From f24fc3fea2aa66af82eefebc32f4dcbf75d6b328 Mon Sep 17 00:00:00 2001
From: TheWanderingCrow
Date: Thu, 15 Jan 2026 22:59:57 -0500
Subject: [PATCH] I haven't slept for 24 hours I literally couldn't care less

---
 flake.lock | 8 +--
 hosts/nixos/HandlerOne/default.nix | 2 -
 modules/quadlets/frigate/default.nix | 15 ++++-
 modules/services/actualbudget/default.nix | 2 -
 modules/services/fail2ban/default.nix | 3 -
 modules/services/mqtt/default.nix | 21 +++++--
 modules/services/ollama/proxy.nix | 5 +-
 modules/services/openhab/default.nix | 69 +++++++++++------------
 modules/services/system-logging/proxy.nix | 5 +-
 9 files changed, 72 insertions(+), 58 deletions(-)

diff --git a/flake.lock b/flake.lock
index 71c5270..a8b862a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -308,11 +308,11 @@
 ]
 },
 "locked": {
- "lastModified": 1768333551,
- "narHash": "sha256-6NHNKXhqYmd2qijZlzJQPL4Tj8m6BjtaapW+6JBSibM=",
+ "lastModified": 1768736546,
+ "narHash": "sha256-xaV4wHscyAmx81otKSk0KtjKrJLNQubcCsn4hFtnxMc=",
 "ref": "refs/heads/master",
- "rev": "ae5835ad7cdeb9953b416de89bf265ac697f956d",
- "revCount": 167,
+ "rev": "4a28f177c02450a7ef951fc4858e61e9cba67001",
+ "revCount": 171,
 "type": "git",
 "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
 },
diff --git a/hosts/nixos/HandlerOne/default.nix b/hosts/nixos/HandlerOne/default.nix
index a47157e..e4fa243 100644
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@@ -47,8 +47,6 @@
 # Hosted services
 "modules/services/mealie"
 "modules/services/actualbudget"
- # "modules/services/frigate"
- "modules/services/homepage"
 "modules/services/mqtt"
 "modules/services/lubelogger"
 "modules/services/trilium"
diff --git a/modules/quadlets/frigate/default.nix b/modules/quadlets/frigate/default.nix
index fada432..f10a131 100644
--- a/modules/quadlets/frigate/default.nix
+++ b/modules/quadlets/frigate/default.nix
@@ -25,6 +25,9 @@ let
 enabled = true;
 host = "host.containers.internal";
 port = 1883;
+ topic_prefix = "frigate";
+ user = "{FRIGATE_MQTT_USER}";
+ password = "{FRIGATE_MQTT_PASSWORD}";
 };
 ui = {
 timezone = "America/New_York";
@@ -78,7 +81,7 @@ let
 ####################
 record = {
 enabled = true;
- retain.days = 0; # as per official documentation
+ continuous.days = 0; # as per official documentation
 alerts.retain.days = 14;
 detections.retain.days = 14;
 };
@@ -146,11 +149,19 @@ in
 sops = {
 templates."frigate_env".content = ''
 FRIGATE_JWT_SECRET=${config.sops.placeholder."frigate/jwt"}
+ FRIGATE_MQTT_USER=${config.sops.placeholder."frigate/mqtt/user"}
+ FRIGATE_MQTT_PASSWORD=${config.sops.placeholder."frigate/mqtt/pass"}
 '';
 secrets = {
 "frigate/jwt" = {
 sopsFile = "${sopsFolder}/services.yaml";
 };
+ "frigate/mqtt/user" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
+ "frigate/mqtt/pass" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
 };
 };
 systemd.tmpfiles.rules = [
@@ -163,7 +174,7 @@ in
 virtualisation.quadlet = {
 containers = {
 frigate.containerConfig = {
- image = "ghcr.io/blakeblackshear/frigate:0.17.0-beta1";
+ image = "ghcr.io/blakeblackshear/frigate:0.17.0-beta2";
 environmentFiles = [ config.sops.templates."frigate_env".path ];
 devices = [
 "/dev/bus/usb:/dev/bus/usb"
diff --git a/modules/services/actualbudget/default.nix b/modules/services/actualbudget/default.nix
index ec86043..787256b 100644
--- a/modules/services/actualbudget/default.nix
+++ b/modules/services/actualbudget/default.nix
@@ -85,8 +85,6 @@ in
 reverse_proxy http://10.88.0.12
 '';
 "api.budget.wanderingcrow.net".extraConfig = ''
- @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
- abort @block
 reverse_proxy http://10.88.0.13:5007
 '';
 };
diff --git a/modules/services/fail2ban/default.nix b/modules/services/fail2ban/default.nix
index 3588cd9..2e86289 100644
--- a/modules/services/fail2ban/default.nix
+++ b/modules/services/fail2ban/default.nix
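Review bot: `image = "ghcr.io/blakeblackshear/frigate:0.17.0-beta2"` in the last frigate hunk moves from one mutable pre-release tag to another with no digest, so the image actually pulled can change without any change to this file. Pinning by digest, `image = "ghcr.io/blakeblackshear/frigate:0.17.0-beta2@sha256:<digest-placeholder>";`, keeps the deployment reproducible and turns the next bump into an explicit diff. A one-line comment above it recording when and why the tag was bumped would also help, since the commit message gives no reason.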
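Review bot: Dropping the `@block not remote_ip … private_ranges` / `abort @block` pair leaves `api.budget.wanderingcrow.net` reachable from any source address, so the only remaining control on that vhost is whatever authentication the upstream at `http://10.88.0.13:5007` enforces; the openhab and system-logging hunks remove the same matcher from `openhab.wanderingcrow.net` and `logs.wanderingcrow.net`. Nothing in the diff or commit message records why the allow-list went away, so a comment inside the extraConfig such as `# remote_ip allow-list removed <date>: <reason>` would preserve the decision for the next reader. If the motivation was a changed client address rather than deliberately opening the endpoints, keeping the matcher and updating the address in the secrets input would be the narrower fix.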
@@ -11,8 +11,5 @@
 extraPackages = [
 pkgs.curl
 ];
- ignoreIP = [
- inputs.nix-secrets.network.primary.publicIP
- ];
 };
 }
diff --git a/modules/services/mqtt/default.nix b/modules/services/mqtt/default.nix
index 52404f2..21aaa1f 100644
--- a/modules/services/mqtt/default.nix
+++ b/modules/services/mqtt/default.nix
@@ -1,14 +1,27 @@
+{ inputs, config, ... }:
+let
+ sopsFolder = inputs.nix-secrets + "/sops";
+in
 {
+ sops.secrets."frigate/mqtt/pass" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
 services.mosquitto = {
 enable = true;
 listeners = [
 {
- acl = ["pattern readwrite #"];
- omitPasswordAuth = true;
- settings.allow_anonymous = true;
+ port = 1883;
+ users = {
+ frigate = {
+ passwordFile = config.sops.secrets."frigate/mqtt/pass".path;
+ acl = [
+ "readwrite frigate/#"
+ ];
+ };
+ };
 }
 ];
 };
- networking.firewall.allowedTCPPorts = [1883];
+ networking.firewall.allowedTCPPorts = [ 1883 ];
 }
diff --git a/modules/services/ollama/proxy.nix b/modules/services/ollama/proxy.nix
index ecef18c..f3ca64d 100644
--- a/modules/services/ollama/proxy.nix
+++ b/modules/services/ollama/proxy.nix
@@ -1,8 +1,7 @@
-{inputs, ...}: {
+{ inputs, ... }:
+{
 services.caddy = {
 enable = true;
- #@block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges 72.213.172.231
- #abort @block
 virtualHosts."chat.wanderingcrow.net".extraConfig = ''
 reverse_proxy http://192.168.0.72:3000
 '';
diff --git a/modules/services/openhab/default.nix b/modules/services/openhab/default.nix
index 9794c83..6e2ee6d 100644
--- a/modules/services/openhab/default.nix
+++ b/modules/services/openhab/default.nix
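Review bot: `passwordFile = config.sops.secrets."frigate/mqtt/pass".path` in the mqtt hunk points at a sops-nix secret declared with no `owner`, `group` or `mode`, which sops-nix installs root-owned and root-readable only; whether the mosquitto unit, which runs under its own service user, can read it depends on how the NixOS module consumes `passwordFile` (it may do so in a root-run pre-start step), so confirm that on the host or set `owner` on the secret explicitly. The same `sops.secrets."frigate/mqtt/pass"` is declared again in `modules/quadlets/frigate/default.nix` in this patch; the module system merges duplicate declarations, but any `owner`/`mode` added on one side has to agree with the other or evaluation fails. The listener now sets `port = 1883` with no `address`, so together with `networking.firewall.allowedTCPPorts = [ 1883 ]` it accepts connections on every interface; if only the podman bridge (`host.containers.internal` in the frigate config) needs the broker, an `address` on the listener or an interface-scoped firewall rule would narrow the exposure.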
@@ -1,41 +1,40 @@
 let
 volumePath = "/overseer/services";
 in
- {
- lib,
- config,
- inputs,
- ...
- }: {
- systemd.tmpfiles.rules = [
- "d ${volumePath}/openhab"
- "d ${volumePath}/openhab/conf"
- "d ${volumePath}/openhab/userdata"
- "d ${volumePath}/openhab/addons"
- ];
- ###########
- # Service #
- ###########
+{
+ lib,
+ config,
+ inputs,
+ ...
+}:
+{
+ systemd.tmpfiles.rules = [
+ "d ${volumePath}/openhab"
+ "d ${volumePath}/openhab/conf"
+ "d ${volumePath}/openhab/userdata"
+ "d ${volumePath}/openhab/addons"
+ ];
+ ###########
+ # Service #
+ ###########
- virtualisation.oci-containers = {
- backend = "podman";
- containers."openhab" = {
- image = "openhab/openhab:milestone";
- extraOptions = ["--ip=10.88.0.9"];
- volumes = [
- "${volumePath}/openhab/conf:/openhab/conf"
- "${volumePath}/openhab/userdata:/openhab/userdata"
- "${volumePath}/openhab/addons:/openhab/addons"
- ];
- };
+ virtualisation.oci-containers = {
+ backend = "podman";
+ containers."openhab" = {
+ image = "openhab/openhab:milestone";
+ extraOptions = [ "--ip=10.88.0.9" ];
+ volumes = [
+ "${volumePath}/openhab/conf:/openhab/conf"
+ "${volumePath}/openhab/userdata:/openhab/userdata"
+ "${volumePath}/openhab/addons:/openhab/addons"
+ ];
 };
+ };
- services.caddy = {
- enable = true;
- virtualHosts."openhab.wanderingcrow.net".extraConfig = ''
- @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
- abort @block
- reverse_proxy http://10.88.0.9:8080
- '';
- };
- }
+ services.caddy = {
+ enable = true;
+ virtualHosts."openhab.wanderingcrow.net".extraConfig = ''
+ reverse_proxy http://10.88.0.9:8080
+ '';
+ };
+}
diff --git a/modules/services/system-logging/proxy.nix b/modules/services/system-logging/proxy.nix
index ac0f923..31ead83 100644
--- a/modules/services/system-logging/proxy.nix
+++ b/modules/services/system-logging/proxy.nix
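Review bot: With the `@block` line gone, `inputs` in the module arguments `{ lib, config, inputs, ... }:` has no remaining reference anywhere in this file (the hunk covers the whole file apart from two collapsed blank lines), and `lib` and `config` were already unreferenced before this change. Nix accepts unused arguments silently, so either trim the header to `{ ... }:` or leave a comment stating why the three names are kept. The system-logging hunk leaves `inputs` in the same unused state after its own `@block` removal, as far as its visible lines show.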
@@ -2,12 +2,11 @@
 config,
 inputs,
 ...
-}: {
+}:
+{
 services.caddy = {
 enable = true;
 virtualHosts."logs.wanderingcrow.net".extraConfig = ''
- @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
- abort @block
 reverse_proxy http://${builtins.toString config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}
 '';
 };