update

Author: Vanderscycle

nix-darwin/flakes/monolith/configuration.nix

@@ -19,7 +19,8 @@
     ./hardware-configuration.nix
     ./fstab.nix
     ./traefik.nix
-    inputs.sops-nix.nixosModules.sops
+    ./sops.nix
+    ./services
   ];
 
   nix = {
@@ -83,96 +84,12 @@
     sops
     git
     vim
+    tree
     sysz
     samba
     openssl
   ];
 
-  # secrets
-  # if you change the secret strucutre you must first create the new secret and then rebuild and then change its reference in the config
-  sops = {
-    defaultSopsFile = ./secrets/secrets.yaml;
-    defaultSopsFormat = "yaml";
-
-    age.keyFile = "/home/${meta.username}/.config/sops/age/keys.txt";
-    secrets = {
-      # factorio
-      "factorio/game-password" = {
-        owner = meta.username;
-      };
-      "factorio/token" = {
-        owner = meta.username;
-      };
-      "factorio/admin" = {
-        owner = meta.username;
-      };
-      # paperless
-      "paperless/admin/password" = {
-        owner = meta.username;
-      };
-      "paperless/admin/username" = {
-        owner = meta.username;
-      };
-      "paperless/admin/email" = {
-        owner = meta.username;
-      };
-      # smb root user
-      "home-server/rice/password" = {
-        owner = "root";
-      };
-      "home-server/rice/user" = {
-        owner = "root";
-      };
-      # docker
-      "docker/homarr/enc_key" = {
-        owner = "root";
-      };
-      # smb systemd user
-      "home-server/systemd/password" = {
-        owner = meta.username;
-      };
-      "home-server/systemd/user" = {
-        owner = meta.username;
-      };
-      # nextcloud
-      "nextcloud/admin/password" = {
-        owner = "root";
-      };
-    };
-  };
-  systemd.services."smbcreds_fam_root" = {
-    script = ''
-      echo "user=$(cat ${config.sops.secrets."home-server/rice/user".path})" > /root/smbcreds_fam
-      echo "password=$(cat ${config.sops.secrets."home-server/rice/password".path})" >> /root/smbcreds_fam
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      User = "root";
-      WorkingDirectory = "/root/";
-    };
-    # Make it run immediately after each system rebuild
-    wantedBy = [ "multi-user.target" ];
-  };
-
-  # TODO: change the user
-  systemd.services."smbcreds_fam_general" = {
-    script = ''
-      echo "user=$(cat ${
-        config.sops.secrets."home-server/systemd/user".path
-      })" > "/home/${meta.username}/smbcreds_fam_user"
-      echo "password=$(cat ${
-        config.sops.secrets."home-server/systemd/password".path
-      })" >> "/home/${meta.username}/smbcreds_fam_user"
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      User = meta.username;
-      WorkingDirectory = "/home/${meta.username}";
-    };
-    # Make it run immediately after each system rebuild
-    wantedBy = [ "multi-user.target" ];
-  };
-
   systemd.tmpfiles.rules = [
     # Copy/Link the save file (use either C or L)
     "C /var/lib/factorio/saves/save1.zip - - - - ${builtins.path { path = ./save1.zip; }}"
@@ -272,13 +189,17 @@
   systemd.services.n8n.environment = {
     N8N_SECURE_COOKIE = "false";
     N8N_LISTEN_ADDRESS = "0.0.0.0";
-    # N8N_PATH = "/n8n";
+    N8N_METRICS = "true"; # prometheus
+    # N8N_PATH = "/n8n"; # base url
   };
   services.gitea = {
     enable = true;
     settings = {
       # server.ROOT_URL = "http://0.0.0.0/gitea/";
       server.HTTP_PORT = 3001;
+      metrics = {
+        ENABLED = true;
+      };
     };
   };
   environment.etc."nextcloud-admin-pass".text =
@@ -385,38 +306,27 @@
   services.prometheus = {
     enable = true;
     port = 4011;
-  };
-  # systemd.services.paperless = {
-  #   wants = [ "mnt-paperless.mount" ];
-  #   after = [ "mnt-paperless.mount" ];
-  #   serviceConfig = {
-  #     ProtectSystem = "no";
-  #     ProtectHome = false;
-  #     PrivateTmp = false;
-  #     PrivateDevices = false;
-  #     ReadOnlyPaths = [ ];
-  #     ReadWritePaths = [ "/mnt/paperless" ];
-  #   };
-  # };
-
-  services.paperless = {
-    enable = true;
-    port = 28981;
-    address = "localhost";
-    settings = {
-      # https://docs.paperless-ngx.com/configuration/
-      # PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
-      # PAPERLESS_STATIC_URL = "/paperless/";
-
-      # PAPERLESS_CONSUMPTION_DIR = "/mnt/paperless/consume";
-      # PAPERLESS_DATA_DIR = "/mnt/paperless/data";
-      # PAPERLESS_MEDIA_ROOT = "/mnt/paperless/media";
-      # PAPERLESS_STATICDIR = "/mnt/paperless/static";
-
-      PAPERLESS_ADMIN_USER = builtins.readFile config.sops.secrets."paperless/admin/username".path;
-      PAPERLESS_ADMIN_MAIL = builtins.readFile config.sops.secrets."paperless/admin/email".path;
-      PAPERLESS_ADMIN_PASSWORD = builtins.readFile config.sops.secrets."paperless/admin/password".path;
+    exporters.node = {
+      enable = true;
     };
+    scrapeConfigs = [
+      {
+        job_name = "n8n";
+        static_configs = [
+          {
+            targets = [ "n8n.homecloud.lan" ];
+          }
+        ];
+      }
+      {
+        job_name = "gitea";
+        static_configs = [
+          {
+            targets = [ "gitea.homecloud.lan" ];
+          }
+        ];
+      }
+    ];
   };
 
   services.transmission = {
@@ -447,9 +357,6 @@
   networking = {
     hosts = {
       "192.168.4.129" = [
-        "nextcloud.local"
-        "gitea.local"
-        "n8n.local"
       ];
     };
     defaultGateway = "192.168.4.1"; # Point to Proxmox

nix-darwin/flakes/monolith/secrets/secrets.yaml

@@ -1,40 +1,40 @@
-game-password: ENC[AES256_GCM,data:MQwNMfEk5VGFkvAwhYSZGw==,iv:ZmspiIzdMabZZR/51hVf2wybfKxm8zZEUGh831pBsYQ=,tag:s0NQPqquIb9EuW49bxx67A==,type:str]
-admin: ENC[AES256_GCM,data:N84wluTCsQEghAs=,iv:7d6ff9p7nQixuKmP2ZJQ4Oh90l8WO9qA0gX6g6YFiF0=,tag:wmH545nSEeE/aCvd8atSeg==,type:str]
-token: ENC[AES256_GCM,data:NRMmfGJxScikUGcTOWxWVcnb/CcAG7Iow0caHPuY,iv:MCcYF+odmJa7PIXGqIdR1T+0GCvsh1CEBazWFuawoms=,tag:zS1vpKyQOfFDgLwtnaB/UQ==,type:str]
+game-password: ENC[AES256_GCM,data:D3yA1Hhms+EKwmVashSh7w==,iv:K9uPoQAG3gu56NmlV6+iHu+eGpw3EYNtzZ+1Hz8ervQ=,tag:K6X6TJi+f0vQpFh2rKjcbg==,type:str]
+admin: ENC[AES256_GCM,data:ULENnDB0imv57Q0=,iv:00s70iks/MNEjKqIgXhiT+itarw2pTqIKgxugFfBFA8=,tag:zZ23xRF1gthaEyd1A9dMgw==,type:str]
+token: ENC[AES256_GCM,data:202352gHcQ2x8/ZzdQMi4t2HREZoclT+GpfkakwY,iv:UZJKrUYhjvClsLGPgSav0v0u1iDo/LjyTA6xuVXsnSE=,tag:713G5kTG4toZir71iL4iQQ==,type:str]
 factorio:
-    game-password: ENC[AES256_GCM,data:14xapHt2pjY/D03JmIvZ8g==,iv:1cZcMnGCHcimDRj1eIZkPO5/txO5PgzDl4hncFavvHM=,tag:JrR4pp/vMUqtSEbGRkQ55Q==,type:str]
-    admin: ENC[AES256_GCM,data:U9WOCnBSG01u5Ac=,iv:4mJyDg0PIDWgJUwEpWNO8BIjF/XH2z0bbdiLUoU9/sY=,tag:iH139ItX2hEhcMin5Th1/A==,type:str]
-    token: ENC[AES256_GCM,data:bX+R061FkP1FnSA/TzWCRnVc26FuUUZbvLZcW5YQ,iv:Oi/iZnEczUJxLpBqr1hc5O63+a0rdy9gUn8aqkcdRwM=,tag:zXNSdE1X/jdwEEY/w4cbPA==,type:str]
+    game-password: ENC[AES256_GCM,data:K4nW5eS+pcYXTT4x1r7kBQ==,iv:t9AkZLdW27WMUgPeZWKb3F4QsfozpTtQcMYmHYx7u+M=,tag:5Yc2B54RfW8YiBgnD/zFpw==,type:str]
+    admin: ENC[AES256_GCM,data:Btf2joNz2rMcfzs=,iv:+nErFlClsiS8u7zCyIUNvoSd1SrrX4tow+FvynBWCgU=,tag:phq7cOyMuA9dkyAUTyhD9g==,type:str]
+    token: ENC[AES256_GCM,data:J/hgqD83JpEfp20oRBkUO4zQXFpLjaZSM0fZxNT7,iv:2nNCxmn63nHjK+aZ7BR5WdZSw8sswIDVdtF7n3+Iw3A=,tag:/HJ/ywaEfDG+HaHXJMP0mg==,type:str]
 home-server:
     systemd:
-        user: ENC[AES256_GCM,data:wAn+d+TK,iv:7Vhr6nLkc5sdaABF44Ly/lsaSODRWiamRco/SVwYpUg=,tag:aZIhpZRQ+95ywBXxoR01PQ==,type:str]
-        password: ENC[AES256_GCM,data:m1bxR5u1edAxLg==,iv:Qj2R87hERS1Og52k7OvCrxtCGl7ncxJjofS86ShVsXc=,tag:No5oVG4bjLThzq8ZDoP4rQ==,type:str]
+        user: ENC[AES256_GCM,data:bxMVoR49,iv:8EOUrZUF1gTagkgKv1w1Hq+wdPbYhbNks2n7KvHoMNQ=,tag:ZkE1hahrZRWXo6QBdL5q+g==,type:str]
+        password: ENC[AES256_GCM,data:IxhNQRRYXxZHjg==,iv:kOYJU04kSghPgG/y9Ami3LZPoDpg/uZKNG9xb/XxYas=,tag:yYzcLIMmkekieQbZAZhOkw==,type:str]
     rice:
-        user: ENC[AES256_GCM,data:2twGfFja,iv:Q+rhT4t6MZB1PV5lmnhJgjA67v6K6ulJvPerJznbOGc=,tag:EZonu+RQbsRGq8t1ER3Wrw==,type:str]
-        password: ENC[AES256_GCM,data:nKX56agLCaORcw==,iv:ZgY8rW/A0112eCqxMFPlbvhYL0IekaeVmMztpvRgIN4=,tag:7IjUcp0K3NFWuM78AMiAcg==,type:str]
+        user: ENC[AES256_GCM,data:kfHkP5BU,iv:v7IhxiW9u9UukkPd8cbeydzjdTuNKTZHVgdQFZqniq0=,tag:YsKM8dQybrDPHMabRLM0HA==,type:str]
+        password: ENC[AES256_GCM,data:eMPay82SEjzRyQ==,iv:D3DFud1jqbOrk/hBQCXilgWORWmNhtKbS4Cjbeb4Bls=,tag:SOSmdCK9T6KU8FPYioZ8mw==,type:str]
 nextcloud:
     admin:
-        password: ENC[AES256_GCM,data:wnm+iv/TX2JJUQ==,iv:XDBMX8OBgF1PZU8fBiebNJH5lsFEU/yEz5SsxdptqjY=,tag:mVRm/FkcFMA3LxZSaxqBsA==,type:str]
+        password: ENC[AES256_GCM,data:tPhuahnM57THOg==,iv:iShg8ZZh18AQphI24X6551FDKT/acehfTdwPgQjOlb4=,tag:HNdPnmBt+Wt/USfW1jh4kg==,type:str]
 paperless:
     admin:
-        username: ENC[AES256_GCM,data:BIru0G4=,iv:BZDQ4ySXtvqXNu6Q+yl2QcvwbNtQqmcgDQE/XOCkOGg=,tag:Dd2CTyERsPPUlv/9yc/3xg==,type:str]
-        password: ENC[AES256_GCM,data:G4KTuD4mBm6u,iv:rt8VlAhaj86XGvthorGKm4hKkgMeBjQSTLLrkVoY0L0=,tag:VBX9xAlrwD78k+DXJWpsuA==,type:str]
-        email: ENC[AES256_GCM,data:hF+8wo8xhTr4wRuYnVC81aMDHKNWrWJLwul1L/vXmOYQ,iv:NYTju0fh7H2M621YWU8itM/UF3c4L0wU+iMsspXSubc=,tag:HPfG5FRlErfvgxGiDwy4oA==,type:str]
+        username: ENC[AES256_GCM,data:oc7yIA==,iv:nRxbFAT/caXU5LxfRP2b4S3hvCRZmGsYEZTctZMRGUw=,tag:NyrVH30z9Lbd4INAjmyQLg==,type:str]
+        password: ENC[AES256_GCM,data:d2FFhqV+Iwob,iv:CY6KzS1XFKq2M4P1Wh8wrNOrSoyJjY86m9guz4Z+FwE=,tag:z4UKmNLHJ0daqtELkTrPog==,type:str]
+        email: ENC[AES256_GCM,data:aqrMJtcdPlGA276DYl0nr5wRTvloJGI65j+8mPCNLlWZ,iv:Z8z5hgBjqQ47jUrAt6lmeGoP/By50/hfPB08WPbUjEI=,tag:AbLWOBNOdB5rqMtW27moqw==,type:str]
 docker:
     homarr:
-        enc_key: ENC[AES256_GCM,data:gD1LWBWsWmNOWCLRHB5PX+NN8Z9fY/5l2i/ij7oJQXpJBvTFKmxW5MIUCxNMtYBa4ixkicm9rfHUssrO2aCHGQ==,iv:dH3hP3kDsbzoIOViFxRVZEbvNobzIji4ApjMyb1jqK0=,tag:QF5OvSzx3U4ppXm+sNDKGQ==,type:str]
+        enc_key: ENC[AES256_GCM,data:Igole8lbilV4POI6bzHJ1khrkJ0PTG9tA9qEEyf/o+HI/zQd+hEqHjE/a5DjTU/8zKWZqkj/uyNTaau8htGaGw==,iv:QnGf3n+TxALNO/yMNmu/IM53fIX63nXAQt7BnZXdjUs=,tag:edSCkai3/IJYgRX1YY/79A==,type:str]
 sops:
     age:
         - recipient: age1df2u7xvze6rq5utz74ckx059wr3z97j484wc04063437h6hn4v6s9auec3
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NHNuTWhVOXo0K3I0M0x1
-            cWRWeFcyc2ZxendwRnNRazRadk5BU1VhaVR3CmgzcHFUa3duVnVVcUNST25SRjVD
-            UFgxR3RqcnIrd3Z4VFpOZTE2UUFqYVEKLS0tIFozellXRFlPZXIwWlk4VXRTY2NZ
-            OTZxZ0tzbmwvbDZ3b3ltOUphclBERVUKU9e+Rn4yXqqChk5JqfOkCSHX90Shkrh3
-            HTMLSw3ABXr/ttFfnzqRGMFhMuS6jawAMuInOIyNQKPWQ8NL6gIsqw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUWRIbVVtMkl4bGhZY2Y1
+            QjVCVHdPR2tqbGFJSzRiZCswa0FQTSthZEJvCmR0T2ZZTE5XUFFLeWtMOTh4KzNP
+            UlBXcGpEWEozTGkvVGtQZmZhYzJwV0EKLS0tIDEzb2kyUjNkSWJKZHZGb1g5ZkFU
+            REYvMG10ZlRXSTFZWnpQZW9pT1pSUDgKsu7T5fv2Y5te0HGGDI3s46vKdUU2GFJb
+            yRGvoGflnfRfmDS92QkyKaQIrwDA+S3/wCjXq6O651XCQFcC7tYqxg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-24T05:24:51Z"
-    mac: ENC[AES256_GCM,data:FYH0xDUwGJtZqBWErzSI9HDmTCy3HrYsbGvcEJUaG4f6PBcbiYz3PqZ71ec9v6u8YeZVBi6pA2QQS8rvJ73H/4knRw7sB3WAJ74YBPHcuLXy+bagPanzMCpff98rVr1yaDOC8dQlchPQTNnDPJFbxQ22Kh2vOMVBNOy8QDWyhUA=,iv:UwqBDb8BjDZS7R90eqtOG+KO56fyTQXR7kYZEjItmAQ=,tag:WaU/6gIx/KsaKUpQ9IoOLw==,type:str]
+    lastmodified: "2025-07-07T05:06:44Z"
+    mac: ENC[AES256_GCM,data:R1Hfxuzsq54ekijB4nUhmZPKjf3vFJ3NXZmEkexWLsexWSGyh9BVCUMWkKdHj6gFwJSvyE6h07FOh3pixzsLGaU9Pv4tobrwiQ6MLMovJzRaGAeWkhUejna93HZVe1mnFglxUXTZjpOtepdpha0Bhiti3IdTc4lIwjWeLpTRbWM=,iv:wtpM6MlPwbuZueAG0s4oeSNuqM0acHQx9TTHm9/vtz0=,tag:D51Wy8oR/106v0Mq7tyYXQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

nix-darwin/flakes/monolith/services/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./paperless.nix
+  ];
+}

nix-darwin/flakes/monolith/services/paperless.nix

@@ -0,0 +1,45 @@
+{ config, ... }:
+{
+  systemd.services.paperless = {
+    wants = [ "mnt-paperless.mount" ];
+    after = [ "mnt-paperless.mount" ];
+    serviceConfig = {
+      ProtectSystem = "no";
+      ProtectHome = false;
+      PrivateTmp = false;
+      PrivateDevices = false;
+      ReadOnlyPaths = [ ];
+      ReadWritePaths = [ "/mnt/paperless" ];
+    };
+  };
+
+  users.users.paperless = {
+    isNormalUser = false;
+    extraGroups = [
+      "smbaccess"
+    ];
+  };
+  environment.etc."paperless-admin-pass".text =
+    builtins.readFile
+      config.sops.secrets."paperless/admin/password".path;
+
+  services.paperless = {
+    passwordFile = "/etc/paperless-admin-pass";
+    enable = true;
+    port = 28981;
+    address = "127.0.0.1";
+    settings = {
+      # PAPERLESS_CONSUMPTION_DIR = "/mnt/paperless/consume";
+      # PAPERLESS_DATA_DIR = "/mnt/paperless/data";
+      # PAPERLESS_MEDIA_ROOT = "/mnt/paperless/media";
+      # PAPERLESS_STATICDIR = "/mnt/paperless/static";
+      # https://docs.paperless-ngx.com/configuration/
+      # PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
+      # PAPERLESS_STATIC_URL = "/paperless/";
+
+      # PAPERLESS_ADMIN_USER = builtins.readFile config.sops.secrets."paperless/admin/username".path;
+      # PAPERLESS_ADMIN_MAIL = builtins.readFile config.sops.secrets."paperless/admin/email".path;
+      # PAPERLESS_ADMIN_PASSWORD = builtins.readFile config.sops.secrets."paperless/admin/password".path;
+    };
+  };
+}