Enable autostart for newly added stacks

don't know how that happend, but it did...

hosts/franz/arion/default.nix

@@ -11,6 +11,9 @@
     ./nas
     ./nextcloud
     ./push
+    ./git
+    ./passwords
+    ./media
   ];
 
   environment.systemPackages = with pkgs; [arion];

hosts/franz/arion/git/arion-compose.nix

@@ -0,0 +1,59 @@
+{pkgs, ...}: {
+  project.name = "git";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  networks.transport = {};
+
+  services = {
+    forgejo.service = {
+      image = "codeberg.org/forgejo/forgejo:1.21.6-0";
+      container_name = "forgejo";
+      useHostStore = true;
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.forgejo.entrypoints" = "websecure";
+        "traefik.http.routers.forgejo.rule" = "Host(`git.ghoscht.com`)";
+        "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.forgejo.tls" = "true";
+        "traefik.http.routers.forgejo.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/git/forgejo_data:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      ports = [
+        "2222:22"
+      ];
+      environment = {
+        USER_UID = 1000;
+        USER_GID = 1000;
+        GITEA__database__DB_TYPE = "postgres";
+        GITEA__database__HOST = "db:5432";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/git/forgejo.env"
+      ];
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    db.service = {
+      image = "postgres:15.3-bullseye";
+      env_file = [
+        "/home/ghoscht/.docker/git/forgejo-db.env"
+      ];
+      volumes = ["/home/ghoscht/.docker/git/forgejo_db:/var/lib/postgresql/data"];
+      restart = "unless-stopped";
+      networks = [
+        "transport"
+      ];
+    };
+  };
+}

hosts/franz/arion/git/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/git/default.nix

@@ -0,0 +1,41 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.git.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."forgejo/db_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."forgejo/db_user" = {
+    owner = vars.user;
+  };
+  sops.secrets."forgejo/db_database" = {
+    owner = vars.user;
+  };
+
+  sops.templates."forgejo.env" = {
+    path = "/home/${vars.user}/.docker/git/forgejo.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      GITEA__database__NAME="${config.sops.placeholder."forgejo/db_database"}"
+      GITEA__database__USER="${config.sops.placeholder."forgejo/db_user"}"
+      GITEA__database__PASSWD="${config.sops.placeholder."forgejo/db_password"}"
+    '';
+  };
+
+  sops.templates."forgejo-db.env" = {
+    path = "/home/${vars.user}/.docker/git/forgejo-db.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      POSTGRES_DB="${config.sops.placeholder."forgejo/db_database"}"
+      POSTGRES_USER="${config.sops.placeholder."forgejo/db_user"}"
+      POSTGRES_PASSWORD="${config.sops.placeholder."forgejo/db_password"}"
+    '';
+  };
+}

hosts/franz/arion/media/arion-compose.nix

@@ -0,0 +1,381 @@
+{pkgs, ...}: {
+  project.name = "media";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  docker-compose.volumes = {
+    jellyfin_cache = null;
+  };
+
+  services = {
+    jellyfin.service = {
+      image = "jellyfin/jellyfin:latest";
+      container_name = "jellyfin";
+      ports = [
+        "8096:8096"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.jellyfin.entrypoints" = "websecure";
+        "traefik.http.routers.jellyfin.rule" = "Host(`jellyfin.ghoscht.com`)";
+        "traefik.http.services.jellyfin.loadbalancer.server.port" = "8096";
+        "traefik.http.services.jellyfin.loadbalancer.passHostHeader" = "true";
+        "traefik.http.routers.jellyfin.tls" = "true";
+        "traefik.http.routers.jellyfin.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "jellyfin_cache:/cache"
+        "/home/ghoscht/.docker/media/jellyfin_data:/config"
+        "/home/ghoscht/.docker/media/data/tv:/tv"
+        "/home/ghoscht/.docker/media/data/anime:/anime"
+        "/home/ghoscht/.docker/media/data/movies:/movies"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+    navidrome.service = {
+      image = "deluan/navidrome:latest";
+      container_name = "navidrome";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.navidrome.entrypoints" = "websecure";
+        "traefik.http.routers.navidrome.rule" = "Host(`navidrome.ghoscht.com`)";
+        "traefik.http.services.navidrome.loadbalancer.server.port" = "4533";
+        "traefik.http.routers.navidrome.tls" = "true";
+        "traefik.http.routers.navidrome.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/navidrome_data:/data"
+        "/home/ghoscht/.docker/media/data/music:/music"
+      ];
+      environment = {
+        ND_SESSIONTIMEOUT = "336h";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/media/navidrome.env"
+      ];
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+    vpn.service = {
+      image = "haugene/transmission-openvpn";
+      container_name = "transmission";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.transmission.entrypoints" = "websecure";
+        "traefik.http.routers.transmission.rule" = "Host(`transmission.ghoscht.com`)";
+        "traefik.http.services.transmission.loadbalancer.server.port" = "9091";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.transmission.tls" = "true";
+        "traefik.http.routers.transmission.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/transmission_data:/config"
+        "/home/ghoscht/.docker/media/data:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+        OPENVPN_PROVIDER = "WINDSCRIBE";
+        OPENVPN_CONFIG = "Vienna-Hofburg-udp";
+        OVPN_PROTOCOL = "udp";
+        OPENVPN_OPTS = "--pull-filter ignore ping --ping 10 --ping-restart 120";
+        LOCAL_NETWORK = "192.168.0.0/16";
+        TRANSMISSION_DOWNLOAD_DIR = "/data/torrents";
+        TRANSMISSION_INCOMPLETE_DIR = "/data/torrents/incomplete";
+        TRANSMISSION_WEB_UI = "flood-for-transmission";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/media/windscribe.env"
+      ];
+      capabilities = {
+        NET_ADMIN = true;
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+    prowlarr.service = {
+      image = "linuxserver/prowlarr:latest";
+      container_name = "prowlarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.prowlarr.entrypoints" = "websecure";
+        "traefik.http.routers.prowlarr.rule" = "Host(`prowlarr.ghoscht.com`)";
+        "traefik.http.services.prowlarr.loadbalancer.server.port" = "9696";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.prowlarr.tls" = "true";
+        "traefik.http.routers.prowlarr.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/prowlarr_data:/config"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+      };
+      restart = "always";
+    };
+    sonarr.service = {
+      image = "linuxserver/sonarr:latest";
+      container_name = "sonarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.sonarr.entrypoints" = "websecure";
+        "traefik.http.routers.sonarr.rule" = "Host(`sonarr.ghoscht.com`)";
+        "traefik.http.services.sonarr.loadbalancer.server.port" = "8989";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.sonarr.tls" = "true";
+        "traefik.http.routers.sonarr.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/sonarr_data:/config"
+        "/home/ghoscht/.docker/media/data:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    radarr.service = {
+      image = "linuxserver/radarr:latest";
+      container_name = "radarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.radarr.entrypoints" = "websecure";
+        "traefik.http.routers.radarr.rule" = "Host(`radarr.ghoscht.com`)";
+        "traefik.http.services.radarr.loadbalancer.server.port" = "7878";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.radarr.tls" = "true";
+        "traefik.http.routers.radarr.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/radarr_data:/config"
+        "/home/ghoscht/.docker/media/data:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    lidarr.service = {
+      image = "linuxserver/lidarr:latest";
+      container_name = "lidarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.lidarr.entrypoints" = "websecure";
+        "traefik.http.routers.lidarr.rule" = "Host(`lidarr.ghoscht.com`)";
+        "traefik.http.services.lidarr.loadbalancer.server.port" = "8686";
+        "traefik.http.routers.lidarr.service" = "lidarr";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.lidarr.tls" = "true";
+        "traefik.http.routers.lidarr.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/lidarr_data:/config"
+        "/home/ghoscht/.docker/media/data:/data"
+        "/home/ghoscht/.docker/media/lidarr_addons/custom-services.d:/custom-services.d"
+        "/home/ghoscht/.docker/media/lidarr_addons/custom-cont-init.d:/custom-cont-init.d"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    bazarr.service = {
+      image = "hotio/bazarr:latest";
+      container_name = "bazarr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.bazarr.entrypoints" = "websecure";
+        "traefik.http.routers.bazarr.rule" = "Host(`bazarr.ghoscht.com`)";
+        "traefik.http.services.bazarr.loadbalancer.server.port" = "6767";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.bazarr.tls" = "true";
+        "traefik.http.routers.bazarr.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/bazarr_data:/config"
+        "/home/ghoscht/.docker/media/data:/data"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      networks = ["dmz"];
+      restart = "always";
+    };
+    jellyseerr.service = {
+      image = "fallenbagel/jellyseerr:latest";
+      container_name = "jellyseerr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.jellyseerr.entrypoints" = "websecure";
+        "traefik.http.routers.jellyseerr.rule" = "Host(`jellyseerr.ghoscht.com`)";
+        "traefik.http.services.jellyseerr.loadbalancer.server.port" = "5055";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.jellyseerr.tls" = "true";
+        "traefik.http.routers.jellyseerr.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/jellyseerr_data:/app/config"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      networks = ["dmz"];
+      restart = "always";
+    };
+    autobrr.service = {
+      image = "ghcr.io/autobrr/autobrr:latest";
+      container_name = "autobrr";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.autobrr.entrypoints" = "websecure";
+        "traefik.http.routers.autobrr.rule" = "Host(`autobrr.ghoscht.com`)";
+        "traefik.http.services.autobrr.loadbalancer.server.port" = "7474";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.autobrr.tls" = "true";
+        "traefik.http.routers.autobrr.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/jellyseerr_data:/app/config"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+        sonarr = {condition = "service_started";};
+        radarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+    deemix.service = {
+      image = "finniedj/deemix";
+      container_name = "deemix";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.deemix.entrypoints" = "websecure";
+        "traefik.http.routers.deemix.rule" = "Host(`deemix.ghoscht.com`)";
+        "traefik.http.services.deemix.loadbalancer.server.port" = "6595";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.deemix.tls" = "true";
+        "traefik.http.routers.deemix.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/media/jellyseerr_data:/app/config"
+      ];
+      environment = {
+        PUID = 1000;
+        PGID = 1000;
+        UMASK_SET = 022;
+        TZ = "Europe/Berlin";
+      };
+      network_mode = "service:vpn";
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+      };
+      restart = "always";
+    };
+    unpackerr.service = {
+      image = "golift/unpackerr";
+      container_name = "unpackerr";
+      volumes = [
+        "/home/ghoscht/.docker/media/data:/data"
+      ];
+      user = "1000:1000";
+      env_file = [
+        "/home/ghoscht/.docker/media/unpackerr.env"
+      ];
+      environment = {
+        TZ = "Europe/Berlin";
+        # General config
+        UN_DEBUG = "false";
+        UN_INTERVAL = "2m";
+        UN_START_DELAY = "1m";
+        UN_RETRY_DELAY = "5m";
+        UN_MAX_RETRIES = 3;
+        UN_PARALLEL = 1;
+        UN_FILE_MODE = 0644;
+        UN_DIR_MODE = 0755;
+        # Sonarr Config
+        UN_SONARR_0_URL = "http://transmission:8989";
+        UN_SONARR_0_PATHS_0 = "/data/torrents/tv";
+        UN_SONARR_0_PROTOCOLS = "torrent";
+        UN_SONARR_0_TIMEOUT = "10s";
+        UN_SONARR_0_DELETE_ORIG = "false";
+        UN_SONARR_0_DELETE_DELAY = "5m";
+        # Radarr Config
+        UN_RADARR_0_URL = "http://transmission:7878";
+        UN_RADARR_0_PATHS_0 = "/data/torrents/movies";
+        UN_RADARR_0_PROTOCOLS = "torrent";
+        UN_RADARR_0_TIMEOUT = "10s";
+        UN_RADARR_0_DELETE_ORIG = "false";
+        UN_RADARR_0_DELETE_DELAY = "5m";
+        # Lidarr Config
+        UN_LIDARR_0_URL = "http://transmission:8686";
+        UN_LIDARR_0_PATHS_0 = "/data/torrents/music";
+        UN_LIDARR_0_PROTOCOLS = "torrent";
+        UN_LIDARR_0_TIMEOUT = "10s";
+        UN_LIDARR_0_DELETE_ORIG = "false";
+        UN_LIDARR_0_DELETE_DELAY = "5m";
+      };
+      networks = ["dmz"];
+      depends_on = {
+        vpn = {condition = "service_healthy";};
+        prowlarr = {condition = "service_started";};
+        sonarr = {condition = "service_started";};
+        radarr = {condition = "service_started";};
+      };
+      restart = "always";
+    };
+  };
+}

hosts/franz/arion/media/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/media/default.nix

@@ -0,0 +1,73 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.media.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."navidrome/spotify_id" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."navidrome/spotify_secret" = {
+    owner = vars.user;
+  };
+  sops.secrets."navidrome/lastfm_api_key" = {
+    owner = vars.user;
+  };
+  sops.secrets."navidrome/lastfm_api_secret" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."windscribe/openvpn_username" = {
+    owner = vars.user;
+  };
+  sops.secrets."windscribe/openvpn_password" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."unpackerr/sonarr_api_key" = {
+    owner = vars.user;
+  };
+  sops.secrets."unpackerr/radarr_api_key" = {
+    owner = vars.user;
+  };
+  sops.secrets."unpackerr/lidarr_api_key" = {
+    owner = vars.user;
+  };
+
+  sops.templates."navidrome.env" = {
+    path = "/home/${vars.user}/.docker/media/navidrome.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      ND_SPOTIFY_ID="${config.sops.placeholder."navidrome/spotify_id"}"
+      ND_SPOTIFY_SECRET="${config.sops.placeholder."navidrome/spotify_secret"}"
+      ND_LASTFM_APIKEY="${config.sops.placeholder."navidrome/lastfm_api_key"}"
+      ND_LASTFM_SECRET="${config.sops.placeholder."navidrome/lastfm_api_secret"}"
+    '';
+  };
+
+  sops.templates."windscribe.env" = {
+    path = "/home/${vars.user}/.docker/media/windscribe.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      OPENVPN_USERNAME="${config.sops.placeholder."windscribe/openvpn_username"}"
+      OPENVPN_PASSWORD="${config.sops.placeholder."windscribe/openvpn_password"}"
+    '';
+  };
+
+  sops.templates."unpackerr.env" = {
+    path = "/home/${vars.user}/.docker/media/unpackerr.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      UN_SONARR_0_API_KEY="${config.sops.placeholder."unpackerr/sonarr_api_key"}"
+      UN_RADARR_0_API_KEY="${config.sops.placeholder."unpackerr/lidarr_api_key"}"
+      UN_LIDARR_0_API_KEY="${config.sops.placeholder."unpackerr/radarr_api_key"}"
+    '';
+  };
+}

hosts/franz/arion/passwords/arion-compose.nix

@@ -0,0 +1,32 @@
+{pkgs, ...}: {
+  project.name = "passwords";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    vaultwarden.service = {
+      image = "vaultwarden/server:latest";
+      container_name = "vaultwarden";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
+        "traefik.http.routers.vaultwarden.rule" = "Host(`vaultwarden.ghoscht.com`)";
+        "traefik.http.routers.vaultwarden.tls" = "true";
+        "traefik.http.routers.vaultwarden.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/infrastructure/vaultwarden_data/:/data"
+      ];
+      environment = {
+        DOMAIN = "http://vaultwarden.ghoscht.com";
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/passwords/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/passwords/default.nix

@@ -0,0 +1,8 @@
+{config, ...}: let
+in {
+  virtualisation.arion = {
+    projects.password.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}

hosts/franz/arion/signal/arion-compose.nix

@@ -0,0 +1,44 @@
+{pkgs, ...}: {
+  project.name = "signal";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    mollysocket.service = {
+      image = "ghcr.io/mollyim/mollysocket:latest";
+      container_name = "mollysocket";
+      useHostStore = true;
+      ports = [
+        "8020:8020"
+      ];
+      command = "server";
+      working_dir = "/data";
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.mollysocket.rule" = "Host(`signal.ghoscht.com`)";
+        "traefik.http.routers.mollysocket.entrypoints" = "websecure";
+        "traefik.http.services.mollysocket.loadbalancer.server.port" = "8020";
+        "traefik.http.routers.mollysocket.tls" = "true";
+        "traefik.http.routers.mollysocket.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/signal/mollysocket_data:/data"
+      ];
+      environment = {
+        MOLLY_DB = "/data/mollysocket.db";
+        MOLLY_ALLOWED_ENDPOINTS = "['https://push.ghoscht.com','*]";
+        MOLLY_ALLOWED_UUIDS = "['*']";
+        MOLLY_HOST = "0.0.0.0";
+        MOLLY_PORT = 8020;
+        RUST_LOG = "info";
+      };
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}

hosts/franz/arion/signal/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

hosts/franz/arion/signal/default.nix

@@ -0,0 +1,7 @@
+{config, ...}: {
+  virtualisation.arion = {
+    projects.infrastructure.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}

hosts/franz/arion/volman/arion-compose.nix

@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+  project.name = "volman";
+
+  docker-compose.volumes = {};
+
+  services = {
+    volman.service = {
+      image = "ubuntu";
+      container_name = "volman";
+      useHostStore = true;
+      command = "sleep infinity";
+      volumes = [
+      ];
+    };
+  };
+}

hosts/franz/arion/volman/arion-pkgs.nix

@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}

rsc/docker/franz/git/forgejo_data/gitea/conf/app.ini

@@ -0,0 +1,62 @@
+APP_NAME = Forgejo: Beyond coding. We forge.
+RUN_MODE = prod
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = localhost
+SSH_DOMAIN = localhost
+HTTP_PORT = 3000
+ROOT_URL = 
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = false
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = postgres
+HOST = db:5432
+NAME = gitea
+USER = gitea
+PASSWD = gitea
+LOG_SQL = false
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = false
+SECRET_KEY = 
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+
+[lfs]
+PATH = /data/git/lfs

secrets/franz.yaml

@@ -7,8 +7,24 @@ traefik:
 nextcloud:
     mysql_root_password: ENC[AES256_GCM,data:bCghTvvQ8eR76g1tTbtOE/MB8UcnVUsn5ooQ9+tKdB8=,iv:tmopYWAIVHNVcYYOWJy2uedP38nM5WR5nzD7pjD9w0Y=,tag:E8VIkOu2bWHxq94w7YyC2Q==,type:str]
     mysql_password: ENC[AES256_GCM,data:g+xf2rbj1HMMF0vLoXHlvrX2ct9/OXCystt42cdkodk=,iv:6Q7JAWR8WMmSKo21k+zmqGcSEnpTOoO38G66UMHc5qM=,tag:LQHHAH69EFk0v5LVBznjzA==,type:str]
-    mysql_database: ENC[AES256_GCM,data:2OP4bt4Tq09q,iv:l6k5lW0PsfciPv3uhVjxrILZ7hNGKQNPtF2QSmtlym0=,tag:HXYilVMhngdeMP1qQWDGBg==,type:str]
     mysql_user: ENC[AES256_GCM,data:AixE7ec9SjO4,iv:cnxCAt+MAr0BXixkqH77JC5kjb7p1vKZlD5hkemtKvE=,tag:/m8TBXht6RuB5QE4MFRUBA==,type:str]
+    mysql_database: ENC[AES256_GCM,data:2OP4bt4Tq09q,iv:l6k5lW0PsfciPv3uhVjxrILZ7hNGKQNPtF2QSmtlym0=,tag:HXYilVMhngdeMP1qQWDGBg==,type:str]
+forgejo:
+    db_password: ENC[AES256_GCM,data:1lpmX58=,iv:9TehYmpS3RQc0WsKVR4Tx36utL2e6avbc7BlK0+B178=,tag:xHRv+WJUch3jmRIWghjnPg==,type:str]
+    db_user: ENC[AES256_GCM,data:rYxa8nU=,iv:Lijug8gqMTnMG9WQsivyrO/IbgrAyWfG7IQ99x1Q5gA=,tag:OipZUyZiMh4PLbo7KJAksQ==,type:str]
+    db_database: ENC[AES256_GCM,data:br/OvQA=,iv:g2krpkX1XXXhT4FgzbeXp/MgcpHayndtBv+8dpmp03M=,tag:z5h/TSBXViFr3lNN15XFAA==,type:str]
+navidrome:
+    spotify_id: ENC[AES256_GCM,data:yTNp25CHtnFkvXhbvduVzkmenT3TjkpWR0ZhSTKOiAs=,iv:cuewBT/XfneiHUjlFCV0O/nzXHoEVO/JyfgqRACreEc=,tag:TOZ+GDqZ2SkibKhEhIcX7w==,type:str]
+    spotify_secret: ENC[AES256_GCM,data:sHYYHDgW0nNP7vCk0qOZdLOyetG4XbK7NaxYSt4kr68=,iv:p0+wW287UteJfJaiajX9/XOEkkm957Rs46hYaml6Of4=,tag:SsEyVYdPpO/yv9vF7Dj+HA==,type:str]
+    lastfm_api_key: ENC[AES256_GCM,data:Jk9zSyoq47p49v901nc70ERsb0LqTryb9QkTEQCmSPs=,iv:SUeoRcFY5ReTfeay8ubCMSaHMk/OQh6Z3wWJ7kEsrVs=,tag:9BAcx3f9rgGn+vsdlGtgiA==,type:str]
+    lastfm_api_secret: ENC[AES256_GCM,data:yI3OhYtrDBk4HKst1glPgVaUxcL+PsxW5Na9gnOBpa0=,iv:PJ3ryZMzZuilI2kI74LQ0z48vEwMvtl+AEm2kRTLJeg=,tag:fUHzpiIpTK3PMlEbCP15Fw==,type:str]
+windscribe:
+    openvpn_username: ENC[AES256_GCM,data:IoohrQdi3sh2M0ozweR30g==,iv:2kRhmQncEQV/TRYBRf4rY5OdCw0zsiOB12KdNfaQtME=,tag:gb1deA0DFa8fEg3HTmCYhQ==,type:str]
+    openvpn_password: ENC[AES256_GCM,data:H9ke5qGzQJscqg==,iv:Q2oasgApVfCOKBF4C6mQ/XPtHY0yfoBJfGVLUgWY4yY=,tag:OJP1ER1QiJyZmhkHLuXwuQ==,type:str]
+unpackerr:
+    sonarr_api_key: ENC[AES256_GCM,data:iENKLrYT7xbRrFAxN58VItZWhGfWjX1Nbu8zpFWA2ZI=,iv:WGFPGGoCvT993t9ROg1cRVPg8+qlDE92VpKfm9PNfpo=,tag:KBMggYqcUEhTg7yVaytysg==,type:str]
+    radarr_api_key: ENC[AES256_GCM,data:zFMPIFc682n0wj/UOI6BUag2wVVys3EXCcYNqatExJA=,iv:NwRUIHolFyw9P0iiNrgm6EV+GAp5sSLho1NEwv5DaHw=,tag:TpapILDy8Oad5XzudcXaeQ==,type:str]
+    lidarr_api_key: ENC[AES256_GCM,data:WZzb/Is7qdIq9qPEYt0FFXSucUx3qCv/isWwUyxDrB0=,iv:k0CFPUU4UmTmW0R/5sWgptbsfdLlglKze3EAyNi6t1E=,tag:aXUZd43krL9qKvs1uvJ4AA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +40,8 @@ sops:
             VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
             EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-03T19:42:11Z"
+    lastmodified: "2024-03-06T15:02:59Z"
-    mac: ENC[AES256_GCM,data:jMTVK6KR/qbOg1K8TyS4hKHcp0byv/KJSpvbg9y2c3skKNRDHwvb62xtSQHHDFtzqoegmLtxycqW29EneXeHrqwbxM2i/O1jdqacybnieIAVPixG6nN/onZ9f1Pqoc7TpX5Mgw5Fj6qxJUfT3u+susz31BsE1U4Za/+mimfZHdQ=,iv:JmM+hRclxgvIz80PM9zYLZ3NsIBOTkO4ItusgZzHjmE=,tag:cTpl5atAqz5yGDaKpkk3AQ==,type:str]
+    mac: ENC[AES256_GCM,data:jWfGV2lKFoDEX+1OUzbnzYE0zqzh6+GX/X9IsZ1igg6xMW7T1sfQwKrRBHUnRO6HTDd9ppcIsRkZo/tL76mmLRiOlMrsoWD8quzkSjJrW6whxQn0acyqVhIw3KZmmet8+ICV4lIuI006zr3vffPVkDAizhrl3jXnuLBO+8yADHs=,iv:cxozu5kuLU1wXWiu0RfxYJgYUkoMyEUSmfHXrrfCMhc=,tag:rUbr/h3FKmil6zRBSG4RSw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1