diff --git a/.envrc b/.envrc index c5c9403..ddaf6a2 100644 --- a/.envrc +++ b/.envrc @@ -1,5 +1,5 @@ export DIRENV_WARN_TIMEOUT=20s -eval "$(devenv direnvrc)" +# eval "$(devenv direnvrc)" -use flake --no-pure-eval +use flake . --no-pure-eval diff --git a/config/_ids.nix b/config/_ids.nix deleted file mode 120000 index 797b98e..0000000 --- a/config/_ids.nix +++ /dev/null @@ -1 +0,0 @@ -/home/xmorel/homelab-private/_ids.nix \ No newline at end of file diff --git a/config/_ids.nix b/config/_ids.nix new file mode 100644 index 0000000..c2aa540 --- /dev/null +++ b/config/_ids.nix @@ -0,0 +1,22 @@ +{ ... }: +{ + id = { + git = 1017; + mqtt = 1018; + metrics = 1019; + frigate = 1020; + power = 1021; + monitoring = 1022; + media = 1023; + vault = 1024; + proxy = 1025; + matrix = 1026; + db = 1027; + finances = 1028; + yarrr = 1029; + auth = 1030; + music = 1031; + dns = 1042; + z2m = 1016; + }; +} diff --git a/config/alloy/metrics.alloy.nix b/config/alloy/metrics.alloy.nix index 69cabfd..8dd24da 100644 --- a/config/alloy/metrics.alloy.nix +++ b/config/alloy/metrics.alloy.nix @@ -6,14 +6,14 @@ }: { out = '' - prometheus.exporter.unix "default" { - include_exporter_metrics = true - disable_collectors = ["mdadm"] - } + // prometheus.exporter.unix "default" { + // include_exporter_metrics = true + // disable_collectors = ["mdadm"] + // } prometheus.scrape "default" { targets = array.concat( - prometheus.exporter.unix.default.targets, + // prometheus.exporter.unix.default.targets, [{ // Self-collect metrics job = "alloy", diff --git a/config/dns-adguardhome.nix b/config/dns-adguardhome.nix index 59437a4..ee6b4ff 100644 --- a/config/dns-adguardhome.nix +++ b/config/dns-adguardhome.nix @@ -12,6 +12,7 @@ let proxy_addr = ip "proxy"; domain_ext = config.globals.domains.external; domain_int = config.globals.domains.internal; + json = pkgs.formats.json { }; in { environment.etc."alloy/logs-adguardhome.alloy".text = 
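Review bot: In config/_ids.nix the new `id` set is ascending except for `z2m = 1016;` placed last and `dns = 1042;` jumping ahead, which hides duplicate ids from a quick read — and modules/tools.nix in this same commit turns these ids into IP suffixes (`id - 1000`), so a duplicate silently becomes an address collision. Keep the entries sorted by value (move `z2m = 1016;` to the top) or add a one-line comment explaining the gap before `dns`. Since this file replaces a symlink into a private checkout, it is worth confirming nothing else in the repo still points at that private path.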
@@ -41,13 +42,43 @@ in } ''; }).out; + environment.etc."AdGuardHome/data/leases.json".source = json.generate "leases.json" { + version = 1; + leases = ( + lib.filter (x: x.mac != null) ( + lib.mapAttrsToList (host: h: { + expires = ""; + ip = tools.build_ip h.ip; + hostname = host; + mac = h.mac; + static = true; + }) config.globals.other_hosts + ) + ); + }; + systemd.services.adguardhome.preStart = '' + cp /etc/AdGuardHome/data/leases.json /var/lib/AdGuardHome/data/leases.json + chown adguardhome:adguardhome /var/lib/AdGuardHome/data/leases.json + ''; services.adguardhome = { enable = true; + allowDHCP = true; host = "0.0.0.0"; port = 80; openFirewall = true; mutableSettings = true; # ?? settings = { + dhcp = { + enabled = true; + interface_name = "eth0"; + dhcpv4 = { + gateway_ip = config.globals.gateway; + subnet_mask = config.globals.mask; + range_start = tools.build_ip 150; + range_end = tools.build_ip 199; + }; + local_domain_name = lib.removePrefix "." config.globals.domains.internal; + }; http = { address = "0.0.0.0:80"; session_ttl = "720h"; @@ -96,11 +127,13 @@ in { domain = "*${domain_ext}"; answer = proxy_addr; + enabled = true; } ] ++ (lib.mapAttrsToList (d: id: { domain = "${d}${domain_int}"; answer = "${ip d}"; + enabled = true; }) config.id); }; }; diff --git a/config/dns-unbound.nix b/config/dns-unbound.nix index 085f31b..0baa0f4 100644 --- a/config/dns-unbound.nix +++ b/config/dns-unbound.nix @@ -32,6 +32,9 @@ in enable = true; port = 9167; openFirewall = true; + unbound = { + host = "unix:///run/unbound/unbound.ctl"; + }; }; services.unbound = { enable = true; @@ -56,6 +59,7 @@ in private-address = [ mask_cidr ]; + do-udp = true; do-ip6 = false; so-sndbuf = 0; access-control = [ diff --git a/config/finances-fireflyiii.nix b/config/finances-fireflyiii.nix index 94729b4..16b5019 100644 --- a/config/finances-fireflyiii.nix +++ b/config/finances-fireflyiii.nix 
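Review bot: The new `systemd.services.adguardhome.preStart` overwrites `/var/lib/AdGuardHome/data/leases.json` unconditionally on every start, so any dynamic leases AdGuardHome handed out from the 150–199 range are forgotten after each restart and may be re-offered to other clients; if that is accepted, say so in a comment next to the `cp`, otherwise merge the generated static entries into the existing file instead of replacing it. The copy also assumes the `data/` directory already exists and hard-codes the owner; `install -o adguardhome -g adguardhome -m 0640 /etc/AdGuardHome/data/leases.json /var/lib/AdGuardHome/data/leases.json` after a `mkdir -p` does both steps in one line. `mutableSettings = true; # ??` is a question left in the code — with `dhcp` now managed declaratively it deserves a decided answer and a comment stating it.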
@@ -5,25 +5,32 @@ }: let name = "finances"; - hostname = tools.build_hostname name; - ip = tools.build_ip name; + db_ip = tools.build_ip "db"; in { + environment.etc."firefly-iii/app.key" = { + source = config.age.secrets.finances-app-key.path; + user = "firefly-iii"; + group = "nginx"; + }; services.firefly-iii = { enable = true; enableNginx = true; settings = { SITE_OWNER = config.globals.master.email; DB_CONNECTION = "pgsql"; - DB_HOST = ip; + DB_HOST = db_ip; DB_PORT = 5432; - DB_DATABASE = hostname; - DB_USERNAME = hostname; + DB_DATABASE = name; + DB_USERNAME = name; DB_PASSWORD = config.my-lxc.finances.db.password; AUTHENTICATION_GUARD = "remote_user_guard"; AUTHENTICATION_GUARD_HEADER = "HTTP_REMOTE_EMAIL"; AUTHENTICATION_GUARD_EMAIL = "HTTP_REMOTE_EMAIL"; - APP_KEY_FILE = config.age.secrets.finances-app-key.path; + APP_URL = "https://${tools.build_hostname "finances"}"; + APP_KEY_FILE = "/etc/firefly-iii/app.key"; + TRUSTED_PROXIES = tools.build_ip "proxy"; + TZ = config.globals.default_tz; }; }; } diff --git a/config/frigate-frigate.nix b/config/frigate-frigate.nix index b51c6fd..80cf967 100644 --- a/config/frigate-frigate.nix +++ b/config/frigate-frigate.nix @@ -2,7 +2,7 @@ let hostname = tools.build_hostname "frigate"; mask_cidr = tools.mask_cidr; - camera = tools.build_ip "camera"; + camera = tools.build_ip "camera-entree-4"; user = "admin"; # use yours pass = "admin"; # use yours in @@ -13,6 +13,7 @@ in checkConfig = false; settings = { auth = { + enabled = false; trusted_proxies = [ mask_cidr ]; 
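Review bot: `user = "firefly-iii"; group = "nginx";` on `environment.etc."firefly-iii/app.key"` have no effect as written: with only `source` set, the entry keeps the default `mode = "symlink"`, NixOS creates a symlink into the agenix path and ignores user/group for symlinks, so who can read the app key is still decided by the owner and group of `age.secrets.finances-app-key`. Set the ownership on the secret itself (the `extra` attribute this commit adds to the secrets mapping in modules/containers.nix looks made for exactly this) or add `mode = "0440";` here so the file is copied with those permissions. Giving group `nginx` read access to the application key also widens the trust boundary beyond the PHP worker; if only `firefly-iii` needs it, drop the nginx group. The `let` block enclosing this hunk starts before it.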
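Review bot: `auth.enabled = false;` turns off Frigate's own authentication, so the `trusted_proxies = [ mask_cidr ];` beside it no longer gates anything, and with the proxy-header mapping's `default_role = "admin"` kept in the next hunk, any host on the subnet that reaches the container port directly appears to get an unauthenticated admin UI (inferred from context; the surrounding settings begin outside this hunk). If the intent is to rely solely on the authentik overlay in Traefik, the Frigate port should only be reachable from the proxy address, e.g. narrow `trusted_proxies` to `[ (tools.build_ip "proxy") ]` and restrict the firewall accordingly, or keep Frigate auth enabled. At minimum add a comment on this line stating that Frigate is intentionally unauthenticated and which layer is expected to enforce access.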
@@ -25,6 +26,56 @@ in separator = "|"; default_role = "admin"; }; + # database.path => postgres ?? + mqtt = { + enabled = true; + host = tools.build_hostname "mqtt"; + user = "frigate"; + password = "pouet"; + # Auth ??? + }; + detect = { + enabled = true; + fps = 5; + }; + detectors.cpu.type = "cpu"; + objects.track = [ + "person" + "car" + "bird" + "cat" + "dog" + ]; + motion.enabled = true; + # genai => ollama + semantic_search = { + enabled = true; + model_size = "small"; + }; + review.detections = { + enabled = true; + labels = [ + "car" + "person" + "cat" + "dog" + ]; + }; + record = { + enabled = true; + retain.days = 2; + preview.quality = "medium"; + }; + snapshots = { + enabled = true; + retain.default = 7; + }; + # face_recognition = { + # enabled = true; + # model_size = "small"; + # }; + # lpr.enabled = true; + # classification.bird.enabled = true; cameras = { front = { enabled = true; @@ -45,6 +96,21 @@ in user = user; password = pass; }; + zones = { + ZoneA = { + coordinates = "0,0.036,0.985,0.041,0.985,0.494,0.01,0.496"; + loitering_time = 0; + }; + ZoneB = { + coordinates = "0,0.502,0,1,1,1,1,0.501"; + inertia = 3; + loitering_time = 0; + }; + }; + # review.alerts.required_zones = [ + # "ZoneA" + # "ZoneB" + # ]; }; }; }; diff --git a/config/media-jellyfin.nix b/config/media-jellyfin.nix new file mode 100644 index 0000000..6179a8c --- /dev/null +++ b/config/media-jellyfin.nix @@ -0,0 +1,13 @@ +{ ... }: +{ + services.jellyfin = { + enable = true; + openFirewall = true; + # Manual bind-mount in proxmox + dataDir = "/mnt/nas/app-data/jellyfin"; + configDir = "/etc/jellyfin/"; + logDir = "/var/log/jellyfin"; + # user = "root"; + # group = "root"; + }; +} diff --git a/config/metrics-prometheus.nix b/config/metrics-prometheus.nix index f82b93f..f7b5833 100644 --- a/config/metrics-prometheus.nix +++ b/config/metrics-prometheus.nix 
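Review bot: `password = "pouet";` under `mqtt` puts the Frigate broker credential in plain text in the repository and in the world-readable Nix store, while the broker side (config/mqtt-mosquitto.nix) keeps the same user's password in an agenix secret. Frigate substitutes `{FRIGATE_MQTT_PASSWORD}` from its environment, so `password = "{FRIGATE_MQTT_PASSWORD}";` plus a `systemd.services.frigate.serviceConfig.EnvironmentFile` pointing at an agenix-provisioned file keeps the value out of the store; the committed value should be treated as exposed and rotated on the broker. The `# Auth ???` and `# database.path => postgres ??` notes are open questions left in the config — turn them into tracked `# TODO:` items or resolve them before merge.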
@@ -27,25 +27,27 @@ in version = true; }; configFile = config.age.secrets.metrics-pve.path; + listenAddress = "0.0.0.0"; + openFirewall = true; port = 9221; }; globalConfig = { scrape_interval = "30s"; }; scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = [ - { - targets = [ "localhost:9090" ]; - labels = { - host = tools.build_hostname "metrics"; - host_ip = tools.build_ip "metrics"; - service = "prometheus"; - }; - } - ]; - } + # { + # job_name = "prometheus"; + # static_configs = [ + # { + # targets = [ "localhost:9090" ]; + # labels = { + # host = tools.build_hostname "metrics"; + # host_ip = tools.build_ip "metrics"; + # service = "prometheus"; + # }; + # } + # ]; + # } { job_name = "proxmox"; static_configs = [ diff --git a/config/monitoring-loki.nix b/config/monitoring-loki.nix index 5b9aba1..fc4b57b 100644 --- a/config/monitoring-loki.nix +++ b/config/monitoring-loki.nix @@ -36,6 +36,11 @@ retention_deletes_enabled = true; retention_period = config.globals.retention; }; + pattern_ingester.enabled = true; + limits_config = { + allow_structured_metadata = true; + volume_enabled = true; + }; }; }; } diff --git a/config/mqtt-mosquitto.nix b/config/mqtt-mosquitto.nix new file mode 100644 index 0000000..194ed4c --- /dev/null +++ b/config/mqtt-mosquitto.nix 
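Review bot: `listenAddress = "0.0.0.0"; openFirewall = true;` expose the PVE exporter on port 9221 to every host on the network, and that exporter serves, without authentication, metrics it gathers using the Proxmox credentials in `configFile`. If only the local Prometheus scrapes it, bind it to loopback (`listenAddress = "127.0.0.1";`) and drop `openFirewall`; if a remote scraper now needs it (the commented-out self-scrape job suggests scraping moved elsewhere, but that is an inference), limit the firewall rule to that scraper's address rather than the whole subnet. The commented-out `prometheus` job should be deleted rather than parked — git keeps the history — or carry a comment saying why it is kept.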
@@ -0,0 +1,64 @@ +{ + pkgs, + config, + tools, + ... +}: +{ + services.mosquitto = { + enable = true; + logType = [ + "error" + "warning" + "subscribe" + "unsubscribe" + "websockets" + ]; + settings = { + # ??? + }; + listeners = [ + { + acl = [ "pattern readwrite #" ]; + port = 1883; + omitPasswordAuth = false; + users = { + mqtt.passwordFile = config.age.secrets.mqtt-password-mqtt.path; + ha.passwordFile = config.age.secrets.mqtt-password-ha.path; + z2m.passwordFile = config.age.secrets.mqtt-password-z2m.path; + frigate.passwordFile = config.age.secrets.mqtt-password-frigate.path; + }; + settings = { + allow_anonymous = false; + require_certificate = true; + use_identity_as_username = true; + }; + } + { + acl = [ "pattern readwrite #" ]; + port = 9001; + omitPasswordAuth = false; + users = { + mqtt.passwordFile = config.age.secrets.mqtt-password-mqtt.path; + ha.passwordFile = config.age.secrets.mqtt-password-ha.path; + z2m.passwordFile = config.age.secrets.mqtt-password-z2m.path; + frigate.passwordFile = config.age.secrets.mqtt-password-frigate.path; + }; + settings = { + protocol = "websockets"; + allow_anonymous = false; + require_certificate = true; + use_identity_as_username = true; + }; + } + ]; + }; + services.prometheus.exporters.mqtt = { + enable = true; + mqttUsername = "mqtt"; + environmentFile = config.age.secrets.mqtt-exporter-environment.path; + openFirewall = true; + port = 9000; + zigbee2MqttAvailability = true; + }; +} diff --git a/config/proxy-traefik.nix b/config/proxy-traefik.nix index 5405f9d..53b2f55 100644 --- a/config/proxy-traefik.nix +++ b/config/proxy-traefik.nix @@ -24,6 +24,9 @@ in # # ''; # }).out; + environment.systemPackages = with pkgs; [ + openssl + ]; services = { traefik = { 
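Review bot: `require_certificate = true;` and `use_identity_as_username = true;` on both listeners are inert as written, because neither listener carries any `ssl` material (`ssl.cafile`, `ssl.certfile`, `ssl.keyfile`), so ports 1883 and 9001 are plaintext and the password files are what actually authenticates; if TLS is added later, `use_identity_as_username` would then replace the password check with the client certificate identity, which the password-file users are not set up for. Drop both settings until client certificates are actually deployed, or add the `ssl` block now and document the intended model. `acl = [ "pattern readwrite #" ]` also grants every account full read/write on every topic; per-user ACLs (e.g. `users.frigate.acl = [ "readwrite frigate/#" ];`) would contain a leaked client credential. The `pkgs` and `tools` inputs and the empty `settings = { # ??? };` block are unused and can go.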
@@ -92,10 +95,12 @@ in addServicesLabels = true; }; }; - experimental.plugins = { - staticResponse = { - moduleName = "github.com/jdel/staticresponse"; - version = "v0.0.1"; + experimental = { + plugins = { + staticResponse = { + moduleName = "github.com/jdel/staticresponse"; + version = "v0.0.1"; + }; }; }; }; @@ -162,17 +167,23 @@ in "X-authentik-meta-provider" "X-authentik-meta-app" "X-authentik-meta-version" + "X-Forwarded-Host" + "X-Forwarded-Proto" "Remote-User" "Remote-Group" "Remote-Email" "Remote-Name" ]; }; - matrix-wellknown.plugin.staticResponse = { - statusCode = 200; - body = ''{"m.server": "${tools.build_hostname "matrix"}:443"}''; - headers = { - "Content-Type" = "application/json"; + matrix-wellknown-mw = { + plugin = { + staticResponse = { + statusCode = 200; + body = ''{"m.server": "${tools.build_hostname "matrix"}:443"}''; + headers = { + "Content-Type" = "application/json"; + }; + }; }; }; }; @@ -211,15 +222,22 @@ in ] ) config.my-lxc) ++ [ - (map (h: { - ${h.hostname} = { - rule = "Host(`${h.hostname}${dmn}`) " + (if (h.private == true) then internal else ""); - service = "${h.hostname}-service"; - entryPoints = [ "websecure" ]; - middlewares = if (h.auth) then [ "authentik" ] else [ ]; - tls.certResolver = "letsencrypt"; - }; - }) config.globals.other_hosts) + (lib.mapAttrsToList + # mapAttrs? + ( + hostname: h: + lib.optionalAttrs (h.port != null) { + ${hostname} = { + rule = "Host(`${hostname}${dmn}`) " + (if (h.private == true) then internal else ""); + service = "${hostname}-service"; + entryPoints = [ "websecure" ]; + middlewares = if (h.auth) then [ "authentik" ] else [ ]; + tls.certResolver = "letsencrypt"; + }; + } + ) + config.globals.other_hosts + ) ] ) ) @@ -228,7 +246,7 @@ in rule = "Path(`/\.well-known/matrix/server`)"; entryPoints = [ "websecure" ]; service = "noop"; - middlewares = [ "matrix-wellknown" ]; + middlewares = [ "matrix-wellknown-mw" ]; tls.certResolver = "letsencrypt"; }; } 
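Review bot: `"X-Forwarded-Host"` and `"X-Forwarded-Proto"` are added to what looks like the forwardAuth `authResponseHeaders` list (it sits among the `X-authentik-*` and `Remote-*` entries; the middleware's head is outside the hunk). As far as I recall Traefik's forwardAuth implementation, every header in that list is first removed from the request and only re-added if the auth server's response carries it, so unless authentik echoes these two back, this strips Traefik's own `X-Forwarded-Host`/`X-Forwarded-Proto` from the request that reaches the backend — the opposite of what a backend behind `TRUSTED_PROXIES` wants. If the goal is for authentik to see the original host and scheme, that is `authRequestHeaders`; if the goal is for backends to see them, nothing is needed. A comment above the list naming the intent would settle it either way.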
@@ -257,16 +275,19 @@ in ] ) config.my-lxc) ++ [ - (map (h: { - "${h.hostname}-service" = { - loadBalancer = { - servers = [ { url = h.addr; } ]; - } - // (lib.optionalAttrs (h.useCustomCA) { - serversTransport = "${h.hostname}-transport"; - }); - }; - }) config.globals.other_hosts) + (lib.mapAttrsToList ( + hostname: h: + lib.optionalAttrs (h.port != null) { + "${hostname}-service" = { + loadBalancer = { + servers = [ { url = "${h.protocol}://${ip h.ip}:${toString h.port}"; } ]; + } + // (lib.optionalAttrs (h.useCustomCA) { + serversTransport = "${hostname}-transport"; + }); + }; + } + ) config.globals.other_hosts) ] ) ) @@ -274,10 +295,10 @@ in noop.loadBalancer.servers = [ ]; }; serversTransports = mergeConf ( - (map ( - h: + (lib.mapAttrsToList ( + hostname: h: lib.optionalAttrs (h.useCustomCA) { - "${h.hostname}-transport" = { + "${hostname}-transport" = { rootCAs = customCAs; }; } diff --git a/config/z2m-zigbee2mqtt.nix b/config/z2m-zigbee2mqtt.nix new file mode 100644 index 0000000..897babc --- /dev/null +++ b/config/z2m-zigbee2mqtt.nix 
@@ -0,0 +1,111 @@ +{ tools, ... }: +{ + services.zigbee2mqtt = { + enable = true; + settings = { + homeassistant.enabled = true; + frontend.enabled = true; + frontend.port = 80; + mqtt = { + base_topic = "zigbee2mqtt"; + server = tools.build_proto_uri "mqtt" "mqtt" 1883; + user = "z2m"; + password = ""; + }; + serial = { + adapter = "ember"; + port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0"; + rtscts = false; + }; + device_options.homeassistant.last_seen.enabled_by_default = true; + availability.enabled = true; + groups = { + "1".friendly_name = "chambre_lily"; + }; + advanced = { + last_seen = "ISO_8601"; + network_key = [ + 228 + 161 + 18 + 105 + 130 + 167 + 152 + 135 + 156 + 117 + 114 + 2 + 131 + 118 + 68 + 184 + ]; + pan_id = 55857; + ext_pan_id = [ + 134 + 209 + 175 + 31 + 23 + 62 + 37 + 117 + ]; + }; + devices = { + "0xa4c1388417d4338b".friendly_name = "thermo.bureau"; + "0xa4c13823a110391d".friendly_name = "porte.petit-salon"; + "0xa4c1381dec6190b8".friendly_name = "prise.radiateur_bureau"; + "0x8c8b48fffe0f7e7d".friendly_name = "prise.garage4"; + "0x8c8b48fffe22bdad".friendly_name = "prise.piscine"; + "0x94ec32fffe294a72".friendly_name = "prise.bureau-leds"; + "0xa4c138fe8162b02f".friendly_name = "detect-mvmt.bureau"; + "0xa4c138a2e759e4fe".friendly_name = "prise.salon-tv"; + "0xa4c13882e2f0b9b0".friendly_name = "prise.salon-entree"; + "0xfc4d6afffe9861ab".friendly_name = "detect-mvmt.couloir"; + "0x0c2a6ffffe9427d7".friendly_name = "qual-air.chambre"; + "0x6cfd22fffe741d4d".friendly_name = "lampe.couloir"; + "0x8c8b48fffe22be29".friendly_name = "prise.vinyle"; + "0xa4c138ad71c29b1a".friendly_name = "prise.dressing"; + "0x94ec32fffe005a54".friendly_name = "telecommande.1"; + "0xc4d8c8fffe8a77af".friendly_name = "telecommande.2"; + "0xc4d8c8fffe75fc4e".friendly_name = "telecommande.3"; + "0xc4d8c8fffe8aa9e9".friendly_name = "telecommande.4"; + "0xc4d8c8fffe8a334f".friendly_name = "telecommande.5"; + "0xa4c1383d67a9547f".friendly_name = 
"thermo.dressing"; + "0xa4c13814c6451d10".friendly_name = "thermo.salle"; + "0xa4c1384ad2338111".friendly_name = "thermo.cuisine"; + "0xa4c138ca886990cd".friendly_name = "thermo.petit-salon"; + "0xa4c1380843e93f46".friendly_name = "thermo.sdb"; + "0xa4c1381224ba47e6".friendly_name = "detect-mvmt.test"; + "0xa4c138cfc45b7415".friendly_name = "variateur.xav"; + "0xa4c1380648c97928".friendly_name = "porte.entree2"; + "0xa4c1383c9fe6e172".friendly_name = "detect-mvmt.wc-etg"; + "0xa4c13830906a830d".friendly_name = "detect-mvmt.salon"; + "0xa4c138dca3916211".friendly_name = "fenetre.chambre"; + "0x286847fffec2e17e".friendly_name = "interrupteur.chambre"; + "0x94a081fffe65644c".friendly_name = "lampe.chambre"; + "0xc02cedfffe3fcf82".friendly_name = "lampe.xav"; + "0xc02cedfffe451b62".friendly_name = "lampe.laeti"; + "0xa4c138e32b55464b".friendly_name = "variateur.laeti"; + "0xa4c138708bda69b4".friendly_name = "variateur.salledejeux"; + "0x781c9dfffe07bf3a".friendly_name = "lampe.salledejeux"; + "0xa4c138875f327aec".friendly_name = "thermo.dependance"; + "0x00158d000638ef03".friendly_name = "linky"; + "0xd4fe28fffe57a3a9".friendly_name = "interrupteur.chambre_lily"; + "0xc02cedfffe0c3f58".friendly_name = "lampe.lily-chambre-2"; + "0x70c59cfffe2bcbe0".friendly_name = "lampe.lily-chambre-1"; + "0x94a081fffebb4a7a".friendly_name = "interrupteur.cuisine"; + "0x08fd52fffe0f2220".friendly_name = "lampe.cuisine"; + "0x58263afffe6b046e".friendly_name = "interrupteur.dressing"; + "0xf0fd45fffe0b6e7f".friendly_name = "prise.dressing2"; + "0x94a081fffe76656b".friendly_name = "lampe.dressing"; + "0xf0fd45fffe0b6465".friendly_name = "prise.lave-linge"; + "0xd4fe28fffe5850de".friendly_name = "interrupteur.bureau"; + "0x8c8b48fffeba64d9".friendly_name = "lampe.bureau"; + }; + }; + }; +} diff --git a/config/z2m.configuration.yml b/config/z2m.configuration.yml new file mode 100644 index 0000000..7568e8c --- /dev/null +++ b/config/z2m.configuration.yml 
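Review bot: `advanced.network_key`, `pan_id` and `ext_pan_id` commit the Zigbee network key to the repository (and, through this .nix file, to the world-readable Nix store), and the parallel config/z2m.configuration.yml additionally commits the `z2m` MQTT password in clear; with the key, anyone with the repository or radio reach can join or decrypt the Zigbee network. Because both are now in git history, treat them as leaked: regenerate the key (`network_key = "GENERATE";` on a fresh start, which means re-pairing devices) and reset the z2m broker password in its agenix secret. Keep the values out of evaluated config by using Zigbee2MQTT's `!secret` references to a `secret.yaml` provisioned from agenix for both fields, and either remove z2m.configuration.yml or reduce it to its non-secret parts. `password = "";` here will be refused by the broker, which sets `allow_anonymous = false` in config/mqtt-mosquitto.nix, unless it is filled in at runtime — a comment stating where the value comes from would help.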
@@ -0,0 +1,154 @@ +version: 4 +homeassistant: + enabled: true +frontend: + enabled: true + port: 80 +mqtt: + base_topic: zigbee2mqtt + server: mqtt://192.168.68.18:1883 + user: z2m + password: QhtY@gxy*7BcGZhA +serial: + adapter: ember + port: /dev/serial/by-id/usb-1a86_USB_Serial-if00-port0 + rtscts: false +device_options: + homeassistant: + last_seen: + enabled_by_default: true +advanced: + last_seen: ISO_8601 + network_key: + - 228 + - 161 + - 18 + - 105 + - 130 + - 167 + - 152 + - 135 + - 156 + - 117 + - 114 + - 2 + - 131 + - 118 + - 68 + - 184 + pan_id: 55857 + ext_pan_id: + - 134 + - 209 + - 175 + - 31 + - 23 + - 62 + - 37 + - 117 +devices: + '0xa4c1388417d4338b': + friendly_name: thermo.bureau + '0xa4c13823a110391d': + friendly_name: porte.petit-salon + '0xa4c1381dec6190b8': + friendly_name: prise.radiateur_bureau + '0x8c8b48fffe0f7e7d': + friendly_name: prise.garage4 + '0x8c8b48fffe22bdad': + friendly_name: prise.piscine + '0x94ec32fffe294a72': + friendly_name: prise.bureau-leds + '0xa4c138fe8162b02f': + friendly_name: detect-mvmt.bureau + '0xa4c138a2e759e4fe': + friendly_name: prise.salon-tv + '0xa4c13882e2f0b9b0': + friendly_name: prise.salon-entree + '0xfc4d6afffe9861ab': + friendly_name: detect-mvmt.couloir + '0x0c2a6ffffe9427d7': + friendly_name: qual-air.chambre + '0x6cfd22fffe741d4d': + friendly_name: lampe.couloir + '0x8c8b48fffe22be29': + friendly_name: prise.vinyle + '0xa4c138ad71c29b1a': + friendly_name: prise.dressing + '0x94ec32fffe005a54': + friendly_name: telecommande.1 + '0xc4d8c8fffe8a77af': + friendly_name: telecommande.2 + '0xc4d8c8fffe75fc4e': + friendly_name: telecommande.3 + '0xc4d8c8fffe8aa9e9': + friendly_name: telecommande.4 + '0xc4d8c8fffe8a334f': + friendly_name: telecommande.5 + '0xa4c1383d67a9547f': + friendly_name: thermo.dressing + '0xa4c13814c6451d10': + friendly_name: thermo.salle + '0xa4c1384ad2338111': + friendly_name: thermo.cuisine + '0xa4c138ca886990cd': + friendly_name: thermo.petit-salon + '0xa4c1380843e93f46': + 
friendly_name: thermo.sdb + '0xa4c1381224ba47e6': + friendly_name: detect-mvmt.test + '0xa4c138cfc45b7415': + friendly_name: variateur.xav + '0xa4c1380648c97928': + friendly_name: porte.entree2 + '0xa4c1383c9fe6e172': + friendly_name: detect-mvmt.wc-etg + '0xa4c13830906a830d': + friendly_name: detect-mvmt.salon + '0xa4c138dca3916211': + friendly_name: fenetre.chambre + '0x286847fffec2e17e': + friendly_name: interrupteur.chambre + '0x94a081fffe65644c': + friendly_name: lampe.chambre + '0xc02cedfffe3fcf82': + friendly_name: lampe.xav + '0xc02cedfffe451b62': + friendly_name: lampe.laeti + '0xa4c138e32b55464b': + friendly_name: variateur.laeti + '0xa4c138708bda69b4': + friendly_name: variateur.salledejeux + '0x781c9dfffe07bf3a': + friendly_name: lampe.salledejeux + '0xa4c138875f327aec': + friendly_name: thermo.dependance + '0x00158d000638ef03': + friendly_name: linky + '0xd4fe28fffe57a3a9': + friendly_name: interrupteur.chambre_lily + '0xc02cedfffe0c3f58': + friendly_name: lampe.lily-chambre-2 + '0x70c59cfffe2bcbe0': + friendly_name: lampe.lily-chambre-1 + '0x94a081fffebb4a7a': + friendly_name: interrupteur.cuisine + '0x08fd52fffe0f2220': + friendly_name: lampe.cuisine + '0x58263afffe6b046e': + friendly_name: interrupteur.dressing + '0xf0fd45fffe0b6e7f': + friendly_name: prise.dressing2 + '0x94a081fffe76656b': + friendly_name: lampe.dressing + '0xf0fd45fffe0b6465': + friendly_name: prise.lave-linge + '0xd4fe28fffe5850de': + friendly_name: interrupteur.bureau + '0x8c8b48fffeba64d9': + friendly_name: lampe.bureau +availability: + enabled: true +groups: + '1': + friendly_name: chambre_lily diff --git a/containers/auth.nix b/containers/auth.nix index 484b1fe..d0ebec8 100644 --- a/containers/auth.nix +++ b/containers/auth.nix @@ -7,7 +7,7 @@ in container = { cores = 2; memory = 1024; - disk = "8G"; + disk = "12G"; swap = 1024; }; system = { 
@@ -32,7 +32,14 @@ in }; logging = { enable = true; - metricsEnable = true; + metricsEnable = false; + journalLoggers = { + authentik = ""; + authentik-ldap = ""; + authentik-migrate = ""; + authentik-proxy = ""; + authentik-worker = ""; + }; }; db = { enable = true; diff --git a/containers/db.nix b/containers/db.nix index 8ad47a6..747e0ce 100644 --- a/containers/db.nix +++ b/containers/db.nix @@ -19,14 +19,20 @@ enable = true; listenAddress = "0.0.0.0"; port = 9187; + openFirewall = true; + runAsLocalSuperUser = true; }; }; logging = { enable = true; - metricsEnable = true; + metricsEnable = false; prometheusPorts = { postgres = 9187; }; + journalLoggers = { + postgresql = ""; + postgresqlBackup = ""; + }; }; private = true; auth = true; diff --git a/containers/dns.nix b/containers/dns.nix index f2de34d..6d4533b 100644 --- a/containers/dns.nix +++ b/containers/dns.nix @@ -14,7 +14,12 @@ additionalPorts = [ 53 ]; - udpPorts = [ 53 ]; + udpPorts = [ + 53 + 67 + 5335 # unbound + 68 # DHCP + ]; importConfig = [ ../config/dns-adguardhome.nix ../config/dns-unbound.nix diff --git a/containers/finances.nix b/containers/finances.nix index 8835534..4a97cfa 100644 --- a/containers/finances.nix +++ b/containers/finances.nix @@ -9,7 +9,7 @@ in container = { cores = 1; memory = 512; - disk = "4G"; + disk = "5G"; swap = null; }; system = { @@ -17,10 +17,19 @@ in importConfig = [ ../config/finances-fireflyiii.nix ]; + additional = { + i18n.extraLocales = [ "all" ]; + }; }; logging = { enable = true; metricsEnable = true; + journalLoggers = { + firefly-iii-cron = ""; + firefly-iii-setup = ""; + nginx = ""; + phpfpm-firefly-iii = ""; + }; }; db = { enable = true; diff --git a/containers/frigate.nix b/containers/frigate.nix index c365926..04f6494 100644 --- a/containers/frigate.nix +++ b/containers/frigate.nix 
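Review bot: In containers/db.nix, `runAsLocalSuperUser = true;` together with the new `openFirewall = true;` (and the existing `listenAddress = "0.0.0.0";`) publishes, unauthenticated on port 9187, metrics that the exporter collects as the PostgreSQL superuser. A dedicated monitoring role granted `pg_monitor` (declarable via `services.postgresql.ensureUsers`) is the least-privilege option; if a specific collector really needs superuser, name it in a comment next to the flag. As with the other exporters opened in this commit, limiting the firewall opening to the scraper's address is preferable to the whole subnet.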
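Review bot: In containers/dns.nix, `68 # DHCP` opens the DHCP client port inbound; a DHCP server listens on 67 and sends to the clients' 68, so inbound 68 is only needed if this container is itself a DHCP client, which its fixed address from `_ids.nix` suggests it is not. Opening `5335 # unbound` to the network also exposes the recursive resolver beyond the local AdGuardHome forwarder; if only AdGuardHome on this host queries it, leave 5335 closed and rely on unbound's `access-control` (present in the dns-unbound.nix hunk) as the second layer. A short comment per port saying who the peer is would make the list self-explaining.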
@@ -12,10 +12,16 @@ importConfig = [ ../config/frigate-frigate.nix ]; + additional = { + hardware.graphics.enable = true; + }; }; logging = { enable = true; metricsEnable = true; + journalLoggers = { + frigate = ""; + }; }; private = false; auth = true; diff --git a/containers/media.nix b/containers/media.nix index 0040f69..e84642b 100644 --- a/containers/media.nix +++ b/containers/media.nix @@ -16,38 +16,18 @@ in }; system = { port = 8096; # jellyfin default http - additionalPorts = [ 5055 ]; # jellyseerr default - services = { - jellyfin = { - enable = true; - openFirewall = true; - # TODO: Manual bind-mount in proxmox - dataDir = "/mnt/nas/app-data/jellyfin"; - logDir = "/var/log/jellyfin"; - user = "root"; - group = "root"; - }; - jellyseerr = { - enable = true; - openFirewall = true; - # TODO: Same... - configDir = "/mnt/nas/app-data/jellyseerr"; - }; - }; + importConfig = [ + ../config/media-jellyfin.nix + ]; }; logging = { enable = true; metricsEnable = true; + journalLoggers = { + jellyfin = ""; + }; }; private = true; auth = true; - otherDomains = [ - { - subdomain = "flix"; - port = 5055; - private = true; - auth = true; - } - ]; }; } diff --git a/containers/metrics.nix b/containers/metrics.nix index 1160c1e..1069cca 100644 --- a/containers/metrics.nix +++ b/containers/metrics.nix @@ -8,8 +8,8 @@ swap = 512; }; system = { + port = 9090; additionalPorts = [ - 9090 9221 ]; importConfig = [ diff --git a/containers/mqtt.nix b/containers/mqtt.nix new file mode 100644 index 0000000..eb81979 --- /dev/null +++ b/containers/mqtt.nix 
@@ -0,0 +1,49 @@ +{ ... }: +let + db_pass = import ../config/_passwords.nix; +in +{ + my-lxc.mqtt = { + container = { + cores = 1; + memory = 512; + disk = "5G"; + swap = 512; + }; + system = { + additionalPorts = [ + 1883 + 9001 + ]; + importConfig = [ + ../config/mqtt-mosquitto.nix + ]; + }; + logging = { + enable = true; + metricsEnable = true; + prometheusPorts = { + mosquitto = 9000; + }; + journalLoggers.mosquitto = '' + stage.regex { + expression = "^(?P\\d+): (?P\\S+) (?P.*)$" + } + stage.timestamp { + source = "timestamp" + format = "Unix" + } + stage.labels { + values = { + client_id = "", + } + } + stage.output { + source = "message" + } + ''; + }; + private = true; # available only on private lan + auth = true; # auth overlay + }; +} diff --git a/containers/music.nix b/containers/music.nix index b414829..cdddfbc 100644 --- a/containers/music.nix +++ b/containers/music.nix @@ -14,7 +14,11 @@ in port = 8095; additionalPorts = [ 8097 + 9090 + 9000 + 3483 ]; + udpPorts = [ 3483 ]; services.music-assistant = { enable = true; providers = [ @@ -30,6 +34,7 @@ in "jellyfin" "player_group" "ytmusic" + "squeezelite" ]; }; packages = with pkgs; [ @@ -40,6 +45,9 @@ in logging = { enable = true; metricsEnable = true; + journalLoggers = { + music-assistant = ""; + }; }; private = true; auth = false; diff --git a/containers/vault.nix b/containers/vault.nix index da3c87f..80fbaba 100644 --- a/containers/vault.nix +++ b/containers/vault.nix @@ -23,6 +23,9 @@ in logging = { enable = true; metricsEnable = true; + journalLoggers = { + vaultwarden = ""; + }; }; private = false; auth = false; diff --git a/containers/z2m.nix b/containers/z2m.nix new file mode 100644 index 0000000..dfff37d --- /dev/null +++ b/containers/z2m.nix 
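Review bot: `db_pass = import ../config/_passwords.nix;` is never used in this file (the broker credentials come from agenix in config/mqtt-mosquitto.nix), so the `let` can go — importing a passwords file that nothing reads is a needless dependency on secret material. In the `stage.regex` expression the named groups appear as `(?P\\d+)`, `(?P\\S+)` and `(?P.*)`; if that is how the file really reads rather than `<name>` being lost in rendering, RE2 rejects the syntax and the `client_id` label below has no group to read from, so it should be `expression = "^(?P<timestamp>\\d+): (?P<client_id>\\S+) (?P<message>.*)$"`. The `private`/`auth` trailing comments are fine, but the same explanation is repeated verbatim in containers/z2m.nix; consider documenting those two flags once at the option definition instead.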
@@ -0,0 +1,23 @@ +{ ... }: +{ + my-lxc.z2m = { + container = { + cores = 1; + memory = 512; + disk = "6G"; + swap = 512; + }; + system = { + port = 80; + importConfig = [ + ../config/z2m-zigbee2mqtt.nix + ]; + }; + logging = { + enable = true; + metricsEnable = true; + }; + private = true; # available only on private lan + auth = true; # auth overlay + }; +} diff --git a/flake.lock b/flake.lock index 9d5f49f..5d3fcb0 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1761656077, - "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=", + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "owner": "ryantm", "repo": "agenix", - "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", "type": "github" }, "original": { @@ -37,11 +37,11 @@ "uv2nix": "uv2nix" }, "locked": { - "lastModified": 1761726959, - "narHash": "sha256-SGndrZx7I0z4vITH1Arf60OTSfkQVMZRTcRgtPIBVtg=", + "lastModified": 1763643080, + "narHash": "sha256-jlYmjrTw3g5iOYDZBGb5Plw6IyRa+WY60e3GzU19bkk=", "owner": "nix-community", "repo": "authentik-nix", - "rev": "ea1e06f9fe7cbf59c61b2ec4f2979801ff395d8e", + "rev": "4a670757083d94a9dceb4929eb88eb9995bc1363", "type": "github" }, "original": { @@ -53,16 +53,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1759190535, - "narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=", + "lastModified": 1763564826, + "narHash": "sha256-xBnAfoAOUslOrxNzY5kV0h67qWMXKZnPC/wgRGXZleQ=", "owner": "goauthentik", "repo": "authentik", - "rev": "8d3a289d12c7de2f244c76493af7880f70d08af2", + "rev": "2fedc3d0a0ba91c16bb71bd4b2432108ca02e890", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2025.8.4", + "ref": "version/2025.10.2", "repo": "authentik", "type": "github" } 
@@ -110,11 +110,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1761922975, - "narHash": "sha256-j4EB5ku/gDm7h7W7A+k70RYj5nUiW/l9wQtXMJUD2hg=", + "lastModified": 1764608723, + "narHash": "sha256-fF//0lYLApVlXdv1WkXA6zz05u/+VBxfiWtidFtDvLI=", "owner": "cachix", "repo": "devenv", - "rev": "c9f0b47815a4895fadac87812de8a4de27e0ace1", + "rev": "c27ea8fd3b9f4ac19399be519f54bcf6c87c7005", "type": "github" }, "original": { @@ -126,11 +126,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", "type": "github" }, "original": { @@ -160,11 +160,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1760948891, - "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", + "lastModified": 1762980239, + "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", + "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", "type": "github" }, "original": { @@ -260,11 +260,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", + "lastModified": 1764234087, + "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", + "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", "type": "github" }, "original": { 
@@ -425,11 +425,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1761114652, - "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", + "lastModified": 1763421233, + "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", + "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", "type": "github" }, "original": { @@ -441,11 +441,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1761765539, + "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", "type": "github" }, "original": { @@ -488,11 +488,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1762111121, - "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", + "lastModified": 1764517877, + "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", + "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", "type": "github" }, "original": { @@ -533,11 +533,11 @@ ] }, "locked": { - "lastModified": 1759113590, - "narHash": "sha256-fgxP2RCN4cg0jYiMYoETYc7TZ2JjgyvJa2y9l8oSUFE=", + "lastModified": 1761781027, + "narHash": "sha256-YDvxPAm2WnxrznRqWwHLjryBGG5Ey1ATEJXrON+TWt8=", "owner": "pyproject-nix", "repo": "build-system-pkgs", - "rev": "dbfc0483b5952c6b86e36f8b3afeb9dde30ea4b5", + "rev": "795a980d25301e5133eca37adae37283ec3c8e66", "type": "github" }, "original": { 
@@ -554,11 +554,11 @@ ] }, "locked": { - "lastModified": 1760402624, - "narHash": "sha256-jF6UKLs2uGc2rtved8Vrt58oTWjTQoAssuYs/0578Z4=", + "lastModified": 1763435975, + "narHash": "sha256-SKdpcVuJKMNEXloIpLXY+jDI42+6Ew21vdkl894DxHo=", "owner": "pyproject-nix", "repo": "pyproject.nix", - "rev": "84c4ea102127c77058ea1ed7be7300261fafc7d2", + "rev": "7d3d8848358ccbd415afe2139f12b9e1508d3ace", "type": "github" }, "original": { @@ -645,11 +645,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1762161791, - "narHash": "sha256-J1L1yP29NVBJO04LA/JGM6kwhnjeNhEsX0tLFnuN3FI=", + "lastModified": 1762472226, + "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=", "owner": "terranix", "repo": "terranix", - "rev": "a79a47b4617dfb92184e2e5b8f5aa6fc06c659c8", + "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc", "type": "github" }, "original": { @@ -670,11 +670,11 @@ ] }, "locked": { - "lastModified": 1761101082, - "narHash": "sha256-4Kt3RsfJgg6HzmDCc44ZN//xB8n7KGEGxxt9dNjqPQc=", + "lastModified": 1763421857, + "narHash": "sha256-8JurcmEzAkrpm+eUDm8W/+KkU/w/viAeyJhJlIX2qOQ=", "owner": "pyproject-nix", "repo": "uv2nix", - "rev": "e6e728d9719e989c93e65145fe3f9e0c65a021a2", + "rev": "c9752c6c5915eece99505612d8f7805185cff990", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 9204c6b..0a2b9d2 100644 --- a/flake.nix +++ b/flake.nix @@ -142,7 +142,7 @@ IP_SUFFIX=$((CONTID - 1000)) # TODO Verify mapping exists... echo "Redeploying LXC on container '$1' ('$CONTID')" - nixos-rebuild switch --impure --flake .#$1 --target-host root@${globals.ip_prefix}$IP_SUFFIX + nixos-rebuild switch --impure --show-trace --flake .#$1 --target-host root@$1${globals.domains.internal} echo "Done." else echo "Error: Container definition 'containers/$1.nix' not found!" diff --git a/modules/containers.nix b/modules/containers.nix index 4347514..837df2e 100644 --- a/modules/containers.nix +++ b/modules/containers.nix 
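Review bot: Switching the deploy target from `root@${globals.ip_prefix}$IP_SUFFIX` to `root@$1${globals.domains.internal}` makes every redeploy depend on the internal DNS served by the `dns` container, so a broken DNS deployment can no longer be repaired by name; keep the IP form reachable (for example an environment variable override that falls back to the hostname) or document the dependency next to the existing TODO. `$1` is still unquoted in the flake reference and the host; `"$1"` avoids word splitting. `--show-trace` is a debugging aid and makes every successful run noisy — consider gating it behind a variable.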
@@ -218,6 +218,7 @@ in options = { ip_prefix = mkOption { type = str; }; cidr = mkOption { type = int; }; + mask = mkOption { type = str; }; # TODO: Build from cidr gateway = mkOption { type = str; }; domains = mkOption { type = submodule { @@ -232,7 +233,7 @@ in options = { login = mkOption { type = str; }; email = mkOption { type = str; }; - public_ssh_key = mkOption { type = str; }; + public_ssh_keys = mkOption { type = listOf str; }; initial_htpasswd = mkOption { type = str; }; }; }; @@ -251,9 +252,8 @@ in dns_provider = mkOption { type = str; }; other_hosts = mkOption { - type = listOf (submodule { + type = attrsOf (submodule { options = { - hostname = mkOption { type = str; }; private = mkOption { type = bool; default = true; @@ -262,9 +262,24 @@ in type = bool; default = true; }; - addr = mkOption { + # addr = mkOption { + # type = str; + # description = "ip:port for the service"; + # }; + protocol = mkOption { type = str; - description = "ip:port for the service"; + default = "http"; + }; + ip = mkOption { + type = int; + }; + port = mkOption { + type = nullOr int; + default = null; + }; + mac = mkOption { + type = nullOr str; + default = null; }; useCustomCA = mkOption { type = bool; @@ -311,12 +326,15 @@ in (mergeConf ( lib.attrValues ( lib.mapAttrs ( - secretName': _: + secretName': entry: let secretName = lib.removeSuffix ".age" secretName'; in { - age.secrets.${secretName}.file = ../secrets/${secretName'}; + age.secrets.${secretName} = { + file = ../secrets/${secretName'}; + } + // (entry.extra or { }); } ) (lib.filterAttrs (_: entry: builtins.elem ownKey entry.publicKeys) secrets) ) diff --git a/modules/lxc-template.nix b/modules/lxc-template.nix index ac754a5..62da7d0 100644 --- a/modules/lxc-template.nix +++ b/modules/lxc-template.nix 
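Review bot: In the `other_hosts` submodule, `ip` is a bare `int` and `mac` a bare `nullOr str`, so an out-of-range octet or a malformed MAC is accepted at evaluation time and only fails, or silently misbehaves, wherever the value is consumed. Because `ip` is appended to `globals.ip_prefix` as a host octet, `type = ints.between 1 254;` would reject bad values at eval time, and `mac` could be `nullOr (strMatching "^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")` (both assuming `lib.types` is in scope here, as the unqualified `nullOr`/`attrsOf` suggest). The commented-out `addr` option could be removed rather than kept as dead text. The enclosing submodule definition starts before this hunk.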
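Review bot: In the `age.secrets` hunk, `(entry.extra or { })` sits on the right of `//`, so a `file` key placed in a secret's `extra` block would silently replace the generated `../secrets/${secretName'}` path; merging the other way, `(entry.extra or { }) // { file = ../secrets/${secretName'}; }`, keeps the file path authoritative and lets `extra` only add ownership and mode settings. A comment next to the `mapAttrs` naming which `age.secrets.<name>` keys `extra` is meant to carry (e.g. `owner`, `group`, `mode`) would also help, since the per-secret declarations now decide who can read the decrypted file on the host. The enclosing `mergeConf` expression starts before this hunk.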
@@ -58,9 +58,7 @@ in time.timeZone = config.globals.default_tz; users.users.root = { - openssh.authorizedKeys.keys = [ - config.globals.master.public_ssh_key - ]; + openssh.authorizedKeys.keys = config.globals.master.public_ssh_keys; initialPassword = "nixos"; }; diff --git a/modules/tools.nix b/modules/tools.nix index b6ce0ee..0d6f472 100644 --- a/modules/tools.nix +++ b/modules/tools.nix @@ -9,12 +9,19 @@ let ( if (!lib.strings.isString arg) then "${config.globals.ip_prefix}${toString arg}" - else + else if (lib.hasAttr arg config.id) then let id = config.id.${arg}; ip = if (id > 1000) then id - 1000 else id; in "${config.globals.ip_prefix}${toString ip}" + else if (lib.hasAttr arg config.globals.other_hosts) then + let + ip = config.globals.other_hosts.${arg}.ip; + in + "${config.globals.ip_prefix}${toString ip}" + else + "${config.globals.ip_prefix}${toString arg}" # probably erroneous ); build_ip_cidr = arg: "${build_ip arg}/${toString config.globals.cidr}"; mask_cidr = build_ip_cidr 0; @@ -29,6 +36,12 @@ let db_name = base; in "postgresql://${db_user}:${db_pass}@${db_host}:${db_port}/${db_name}"; + build_proto_uri = + proto: container: port: + let + ip = build_ip container; + in + "${proto}://${ip}:${toString port}"; in { build_ip = build_ip; @@ -36,6 +49,7 @@ in mask_cidr = mask_cidr; build_hostname = build_hostname; build_db_uri = build_db_uri; + build_proto_uri = build_proto_uri; loki_addr = "${build_ip "monitoring"}:3100"; metrics_addr = "${build_ip "metrics"}:9090"; diff --git a/secrets/mqtt-exporter-environment.age b/secrets/mqtt-exporter-environment.age new file mode 100644 index 0000000..ec8acf5 --- /dev/null +++ b/secrets/mqtt-exporter-environment.age 
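Review bot: The new final `else` branch of `build_ip` turns an unknown name into `"${ip_prefix}<name>"`, and the author already marks it `# probably erroneous`; a typo in a container or host name will then flow silently into firewall rules, DNS rewrites or service URIs instead of failing evaluation. Prefer `else throw "build_ip: unknown host or container '${arg}'"` (or `lib.warn` if a soft failure is wanted) so the mistake surfaces at build time where it is visible. The `build_proto_uri` helper added further down delegates to `build_ip` and would inherit the same fail-fast behaviour. The enclosing `let` binding for `build_ip` starts before this hunk.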
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 jxhkLg a0rOqllhr8SnSsM53G4mAp2pSRRX1/EYLJQKgjPrjAY +UXUdyiq1ojxH9YZ/PwHf7+pGYtd5sKtA9aPccYB0wKM +-> ssh-ed25519 5VK9ng bd37JC2kqvXrsZSsH+fMt0S1ULiehdub0wZHVAUzNCY +U3VFp17t8ZiHjsGRJSQVD3+z2cpiDHSQkQo0RRWeklk +--- nPOOj5Xq2B4Ts830QorRYXwxAkt1MQWLyUy8A6hhOo4 +KKgd(A_RiŲ5[X3:garsV| !,|E8#j \ No newline at end of file diff --git a/secrets/mqtt-password-frigate.age b/secrets/mqtt-password-frigate.age new file mode 100644 index 0000000..2c60aab --- /dev/null +++ b/secrets/mqtt-password-frigate.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 jxhkLg rr+vKs1Qgs8MDzYUezyf5INNH7AJZmiGNtjDxcClfiI +bUYhP2R9eT4jJ1EV8eSJ+xCltXeaCgPkfVzM2Qun25Q +-> ssh-ed25519 5VK9ng RZl7w8xP1fONgmk8iI8iyLIw+8SWjp2OKU7W0y/0PQg +9fLYbhO9Idn0qPqaI4aYFOL57Q3jPmJuHRK3UtqJ00c +--- bYV4tQShFjdGpmMKM3Ox2TCheNBG/Vv9VsC3r/o1tDY +}ƐbiB0c1p`q3 \ No newline at end of file diff --git a/secrets/mqtt-password-ha.age b/secrets/mqtt-password-ha.age new file mode 100644 index 0000000..9dee2d2 --- /dev/null +++ b/secrets/mqtt-password-ha.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 jxhkLg MjLm6icSBfHv1BBG02B+lhz0YvPji9Om54M5XqHAFXY +4ahvZ3SBT5Xrr2BwmtBCcDsVlYC1tPIcB5D6UA/WCEA +-> ssh-ed25519 5VK9ng /kynjS64KZzh0hbozlWC0cE13NXNYNetcP/H3b0rE10 +fwol5+4AGj4i7kF0LzV/eNA/fnGSZzCoNQDAH1pAyqE +--- vsPRvqoFaVl87PWj7vSzHFafPdUbld2hVsARvuz0pLk +,Br\|mdeQ 2:nN#B_4[CY6sY*"4 \ No newline at end of file diff --git a/secrets/mqtt-password-mqtt.age b/secrets/mqtt-password-mqtt.age new file mode 100644 index 0000000..0047eae Binary files /dev/null and b/secrets/mqtt-password-mqtt.age differ diff --git a/secrets/mqtt-password-z2m.age b/secrets/mqtt-password-z2m.age new file mode 100644 index 0000000..ea9d4b7 --- /dev/null +++ b/secrets/mqtt-password-z2m.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 jxhkLg 84dBTYr7B4bxbAisPICSkRNek8NW2Kg6wstpKbG2whI +R6zotscZ9DT9hUJs8+H6LkFxj8I1OQhyDbTxnOOk3jI +-> ssh-ed25519 5VK9ng jrwdT0rYXg2Ab3M7L8VVVmZ2GCU/LwQ3jF0tqzA3ljo +GOB8/g8xPU7lQ7JS87P0K4rM1gyqnHIGkuL33+s7dHo +--- BLqErP1g1Gw/8bWlHoD/w2LIM73NZTAmXVZY23tPM+U +~H{榝i}# _ywRkϭK D␊2 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d661fa1..35eb246 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -21,15 +21,36 @@ in "db-postgres-initscript.age".publicKeys = users ++ [ keys.db ]; - "finances-app-key.age".publicKeys = users ++ [ - keys.finances - ]; + "finances-app-key.age" = { + publicKeys = users ++ [ + keys.finances + ]; + extra = { + owner = "firefly-iii"; + group = "nginx"; + }; + }; "matrix-maubot-cfg.age".publicKeys = users ++ [ keys.matrix ]; "metrics-pve.age".publicKeys = users ++ [ keys.metrics ]; + "mqtt-exporter-environment.age".publicKeys = users ++ [ + keys.mqtt + ]; + "mqtt-password-mqtt.age".publicKeys = users ++ [ + keys.mqtt + ]; + "mqtt-password-frigate.age".publicKeys = users ++ [ + keys.mqtt + ]; + "mqtt-password-ha.age".publicKeys = users ++ [ + keys.mqtt + ]; + "mqtt-password-z2m.age".publicKeys = users ++ [ + keys.mqtt + ]; "power-password-file.age".publicKeys = users ++ [ keys.power ];
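Review bot: `extra.group = "nginx"` on `finances-app-key.age` makes the decrypted application key readable by every process running in the `nginx` group on that host, not only the Firefly III service; unless the web server itself must read the file, `group = "firefly-iii"` (or leaving the default) keeps it confined to the application user — worth confirming against how the firefly-iii module consumes the key. The four `mqtt-password-*.age` entries are encrypted to `keys.mqtt` only, so if the frigate, ha and z2m containers are expected to read their own broker password via agenix, their host keys would need to be added to those `publicKeys` lists as well.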