293 current 2025-10-11 12:20:27 25.05.20251006.20c4598 6.12.50 *

2025-10-11 13:00:29 -05:00
parent d46d270ad0
commit 3470cb1bbc
5 changed files with 216 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 292 current  2025-10-11 12:17:54  25.05.20251006.20c4598  6.12.50                          *
+# generation: 293 current  2025-10-11 12:20:27  25.05.20251006.20c4598  6.12.50                          *
 {
  description = "blakes nix config";
  inputs = {
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -36,6 +36,7 @@ in
      jellyfin.enable = true;
      vaultwarden.enable = true;
      gitea.enable = true;
+      glance.enable = true;
      qbittorrent.enable = true;
      immich.enable = true;
      hass.enable = true;
--- a/modules/homelab/services/default.nix
+++ b/modules/homelab/services/default.nix
@@ -7,6 +7,7 @@
    ./jellyfin
    ./vaultwarden
    ./gitea
+    ./glance
    ./qbittorrent
    ./immich
    ./uptime-kuma
--- a/modules/homelab/services/glance/default.nix
+++ b/modules/homelab/services/glance/default.nix
@@ -0,0 +1,111 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "glance";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7700;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      openFirewall = true;
+      settings = {
+        server = {
+          host = "0.0.0.0";
+          port = cfg.port;
+        };
+        #pages
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+#      User = "${service}";
+#      Group = "${service}";
+    };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+#     # external reverse proxy entry
+#     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
+#      forceSSL = true;
+#      sslCertificate = sec."ssl_blakedheld_crt".path;
+#      sslCertificateKey = sec."ssl_blakedheld_key".path;
+#      locations."/" = {
+#        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+#      };
+#    };
+#
+#    sops.secrets = {
+#      "${service}_" = {
+#        owner = "${service}";
+#        group = "${service}";
+#      };
+#    };
+
+    # add to backups
+    modules.system.backups.baks = {
+      ${service} = { paths = [ cfg.data_dir ]; };
+    };
+  };
+}
--- a/modules/system/backups.nix.bak
+++ b/modules/system/backups.nix.bak
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.modules.system.backups;
+  borg = "${pkgs.borgbackup}/bin/borg";
+  backup_paths = lib.unique config.modules.system.backups.paths;
+  passwd_file = config.sops.secrets."borg_passwd".path;
+in
+{
+  options.modules.system.backups = {
+    enable = lib.mkEnableOption "enables backups with borg";
+    paths = lib.mkOption {
+      type = lib.types.listOf lib.types.path;
+      default = [];
+      description = "list of directories to back up";
+    };
+    repo = lib.mkOption {
+      type = lib.types.path;
+      default = "/holocron/borg";
+      description = "borg repository path";
+    };
+    passphraseFile = lib.mkOption {
+      type = lib.types.path;
+      default = passwd_file;
+      description = "borg repository passphrase file";
+    };
+  };
+
+  config = lib.mkIf (cfg.enable && backup_paths != []) {
+    
+#    systemd.tmpfiles.rules = [
+#      "d ${cfg.repo} 0755 root root"
+#    ];
+
+    systemd.services.backups = {
+      description = "backup service with borg!";
+      path = [ pkgs.borgbackup ];
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = config.modules.system.backups.passphraseFile;
+        # the actual script borg is using
+        ExecStart = pkgs.writeShellScript "borg-backup" ''
+          set -euo pipefail
+          export BORG_PASSPHRASE="$(cat ${passwd_file})"
+          export BORG_REPO="${cfg.repo}"
+          timestamp="$(date +'%Y-%m-%dT%H:%M:%S')"
+
+          # Initialize repo if it doesn't exist
+          if ! borg info "$BORG_REPO" >/dev/null 2>&1; then
+            echo "init borg repo at $BORG_REPO"
+            borg init --encryption=repokey "$BORG_REPO"
+          fi
+
+          # Create backup
+          echo "starting backup..."
+          borg create \
+            --verbose \
+            --filter AME \
+            --list \
+            --stats \
+            --show-rc \
+            --compression lzma,9 \
+            "$BORG_REPO::${toString config.networking.hostName}-$timestamp" \
+            ${lib.concatStringsSep " " cfg.paths}
+
+          # Prune old backups according to retention policy
+          echo "Pruning old backups..."
+          borg prune -v --list "$BORG_REPO" \
+            --keep-daily=7 \
+            --keep-weekly=52 \
+            --keep-monthly=-1
+
+          echo "$timestamp - backup completed successfully."
+        '';
+      };
+    };
+
+    # create timer to run backups daily
+    systemd.timers.backups = {
+      description = "daily borg backup timer";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
+    };
+
+    # install borg binary
+    environment.systemPackages = [ pkgs.borgbackup ];
+
+    # declare secret for repo password
+    sops.secrets = {
+      "borg_passwd" = { 
+        owner = "root";
+        group = "root";
+      };
+    };
+  };
+}
+
+# add to modules
+# modules.system.backups.paths = lib.mkIf cfg.backups [ <path> ];