diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
index 1c3ddf8..86bf753 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 result
 *.qcow2
 *~x
-
\ No newline at end of file
+.direnv
\ No newline at end of file
diff --git a/hosts/hetzner-arm/containers/rss/default.nix b/hosts/hetzner-arm/containers/rss/default.nix
new file mode 100644
index 0000000..e51818f
--- /dev/null
+++ b/hosts/hetzner-arm/containers/rss/default.nix
@@ -0,0 +1,55 @@
+{
+ self,
+ hostPath,
+ tree,
+ inputs,
+ config,
+ pkgs,
+ ...
+}: let
+ containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+ hostIP = containerAddresses.host;
+ containerIP = containerAddresses.containers.rss;
+in {
+ containers.rss = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostIP;
+ localAddress = containerIP;
+
+ specialArgs = {
+ inherit inputs;
+ inherit tree;
+ inherit self;
+ inherit hostPath;
+ };
+
+ config = {...}: {
+ nixpkgs.pkgs = pkgs;
+
+ imports = with tree;
+ [
+ presets.nixos.containerBase
+ ./secrets.nix
+ ]
+ ++ (with hosts.hetzner-arm.containers.rss.profiles; [
+ freshrss
+ restic
+ ]);
+
+ networking.firewall.allowedTCPPorts = [80];
+
+ home-manager.users.root.home.stateVersion = "23.05";
+ system.stateVersion = "23.05";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."freshrss.owo.monster" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${containerIP}:80";
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/containers/rss/profiles/freshrss.nix b/hosts/hetzner-arm/containers/rss/profiles/freshrss.nix
new file mode 100644
index 0000000..924c9fa
--- /dev/null
+++ b/hosts/hetzner-arm/containers/rss/profiles/freshrss.nix
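Review bot: The outer argument set of default.nix takes `config` but nothing in the file reads it (the inner `config = {...}: {` is a separate function with its own arguments), so it can be dropped from the argument list to avoid the impression that host config is consulted here. The host vhost at the end proxies to `http://${containerIP}:80` without `recommendedProxySettings`, so unless the containerBase preset or a global nginx setting adds them, FreshRSS inside the container sees only the host's address and no `X-Forwarded-Proto`; given the https `baseUrl` the service is configured with, `recommendedProxySettings = true;` on the virtualHost is worth confirming. The container's `networking.firewall.allowedTCPPorts = [80]` is plain HTTP and is fine only as long as the container bridge is reachable solely from the host, which this hunk cannot show.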
@@ -0,0 +1,11 @@
+{config, ...}: let
+ inherit (config.services.secrets) secrets;
+in {
+ services.freshrss = {
+ enable = true;
+ defaultUser = "chaos";
+ baseUrl = "https://freshrss.owo.monster";
+ virtualHost = "127.0.0.1";
+ passwordFile = secrets.chaos_password.path;
+ };
+}
diff --git a/hosts/hetzner-arm/containers/rss/profiles/restic.nix b/hosts/hetzner-arm/containers/rss/profiles/restic.nix
new file mode 100644
index 0000000..f7656c5
--- /dev/null
+++ b/hosts/hetzner-arm/containers/rss/profiles/restic.nix
@@ -0,0 +1,35 @@
+{
+ self,
+ pkgs,
+ config,
+ ...
+}: let
+ backupSchedules = import "${self}/data/backupSchedules.nix";
+ inherit (config.services.secrets) secrets;
+in {
+ environment.systemPackages = with pkgs; [
+ restic
+ (pkgs.writeShellScriptBin "restic-rss" ''
+ env \
+ RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
+ $(cat ${secrets.restic_env.path}) \
+ ${pkgs.restic}/bin/restic $@
+ '')
+ ];
+
+ services.restic.backups.rss = {
+ user = "root";
+ paths = [
+ "/var/lib/freshrss"
+ ];
+
+ # repository is overrided in environmentFile to contain auth
+ # make sure to keep up to date when changing repository
+ repository = "rest:https://storage-restic.owo.monster/RSS";
+ passwordFile = "${secrets.restic_password.path}";
+ environmentFile = "${secrets.restic_env.path}";
+
+ pruneOpts = ["--keep-last 50"];
+ timerConfig = backupSchedules.restic.high;
+ };
+}
diff --git a/hosts/hetzner-arm/containers/rss/secrets.nix b/hosts/hetzner-arm/containers/rss/secrets.nix
new file mode 100644
index 0000000..3b1ea4c
--- /dev/null
+++ b/hosts/hetzner-arm/containers/rss/secrets.nix
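Review bot: `virtualHost = "127.0.0.1"` names the in-container nginx server block after the loopback address, while the host side proxies with whatever Host header its proxy_pass sends, so requests only reach FreshRSS because this is the sole server block and nginx falls back to its default server. That works today but breaks silently the moment a second vhost is added inside the container; naming it after the public host, `virtualHost = "freshrss.owo.monster";`, with the host vhost forwarding `Host`, makes the routing explicit. `passwordFile` points at a file produced by the secrets service, so the freshrss unit must be ordered after that fetch; whether the containerBase preset arranges that is outside this hunk.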
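Review bot: The `restic-rss` wrapper forwards `$@` unquoted and splices the environment file in through `$(cat ...)`, so any argument or value containing whitespace or glob characters is word-split before it reaches restic; the forwarded arguments should be `"$@"` and the file should be sourced rather than expanded. Expanding the file into the `env` command line also places `RESTIC_REPOSITORY`, which per the comment in the same hunk carries the auth credential, on that process's argv, where it is visible in the process list to any local user for the duration of the run; exporting it from the shell first keeps it out of argv. A rewrite of the wrapper along these lines is below; the `services.restic.backups.rss` block is unchanged.
```nix
(pkgs.writeShellScriptBin "restic-rss" ''
  set -a
  . ${secrets.restic_env.path}
  set +a
  export RESTIC_PASSWORD_FILE=${secrets.restic_password.path}
  exec ${pkgs.restic}/bin/restic "$@"
'')
# … unchanged: services.restic.backups.rss …
```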
@@ -0,0 +1,49 @@
+{pkgs, ...}: {
+ services.secrets = {
+ enable = true;
+
+ packages = with pkgs; [
+ apacheHttpd
+ ];
+
+ vaultLogin = {
+ enable = true;
+ loginUsername = "hetzner-arm-container-rss";
+ };
+
+ autoSecrets = {
+ enable = true;
+ };
+
+ requiredVaultPaths = [
+ "passwords/data/freshrss"
+
+ "api-keys/data/storage/restic/RSS"
+ "private-public-keys/data/restic/RSS"
+ ];
+
+ secrets = {
+ vault_password = {
+ manual = true;
+ };
+
+ chaos_password = {
+ fetchScript = ''
+ simple_get "/passwords/freshrss" .password > "$secretFile"
+ '';
+ };
+
+ restic_password = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/RSS" .password > "$secretFile"
+ '';
+ };
+ restic_env = {
+ fetchScript = ''
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/RSS" .restic)
+ echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/TSS" > "$secretFile"
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix
index 306f85c..049909a 100644
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@@ -11,5 +11,6 @@
 owncast = "10.0.1.9";
 jellyfin = "10.0.1.10";
 grocy = "10.0.1.11";
+ rss = "10.0.1.12";
 };
 }
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix
index ffdcafd..81dfd54 100644
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@@ -31,6 +31,7 @@ in {
 "owncast"
 "jellyfin"
 "grocy"
+ "rss"
 ] (name: ./containers + "/${name}"))
 ++ (with hosts.hetzner-arm.profiles; [
 staticSites
diff --git a/outputs.nix b/outputs.nix
index 0fe5219..92760c7 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -41,6 +41,7 @@ in
 bat
 nix
 vault-bin
+ nix-output-monitor
 ])
 ++ (with self.packages."${system}"; [
 mk-enc-usb
diff --git a/profiles/base/nix.nix b/profiles/base/nix.nix
index a3d6c68..2d41cf4 100644
--- a/profiles/base/nix.nix
+++ b/profiles/base/nix.nix
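Review bot: The `restic_env` fetch script writes `RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/TSS`, while restic.nix declares the repository as `.../RSS` and the credential comes from `api-keys/data/storage/restic/RSS`; since the environment file overrides the declared repository (restic.nix's own comment says so), this container's backups would land in the TSS repository, or fail authentication if the RSS credential is scoped to its own path. This looks like a copy-paste from another container's secrets file and the path should read `/TSS` → `/RSS`. The shell variable is also named `RESTIC_PASSWORD` although it holds the REST-server auth password rather than the repository password kept in `restic_password`; a name such as `REST_AUTH_PASSWORD` avoids confusion with restic's own `RESTIC_PASSWORD` variable. If the packaged restic is recent enough to honour `RESTIC_REST_USERNAME`/`RESTIC_REST_PASSWORD`, writing those into the env file would keep the credential out of the repository URL entirely.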
@@ -9,6 +9,8 @@
 inherit (lib.lists) optional;
 inherit (lib.modules) mkIf;
 in {
+ environment.systemPackages = with pkgs; [ nix-output-monitor ];
+
 nix = {
 nixPath = ["nixpkgs=${inputs.nixpkgs}"];
 extraOptions =