move back to zaatar

systems/zaatar/atuin.nix

@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+  services.postgresqlBackup = {
+    enable = true;
+    databases = ["atuin"];
+  };
+
+  services.postgresql.package = pkgs.postgresql_14;
+
+  services.atuin = {
+    host = "0.0.0.0";
+    openFirewall = true;
+    openRegistration = true;
+    port = 8888;
+    enable = true;
+  };
+}

systems/zaatar/backup.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  niveumLib = import ../../lib;
+  inherit (niveumLib) retiolumAddresses restic;
+  firewall = niveumLib.firewall lib;
+  dataDir = "/backup/restic";
+in {
+  services.restic.server = {
+    enable = true;
+    appendOnly = true;
+    inherit dataDir;
+    prometheus = true;
+    extraFlags = ["--no-auth"]; # auth is done via firewall
+    listenAddress = toString restic.port;
+  };
+
+  environment.systemPackages = [
+    (pkgs.writers.writeDashBin "restic-niveum" ''
+      exec ${pkgs.util-linux}/bin/runuser -u restic -g restic -- ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${config.age.secrets.restic.path} "$@"
+    '')
+  ];
+
+  fileSystems."/backup" = {
+    device = "/dev/disk/by-id/ata-WDC_WD10JPVX-22JC3T0_WD-WXD1E5510MKW";
+    fsType = "ext4";
+  };
+
+  networking.firewall = let
+    dport = restic.port;
+    protocol = "tcp";
+    rules = [
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.kabsa.ipv4;
+      })
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.manakish.ipv4;
+      })
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.makanek.ipv4;
+      })
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.fatteh.ipv4;
+      })
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.ful.ipv4;
+      })
+    ];
+  in {
+    extraCommands = firewall.addRules rules;
+    extraStopCommands = firewall.removeRules rules;
+  };
+}

systems/zaatar/configuration.nix

@@ -91,5 +91,5 @@ in {
     retiolum = retiolumAddresses.zaatar;
   };
 
-  system.stateVersion = "22.05";
+  system.stateVersion = "23.11";
 }

systems/zaatar/hardware-configuration.nix

@@ -22,16 +22,18 @@
 
   fileSystems = {
     "/" = {
-      device = "/dev/disk/by-label/nixos";
+      device = "/dev/disk/by-uuid/5dcaa7fe-08e7-46a6-ac93-b267eeb144eb";
       fsType = "ext4";
     };
     "/boot" = {
-      device = "/dev/disk/by-label/boot";
+      device = "/dev/disk/by-uuid/CE3B-F4C6";
       fsType = "vfat";
     };
   };
 
-  swapDevices = [{device = "/dev/disk/by-label/swap";}];
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7b2a3e4c-e53f-4c53-b599-b6d6cff49f1f"; }
+    ];
 
   nix.settings.max-jobs = lib.mkDefault 4;
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

systems/zaatar/home-assistant.nix

@@ -0,0 +1,90 @@
+{config, pkgs, lib, ...}: let
+  port = 8123;
+  inherit (import ../../lib) restic;
+  volumeName = "home-assistant";
+  streams = import ../../lib/streams.nix {
+    di-fm-key = "%DI_FM_KEY%"; # TODO lib.strings.fileContents <secrets/di.fm/key>;
+  };
+  playlistDirectoryPath = "/var/lib/mpd/playlists";
+in {
+  networking.firewall.allowedTCPPorts = [port];
+
+  services.nginx.virtualHosts."home.kmein.r" = {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+    };
+  };
+
+  services.restic.backups.niveum = {
+    initialize = true;
+    inherit (restic) repository;
+    timerConfig = {
+      OnCalendar = "daily";
+      RandomizedDelaySec = "1h";
+    };
+    passwordFile = config.age.secrets.restic.path;
+    paths = [
+      "/var/lib/containers/storage/volumes/${volumeName}"
+    ];
+  };
+
+  age.secrets = {
+    di-fm-key.file = ../../secrets/di-fm-key.age;
+  };
+
+  systemd.services.mpd-playlists = {
+    before = ["podman-homeassistant.service"];
+    wantedBy = ["podman-homeassistant.service"];
+    script = let
+      tags = lib.lists.unique (lib.concatMap ({tags ? [], ...}: tags) streams);
+      tagStreams = tag: lib.filter ({tags ? [], ...}: lib.elem tag tags) streams;
+      makePlaylist = name: streams: pkgs.writeText "${name}.m3u" (lib.concatMapStringsSep "\n" (lib.getAttr "stream") streams);
+      playlistDirectory = pkgs.linkFarm "playlists" (
+        [
+          {
+            name = "all.m3u";
+            path = makePlaylist "all" streams;
+          }
+        ]
+        ++ map (tag: {
+          name = "${tag}.m3u";
+          path = makePlaylist tag (tagStreams tag);
+        })
+        tags
+      );
+    in ''
+      mkdir -p ${playlistDirectoryPath}
+
+      export DI_FM_KEY="$(cat "$CREDENTIALS_DIRECTORY/di-fm-key")"
+
+      rm -rf ${playlistDirectoryPath}
+      mkdir ${playlistDirectoryPath}
+
+      for m3u in $(ls ${playlistDirectory})
+      do
+        ${pkgs.gnused}/bin/sed s/%DI_FM_KEY%/"$DI_FM_KEY"/g ${playlistDirectory}/"$m3u" > ${playlistDirectoryPath}/"$(basename "$m3u")"
+      done
+    '';
+    serviceConfig = {
+      LoadCredential = [
+        "di-fm-key:${config.age.secrets.di-fm-key.path}"
+      ];
+    };
+  };
+
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers.homeassistant = {
+      volumes = [
+        "${volumeName}:/config"
+        "${playlistDirectoryPath}:/media"
+      ];
+      environment.TZ = "Europe/Berlin";
+      image = "ghcr.io/home-assistant/home-assistant:stable";
+      extraOptions = [
+        "--network=host"
+        "--device=/dev/ttyACM0:/dev/ttyACM0" # Example, change this to match your own hardware
+      ];
+    };
+  };
+}