From 3470cb1bbcf7ab45c1dd9ce73ed81e031853b6e3 Mon Sep 17 00:00:00 2001
From: blake
Date: Sat, 11 Oct 2025 13:00:29 -0500
Subject: [PATCH] 293 current 2025-10-11 12:20:27 25.05.20251006.20c4598 6.12.50 *
---
 flake.nix | 2 +-
 hosts/snowbelle/configuration.nix | 1 +
 modules/homelab/services/default.nix | 1 +
 modules/homelab/services/glance/default.nix | 111 ++++++++++++++++++++
 modules/system/backups.nix.bak | 102 ++++++++++++++++++
 5 files changed, 216 insertions(+), 1 deletion(-)
 create mode 100644 modules/homelab/services/glance/default.nix
 create mode 100644 modules/system/backups.nix.bak
diff --git a/flake.nix b/flake.nix
index 87ff605..0b3dfe6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 292 current 2025-10-11 12:17:54 25.05.20251006.20c4598 6.12.50 *
+# generation: 293 current 2025-10-11 12:20:27 25.05.20251006.20c4598 6.12.50 *
 {
 description = "blakes nix config";
 inputs = {
diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix
index 3e37884..147fe65 100644
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -36,6 +36,7 @@ in
 jellyfin.enable = true;
 vaultwarden.enable = true;
 gitea.enable = true;
+ glance.enable = true;
 qbittorrent.enable = true;
 immich.enable = true;
 hass.enable = true;
diff --git a/modules/homelab/services/default.nix b/modules/homelab/services/default.nix
index 9b0c1e5..4b907ce 100644
--- a/modules/homelab/services/default.nix
+++ b/modules/homelab/services/default.nix
@@ -7,6 +7,7 @@
 ./jellyfin
 ./vaultwarden
 ./gitea
+ ./glance
 ./qbittorrent
 ./immich
 ./uptime-kuma
diff --git a/modules/homelab/services/glance/default.nix b/modules/homelab/services/glance/default.nix
new file mode 100644
index 0000000..f9991aa
--- /dev/null
+++ b/modules/homelab/services/glance/default.nix
@@ -0,0 +1,111 @@
+{ pkgs, config, lib, ... }:
+
+let
+ service = "glance";
+ cfg = config.modules.services.${service};
+ sec = config.sops.secrets;
+ homelab = config.modules.homelab;
+in
+{
+ options.modules.services.${service} = {
+ enable = lib.mkEnableOption "enables ${service}";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 7700;
+ description = "set port for ${service} (default: ${toString cfg.port}";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ default = "${homelab.base_domain}";
+ description = "set domain for ${service}";
+ };
+ data_dir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/${service}";
+ description = "set data directory for ${service}";
+ };
+ ids = lib.mkOption {
+ type = lib.types.int;
+ default = cfg.port;
+ description = "set uid and pid of ${service} user (matches port by default)";
+ };
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for ${service}";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare ${service} group
+ users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+ # declare ${service} user
+ users.users.${service} = {
+ description = "${service} server user";
+ uid = lib.mkForce cfg.ids;
+ isSystemUser = true;
+ home = cfg.data_dir;
+ createHome = true;
+ group = "${service}";
+ extraGroups = [];
+ };
+
+ # enable the ${service} service
+ services.${service} = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ server = {
+ host = "0.0.0.0";
+ port = cfg.port;
+ };
+ #pages
+ };
+ };
+
+ # override umask to make permissions work out
+ systemd.services.${service}.serviceConfig = {
+ UMask = lib.mkForce "0007";
+# User = "${service}";
+# Group = "${service}";
+ };
+
+# # open firewall
+# networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."${cfg.url}" = {
+ forceSSL = true;
+ sslCertificate = sec."ssl_blakedheld_crt".path;
+ sslCertificateKey = sec."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+# # external reverse proxy entry
+# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
+# forceSSL = true;
+# sslCertificate = sec."ssl_blakedheld_crt".path;
+# sslCertificateKey = sec."ssl_blakedheld_key".path;
+# locations."/" = {
+# proxyPass = "http://127.0.0.1:${toString cfg.port}";
+# };
+# };
+#
+# sops.secrets = {
+# "${service}_" = {
+# owner = "${service}";
+# group = "${service}";
+# };
+# };
+
+ # add to backups
+ modules.system.backups.baks = {
+ ${service} = { paths = [ cfg.data_dir ]; };
+ };
+ };
+}
diff --git a/modules/system/backups.nix.bak b/modules/system/backups.nix.bak
new file mode 100644
index 0000000..e3fcb9c
--- /dev/null
+++ b/modules/system/backups.nix.bak
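Review bot: In the `services.${service}.settings.server` block, `host = "0.0.0.0"` combined with `openFirewall = true` makes glance reachable directly on `cfg.port` from the network, bypassing the TLS-terminating nginx vhost that proxies to `127.0.0.1`; the commented-out `networking.firewall.allowedTCPPorts` line suggests the open port is a leftover rather than a deliberate second entry point. Binding to loopback and not opening the port, `host = "127.0.0.1";` and `openFirewall = false;`, keeps every client on the certificate-protected path. The `backup` option is declared but never read: the `modules.system.backups.baks` entry at the bottom of the file is unconditional, so `modules.system.backups.baks = lib.mkIf cfg.backup { ${service} = { paths = [ cfg.data_dir ]; }; };` would make the option effective. The `port` option's description interpolates `cfg.port` into its own text and lacks a closing parenthesis; a literal `(default: 7700)` is simpler and stays true when a host overrides the value.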
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.modules.system.backups;
+ borg = "${pkgs.borgbackup}/bin/borg";
+ backup_paths = lib.unique config.modules.system.backups.paths;
+ passwd_file = config.sops.secrets."borg_passwd".path;
+in
+{
+ options.modules.system.backups = {
+ enable = lib.mkEnableOption "enables backups with borg";
+ paths = lib.mkOption {
+ type = lib.types.listOf lib.types.path;
+ default = [];
+ description = "list of directories to back up";
+ };
+ repo = lib.mkOption {
+ type = lib.types.path;
+ default = "/holocron/borg";
+ description = "borg repository path";
+ };
+ passphraseFile = lib.mkOption {
+ type = lib.types.path;
+ default = passwd_file;
+ description = "borg repository passphrase file";
+ };
+ };
+
+ config = lib.mkIf (cfg.enable && backup_paths != []) {
+
+# systemd.tmpfiles.rules = [
+# "d ${cfg.repo} 0755 root root"
+# ];
+
+ systemd.services.backups = {
+ description = "backup service with borg!";
+ path = [ pkgs.borgbackup ];
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = config.modules.system.backups.passphraseFile;
+ # the actual script borg is using
+ ExecStart = pkgs.writeShellScript "borg-backup" ''
+ set -euo pipefail
+ export BORG_PASSPHRASE="$(cat ${passwd_file})"
+ export BORG_REPO="${cfg.repo}"
+ timestamp="$(date +'%Y-%m-%dT%H:%M:%S')"
+
+ # Initialize repo if it doesn't exist
+ if ! borg info "$BORG_REPO" >/dev/null 2>&1; then
+ echo "init borg repo at $BORG_REPO"
+ borg init --encryption=repokey "$BORG_REPO"
+ fi
+
+ # Create backup
+ echo "starting backup..."
+ borg create \
+ --verbose \
+ --filter AME \
+ --list \
+ --stats \
+ --show-rc \
+ --compression lzma,9 \
+ "$BORG_REPO::${toString config.networking.hostName}-$timestamp" \
+ ${lib.concatStringsSep " " cfg.paths}
+
+ # Prune old backups according to retention policy
+ echo "Pruning old backups..."
+ borg prune -v --list "$BORG_REPO" \
+ --keep-daily=7 \
+ --keep-weekly=52 \
+ --keep-monthly=-1
+
+ echo "$timestamp - backup completed successfully."
+ '';
+ };
+ };
+
+ # create timer to run backups daily
+ systemd.timers.backups = {
+ description = "daily borg backup timer";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+ };
+
+ # install borg binary
+ environment.systemPackages = [ pkgs.borgbackup ];
+
+ # declare secret for repo password
+ sops.secrets = {
+ "borg_passwd" = {
+ owner = "root";
+ group = "root";
+ };
+ };
+ };
+}
+
+# add to modules
+# modules.system.backups.paths = lib.mkIf cfg.backups [ ];
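Review bot: The script reads the passphrase from `passwd_file` directly, so the `passphraseFile` option is declared but never honoured, and the same raw sops file is also handed to `EnvironmentFile`, which systemd parses as `KEY=VALUE` lines; a bare passphrase line yields no variable there and at best produces a parse warning in the journal. Removing the `EnvironmentFile =` line and using `export BORG_PASSPHRASE="$(cat ${cfg.passphraseFile})"` keeps the secret on a single, configurable path. The `borg create` call expands `${lib.concatStringsSep " " cfg.paths}` unquoted, whereas the `mkIf` guard uses the deduplicated `backup_paths`; `${lib.escapeShellArgs backup_paths}` makes the backup set consistent and safe for paths containing whitespace. With `--encryption=repokey` the key material lives only inside `${cfg.repo}`, so adding a `borg key export` to a location outside the repository in the init branch would avoid losing every archive along with the repo config. This file is committed as `backups.nix.bak` and is presumably not imported, so these points apply to whichever copy of the module is live.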