From b1528ae3a3d3f32a1d1f9b5fde236a414fd565ca Mon Sep 17 00:00:00 2001
From: Igor Rzegocki
Date: Sun, 27 Oct 2024 14:31:14 +0100
Subject: [PATCH] feat: add firefly-iii
---
 machines/deedee/configuration.nix | 1 +
 machines/deedee/secrets.sops.yaml | 10 +-
 modules/system/containers/default.nix | 1 +
 .../system/containers/firefly-iii/default.nix | 121 ++++++++++++++++++
 4 files changed, 131 insertions(+), 2 deletions(-)
 create mode 100644 modules/system/containers/firefly-iii/default.nix
diff --git a/machines/deedee/configuration.nix b/machines/deedee/configuration.nix
index efc3997..2b3bc74 100644
--- a/machines/deedee/configuration.nix
+++ b/machines/deedee/configuration.nix
@@ -144,6 +144,7 @@ _: rec {
 authelia.enable = true;
 coredns.enable = true;
 firefoxsync.enable = true;
+ firefly-iii.enable = true;
 lldap.enable = true;
 maddy.enable = true;
 paperless-ngx.enable = true;
diff --git a/machines/deedee/secrets.sops.yaml b/machines/deedee/secrets.sops.yaml
index b180b84..f11b0ee 100644
--- a/machines/deedee/secrets.sops.yaml
+++ b/machines/deedee/secrets.sops.yaml
@@ -24,6 +24,12 @@ system: AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:VpfpyvLT9GD7j9opJBRGoClYkW0msX+VmkZcRIX36vbyl7b2Xnc9mHNOcQBFQKbmzMXvpOigcE4dkAS0Sje4lQ==,iv:biHN12Qf4DaLtylUqBThfXUAvdnzzCYmiJAdk7Eyd3w=,tag:JpP4OXejR6SZGxrrHIyOng==,type:str] AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:zbNkm26j8sLViarc5jFnKGolqGQZGkzYVjMtuxokJNVtBXOw1kL8d0hTmyZBCmIqxqe7AUwIGAE6zBB/TjRz6g==,iv:jBiyA5F5KuBRvk9zdstrqLTWjQJMgx7nJPbmfebfnxw=,tag:pXm28S/k7cO23GnSj4RG5w==,type:str] AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:6rFJAxj2e5dod4AlA2g6FoEJiIg8OMlx0i8/mBjvgnGR/DEaeWDQ5w==,iv:FGIwOjV2IiIxOTRzuEvmijIh+pLp3Aoxo8s7CLq9ky4=,tag:pXQHHHUWGQUAghxfuW3AXA==,type:str] + firefly-iii: + env: + APP_KEY: ENC[AES256_GCM,data:ks/31NYsRRo9SrEbRfeQhUxn9pRfvXYExhUY9y84TXA=,iv:vn8R/bJU2PFbQjOsKNRerj3uNAynjwInalWGCYjGVI0=,tag:ME3XtRW7EkpgiY/banycsQ==,type:str] + DB_PASSWORD: ENC[AES256_GCM,data:cTjz86AvlhssWmmmF2XpEsisCfAiIZgp6fitnQblYIV9gqh6sndgVg==,iv:hlfQLKkNNkLACazzRMZWqKomsUqH5/hOg1npbJaAayA=,tag:DQ/T364vG1a4rN8c4QC/BA==,type:str] + FIREFLY_III_TOKEN: ENC[AES256_GCM,data:yr+s0fvzYY+Rrx8HKbPYgOiYjeafLP9M+ohEse1CVfM=,iv:uNhTHVgNXB0kuiBZowNc7PA2iKtjqooFj6wFgEuoyKI=,tag:f0dXyaXPzOKLWTu/T/nRMw==,type:str] + REDIS_PASSWORD: null firefoxsync: env: FIREFOXSYNC__POSTGRES_PASSWORD: ENC[AES256_GCM,data:JbwOPfE0OrfplFtGrZRTlWn7z5/YA9jKH22waNIGUduHnxFfut6gWA==,iv:lex3Z+6bQWTjcQcO89Hj/wndXA13UM+sTLaq0j8Wupc=,tag:sgqbma6rLOkWN5FrwXrMVg==,type:str] 
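Review bot: `REDIS_PASSWORD: null` under firefly-iii.env is not listed in the module's secretEnvs, and the container mounts its Redis password from `config.mySystemApps.redis.passFileSopsSecret` instead, so as far as this patch shows the key is never read. A null value in a sops file also carries no secret, so either drop the key or, if firefly-iii is meant to hold its own copy, give it a real encrypted value and add it to secretEnvs.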
@@ -91,8 +97,8 @@ sops: c3FoaFNzbjJubzlBckdDb2lNOUZtOGMKRbHxa1B3QAdredBMTd7W7g3kRz6l8uyV bBclsA8Gm7p+6ndV39sN+Daqm5MyggY1Prwv/Ukdd5Q+1C+XsEW6OQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-27T10:21:55Z" - mac: ENC[AES256_GCM,data:zF2fxyZ4X8E00xveCuAJQElhPRifbEwPP+VqW3z8DS+UJu55ZT+n8hjdX5LbPqQ/ZIXztgssqUMr5HYv0JZJCNgBsYe5fyKu2mulTAk1C6vItbpc3AkJo5lJakd5mVAlvqvIGN6qaz+oSuzY5UegN8FJZyF4VqDJxYVBEq9xmU0=,iv:T4XlgS83S7wrpH7OHE9ZqIVOzWagF4QYmht7zXXPrYc=,tag:CMlEbbbUgCWurESjENQPSA==,type:str] + lastmodified: "2024-10-27T12:48:55Z" + mac: ENC[AES256_GCM,data:HxVRmEpaNfxJ12R3D2nzLLNZxVMZnk3gL+AsXRSHcT1xnL+XueYS0y16XSPriMFv5XiFE9x5eHluKvnSA8AXMiP1M7K2Y9Goai/TescHRph35My75j7lnOA3bOjYfyJKj5WFYVb3/rdiAbinDSBafCQEtUIFNHH5KvZLB8aK6Cs=,iv:L6iZIEW61LD3MGD0dYypFKqAIioyHQeWxgm8ZOQdCWM=,tag:mCyFL3guwkazD2eNCD+idw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/system/containers/default.nix b/modules/system/containers/default.nix index a089f7f..a04abb0 100644 --- a/modules/system/containers/default.nix +++ b/modules/system/containers/default.nix @@ -2,6 +2,7 @@ _: { imports = [ ./authelia ./coredns + ./firefly-iii ./firefoxsync ./lldap ./maddy diff --git a/modules/system/containers/firefly-iii/default.nix b/modules/system/containers/firefly-iii/default.nix new file mode 100644 index 0000000..42078d6 --- /dev/null +++ b/modules/system/containers/firefly-iii/default.nix 
@@ -0,0 +1,121 @@
+{
+ config,
+ lib,
+ pkgs,
+ svc,
+ ...
+}:
+let
+ cfg = config.mySystemApps.firefly-iii;
+ secretEnvs = [
+ "APP_KEY"
+ "DB_PASSWORD"
+ "FIREFLY_III_TOKEN"
+ ];
+in
+{
+ options.mySystemApps.firefly-iii = {
+ enable = lib.mkEnableOption "firefly-iii container";
+ backup = lib.mkEnableOption "postgresql backup" // {
+ default = true;
+ };
+ sopsSecretPrefix = lib.mkOption {
+ type = lib.types.str;
+ description = "Prefix for sops secret, under which all ENVs will be appended.";
+ default = "system/apps/firefly-iii/env";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ warnings = [ (lib.mkIf (!cfg.backup) "WARNING: Backups for firefly-iii are disabled!") ];
+
+ sops.secrets = svc.mkContainerSecretsSops {
+ inherit (cfg) sopsSecretPrefix;
+ inherit secretEnvs;
+
+ containerName = "firefly-iii";
+ };
+
+ mySystemApps.postgresql.userDatabases = [
+ {
+ username = "firefly";
+ passwordFile = config.sops.secrets."${cfg.sopsSecretPrefix}/DB_PASSWORD".path;
+ databases = [ "firefly" ];
+ }
+ ];
+
+ virtualisation.oci-containers.containers.firefly-iii = svc.mkContainer {
+ cfg = {
+ image = "ghcr.io/deedee-ops/firefly-iii:6.1.21@sha256:c8c7135b7fb2e6dd3d1a065a27246acc0b729f09d87cf7483d39302d6e58585f";
+ environment = {
+ APP_URL = "https://firefly.${config.mySystem.rootDomain}";
+ AUTHENTICATION_GUARD = "remote_user_guard";
+ AUTHENTICATION_GUARD_EMAIL = "HTTP_REMOTE_EMAIL";
+ AUTHENTICATION_GUARD_HEADER = "HTTP_REMOTE_EMAIL";
+ DB_CONNECTION = "pgsql";
+ DB_DATABASE = "firefly";
+ DB_HOST = "host.docker.internal";
+ DB_PORT = "5432";
+ DB_USERNAME = "firefly";
+ MAIL_ENCRYPTION = "null";
+ MAIL_FROM = config.mySystem.notificationSender;
+ MAIL_HOST = "maddy";
+ MAIL_MAILER = "smtp";
+ MAIL_PORT = "25";
+ SEND_TELEMETRY = "false";
+ TRUSTED_PROXIES = "**";
+
+ CACHE_DRIVER = "redis";
+ SESSION_DRIVER = "redis";
+ REDIS_SCHEME = "tcp";
+ REDIS_HOST = "host.docker.internal";
+ REDIS_PORT = "6379";
+ }; # // svc.mkContainerSecretsEnv { inherit secretEnvs; };
+ extraOptions = [
+ "--mount"
+ "type=tmpfs,destination=/config,tmpfs-mode=1777"
+ ];
+ volumes =
+ svc.mkContainerSecretsVolumes {
+ inherit (cfg) sopsSecretPrefix;
+ inherit secretEnvs;
+ }
+ ++ [
+ "${
+ config.sops.secrets."${config.mySystemApps.redis.passFileSopsSecret}".path
+ }:/secrets/REDIS_PASSWORD:ro"
+ ];
+ };
+ };
+
+ services = {
+ nginx.virtualHosts.firefly-iii = svc.mkNginxVHost {
+ host = "firefly";
+ proxyPass = "http://firefly-iii.docker:8080";
+ };
+ postgresqlBackup = lib.mkIf cfg.backup { databases = [ "firefly-iii" ]; };
+ };
+
+ systemd = {
+ services.docker-firefly-iii-cron = {
+ description = "Trigger firefly iii cron.";
+ path = [ (pkgs.curlFull.override { c-aresSupport = true; }) ]; # c-aresSupport enables `--dns-servers` option
+ serviceConfig.Type = "simple";
+ script = ''
+ curl --silent --show-error --fail --dns-servers 127.0.0.1:5533 "http://firefly-iii.docker:8080/api/v1/cron/$(cat ${
+ config.sops.secrets."${cfg.sopsSecretPrefix}/FIREFLY_III_TOKEN".path
+ })"
+ '';
+ };
+
+ timers.docker-firefly-iii-cron = {
+ description = "Firefly III cron timer.";
+ wantedBy = [ "timers.target" ];
+ partOf = [ "docker-firefly-iii-cron.service" ];
+ timerConfig.OnCalendar = "0:00";
+ timerConfig.Persistent = "true";
+ };
+ };
+
+ };
+}
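Review bot: In the services block, `postgresqlBackup = lib.mkIf cfg.backup { databases = [ "firefly-iii" ]; };` names a database this module never creates — the userDatabases entry and DB_DATABASE both use `firefly` — so the scheduled dump will target a non-existent database; change it to `postgresqlBackup = lib.mkIf cfg.backup { databases = [ "firefly" ]; };`. With AUTHENTICATION_GUARD = "remote_user_guard" the HTTP_REMOTE_EMAIL header is the entire login, and TRUSTED_PROXIES = "**" accepts that header from any peer, while the cron unit shows firefly-iii.docker:8080 is reachable from the host without passing through nginx; narrowing TRUSTED_PROXIES to the nginx proxy's address, and confirming that only nginx (presumably injecting the header after Authelia) and the cron job can reach port 8080, keeps header-based login bound to the proxy. The commented-out `# // svc.mkContainerSecretsEnv { inherit secretEnvs; }` leaves it unclear how APP_KEY, DB_PASSWORD and FIREFLY_III_TOKEN reach the application; if the image reads them from the files mkContainerSecretsVolumes mounts, replace the dead code with a comment such as `# secrets are read from the mounted /secrets/<NAME> files, not from the environment`, otherwise the merge has to be restored.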