diff --git a/Justfile b/Justfile index 6e1925e..a890929 100644 --- a/Justfile +++ b/Justfile @@ -64,7 +64,7 @@ terraform *args: terraform -chdir=./deploy/terraform/ {{ args }} edit-secret file: - EDITOR="code --wait" sops {{ file }} + EDITOR="zeditor --wait" sops {{ file }} push-result-to-cache: cachix push e10 result diff --git a/hosts/bastion/profiles/authelia/default.nix b/hosts/bastion/profiles/authelia/default.nix index 55eb334..59a098b 100644 --- a/hosts/bastion/profiles/authelia/default.nix +++ b/hosts/bastion/profiles/authelia/default.nix @@ -47,8 +47,11 @@ }; identity_providers.oidc = { - claims_policies.legacy.id_token = - [ "email" "email_verified" "preferred_username" "name" ]; + claims_policies = { + karakeep.id_token = [ "email" ]; + legacy.id_token = + [ "email" "email_verified" "preferred_username" "name" ]; + }; clients = [ { @@ -129,21 +132,23 @@ } { client_id = - "pV6drSFL4uNhslIfnTxi~oDMhqTIVVWM~307jSrBE9CNPuuwqMRDwYnW0PG6tYYL5HqCpFJu"; - client_name = "Actual Budget"; + "4_PUhlKbm03-XaIAR-tBOzaCkf6dQfhgBY-xnrewL5jsOCp0UXPsbSvnaxgLXEp6kKsqjqND"; + client_name = "Karakeep"; client_secret = - "$pbkdf2-sha512$310000$78au487f6p.HXge7fFeMcQ$FXpI9224tVfyMNkyLj3sqtP.gWUUN./gJemo3l0KcwjVseC0Wlqe50LsYtm6lBBzRXuBxAa/Jhw2q3EaIGMd3A"; + "$pbkdf2-sha512$310000$XuC9/i/.AWXy/G4A/aOazw$ZozktGPjpHfhmjEzdhNsjeLMw/XhbRK/ePqRPfzbTA04pEOlFTOon2s.yWYyuQv5wzCp0QUGHz2gkczfZsetyQ"; public = false; authorization_policy = "two_factor"; require_pkce = false; pkce_challenge_method = ""; - redirect_uris = [ "https://actual.e10.camp/openid/callback" ]; - scopes = [ "openid" "profile" "groups" "email" ]; + redirect_uris = + "https://karakeep.e10.camp/api/auth/callback/custom"; + scopes = [ "openid" "profile" "email" ]; response_types = [ "code" ]; grant_types = [ "authorization_code" ]; access_token_signed_response_alg = "none"; userinfo_signed_response_alg = "none"; token_endpoint_auth_method = "client_secret_basic"; + claims_policy = "karakeep"; } ]; }; 
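Review bot: `redirect_uris = "https://karakeep.e10.camp/api/auth/callback/custom";` assigns a plain string where the line it replaces held a list; Authelia's `redirect_uris` is a list, so unless the settings generator normalizes scalars this client will fail config validation, and it should read `redirect_uris = [ "https://karakeep.e10.camp/api/auth/callback/custom" ];`. The rest of the entry is carried over from the Actual Budget client, including the context lines `require_pkce = false;` and `pkce_challenge_method = "";`; if Karakeep's OAuth client can do PKCE it is worth turning on for this new client rather than inheriting the weaker setting. The enclosing `clients` list starts and ends outside this hunk.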
@@ -151,9 +156,7 @@ session.cookies = [{ domain = "e10.camp"; authelia_url = "https://auth.e10.camp"; - inactivity = "1M"; - expiration = "3M"; - remember_me = "1y"; + expiration = "1y"; }]; access_control.rules = lib.mkBefore [ @@ -189,15 +192,6 @@ domain = "pdf.e10.camp"; policy = "two_factor"; } - { - domain = "bazarr.e10.camp"; - policy = "bypass"; - resources = [ "^/api([/?].*)?$" ]; - } - { - domain = "bazarr.e10.camp"; - policy = "two_factor"; - } { domain = "mazanoke.e10.camp"; policy = "two_factor"; diff --git a/hosts/bastion/profiles/caddy/default.nix b/hosts/bastion/profiles/caddy/default.nix index eba303f..4c721ed 100644 --- a/hosts/bastion/profiles/caddy/default.nix +++ b/hosts/bastion/profiles/caddy/default.nix @@ -101,7 +101,6 @@ "bazarr.e10.camp" = { host = hosts.htpc; port = hosts.htpc.config.services.bazarr.listenPort; - protected = true; }; "profilarr.e10.camp" = { @@ -261,11 +260,6 @@ inherit (hosts.controller.config.services.termix) port; }; - "actual.e10.camp" = { - host = hosts.matrix; - inherit (hosts.matrix.config.services.actual.settings) port; - }; - "bichon.e10.camp" = { host = hosts.matrix; inherit (hosts.matrix.config.services.bichon) port; @@ -283,6 +277,16 @@ ''; }; + "karakeep.e10.camp" = { + host = hosts.matrix; + port = hosts.matrix.config.services.karakeep.extraEnvironment.PORT; + }; + + "hass.e10.camp" = { + host = hosts.matrix; + port = 8123; + }; + "e10.video" = { host = hosts.htpc; inherit (hosts.htpc.config.services.plex) port; diff --git a/hosts/matrix/configuration.nix b/hosts/matrix/configuration.nix index e9a0a77..33137d6 100644 --- a/hosts/matrix/configuration.nix +++ b/hosts/matrix/configuration.nix 
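Review bot: Replacing `inactivity = "1M"; expiration = "3M"; remember_me = "1y";` with a single `expiration = "1y";` gives every Authelia session a one-year lifetime with no idle timeout, i.e. the widest of the three removed values applied unconditionally rather than only to users who opt into remember-me. A session cookie that leaks is then usable for a year regardless of activity. If the goal is fewer re-logins, keep a short `expiration`, restore an `inactivity` value and move the year to `remember_me = "1y";`, which is the knob Authelia provides for exactly that.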
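Review bot: Removing both `bazarr.e10.camp` rules here, together with `protected = true;` for `"bazarr.e10.camp"` in the caddy hunk and `basicAuth = true;` in the glance hunk, leaves bazarr reachable through the proxy with no Authelia forward-auth in front of it. Nothing in the diff shows bazarr's own authentication being enabled, so that should be confirmed before this is deployed, or the `two_factor` rule kept and only the API `bypass` rule dropped. The gatus hunk also removes `protected = true;` for the same endpoint, so the monitor will stop expecting an auth redirect and will not catch the regression.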
@@ -9,13 +9,13 @@ profiles.media-management.immich.default profiles.networking.printing profiles.power.tripp-lite-smart1500lcd - profiles.services.actual.default profiles.services.attic-watch-store.default profiles.services.bichon profiles.services.bentopdf profiles.services.changedetection-io profiles.services.e10-land profiles.services.glance.default + profiles.services.home-assistant.default profiles.services.mazanoke profiles.services.miniflux.default profiles.services.netbox.default @@ -23,6 +23,7 @@ profiles.telemetry.prometheus-nut-exporter profiles.virtualisation.docker profiles.web-servers.caddy + profiles.services.karakeep.default ] ++ [ ./hardware-configuration.nix ./disk-config.nix ]; boot.loader.grub.devices = diff --git a/modules/nixos/services/eufy-security-ws/default.nix b/modules/nixos/services/eufy-security-ws/default.nix new file mode 100644 index 0000000..63fed2c --- /dev/null +++ b/modules/nixos/services/eufy-security-ws/default.nix 
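Review bot: `profiles.services.karakeep.default` is appended after `profiles.web-servers.caddy` in the second hunk, breaking the alphabetical order the rest of the list keeps (the first hunk inserts `profiles.services.home-assistant.default` in order). Move it between `profiles.services.home-assistant.default` and `profiles.services.mazanoke` so the two new profiles sit with the other `profiles.services.*` entries.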
@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.services.eufy-security-ws;
+in {
+ options.services.eufy-security-ws = {
+ enable = mkEnableOption "Enable Eufy";
+
+ dataDir = mkOption {
+ type = types.path;
+ default = "/var/lib/eufy-security-ws";
+ };
+
+ host = mkOption {
+ type = types.str;
+ default = "localhost";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 3000;
+ };
+
+ configurationFile = mkOption { type = types.path; };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.tmpfiles.settings."10-eufy-security-ws" = {
+ ${cfg.dataDir} = {
+ "d" = {
+ user = "eufy-security";
+ group = "eufy-security";
+ mode = "0700";
+ };
+ };
+ };
+
+ systemd.services.eufy-security-ws = {
+ enable = true;
+ description = "eufy-security-ws";
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ reloadTriggers = [ cfg.configurationFile ];
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.eufy-security-ws}/bin/eufy-security-server \
+ --config ${cfg.configurationFile} \
+ --host ${cfg.host} \
+ --port ${toString cfg.port}
+ '';
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ WorkingDirectory = "/var/lib/eufy-security-ws";
+ User = "eufy-security";
+ Group = "eufy-security";
+ Restart = "on-failure";
+ RestartForceExitStatus = "100";
+ SuccessExitStatus = "100";
+ };
+ };
+
+ users = {
+ users.eufy-security = {
+ isSystemUser = true;
+ group = "eufy-security";
+ };
+ groups.eufy-security = { };
+ };
+
+ networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port;
+ };
+}
diff --git a/modules/nixos/services/xteve/default.nix b/modules/nixos/services/xteve/default.nix
deleted file mode 100644
index 2e45f17..0000000
--- a/modules/nixos/services/xteve/default.nix
+++ /dev/null
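Review bot: `WorkingDirectory = "/var/lib/eufy-security-ws";` hardcodes the path that the tmpfiles rule above derives from `cfg.dataDir`, so anyone overriding `dataDir` gets a unit that starts in a directory nothing creates; it should be `WorkingDirectory = cfg.dataDir;`. The unit also runs with no sandboxing even though its only writable state is `cfg.dataDir` and its config is read from `cfg.configurationFile`, so the standard `NoNewPrivileges`/`ProtectSystem`/`ProtectHome` set applies without changing behaviour. `enable = mkEnableOption "Enable Eufy";` renders as "Whether to enable Enable Eufy." because `mkEnableOption` adds the prefix itself, and none of the other options carry a `description`; `mkEnableOption "the eufy-security-ws WebSocket server"` plus a one-line `description` per option fixes that. `reloadTriggers = [ cfg.configurationFile ];` holds a path string, so as far as this hunk shows it fires only when the path itself changes, not when the rendered secret behind it does.
```nix
      serviceConfig = {
        # … unchanged: ExecStart / ExecReload …
        WorkingDirectory = cfg.dataDir;
        User = "eufy-security";
        Group = "eufy-security";
        Restart = "on-failure";
        RestartForceExitStatus = "100";
        SuccessExitStatus = "100";

        # Least privilege: the server only needs to write its own state directory.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ cfg.dataDir ];
      };
```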
@@ -1,79 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let cfg = config.services.xteve; -in { - options.services.xteve = { - enable = mkEnableOption "Enable xTeVe"; - - package = mkOption { - type = types.package; - default = pkgs.xteve; - }; - - user = mkOption { - type = types.str; - default = "xteve"; - }; - - group = mkOption { - type = types.str; - default = "xteve"; - }; - - dataDir = mkOption { - type = types.str; - default = "/var/lib/xteve"; - }; - - port = mkOption { - type = types.port; - default = 34400; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - }; - }; - - config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" - "d '/tmp/xteve' 0700 ${cfg.user} ${cfg.group} - -" - ]; - - users.users = mkIf (cfg.user == "xteve") { - xteve = { - isSystemUser = true; - inherit (cfg) group; - home = cfg.dataDir; - uid = 3440; - }; - }; - - users.groups = mkIf (cfg.group == "xteve") { xteve.gid = 3440; }; - - systemd.services.xteve = { - description = "xTeVe"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - ExecStart = '' - ${cfg.package}/bin/xteve \ - -config ${cfg.dataDir} \ - -port ${toString cfg.port} - ''; - Restart = "on-failure"; - }; - }; - - networking.firewall = - mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; }; - }; -} diff --git a/modules/overlays/default.nix b/modules/overlays/default.nix index cd0b8e5..e8d9aff 100644 --- a/modules/overlays/default.nix +++ b/modules/overlays/default.nix @@ -21,7 +21,8 @@ inherit (nixpkgs-master) thanos; inherit (self'.packages) - bentopdf fileflows mongodb-ce-6_0; # caddy-with-plugins; + bentopdf fileflows mongodb-ce-6_0 + eufy-security-ws; # caddy-with-plugins; }; }; } diff --git a/modules/packages/default.nix b/modules/packages/default.nix index 6ef34d3..a2d4384 100644 --- a/modules/packages/default.nix 
+++ b/modules/packages/default.nix @@ -4,6 +4,7 @@ _: { bentopdf = pkgs.callPackage ./bentopdf { }; fileflows = pkgs.callPackage ./fileflows { }; mongodb-ce-6_0 = pkgs.callPackage ./mongodb-ce-6_0 { }; + eufy-security-ws = pkgs.callPackage ./eufy-security-ws { }; }; }; } diff --git a/modules/packages/eufy-security-ws/default.nix b/modules/packages/eufy-security-ws/default.nix new file mode 100644 index 0000000..f3f030f --- /dev/null +++ b/modules/packages/eufy-security-ws/default.nix @@ -0,0 +1,21 @@ +{ buildNpmPackage, fetchFromGitHub, lib, }: +buildNpmPackage rec { + pname = "eufy-security-ws"; + version = "1.9.7"; + + src = fetchFromGitHub { + owner = "bropat"; + repo = "eufy-security-ws"; + tag = version; + hash = "sha256-K9xSJ8W0doxgfXzvg+w32SgFfWuPPyrEUCq3BUE+0wQ="; + }; + + npmDepsHash = "sha256-/ck+R4cKFb0+CxmrjR+4riHmgdy0m8FUQvarn66QinA="; + + meta = { + description = + "Small server wrapper around eufy-security-client library to access it via a WebSocket"; + homepage = "https://github.com/bropat/eufy-security-ws"; + license = lib.licenses.mit; + }; +} diff --git a/modules/profiles/observability/gatus/default.nix b/modules/profiles/observability/gatus/default.nix index f3af925..508327f 100644 --- a/modules/profiles/observability/gatus/default.nix +++ b/modules/profiles/observability/gatus/default.nix @@ -182,7 +182,6 @@ in { config, lib, ... }: { name = "Bazarr"; url = "https://bazarr.e10.camp"; group = "HTPC"; - protected = true; }) (mkEndpoint { name = "SABnzbd"; @@ -297,13 +296,18 @@ in { config, lib, ... }: { protected = true; }) (mkEndpoint { - name = "Actual Budget"; - url = "https://actual.e10.camp"; + name = "Bichon"; + url = "https://bichon.e10.camp"; group = "Matrix"; }) (mkEndpoint { - name = "Bichon"; - url = "https://bichon.e10.camp"; + name = "Karakeep"; + url = "https://karakeep.e10.camp"; + group = "Matrix"; + }) + (mkEndpoint { + name = "Home Assistant"; + url = "https://hass.e10.camp"; group = "Matrix"; }) ]; 
diff --git a/modules/profiles/services/actual/default.nix b/modules/profiles/services/actual/default.nix deleted file mode 100644 index d45d701..0000000 --- a/modules/profiles/services/actual/default.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, ... }: { - sops.secrets = { - actual_oauth2_client_secret = { - sopsFile = ./secrets.json; - mode = "0777"; - }; - }; - - services.actual = { - enable = true; - openFirewall = true; - settings = { - loginMethod = "openid"; - openId = { - discoveryURL = "https://auth.e10.camp"; - client_id = - "pV6drSFL4uNhslIfnTxi~oDMhqTIVVWM~307jSrBE9CNPuuwqMRDwYnW0PG6tYYL5HqCpFJu"; - client_secret._secret = - config.sops.secrets.actual_oauth2_client_secret.path; - server_hostname = "https://actual.e10.camp"; - authMethod = "oauth2"; - }; - }; - }; -} diff --git a/modules/profiles/services/actual/secrets.json b/modules/profiles/services/actual/secrets.json deleted file mode 100644 index 98b0ff2..0000000 --- a/modules/profiles/services/actual/secrets.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "actual_oauth2_client_secret": "ENC[AES256_GCM,data:Ny8p1oDoj2mmvtKj6UYFXD3we/9I30Gpj2LZ680BVyIezNBiVVLV4ZtXa0+aZ1zltsRrZyGymAUKVodNpfEf4LprNoHGVbsq,iv:HGRTJdqLFqZWVYbTV/Fe+rMjxA6KFC+tt2l6Z7jro6Q=,tag:4cOPzA+A6WGVDL0KVf+qkQ==,type:str]", - "sops": { - "age": [ - { - "recipient": "age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaDdpazRsdklYOUxRczgz\nSWh3NkVyWjVzb1dicG8vOS92aHpyQmFTaW04CmVXU3FkdTFmUjEwMmZSRE5MeFQv\nK2lQenE0VDJzcDZqWngxSE12Q0FLME0KLS0tIGZjR1lPNzFpMVZ6ZjY3OGpOclNJ\nbGlPdkFFUVpOQ25mTTljci94VXBCVlkKe5dwlvQJWAPaK6iXWuekUcPqS08SwwJu\nhphgzz3ey/RIUFT68nH2DakF8Uokuy8Hn7+WVxkUBDt6i8xXRENblQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1g22ghnrdg858yv6w2ux8hgntj8gkdyjn28axdkmzyx38d4vx6geqj4px9a", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VkE4YlltYjFEUVVJY1hn\nckt0aUQ3TDVVV2ZPcUx0aGRlbE5FWFR6MFgwCjBaUkk4LzFvemVaNEVuNnJiZitT\nQUhDcStxK3hqUlhTa090TEtiNU9EN0EKLS0tIERYRTE1a2ozWHJGamw2NTFHVENu\nbG5mZHlWdlFya3J6ZS9qa24vYmNubkkKlNyVGzkEJ6MR1ZA/HIrIaNh992xc9uBy\nxMM4FdpZ3Y2MaYiGxLB2tX15roeJm7qW/2DPuteGReEmFiQA/LCkQQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZ0NyMWliTVBobEJtU0Fq\nNU1wUTE3aHMwbjRnYTJMVS9uUzdrejdPckdvCnlaRGw1K2pzUkJERXB3NVkwNE90\nQmhYalMrQ1JEeFQ2ZmxEeFcyMVdGMEUKLS0tIE95Tis5Tk5vZXFxSXdwZzhaZGo5\naXdJUk9nWFIvaURWbk8vYVJ1Z1dab1UK8j+mBNZQx10LWYggFRdzulgcOMprFKfR\n1YXjnC4XnitBrJsLV56ClefAokUHNHPu71vu/Vx1r0+LEpE2kWu0sA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTUp5UVJTV2ptekRLajMz\nalI2OXdIaXIxRVp3b1FtYlZQVzFTMjB1S1U4CnVpNStCL1lacTRzT2tWY0Rod3J5\ndEMydFRQMWFLRmg4S1BYbFRKS1kzTkEKLS0tIEY4czhPZSthWGNXQTZSWldleDdZ\nbUdKRklTcWUxd3hYNGhDWXVZdEJ1VWsKV0ccSoL3tSnVkgkvyuj84hkneoVAJEVQ\nWGwaWqsoLUtlBHP6h/zQw0y5RUWYDDC7ps43hvJahcsNq4xVvh7t2A==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMUZKOERUOVhxVzdJTGdP\na0lrUlNrRWgvNG93VTF4eGp4ZXVuNkx4UVZJCm1NUEg0UGxaRnhDRWNoZzE0MUhH\ndVlNV0hodmx2K01ldUNXRHNNN3duaUkKLS0tIHo0OGY1OHBOWEk5VEV2SHdsNTlG\nMU94WU8rTGtOMUUyVUJZL2p1ai9oNmsKSJirxeHyzlBgb5ZSW5U8NwESsxBV+4xM\n6Ek8uhU9Trb1QB5dTref2XahqYjp4y+PXQamIumvqORZh06k+r1uOQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age15jjykch8km3l8atssu0n9us6d2xg58z0ds9s0djtdh9l954sud5szqxv29", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdGdUUVhkUDYyNEpqdWVZ\nQjFJMVRMU1ZVNDg2Mm9tTnIxYkxwWExVZjFvClU2R01renlFTVNlV0lPWkNIUm9V\nalpYaStOWFFKWXZ6YWVaVjZXUktoWjAKLS0tIFNubEJqYXN4L0xwWkF0eHRNMjlm\nOHBMZXZyZFdXYThianEyNUtEZ3ZpajQK/oJ5gOL132pKbqMbt/vM3mnqXSMu3lZK\n8/KFQlXARYbPNC/oXf6Ebp0Msy/cNNAKSQWrM2tpwV0xMZd49UWdRg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age10jhawn266e3wr6rx0lndkl9a47ewtk6jgh35d2582uu2l7dtn4tqdqc29c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR1NPdnV4bDRzL0tGZkgr\nOE9pM1BNek11TWFta3VqYXBJWXloaERwWWtzCnlNcHZKQkZXdUVacHMvOVltOU0x\nenYzcEQ0Y1psWG45eVFWNDlmaXVuTUEKLS0tIEpNbDAxZjFxdStnV0lhQ3FsWktT\nK3QyK012WEp3eVA2L2tlNDdrYVVUTWMK81aGvFTA87mMjrF/TCLyaKXFX/uHookG\nXzLClMg9y8E3gxwrlYy7FFwDxn0CcPhCx0tNZZJoDhF7pGA3Lw1U3Q==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1x708x83pjj7urp26pncx67fqz8a3htrf0umw7c00pvmxhl6y95lszjgd6r", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc2hyY1RiamkvVUdDOW1V\nb045KzZGNjN2Z0xsRWdKMjY3aUtpSmVDM1NvCkw2TWhZdVBNL0NzVWlHTlFWYWZH\nVDRETmxLbFBOVHdPRDE4VzNGQXRtK0kKLS0tIEdOWFpDOWpscmVZT211OW1FZFRs\ndktmWTlTMk9wRFUzcjVCNFM3ZGEvT1kKoWiKcV384kpa3Dcax4UikYErXXbW91fz\nbm8mz9+zIFp+sVIdDV/GQaxBlAhRpXtoRJBXwq3lx0uaGfOq4BUxMg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2026-01-03T06:48:46Z", - "mac": "ENC[AES256_GCM,data:oF1TY/9HBXwsyhNPmiAuBtaQSYZcAM+A3XJ8jVpBIxpx2LbdZloc9WuAMl96Urm9ABmtyXS/zT5r3q8KlnQGnJtdr/ttrVoo1KCn+KfW4VbApsNyBnBqxwevexVGvjyjQqt7RRpRG9ZEt4bhcYzUu5Ey4JUYOGZiLMF8uDHnRfc=,iv:yHkA8VF+ybVJTkDAWPy7inLBiqpvL+hJkMw+mqWyCd8=,tag:Uzjq4YqdcY0CWeGk/G3Bpg==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.11.0" - } -} diff --git a/modules/profiles/services/eufy-security-ws/default.nix b/modules/profiles/services/eufy-security-ws/default.nix new file mode 100644 index 0000000..64e23ed --- /dev/null +++ b/modules/profiles/services/eufy-security-ws/default.nix @@ -0,0 +1,26 @@ +{ config, ... }: { + sops = { + secrets = { + eufy_username.sopsFile = ./secrets.json; + eufy_password.sopsFile = ./secrets.json; + }; + + templates."eufy_security_ws/configuration.json" = { + content = builtins.toJSON { + username = config.sops.placeholder.eufy_username; + password = config.sops.placeholder.eufy_password; + persistentDir = config.services.eufy-security-ws.dataDir; + country = "US"; + language = "en"; + }; + mode = "0777"; + }; + }; + + services.eufy-security-ws = { + enable = true; + configurationFile = + config.sops.templates."eufy_security_ws/configuration.json".path; + openFirewall = true; + }; +} diff --git a/modules/profiles/services/eufy-security-ws/secrets.json b/modules/profiles/services/eufy-security-ws/secrets.json new file mode 100644 index 0000000..e183c99 --- /dev/null +++ b/modules/profiles/services/eufy-security-ws/secrets.json 
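Review bot: `mode = "0777";` on the rendered `eufy_security_ws/configuration.json` template makes the file holding the decrypted Eufy username and password world-readable and world-writable; the template should be owned by the service account instead, `owner = "eufy-security"; group = "eufy-security";`, and keep the default read-only mode, which is exactly what the karakeep profile in this same commit does with `owner = "karakeep";`. `openFirewall = true;` opens TCP 3000 while the module's default `host = "localhost"` keeps the server off the network, so the rule either does nothing today or, if `host` is later widened, exposes a WebSocket endpoint for which the diff shows no authentication; go2rtc reaches it over `http://localhost:3000`, so the firewall opening looks unnecessary and is safer dropped.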
@@ -0,0 +1,44 @@ +{ + "eufy_username": "ENC[AES256_GCM,data:XcfGGtU6xUF81wLumSJN83nJWg==,iv:M7llmQKN69+blkBecmi3AK+yuFhS9YGMAqmMlNAxPUY=,tag:ofEKqaa2r72klAgZivjQAA==,type:str]", + "eufy_password": "ENC[AES256_GCM,data:fCkY1OHvGLiQpG+ey2E7ABriDg==,iv:b3JS32MseeSXHii3AX2Rm5GGVlF3Pn7N50Bbu+KBYkA=,tag:uHwWosGBM7/a6PIkc7BPZA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZndMcG0rb2lGcTZMUmh4\ndUx4YXRkNnVycjk4WGVGYlFCYjRuNy91Z2djCnBpeTRkMGtQNnhMVVdUUml2c1Vu\nYW9jS01aR3VGdTFuejI4bEQzbXBhcW8KLS0tIDA0RHpBZ1hhM21nRFZBelVTSWxo\nMnhFWG1JNlNIcHFySUZwNVNuQTdRblkKEwPVam2XEQRTywk13OKybC1guv5dil9c\nBM5aspKKpRokZ/0o9jaPnSqPfBdLHzGsBVYJ6x/dVOlYO3OeyXqYaQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1g22ghnrdg858yv6w2ux8hgntj8gkdyjn28axdkmzyx38d4vx6geqj4px9a", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU0RPaythT0xxeHlJSHBF\nZzdSSmEzWXREd3RLQk5zN2JJUkxvaCtDUHdVCjM4aXMrZXBUS1ZnSUZhdWVEc1BH\nN28zemF5UzI0TWhUeXEvS0haYkZLWmMKLS0tIExXd25zQkJnaGlZbmxVOWhkSVRN\nM2JRckJDRUFiUmFsTFJDWStWc1FPR0EKiOI7hL760ouVnxEABvMcLvkpKhdmnSDc\nrcLOo+wXYStsk81F+PkX8oOTnFbFdY9CDRER+X7SS3HBh0HyJk2u1A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUM2gxUDVVbHE0Z0ErYWl5\neThHRGowcDFrcG8rN0J5b1RTdmZmTEl4SXlVCm03ajMraTdBNHFzbDR2dkpzU1VR\nZWFaMWFlWW1yVVIrZFNvcW1YYnRINTgKLS0tIEFReG9QTEtEYVNJVVdyNk0rcTBu\nQW1NNXlGUUdBVzh4dEFha0sxTTBqdzgKx525AWHgEc8LIT6mIIdbCZ4TkP+8XhO+\nQtQhhPrG9r4UvtI6mNIa6UVjUphihpjAVAcqhjXzXk+QGnaPUNhvig==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlY21aWklEYWdVNmpNVXRy\ncEhkeHo1WlBmcnE2Q2VLQmIySnMzT0kzeVZjCmFwSnRlcjNWUkxCbDJ1dkcwalcz\nUGVONWF1OFZpb2Z6UWgreXNZcng3VzQKLS0tIHFGUWZCaWFtZzlkNkhZT2EyeXMr\ncHRka3BzK3BzQVREeVZNeUR2WEN5cm8KRibc22WpkQwWDRX2FKiHwFShtc90JMVU\neE3LiqWW0lGi0AhcxlGCW+V0lRPqWnPHEKs1EPts/GXKWSZz30FEuA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bEZvRDN2RW4rZndrT1Br\nV0VoWWZCa1p2TFFxU3hHSnVjSGtpNjYxY0ZJCkRrZVVBcjJoK0xoV0ZVYmdtQXFK\nd1ZMeVQrdEdEQUhydFBtVDNMMFgyZ3cKLS0tIE51Zlgxb2p5RHN0Vi8vSUJqQ0ZD\nUy9tK00yWVZ4aHVJbjJEckx3YnkvMG8Kq4+Is7X6svPtOvqqI5LzmGDLnfJDtFFg\nB+WRAC+/VWlWAdejB9j4Z2N8114ashJquaAZ7OjcXvEXSiflBt10Ig==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15jjykch8km3l8atssu0n9us6d2xg58z0ds9s0djtdh9l954sud5szqxv29", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwWjg4eGtsVGp3S0dSSmx4\neVFxbWVSZm9VY2lZQXJZeExmWDJjTEdLZ2k0CjhEckJYMzBRRnl4K3daSjFYT3Jr\nNk1ZSGJnS2JEMnVzUTlXbURSbS9JbkEKLS0tIE1HMjRIa2pEanFPZDhlTHZOdWNL\naEpPdTFNejJQK0hwSURPbm1ScnYwSnMK2qY+jb7h+fHUUkmmudxp3H0Ybqbz9RD9\nmI6hqGRPh4/lO8flZsIegSQH+d0kVnPXLURbkvghzV8bEtJ0WX9ekw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10jhawn266e3wr6rx0lndkl9a47ewtk6jgh35d2582uu2l7dtn4tqdqc29c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdUVkLzZLWExuRFZhaHZZ\nYmFVQ1BiYm51ekl6TlkrekZiOHlkbWhoTnk4CmMyZFFOdGRtU1IvS2FkWVJoS1o0\nRHNIWlgwYzZ5QWZtS0hyci9VN3Q5Zm8KLS0tIEtsV2RlZUl2R3VJU3ovV2RWd0Y5\nK0s5eERuWVEwVnVORnYwbjh0dGhSc3cKBj6rOldgJCC9cAq4A/YEO2EaMY122S7B\n2C5SCo5FCFOuExo+VqeaHracq2ZFVZ2SkHL6heBoZ+6oomvCAZuw8A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1x708x83pjj7urp26pncx67fqz8a3htrf0umw7c00pvmxhl6y95lszjgd6r", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdUFwTElaenFpaHNGL2d6\nTnlmK2ZIbzZOSHczT3RSbmNGcUZjMmZYTTNjClFiVFlQYTFDKzRJcURQRGJ6dmVZ\nWHBNL25FMWNXT2VLOFNxZ3VQMUkrc2cKLS0tIHgyQ05GQ3ozT0hmckJlVXA5ZHNL\neFpEajNhUkxwRFZJcExKOGY2K1JmSzQKg7ZCzX7colfe81s5g1/wNMpFims2VN43\n0ehBFvqrU724tQeColXmd1NEVtojKpx9S0aMHVSM8OQ1CChY6XzjjQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-03T17:32:51Z", + "mac": "ENC[AES256_GCM,data:jT03UwToFFbmA2o3nFMuwGHTnjFa6zsDiAO+zED/mZm0DNK8+8UqXRXp+frlhDTgG35tcOgff9mGelJ84+pLvzQ9F0cgJ7wIwe8d1R/JgFFPG0LNIi+C+qAlfX12Z8pcD53LOAlwaTJ58ccVIfT7E58UwaMHf8Dg5qE2M8xtcyQ=,iv:SdHpwIxTPW8d30kFHSDbSxgacJSBNPFRRpF8c1ZpaG8=,tag:EN+wLGL7O6Dupi973OcCcw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/modules/profiles/services/glance/default.nix b/modules/profiles/services/glance/default.nix index b82fb16..89a3da5 100644 --- a/modules/profiles/services/glance/default.nix +++ b/modules/profiles/services/glance/default.nix @@ -42,11 +42,6 @@ }; }; in [ - (mkSite { - title = "Actual Budget"; - url = "https://actual.e10.camp"; - icon = "di:actual-budget"; - }) (mkSite { title = "Authelia"; url = "https://auth.e10.camp"; @@ -61,7 +56,6 @@ title = "Bazarr"; url = "https://bazarr.e10.camp"; icon = "di:bazarr"; - basicAuth = true; }) (mkSite { title = "BentoPDF"; @@ -101,6 +95,11 @@ url = "https://grafana.e10.camp"; icon = "di:grafana"; }) + (mkSite { + title = "Home Assistant"; + url = "https://hass.e10.camp"; + icon = "di:home-assistant"; + }) (mkSite { title = "Huntarr"; url = "https://huntarr.e10.camp"; @@ -117,6 +116,11 @@ url = "https://requests.e10.video"; icon = "di:jellyseerr"; }) + (mkSite { + title = "Karakeep"; + url = "https://karakeep.e10.camp"; + icon = "di:karakeep"; + }) (mkSite { title = "LLDAP"; url = "https://ldap.e10.camp"; diff --git a/modules/profiles/services/go2rtc.nix b/modules/profiles/services/go2rtc.nix new file mode 100644 index 0000000..7f6215b --- /dev/null 
+++ b/modules/profiles/services/go2rtc.nix
@@ -0,0 +1,15 @@
+let port = 8555;
+in {
+ services.go2rtc = {
+ enable = true;
+ settings = {
+ streams = { webrtc-eufy = "webrtc:http://localhost:3000"; };
+ rtsp.listen = "0.0.0.0:${toString port}";
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 8555 ];
+ allowedUDPPorts = [ 8555 ];
+ };
+}
diff --git a/modules/profiles/services/home-assistant/components/eufy_security.nix b/modules/profiles/services/home-assistant/components/eufy_security.nix
new file mode 100644
index 0000000..967959b
--- /dev/null
+++ b/modules/profiles/services/home-assistant/components/eufy_security.nix
@@ -0,0 +1,17 @@
+{ fetchFromGitHub, home-assistant, buildHomeAssistantComponent }:
+
+let pythonPkgs = home-assistant.python.pkgs;
+in buildHomeAssistantComponent rec {
+ owner = "fuatakgun";
+ domain = "eufy_security";
+ version = "8.2.2";
+
+ src = fetchFromGitHub {
+ owner = "fuatakgun";
+ repo = "eufy_security";
+ tag = "v${version}";
+ hash = "sha256-506rbpkwGPXyx7OQgLNLnbGsqxkfIxUa808J1PA3s0E=";
+ };
+
+ dependencies = with pythonPkgs; [ websocket-client aiortsp ];
+}
diff --git a/modules/profiles/services/home-assistant/default.nix b/modules/profiles/services/home-assistant/default.nix
new file mode 100644
index 0000000..79364d1
--- /dev/null
+++ b/modules/profiles/services/home-assistant/default.nix
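Review bot: `allowedTCPPorts = [ 8555 ];` and `allowedUDPPorts = [ 8555 ];` repeat the literal that `let port = 8555;` exists to hold, so changing the binding would move only the RTSP listener and leave the firewall on the old port; use `allowedTCPPorts = [ port ]; allowedUDPPorts = [ port ];`. More importantly, `rtsp.listen = "0.0.0.0:${toString port}"` combined with the open firewall publishes the camera streams on every network the host is attached to, and the diff shows no RTSP credentials configured. If only Home Assistant on this same host consumes the streams, bind to `127.0.0.1` and drop the firewall entries; otherwise restrict the rule to the interface that actually needs it.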
@@ -0,0 +1,100 @@ +{ config, pkgs, profiles, ... }: { + imports = [ + profiles.services.matter-server + profiles.services.go2rtc + profiles.services.eufy-security-ws.default + ] ++ [ ./postgresql.nix ]; + + sops = { + secrets = { + hass_latitude.sopsFile = ./secrets.json; + hass_longitude.sopsFile = ./secrets.json; + hass_elevation.sopsFile = ./secrets.json; + hass_oauth_secret.sopsFile = ./secrets.json; + }; + + templates = { + hass_secrets = { + content = '' + latitude: ${config.sops.placeholder.hass_latitude} + longitude: ${config.sops.placeholder.hass_longitude} + elevation: ${config.sops.placeholder.hass_elevation} + + oauth_secret: ${config.sops.placeholder.hass_oauth_secret} + ''; + path = "/var/lib/hass/secrets.yaml"; + mode = "0777"; + }; + }; + }; + + services.home-assistant = { + enable = true; + openFirewall = true; + + # See the list of component packages here: + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/home-assistant/component-packages.nix + extraComponents = [ + "analytics" + "apple_tv" + "brother" + "ecobee" + "eufy" + "google_translate" + "homekit_controller" + "hue" + "ipp" + "isal" + "met" + "opower" + "radio_browser" + "sonos" + "tplink" + ]; + + extraPackages = python3Packages: + with python3Packages; [ + # HomeKit Bridge + aiohomekit + base36 + fnv-hash-fast + hap-python + pyqrcode + ]; + + customComponents = + [ (pkgs.callPackage ./components/eufy_security.nix { }) ]; + + config = { + default_config = { }; + + frontend.themes = "!include_dir_merge_named themes"; + + automation = "!include automations.yaml"; + script = "!include scripts.yaml"; + scene = "!include scenes.yaml"; + + homeassistant = { + time_zone = "America/New_York"; + name = "Home"; + latitude = "!secret latitude"; + longitude = "!secret longitude"; + elevation = "!secret elevation"; + unit_system = "us_customary"; + }; + http = { + use_x_forwarded_for = true; + trusted_proxies = [ "100.0.0.0/8" ]; + }; + }; + }; + + networking.firewall = { + allowedUDPPorts 
= [ 5353 ]; + allowedTCPPorts = [ 8123 1400 21063 21064 ]; + allowedTCPPortRanges = [{ + from = 21063; + to = 21068; + }]; + }; +} diff --git a/modules/profiles/services/home-assistant/postgresql.nix b/modules/profiles/services/home-assistant/postgresql.nix new file mode 100644 index 0000000..e14803c --- /dev/null +++ b/modules/profiles/services/home-assistant/postgresql.nix @@ -0,0 +1,22 @@ +{ profiles, ... }: { + imports = [ profiles.databases.postgresql ]; + + services.postgresql = { + ensureDatabases = [ "hass" ]; + ensureUsers = [{ + name = "hass"; + ensureDBOwnership = true; + }]; + }; + + services.postgresqlBackup.databases = [ "hass" ]; + + services.home-assistant = { + extraPackages = python3Packages: with python3Packages; [ psycopg2 ]; + + config.recorder = { + db_url = "postgresql:///hass?host=/run/postgresql"; + exclude = { entities = [ "sun.sun" "sensor.date" ]; }; + }; + }; +} diff --git a/modules/profiles/services/home-assistant/secrets.json b/modules/profiles/services/home-assistant/secrets.json new file mode 100644 index 0000000..835824d --- /dev/null +++ b/modules/profiles/services/home-assistant/secrets.json 
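Review bot: `mode = "0777";` on the `hass_secrets` template writes the decrypted coordinates and `oauth_secret` to `/var/lib/hass/secrets.yaml` world-readable and world-writable; Home Assistant runs as the `hass` user, so `owner = "hass"; group = "hass";` with the default mode is sufficient and matches how the karakeep profile in this commit handles its environment file. `trusted_proxies = [ "100.0.0.0/8" ]` is far wider than the CGNAT range a tailnet uses (100.64.0.0/10) and trusts every address in it to set `X-Forwarded-For`, which Home Assistant then uses as the client address for its login protections; narrow it to the reverse proxy, e.g. `trusted_proxies = [ "<CADDY_HOST_ADDRESS>/32" ];` (placeholder — take the address from the bastion host config). `openFirewall = true;` already opens 8123, so the explicit `8123` in `allowedTCPPorts` is redundant. The `networking.firewall` block here begins at the end of the previous source line.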
@@ -0,0 +1,46 @@ +{ + "hass_latitude": "ENC[AES256_GCM,data:aw7Soi+9Ij0=,iv:miDVTvvQnOrC7jXz1RzE5GKPttNXTdamoZPzhCdwaik=,tag:Nr36DvS2NzdQsT0P3K7TMQ==,type:str]", + "hass_longitude": "ENC[AES256_GCM,data:PzpHtlAphuo5,iv:Z+Xa6Qgi9asfiflXzeodf+ydeQ1C7PreKZ3mVhavLWI=,tag:FjBpdWQ3HIuDuysxMnZPPQ==,type:str]", + "hass_elevation": "ENC[AES256_GCM,data:FE0=,iv:gngtjh92TFbDM+vbMlk4oKU+hvgqNCpdW37crKhzstE=,tag:M4zllggHrwRvcumUfuOCBg==,type:str]", + "hass_oauth_secret": "ENC[AES256_GCM,data:n13VMKgd2n5gIz6IwcpPrgnpsdSyUMYN0pmcYE71XvNH43pCinKOd9feZlQVKmAIskNeXg469r/eQtTfjY01gkSmid9WH3Yc,iv:cf+yx6/XHO3aJjDLGrOLY4ZMMhUAPXoVfvUR7upT2VE=,tag:y/Rn7dHrB32SZ9OD9UCdAg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3NjNPc3JHaTYydlIzWnF2\nYXFITll0cVZVcUJ6YytHUUZBbXA2RzlPWlhrCjZVSU5HNk1GUnRDOVQrR1g3ODU2\nbVhiTnEyRG4yRFFoZ0Z0dlY1MzRPY2sKLS0tIFB0RTdyTkRCSjZMVUFIMVBUdVJH\nZWpsY3E4TXpuWUlFT2h4b1pITU82dW8K9vkX2wCX25l75Cro9BwEgu2GR2s8Twva\nfILDc9RqQ/1MlBqj0jWZw6cfIIXyoHXI7pqEuvdxWbWF/gFv/uRSxA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1g22ghnrdg858yv6w2ux8hgntj8gkdyjn28axdkmzyx38d4vx6geqj4px9a", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVURYQ2MvSVJKV1BQeCs3\nRGJES2JYejJjN3ZmVTI1UWVtUHNzR21vSkdvCkJtcWNKZ1ZreHI4Z1JGVzVYUXUw\nS0xWVFVOQStsMSsyNWpuUTNhNVJQSUkKLS0tIE9WRFVMbjdHVy9ZaFh0bjl0NjdU\nSFdjY1dNdU53WVphcnRHOXVwWk9nekkK/r1uPguM4/m+uE7QpKNk8tIiUsKWElki\nJXkOEcQx0XkU7ATLiKHeUD7j/NjOe6NJeBEjuns4EPes/mquOhA79w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNnFQK3ptTjhUREJIK0F2\nTzlUa0NHOGdtNUxOeGcrb2dTcy9STjlaU1g0ClFGb2JOemZhck5OaDMxRndNRll6\nUnpJMVQ5SHUzSmp1MkpaczZOYy9UdEEKLS0tIGpZMElEMXpjUFk4dVd6bDU2QjBL\nUWVjSWR1VzhOdkEza0FZSzhLbXVEYVEKOZmPRnBORt/TUl4Yonkc72EXchL+Vpwd\nORzxT+4p5tTdpS3469tMD/6V/VBXbBCGlONXOsaXi+AK/TS0MLMniA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhVWcwZjB0VnhNU3NiNzRO\nWllEdEJJM0I0VDZ1cE1TTGhBeDZzQ3l3TFU0ClBwQm1hb21nRjl4MWQwOFJZVDFl\neWUrMEg2by92emVHQld0bXp1OUJBamcKLS0tIGd4VEdsQ0JKTDB6b0tsZFdSOEZk\nWHlzUDJGdnBmQVF4amZHdkdveWRXejgKbmm312pagviQ7U+FKQkCgAoi3Gj7WBjz\nyemuCZvy26Oay3V3YB8tCLTOB2FL2efXb0VMJnlcDkhA0ZZM17bVJg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Zm9IVkY0eDlNV1RmNjQ4\nbjQwbndjVDk5cm9OdkRuaERzSkJ5Vm84UFRjCnhmS29Ed3ZFV3ZtYzJ6dUFzb2c0\nMkdKWkdFSjBKWnM3dExzYWw4Q2tTY2sKLS0tIHZXRmI1OUpidCtBc3ltcDRtTlZV\nWVg2bjlVYkZQYUl4elZMOGtoUG0vMTAKpOQLUdghoMLV2SXYEkDpqcWkkzdEZUGq\n3HMow2Y+Kb6cKDMozpH4dlG23FeIMOMaKT+gQtsfLmY8vGkpOk+bgw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15jjykch8km3l8atssu0n9us6d2xg58z0ds9s0djtdh9l954sud5szqxv29", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZll4VTN6b0JIS25zTlZq\neENJTHI0RkNQNVR4OW40cVA1U3ZvSTRCUlVJCnFxeUpYM1BEVVkwc3doZWtsZXJZ\nem1yZmR2TWcrMmg5RnV6VFIzWHo2QjAKLS0tIGRSMWx4ZEp2bEJLT1ZlVmZrNDJS\na1Z3dGc3Nnh0SGxmZEhjUXpqMFpTSUUKdEs3DQH5F3Apcybx6/vrkoHDB5p0bNqw\nPDe0Sh6rHjMIOI2GxIzkD0rFIRhFuZD71HSEALffMGw2ZaG4Wbn8lA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10jhawn266e3wr6rx0lndkl9a47ewtk6jgh35d2582uu2l7dtn4tqdqc29c", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdWU4dHZKL3RDdGJyb09r\nbm1SM2pNNE1xTDA5eGwwaGFrR2tKTGQrbmdnCmR1QmdoZVVRTllGdEgzRHZic293\nV0s1Q2x5TjJxK1d3cUJLSHN5dUtiWjAKLS0tIHVQVEZ4TklDUnZiYWp0TWE2VU4y\nNno4ZjJxN0ZoS3dFSmRwS0tPVnZrYWMKEPvncTMr7dzb+06r0ZRTKVcEEvPnl5Ay\nUeQ5sl0QuxgWkVgMp5Xrtawb6q6QoaB8aH9fqyYwj0zA9zovL8a4ow==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1x708x83pjj7urp26pncx67fqz8a3htrf0umw7c00pvmxhl6y95lszjgd6r", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WHBxemhuSW9PVmNSdHZ2\nRmh2OGp3Z2k2NlZzdExieHhrWWVFZDRGVFNjCmpiUjdyUzlhelJzN3hmdTVubm10\ncEEybXNEeDMvd2QvMkxzV2NlalNJL2MKLS0tIExOVlNqQ1hYWVRNenFIZ1ZUbkVZ\nOTRrTlEzN0hMakQwSWM3NUdJMHR6QkkK1nOkgsYknJq3hIYQqKX3KbHsq/5/giKl\npGhnD0zvcfW/auOJHbiXimPJtUp6RlryyJMBmWHER6jlX7P3gI+45g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-02T15:13:40Z", + "mac": "ENC[AES256_GCM,data:Q7Vvy/B891y5q9Mbz9FUAn1FtgC+p5IV4ylWjmf3MvLlMrYXISv6AlIan393WP5zh3I2C/uxISlehQRFaFkdPm04SLObO3zfDpV5DrGqknIY/PAxKcXG0UxqSCPDCERfC/94Gwow0GbJazvRduNy7iwQ0ReUuYw7L7UuXUpVwPo=,iv:VH4l7h7o2lTTKuxOgtQd2S6m5ubb8jzBbpxwSWJqxlg=,tag:oetpF1dUETiN6pWROyOfng==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/modules/profiles/services/karakeep/default.nix b/modules/profiles/services/karakeep/default.nix new file mode 100644 index 0000000..d02797b --- /dev/null +++ b/modules/profiles/services/karakeep/default.nix 
@@ -0,0 +1,49 @@
+{ config, ... }: {
+ sops = {
+ secrets = {
+ karakeep_nextauth_secret.sopsFile = ./secrets.json;
+ karakeep_oauth_secret.sopsFile = ./secrets.json;
+ };
+
+ templates.karakeep_environment_file = {
+ content = ''
+ NEXTAUTH_SECRET=${config.sops.placeholder.karakeep_nextauth_secret}
+ OAUTH_CLIENT_SECRET=${config.sops.placeholder.karakeep_oauth_secret}
+ '';
+ owner = "karakeep";
+ };
+ };
+
+ systemd.tmpfiles.settings."10-karakeep" = {
+ ${config.services.karakeep.extraEnvironment.DATA_DIR} = {
+ "d" = {
+ user = "karakeep";
+ group = "karakeep";
+ mode = "0700";
+ };
+ };
+ };
+
+ services.karakeep = {
+ enable = true;
+ browser.enable = true;
+ meilisearch.enable = true;
+ extraEnvironment = {
+ PORT = "4900";
+ DATA_DIR = "/var/lib/karakeep";
+
+ DISABLE_SIGNUPS = "true";
+ DISABLE_PASSWORD_AUTH = "true";
+
+ NEXTAUTH_URL = "https://karakeep.e10.camp";
+
+ OAUTH_WELLKNOWN_URL =
+ "https://auth.e10.camp/.well-known/openid-configuration";
+ OAUTH_CLIENT_ID =
+ "4_PUhlKbm03-XaIAR-tBOzaCkf6dQfhgBY-xnrewL5jsOCp0UXPsbSvnaxgLXEp6kKsqjqND";
+ OAUTH_PROVIDER_NAME = "Authelia";
+ OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
+ };
+ environmentFile = config.sops.templates.karakeep_environment_file.path;
+ };
+}
diff --git a/modules/profiles/services/karakeep/secrets.json b/modules/profiles/services/karakeep/secrets.json
new file mode 100644
index 0000000..ec44668
--- /dev/null
+++ b/modules/profiles/services/karakeep/secrets.json
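Review bot: `OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true"` is set near the end of the extraEnvironment block with nothing recording why the risk its name announces is acceptable here; the actual safeguard is the pair of lines above it, `DISABLE_SIGNUPS = "true"` and `DISABLE_PASSWORD_AUTH = "true"`, which leave Authelia as the only way an account can be created or entered, so a matching email from the IdP has no locally created account to attach itself to. Whether the id_token Authelia issues to this client asserts a verified email is not visible in this hunk, so the setting also rests on the IdP's email claim being trustworthy, and the next maintainer who re-enables signups or password login will silently remove the safeguard. I would add above that line: `# Email-based linking is only acceptable while signups and password auth stay disabled: Authelia is then the sole identity source, so an OIDC login cannot be linked to a locally created account.`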
@@ -0,0 +1,44 @@ +{ + "karakeep_nextauth_secret": "ENC[AES256_GCM,data:K+enpCT4LIascdouc4KVa4arU1YEOErsW0Y7pIBCApM3sQRmCuhqSTQAZBYqgxop,iv:GSaH++ji/eCrH/JTnMdYoZvcJPsXdEnFhshlAMSW6xw=,tag:XIXYvwS+NJe6ilRgQ+V0Bw==,type:str]", + "karakeep_oauth_secret": "ENC[AES256_GCM,data:E/TZE6yW8MT2uQGDjVMQexMcu8joONXRU8Dmo0wVzHR3rZQK8n3Dv1xZS9reKFfFs6J7hJo2FmxJxMiYTuwLREG7ejgmfmR7,iv:kRY3ZH3x2opJSCxJ5z35tmEY/28PQYdoNZ6fOf6dXzo=,tag:ZXOvs6Wppbb557QmDKKNGw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaTQyYzk1YVc5T2x3VXB0\nOUllYjNUclpNYjNmS0k0eUFpTzRicUx2bTBNCm84b1V0SURTd3oxUHArY0tBeWxl\nL1pMNWY2ekU1TGlOR05vcFAwU0FvQmMKLS0tIDhYMEorM3FGd21kWUZUYmpDeWRZ\ncjhTc0RDMzZVMGY3UHZzVVJJbHQ2MUkK5QV5l1AhtAWJC6oZFvfZT5IulXEHWG4N\nKdNTtgGDfnyXLneKSAz+PklB977s2qXya9nMa5hkNSlDayDRKqNlOg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1g22ghnrdg858yv6w2ux8hgntj8gkdyjn28axdkmzyx38d4vx6geqj4px9a", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTDFXNVRmNUVBVDRTaVB3\nVFhhZEtnL1lORjRyU0l2aHhHT2k5Q1dKNWhJCnI2ZTJGUE8xdzJTRU1qaDVOUjE1\nRGxjUWo2UHltSE9uVzNSU2FnUC9zdGMKLS0tIDlZeFgwTWdyYWFCUzVzYUZ6cE10\ncGwwUVlscDJrOUNYV0RXQXp2TTZGejQKpHf3PaVml+DZ3c2c2DvAFXp9o88WBOsr\n3M/A2k6Zf4h/zI72rXIKpr/UXfu9acB2mMg4EU+lT86ISb70EKyp5Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Sm8yQUJxNWMzRUhVdUI4\nbXZBMSt1bGhobERJNWdTdjVERnFYNU8wbGhzCkFUTTdkZnAvTmJnMkcxdXAxdHRo\nN0xRQjVjMDBxV3M4cHRieEE5RE9rTm8KLS0tIHNKdFZ0L0xPTzlmMUFsa3BmN2Ji\nNmNUUTlKTWRKcU02UFNlMUZpeFhBWGcKlF+gGIHouB8KEPBRKuXIv2DGoezDdSOE\n1ah3xqanjcskv0+mdmizxS2Fr5oRcafJ3J0wPjdRHq1dtgWIdc7MvA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": 
"age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdWlxa0ZZSzRZQ1RHSUtr\nOTdGSzlJV0lMM3dVNGxEZ3VQUFBlZ1dYalFBCjJhOWdOVmRwMlJqZEVreUpxS1Iy\nT2RmVC9HLzVOeWFSN2MzZkFkSjJWQXMKLS0tIDFXc0Q2Mkw5WkdoQmxyTmNBSEV4\nMHM3dTNjZlhoQU5QSUdqNjkra1hzNkkKFSuLLr+4cxYM4Av7c2EMtErhnemhmc7V\nd+/FiqfusOVMS4lN6TqQWQEC2GZ/Cl7RGMBn23VjZGMcjmSSVsy57Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdmVoWHREUDJZY09oaW1v\neGp6ZjcrUkorTkxYSXhacmtzQlVOQTRFbUdZCjI0elBiM0x4SVMvbnZJZSt1RDJ6\nQ2FjZHovY0RBQkJDTXY4c21QTUdPODgKLS0tIDdQUFoyMWtqTlFkbCtEUFlqZHN0\nRlFrNm1jWjQvblFlRzdFWmFvdzRYUmcKDwXrZuYDJL+pOJ3RHvN4lL21uGJE/yLV\nje08zQO6rm8q21CJABKPhzup0hpsU9D0haHq7BFt35oBdXmLB1a1tA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15jjykch8km3l8atssu0n9us6d2xg58z0ds9s0djtdh9l954sud5szqxv29", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQUR2cGE0Y0tiMThrOEJh\neHlGb1ViNlN5bGhMWEhrS0xRQzIxYUo0VzNRCkhtcVNwSUlRT2JrYmE0cFhzZlFT\naEkvcGxWb3FFMmI5TlN3ZmRsWVV0bDgKLS0tIDBBN0JJTU9jS1VlY1ZmejFQdDdY\nRzJXSmNxUmVJTlQ0UjFGMWpINDFEdGsK4mzAIsqg/+tl1MJrgCTyKlWkwGMyXvrj\ndHHOV/+5pSG+c90Q1+vDY27a0mG1S6gVLbArMtvFTL9WdHmCN0DyFg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10jhawn266e3wr6rx0lndkl9a47ewtk6jgh35d2582uu2l7dtn4tqdqc29c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYU12VjluMy9SSThQNS80\nRURPUVViTG54WjM1TDFCSVc3akpPc0lLV3ljCmpJNmVrakxKNzNpNHQ0b1dZMEdB\nOElwOUV2ZmJLeEt6OXNseEwzZVBhNEUKLS0tIGJFRWM5L0Y3VjZlMXJWMHozeEoy\nVUpCWnpZaGpKYkVBKzZKSHdGSE81SmsKXx+hT+nFrmuo+crnZjmggGrtwt6aPA+X\nmd72P87E6Rl0sxsGILkxoB4mSEyvf9LJgcE+jzbat/ITIExm1sL0Ng==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": 
"age1x708x83pjj7urp26pncx67fqz8a3htrf0umw7c00pvmxhl6y95lszjgd6r", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TE8xZXp2Q2Y1b0x4OGRj\nTTJPVGM2T2J2a0NYeFg1MXFIdWtBdVVUYmdVClBNSUdsRHNFaFVTcTVaeDJKRnFO\nTzdMSmtpMWVFUisvTHVlL1cyMW9LYk0KLS0tIHJvbTI0c1YxT3crWUtNUWRnWlJl\nckxvZ080dGZyam5GZWJyZ1JoN3lNWWsKL9W93Ip5lmCgcQSQ94cXohnAVNLi5wN5\nbgDkl7JxUKMZ1R0FJcZyubv6uzT4XpMkMEZwtU8LUSx2YzzLMxT3Mw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-13T15:46:57Z", + "mac": "ENC[AES256_GCM,data:WY4N/xwy6KDOvudXU2MsOXL6JrtrFMbdfXJVtITYvABuRKPWrzY0SvuwljGCZtpJrjIVj/s/ErmyxTqdT3eTFNX3kymezy611lUFhSx8p2Nc5/U9iQosR3DWkU2gQMMMnJcCstrrdEeaHu1HBjWdKHBCj+OByrrkwE1NGuQP7VU=,iv:3KuBaQhmmSiruvDN+i7Mm3sIebYfB8g2dKk+vXvCze0=,tag:OugzUAxjihwXiuVa3+Fd7A==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/modules/profiles/services/matter-server.nix b/modules/profiles/services/matter-server.nix new file mode 100644 index 0000000..a05ff39 --- /dev/null +++ b/modules/profiles/services/matter-server.nix @@ -0,0 +1,6 @@ +{ + services.matter-server = { + enable = true; + openFirewall = true; + }; +}
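Review bot: `openFirewall = true;` in the new matter-server.nix opens the service's port on every interface, and as far as I know the matter-server WebSocket API carries no authentication of its own, so the host firewall was the only control in front of it. If the only consumer is a Home Assistant instance on the same host, the opening is unnecessary and should be dropped; if the consumer is remote, scope it to the trusted interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ config.services.matter-server.port ];` in place of `openFirewall = true;` (with `config` added to the module arguments). The secrets.json hunk that precedes it on this line is sops output and needs no review.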