os/hosts/pie/firefly.nix

157 lines
4.6 KiB
Nix

{
flake,
config,
pkgs,
lib,
...
}: let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
backupDir = "/var/lib/firefly/backup";
in {
age.secrets."firefly-secrets.env" = {
file = "${flake.self}/secrets/firefly-secrets.env.age";
mode = "400";
};
age.secrets."firefly-db-secrets.env" = {
file = "${flake.self}/secrets/firefly-db-secrets.env.age";
mode = "400";
};
age.secrets."firefly-importer-secrets.env" = {
file = "${flake.self}/secrets/firefly-importer-secrets.env.age";
mode = "400";
};
age.secrets."firefly-cron-secrets.env" = {
file = "${flake.self}/secrets/firefly-cron-secrets.env.age";
mode = "400";
};
security.acme.certs = {
"firefly.b12f.io" = {};
"firefly-importer.b12f.io" = {};
};
services.nginx.virtualHosts = {
"firefly.b12f.io" = {
forceSSL = true;
useACMEHost = "firefly.b12f.io";
extraConfig = "include /etc/nginx/conf-available/authelia-location.conf;";
# Make api calls skip the nginx proxy auth
locations."/api/v1".proxyPass = "http://127.0.0.1:8080";
locations."/".proxyPass = "http://127.0.0.1:8080";
locations."/".extraConfig = ''
include /etc/nginx/conf-available/proxy.conf;
include /etc/nginx/conf-available/authelia-authrequest.conf;
'';
};
"firefly-importer.b12f.io" = {
forceSSL = true;
useACMEHost = "firefly-importer.b12f.io";
extraConfig = "include /etc/nginx/conf-available/authelia-location.conf;";
locations."/".proxyPass = "http://127.0.0.1:8081";
locations."/".extraConfig = ''
include /etc/nginx/conf-available/proxy.conf;
include /etc/nginx/conf-available/authelia-authrequest.conf;
'';
};
};
systemd.services."docker-network-firefly" = let
docker = config.virtualisation.oci-containers.backend;
dockerBin = "${pkgs.${docker}}/bin/${docker}";
in {
serviceConfig.Type = "oneshot";
before = ["docker-firefly.service"];
script = ''
${dockerBin} network inspect firefly >/dev/null 2>&1 || ${dockerBin} network create firefly --subnet 172.20.0.0/24
'';
};
virtualisation = {
oci-containers = {
backend = "docker";
containers."firefly" = {
image = "fireflyiii/core:latest";
autoStart = true;
volumes = [
"/var/lib/firefly/upload:/var/www/html/storage/upload"
];
extraOptions = ["--network=firefly"];
environmentFiles = [
./.env.firefly
config.age.secrets."firefly-secrets.env".path
config.age.secrets."firefly-cron-secrets.env".path
];
ports = ["127.0.0.1:8080:8080"];
dependsOn = ["firefly-db"];
};
containers."firefly-db" = {
image = "postgres:16";
autoStart = true;
volumes = [
"/var/lib/firefly/db:/var/lib/postgresql/data"
];
extraOptions = ["--network=firefly"];
environmentFiles = [
config.age.secrets."firefly-db-secrets.env".path
];
};
containers."firefly-importer" = {
image = "fireflyiii/data-importer:latest";
autoStart = true;
extraOptions = ["--network=firefly"];
ports = ["127.0.0.1:8081:8080"];
environment = {
FIREFLY_III_URL = "https://firefly.b12f.io";
};
environmentFiles = [
./.env.firefly-importer
config.age.secrets."firefly-importer-secrets.env".path
];
dependsOn = ["firefly"];
};
containers."firefly-cron" = {
image = "alpine";
autoStart = true;
cmd = [
"sh"
"-c"
"echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/$STATIC_CRON_TOKEN\" | crontab - && crond -f -L /dev/stdout"
];
environmentFiles = [
config.age.secrets."firefly-cron-secrets.env".path
];
extraOptions = ["--network=firefly"];
};
};
};
systemd.tmpfiles.rules = [
"d '${backupDir}' 0700 root root - -"
];
services.restic.backups = {
firefly = {
paths = [
backupDir
"/var/lib/firefly/upload"
];
initialize = true;
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/FireflyIII";
backupPrepareCommand = ''
${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql"
'';
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}