I haven't slept for 24 hours I literally couldn't care less

2026-01-20 22:14:14 -05:00 · 2026-01-15 22:59:57 -05:00 · 2026-01-15 22:59:57 -05:00 · f24fc3fea2
commit f24fc3fea2
parent 5b53eff0f3
9 changed files with 72 additions and 58 deletions
--- a/flake.lock
+++ b/flake.lock
@ -308,11 +308,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768333551,
-        "narHash": "sha256-6NHNKXhqYmd2qijZlzJQPL4Tj8m6BjtaapW+6JBSibM=",
+        "lastModified": 1768736546,
+        "narHash": "sha256-xaV4wHscyAmx81otKSk0KtjKrJLNQubcCsn4hFtnxMc=",
        "ref": "refs/heads/master",
-        "rev": "ae5835ad7cdeb9953b416de89bf265ac697f956d",
-        "revCount": 167,
+        "rev": "4a28f177c02450a7ef951fc4858e61e9cba67001",
+        "revCount": 171,
        "type": "git",
        "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
      },
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@ -47,8 +47,6 @@
      # Hosted services
      "modules/services/mealie"
      "modules/services/actualbudget"
-      #      "modules/services/frigate"
-      "modules/services/homepage"
      "modules/services/mqtt"
      "modules/services/lubelogger"
      "modules/services/trilium"
--- a/modules/quadlets/frigate/default.nix
+++ b/modules/quadlets/frigate/default.nix
@ -25,6 +25,9 @@ let
        enabled = true;
        host = "host.containers.internal";
        port = 1883;
+        topic_prefix = "frigate";
+        user = "{FRIGATE_MQTT_USER}";
+        password = "{FRIGATE_MQTT_PASSWORD}";
      };
      ui = {
        timezone = "America/New_York";
@ -78,7 +81,7 @@ let
      ####################
      record = {
        enabled = true;
-        retain.days = 0; # as per official documentation
+        continuous.days = 0; # as per official documentation
        alerts.retain.days = 14;
        detections.retain.days = 14;
      };
@ -146,11 +149,19 @@ in
  sops = {
    templates."frigate_env".content = ''
      FRIGATE_JWT_SECRET=${config.sops.placeholder."frigate/jwt"}
+      FRIGATE_MQTT_USER=${config.sops.placeholder."frigate/mqtt/user"}
+      FRIGATE_MQTT_PASSWORD=${config.sops.placeholder."frigate/mqtt/pass"}
    '';
    secrets = {
      "frigate/jwt" = {
        sopsFile = "${sopsFolder}/services.yaml";
      };
+      "frigate/mqtt/user" = {
+        sopsFile = "${sopsFolder}/services.yaml";
+      };
+      "frigate/mqtt/pass" = {
+        sopsFile = "${sopsFolder}/services.yaml";
+      };
    };
  };
  systemd.tmpfiles.rules = [
@ -163,7 +174,7 @@ in
  virtualisation.quadlet = {
    containers = {
      frigate.containerConfig = {
-        image = "ghcr.io/blakeblackshear/frigate:0.17.0-beta1";
+        image = "ghcr.io/blakeblackshear/frigate:0.17.0-beta2";
        environmentFiles = [ config.sops.templates."frigate_env".path ];
        devices = [
          "/dev/bus/usb:/dev/bus/usb"
--- a/modules/services/actualbudget/default.nix
+++ b/modules/services/actualbudget/default.nix
@ -85,8 +85,6 @@ in
        reverse_proxy http://10.88.0.12
      '';
      "api.budget.wanderingcrow.net".extraConfig = ''
-        @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
-        abort @block
        reverse_proxy http://10.88.0.13:5007
      '';
    };
--- a/modules/services/fail2ban/default.nix
+++ b/modules/services/fail2ban/default.nix
@ -11,8 +11,5 @@
    extraPackages = [
      pkgs.curl
    ];
-    ignoreIP = [
-      inputs.nix-secrets.network.primary.publicIP
-    ];
  };
 }
--- a/modules/services/mqtt/default.nix
+++ b/modules/services/mqtt/default.nix
@ -1,14 +1,27 @@
+{ inputs, config, ... }:
+let
+  sopsFolder = inputs.nix-secrets + "/sops";
+in
 {
+  sops.secrets."frigate/mqtt/pass" = {
+    sopsFile = "${sopsFolder}/services.yaml";
+  };
  services.mosquitto = {
    enable = true;
    listeners = [
      {
-        acl = ["pattern readwrite #"];
-        omitPasswordAuth = true;
-        settings.allow_anonymous = true;
+        port = 1883;
+        users = {
+          frigate = {
+            passwordFile = config.sops.secrets."frigate/mqtt/pass".path;
+            acl = [
+              "readwrite frigate/#"
+            ];
+          };
+        };
      }
    ];
  };

-  networking.firewall.allowedTCPPorts = [1883];
+  networking.firewall.allowedTCPPorts = [ 1883 ];
 }
--- a/modules/services/ollama/proxy.nix
+++ b/modules/services/ollama/proxy.nix
@ -1,8 +1,7 @@
-{inputs, ...}: {
+{ inputs, ... }:
+{
  services.caddy = {
    enable = true;
-    #@block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges 72.213.172.231
-    #abort @block
    virtualHosts."chat.wanderingcrow.net".extraConfig = ''
      reverse_proxy http://192.168.0.72:3000
    '';
--- a/modules/services/openhab/default.nix
+++ b/modules/services/openhab/default.nix
@ -1,41 +1,40 @@
 let
  volumePath = "/overseer/services";
 in
-  {
-    lib,
-    config,
-    inputs,
-    ...
-  }: {
-    systemd.tmpfiles.rules = [
-      "d ${volumePath}/openhab"
-      "d ${volumePath}/openhab/conf"
-      "d ${volumePath}/openhab/userdata"
-      "d ${volumePath}/openhab/addons"
-    ];
-    ###########
-    # Service #
-    ###########
+{
+  lib,
+  config,
+  inputs,
+  ...
+}:
+{
+  systemd.tmpfiles.rules = [
+    "d ${volumePath}/openhab"
+    "d ${volumePath}/openhab/conf"
+    "d ${volumePath}/openhab/userdata"
+    "d ${volumePath}/openhab/addons"
+  ];
+  ###########
+  # Service #
+  ###########

-    virtualisation.oci-containers = {
-      backend = "podman";
-      containers."openhab" = {
-        image = "openhab/openhab:milestone";
-        extraOptions = ["--ip=10.88.0.9"];
-        volumes = [
-          "${volumePath}/openhab/conf:/openhab/conf"
-          "${volumePath}/openhab/userdata:/openhab/userdata"
-          "${volumePath}/openhab/addons:/openhab/addons"
-        ];
-      };
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers."openhab" = {
+      image = "openhab/openhab:milestone";
+      extraOptions = [ "--ip=10.88.0.9" ];
+      volumes = [
+        "${volumePath}/openhab/conf:/openhab/conf"
+        "${volumePath}/openhab/userdata:/openhab/userdata"
+        "${volumePath}/openhab/addons:/openhab/addons"
+      ];
    };
+  };

-    services.caddy = {
-      enable = true;
-      virtualHosts."openhab.wanderingcrow.net".extraConfig = ''
-        @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
-        abort @block
-        reverse_proxy http://10.88.0.9:8080
-      '';
-    };
-  }
+  services.caddy = {
+    enable = true;
+    virtualHosts."openhab.wanderingcrow.net".extraConfig = ''
+      reverse_proxy http://10.88.0.9:8080
+    '';
+  };
+}
--- a/modules/services/system-logging/proxy.nix
+++ b/modules/services/system-logging/proxy.nix
@ -2,12 +2,11 @@
  config,
  inputs,
  ...
-}: {
+}:
+{
  services.caddy = {
    enable = true;
    virtualHosts."logs.wanderingcrow.net".extraConfig = ''
-      @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
-      abort @block
      reverse_proxy http://${builtins.toString config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}
    '';
  };