From bdb4ad8160557fa71321f30c995495216fc17ce0 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Wed, 1 Oct 2025 16:33:55 +0200 Subject: [PATCH 01/10] Updates --- modules/apps/arr/default.nix | 2 +- modules/apps/jellyfin/default.nix | 24 +++++++++--------------- modules/services/actions/default.nix | 2 +- 3 files changed, 11 insertions(+), 17 deletions(-) diff --git a/modules/apps/arr/default.nix b/modules/apps/arr/default.nix index 3b05429..e2c0df5 100644 --- a/modules/apps/arr/default.nix +++ b/modules/apps/arr/default.nix @@ -343,7 +343,7 @@ in { port = 7878; in lib.mkIf cfg.radarr.enable { hostname = "radarr"; - image = "ghcr.io/hotio/radarr:release-5.28.0.10205"; + image = "ghcr.io/hotio/radarr:testing-5.28.0.10205"; autoStart = true; ports = lib.mkIf cfg.radarr.exposePorts [ "${toString port}:${toString port}/tcp" diff --git a/modules/apps/jellyfin/default.nix b/modules/apps/jellyfin/default.nix index 5b4081a..011f56b 100644 --- a/modules/apps/jellyfin/default.nix +++ b/modules/apps/jellyfin/default.nix @@ -4,6 +4,7 @@ let cfg = config.homelab.apps.jellyfin; networkName = "jellyfin"; + inherit (config.homelab.fileSystems) media; UID = 3008; GID = config.users.groups.media.gid; @@ -12,6 +13,11 @@ in { config = lib.mkIf cfg.enable { homelab = { + fileSystems.media.video = { + enable = true; + permissions = [ "read" ]; + }; + users = { apps.enable = true; media.enable = true; @@ -32,18 +38,6 @@ in { ]; }; - "/srv/video" = { - device = "192.168.0.11:/mnt/SMALL/MEDIA/VIDEO"; - fsType = "nfs"; - options = [ - "ro" - "nfsvers=4.2" - "async" "soft" - "timeo=100" "retry=50" "actimeo=1800" "lookupcache=all" - "nosuid" "tcp" - ]; - }; - "/srv/homevideo" = { device = "192.168.0.11:/mnt/BIG/MEDIA/HOMEVIDEO/ARCHIVE"; fsType = "nfs"; @@ -101,7 +95,7 @@ in { virtualisation.oci-containers.containers = { jellyfin = { hostname = "jellyfin"; - image = "jellyfin/jellyfin:10.10.0"; + image = "jellyfin/jellyfin:10.10.7"; user = "${toString UID}:${toString GID}"; autoStart = true; ports = [ @@ -117,7 +111,7 @@ in { "cache:/cache" "/srv/audio:/media/audio" - "/srv/video:/media/video" + "${media.video.hostPath}:/media/video" "/srv/homevideo:/media/homevideo" "/srv/photo:/media/photo" ]; @@ -144,7 +138,7 @@ in { feishinPort = "9180"; in { hostname = "feishin"; - image = "ghcr.io/jeffvli/feishin:0.7.1"; + image = "ghcr.io/jeffvli/feishin:0.19.0"; autoStart = true; ports = [ "${feishinPort}:9180/tcp" # Web player (HTTP) diff --git a/modules/services/actions/default.nix b/modules/services/actions/default.nix index 338b963..ea6b025 100644 --- a/modules/services/actions/default.nix +++ b/modules/services/actions/default.nix @@ -44,6 +44,6 @@ in { ]; }; }; - }; } + From d2a0da648c5c1e7f4ae1f2be02431bf4116a5bb2 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Wed, 1 Oct 2025 16:36:14 +0200 Subject: [PATCH 02/10] feat(solidtime): Add module --- modules/apps/solidtime/default.nix | 238 +++++++++++++++++++++++++++++ 1 file changed, 238 insertions(+) create mode 100644 modules/apps/solidtime/default.nix diff --git a/modules/apps/solidtime/default.nix b/modules/apps/solidtime/default.nix new file mode 100644 index 0000000..9174df4 --- /dev/null +++ b/modules/apps/solidtime/default.nix @@ -0,0 +1,238 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.homelab.apps.solidtime; + + networkName = "solidtime"; + internalNetworkName = "solidtime-internal"; + + version = "0.8.0"; + + port = 8000; + user = "1000:1000"; + + # dbExternalPort = ...; + dbInternalPort = 5432; + + gotenbergPort = 3000; + + inherit (config.virtualisation.oci-containers) containers; + + volumes = [ + "solidtime-storage:/var/www/html/storage" + "solidtime-logs:/var/www/html/storage/logs" + "solidtime-app:/var/www/html/storage/app" + ]; + + # laravel.env + laravelEnv = { + APP_NAME = "Solidtime"; + VITE_APP_NAME = laravelEnv.APP_NAME; + APP_ENV = "production"; + APP_DEBUG = "false"; + APP_URL = "http://localhost:${toString port}"; + APP_FORCE_HTTPS = "false"; + APP_ENABLE_REGISTRATION = "false"; + TRUSTED_PROXIES = "0.0.0.0/0,2000:0:0:0:0:0:0:0/3"; + + # Logging + LOG_CHANNEL = "stderr_daily"; + LOG_LEVEL = "debug"; + + # Database + DB_CONNECTION = "pgsql"; + DB_HOST = containers.solidtimeDb.hostname; + DB_PORT = toString dbInternalPort; + DB_SSL_MODE = "require"; + DB_DATABASE = "solidtime"; + DB_USERNAME = "solidtime"; + DB_PASSWORD = "ChangeMe"; + + # Mail + #MAIL_MAILER = "smtp"; + #MAIL_HOST = "smtp.gmail.com"; + #MAIL_PORT = "465"; + #MAIL_ENCRYPTION = "tls"; + #MAIL_FROM_ADDRESS = "no-reply@time.depeuter.dev"; + MAIL_FROM_NAME = laravelEnv.APP_NAME; + #MAIL_USERNAME = "kmtl.hugo@gmail.com"; + #MAIL_PASSWORD = "fhfxoequhhqidrhd"; + + # Queue + QUEUE_CONNECTION = "database"; + + # File storage + FILESYSTEM_DISK = "local"; + PUBLIC_FILESYSTEM_DISK = "public"; + + # Services + GOTENBERG_URL = "http://${containers.solidtimeGotenberg.hostname}:${toString gotenbergPort}"; + }; + +in { + options.homelab.apps.solidtime.enable = lib.mkEnableOption "Solidtime time tracker using Docker"; + + config = lib.mkIf cfg.enable { + homelab.virtualisation.containers.enable = true; + + # Make sure the Docker network exists. + systemd.services = { + "docker-${networkName}-create-network" = { + description = "Create Docker network for ${networkName}"; + requiredBy = [ + "${containers.solidtime.serviceName}.service" + ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + if ! ${pkgs.docker}/bin/docker network ls | grep -q ${networkName}; then + ${pkgs.docker}/bin/docker network create ${networkName} + fi + ''; + }; + "docker-${internalNetworkName}-create-network" = { + description = "Create Docker network for ${internalNetworkName}"; + requiredBy = [ + "${containers.solidtime.serviceName}.service" + "${containers.solidtimeScheduler.serviceName}.service" + "${containers.solidtimeQueue.serviceName}.service" + "${containers.solidtimeDb.serviceName}.service" + "${containers.solidtimeGotenberg.serviceName}.service" + ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + if ! ${pkgs.docker}/bin/docker network ls | grep -q ${internalNetworkName}; then + ${pkgs.docker}/bin/docker network create ${internalNetworkName} + fi + ''; + }; + }; + + virtualisation.oci-containers.containers = { + solidtime = { + hostname = "solidtime"; + image = "solidtime/solidtime:${version}"; + autoStart = true; + inherit user; + ports = [ + # Open ports if you don't use Traefik + "${toString port}:8000" + ]; + extraOptions = [ + "--network=${networkName}" + "--network=${internalNetworkName}" + + # Healthecks + # test: [ "CMD-SHELL", "curl --fail http://localhost:8000/health-check/up || exit 1" ] + ''--health-cmd=curl --fail http://localhost:8000/health-check/up || exit 1'' + ]; + inherit volumes; + dependsOn = [ + "solidtimeDb" + ]; + environmentFiles = [ + "/home/admin/.solidtime.env" + ]; + environment = laravelEnv // { + CONTAINER_MODE = "http"; + }; + labels = { + "traefik.enable" = "true"; + "traefik.http.routers.solidtime.rule" = "Host(`time.${config.networking.hostName}.depeuter.dev`)"; + "traefik.http.services.solidtime.loadbalancer.server.port" = toString port; + }; + }; + solidtimeScheduler = { + hostname = "scheduler"; + image = "solidtime/solidtime:${version}"; + inherit user; + autoStart = true; + extraOptions = [ + "--network=${internalNetworkName}" + + # Healthchecks + # test: [ "CMD-SHELL", "supervisorctl status scheduler:scheduler_00" ] + ''--health-cmd="supervisorctl status scheduler:scheduler_00"'' + ]; + inherit volumes; + dependsOn = [ + "solidtimeDb" + ]; + environmentFiles = [ + "/home/admin/.solidtime.env" + ]; + environment = laravelEnv // { + CONTAINER_MODE = "scheduler"; + }; + }; + solidtimeQueue = { + hostname = "queue"; + image = "solidtime/solidtime:${version}"; + inherit user; + autoStart = true; + extraOptions = [ + "--network=${internalNetworkName}" + + # Healthchecks + # test: [ "CMD-SHELL", "supervisorctl status worker:worker_00" ] + ''--health-cmd="supervisorctl status worker:worker_00"'' + ]; + inherit volumes; + dependsOn = [ + "solidtimeDb" + ]; + environmentFiles = [ + "/home/admin/.solidtime.env" + ]; + environment = laravelEnv // { + CONTAINER_MODE = "worker"; + WORKER_COMMAND = "php /var/www/html/artisan queue:work"; + }; + }; + solidtimeDb = { + hostname = "database"; + image = "postgres:15"; + autoStart = true; + ports = [ + # "${toString dbExternalPort}:${toString dbInternalPort}" + ]; + extraOptions = [ + "--network=${internalNetworkName}" + + # Healthchecks + # test: - CMD - pg_isready - '-q' - '-d' - '${DB_DATABASE}' - '-U' - '${DB_USERNAME}' retries: 3 timeout: 5s + ''--health-cmd="pg_isready -q -d ${laravelEnv.DB_DATABASE} -U ${laravelEnv.DB_USERNAME}"'' + "--health-retries=3" + "--health-timeout=5s" + ]; + volumes = [ + "solidtime-db:/var/lib/postgresql/data" + ]; + environment = { + PGPASSWORD = laravelEnv.DB_PASSWORD; + POSTGRES_DB = laravelEnv.DB_DATABASE; + POSTGRES_USER = laravelEnv.DB_USERNAME; + POSTGRES_PASSWORD = laravelEnv.DB_PASSWORD; + }; + }; + solidtimeGotenberg = { + hostname = "gotenberg"; + image = "gotenberg/gotenberg:8"; + autoStart = true; + extraOptions = [ + "--network=${internalNetworkName}" + + # Healthchecks + # test: [ "CMD", "curl", "--silent", "--fail", "http://localhost:3000/health" ] + ''--health-cmd="curl --silent --fail http://localhost:${toString gotenbergPort}/health"'' + ]; + }; + }; + }; +} + From 04b4254a72c7b104a28b23ae40bd107e2d158f97 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Tue, 10 Feb 2026 08:30:11 +0100 Subject: [PATCH 03/10] chore(soldtime): Cleanup options --- hosts/Development/default.nix | 1 + modules/apps/default.nix | 1 + modules/apps/solidtime/default.nix | 67 ++++++++++++++++++------------ 3 files changed, 42 insertions(+), 27 deletions(-) diff --git a/hosts/Development/default.nix b/hosts/Development/default.nix index fda8e57..77f6758 100644 --- a/hosts/Development/default.nix +++ b/hosts/Development/default.nix @@ -11,6 +11,7 @@ }; traefik.enable = true; plex.enable = true; + solidtime.enable = true; }; virtualisation.guest.enable = true; }; diff --git a/modules/apps/default.nix b/modules/apps/default.nix index f62dca7..385f915 100644 --- a/modules/apps/default.nix +++ b/modules/apps/default.nix @@ -9,6 +9,7 @@ ./homepage ./jellyfin ./plex + ./solidtime ./speedtest ./technitium-dns ./traefik diff --git a/modules/apps/solidtime/default.nix b/modules/apps/solidtime/default.nix index 9174df4..17193a3 100644 --- a/modules/apps/solidtime/default.nix +++ b/modules/apps/solidtime/default.nix @@ -5,10 +5,10 @@ let networkName = "solidtime"; internalNetworkName = "solidtime-internal"; + proxyNet = config.homelab.apps.traefiik.sharedNetworkName; version = "0.8.0"; - port = 8000; user = "1000:1000"; # dbExternalPort = ...; @@ -30,7 +30,7 @@ let VITE_APP_NAME = laravelEnv.APP_NAME; APP_ENV = "production"; APP_DEBUG = "false"; - APP_URL = "http://localhost:${toString port}"; + APP_URL = "http://localhost:${toString cfg.port}"; APP_FORCE_HTTPS = "false"; APP_ENABLE_REGISTRATION = "false"; TRUSTED_PROXIES = "0.0.0.0/0,2000:0:0:0:0:0:0:0/3"; @@ -70,7 +70,15 @@ let }; in { - options.homelab.apps.solidtime.enable = lib.mkEnableOption "Solidtime time tracker using Docker"; + options.homelab.apps.solidtime = { + enable = lib.mkEnableOption "Solidtime time tracker using Docker"; + port = lib.mkOption { + type = lib.types.int; + default = 8000; + description = "Solidtime WebUI port"; + }; + exposePort = lib.mkEnableOption "Expose Soldtime port"; + }; config = lib.mkIf cfg.enable { homelab.virtualisation.containers.enable = true; @@ -117,52 +125,54 @@ in { solidtime = { hostname = "solidtime"; image = "solidtime/solidtime:${version}"; - autoStart = true; inherit user; + autoStart = true; + dependsOn = [ + "solidtimeDb" + ]; ports = [ # Open ports if you don't use Traefik - "${toString port}:8000" + "${toString cfg.port}:8000" + ]; + networks = [ + networkName + internalNetworkName ]; extraOptions = [ - "--network=${networkName}" - "--network=${internalNetworkName}" - # Healthecks # test: [ "CMD-SHELL", "curl --fail http://localhost:8000/health-check/up || exit 1" ] ''--health-cmd=curl --fail http://localhost:8000/health-check/up || exit 1'' ]; inherit volumes; - dependsOn = [ - "solidtimeDb" - ]; + labels = { + "traefik.enable" = "true"; + "traefik.http.routers.solidtime.rule" = "Host(`time.${config.networking.hostName}.depeuter.dev`)"; + "traefik.http.services.solidtime.loadbalancer.server.port" = toString cfg.port; + }; environmentFiles = [ "/home/admin/.solidtime.env" ]; environment = laravelEnv // { CONTAINER_MODE = "http"; }; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.solidtime.rule" = "Host(`time.${config.networking.hostName}.depeuter.dev`)"; - "traefik.http.services.solidtime.loadbalancer.server.port" = toString port; - }; }; solidtimeScheduler = { hostname = "scheduler"; image = "solidtime/solidtime:${version}"; inherit user; autoStart = true; + dependsOn = [ + "solidtimeDb" + ]; + networks = [ + internalNetworkName + ]; extraOptions = [ - "--network=${internalNetworkName}" - # Healthchecks # test: [ "CMD-SHELL", "supervisorctl status scheduler:scheduler_00" ] ''--health-cmd="supervisorctl status scheduler:scheduler_00"'' ]; inherit volumes; - dependsOn = [ - "solidtimeDb" - ]; environmentFiles = [ "/home/admin/.solidtime.env" ]; @@ -175,9 +185,10 @@ in { image = "solidtime/solidtime:${version}"; inherit user; autoStart = true; + networks = [ + internalNetworkName + ]; extraOptions = [ - "--network=${internalNetworkName}" - # Healthchecks # test: [ "CMD-SHELL", "supervisorctl status worker:worker_00" ] ''--health-cmd="supervisorctl status worker:worker_00"'' @@ -201,9 +212,10 @@ in { ports = [ # "${toString dbExternalPort}:${toString dbInternalPort}" ]; + networks = [ + internalNetworkName + ]; extraOptions = [ - "--network=${internalNetworkName}" - # Healthchecks # test: - CMD - pg_isready - '-q' - '-d' - '${DB_DATABASE}' - '-U' - '${DB_USERNAME}' retries: 3 timeout: 5s ''--health-cmd="pg_isready -q -d ${laravelEnv.DB_DATABASE} -U ${laravelEnv.DB_USERNAME}"'' @@ -224,9 +236,10 @@ in { hostname = "gotenberg"; image = "gotenberg/gotenberg:8"; autoStart = true; + networks = [ + internalNetworkName + ]; extraOptions = [ - "--network=${internalNetworkName}" - # Healthchecks # test: [ "CMD", "curl", "--silent", "--fail", "http://localhost:3000/health" ] ''--health-cmd="curl --silent --fail http://localhost:${toString gotenbergPort}/health"'' From 84c94afda46feab5947f5050b0fb9def869ea6a4 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Tue, 10 Feb 2026 08:37:32 +0100 Subject: [PATCH 04/10] chore(solidtime): Update to 0.9.0 --- modules/apps/solidtime/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/apps/solidtime/default.nix b/modules/apps/solidtime/default.nix index 17193a3..0a62900 100644 --- a/modules/apps/solidtime/default.nix +++ b/modules/apps/solidtime/default.nix @@ -7,7 +7,7 @@ let internalNetworkName = "solidtime-internal"; proxyNet = config.homelab.apps.traefiik.sharedNetworkName; - version = "0.8.0"; + version = "0.9.0"; user = "1000:1000"; @@ -140,8 +140,8 @@ in { ]; extraOptions = [ # Healthecks - # test: [ "CMD-SHELL", "curl --fail http://localhost:8000/health-check/up || exit 1" ] - ''--health-cmd=curl --fail http://localhost:8000/health-check/up || exit 1'' + # test: [ "CMD", "curl", "--fail", "http://localhost:8000/health-check/up" ] + ''--health-cmd=curl --fail http://localhost:8000/health-check/up'' ]; inherit volumes; labels = { @@ -169,8 +169,8 @@ in { ]; extraOptions = [ # Healthchecks - # test: [ "CMD-SHELL", "supervisorctl status scheduler:scheduler_00" ] - ''--health-cmd="supervisorctl status scheduler:scheduler_00"'' + # test: [ "CMD", "healthcheck" ] + ''--health-cmd="healthcheck"'' ]; inherit volumes; environmentFiles = [ @@ -190,8 +190,8 @@ in { ]; extraOptions = [ # Healthchecks - # test: [ "CMD-SHELL", "supervisorctl status worker:worker_00" ] - ''--health-cmd="supervisorctl status worker:worker_00"'' + # test: [ "CMD", "healthcheck" ] + ''--health-cmd="healthcheck"'' ]; inherit volumes; dependsOn = [ From 687b85eeefe14c553f6cda03c3c57c7ce716229f Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Tue, 10 Feb 2026 09:08:11 +0100 Subject: [PATCH 05/10] feat(solidtime): Preload Docker images --- modules/apps/solidtime/default.nix | 42 +++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 7 deletions(-) diff --git a/modules/apps/solidtime/default.nix b/modules/apps/solidtime/default.nix index 0a62900..3348e0b 100644 --- a/modules/apps/solidtime/default.nix +++ b/modules/apps/solidtime/default.nix @@ -18,6 +18,15 @@ let inherit (config.virtualisation.oci-containers) containers; + solidtimeImageName = "solidtime/solidtime"; + solidtimeImage = "${solidtimeImageName}:${version}"; + solidtimeImageFile = pkgs.dockerTools.pullImage { + imageName = solidtimeImageName; + finalImageTag = version; + imageDigest = "sha256:5601b81f63ece49cdc4110f90f7624b0cc4ba87448b3e4bddce904457822a4ef"; + sha256 = "sha256-/VwuJGczs41XeItNamLahLt/ypUQHTn9AcwneVw/3YY="; + }; + volumes = [ "solidtime-storage:/var/www/html/storage" "solidtime-logs:/var/www/html/storage/logs" @@ -124,7 +133,8 @@ in { virtualisation.oci-containers.containers = { solidtime = { hostname = "solidtime"; - image = "solidtime/solidtime:${version}"; + image = solidtimeImage; + imageFile = solidtimeImageFile; inherit user; autoStart = true; dependsOn = [ @@ -158,7 +168,8 @@ in { }; solidtimeScheduler = { hostname = "scheduler"; - image = "solidtime/solidtime:${version}"; + image = solidtimeImage; + imageFile = solidtimeImageFile; inherit user; autoStart = true; dependsOn = [ @@ -182,7 +193,8 @@ in { }; solidtimeQueue = { hostname = "queue"; - image = "solidtime/solidtime:${version}"; + image = solidtimeImage; + imageFile = solidtimeImageFile; inherit user; autoStart = true; networks = [ @@ -205,9 +217,17 @@ in { WORKER_COMMAND = "php /var/www/html/artisan queue:work"; }; }; - solidtimeDb = { + solidtimeDb = let + imageName = "postgres"; + finalImageTag = "15"; + in { hostname = "database"; - image = "postgres:15"; + image = "${imageName}:${finalImageTag}"; + imageFile = pkgs.dockerTools.pullImage { + inherit imageName finalImageTag; + imageDigest = "sha256:98fe06b500b5eb29e45bf8c073eb0ca399790ce17b1d586448edc4203627d342"; + sha256 = "sha256-AZ4VkOlROX+nR/MjDjsA4xdHzmtKjiBAtsp2Q6IdOvg="; + }; autoStart = true; ports = [ # "${toString dbExternalPort}:${toString dbInternalPort}" @@ -232,9 +252,17 @@ in { POSTGRES_PASSWORD = laravelEnv.DB_PASSWORD; }; }; - solidtimeGotenberg = { + solidtimeGotenberg = let + imageName = "gotenberg/gotenberg"; + finalImageTag = "8.26.0"; + in { hostname = "gotenberg"; - image = "gotenberg/gotenberg:8"; + image = "${imageName}:${finalImageTag}"; + imageFile = pkgs.dockerTools.pullImage { + inherit imageName finalImageTag; + imageDigest = "sha256:328551506b3dec3ff6381dd47e5cd72a44def97506908269e201a8fbfa1c12c0"; + sha256 = "sha256-1zz4xDAgXxHUnkCVIfjHTgXb82EFEx+5am6Cu9+eZj4="; + }; autoStart = true; networks = [ internalNetworkName From 58f2ea9b74731144f1f375419ad1b7f43980cfec Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Tue, 10 Feb 2026 09:25:16 +0100 Subject: [PATCH 06/10] chore(solidtime): Update to 0.10.0 --- modules/apps/solidtime/default.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/apps/solidtime/default.nix b/modules/apps/solidtime/default.nix index 3348e0b..725d32d 100644 --- a/modules/apps/solidtime/default.nix +++ b/modules/apps/solidtime/default.nix @@ -7,8 +7,6 @@ let internalNetworkName = "solidtime-internal"; proxyNet = config.homelab.apps.traefiik.sharedNetworkName; - version = "0.9.0"; - user = "1000:1000"; # dbExternalPort = ...; @@ -19,12 +17,13 @@ let inherit (config.virtualisation.oci-containers) containers; solidtimeImageName = "solidtime/solidtime"; + version = "0.10.0"; solidtimeImage = "${solidtimeImageName}:${version}"; solidtimeImageFile = pkgs.dockerTools.pullImage { imageName = solidtimeImageName; finalImageTag = version; - imageDigest = "sha256:5601b81f63ece49cdc4110f90f7624b0cc4ba87448b3e4bddce904457822a4ef"; - sha256 = "sha256-/VwuJGczs41XeItNamLahLt/ypUQHTn9AcwneVw/3YY="; + imageDigest = "sha256:817d3a366ecc39f0473d7154372afa82dd4e6e50c66d70be45804892c8421cbb"; + sha256 = "sha256-h5aCKaquUF/EVsOHaLOHrn1HAoXZYPhAbJ+e4cmjSA8="; }; volumes = [ From c04bce06b66b588ad2d3a67c3e1f64f63c963263 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Fri, 6 Feb 2026 14:15:19 +0100 Subject: [PATCH 07/10] feat: Test Action Including commits: * chore: Disable test workflow * Determine hosts * Build each host * Add NixOS to build step as well * More specific hostnames * fix json elements * try different way * Debug matrix * run on push * use var directly * fix mappings * fix mappings * add toolcache * Change names and ordere * Debugging * Debugging extra step * Debugging needs outputs * Debugging needs outputs hosts * Preserve quotes * printf escaped * Using EOF * test * escape? * without json parse * hardcoding * change build command * Testing --- .github/workflows/build.yml | 43 +++++++++++++++++++++++++++++++++++++ .github/workflows/test.yml | 17 +++++++++++++++ .gitignore | 1 + 3 files changed, 61 insertions(+) create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..74d6457 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,43 @@ +name: "Build" +on: + pull_request: + push: + +jobs: + determine-hosts: + name: "Determining hosts to build" + runs-on: ubuntu-latest + container: catthehacker/ubuntu:act-24.04 + outputs: + hosts: ${{ steps.hosts.outputs.hostnames }} + steps: + - uses: actions/checkout@v5 + - uses: https://github.com/cachix/install-nix-action@v31 + with: + nix_path: nixpkgs=channel:nixos-unstable + - name: "Determine hosts" + id: hosts + run: | + hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)" + printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}" + + build: + runs-on: ubuntu-latest + container: catthehacker/ubuntu:act-24.04 + needs: determine-hosts + strategy: + matrix: + hostname: [ + Development, + Testing + ] + + steps: + - uses: actions/checkout@v5 + - uses: https://github.com/cachix/install-nix-action@v31 + with: + nix_path: nixpkgs=channel:nixos-unstable + - name: "Build host" + run: | + nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose + diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..8cb0f4b --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,17 @@ +name: "Test" +on: + pull_request: + push: +jobs: + tests: + if: false + runs-on: ubuntu-latest + container: + image: catthehacker/ubuntu:act-latest + steps: + - uses: actions/checkout@v5 + - uses: https://github.com/cachix/install-nix-action@v31 + with: + nix_path: nixpkgs=channel:nixos-unstable + - name: "My custom step" + run: nix run nixpkgs#hello diff --git a/.gitignore b/.gitignore index 485dee6..8daf605 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .idea +result From 47245b2b965c3eeeb4edd8f25d02405cfd425b08 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Thu, 5 Mar 2026 20:17:50 +0100 Subject: [PATCH 08/10] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/544961dfcce86422ba200ed9a0b00dd4b1486ec5?narHash=sha256-EVAqOteLBFmd7pKkb0%2BFIUyzTF61VKi7YmvP1tw4nEw%3D' (2025-10-15) → 'github:NixOS/nixpkgs/80bdc1e5ce51f56b19791b52b2901187931f5353?narHash=sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN%2BUHzW1jc%3D' (2026-03-04) • Updated input 'sops-nix': 'github:Mic92/sops-nix/ab8d56e85b8be14cff9d93735951e30c3e86a437?narHash=sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E%3D' (2025-10-13) → 'github:Mic92/sops-nix/1d9b98a29a45abe9c4d3174bd36de9f28755e3ff?narHash=sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw%3D' (2026-03-02) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 67df8c4..da5c167 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1760524057, - "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=", + "lastModified": 1772624091, + "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5", + "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1760393368, - "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", + "lastModified": 1772495394, + "narHash": "sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", + "rev": "1d9b98a29a45abe9c4d3174bd36de9f28755e3ff", "type": "github" }, "original": { From 5a031b48ed6931460084244f1a395397ecafbcb9 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Thu, 5 Mar 2026 20:26:33 +0100 Subject: [PATCH 09/10] fix(vaultwarden): Update image - fix webui not loading --- modules/apps/vaultwarden/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/apps/vaultwarden/default.nix b/modules/apps/vaultwarden/default.nix index 4510299..907dda4 100644 --- a/modules/apps/vaultwarden/default.nix +++ b/modules/apps/vaultwarden/default.nix @@ -13,12 +13,12 @@ in { description = "Vaultwarden WebUI port"; }; domain = lib.mkOption { - type = lib.types.string; + type = lib.types.str; example = "https://vault.depeuter.dev"; description = "Domain to configure Vaultwarden on"; }; name = lib.mkOption { - type = lib.types.string; + type = lib.types.str; example = "Hugo's Vault"; description = "Service name to use for invitations and mail"; }; @@ -77,7 +77,7 @@ in { dataDir = "/data"; in { hostname = "vaultwarden"; - image = "vaultwarden/server:1.34.3-alpine"; + image = "vaultwarden/server:1.35.4-alpine"; autoStart = true; ports = [ "${toString cfg.port}:80/tcp" From 3648b4d5359e67ca5689ec70f7d1e978f1926945 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Tue, 17 Mar 2026 21:44:54 +0100 Subject: [PATCH 10/10] meta: add AI agent rules and skills Create a modular, context-aware style guide for AI code assistants. - Add nixos-architecture skill for .nix file generation and networking patterns - Add dns-management rule to enforce Bind9 SOA serial increments - Add cicd-networking rule for direct-IP runner authentication - Add git-workflow rule to enforce conventional and atomic commits --- .agent/rules/ci-cd-networking-constraints.md | 13 ++++++ .agent/rules/dns-management.md | 14 ++++++ .agent/rules/git-workflow.md | 21 +++++++++ .agent/skills/nixos-architecture/SKILL.md | 47 ++++++++++++++++++++ 4 files changed, 95 insertions(+) create mode 100644 .agent/rules/ci-cd-networking-constraints.md create mode 100644 .agent/rules/dns-management.md create mode 100644 .agent/rules/git-workflow.md create mode 100644 .agent/skills/nixos-architecture/SKILL.md diff --git a/.agent/rules/ci-cd-networking-constraints.md b/.agent/rules/ci-cd-networking-constraints.md new file mode 100644 index 0000000..89c1866 --- /dev/null +++ b/.agent/rules/ci-cd-networking-constraints.md @@ -0,0 +1,13 @@ +--- +name: cicd-networking +description: Networking constraints for CI/CD workflow files (Gitea/GitHub Actions). +globs: [".github/workflows/.yml", ".github/workflows/.yaml", ".gitea/workflows/.yml", ".gitea/workflows/.yaml"] +--- + +# Bos55 CI/CD Networking Constraints + +When generating or modifying CI/CD workflows, strictly follow these networking practices: + +1. **IP-Based Login for Reliability** + - When CI runners (like Gitea Actions) need to interact with internal services for authentication or deployment, always use direct IP addresses (e.g., `192.168.0.25`) for machine-to-machine login steps. + - **Why?** This bypasses potential DNS resolution issues or delays within the isolated runner environment, ensuring maximum robustness during automated CI/CD runs. diff --git a/.agent/rules/dns-management.md b/.agent/rules/dns-management.md new file mode 100644 index 0000000..e8e6a7b --- /dev/null +++ b/.agent/rules/dns-management.md @@ -0,0 +1,14 @@ +--- +name: dns-management +description: Hard constraints for modifying Bind9 DNS zone files. +globs: ["db.", ".zone"] +--- + +# Bos55 DNS Management Constraints + +When modifying or generating Bind9 zone files, you MUST strictly adhere to the following rules: + +1. **Serial Increment (CRITICAL)** + - Every single time you modify a Bind9 zone file (e.g., `db.depeuter.dev`), you MUST increment the Serial number in the SOA record. Failure to do so will cause DNS propagation to fail. +2. **Domain Name Specificity** + - Prefer a single, well-defined explicit domain (e.g., `nix-cache.depeuter.dev`) instead of creating multiple aliases or using magic values. Keep records clean and explicit. diff --git a/.agent/rules/git-workflow.md b/.agent/rules/git-workflow.md new file mode 100644 index 0000000..6d41ee2 --- /dev/null +++ b/.agent/rules/git-workflow.md @@ -0,0 +1,21 @@ +--- +name: git-workflow +description: Rules for generating Git commit messages and managing branch workflows. +globs: ["COMMIT_EDITMSG", ".git/*"] +--- + +# Git Workflow Constraints + +When generating commit messages, reviewing code for a commit, or planning a branch workflow, strictly follow these standards: + +1. **Commit Formatting** + - **Conventional Commits**: You MUST format all commit messages using conventional prefixes: `feat:`, `fix:`, `docs:`, `refactor:`, `ci:`, `meta:`. + - **Clarity**: Ensure the message clearly explains *what* changed and *why*. +2. **Atomic Commits** + - Group changes by a single logical concern. + - NEVER mix documentation updates, core infrastructure code, and style guide changes in the same commit. + - Ensure that the generated commit is easily revertible without breaking unrelated features. +3. **Branching Workflow** + - Always assume changes will be pushed to a feature branch to create a Pull Request. + - Do not suggest or generate commands that push directly to the main branch. + diff --git a/.agent/skills/nixos-architecture/SKILL.md b/.agent/skills/nixos-architecture/SKILL.md new file mode 100644 index 0000000..2eb63bf --- /dev/null +++ b/.agent/skills/nixos-architecture/SKILL.md @@ -0,0 +1,47 @@ +--- +name: bos55-nix-architecture +description: Implementation patterns for NixOS configurations, networking, and service modules. +globs: [".nix", "hosts/**/", "modules//*", "secrets//*"] +--- + +# NixOS Architecture Skill + +When generating or modifying NixOS configuration files for the Bos55 project, strictly adhere to the following architectural patterns: + +## 1. Minimal Hardcoding & Dynamic Discovery + +- **Local IP Ownership**: Define IPv4/IPv6 addresses **only** within their respective host configuration files (e.g., `hosts//default.nix`). Do not use global IP mapping modules. +- **Inter-Host Discovery**: Resolve a host's IP or port by evaluating its configuration at build time. Never hardcode another host's IP. + **Pattern Example**: + ``` + let + bcConfig = inputs.self.nixosConfigurations.BinaryCache.config; + bcIp = (pkgs.lib.head bcConfig.networking.interfaces.ens18.ipv4.addresses).address; + in "http://${bcIp}:8080" + ``` +- **Unified Variables**: Use local variables (e.g., `let dbName = "attic"; in ...`) for shared values between host services and containers to ensure consistency. + +## 2. Modular Service Encapsulation + +- **Self-Contained Modules**: Service modules (`modules/services//default.nix`) must manage their own configurations. Prefer `lib.mkOption` over hardcoded strings for domains, ports, and credentials. +- **Firewall Responsibility**: Open ports (e.g., TCP 8080, SSH 22) directly within the service module based on its own options. Do not open service ports manually in host files. +- **Remote Builders**: Define `nix.settings.trusted-users`, `builder` user, and SSH rules directly within the service module if it supports remote building (e.g., Attic). + +## 3. Networking & Connectivity + +- **Container-to-Host**: Host services must connect to companion containers using the container name, not the bridge IP or `localhost`. +- **Host Resolution**: Map the container name to `127.0.0.1` using `networking.extraHosts` in the host service module to route traffic seamlessly. +- **Domain Deferral**: Client modules must defer their default domain settings to the server module's defined domain option. + +## 4. Secrets Management + +- **Sops-Nix Exclusivity**: Manage all secrets via `sops-nix`. +- **Centralized Config**: Rely on `modules/common/default.nix` for fleet-wide settings like `defaultSopsFile` and `age.keyFile`. +- **References**: Always reference credentials dynamically using `config.sops.secrets."path/to/secret".path`. + +## 5. Security & Documentation + +- **Supply Chain Protection**: Always verify and lock Nix flake inputs. Use fixed-output derivations for external resource downloads. +- **Assumptions Documentation**: Clearly document environment assumptions (e.g., Proxmox virtualization, Tailscale networking, and specific IP ranges) in host or service READMEs. +- **Project Structure**: Maintain the strict separation of `hosts/`, `modules/`, `users/`, and `secrets/` to ensure clear ownership and security boundaries. +