chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

add grocy

Browse source
This commit is contained in:
chaos 2024-02-08 20:21:35 +00:00
parent f62522bd63
commit 221b765adf
No known key found for this signature in database
11 changed files with 170 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
hosts/hetzner-arm/containers/grocy/default.nix Normal file
View file

@ -0,0 +1,58 @@
{
self,
hostPath,
tree,
inputs,
pkgs,
config,
...
}: let
containerName = "grocy";
containerAddresses = import "${hostPath}/data/containerAddresses.nix";
hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.${containerName};
in {
containers.grocy = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIP;
localAddress = containerIP;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[
presets.nixos.containerBase
./secrets.nix
]
++ (with hosts.hetzner-arm.containers.grocy.profiles; [
grocy
restic
]);
networking.firewall.allowedTCPPorts = [80];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
};
};
services.nginx.virtualHosts."grocy.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${containerIP}:80";
proxyWebsockets = true;
};
};
}

12
hosts/hetzner-arm/containers/grocy/profiles/grocy.nix Normal file
View file

@ -0,0 +1,12 @@
{...}: {
services.grocy = {
enable = true;
hostName = "grocy.owo.monster";
nginx.enableSSL = false;
settings = {
currency = "GBP";
culture = "en_GB";
calendar.firstDayOfWeek = 1;
};
};
}

39
hosts/hetzner-arm/containers/grocy/profiles/restic.nix Normal file
View file

@ -0,0 +1,39 @@
{
pkgs,
config,
...
}: let
secrets = config.services.secrets.secrets;
in {
environment.systemPackages = with pkgs; [
restic
(pkgs.writeShellScriptBin "restic-grocy" ''
env \
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@
'')
];
services.restic.backups.grocy = {
user = "root";
paths = [
"/var/lib/grocy"
];
# repository is overrided in environmentFile to contain auth
# make sure to keep up to date when changing repository
repository = "rest:https://storage-restic.owo.monster/Grocy";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
pruneOpts = [
"--keep-last 5"
];
timerConfig = {
OnBootSec = "10m";
OnCalendar = "8h";
};
};
}

37
hosts/hetzner-arm/containers/grocy/secrets.nix Normal file
View file

@ -0,0 +1,37 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm-container-grocy";
};
autoSecrets = {
enable = true;
};
requiredVaultPaths = [
"api-keys/data/storage/restic/Grocy"
"private-public-keys/data/restic/Grocy"
];
secrets = {
vault_password = {
manual = true;
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Grocy" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Grocy" .restic)
echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Grocy" > "$secretFile"
'';
};
};
};
}

1
hosts/hetzner-arm/containers/storage/data/ports.nix
View file

@ -20,6 +20,7 @@ in {
restic_caldav = restic + 7;
restic_owncast = restic + 8;
restic_jellyfin = restic + 9;
restic_grocy = restic + 10;
http_music = http + 0;
http_public = http + 1;

0
hosts/hetzner-arm/containers/storage/rclone_config.template → hosts/hetzner-arm/containers/storage/data/rclone_config.template
View file

1
hosts/hetzner-arm/containers/storage/default.nix
View file

@ -124,6 +124,7 @@ in {
"/CalDAV/".proxyPass = "http://${containerIP}:${toString ports.restic_caldav}";
"/Owncast/".proxyPass = "http://${containerIP}:${toString ports.restic_owncast}";
"/Jellyfin/".proxyPass = "http://${containerIP}:${toString ports.restic_jellyfin}";
"/Grocy/".proxyPass = "http://${containerIP}:${toString ports.restic_grocy}";
};
extraConfig = ''
client_max_body_size ${clientMaxBodySize};

10
hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
View file

@ -223,6 +223,16 @@ in {
"--baseurl=/Jellyfin/"
];
}
{
id = "restic-grocy";
remote = "StorageBox:Backups/Restic/Grocy";
type = "restic";
extraArgs = [
"--addr=0.0.0.0:${toString ports.restic_grocy}"
"--htpasswd=${secrets.restic_grocy_htpasswd.path}"
"--baseurl=/Grocy/"
];
}
];
};
}

11
hosts/hetzner-arm/containers/storage/secrets.nix
View file

@ -35,6 +35,7 @@
"api-keys/data/storage/restic/CalDAV"
"api-keys/data/storage/restic/Owncast"
"api-keys/data/storage/restic/Jellyfin"
"api-keys/data/storage/restic/Grocy"
"api-keys/data/storage/webdav/Main"
"api-keys/data/storage/webdav/Media"
@ -182,6 +183,14 @@
'';
};
restic_grocy_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
simple_get_htpasswd "/api-keys/storage/restic/Grocy" "$secretFile"
'';
};
webdav_main_htpasswd = {
user = "storage";
group = "storage";
@ -222,7 +231,7 @@
user = "storage";
group = "storage";
fetchScript = ''
cp ${./rclone_config.template} "$secretFile"
cp ${./data/rclone_config.template} "$secretFile"
STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password)
sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" "$secretFile"

1
hosts/hetzner-arm/data/containerAddresses.nix
View file

@ -10,5 +10,6 @@
caldav = "10.0.1.8";
owncast = "10.0.1.9";
jellyfin = "10.0.1.10";
grocy = "10.0.1.11";
};
}

1
hosts/hetzner-arm/hetzner-arm.nix
View file

@ -30,6 +30,7 @@ in {
"caldav"
"owncast"
"jellyfin"
"grocy"
] (name: ./containers + "/${name}"))
++ (with hosts.hetzner-arm.profiles; [
staticSites