Add custom video backup & bump arion

videos which are so precious they are hard to get in case of a system
failure

Arion: Bump auth

Arion: Bump dashboard

Arion: Bump DNS

Arion: Bump git

Arion: Bump infrastructure

Arion: Bump media

Arion: Bump minio

Arion: Bump nextcloud

Arion: Bump

bump

hosts/franz/arion/auth/arion-compose.nix

@@ -1,5 +1,5 @@
 let
-  authentikImage = "ghcr.io/goauthentik/server:2024.10.4";
+  authentikImage = "ghcr.io/goauthentik/server:2024.12.0";
 in {
   project.name = "auth";
 

hosts/franz/arion/dashboard/arion-compose.nix

@@ -1,4 +1,4 @@
-{pkgs, ...}: {
+{
   project.name = "dashboard";
 
   networks.dmz = {
@@ -8,7 +8,7 @@
 
   services = {
     homarr.service = {
-      image = "ghcr.io/ajnart/homarr:0.15.3";
+      image = "ghcr.io/ajnart/homarr:0.15.10";
       container_name = "homarr";
       labels = {
         "traefik.enable" = "true";

hosts/franz/arion/dns/arion-compose.nix

@@ -1,4 +1,4 @@
-{pkgs, ...}: {
+{
   project.name = "dns";
 
   networks.dmz = {
@@ -20,7 +20,7 @@
 
   services = {
     pihole.service = {
-      image = "pihole/pihole:2024.03.1";
+      image = "pihole/pihole:2024.07.0";
       container_name = "pihole";
       hostname = "pihole";
       environment = {
@@ -59,7 +59,7 @@
       ];
     };
     unbound.service = {
-      image = "mvance/unbound:1.19.3";
+      image = "mvance/unbound:1.21.1";
       container_name = "unbound";
       volumes = [
         "/home/ghoscht/.docker/dns/unbound_data:/opt/unbound/etc/unbound"

hosts/franz/arion/git/arion-compose.nix

@@ -10,7 +10,7 @@
 
   services = {
     forgejo.service = {
-      image = "codeberg.org/forgejo/forgejo:9.0.2";
+      image = "codeberg.org/forgejo/forgejo:9.0.3";
       container_name = "forgejo";
       useHostStore = true;
       labels = {

hosts/franz/arion/infrastructure/arion-compose.nix

@@ -1,4 +1,4 @@
-{pkgs, ...}: {
+{
   project.name = "infrastructure";
 
   networks.dmz = {
@@ -12,7 +12,7 @@
 
   services = {
     traefik.service = {
-      image = "traefik:3.1.4";
+      image = "traefik:3.2.3";
       container_name = "traefik";
       useHostStore = true;
       ports = [

hosts/franz/arion/matrix/arion-compose.nix

@@ -1,113 +0,0 @@
-{pkgs, ...}: {
-  project.name = "matrix";
-
-  networks.dmz = {
-    name = "dmz";
-    external = true;
-  };
-
-  networks.transport = {};
-
-  services = {
-    synapse.service = {
-      image = "matrixdotorg/synapse:v1.118.0";
-      container_name = "synapse";
-      labels = {
-        "traefik.enable" = "true";
-
-        "traefik.http.services.synapse.loadbalancer.server.port" = "8008";
-        "traefik.http.routers.synapse.service" = "synapse";
-        "traefik.http.routers.synapse.entrypoints" = "websecure";
-        "traefik.http.routers.synapse.rule" = "Host(`synapse.ghoscht.com`)";
-        "traefik.docker.network" = "dmz";
-        "traefik.http.routers.synapse.tls" = "true";
-        "traefik.http.routers.synapse.tls.certresolver" = "letsencrypt";
-
-        "traefik.http.services.synapse-external.loadbalancer.server.port" = "8008";
-        "traefik.http.routers.synapse-external.service" = "synapse-external";
-        "traefik.http.routers.synapse-external.rule" = "Host(`synapse.ghoscht.com`)";
-        "traefik.http.routers.synapse-external.entrypoints" = "websecure-external";
-        "traefik.http.routers.synapse-external.tls" = "true";
-        "traefik.http.routers.synapse-external.tls.certresolver" = "letsencrypt";
-      };
-      volumes = [
-        "/storage/dataset/docker/matrix/synapse_data:/data"
-      ];
-      env_file = [
-        "/home/ghoscht/.docker/matrix/synapse.env"
-      ];
-      environment = {
-        UID = "1000";
-        GID = "1000";
-        TZ = "Europe/Berlin";
-      };
-      restart = "unless-stopped";
-      networks = [
-        "dmz"
-        "transport"
-      ];
-    };
-    postgres.service = {
-      image = "postgres:14";
-      env_file = [
-        "/home/ghoscht/.docker/matrix/synapse.env"
-      ];
-      volumes = [
-        "/storage/dataset/docker/matrix/synapse_db:/var/lib/postgresql/data"
-      ];
-      restart = "unless-stopped";
-      networks = [
-        "transport"
-      ];
-    };
-    matrix-nginx.service = {
-      container_name = "matrix-nginx";
-      image = "nginx:1.25.4";
-      volumes = [
-        "/storage/dataset/docker/matrix/nginx_data/matrix.conf:/etc/nginx/conf.d/matrix.conf"
-        "/storage/dataset/docker/matrix/nginx_data/www:/var/www/"
-      ];
-      labels = {
-        "traefik.enable" = "true";
-
-        "traefik.http.services.matrix.loadbalancer.server.port" = "80";
-        "traefik.http.routers.matrix.service" = "matrix";
-        "traefik.http.routers.matrix.entrypoints" = "websecure";
-        "traefik.http.routers.matrix.rule" = "Host(`matrix.ghoscht.com`)";
-        "traefik.docker.network" = "dmz";
-        "traefik.http.routers.matrix.tls" = "true";
-        "traefik.http.routers.matrix.tls.certresolver" = "letsencrypt";
-
-        "traefik.http.services.matrix-external.loadbalancer.server.port" = "80";
-        "traefik.http.routers.matrix-external.service" = "matrix-external";
-        "traefik.http.routers.matrix-external.rule" = "Host(`matrix.ghoscht.com`)";
-        "traefik.http.routers.matrix-external.entrypoints" = "websecure-external";
-        "traefik.http.routers.matrix-external.tls" = "true";
-        "traefik.http.routers.matrix-external.tls.certresolver" = "letsencrypt";
-      };
-      restart = "unless-stopped";
-      networks = [
-        "transport"
-        "dmz"
-      ];
-    };
-    element.service = {
-      image = "vectorim/element-web:v1.11.64";
-      volumes = [
-        "/storage/dataset/docker/matrix/element_data/element-config.json:/app/config.json"
-      ];
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.element.entrypoints" = "websecure";
-        "traefik.http.routers.element.rule" = "Host(`chat.ghoscht.com`)";
-        "traefik.docker.network" = "dmz";
-        "traefik.http.routers.element.tls" = "true";
-        "traefik.http.routers.element.tls.certresolver" = "letsencrypt";
-      };
-      restart = "unless-stopped";
-      networks = [
-        "dmz"
-      ];
-    };
-  };
-}

hosts/franz/arion/matrix/arion-pkgs.nix

@@ -1,6 +0,0 @@
-# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
-import <nixpkgs> {
-  # We specify the architecture explicitly. Use a Linux remote builder when
-  # calling arion from other platforms.
-  system = "x86_64-linux";
-}

hosts/franz/arion/matrix/default.nix

@@ -1,30 +0,0 @@
-{config, ...}: let
-  vars = import ../../../../vars.nix;
-in {
-  # virtualisation.arion = {
-  #   projects.matrix.settings = {
-  #     imports = [./arion-compose.nix];
-  #   };
-  # };
-
-  sops.secrets."matrix/postgres_password" = {
-    owner = vars.user;
-  };
-  sops.secrets."matrix/postgres_database" = {
-    owner = vars.user;
-  };
-  sops.secrets."matrix/postgres_user" = {
-    owner = vars.user;
-  };
-
-  sops.templates."synapse.env" = {
-    path = "/home/${vars.user}/.docker/matrix/synapse.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      POSTGRES_DB="${config.sops.placeholder."matrix/postgres_database"}"
-      POSTGRES_USER="${config.sops.placeholder."matrix/postgres_user"}"
-      POSTGRES_PASSWORD="${config.sops.placeholder."matrix/postgres_password"}"
-    '';
-  };
-}

hosts/franz/arion/media/arion-compose.nix

@@ -44,7 +44,7 @@
       ];
     };
     navidrome.service = {
-      image = "deluan/navidrome:0.53.3";
+      image = "deluan/navidrome:0.54.1";
       container_name = "navidrome";
       labels = {
         "traefik.enable" = "true";
@@ -146,7 +146,7 @@
       ];
     };
     prowlarr.service = {
-      image = "linuxserver/prowlarr:1.27.0";
+      image = "linuxserver/prowlarr:1.28.2";
       container_name = "prowlarr";
       labels = {
         "traefik.enable" = "true";
@@ -206,7 +206,7 @@
       restart = "always";
     };
     radarr.service = {
-      image = "linuxserver/radarr:5.15.1";
+      image = "linuxserver/radarr:5.16.3";
       container_name = "radarr";
       labels = {
         "traefik.enable" = "true";
@@ -237,7 +237,7 @@
       restart = "always";
     };
     lidarr.service = {
-      image = "linuxserver/lidarr:2.7.1";
+      image = "linuxserver/lidarr:2.8.2";
       container_name = "lidarr";
       labels = {
         "traefik.enable" = "true";
@@ -353,33 +353,6 @@
       };
       restart = "always";
     };
-    # deemix.service = {
-    #   image = "finniedj/deemix:latest";
-    #   container_name = "deemix";
-    #   labels = {
-    #     "traefik.enable" = "true";
-    #     "traefik.http.routers.deemix.entrypoints" = "websecure";
-    #     "traefik.http.routers.deemix.rule" = "Host(`deemix.ghoscht.com`)";
-    #     "traefik.http.services.deemix.loadbalancer.server.port" = "6595";
-    #     "traefik.docker.network" = "dmz";
-    #     "traefik.http.routers.deemix.tls" = "true";
-    #     "traefik.http.routers.deemix.tls.certresolver" = "letsencrypt";
-    #   };
-    #   volumes = [
-    #     "/home/ghoscht/.data/deemix:/downloads"
-    #   ];
-    #   environment = {
-    #     PUID = 1000;
-    #     PGID = 1000;
-    #     UMASK_SET = 022;
-    #     TZ = "Europe/Berlin";
-    #   };
-    #   network_mode = "service:vpn";
-    #   depends_on = {
-    #     vpn = {condition = "service_healthy";};
-    #   };
-    #   restart = "always";
-    # };
     unpackerr.service = {
       image = "golift/unpackerr:0.14.5";
       container_name = "unpackerr";

hosts/franz/arion/minio/arion-compose.nix

@@ -8,7 +8,7 @@
 
   services = {
     minio.service = {
-      image = "bitnami/minio:2024.5.10";
+      image = "bitnami/minio:2024.12.18";
       container_name = "minio";
       labels = {
         "traefik.enable" = "true";

hosts/franz/arion/nextcloud/arion-compose.nix

@@ -10,7 +10,7 @@
 
   services = {
     nextcloud.service = {
-      image = "nextcloud:28.0.4";
+      image = "nextcloud:30.0.4";
       container_name = "nextcloud";
       useHostStore = true;
       labels = {
@@ -30,6 +30,7 @@
       environment = {
         REDIS_HOST = "nextcloud-redis";
         REDIS_PORT = 6379;
+        TRUSTED_PROXIES = "172.27.0.9/24";
       };
       restart = "unless-stopped";
       networks = [

hosts/franz/arion/passwords/arion-compose.nix

@@ -8,7 +8,7 @@
 
   services = {
     vaultwarden.service = {
-      image = "vaultwarden/server:1.32.5";
+      image = "vaultwarden/server:1.32.7";
       container_name = "vaultwarden";
       labels = {
         "traefik.enable" = "true";

hosts/franz/arion/push/arion-compose.nix

@@ -1,4 +1,4 @@
-{pkgs, ...}: {
+{
   project.name = "push";
 
   networks.dmz = {
@@ -8,7 +8,7 @@
 
   services = {
     ntfy.service = {
-      image = "binwiederhier/ntfy:v2.10.0";
+      image = "binwiederhier/ntfy:v2.11.0";
       container_name = "ntfy";
       user = "1000:1000";
       command = "serve";

hosts/franz/arion/smarthome/arion-compose.nix

@@ -1,4 +1,4 @@
-{pkgs, ...}: {
+{
   project.name = "smarthome";
 
   networks.dmz = {
@@ -8,7 +8,7 @@
 
   services = {
     homeassistant.service = {
-      image = "ghcr.io/home-assistant/home-assistant:2024.4.1";
+      image = "ghcr.io/home-assistant/home-assistant:2024.12.5";
       container_name = "homeassistant";
       privileged = true;
       labels = {

hosts/franz/restic.nix

@@ -302,6 +302,14 @@ in {
           cron: '55 3 * * *' # Every Day at 3:55
           hooks:
             <<: *default_hooks
+        videos:
+          from: /home/ghoscht/Videos
+          to:
+            - zfs
+            - eustachius
+          cron: '55 3 * * *' # Every Day at 3:55
+          hooks:
+            <<: *default_hooks
       backends:
         zfs:
           type: local