From 51bccd5b74c0aaf71cde8f60e23297f78a554a21 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Fri, 5 May 2023 22:33:05 +0200
Subject: [PATCH] migrate pepe services to chungus
---
nixos/components/network/tinc/private.nix | 1 +
nixos/machines/chungus/configuration.nix | 21 ++++---
nixos/machines/chungus/hass-mqtt.nix | 15 +++++
nixos/machines/chungus/hass-zigbee2mqtt.nix | 56 +++++++++++++++++++
nixos/machines/chungus/hass.nix | 16 ++++++
nixos/machines/chungus/media-jellyfin.nix | 34 +++++++++++
nixos/machines/chungus/media-share.nix | 28 ++++++++++
.../chungus/{tdarr.nix => media-tdarr.nix} | 24 +-------
.../chungus/{tinc.nix => network-tinc.nix} | 0
nixos/machines/pepe/configuration.nix | 9 ++-
10 files changed, 170 insertions(+), 34 deletions(-)
create mode 100644 nixos/machines/chungus/hass-mqtt.nix
create mode 100644 nixos/machines/chungus/hass-zigbee2mqtt.nix
create mode 100644 nixos/machines/chungus/hass.nix
create mode 100644 nixos/machines/chungus/media-jellyfin.nix
create mode 100644 nixos/machines/chungus/media-share.nix
rename nixos/machines/chungus/{tdarr.nix => media-tdarr.nix} (70%)
rename nixos/machines/chungus/{tinc.nix => network-tinc.nix} (100%)
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
index f40eded..4160682 100644
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@@ -37,6 +37,7 @@ let
 "tts.chungus" = hosts.chungus;
 "tdarr.chungus" = hosts.chungus;
 "sync.chungus" = hosts.chungus;
+ "flix.chungus" = hosts.chungus;
 };
 network = "private";
 in
diff --git a/nixos/machines/chungus/configuration.nix b/nixos/machines/chungus/configuration.nix
index 643790e..fa604ea 100644
--- a/nixos/machines/chungus/configuration.nix
+++ b/nixos/machines/chungus/configuration.nix
@@ -5,23 +5,26 @@ ./hardware-configuration.nix ../../system/server ./disko-config.nix - ./packages.nix - ./tinc.nix - #./mail-fetcher.nix - #./hass.nix - #./zigbee2mqtt.nix + #./network-wireguard.nix + ./network-tinc.nix + + ./hass.nix + ./hass-zigbee2mqtt.nix + ./hass-mqtt.nix + #./hass-wifi.nix + #./syncthing.nix - #./wifi-access-point.nix + #./mail-fetcher.nix #./borg.nix #./taskwarrior-pushover.nix - ./tdarr.nix - #./jellyfin.nix + ./media-share.nix + ./media-tdarr.nix + ./media-jellyfin.nix - #./wireguard.nix # logging ./loki.nix
diff --git a/nixos/machines/chungus/hass-mqtt.nix b/nixos/machines/chungus/hass-mqtt.nix
new file mode 100644
index 0000000..8a317d6
--- /dev/null
+++ b/nixos/machines/chungus/hass-mqtt.nix
@@ -0,0 +1,15 @@
+{ lib, ... }: {
+
+ services.mosquitto = {
+ enable = true;
+ listeners = [{
+ acl = [ "pattern readwrite #" ];
+ omitPasswordAuth = true;
+ settings.allow_anonymous = true;
+ }];
+ };
+
+ # open for tasmota
+ networking.firewall.allowedTCPPorts = [ 1883 ];
+
+}
diff --git a/nixos/machines/chungus/hass-zigbee2mqtt.nix b/nixos/machines/chungus/hass-zigbee2mqtt.nix
new file mode 100644
index 0000000..8749a64
--- /dev/null
+++ b/nixos/machines/chungus/hass-zigbee2mqtt.nix
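Review bot: The Mosquitto listener in hass-mqtt.nix accepts unauthenticated clients (`settings.allow_anonymous = true`, `omitPasswordAuth = true`) under the ACL `pattern readwrite #`, and the same file opens TCP 1883 in the host firewall for every interface, so any host that can reach chungus can read and publish on all topics, including the ones zigbee2mqtt and Home Assistant act on. The listener sets no `address`, so it presumably binds all interfaces. If the Tasmota devices need the port, consider a `users.<name>` entry with a `passwordFile` and a narrower ACL for them, and open 1883 only on the interface they sit on with `networking.firewall.interfaces.<name>.allowedTCPPorts`. As configured, the `user`/`password` that hass-zigbee2mqtt.nix sends are not checked by this broker.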
@@ -0,0 +1,56 @@
+{ pkgs, lib, config, private_assets, ... }:
+
+{
+ imports = [ ./hass-mqtt.nix ];
+
+ services.zigbee2mqtt = {
+ enable = true;
+ dataDir = "/srv/zigbee2mqtt";
+ settings = {
+
+ # Home Assistant integration (MQTT discovery)
+ homeassistant = true;
+
+ # allow new devices to join
+ permit_join = false;
+
+ # MQTT settings
+ mqtt = {
+ # MQTT base topic for zigbee2mqtt MQTT messages
+ base_topic = "zigbee2mqtt";
+ # MQTT server URL
+ server = "mqtt://127.0.0.1:1883";
+ # MQTT server authentication, uncomment if required:
+ user = "zigbee";
+ password = lib.fileContents "${private_assets}/zigbee/home-assistant-password";
+ };
+
+ # Serial settings
+ serial = {
+ #port = "/dev/ttyACM0";
+ port = "/dev/ttyUSB0";
+ # disable LED of CC2531 USB sniffer
+ #disable_led = true;
+ };
+
+ # you own network key,
+ # 16 numbers between 0 and 255
+ # see https://www.zigbee2mqtt.io/how_tos/how_to_secure_network.html
+ advanced = {
+ network_key = import "${private_assets}/zigbee/networkKey.nix";
+ log_output = [ "console" ];
+ log_level = "warn";
+ pan_id = 1337;
+ # add last seen information
+ last_seen = "ISO_8601_local";
+ };
+
+ # configure web ui
+ frontend.port = 9666;
+ frontend.host = "0.0.0.0";
+ experimental.new_api = true;
+
+ };
+ };
+
+}
diff --git a/nixos/machines/chungus/hass.nix b/nixos/machines/chungus/hass.nix
new file mode 100644
index 0000000..0397905
--- /dev/null
+++ b/nixos/machines/chungus/hass.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+{
+
+ virtualisation.oci-containers = {
+ containers.homeassistant = {
+ volumes = [ "/srv/home-assistant:/config" ];
+ environment.TZ = "Europe/Berlin";
+ image = "ghcr.io/home-assistant/home-assistant:stable"; # Warning: if the tag does not change, the image will not be updated
+ extraOptions = [ "--network=host" ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8123 ];
+ networking.firewall.allowedUDPPorts = [ 8123 ];
+
+}
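Review bot: `password = lib.fileContents "${private_assets}/zigbee/home-assistant-password"` and `network_key = import "${private_assets}/zigbee/networkKey.nix"` in hass-zigbee2mqtt.nix are read at evaluation time, so both values are likely rendered into the generated zigbee2mqtt configuration inside the world-readable Nix store. Zigbee2MQTT can resolve `!secret` references from a `secret.yaml` kept in its data directory, which would keep the MQTT password and the Zigbee network key out of the store; worth confirming against the module version in use. The frontend is bound with `frontend.host = "0.0.0.0"` and no `frontend.auth_token`; port 9666 is not opened in this hunk, but if it is reachable by other means the UI can toggle `permit_join`, so a token or a loopback bind behind the proxy would be safer.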
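Review bot: The Home Assistant container in hass.nix is pulled by the mutable tag `ghcr.io/home-assistant/home-assistant:stable` and started with `--network=host`, so whatever is later published under that tag runs with direct access to the host's local listeners. Pinning by digest, `image = "ghcr.io/home-assistant/home-assistant@sha256:<digest>";` (placeholder), makes each update an explicit, reviewable change. `networking.firewall.allowedUDPPorts = [ 8123 ];` looks unnecessary, since nothing in this file uses UDP on 8123; dropping it keeps the opened surface to the TCP web port.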
diff --git a/nixos/machines/chungus/media-jellyfin.nix b/nixos/machines/chungus/media-jellyfin.nix
new file mode 100644
index 0000000..d07748f
--- /dev/null
+++ b/nixos/machines/chungus/media-jellyfin.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+{
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ group = "media";
+ user = "media";
+ };
+ #hardware.opengl = {
+ # enable = true;
+ # driSupport = true;
+ # driSupport32Bit = true;
+ #};
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."flix.${config.networking.hostName}.private" = {
+ serverAliases = [ "flix.${config.networking.hostName}" ];
+ extraConfig = ''
+ # Security / XSS Mitigation Headers
+ # NOTE: X-Frame-Options may cause issues with the webOS app
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+ '';
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ proxyPass = "http://localhost:8096";
+ };
+ };
+ };
+
+}
diff --git a/nixos/machines/chungus/media-share.nix b/nixos/machines/chungus/media-share.nix
new file mode 100644
index 0000000..4364a57
--- /dev/null
+++ b/nixos/machines/chungus/media-share.nix
@@ -0,0 +1,28 @@
+{ config, ... }:
+{
+
+ # To set password:
+ # nix-shell -p samba --run "smbpasswd -a media"
+ custom.samba-share.enable = true;
+ custom.samba-share.private = {
+ media = {
+ folder = "/media";
+ users = "media";
+ };
+ temp = {
+ folder = "/srv/tdarr/transcode_cache";
+ users = "media";
+ };
+ };
+
+ users.groups."media".gid = config.ids.gids.transmission;
+ users.users."media" = {
+ uid = config.ids.uids.transmission;
+ group = "media";
+ };
+
+ services.permown."/media" = {
+ owner = "media";
+ group = "media";
+ };
+}
diff --git a/nixos/machines/chungus/tdarr.nix b/nixos/machines/chungus/media-tdarr.nix
similarity index 70%
rename from nixos/machines/chungus/tdarr.nix
rename to nixos/machines/chungus/media-tdarr.nix
index ccc1d0b..407ef8f 100644
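Review bot: `services.jellyfin.openFirewall = true` in media-jellyfin.nix opens Jellyfin's own ports in the host firewall, so clients can reach the backend directly and bypass the nginx virtual host together with the headers set in its `extraConfig`. If access is meant to go through `flix.<hostName>.private`, drop `openFirewall` and open only the proxy port, ideally per interface with `networking.firewall.interfaces.<name>.allowedTCPPorts`. Nothing in the hunk enables TLS on the virtual host, so logins travel as plain HTTP unless the tinc link is the only path; a comment stating that assumption would help. `X-XSS-Protection` is ignored by current browsers, so a `Content-Security-Policy` header would add more than it does.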
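Review bot: The `media` user and group in media-share.nix take `config.ids.uids.transmission` and `config.ids.gids.transmission` with no comment explaining the borrowed ids; enabling the transmission module on this host later would presumably yield two accounts sharing one uid. A line such as `# reuse transmission's static ids so ownership on /media stays stable` (if that is the reason) would record the intent. The new `temp` share exports `/srv/tdarr/transcode_cache`, but `services.permown` covers only `/media`, so ownership of the transcode directory depends on whatever creates it.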
--- a/nixos/machines/chungus/tdarr.nix
+++ b/nixos/machines/chungus/media-tdarr.nix
@@ -1,28 +1,8 @@ { config, lib, pkgs, ... }: { - # To set password: - # nix-shell -p samba --run "smbpasswd -a media" - custom.samba-share.enable = true; - custom.samba-share.private.media = { - folder = "/media"; - users = "media"; - }; - - users.groups."media".gid = config.ids.gids.transmission; - users.users."media" = { - uid = config.ids.uids.transmission; - group = "media"; - }; - - services.permown."/media" = { - owner = "media"; - group = "media"; - }; - # https://docs.tdarr.io/docs/installation/docker/run-compose virtualisation.oci-containers = { - # backend = "podman"; containers.tdarr = { volumes = [ "/srv/tdarr/server:/app/server"
@@ -39,8 +19,8 @@
 inContainer = "true";
 nodeName = "ServerNode";
 TZ = "Europe/London";
- PUID = toString config.ids.uids.transmission;
- PGID = toString config.ids.gids.transmission;
+ PUID = toString config.users.users.media.uid;
+ PGID = toString config.users.groups.media.gid;
 };
 ports = [
 "8265:8265" # WebUI
diff --git a/nixos/machines/chungus/tinc.nix b/nixos/machines/chungus/network-tinc.nix
similarity index 100%
rename from nixos/machines/chungus/tinc.nix
rename to nixos/machines/chungus/network-tinc.nix
diff --git a/nixos/machines/pepe/configuration.nix b/nixos/machines/pepe/configuration.nix
index b973c90..39180b0 100644
--- a/nixos/machines/pepe/configuration.nix
+++ b/nixos/machines/pepe/configuration.nix
@@ -7,8 +7,10 @@ ./mail-fetcher.nix ./packages.nix - ./hass.nix - ./zigbee2mqtt.nix + + #./hass.nix + #./zigbee2mqtt.nix + #./kodi.nix ./syncthing.nix ./tinc.nix @@ -32,7 +34,8 @@ ./telegraf.nix ./home-display.nix - ./tdarr.nix + + #./tdarr.nix ];
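Review bot: `PUID = toString config.users.users.media.uid;` and `PGID = toString config.users.groups.media.gid;` in media-tdarr.nix now depend on the `media` user and group that this commit moves into media-share.nix, yet media-tdarr.nix does not import that file. hass-zigbee2mqtt.nix in the same commit declares its dependency with `imports = [ ./hass-mqtt.nix ];`; adding `imports = [ ./media-share.nix ];` here would keep the module usable on its own. Without it, dropping the share module from configuration.nix would presumably give an evaluation error or an empty PUID from `toString null`. The container definition continues outside the hunk.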