From 8649008c93bcc437a296f6120fd16c714bb026f3 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 9 Dec 2025 21:01:56 -0600
Subject: [PATCH] feat: services for nas all up and running
---
 .../config/instances/config/photoprism.nix | 2 +-
 .../config/instances/config/vaultwarden.nix | 8 ++---
 .../guests/firefly-iii/config/default.nix | 3 +-
 .../guests/opencloud/config/default.nix | 2 +-
 .../guests/photoprism/config/default.nix | 33 ++++++++++++++++---
 .../guests/syncthing/config/default.nix | 14 +++++---
 .../syncthing/syncthingEris/default.nix | 1 +
 .../guests/vaultwarden/config/default.nix | 6 ++--
 secrets/secrets.yaml | 6 ++--
 9 files changed, 54 insertions(+), 21 deletions(-)
diff --git a/modules/config/instances/config/photoprism.nix b/modules/config/instances/config/photoprism.nix
index aa5d5b8..2dcd565 100644
--- a/modules/config/instances/config/photoprism.nix
+++ b/modules/config/instances/config/photoprism.nix
@@ -21,7 +21,7 @@ in
 "images" ]; ports = {
- port0 = 3030;
+ port0 = 2342;
 }; interfaces = { interface0 =
diff --git a/modules/config/instances/config/vaultwarden.nix b/modules/config/instances/config/vaultwarden.nix
index 7bf97a5..6abbb9f 100755
--- a/modules/config/instances/config/vaultwarden.nix
+++ b/modules/config/instances/config/vaultwarden.nix
@@ -37,12 +37,12 @@ in
 email = "noreply@${domain0}"; microvm = { id = "vm-${name}";
- mac = "02:00:00:00:51:01";
+ mac = "02:00:00:00:78:88";
 idUser = "vmuser-vault";
- macUser = "02:00:00:00:00:01";
- ip = "192.168.50.111";
+ macUser = "02:00:00:00:00:88";
+ ip = "192.168.50.88";
 gate = "192.168.50.1";
- ssh = 2201;
+ ssh = 2588;
 }; ssl = { path = ssl;
diff --git a/modules/nixos/homelab/guests/firefly-iii/config/default.nix b/modules/nixos/homelab/guests/firefly-iii/config/default.nix
index 269344f..e5e1e41 100755
--- a/modules/nixos/homelab/guests/firefly-iii/config/default.nix
+++ b/modules/nixos/homelab/guests/firefly-iii/config/default.nix
@@ -103,6 +103,7 @@ in
 }; networking.firewall.allowedTCPPorts = [ 22
+ 80
 smtpCfg.ports.port1 serviceCfg.ports.port0 serviceCfg.ports.port1
@@ -138,7 +139,7 @@ in
 network = { enable = true; networks."20-lan" = {
- matchConfig.Name = "enp0s*";
+ matchConfig.Name = "enp0s6";
 addresses = [ { Address = "${ip}/24"; } ];
diff --git a/modules/nixos/homelab/guests/opencloud/config/default.nix b/modules/nixos/homelab/guests/opencloud/config/default.nix
index 15ca763..221f87d 100755
--- a/modules/nixos/homelab/guests/opencloud/config/default.nix
+++ b/modules/nixos/homelab/guests/opencloud/config/default.nix
@@ -91,7 +91,7 @@ in
 network = { enable = true; networks."20-lan" = {
- matchConfig.Name = "enp0s*";
+ matchConfig.Name = "enp0s6";
 addresses = [ { Address = "${ip}/24"; } ];
diff --git a/modules/nixos/homelab/guests/photoprism/config/default.nix b/modules/nixos/homelab/guests/photoprism/config/default.nix
index 48f5a31..a2d87ca 100755
--- a/modules/nixos/homelab/guests/photoprism/config/default.nix
+++ b/modules/nixos/homelab/guests/photoprism/config/default.nix
@@ -34,11 +34,12 @@ in
 enable = true; settings = { PHOTOPRISM_SITE_URL = "https://${host}";
- PHOTOPRISM_DISABLE_TLS = "true";
 PHOTOPRISM_ADMIN_USER = user;
+ PHOTOPRISM_DISABLE_TLS = "true";
 PHOTOPRISM_DEFAULT_LOCAL = "en"; };
- passwordFile = "/run/secrets/${user}-pass";
+ passwordFile = "/etc/photoprism-secrets/${user}-pass";
+ # databasePasswordFile = "/etc/photoprism-secrets/${user}-pass";
 storagePath = "/var/lib/${serviceCfg.name}"; originalsPath = "/var/lib/${serviceCfg.name}-media"; address = "0.0.0.0";
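Review bot: Opening TCP 80 on the firefly-iii guest (`+ 80` in `allowedTCPPorts`) exposes a plaintext HTTP listener on the VM, and nothing in this hunk shows a redirect to HTTPS or what actually listens there, so this is inferred from the firewall change alone. If the reverse proxy in front only needs the service port, the extra opening is unnecessary attack surface; if it is needed (an ACME HTTP-01 challenge, or a proxy that terminates TLS elsewhere), a one-line comment would stop the next reader from closing it: `80 # plain HTTP, needed for <reason>`. The `networking.firewall.allowedTCPPorts` list this hunk edits continues outside the hunk.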
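Review bot: `passwordFile` now points at `/etc/photoprism-secrets/${user}-pass`, but nothing in this commit creates that directory — the only writer, the `fix-secrets-permissions` unit in the next hunk, is commented out — and the service's `LoadCredential` is `mkForce`d in that hunk to read `/run/secrets/${user}-pass` directly, so unless the module uses `passwordFile` for something else this option either references a missing file or is ignored. Pointing it back at the sops-managed path keeps one source of truth, `passwordFile = "/run/secrets/${user}-pass";`, and the dead `# databasePasswordFile` line should go rather than suggest the admin password doubles as the database password. Unrelated but visible in the hunk: `PHOTOPRISM_DEFAULT_LOCAL` looks like a typo for `PHOTOPRISM_DEFAULT_LOCALE` and is worth confirming against PhotoPrism's environment-variable list, since a misspelt variable is silently ignored. The `services.photoprism` set this hunk edits starts and ends outside the hunk.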
@@ -61,17 +62,41 @@ in
 networking.firewall.allowedTCPPorts = [ 22
- 2342
+ serviceCfg.ports.port0
 ]; systemd = { services = {
+ # fix-secrets-permissions = {
+ # description = "Fix secrets permissions for photoprism";
+ # wantedBy = [ "multi-user.target" ];
+ # before = [
+ # "photoprism.service"
+ # ];
+ # serviceConfig = {
+ # Type = "oneshot";
+ # RemainAfterExit = true;
+ # };
+ # script = ''
+ # mkdir -p /etc/photoprism-secrets
+ # cp /run/secrets/${user}-pass /etc/photoprism-secrets/${user}-pass
+ # chmod 755 /etc/photoprism-secrets
+ # chmod 644 /etc/photoprism-secrets/*
+ # '';
+ # };
 photoprism = { serviceConfig = { DynamicUser = lib.mkForce false; User = serviceCfg.name; Group = serviceCfg.name;
+ # Override LoadCredential to use our secrets path
+ LoadCredential = lib.mkForce [
+ "PHOTOPRISM_ADMIN_PASSWORD_FILE:/run/secrets/${user}-pass"
+ ];
 };
+ # Make sure secrets are mounted before service starts
+ after = [ "run-secrets.mount" ];
+ requires = [ "run-secrets.mount" ];
 }; systemd-networkd.wantedBy = [ "multi-user.target"
@@ -80,7 +105,7 @@ in
 network = { enable = true; networks."20-lan" = {
- matchConfig.Name = "enp0s*";
+ matchConfig.Name = "enp0s6";
 addresses = [ { Address = "${ip}/24"; } ];
diff --git a/modules/nixos/homelab/guests/syncthing/config/default.nix b/modules/nixos/homelab/guests/syncthing/config/default.nix
index 6b0cf63..4166579 100755
--- a/modules/nixos/homelab/guests/syncthing/config/default.nix
+++ b/modules/nixos/homelab/guests/syncthing/config/default.nix
@@ -11,6 +11,7 @@ in
 syncthingVM = { user,
+ pass,
 ip, mac, userMac,
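Review bot: The commented-out `fix-secrets-permissions` unit should be deleted rather than kept as a recipe: it copies the admin password out of `/run/secrets` into `/etc/photoprism-secrets` and then runs `chmod 755` / `chmod 644` on it, which would make the secret readable by every user and service in the VM, and leaving it in the file invites someone to uncomment it the next time a permission error appears. The `LoadCredential = lib.mkForce [ ... ]` override is the right mechanism, but the credential ID left of the colon must match what the service environment expects: if, as in the upstream NixOS module, the password env var is built from `%d/<credential-id>` with an ID of `PHOTOPRISM_ADMIN_PASSWORD`, then the `PHOTOPRISM_ADMIN_PASSWORD_FILE` ID used here is never read and the admin password silently stays unset — verify the ID against the module, and add a comment naming where it comes from. Since `/run/secrets/${user}-pass` is exactly the path the module's own `passwordFile` option would have used, the `mkForce` may be unnecessary once `passwordFile` points back there, which would also drop the need for the `run-secrets.mount` ordering to be hand-written. The `systemd.services` set this hunk edits continues outside the hunk.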
@@ -38,14 +39,17 @@ in
 openDefaultPorts = true; systemService = true; guiAddress = "0.0.0.0:${toString serviceCfg.ports.port0}";
- guiPasswordFile = "/run/secrets/${user}-pass";
+ # guiPasswordFile = "/run/secrets/${user}-pass";
+ settings = {
+ gui = {
+ user = user;
+ password = pass;
+ };
 folders = folders; devices = devices; options = {
- upAccepted = -1;
- user = user;
- authMode = "static";
+ urAccepted = -1;
 }; }; };
@@ -74,7 +78,7 @@ in
 network = { enable = true; networks."20-lan" = {
- matchConfig.Name = "enp0s*";
+ matchConfig.Name = "enp0s8";
 addresses = [ { Address = "${ip}/24"; } ];
diff --git a/modules/nixos/homelab/guests/syncthing/syncthingEris/default.nix b/modules/nixos/homelab/guests/syncthing/syncthingEris/default.nix
index 2a698cf..748be02 100755
--- a/modules/nixos/homelab/guests/syncthing/syncthingEris/default.nix
+++ b/modules/nixos/homelab/guests/syncthing/syncthingEris/default.nix
@@ -87,6 +87,7 @@ let
 in syncthingVM { user = user0;
+ pass = "$2y$05$WoNmQOeBPM5GhxhgkUmZqOoyBU0Y34e9N7gLZ3Xwb2J8V0j5Uoy7u";
 ip = interface0Cfg.microvm.ip; mac = interface0Cfg.microvm.mac; userMac = interface0Cfg.microvm.macUser;
diff --git a/modules/nixos/homelab/guests/vaultwarden/config/default.nix b/modules/nixos/homelab/guests/vaultwarden/config/default.nix
index fca44a1..072fa7e 100755
--- a/modules/nixos/homelab/guests/vaultwarden/config/default.nix
+++ b/modules/nixos/homelab/guests/vaultwarden/config/default.nix
@@ -59,7 +59,8 @@ in
 # Rocket (Web Server) Settings
 ROCKET_ADDRESS = "0.0.0.0";
- ROCKET_PORT = serviceCfg.ports.port0;
+ # ROCKET_PORT = serviceCfg.ports.port0;
+ ENABLE_WEBSOCKET = true;
 }; # Environment file with secrets (mounted from host)
@@ -77,6 +78,7 @@ in
 networking.firewall.allowedTCPPorts = [ 22 587
+ serviceCfg.ports.port0
 ]; systemd = { services = {
@@ -85,7 +87,7 @@ in
 network = { enable = true; networks."20-lan" = {
- matchConfig.Name = "enp0s*";
+ matchConfig.Name = "enp0s5";
 addresses = [ { Address = "${ip}/24"; } ];
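Review bot: `settings.gui.password = pass` moves the GUI credential into the Nix configuration, and everything under `settings` is rendered into the world-readable Nix store and the generated Syncthing config, whereas the now-commented `guiPasswordFile = "/run/secrets/${user}-pass"` kept it in a root-only sops-mounted file — one that this same commit still rotates in `secrets/secrets.yaml`, so the rotation is now dead. With `guiAddress = "0.0.0.0:…"` the GUI is reachable from the whole segment, so this credential is what stands between the LAN and the folder configuration. Prefer restoring `guiPasswordFile` if the option exists in the nixpkgs in use; if it was commented out because it does not, the fallback is to keep `pass` a strong bcrypt hash and note that in a comment, `password = pass; # bcrypt hash, ends up in /nix/store — never a plaintext password`, rather than leaving the reader to discover the exposure. The `syncthingVM` function this hunk edits starts outside the hunk.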
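Review bot: The inline `pass = "$2y$05$…"` is a bcrypt hash with cost factor 5 (32 rounds), far below the customary 10–12, which makes offline guessing cheap once the hash is read from the Nix store or from git history — and this commit places it in both. Regenerate it with a higher cost (for example `htpasswd -nB -C 12 ""` or Syncthing's own hashing) before it is relied on, and if the password behind it has ever been reused elsewhere treat it as exposed. A short comment on the line saying what the value is and how to regenerate it would help, e.g. `# bcrypt hash of the GUI password; regenerate with cost >= 12`. The `syncthingVM { … }` call this hunk edits continues outside the hunk.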
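Review bot: Commenting out `ROCKET_PORT = serviceCfg.ports.port0;` makes vaultwarden fall back to its built-in default port (8000 for the non-container build, as far as I recall), while the firewall hunk further down now opens `serviceCfg.ports.port0` — unless `port0` happens to equal that default, the port the firewall opens and the port the service listens on have drifted apart. If the default is intended, tie the two together instead of leaving a dead line: set `port0` to that value in the instance config and keep `ROCKET_PORT = serviceCfg.ports.port0;`. `ROCKET_ADDRESS = "0.0.0.0"` with no TLS settings visible here means a plain-HTTP listener on every interface, which is only acceptable if a TLS-terminating proxy sits in front; the hunk cannot confirm that, so a comment stating the assumption would be useful. The `config` attribute set this hunk edits starts outside the hunk.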
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index d4511a0..8e25e5d 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -75,7 +75,7 @@ photoprism:
 stacie-pass: ENC[AES256_GCM,data:45nwjOXOI2wYPi7H2RtUVMESCxLTYQrF4600MQHoCDwm,iv:WgYqJjbIO8fzU/z19RsiUpIbWQmyT4iU4yAFIj1fcsU=,tag:jzsYNrerq6syemssOOOwTg==,type:str]
 garnet-pass: ENC[AES256_GCM,data:ccb7NJxYZxXeuiHxn6ntssTmnN9AoaqoFe8pFkPLNgLm,iv:yeTPsn01pVuWp5qVaFl1dWCoMYX6koBKN5ehJgCSix4=,tag:Pd2erGL2hBQnN5JZNBPo5A==,type:str]
 syncthing:
- nick-pass: ENC[AES256_GCM,data:1GBRck3M9E9x1vJs8iHMF5IHVEwozrZ2Kon6MOx7MjwK,iv:4FfSlWDH4klRXvKU19w/iI233v0OudkLxsT16fYi4GU=,tag:MVOX7+Z+BRIxaiO/Rl+sMQ==,type:str]
+ nick-pass: ENC[AES256_GCM,data:Ypb3g/siQqTyiIYowT/mOMEOwCrWwKXfjomrYew8qf/N,iv:5iuSMhhcm4/9S3ut+DKXyh687exqM00Q/H05L4eI7NY=,tag:/THFt1Ipv16NSknNCdjl0w==,type:str]
 listenbrainz-token: ENC[AES256_GCM,data:rSLVOYj4PbWII+CQa3VzK36Tns5PTr6wwE9ARlGwt7h5HAf7,iv:GXpJlchq1B/jTjvn5EWrZ3pnCZgGcDNHEYA2+yESUsc=,tag:im6e/xqQMgbKPt9ey3l2TA==,type:str]
 sops:
 age:
@@ -88,7 +88,7 @@ sops:
 bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
 aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-09T22:33:37Z"
- mac: ENC[AES256_GCM,data:nMOflva5Y8/ARjuQJi3xxrlHE9gPWrBsEVPlV/hRAHOT96DjeQwotlOXSVHKQA5oTdX9tyBhlCtAV+FXWlE9+X/SDNJ1McKOPRNyg63iroMDzO0U6o56yWD7mETdv2H+mrSqJMPXibwRyeWtRMXeFc2paay1C87gSaY7cxa5HT8=,iv:MmxVhxWO3HnLSU4DHERWYdnRTRfKFkTPPgK834oF6Uk=,tag:+MaLPsgjm07kyseF9Hgy9A==,type:str]
+ lastmodified: "2025-12-10T02:07:35Z"
+ mac: ENC[AES256_GCM,data:W+q1Qy0tWuWBVQyVoyE2xnfxHEnHvBTt+HWnx/gEK4i+jgnJFGCn8EjZycBwr9jrMTCf70HpSnPIyKd8xg0n6E49Y0yHq6WBOG2K3SKFueqohljNf4QfpG4Gtrr6pyWFXDs5WKdRd9iszTs8jZ4bnOVNsMBggE5r8Sqt4Pu6Ico=,iv:1Pp2nLyjhSRnjPCBzFRll7m+NO/h7Y5l+nCXOoEGE6Q=,tag:9KPuFI0keIsVF5c6BPyQow==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0