2f0d0b5e4c
Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:
- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)
{ config, lib, pkgs, ... }:
|
|
|
|
# External hard-drive storage module.
|
|
#
|
|
# Each host sets:
|
|
# homey.storage.device = "/dev/disk/by-id/usb-WD_..."; (by-id is stable across reboots)
|
|
# homey.storage.mountPoint = "/mnt/data"; (default)
|
|
#
|
|
# All service data lives under <mountPoint>/<service-name>/, so the whole
|
|
# dataset can be browsed, backed up, or restored with plain filesystem tools.
|
|
#
|
|
# Directory layout under mountPoint:
|
|
# openldap/
|
|
# etc-ldap-slapd.d/ ← /etc/ldap/slapd.d in container
|
|
# var-lib-ldap/ ← /var/lib/ldap in container
|
|
# authelia/
|
|
# config/ ← /config in container (sqlite db etc.)
|
|
# gitea/
|
|
# data/ ← /data in container
|
|
# nextcloud/
|
|
# html/ ← /var/www/html in container
|
|
# db/ ← /var/lib/postgresql/data in postgres container
|
|
# jellyfin/
|
|
# config/
|
|
# media/
|
|
# movies/
|
|
# tvshows/
|
|
# general/
|
|
# complete/
|
|
# transmission/
|
|
# config/
|
|
# restic-cache/ ← restic local cache (not the backup destination)
|
|
|
|
let
|
|
cfg = config.homey.storage;
|
|
in
|
|
{
|
|
options.homey.storage = {
|
|
device = lib.mkOption {
|
|
type = lib.types.str;
|
|
example = "/dev/disk/by-id/usb-WD_Elements_12345-0:0";
|
|
description = ''
|
|
Block device for the external hard drive.
|
|
Use /dev/disk/by-id/ paths for stable identification across reboots.
|
|
Leave empty to skip automount (useful during initial setup).
|
|
'';
|
|
default = "";
|
|
};
|
|
|
|
mountPoint = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "/mnt/data";
|
|
description = "Where the external HD is mounted. All service data lives here.";
|
|
};
|
|
|
|
fsType = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "ext4";
|
|
description = "Filesystem type of the external drive.";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf (cfg.device != "") {
|
|
# Mount the external drive
|
|
fileSystems."${cfg.mountPoint}" = {
|
|
device = cfg.device;
|
|
fsType = cfg.fsType;
|
|
options = [
|
|
"defaults"
|
|
"nofail" # Don't block boot if drive is absent
|
|
"noatime" # Better performance / less SD wear
|
|
"x-systemd.automount"
|
|
"x-systemd.idle-timeout=0"
|
|
];
|
|
};
|
|
|
|
# Ensure the mount point directory exists
|
|
systemd.tmpfiles.rules = [
|
|
"d ${cfg.mountPoint} 0755 root root -"
|
|
|
|
# Service subdirectories — created on boot so containers can start
|
|
# even before any data is restored into them.
|
|
"d ${cfg.mountPoint}/openldap 0750 root root -"
|
|
"d ${cfg.mountPoint}/openldap/etc-ldap-slapd.d 0750 root root -"
|
|
"d ${cfg.mountPoint}/openldap/var-lib-ldap 0750 root root -"
|
|
"d ${cfg.mountPoint}/authelia 0750 root root -"
|
|
"d ${cfg.mountPoint}/authelia/config 0750 root root -"
|
|
"d ${cfg.mountPoint}/gitea 0750 root root -"
|
|
"d ${cfg.mountPoint}/gitea/data 0750 root root -"
|
|
"d ${cfg.mountPoint}/nextcloud 0750 root root -"
|
|
"d ${cfg.mountPoint}/nextcloud/html 0750 root root -"
|
|
"d ${cfg.mountPoint}/nextcloud/db 0750 root root -"
|
|
"d ${cfg.mountPoint}/jellyfin 0750 root root -"
|
|
"d ${cfg.mountPoint}/jellyfin/config 0750 root root -"
|
|
"d ${cfg.mountPoint}/media 0755 root root -"
|
|
"d ${cfg.mountPoint}/media/movies 0755 root root -"
|
|
"d ${cfg.mountPoint}/media/tvshows 0755 root root -"
|
|
"d ${cfg.mountPoint}/media/general 0755 root root -"
|
|
"d ${cfg.mountPoint}/media/complete 0755 root root -"
|
|
"d ${cfg.mountPoint}/transmission 0750 root root -"
|
|
"d ${cfg.mountPoint}/transmission/config 0750 root root -"
|
|
"d ${cfg.mountPoint}/restic-cache 0700 root root -"
|
|
];
|
|
};
|
|
}
|
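Review bot: The mount options for the external drive (the `options = [ ... ]` list under `fileSystems."${cfg.mountPoint}"`) don't include `nosuid` or `nodev`, so a setuid binary or device node placed on this removable, container-writable disk — whether by a compromised service writing into its data subdirectory or by someone who had the USB drive in hand — would be honored by the host kernel when the disk is mounted. Adding `"nosuid" # removable data disk: never trust setuid bits from it` and `"nodev" # ...nor device nodes` to the list costs nothing for the stated use (service data and media); `noexec` is a separate decision, since some services may execute scripts from their data directory (gitea hooks under gitea/data look like a candidate), so test it before adding it. A second, lower-priority point: every service subdirectory in `systemd.tmpfiles.rules` is created as `root root 0750`, which only works if the podman containers run as root on the host side; if any of the service modules (not in this file) run a container as a non-root UID such as postgres or www-data, that process cannot write to its directory, so either the ownership here or a chown in the service module should state the intended UID explicitly. The header comment's directory layout also appears to list `media/` beneath `jellyfin/`, while the tmpfiles rules create `${cfg.mountPoint}/media` at the top level; if the rendering lost the indentation this is fine, otherwise the comment should be aligned with the rules.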