adding uptime-kuma

flake.nix

@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 178 current  2025-10-09 16:19:44  25.05.20251006.20c4598  6.12.50                          *
+# generation: 189 current  2025-10-09 21:50:35  25.05.20251006.20c4598  6.12.50                          *
 {
   description = "blakes nix config";
   inputs = {

hosts/snowbelle/configuration.nix

@@ -40,6 +40,9 @@ in
       gitea.enable = true;
       qbittorrent.enable = true;
       immich.enable = true;
+      home-assistant.enable = true;
+      zigbee2mqtt.enable = true;
+      mosquitto.enable = true;
       prowlarr.enable = true;
       flaresolverr.enable = true;
       bazarr.enable = true;

modules/homelab/services/default.nix

@@ -9,7 +9,11 @@
     ./gitea
     ./qbittorrent
     ./immich
+    ./uptime-kuma
     ./nginx-proxy
+    ./smarthome/homeassistant
+    ./smarthome/zigbee2mqtt
+    ./smarthome/mosquitto
     ./arr/prowlarr
     ./arr/flaresolverr
     ./arr/bazarr

modules/homelab/services/immich/default.nix

@@ -18,7 +18,7 @@ in
     };
     url = lib.mkOption {
       type = lib.types.str;
-      default = "${service}.${homelab.base_domain}";
+      default = "$=photos.${homelab.base_domain}";
       description = "set domain for ${service}";
     };
     data_dir = lib.mkOption {
@@ -86,7 +86,7 @@ in
       };
     };
      # external reverse proxy entry
-     services.nginx.virtualHosts."pics.blakedheld.xyz" = {
+     services.nginx.virtualHosts."photos.blakedheld.xyz" = {
       forceSSL = true;
       sslCertificate = sec."ssl_blakedheld_crt".path;
       sslCertificateKey = sec."ssl_blakedheld_key".path;

modules/homelab/services/smarthome/homeassistant/default.nix

@@ -0,0 +1,116 @@
+{ pkgs, config, lib, inputs, ... }:
+
+let
+  service = "home-assistant";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7704;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "hass.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.home-assistant;
+      configDir = cfg.data_dir;
+      config = null;
+#      openFirewall = true;
+      # if config is set in here, configuration.yaml will be overwritten every startup with this
+#      configWritable = true;
+#      config = {
+#       http.server_port = cfg.port;
+#        homeassistant = {
+#          name = "snowbelle";
+#          time_zone = cfg.tz;
+#          unit_system = "us_customary";
+#          temperature_unit = "F";
+#        };
+#      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+      User = lib.mkForce "${service}";
+      Group = lib.mkForce "${service}";
+    };
+
+#    # open firewall
+    networking.firewall.allowedTCPPorts = [ cfg.port 8123 ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+     # external reverse proxy entry
+     services.nginx.virtualHosts."hass.blakedheld.xyz" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+#    sops.secrets = {
+#      "${service}_" = {
+#        owner = "${service}";
+#        group = "${service}";
+#      };
+#    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

modules/homelab/services/smarthome/mosquitto/default.nix

@@ -0,0 +1,97 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "mosquitto";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 1883;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = lib.mkForce "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [];
+    };
+
+    # enable the ${service} service
+    services.mosquitto.enable = true;
+    services.mosquitto.listeners = [
+      {
+        port = 1883;
+        address = "0.0.0.0";
+        settings.allow_anonymous = true;
+        #passwordFile = sec."mosquitto_password_file".path;   # optional
+      }
+    ];
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+      User = "${service}";
+      Group = "${service}";
+    };
+
+#    # open firewall
+    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+#    # internal reverse proxy entry
+#    services.nginx.virtualHosts."${cfg.url}" = {
+#      forceSSL = true;
+#      sslCertificate = sec."ssl_blakedheld_crt".path;
+#      sslCertificateKey = sec."ssl_blakedheld_key".path;
+#      locations."/" = {
+#        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+#      };
+#    };
+
+    sops.secrets = {
+      "${service}_password_file" = {
+        owner = "${service}";
+        group = "${service}";
+      };
+    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

modules/homelab/services/smarthome/zigbee2mqtt/default.nix

@@ -0,0 +1,113 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "zigbee2mqtt";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7705;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      dataDir = cfg.data_dir;
+      settings = {
+          mqtt = {
+            base_topic = "zigbee2mqtt";
+            server = "mqtt://localhost:1883";
+          };
+          serial = {
+            port = "/dev/serial/by-id/usb-Itead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_V2_4a4e75d63653ef1198d728e0174bec31-if00-port0";
+            adapter = "ember";
+          };
+          advanced = {
+            channel = 11;
+          };
+          frontend = {
+            enabled = true;
+            port = cfg.port;
+          };
+          homeassistant = {
+            enabled = true;      
+          };
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+      User = "${service}";
+      Group = "${service}";
+    };
+
+#    # open firewall
+    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+#
+#    sops.secrets = {
+#      "${service}_" = {
+#        owner = "${service}";
+#        group = "${service}";
+#      };
+#    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

modules/homelab/services/uptime-kuma/default.nix

@@ -0,0 +1,105 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "uptime-kuma";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7901;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "up.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      settings = 
+      {
+        PORT = cfg.port;
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+#      User = "${service}";
+#      Group = "${service}";
+    };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+#     # external reverse proxy entry
+#     services.nginx.virtualHosts."uptime.blakedheld.xyz" = {
+#      forceSSL = true;
+#      sslCertificate = sec."ssl_blakedheld_crt".path;
+#      sslCertificateKey = sec."ssl_blakedheld_key".path;
+#      locations."/" = {
+#        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+#      };
+#    };
+
+    sops.secrets = {
+      "${service}_" = {
+        owner = "${service}";
+        group = "${service}";
+      };
+    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

secrets/secrets.yaml

@@ -20,6 +20,8 @@ vpncon_mex_config: ENC[AES256_GCM,data:4i356X97sBoRliskmh5ewcEwZHkpo37IhPcemKVdW
 vaultwarden_admin_token: ENC[AES256_GCM,data:G1v3N064ci0Fw5EtTzaryailWpsv6f4w6eoHp2vjXIBtIlScdQk1Q0W+eDNRk8Wr2C3ysTXQNbyYismNsls+jeS3W+YqkKL4fnh3a5UTzQrMqvaH11n3ak0X9R9vmt+ZJXBrUrAOKJ6RPHJJSWenhjDB77kwEdQ=,iv:f8X+x/AdmZ3b3dtcSFrxGgA2tCgDRpgddjlVu3mdCmM=,tag:c0MXljVvhwOdvrb/8hWlsQ==,type:str]
 #ENC[AES256_GCM,data:2ESzSsQZqKdjD7OXN8ZPThj6g9acJREe,iv:aDFPB0vs8NNo8ExLcJw7qtQvWbCb1XK6TJrHSK86qss=,tag:z+dypHAGUjEXP7Y9MHYWwg==,type:comment]
 gitea_database_password: ENC[AES256_GCM,data:nhFn0/G7gW5rk996OZzlcTt7T9KMbP8MNM+ReFC8w1H9ZqBSJUbs3K+n68uQVrkOVSXE0cKpOR1VbQ+i+46z3g==,iv:bT4GRZZ83v47/EmeV2KaUFo+4qTT4T2AktFUpPiZdF4=,tag:OC9TInkAr1egM+xnBDizxw==,type:str]
+#ENC[AES256_GCM,data:nbB5Cd7i/KTMCjCzcX8o1sxREZQ/gLAG,iv:iyuO2erxdJM08WHJBjKuNIXYxVhH7rfyOLTcGCcGqNQ=,tag:UeDszimXv8kQUmDetLeFqg==,type:comment]
+mosquitto_password_file: ENC[AES256_GCM,data:7ifs2hGnFQSgJOAKpN0usfiaqLjj7Rjb7zn1/qBDbqEi5hV0JfUncZGorBivR/+kjXHQO6nxaHcKqYvPedNdJ7Qy4/uil/xwgwSmzcbisdVYkhd2pf/N34EQFxmqohud0aTH9V47QbgTdrUPfvsiL+ljLvLu4w==,iv:z7YPIfJHHaLOJrDVnMQhgcMzYAPordFR11kHRAzZqYU=,tag:LRddczdvy01YTm2DFDgSJQ==,type:str]
 sops:
     age:
         - recipient: age14gfh682a7m7jfp3qrulql03x5rs7yedwmxwksxrrmgjsunstyuksqx93pz
@@ -31,7 +33,7 @@ sops:
             U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
             PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-09T00:57:39Z"
-    mac: ENC[AES256_GCM,data:NCsVDJnzb/x6/InOrE7Aco1bEfbcOA0t5mEQOO/tSM4uj5QjDeCTUyfzfK0A7LHdQSMvRpZLZuz7xDg/WA/QLe0F/CdA1h5HJucpop4NWN/bnJrVNIcik/YlvB6xSWojimZF9sbWZQQb2lPsn3GWt9wIHIHWlBhjIMfHHpLANq8=,iv:yQgpRv+xCvKcBYCyVac66egptSbF/8vi4TtQ5vL5xWQ=,tag:JdsI0yAecTnNO9UiE2IEwQ==,type:str]
+    lastmodified: "2025-10-09T23:59:55Z"
+    mac: ENC[AES256_GCM,data:Zdn1teUi8epB0WJZrpwdOxsnZ4XtJN7dPefGROPUpt0mMFDI5pP9NJpczNLj6ZddCka75Bca8Z3ixcpKasZAJhlQNNKTCe6NRhuh6ergSepzerYGTN1fUwKm+goLY40d33moZFurHkHjmdsNXgb6T9JsIz9bzjLrzqiK9P/gPoM=,iv:AQKQuW1zR9hiaBx3KxfwftM9GnwsOSfsmTN/nEJh5qA=,tag:qxODcuuzTh6ifwMNKR/6lg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0