upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-16 03:20:53 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

feat: configured syncthing and photoprism

Browse source
This commit is contained in:
Nick 2025-12-14 01:52:25 -06:00
parent 77dcbe3c33
commit 8eb9ed31fc
8 changed files with 161 additions and 92 deletions
Download patch file Download diff file Expand all files Collapse all files

3
modules/nixos/default.nix
View file

@ -59,7 +59,7 @@ in
impermanence impermanence
lix lix
microvm microvm
restic resticCeres
# wireguard # wireguard
forgejoCeres forgejoCeres
jellyfinCeres jellyfinCeres
@ -81,6 +81,7 @@ in
inherit (modules) inherit (modules)
impermanence impermanence
lix lix
resticEris
microvm microvm
sambaEris sambaEris
fireflyEris fireflyEris

50
modules/nixos/homelab/guests/photoprism/config/default.nix
View file

@ -1,6 +1,7 @@
{ {
flake, flake,
lib, lib,
pkgs,
... ...
}: }:
let let
@ -37,9 +38,13 @@ in
PHOTOPRISM_ADMIN_USER = user; PHOTOPRISM_ADMIN_USER = user;
PHOTOPRISM_DISABLE_TLS = "true"; PHOTOPRISM_DISABLE_TLS = "true";
PHOTOPRISM_DEFAULT_LOCAL = "en"; PHOTOPRISM_DEFAULT_LOCAL = "en";
PHOTOPRISM_BACKUP_DATABASE = "false";
PHOTOPRISM_BACKUP_ALBUMS = "true";
PHOTOPRISM_SIDECAR_YAML = "true";
PHOTOPRISM_READONLY = "true";
PHOTOPRISM_INDEX_SCHEDULE = "0 2 * * *";
}; };
passwordFile = "/etc/photoprism-secrets/${user}-pass"; passwordFile = "/etc/photoprism-secrets/${user}-pass";
# databasePasswordFile = "/etc/photoprism-secrets/${user}-pass";
storagePath = "/var/lib/${serviceCfg.name}"; storagePath = "/var/lib/${serviceCfg.name}";
originalsPath = "/var/lib/${serviceCfg.name}-media"; originalsPath = "/var/lib/${serviceCfg.name}-media";
address = "0.0.0.0"; address = "0.0.0.0";
@ -67,34 +72,29 @@ in
systemd = { systemd = {
services = { services = {
# fix-secrets-permissions = { photoprism-secrets = {
# description = "Fix secrets permissions for photoprism"; description = "Setup photoprism secrets";
# wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
# before = [ before = [ "photoprism.service" ];
# "photoprism.service" serviceConfig = {
# ]; Type = "oneshot";
# serviceConfig = { RemainAfterExit = true;
# Type = "oneshot"; };
# RemainAfterExit = true; script = ''
# }; mkdir -p /etc/photoprism-secrets
# script = '' cp /run/secrets/${user}-pass /etc/photoprism-secrets/${user}-pass
# mkdir -p /etc/photoprism-secrets chmod 755 /etc/photoprism-secrets
# cp /run/secrets/${user}-pass /etc/photoprism-secrets/${user}-pass chmod 644 /etc/photoprism-secrets/${user}-pass
# chmod 755 /etc/photoprism-secrets '';
# chmod 644 /etc/photoprism-secrets/* };
# '';
# };
photoprism = { photoprism = {
serviceConfig = { serviceConfig = {
DynamicUser = lib.mkForce false; DynamicUser = lib.mkForce false;
User = serviceCfg.name; User = serviceCfg.name;
Group = serviceCfg.name; Group = serviceCfg.name;
# Override LoadCredential to use our secrets path StateDirectory = lib.mkForce [ ];
LoadCredential = lib.mkForce [ StateDirectoryMode = lib.mkForce null;
"PHOTOPRISM_ADMIN_PASSWORD_FILE:/run/secrets/${user}-pass"
];
}; };
# Make sure secrets are mounted before service starts
after = [ "run-secrets.mount" ]; after = [ "run-secrets.mount" ];
requires = [ "run-secrets.mount" ]; requires = [ "run-secrets.mount" ];
}; };
@ -124,8 +124,8 @@ in
}; };
microvm = { microvm = {
vcpu = 1; vcpu = 2;
mem = 512; mem = 1024 * 4;
hypervisor = "qemu"; hypervisor = "qemu";
interfaces = [ interfaces = [
{ {

3
modules/nixos/homelab/guests/photoprism/photoprismEris/default.nix
View file

@ -1,13 +1,14 @@
{ {
flake, flake,
lib, lib,
pkgs,
labHelpers, labHelpers,
... ...
}: }:
let let
inherit (import ../../../helpers.nix { inherit flake; }) labHelpers; inherit (import ../../../helpers.nix { inherit flake; }) labHelpers;
inherit (labHelpers) guestPath mediaPath; inherit (labHelpers) guestPath mediaPath;
inherit (import ../config { inherit flake lib; }) photoprismVM; inherit (import ../config { inherit flake lib pkgs; }) photoprismVM;
inherit (flake.config.services.instances) photoprism; inherit (flake.config.services.instances) photoprism;
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
interfaceCfg = photoprism.interfaces.interface0; interfaceCfg = photoprism.interfaces.interface0;

2
modules/nixos/homelab/guests/syncthing/config/default.nix
View file

@ -5,7 +5,7 @@
let let
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
inherit (flake.config.services.instances) syncthing; inherit (flake.config.services.instances) syncthing;
inherit (import ../../../../helpers.nix { inherit flake; }) labHelpers; inherit (import ../../../helpers.nix { inherit flake; }) labHelpers;
inherit (labHelpers) mediaPath docsPath miscPath; inherit (labHelpers) mediaPath docsPath miscPath;
serviceCfg = syncthing; serviceCfg = syncthing;
in in

66
modules/nixos/homelab/restic/default.nix
View file

@ -1,63 +1,11 @@
{
config,
flake,
...
}:
let let
inherit (flake.config.services) instances; importList =
inherit (flake.config.people) user0; let
envFile = "backblaze/env"; content = builtins.readDir ./.;
repoFile = "backblaze/repo"; dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
passFile = "restic/pass"; in
map (name: ./. + "/${name}") dirContent;
in in
{ {
services.restic = { imports = importList;
backups = {
remote = {
environmentFile = config.sops.secrets.${envFile}.path;
initialize = true;
passwordFile = config.sops.secrets.${passFile}.path;
repositoryFile = config.sops.secrets.${repoFile}.path;
timerConfig = {
OnCalendar = "0/4:00";
Persistent = true;
};
paths =
let
inst = instance: interface: instances.${instance}.interfaces.${interface}.paths.mntPaths.path0;
in
[
"/home/${user0}/.ssh"
(inst "forgejo" "interface0")
(inst "mastodon" "interface0")
(inst "opencloud" "interface1")
(inst "minecraft" "interface0")
(inst "minecraft" "interface1")
((inst "jellyfin" "interface0") + "/cache")
((inst "jellyfin" "interface0") + "/data")
((inst "jellyfin" "interface0") + "/media/music")
];
};
};
};
sops = {
secrets = builtins.listToAttrs (
map
(secret: {
name = secret;
value = {
path = "/run/secrets/${secret}";
owner = "root";
group = "root";
mode = "0600";
};
})
[
envFile
repoFile
passFile
]
);
};
} }

64
modules/nixos/homelab/restic/resticCeres/default.nix Executable file
View file

@ -0,0 +1,64 @@
{
config,
flake,
...
}:
let
inherit (flake.config.services) instances;
inherit (flake.config.machines.devices) ceres;
inherit (flake.config.people) user0;
envFile = "backblaze/${ceres.name}-env";
repoFile = "backblaze/${ceres.name}-repo";
passFile = "restic/${ceres.name}-pass";
in
{
services.restic = {
backups = {
remote = {
initialize = true;
environmentFile = config.sops.secrets.${envFile}.path;
passwordFile = config.sops.secrets.${passFile}.path;
repositoryFile = config.sops.secrets.${repoFile}.path;
timerConfig = {
OnCalendar = "0/4:00";
Persistent = true;
};
paths =
let
inst = instance: interface: instances.${instance}.interfaces.${interface}.paths.mntPaths.path0;
in
[
"/home/${user0}/.ssh"
(inst "forgejo" "interface0")
(inst "mastodon" "interface0")
(inst "opencloud" "interface1")
(inst "minecraft" "interface0")
(inst "minecraft" "interface1")
((inst "jellyfin" "interface0") + "/cache")
((inst "jellyfin" "interface0") + "/data")
((inst "jellyfin" "interface0") + "/media/music")
];
};
};
};
sops = {
secrets = builtins.listToAttrs (
map
(secret: {
name = secret;
value = {
path = "/run/secrets/${secret}";
owner = "root";
group = "root";
mode = "0600";
};
})
[
envFile
repoFile
passFile
]
);
};
}

52
modules/nixos/homelab/restic/resticEris/default.nix Executable file
View file

@ -0,0 +1,52 @@
{
config,
flake,
...
}:
let
inherit (flake.config.machines.devices) eris;
inherit (flake.config.people) user0;
envFile = "backblaze/${eris.name}-env";
repoFile = "backblaze/${eris.name}-repo";
passFile = "restic/${eris.name}-pass";
in
{
services.restic = {
backups = {
remote = {
environmentFile = config.sops.secrets.${envFile}.path;
initialize = true;
passwordFile = config.sops.secrets.${passFile}.path;
repositoryFile = config.sops.secrets.${repoFile}.path;
timerConfig = {
OnCalendar = "0/4:00";
Persistent = true;
};
paths = [
"/home/${user0}/.ssh"
"/mnt/storage"
];
};
};
};
sops = {
secrets = builtins.listToAttrs (
map
(secret: {
name = secret;
value = {
path = "/run/secrets/${secret}";
owner = "root";
group = "root";
mode = "0600";
};
})
[
envFile
repoFile
passFile
]
);
};
}

13
secrets/secrets.yaml
View file

@ -65,10 +65,13 @@ torrent:
nick-wireguard-pass: ENC[AES256_GCM,data:9vvKbANYt/zuPgIQmYFFhBdN59p6aa8hgErYBv325ByPkeGNrxZYhpzv8d8Y,iv:rJbMKsFRBaRyyCE3fI+2XsmVCxSgGdn7glrF/8QThSU=,tag:cg/JFl1iahoqelvrB/T0nA==,type:str] nick-wireguard-pass: ENC[AES256_GCM,data:9vvKbANYt/zuPgIQmYFFhBdN59p6aa8hgErYBv325ByPkeGNrxZYhpzv8d8Y,iv:rJbMKsFRBaRyyCE3fI+2XsmVCxSgGdn7glrF/8QThSU=,tag:cg/JFl1iahoqelvrB/T0nA==,type:str]
nick-qbittorrent-pass: ENC[AES256_GCM,data:KT1L8pFz0sczfftnpGxA8Od0jY3dHzzDWpMf1fSyHsM9,iv:uzLkGIlWhA3+DsQxjdLd+bF4zCgsoKYDIs2W2LHtK2M=,tag:goIJ1uuqyPGHzqJMYq2wQg==,type:str] nick-qbittorrent-pass: ENC[AES256_GCM,data:KT1L8pFz0sczfftnpGxA8Od0jY3dHzzDWpMf1fSyHsM9,iv:uzLkGIlWhA3+DsQxjdLd+bF4zCgsoKYDIs2W2LHtK2M=,tag:goIJ1uuqyPGHzqJMYq2wQg==,type:str]
backblaze: backblaze:
env: ENC[AES256_GCM,data:cdOYt77KocuGB3aqYz13oBokoLkEIgI1AW+cYC5uutgZYujG3PqoLEh6Gvbpzn3O+0OWg1/4UAYr4f2v7oCsgwFzPWS3HrhqC5+kIBjrPCyAnxDxlu2xaQ9hR+ogFh5UTDo=,iv:6+jx4Dj5CNV72DAss6NNYm44f9gSHco/EUBvL2o2CNI=,tag:6/cx84MgTDqQJxu/zINEeA==,type:str] ceres-env: ENC[AES256_GCM,data:WQGj3+pgxWCd5qhS7ksOUWBeMzI1VsQVmgt2kFAqAggjLm0HDuVuGXI+aH4mh5i047USkU1z0oBGfIwNeiDfpaFlKeqLLQUCPZYSssPb5wUE3fGdkBHsCTfhW2TuOPmncYo=,iv:K+qVxHvp5DksSvX0HN/ct0VwM8WTtlxgpKBiS1TWWV0=,tag:YAKk7+LtwSYNnz7mzN44JA==,type:str]
repo: ENC[AES256_GCM,data:sRae9XELIfkWPaXelCdgEXIDbLTHVqGcRO0o+WA9aBfB8MUw92JjRCYgMgGXT0Apy38eszyuEHFB3XPpRmtQ7g==,iv:EilVA9zdHm6B9pTIhNxyj6Th1248nXvh0kpnEqZJ5HI=,tag:q9ASAgx5vgY0IePws4rT5Q==,type:str] ceres-repo: ENC[AES256_GCM,data:HPPfCfZnQpkgt+qsNWeecTQYDGB5eOcDHnYzI8u177C51BhnhAir14JWe+bL3cZY9oc9LynLjvl7UFePZcFCYw==,iv:/D4HV8GQEcn14YaB8NYA2VSm5F03aeDiXaHiDq4QT2M=,tag:XvkSTLbdWR8Pyoy9CBP6PQ==,type:str]
eris-env: ENC[AES256_GCM,data:0egE0S6ge+o404WKSwmOILvmVJoTnj9953IHAn+8vczZ++IQM+uoskxV2zsQ80tXII11c46VGfwqtJWC6pJLAdEPgFoQz4s4B21wkORRV8xAwnQ2jFiMHyWHhrF1jJtxcEI=,iv:E1lzUHI+usWyP5dne0EHrY+glBJX/A/pPHyy8pdiZzU=,tag:wwWLId8EO1qDfmcWW3Mlnw==,type:str]
eris-repo: ENC[AES256_GCM,data:Lro61R+gez+KlX3Tg5y2z/Pk3PhAjDpT1iP35wUSI1ZJm5pVYkPNZSJnz+vQZNrBkJQ+HVDtAQ==,iv:UJfAenX4bhWPxPN4cawhYYQxr7jAUfiZQBCxr7zyvJg=,tag:Q4qx3+VI4zbf6xxW1YOhsg==,type:str]
restic: restic:
pass: ENC[AES256_GCM,data:I5Bf7or9jNwtdK/r/DzUHw6FohzeMtWVrs5AG71geVr6,iv:WnHsFW6oJCBsm84y1rzQ6HbLG8ydPBPQQbHoXKGR7JM=,tag:HsoJxLv8FvrUNSwI0OFCbQ==,type:str] ceres-pass: ENC[AES256_GCM,data:oIFx/v9WbgMT44U/W62+nVlH8Y8VBD7+GoSDMKsVEvbj,iv:epzLHQaGwvEgmx2NDn3MD5xaUnAHu3qcapxGzzavoTM=,tag:d5+qfobstLXwWx3PjxIrag==,type:str]
eris-pass: ENC[AES256_GCM,data:gsqlsENMD4RSnoTXMBBpgmGKqOlFCrISVUBuEOOPtvNv,iv:/iCn+eYVDC79oQXfgMMRcaKEadtlMF6VTI2FwAL7H7E=,tag:J7R7ADX/5HQSPnQWY+8Jtg==,type:str]
passwords: passwords:
user0: ENC[AES256_GCM,data:72ABhoc8Hjdf56eHkxu82Ls1zTJwUJRkly9hqlHKhQ4INepT66LrUGRHUG1x+4FemNWvAirEXVHvPVtu+rArCrDpGP2ZIbP77f8=,iv:ukq8E7orUwFOUfoqPp9RMjZNm0MMobXcjbWLzx9z1+4=,tag:E9OTDzLkliDIlH5DrLqQVw==,type:str] user0: ENC[AES256_GCM,data:72ABhoc8Hjdf56eHkxu82Ls1zTJwUJRkly9hqlHKhQ4INepT66LrUGRHUG1x+4FemNWvAirEXVHvPVtu+rArCrDpGP2ZIbP77f8=,iv:ukq8E7orUwFOUfoqPp9RMjZNm0MMobXcjbWLzx9z1+4=,tag:E9OTDzLkliDIlH5DrLqQVw==,type:str]
photoprism: photoprism:
@ -89,7 +92,7 @@ sops:
bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-11T06:59:23Z" lastmodified: "2025-12-14T07:15:33Z"
mac: ENC[AES256_GCM,data:xGDaLeNV+YTJmX/v8WgRDPn683a8gfxSmE/Le+c9AB8VQfq+mKbqjz4DdtQ9TSdNz65BIjV1GCQJ1jsSxfqmJJaQJkVCgWCI+sKby/Qkpbjn+3xhMxWCbgI5kxasDGYHOXlcz5L4IXUg1pRIHQwuZjlA4q7H7fKUHim6UnUZzQ8=,iv:zywKqa6OWVb4TFhMAoHNasbkJdb9fLttGXCwGS+NzOE=,tag:7Vs8K3XeiFM6lNOTUDY67g==,type:str] mac: ENC[AES256_GCM,data:jH5VMFbTsriCcNwYxN4lgu3ORuoPYKBY1xl/09ecKLj/VtBMZcFAIRjsf101pFjN4MvcCtP3CgrI92LdL/LEbnTkT5LWULoqCvfXZNWSokaVvd9evIK1Gg3ZHwXC+1ONdYOHt/zLxLvT35Z2XqD7bkxOrDkmYYd0P+pkqyZDMRI=,iv:ynPngQxUSkMC82gD+rp8vvB0jblcTt45DTe5xFDm/qo=,tag:sQyZzFBKi4aPbXVG0OH6QQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0