add grocy

chaos 2024-02-08 20:21:35 +00:00
parent f62522bd63
commit 221b765adf
No known key found for this signature in database
11 changed files with 170 additions and 1 deletions


@ -0,0 +1,58 @@
{
self,
hostPath,
tree,
inputs,
pkgs,
config,
...
}: let
containerName = "grocy";
containerAddresses = import "${hostPath}/data/containerAddresses.nix";
hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.${containerName};
in {
containers.grocy = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIP;
localAddress = containerIP;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[
presets.nixos.containerBase
./secrets.nix
]
++ (with hosts.hetzner-arm.containers.grocy.profiles; [
grocy
restic
]);
networking.firewall.allowedTCPPorts = [80];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
};
};
services.nginx.virtualHosts."grocy.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${containerIP}:80";
proxyWebsockets = true;
};
};
}
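Review bot: The `services.nginx.virtualHosts."grocy.owo.monster"` block publishes the container's Grocy UI to the internet with only Grocy's own login in front of it, and a fresh Grocy install comes up with its documented default admin credentials. Nothing in this section or in the grocy profile changes that account, so the instance is presumably reachable with the default login from the first deploy until someone rotates it by hand. I would record the step next to the vhost, e.g. `# Grocy starts with its default admin login: change it before DNS for this host goes live`. If the instance is only meant for personal use, also consider gating `locations."/"` behind the host nginx (basic auth or an allow-list).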


@ -0,0 +1,12 @@
{...}: {
services.grocy = {
enable = true;
hostName = "grocy.owo.monster";
nginx.enableSSL = false;
settings = {
currency = "GBP";
culture = "en_GB";
calendar.firstDayOfWeek = 1;
};
};
}
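Review bot: `nginx.enableSSL = false;` reads like TLS being switched off for a public hostname unless the reader already knows the host's nginx terminates TLS and proxies to the container over the private network. A one-line comment above it would stop someone "fixing" it later, for example `# TLS is terminated by the host's nginx vhost; the container only serves HTTP on its private address`. The same comment could mention that `hostName` has to stay in step with the host-side virtual host name.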


@ -0,0 +1,39 @@
{
pkgs,
config,
...
}: let
secrets = config.services.secrets.secrets;
in {
environment.systemPackages = with pkgs; [
restic
(pkgs.writeShellScriptBin "restic-grocy" ''
env \
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@
'')
];
services.restic.backups.grocy = {
user = "root";
paths = [
"/var/lib/grocy"
];
# repository is overrided in environmentFile to contain auth
# make sure to keep up to date when changing repository
repository = "rest:https://storage-restic.owo.monster/Grocy";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
pruneOpts = [
"--keep-last 5"
];
timerConfig = {
OnBootSec = "10m";
OnCalendar = "8h";
};
};
}
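Review bot: The `restic-grocy` wrapper expands the `restic_env` secret onto the `env` command line via an unquoted `$(cat …)`, so the repository URL with its embedded password is visible in the process list until `env` execs restic. The value is also subject to word splitting and globbing. `$@` is unquoted as well, so any argument containing spaces (a path, a `--tag` value) is split before restic sees it. Exporting each `KEY=VALUE` line verbatim and then exec-ing restic with `"$@"` keeps the secret out of argv and preserves the arguments; a sketch follows.

```nix
(pkgs.writeShellScriptBin "restic-grocy" ''
  # Export each KEY=VALUE line as-is so the credential-bearing URL never appears in argv.
  while IFS= read -r line; do
    export "$line"
  done < ${secrets.restic_env.path}
  export RESTIC_PASSWORD_FILE=${secrets.restic_password.path}
  exec ${pkgs.restic}/bin/restic "$@"
'')
# … unchanged: services.restic.backups.grocy …
```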


@ -0,0 +1,37 @@
{...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm-container-grocy";
};
autoSecrets = {
enable = true;
};
requiredVaultPaths = [
"api-keys/data/storage/restic/Grocy"
"private-public-keys/data/restic/Grocy"
];
secrets = {
vault_password = {
manual = true;
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Grocy" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Grocy" .restic)
echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Grocy" > "$secretFile"
'';
};
};
};
}
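Review bot: In the `restic_env` fetchScript the shell variable `RESTIC_PASSWORD` holds the HTTP password for the REST server, not the repository encryption password that restic reads from a variable of the same name. That is easy to misread, and it would be wrong if the variable were ever exported. The value is also spliced into the URL unescaped, so a password containing `@`, `:` or `/` would produce a repository URL that parses differently. If the packaged restic supports them, writing `RESTIC_REST_USERNAME=restic` and `RESTIC_REST_PASSWORD=…` as separate lines would avoid both problems and keep the credential out of any place the repository URL is logged. Otherwise, at least rename the local variable to something like `REST_HTTP_PASSWORD`.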


@ -20,6 +20,7 @@ in {
restic_caldav = restic + 7; restic_caldav = restic + 7;
restic_owncast = restic + 8; restic_owncast = restic + 8;
restic_jellyfin = restic + 9; restic_jellyfin = restic + 9;
restic_grocy = restic + 10;
http_music = http + 0; http_music = http + 0;
http_public = http + 1; http_public = http + 1;


@ -124,6 +124,7 @@ in {
"/CalDAV/".proxyPass = "http://${containerIP}:${toString ports.restic_caldav}"; "/CalDAV/".proxyPass = "http://${containerIP}:${toString ports.restic_caldav}";
"/Owncast/".proxyPass = "http://${containerIP}:${toString ports.restic_owncast}"; "/Owncast/".proxyPass = "http://${containerIP}:${toString ports.restic_owncast}";
"/Jellyfin/".proxyPass = "http://${containerIP}:${toString ports.restic_jellyfin}"; "/Jellyfin/".proxyPass = "http://${containerIP}:${toString ports.restic_jellyfin}";
"/Grocy/".proxyPass = "http://${containerIP}:${toString ports.restic_grocy}";
}; };
extraConfig = '' extraConfig = ''
client_max_body_size ${clientMaxBodySize}; client_max_body_size ${clientMaxBodySize};


@ -223,6 +223,16 @@ in {
"--baseurl=/Jellyfin/" "--baseurl=/Jellyfin/"
]; ];
} }
{
id = "restic-grocy";
remote = "StorageBox:Backups/Restic/Grocy";
type = "restic";
extraArgs = [
"--addr=0.0.0.0:${toString ports.restic_grocy}"
"--htpasswd=${secrets.restic_grocy_htpasswd.path}"
"--baseurl=/Grocy/"
];
}
]; ];
}; };
} }
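Review bot: The new `restic-grocy` entry gives the Grocy container's credential full read/write/delete access to its own backup repository. That container runs an internet-facing web application, so a compromise of it would also let the attacker wipe the backups. The `extraArgs` look like rclone's restic server flags; if so, adding `"--append-only"` would limit that credential to creating snapshots. The trade-off is that the client-side `pruneOpts` in the Grocy restic profile would then fail, so pruning would have to run from the storage side. The entry copies the existing ones, so this applies to them too; the enclosing list starts outside this hunk.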


@ -35,6 +35,7 @@
"api-keys/data/storage/restic/CalDAV" "api-keys/data/storage/restic/CalDAV"
"api-keys/data/storage/restic/Owncast" "api-keys/data/storage/restic/Owncast"
"api-keys/data/storage/restic/Jellyfin" "api-keys/data/storage/restic/Jellyfin"
"api-keys/data/storage/restic/Grocy"
"api-keys/data/storage/webdav/Main" "api-keys/data/storage/webdav/Main"
"api-keys/data/storage/webdav/Media" "api-keys/data/storage/webdav/Media"
@ -182,6 +183,14 @@
''; '';
}; };
restic_grocy_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
simple_get_htpasswd "/api-keys/storage/restic/Grocy" "$secretFile"
'';
};
webdav_main_htpasswd = { webdav_main_htpasswd = {
user = "storage"; user = "storage";
group = "storage"; group = "storage";
@ -222,7 +231,7 @@
user = "storage"; user = "storage";
group = "storage"; group = "storage";
fetchScript = '' fetchScript = ''
cp ${./rclone_config.template} "$secretFile" cp ${./data/rclone_config.template} "$secretFile"
STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password) STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password)
sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" "$secretFile" sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" "$secretFile"


@ -10,5 +10,6 @@
caldav = "10.0.1.8"; caldav = "10.0.1.8";
owncast = "10.0.1.9"; owncast = "10.0.1.9";
jellyfin = "10.0.1.10"; jellyfin = "10.0.1.10";
grocy = "10.0.1.11";
}; };
} }


@ -30,6 +30,7 @@ in {
"caldav" "caldav"
"owncast" "owncast"
"jellyfin" "jellyfin"
"grocy"
] (name: ./containers + "/${name}")) ] (name: ./containers + "/${name}"))
++ (with hosts.hetzner-arm.profiles; [ ++ (with hosts.hetzner-arm.profiles; [
staticSites staticSites