Arion: Add homeassistant grafana integration

Arion: Limit mollysocket to specific UUIDs
fixup! Arion: Enable autobrr oidc
2025-03-10 21:33:20 +01:00 · 2025-03-10 21:33:11 +01:00 · 2025-03-10 21:32:59 +01:00 · 2025-03-10 21:32:59 +01:00 · 2025-03-10 21:32:41 +01:00 · 2025-03-10 21:32:41 +01:00
18 changed files with 544 additions and 83 deletions
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@ -17,12 +17,12 @@
    ./smarthome
    ./signal
    ./feed
-    # ./matrix
    ./headscale
    ./auth
    ./minio
    ./stats
    ./wiki
+	 ./piped
  ];

  environment.systemPackages = with pkgs; [arion];
--- a/hosts/franz/arion/dns/arion-compose.nix
+++ b/hosts/franz/arion/dns/arion-compose.nix
@ -1,3 +1,6 @@
+let
+  unboundIpAddress = "172.29.1.5";
+in
 {
  project.name = "dns";

@ -20,14 +23,12 @@

  services = {
    pihole.service = {
-      image = "pihole/pihole:2024.07.0";
+      image = "pihole/pihole:2025.02.4";
      container_name = "pihole";
-      hostname = "pihole";
      environment = {
-        IPv6 = "True";
        TZ = "Europe/Berlin";
-        SKIPGRAVITYONBOOT = 1;
-        VIRTUAL_HOST = "pihole.ghoscht.com";
+        FTLCONF_dns_upstreams = unboundIpAddress;
+		  FTLCONF_webserver_api_password = "";
      };
      volumes = [
        "/home/ghoscht/.docker/dns/pihole_data:/etc/pihole"
@ -73,7 +74,7 @@
      ];
      environment = {
        PIHOLE_TOKEN = "505221025f9701f8a05cc22cbafeec897598b2924a9d665cbc10f0073d66da20";
-        PIHOLE_API = "http://pihole:80/admin/api.php";
+        PIHOLE_API = "http://pihole:80/api";
        # INTERVAL_SECONDS = "1";
        LOGGING_LEVEL = "DEBUG";
      };
@ -87,7 +88,7 @@
      restart = "always";
      networks = {
        dns = {
-          ipv4_address = "172.29.1.5";
+          ipv4_address = unboundIpAddress;
        };
      };
    };
--- a/hosts/franz/arion/homepage/arion-compose.nix
+++ b/hosts/franz/arion/homepage/arion-compose.nix
@ -0,0 +1,45 @@
+{
+  project.name = "homepage";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    webserver.service = {
+      image = "y4m4/s3www:v0.9.0";
+      container_name = "homepage";
+      labels = {
+        "traefik.enable" = "true";
+        "diun.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.homepage.loadbalancer.server.port" = "80";
+        "traefik.http.routers.homepage.service" = "homepage";
+        "traefik.http.routers.homepage.entrypoints" = "websecure";
+        "traefik.http.routers.homepage.rule" = "Host(`ghoscht.com`)";
+        "traefik.http.routers.homepage.tls" = "true";
+        "traefik.http.routers.homepage.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.homepage-external.loadbalancer.server.port" = "80";
+        "traefik.http.routers.homepage-external.service" = "homepage-external";
+        "traefik.http.routers.homepage-external.rule" = "Host(`ghoscht.com`)";
+        "traefik.http.routers.homepage-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.homepage-external.tls" = "true";
+        "traefik.http.routers.homepage-external.tls.certresolver" = "letsencrypt";
+      };
+      environment = {
+        S3WWW_ENDPOINT = "https://files.ghoscht.com";
+        S3WWW_ADDRESS = "0.0.0.0:80";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/homepage/s3www.env"
+      ];
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}
--- a/hosts/franz/arion/homepage/arion-pkgs.nix
+++ b/hosts/franz/arion/homepage/arion-pkgs.nix
@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}
--- a/hosts/franz/arion/homepage/default.nix
+++ b/hosts/franz/arion/homepage/default.nix
@ -0,0 +1,33 @@
+{ config, ... }:
+let
+  vars = import ../../../../vars.nix;
+in
+{
+  virtualisation.arion = {
+    projects.homepage.settings = {
+      imports = [ ./arion-compose.nix ];
+    };
+  };
+  sops.secrets = {
+    "autobrr/oidc_client_id" = {
+      owner = vars.user;
+    };
+    "autobrr/oidc_client_secret" = {
+      owner = vars.user;
+    };
+  };
+
+  sops.templates = {
+    "s3www.env" = {
+      path = "/home/${vars.user}/.docker/homepage/s3www.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        ND_SPOTIFY_ID="${config.sops.placeholder."navidrome/spotify_id"}"
+        ND_SPOTIFY_SECRET="${config.sops.placeholder."navidrome/spotify_secret"}"
+        ND_LASTFM_APIKEY="${config.sops.placeholder."navidrome/lastfm_api_key"}"
+        ND_LASTFM_SECRET="${config.sops.placeholder."navidrome/lastfm_api_secret"}"
+      '';
+    };
+  };
+}
--- a/hosts/franz/arion/media/arion-compose.nix
+++ b/hosts/franz/arion/media/arion-compose.nix
@ -363,7 +363,15 @@
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
+        AUTOBRR__CHECK_FOR_UPDATES = "false";
+        # OIDC
+        AUTOBRR__OIDC_ENABLED = "true";
+        AUTOBRR__OIDC_ISSUER = "https://auth.ghoscht.com/application/o/autobrr/";
+        AUTOBRR__OIDC_REDIRECT_URL = "https://autobrr.ghoscht.com/api/auth/oidc/callback";
      };
+      env_file = [
+        "/home/ghoscht/.docker/media/autobrr.env"
+      ];
      network_mode = "service:vpn";
      depends_on = {
        vpn = { condition = "service_healthy"; };
--- a/hosts/franz/arion/media/default.nix
+++ b/hosts/franz/arion/media/default.nix
@ -1,73 +1,95 @@
-{config, ...}: let
+{ config, ... }:
+let
  vars = import ../../../../vars.nix;
-in {
+in
+{
  virtualisation.arion = {
    projects.media.settings = {
-      imports = [./arion-compose.nix];
+      imports = [ ./arion-compose.nix ];
    };
  };

-  sops.secrets."navidrome/spotify_id" = {
-    owner = vars.user;
+  sops.secrets = {
+    "navidrome/spotify_id" = {
+      owner = vars.user;
+    };
+    "navidrome/spotify_secret" = {
+      owner = vars.user;
+    };
+    "navidrome/lastfm_api_key" = {
+      owner = vars.user;
+    };
+    "navidrome/lastfm_api_secret" = {
+      owner = vars.user;
+    };
+
+    "windscribe/openvpn_username" = {
+      owner = vars.user;
+    };
+    "windscribe/openvpn_password" = {
+      owner = vars.user;
+    };
+
+    "unpackerr/sonarr_api_key" = {
+      owner = vars.user;
+    };
+    "unpackerr/radarr_api_key" = {
+      owner = vars.user;
+    };
+    "unpackerr/lidarr_api_key" = {
+      owner = vars.user;
+    };
+
+    "autobrr/oidc_client_id" = {
+      owner = vars.user;
+    };
+    "autobrr/oidc_client_secret" = {
+      owner = vars.user;
+    };
  };

-  sops.secrets."navidrome/spotify_secret" = {
-    owner = vars.user;
-  };
-  sops.secrets."navidrome/lastfm_api_key" = {
-    owner = vars.user;
-  };
-  sops.secrets."navidrome/lastfm_api_secret" = {
-    owner = vars.user;
-  };
+  sops.templates = {
+    "navidrome.env" = {
+      path = "/home/${vars.user}/.docker/media/navidrome.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        ND_SPOTIFY_ID="${config.sops.placeholder."navidrome/spotify_id"}"
+        ND_SPOTIFY_SECRET="${config.sops.placeholder."navidrome/spotify_secret"}"
+        ND_LASTFM_APIKEY="${config.sops.placeholder."navidrome/lastfm_api_key"}"
+        ND_LASTFM_SECRET="${config.sops.placeholder."navidrome/lastfm_api_secret"}"
+      '';
+    };

-  sops.secrets."windscribe/openvpn_username" = {
-    owner = vars.user;
-  };
-  sops.secrets."windscribe/openvpn_password" = {
-    owner = vars.user;
-  };
+    "windscribe.env" = {
+      path = "/home/${vars.user}/.docker/media/windscribe.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        OPENVPN_USERNAME="${config.sops.placeholder."windscribe/openvpn_username"}"
+        OPENVPN_PASSWORD="${config.sops.placeholder."windscribe/openvpn_password"}"
+      '';
+    };

-  sops.secrets."unpackerr/sonarr_api_key" = {
-    owner = vars.user;
-  };
-  sops.secrets."unpackerr/radarr_api_key" = {
-    owner = vars.user;
-  };
-  sops.secrets."unpackerr/lidarr_api_key" = {
-    owner = vars.user;
-  };
+    "unpackerr.env" = {
+      path = "/home/${vars.user}/.docker/media/unpackerr.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        UN_SONARR_0_API_KEY="${config.sops.placeholder."unpackerr/sonarr_api_key"}"
+        UN_LIDARR_0_API_KEY="${config.sops.placeholder."unpackerr/lidarr_api_key"}"
+        UN_RADARR_0_API_KEY="${config.sops.placeholder."unpackerr/radarr_api_key"}"
+      '';
+    };

-  sops.templates."navidrome.env" = {
-    path = "/home/${vars.user}/.docker/media/navidrome.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      ND_SPOTIFY_ID="${config.sops.placeholder."navidrome/spotify_id"}"
-      ND_SPOTIFY_SECRET="${config.sops.placeholder."navidrome/spotify_secret"}"
-      ND_LASTFM_APIKEY="${config.sops.placeholder."navidrome/lastfm_api_key"}"
-      ND_LASTFM_SECRET="${config.sops.placeholder."navidrome/lastfm_api_secret"}"
-    '';
-  };
-
-  sops.templates."windscribe.env" = {
-    path = "/home/${vars.user}/.docker/media/windscribe.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      OPENVPN_USERNAME="${config.sops.placeholder."windscribe/openvpn_username"}"
-      OPENVPN_PASSWORD="${config.sops.placeholder."windscribe/openvpn_password"}"
-    '';
-  };
-
-  sops.templates."unpackerr.env" = {
-    path = "/home/${vars.user}/.docker/media/unpackerr.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      UN_SONARR_0_API_KEY="${config.sops.placeholder."unpackerr/sonarr_api_key"}"
-      UN_LIDARR_0_API_KEY="${config.sops.placeholder."unpackerr/lidarr_api_key"}"
-      UN_RADARR_0_API_KEY="${config.sops.placeholder."unpackerr/radarr_api_key"}"
-    '';
+    "autobrr.env" = {
+      path = "/home/${vars.user}/.docker/media/autobrr.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        AUTOBRR__OIDC_CLIENT_ID="${config.sops.placeholder."autobrr/oidc_client_id"}"
+        AUTOBRR__OIDC_CLIENT_SECRET="${config.sops.placeholder."autobrr/oidc_client_secret"}"
+      '';
+    };
  };
 }
--- a/hosts/franz/arion/piped/arion-compose.nix
+++ b/hosts/franz/arion/piped/arion-compose.nix
@ -0,0 +1,86 @@
+{
+  project.name = "piped";
+
+  networks = {
+    dmz = {
+      name = "dmz";
+      external = true;
+    };
+    transport = { };
+  };
+
+  services = {
+    proxy.service = {
+      image = "1337kavin/piped-proxy:latest";
+      labels = {
+        "traefik.enable" = "true";
+        "diun.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.piped-proxy.loadbalancer.server.port" = "8080";
+        "traefik.http.routers.piped-proxy.service" = "piped-proxy";
+        "traefik.http.routers.piped-proxy.entrypoints" = "websecure";
+        "traefik.http.routers.piped-proxy.rule" = "Host(`pipedproxy.ghoscht.com`)";
+        "traefik.http.routers.piped-proxy.tls" = "true";
+        "traefik.http.routers.piped-proxy.tls.certresolver" = "letsencrypt";
+
+        "pihole.custom-record" = "[[\"pipedproxy.ghoscht.com\", \"ghoscht.com\"]]";
+      };
+      environment = {
+        # UDS = "1";
+      };
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    backend.service = {
+      image = "1337kavin/piped:latest";
+      container_name = "piped";
+      labels = {
+        "traefik.enable" = "true";
+        "diun.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.piped-api.loadbalancer.server.port" = "8080";
+        "traefik.http.routers.piped-api.service" = "piped-api";
+        "traefik.http.routers.piped-api.entrypoints" = "websecure";
+        "traefik.http.routers.piped-api.rule" = "Host(`pipedapi.ghoscht.com`)";
+        "traefik.http.routers.piped-api.tls" = "true";
+        "traefik.http.routers.piped-api.tls.certresolver" = "letsencrypt";
+
+        "pihole.custom-record" = "[[\"pipedapi.ghoscht.com\", \"ghoscht.com\"]]";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/piped/piped_config/config.properties:/app/config.properties:ro"
+      ];
+      depends_on = [ "db" "bg-helper" ];
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    db.service = {
+      image = "postgres:17.2";
+      volumes = [
+        "/home/ghoscht/.docker/piped/piped_db:/var/lib/postgresql/data"
+      ];
+      env_file = [ "/home/ghoscht/.docker/piped/piped.env" ];
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    bg-helper.service = {
+      image = "1337kavin/bg-helper-server:latest";
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+  };
+}
--- a/hosts/franz/arion/piped/arion-pkgs.nix
+++ b/hosts/franz/arion/piped/arion-pkgs.nix
@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}
--- a/hosts/franz/arion/piped/default.nix
+++ b/hosts/franz/arion/piped/default.nix
@ -0,0 +1,35 @@
+{ config, ... }:
+let
+  vars = import ../../../../vars.nix;
+in
+{
+  virtualisation.arion = {
+    projects.piped.settings = {
+      imports = [ ./arion-compose.nix ];
+    };
+  };
+  sops.secrets = {
+    "piped/db_user" = {
+      owner = vars.user;
+    };
+    "piped/db_password" = {
+      owner = vars.user;
+    };
+    "piped/db_name" = {
+      owner = vars.user;
+    };
+  };
+
+  sops.templates = {
+    "piped.env" = {
+      path = "/home/${vars.user}/.docker/piped/piped.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        POSTGRES_USER="${config.sops.placeholder."piped/db_user"}"
+        POSTGRES_PASSWORD="${config.sops.placeholder."piped/db_password"}"
+        POSTGRES_DB="${config.sops.placeholder."piped/db_name"}"
+      '';
+    };
+  };
+}
--- a/hosts/franz/arion/recipes/arion-compose.nix
+++ b/hosts/franz/arion/recipes/arion-compose.nix
@ -0,0 +1,81 @@
+{
+  project.name = "recipes";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+  networks.internal = { };
+
+  services = {
+    mealie.service = {
+      image = "ghcr.io/mealie-recipes/mealie:v2.5.0";
+      container_name = "mealie";
+      # deploy.resources.limits.memory = "1000M";
+      labels = {
+        "traefik.enable" = "true";
+        "diun.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.mealie.loadbalancer.server.port" = "9000";
+        "traefik.http.routers.mealie.service" = "mealie";
+        "traefik.http.routers.mealie.entrypoints" = "websecure";
+        "traefik.http.routers.mealie.rule" = "Host(`recipes.ghoscht.com`)";
+        "traefik.http.routers.mealie.tls" = "true";
+        "traefik.http.routers.mealie.tls.certresolver" = "letsencrypt";
+
+        "pihole.custom-record" = "[[\"recipes.ghoscht.com\", \"ghoscht.com\"]]";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/recipes/mealie_data/:/app/data/"
+      ];
+      environment = {
+        ALLOW_SIGNUP = "false";
+        PUID = "1000";
+        PGID = "1000";
+        TZ = "Europe/Berlin";
+        BASE_URL = "https://recipes.ghoscht.com";
+        # Database Settings
+        DB_ENGINE = "postgres";
+        POSTGRES_SERVER = "postgres";
+        POSTGRES_PORT = "5432";
+        # OIDC
+        OIDC_AUTH_ENABLED = "true";
+        OIDC_CONFIGURATION_URL = "https://auth.ghoscht.com/application/o/mealie/.well-known/openid-configuration";
+        OIDC_PROVIDER_NAME = "Authentik";
+        OIDC_USER_GROUP = "Mealie User";
+        OIDC_ADMIN_GROUP = "Mealie Admin";
+        OIDC_AUTO_REDIRECT = "true";
+        OIDC_REMEMBER_ME = "true";
+      };
+      env_file = [ "/home/ghoscht/.docker/recipes/mealie.env" ];
+      restart = "always";
+      depends_on = [ "postgres" ];
+      networks = [
+        "dmz"
+        "internal"
+      ];
+    };
+    postgres.service = {
+      image = "postgres:17.2";
+      restart = "always";
+      volumes = [
+        "/home/ghoscht/.docker/recipes/postgres_data:/var/lib/postgresql/data"
+      ];
+      env_file = [ "/home/ghoscht/.docker/recipes/mealie_db.env" ];
+      healthcheck = {
+        test = [
+          "CMD-SHELL"
+          "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
+        ];
+        start_period = "20s";
+        interval = "30s";
+        retries = 5;
+        timeout = "5s";
+      };
+      networks = [
+        "internal"
+      ];
+    };
+  };
+}
--- a/hosts/franz/arion/recipes/arion-pkgs.nix
+++ b/hosts/franz/arion/recipes/arion-pkgs.nix
@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}
--- a/hosts/franz/arion/recipes/default.nix
+++ b/hosts/franz/arion/recipes/default.nix
@ -0,0 +1,55 @@
+{ config, ... }:
+let
+  vars = import ../../../../vars.nix;
+in
+{
+  virtualisation.arion = {
+    projects.recipes.settings = {
+      imports = [ ./arion-compose.nix ];
+    };
+  };
+  sops.secrets = {
+    "recipes/db_user" = {
+      owner = vars.user;
+    };
+    "recipes/db_password" = {
+      owner = vars.user;
+    };
+    "recipes/db_name" = {
+      owner = vars.user;
+    };
+
+    "recipes/mealie_oidc_client_id" = {
+      owner = vars.user;
+    };
+    "recipes/mealie_oidc_client_secret" = {
+      owner = vars.user;
+    };
+  };
+
+  sops.templates = {
+    "mealie_db.env" = {
+      path = "/home/${vars.user}/.docker/recipes/mealie_db.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        POSTGRES_USER="${config.sops.placeholder."recipes/db_user"}"
+        POSTGRES_PASSWORD="${config.sops.placeholder."recipes/db_password"}"
+        POSTGRES_DB="${config.sops.placeholder."recipes/db_name"}"
+      '';
+    };
+    "mealie.env" = {
+      path = "/home/${vars.user}/.docker/recipes/mealie.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        OIDC_CLIENT_ID="${config.sops.placeholder."recipes/mealie_oidc_client_id"}"
+        OIDC_CLIENT_SECRET="${config.sops.placeholder."recipes/mealie_oidc_client_secret"}"
+
+        POSTGRES_USER="${config.sops.placeholder."recipes/db_user"}"
+        POSTGRES_PASSWORD="${config.sops.placeholder."recipes/db_password"}"
+        POSTGRES_DB="${config.sops.placeholder."recipes/db_name"}"
+      '';
+    };
+  };
+}
--- a/hosts/franz/arion/signal/arion-compose.nix
+++ b/hosts/franz/arion/signal/arion-compose.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{
  project.name = "signal";

  networks.dmz = {
@ -37,8 +37,7 @@
      };
      environment = {
        MOLLY_DB = "/data/mollysocket.db";
-        MOLLY_ALLOWED_ENDPOINTS = "[\"https://push.ghoscht.com\",\"*\"]";
-        MOLLY_ALLOWED_UUIDS = "[\"*\"]";
+        MOLLY_ALLOWED_ENDPOINTS = "[\"https://push.ghoscht.com\"]";
        MOLLY_HOST = "0.0.0.0";
        MOLLY_PORT = 8020;
        RUST_LOG = "info";
--- a/hosts/franz/arion/signal/default.nix
+++ b/hosts/franz/arion/signal/default.nix
@ -1,14 +1,21 @@
-{config, ...}: let
+{ config, ... }:
+let
  vars = import ../../../../vars.nix;
-in {
+in
+{
  virtualisation.arion = {
    projects.signal.settings = {
-      imports = [./arion-compose.nix];
+      imports = [ ./arion-compose.nix ];
    };
  };

-  sops.secrets."signal/vapid_privkey" = {
-    owner = vars.user;
+  sops.secrets = {
+    "signal/vapid_privkey" = {
+      owner = vars.user;
+    };
+    "signal/allowed_uuids" = {
+      owner = vars.user;
+    };
  };

  sops.templates."mollysocket.env" = {
@ -17,6 +24,7 @@ in {
    mode = "0775";
    content = ''
      MOLLY_VAPID_PRIVKEY="${config.sops.placeholder."signal/vapid_privkey"}"
+      MOLLY_ALLOWED_UUIDS="${config.sops.placeholder."signal/allowed_uuids"}"
    '';
  };
 }
--- a/hosts/franz/arion/smarthome/arion-compose.nix
+++ b/hosts/franz/arion/smarthome/arion-compose.nix
@ -79,5 +79,20 @@
        "dmz"
      ];
    };
+    influxdb.service = {
+      image = "influxdb:2.7.11";
+      volumes = [
+        "/home/ghoscht/.docker/smarthome/influxdb_data:/var/lib/influxdb2"
+        "/home/ghoscht/.docker/smarthome/influxdb_config:/etc/influxdb2"
+      ];
+      environment = {
+        DOCKER_INFLUXDB_INIT_MODE = "setup";
+      };
+		env_file=["/home/ghoscht/.docker/smarthome/influxdb.env"];
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
  };
 }
--- a/hosts/franz/arion/smarthome/default.nix
+++ b/hosts/franz/arion/smarthome/default.nix
@ -1,7 +1,39 @@
-{config, ...}: {
+{ config, ... }:
+let
+  vars = import ../../../../vars.nix;
+in
+{
  virtualisation.arion = {
    projects.smarthome.settings = {
-      imports = [./arion-compose.nix];
+      imports = [ ./arion-compose.nix ];
+    };
+  };
+  sops.secrets = {
+    "homeassistant/influxdb_username" = {
+      owner = vars.user;
+    };
+    "homeassistant/influxdb_password" = {
+      owner = vars.user;
+    };
+    "homeassistant/influxdb_org" = {
+      owner = vars.user;
+    };
+    "homeassistant/influxdb_bucket" = {
+      owner = vars.user;
+    };
+  };
+
+  sops.templates = {
+    "influxdb.env" = {
+      path = "/home/${vars.user}/.docker/smarthome/influxdb.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        DOCKER_INFLUXDB_INIT_USERNAME="${config.sops.placeholder."homeassistant/influxdb_username"}"
+        DOCKER_INFLUXDB_INIT_PASSWORD="${config.sops.placeholder."homeassistant/influxdb_password"}"
+        DOCKER_INFLUXDB_INIT_ORG="${config.sops.placeholder."homeassistant/influxdb_org"}"
+        DOCKER_INFLUXDB_INIT_BUCKET="${config.sops.placeholder."homeassistant/influxdb_bucket"}"
+      '';
    };
  };
 }
--- a/secrets/franz.yaml
+++ b/secrets/franz.yaml
@ -1,5 +1,9 @@
 cloudflared:
    tunnel_token: ENC[AES256_GCM,data:KEnrTkTCuicpUg51AHrAj08aexQKyPdS42QexuOeK/OeQ4/px3Xrz/95XYztEjdF5eg4c0GNnJidJ2nx7UlGYq+Wp8NINZtrOWB3Vm3pq/4pjdfyX7sMTCvrYE23/pT6kAC1KH/hkhFnauCeqgOlqBDe+I3kM0lVBzIakmSfnHNWJ3PzM9kFpRSD/EprzYyUJoFW7bKY3TlngheQhXc+v0rCMXj/EsZZQRS0L3sGkvbK/xA3PKKsBA==,iv:Xsx/CwGmkr5FoL8zOsfD6ZwhHq8qLgpKEihiAg1iCsI=,tag:mewbduDjTYsAR/f+4h3y4w==,type:str]
+homepage:
+    s3_access_key: ENC[AES256_GCM,data:TzBA50zm2oAWLZgjz+wTsUqLwf4=,iv:6c+u2uvfp+uMlDFpRuI7g4H0UK2LG4VSe7U6mR5lkg4=,tag:BEoq/fC20V647gQdPqdt4Q==,type:str]
+    s3_secret_key: ENC[AES256_GCM,data:OZv6h0tIMDlHnEwLbPoTWj8k4+BuJcGkk2qqJgo0Y2CZVmMKQvdesA==,iv:CLSWWgzAUQOQTzE6Wf46+K5nMUAX2Qh+2gmOD/XE/zw=,tag:TVHUAm/4UKeW65cNo/umvQ==,type:str]
+    s3_bucket: ENC[AES256_GCM,data:Zt41Txv1pSfbFqKgoewy,iv:PdeggrHPOWP70eWvfpvwK+FaUkYyJtBHdF5iNI7QA/8=,tag:L08wEvyl+TZzG+sNPhbPZA==,type:str]
 traefik:
    acme_email: ENC[AES256_GCM,data:EZHrh9Xa3KqrBGkebvCfOo+G3cuyEwG5rtisX6UkxzViUYM=,iv:YyaUhB49lML8CUN8/xyvw62wLWbDdmTvRXBdQ+EwbUY=,tag:7sBUPAaagLy8QSuGEnfviw==,type:str]
    cloudflare_email: ENC[AES256_GCM,data:MXd2rbFmRiQFb+N4d5Ncm0FxYg==,iv:bwVm5+j+zvdw4XecSnBIVWwmvaEkwQtI8J3XQpq/lOc=,tag:7ptLXgQ9pxkuWquPkYKgCA==,type:str]
@ -19,6 +23,9 @@ navidrome:
    spotify_secret: ENC[AES256_GCM,data:sHYYHDgW0nNP7vCk0qOZdLOyetG4XbK7NaxYSt4kr68=,iv:p0+wW287UteJfJaiajX9/XOEkkm957Rs46hYaml6Of4=,tag:SsEyVYdPpO/yv9vF7Dj+HA==,type:str]
    lastfm_api_key: ENC[AES256_GCM,data:Jk9zSyoq47p49v901nc70ERsb0LqTryb9QkTEQCmSPs=,iv:SUeoRcFY5ReTfeay8ubCMSaHMk/OQh6Z3wWJ7kEsrVs=,tag:9BAcx3f9rgGn+vsdlGtgiA==,type:str]
    lastfm_api_secret: ENC[AES256_GCM,data:yI3OhYtrDBk4HKst1glPgVaUxcL+PsxW5Na9gnOBpa0=,iv:PJ3ryZMzZuilI2kI74LQ0z48vEwMvtl+AEm2kRTLJeg=,tag:fUHzpiIpTK3PMlEbCP15Fw==,type:str]
+autobrr:
+    oidc_client_id: ENC[AES256_GCM,data:mHJVRE/2O2in20FyZH28QbnObQGrzXQoa1/1gsM8kWZYflj+Pfrs7g==,iv:CICLcYVk6n14H/+tbd4MKwDR9luvoFqKsndSXWMD7QE=,tag:uviOSGIqlv8xRSRufGl9ng==,type:str]
+    oidc_client_secret: ENC[AES256_GCM,data:IikaAsfusvA/rdiew2rFRB79egBVF/kOXSb4LtQ9T1Z+dZcK/bEaM8cjdKT0RBoUh/pSWN1VByVVmKI/n6DIN8M5FIK1zrc34NEVkr4Qtpqmd+u4xQciPF7qa+EJTNfcZ5SDCtGGE/Wy2MSfJ8XSqEtbSWfQ+UXyCS7Iq3tV81Y=,iv:jTXYHIpHUpi+1uUQduoPJSE8k9wpr2saXyCgKUwNoio=,tag:P5yjWs5EDqnPHN6d3NmJ6Q==,type:str]
 windscribe:
    openvpn_username: ENC[AES256_GCM,data:IoohrQdi3sh2M0ozweR30g==,iv:2kRhmQncEQV/TRYBRf4rY5OdCw0zsiOB12KdNfaQtME=,tag:gb1deA0DFa8fEg3HTmCYhQ==,type:str]
    openvpn_password: ENC[AES256_GCM,data:H9ke5qGzQJscqg==,iv:Q2oasgApVfCOKBF4C6mQ/XPtHY0yfoBJfGVLUgWY4yY=,tag:OJP1ER1QiJyZmhkHLuXwuQ==,type:str]
@ -48,8 +55,8 @@ homarr:
    oidc_client_secret: ENC[AES256_GCM,data:ykaMgcS1x/sMFPmi9vF8RdS7Dj8tTpNFybqwJ5MkK3OCIqYt5FtY8si7ZbKC4IMquOA4w3fWpHdygvFJwJOyNNvznWuasR1afhaAHIHb85J41GWCpMLWWZub+NUuU2pSudvUYk9LeDUBTKwtfHgr4DUzoQeBocG0httGFKBAXbo=,iv:vThB7ZCgEB5yQoiOYhDcHiGm0lYXy1LCJWunH5HwFq0=,tag:68jkMBnCc2e3bKWR/Hnnww==,type:str]
    oidc_client_id: ENC[AES256_GCM,data:2KxgJ7rFNru7rf8P9v/LOcA7TjH2ZFerc4PBmetrkB7hre9fHTa+TQ==,iv:9k0YuPNzEjTTBN0l/oyT5mtZKLCGWZ7ZJpE8g2SBu3E=,tag:C/hzffeOVgke1SQZHPjyrA==,type:str]
 minio:
-    root_user: ENC[AES256_GCM,data:Q5yRACtvoQ==,iv:GTLtwwQ5W50w6eDO+PuihNAHWm6xyM9uNa8mbGG3tWI=,tag:O3MUlh2d8iuFTPRq1PvTWw==,type:str]
-    root_password: ENC[AES256_GCM,data:0//dfGYkV80=,iv:h1b0R2QRpN/RI9kUBU0fiKLOI3PUYmisa7RH1ibSF4c=,tag:ln1cv5LQpb76vK5+eTvSuA==,type:str]
+    root_user: ENC[AES256_GCM,data:TDPfYVjLuwKdxx+8,iv:+nC7QxReua0R2vjraHWO4PpZFTZiktMI8yb73IblIMM=,tag:MAdHRU4pzptcvps+Sgd8Rw==,type:str]
+    root_password: ENC[AES256_GCM,data:Rbhf9f3JCS2Eg8XxGXmora0/NWhFKkGfG0+xQYKLig==,iv:DitbfGdSSz+iKU9szEhbWIDu/Umy6w+Q9dIJJJM0zLc=,tag:yulptZij/hiteoN4Anre5g==,type:str]
 diun:
    ntfy_access_token: ENC[AES256_GCM,data:37UYgaMlmpoMW74LqtxkuMqGQmCvLpVdJAgEmVxSULY=,iv:tZPlfIgo1vWvMPlQzCBPXj5xYDiTWJOsVwkxBjGNMDk=,tag:882g2UxFfg5VSKqAtEMk2Q==,type:str]
 crowdsec:
@ -69,6 +76,22 @@ wiki:
    db_name: ENC[AES256_GCM,data:Ns7vKJxeTw==,iv:GREMMRicS+1n/uk+KOeplqHn/ZdjjOjQ4d0qV5FICy8=,tag:CSeDTNjBiJ4G2VnytpNXiw==,type:str]
 signal:
    vapid_privkey: ENC[AES256_GCM,data:OaB+1baDLCXd7kqfQWwX8yBoqARuHFYWmtsiQ/ku8Om6ZKZkuoGVJP1FuQ==,iv:iQkYrRl3+pVzN6bjz1MPo+7prFJRHGkxHr5BjjDlFuM=,tag:vCMo14LZvVjCtJ4vGH0DOA==,type:str]
+    allowed_uuids: ENC[AES256_GCM,data:k+V3O/rcLzpyXMPy+eEPXgf/3fEOChzIFoc7ZZ0f7dqvEdVL71fbJyhm,iv:vbulQ50GiMYMrIQy1oKuekZNuqTxo/BV+qnrKYkYAfY=,tag:Vn2Y4EabCKC1iPnkIQab0w==,type:str]
+homeassistant:
+    influxdb_username: ENC[AES256_GCM,data:gWqvRLXCf23NTDzP/w==,iv:R/u6SjZqe7+ydeOPb1ggBpnrBHDvfPgbGxzUOHDg5fA=,tag:GxUpwoTIqFoHEgXu2tticg==,type:str]
+    influxdb_password: ENC[AES256_GCM,data:rwPC3buCszAIpQErwWwOhalh/Jg8Y5KO99Dfa1GTZy0=,iv:3RAaAhbppLEEUnMy7IrzOPol71Eps9dbysgFLtAkwnw=,tag:3YzfY8tcQvwnedQScMYz7A==,type:str]
+    influxdb_org: ENC[AES256_GCM,data:3qm1FuGs12cQdkY92A==,iv:uo2DUGqTtozZCKP43cY0TkWLHPi8fUHSWorgzThZ+D4=,tag:OkVHfIZla7uB1Dpc27lwdg==,type:str]
+    influxdb_bucket: ENC[AES256_GCM,data:qMuqM5HlnhaMPE185A==,iv:6gzdPI+iD1t2I/+wT7Z2i0MHtU418R95yvEyZdoHBs8=,tag:4n6F2PaxtRes+QuTmSuZVg==,type:str]
+recipes:
+    db_user: ENC[AES256_GCM,data:WeCe0reQSYk1,iv:03Fk5lyJIakTkcBfvg0wjEgS4wktwFm2WJKQa7o78vM=,tag:e2/skxRzmqHeqyPZH7mVTw==,type:str]
+    db_password: ENC[AES256_GCM,data:B7Oksjd8em2uqjPFt+OfgNJO6Eienh2b7hhgzHqRCng=,iv:d3aiiO3qaSipOpWTtpm7TxgcZASPilKH48blXpJGqxQ=,tag:wZWnOwg2//LLKrDvbgP08A==,type:str]
+    db_name: ENC[AES256_GCM,data:BB7GILZr,iv:ULBpNEN8DBFn/dftAeUOdHzCw3iZFzvuhf8mdVl9Ua4=,tag:qxdBcniQJZGd1kNykvUcXw==,type:str]
+    mealie_oidc_client_id: ENC[AES256_GCM,data:CruSaCLS2uR+621D63k4duyCnPHw0B5STu56jEpL5Zlyj7We0W5Fdw==,iv:4g3D8cJ0KPbresSEu6SWTU78ihH6HD8rT8QGli5U+zs=,tag:IzKHjYr1vFnNQp20UstN/g==,type:str]
+    mealie_oidc_client_secret: ENC[AES256_GCM,data:+s0eW3pHtHCvqG7Bg0hFaStPz84ZMEh7BY1nAQMaLMSsKmJ/lt17M1yb+zZy4ZrerMxYcSpurWG1uy3kuG+54QYWqg7x8VnAI7PLMFsNQJBqxLLMumspoLS1VuT9NyHXYsYywwUllHupTBEx+STg29TXsp4sNQr9gEXv44A4Srw=,iv:jsWhTib2MThCsff4+kgPbe5wN51hQF/72iVJaD04byE=,tag:EKfWPDstdKsnV2fzDOdB6g==,type:str]
+piped:
+    db_user: ENC[AES256_GCM,data:a2dWdck=,iv:+vXnc2YxsktGHY999dUVPl1VoD0vMI9YJm8eex28jp0=,tag:iX2sLcGSrOzcuqkm9hneNw==,type:str]
+    db_password: ENC[AES256_GCM,data:pDEa9xvfkq96HRYDOg==,iv:lkzKS1icIPN2edKj+GxyuvXWDk0DH9keyG0BTliB1vw=,tag:bbJU0LL7fyvLs8ZzJ/70Bg==,type:str]
+    db_name: ENC[AES256_GCM,data:V8YMpJp0z5aqWCvlwVF6UyDQ1vkQJ+WNL2PzVmRNdCA=,iv:hlJvArNHTxfX9z5z4c1thqo21xLhLljjvtCCyKi3cQQ=,tag:7y1TurJl6V/p47AcvnAteQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -84,8 +107,8 @@ sops:
            VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
            EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-18T20:43:51Z"
-    mac: ENC[AES256_GCM,data:RSaqAh5OpOK6WjJSLzi4uUSGdGphTuz8skfqY3YEb9woVNFUKgYMurISuvCTBz99qcXSZGBmbL7Ppu+cEJQGCRz6Vmtu+mql5FbP/iyEOJALMN6VuK6l84WFzzEnWnNrN49B/+aTwtwJ01DDwy6Ze9RqekEAyLjYoyc/C94TwN4=,iv:kGtHqjZNal2t6GxYAvIRVnjI2VFrMAC3K5W62Slqmnw=,tag:paPQz3LRVfizIX3YXH9uCQ==,type:str]
+    lastmodified: "2025-03-10T17:34:11Z"
+    mac: ENC[AES256_GCM,data:9KNHoGxYUpWkNrVlkIfuQUyMraBF6mWqwflLxGegC88hMwgJ0vcf70PFQ1Q3c6qAwzGskk5UnvpIRtT7LANulnu35P7a83wZzq51cnp1g1V+62XBac26l1MSz3m0PXAuY172XxljDkDbvfCaDASFhAWR+F/G/rtfbr16Lnv8GJM=,iv:1b1ccaGkUNLoQaj6UTg7FR1eOg0MO1dWkg/TYN3OeG8=,tag:JpgglIKlnTgmdgCHpPr9OA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4
Author	SHA1	Message	Date
GHOSCHT	3a0c029419	Arion: Add homeassistant grafana integration	2025-03-10 21:33:20 +01:00
GHOSCHT	9a9a1f947d	Arion: Limit mollysocket to specific UUIDs	2025-03-10 21:33:11 +01:00
GHOSCHT	bb038e237d	fixup! Arion: Enable autobrr oidc	2025-03-10 21:32:59 +01:00
GHOSCHT	92643a8990	fixup! Arion: Add homepage	2025-03-10 21:32:59 +01:00
GHOSCHT	db64b8d2fb	Arion: Add recipes	2025-03-10 21:32:41 +01:00
GHOSCHT	f5f9de6142	Arion: Add piped	2025-03-10 21:32:41 +01:00
GHOSCHT	abf44af6f0	Arion: Enable autobrr oidc	2025-03-10 21:24:24 +01:00
GHOSCHT	d84760a2c8	Arion: Add homepage	2025-03-10 21:24:07 +01:00
GHOSCHT	9656b617d3	Arion: Bump dns	2025-03-10 21:23:34 +01:00