add freshrss to hetzner-arm, add nix-output-monitor to default profile

2024-04-02 17:40:20 +02:00 · 2024-04-02 17:40:20 +02:00 · ace4e0950f
parent 4f6c49ab5c
commit ace4e0950f
10 changed files with 157 additions and 1 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
+use flake
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,4 @@
 result
 *.qcow2
 *~x
- 
+.direnv 
--- a/hosts/hetzner-arm/containers/rss/default.nix
+++ b/hosts/hetzner-arm/containers/rss/default.nix
@ -0,0 +1,55 @@
+{
+  self,
+  hostPath,
+  tree,
+  inputs,
+  config,
+  pkgs,
+  ...
+}: let
+  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+  hostIP = containerAddresses.host;
+  containerIP = containerAddresses.containers.rss;
+in {
+  containers.rss = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = hostIP;
+    localAddress = containerIP;
+
+    specialArgs = {
+      inherit inputs;
+      inherit tree;
+      inherit self;
+      inherit hostPath;
+    };
+
+    config = {...}: {
+      nixpkgs.pkgs = pkgs;
+
+      imports = with tree;
+        [
+          presets.nixos.containerBase
+          ./secrets.nix
+        ]
+        ++ (with hosts.hetzner-arm.containers.rss.profiles; [
+          freshrss
+          restic
+        ]);
+
+      networking.firewall.allowedTCPPorts = [80];
+
+      home-manager.users.root.home.stateVersion = "23.05";
+      system.stateVersion = "23.05";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."freshrss.owo.monster" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://${containerIP}:80";
+    };
+  };
+}
--- a/hosts/hetzner-arm/containers/rss/profiles/freshrss.nix
+++ b/hosts/hetzner-arm/containers/rss/profiles/freshrss.nix
@ -0,0 +1,11 @@
+{config, ...}: let
+  inherit (config.services.secrets) secrets;
+in {
+  services.freshrss = {
+    enable = true;
+    defaultUser = "chaos";
+    baseUrl = "https://freshrss.owo.monster";
+    virtualHost = "127.0.0.1";
+    passwordFile = secrets.chaos_password.path;
+  };
+}
--- a/hosts/hetzner-arm/containers/rss/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/rss/profiles/restic.nix
@ -0,0 +1,35 @@
+{
+  self,
+  pkgs,
+  config,
+  ...
+}: let
+  backupSchedules = import "${self}/data/backupSchedules.nix";
+  inherit (config.services.secrets) secrets;
+in {
+  environment.systemPackages = with pkgs; [
+    restic
+    (pkgs.writeShellScriptBin "restic-rss" ''
+      env \
+        RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
+        $(cat ${secrets.restic_env.path}) \
+      ${pkgs.restic}/bin/restic $@
+    '')
+  ];
+
+  services.restic.backups.rss = {
+    user = "root";
+    paths = [
+      "/var/lib/freshrss"
+    ];
+
+    # repository is overrided in environmentFile to contain auth
+    # make sure to keep up to date when changing repository
+    repository = "rest:https://storage-restic.owo.monster/RSS";
+    passwordFile = "${secrets.restic_password.path}";
+    environmentFile = "${secrets.restic_env.path}";
+
+    pruneOpts = ["--keep-last 50"];
+    timerConfig = backupSchedules.restic.high;
+  };
+}
--- a/hosts/hetzner-arm/containers/rss/secrets.nix
+++ b/hosts/hetzner-arm/containers/rss/secrets.nix
@ -0,0 +1,49 @@
+{pkgs, ...}: {
+  services.secrets = {
+    enable = true;
+
+    packages = with pkgs; [
+      apacheHttpd
+    ];
+
+    vaultLogin = {
+      enable = true;
+      loginUsername = "hetzner-arm-container-rss";
+    };
+
+    autoSecrets = {
+      enable = true;
+    };
+
+    requiredVaultPaths = [
+      "passwords/data/freshrss"
+
+      "api-keys/data/storage/restic/RSS"
+      "private-public-keys/data/restic/RSS"
+    ];
+
+    secrets = {
+      vault_password = {
+        manual = true;
+      };
+
+      chaos_password = {
+        fetchScript = ''
+          simple_get "/passwords/freshrss" .password > "$secretFile"
+        '';
+      };
+
+      restic_password = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/RSS" .password > "$secretFile"
+        '';
+      };
+      restic_env = {
+        fetchScript = ''
+          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/RSS" .restic)
+          echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/TSS" > "$secretFile"
+        '';
+      };
+    };
+  };
+}
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@ -11,5 +11,6 @@
    owncast = "10.0.1.9";
    jellyfin = "10.0.1.10";
    grocy = "10.0.1.11";
+    rss = "10.0.1.12";
  };
 }
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -31,6 +31,7 @@ in {
      "owncast"
      "jellyfin"
      "grocy"
+      "rss"
    ] (name: ./containers + "/${name}"))
    ++ (with hosts.hetzner-arm.profiles; [
      staticSites
--- a/outputs.nix
+++ b/outputs.nix
@ -41,6 +41,7 @@ in
                bat
                nix
                vault-bin
+                nix-output-monitor
              ])
              ++ (with self.packages."${system}"; [
                mk-enc-usb
--- a/profiles/base/nix.nix
+++ b/profiles/base/nix.nix
@ -9,6 +9,8 @@
  inherit (lib.lists) optional;
  inherit (lib.modules) mkIf;
 in {
+  environment.systemPackages = with pkgs; [ nix-output-monitor ];
+
  nix = {
    nixPath = ["nixpkgs=${inputs.nixpkgs}"];
    extraOptions =