO7rvRJcYH/s8/+piszFyxSa64Rtq5KdAjfHnRm0QM8q/2JIHnZsQC3fPz1S177WPs/c3Eydh4VeVe,iv:ZOru4ABFgIy9DoTlMl3InSf8zM1ERNpbRNLN6vy97Jc=,tag:5v3w7kvFQCEPBjchE8K0cw==,type:str] comfyui-auth: ENC[AES256_GCM,data:YkHxbW/0zTmnrggXKl2jNO4OnBaepmCwB3ZC6d8MPIKf8snWJzAvTq5+X5ABzziwKaypHRTcS6vuNntxKrrD8DS7hX9DqVCZc5WeFHI6S5VzHh3SprW2MF4E8nm4Hj+VHoKGmRSSOU1cfX3J,iv:v0Pid0BCY2QsMNaahBvJd4WWZD115JDLHlOCQvPiaGU=,tag:gpsAgt052NoOyIa9WqJXyg==,type:str] wifi-home: ENC[AES256_GCM,data:5NYSCUyalDf7gZF7WaRQJCo=,iv:RkVZKsmVEBg5M28DSkBD41673iLM+dqDAAhSwjqejck=,tag:QQ17VSWOnU0bGglZq6455Q==,type:str] +firefly-pass: ENC[AES256_GCM,data:/VOknfdSYC5Jb3l3rAgzaPbz7/onuKQFMXqLgnHlsFV34kIVui49WCujPcs=,iv:BMGcCo+kVJNU5LnEs9J36W0KmVQG3SXnuBVRsnXAhtM=,tag:ksz8d7aAM297a1270FiF3A==,type:str] sops: age: - recipient: age19dpncsdphdt2tmknjs99eghk527pvdrw0m29qjn2z2gg3et5tdtqycqhl0 @@ -61,7 +62,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-05T04:29:56Z" - mac: ENC[AES256_GCM,data:NgScQQg5pblqPBr/SVAQUvdrg08hfDjKzbW2BYK6fMHZMdNbWv9NznSEmSha8Ewp3/NCTA/WKgaIrzXurcQGInalvNdx5VUPS8qxSInaMye7Zjzcz73eiMHHTScRjwFk733FXhG2wKNbUnYIHaiuZsz3vGhOgYIJum6Hr2MgjsY=,iv:eBBI93GLO6p18QcwrTSet5+gbZUTTH897cvFuAdDFXE=,tag:vdFSLR6ormJK8QV0xg+E6Q==,type:str] + lastmodified: "2025-10-09T08:05:45Z" + mac: ENC[AES256_GCM,data:NI8LDAk3WfECb9Fa3K7+XkI6gvn6pG9SooaGlsECN86gNvQtmcAEMzUDQXuifBUA/EtT9MJTqWKtUjayoset8hTWIUFyfT6sl4YrICnia9GqvzJqsuN6zw6AgDKD/1pJALdZEZAqgoKtUQi3Vax9ICaLKCUeMdX6w3KcbqJOPW8=,iv:KKtblTvTfi6iA2KHRqBHyEhYfTmd1cVkp+LL/f/AbhE=,tag:FgOLIdFvLjJQLxdMS2xZwg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0