homelab framework module init (everything is a mess)

2025-07-28 02:05:13 +02:00 · 2025-07-28 02:05:13 +02:00 · bcbcc8b17b
commit bcbcc8b17b
parent 0347f4d325
94 changed files with 7289 additions and 436 deletions
--- a/hosts/photos/default.nix
+++ b/hosts/photos/default.nix
@ -0,0 +1,28 @@
+{
+  outputs,
+  name,
+  ...
+}: let
+in {
+  imports = [
+    outputs.nixosModules.ente
+    ./ente.nix
+    # ./minio.nix
+  ];
+
+  homelab = {
+    enable = true;
+    hostname = name;
+    tags = [name];
+
+    monitoring.enable = true;
+    motd.enable = true;
+    services = {
+      minio.enable = true;
+    };
+  };
+
+  deployment.tags = ["ente"];
+
+  system.stateVersion = "25.05";
+}
--- a/hosts/photos/ente.nix
+++ b/hosts/photos/ente.nix
@ -0,0 +1,73 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets."ente/minio/root_password".owner = "ente";
+  sops.secrets."ente/minio/root_user".owner = "ente";
+  sops.secrets."service_accounts/ente/password".owner = "ente";
+
+  environment.systemPackages = with pkgs; [
+    ente-cli
+  ];
+
+  services.ente.api = {
+    enable = true;
+    enableLocalDB = true;
+
+    domain = "ente-museum.procopius.dk";
+    settings = {
+      # apps = {
+      #   accounts = "https://accounts.procopius.dk";
+      #   cast = "https://cast.procopius.dk";
+      #   public-albums = "https://albums.procopius.dk";
+      # };
+
+      smtp = {
+        host = "mail.procopius.dk";
+        port = "465";
+        username = "ente@procopius.dk";
+        password._secret = config.sops.secrets."service_accounts/ente/password".path;
+        # The email address from which to send the email. Set this to an email
+        # address whose credentials you're providing.
+        email = "ente@procopius.dk";
+        # Optional override for the sender name in the emails. If specified, it will
+        # be used for all emails sent by the instance (default is email specific).
+        sender-name = "ente";
+      };
+      internal.admins = [
+        1580559962386438
+      ];
+      s3 = {
+        use_path_style_urls = true;
+        b2-eu-cen = {
+          endpoint = "https://ente-minio-api.procopius.dk";
+          region = "us-east-1";
+          bucket = "ente";
+          key._secret = config.sops.secrets."ente/minio/root_user".path;
+          secret._secret = config.sops.secrets."ente/minio/root_password".path;
+        };
+      };
+    };
+  };
+  services.ente.web = {
+    enable = true;
+    domains = {
+      api = "ente-museum.procopius.dk";
+      accounts = "ente-accounts.procopius.dk";
+      albums = "ente-albums.procopius.dk";
+      cast = "ente-cast.procopius.dk";
+      photos = "ente-photos.procopius.dk";
+      auth = "ente-auth.procopius.dk";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    3000
+    3001
+    3002
+    3003
+    3004
+    8080
+  ];
+}
--- a/hosts/photos/minio.nix
+++ b/hosts/photos/minio.nix
@ -0,0 +1,35 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  sops.secrets."ente/minio/root_user" = {};
+  sops.secrets."ente/minio/root_password" = {};
+
+  sops.templates."minio-root-credentials".content = ''
+    MINIO_ROOT_USER=${config.sops.placeholder."ente/minio/root_user"}
+    MINIO_ROOT_PASSWORD=${config.sops.placeholder."ente/minio/root_password"}
+  '';
+
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = config.sops.templates."minio-root-credentials".path;
+  };
+
+  systemd.services.minio = {
+    environment.MINIO_SERVER_URL = "https://ente-minio-api.procopius.dk";
+    postStart = ''
+      # Wait until minio is up
+      ${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"
+
+      # Make sure bucket exists
+      mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/ente
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    9000
+    9001
+  ];
+}