🏡 my personal home lab
add bambuddy
+55
-8
+1
hosts/rk1-node-2.nix
+1
hosts/rk1-node-2.nix
+28
modules/bambuddy.nix
+28
modules/bambuddy.nix
···
1
+
{ config, ... }:
2
+
{
3
+
virtualisation.oci-containers = {
4
+
backend = "podman";
5
+
containers.bambuddy = {
6
+
image = "ghcr.io/maziggy/bambuddy:latest";
7
+
volumes = [
8
+
"/var/lib/bambuddy/data:/app/data"
9
+
"/var/lib/bambuddy/logs:/app/logs"
10
+
];
11
+
extraOptions = [
12
+
"--network=host"
13
+
"--cap-add=NET_BIND_SERVICE"
14
+
];
15
+
environment = {
16
+
TZ = config.time.timeZone;
17
+
PORT = "8001";
18
+
};
19
+
};
20
+
};
21
+
22
+
systemd.tmpfiles.rules = [
23
+
"d /var/lib/bambuddy/data 0750 root root -"
24
+
"d /var/lib/bambuddy/logs 0750 root root -"
25
+
];
26
+
27
+
networking.firewall.allowedTCPPorts = [ 8001 ];
28
+
}
+10
-5
modules/caddy.nix
+10
-5
modules/caddy.nix
···
1
1
{
2
2
config,
3
3
lib,
4
-
pkgs-stable,
4
+
pkgs,
5
5
...
6
6
}:
7
7
let
···
21
21
22
22
authentication portal ${name}_portal {
23
23
crypto default token lifetime 86400
24
+
crypto key sign-verify {''$${lib.toUpper name}_JWT_SHARED_KEY}
24
25
enable identity provider ${name}
25
26
cookie domain goo.garden
26
27
cookie insecure off
···
49
50
services.caddy = {
50
51
enable = true;
51
52
enableReload = true;
52
-
package = pkgs-stable.caddy.withPlugins {
53
-
plugins = [ "github.com/greenpau/caddy-security@v1.1.50" ];
54
-
hash = "sha256-8iTRB1sHWPwqNY3ds7NqWCJ5tkvWSRN474yeWXtBmgM=";
53
+
package = pkgs.caddy.withPlugins {
54
+
plugins = [ "github.com/greenpau/caddy-security@v1.1.61" ];
55
+
hash = "sha256-HKW2A/gh+xUboR+IxUjolvd7RjWa3hBjWNv730KwsH8=";
55
56
};
56
57
environmentFile = config.sops.templates."caddy.env".path;
57
58
globalConfig = ''
···
147
148
"wallos.goo.garden" = vhost ''
148
149
reverse_proxy rk1-node-2:8282
149
150
'';
151
+
"bambu.goo.garden" = vhost ''
152
+
reverse_proxy rk1-node-2:8001
153
+
'';
150
154
"knot.goo.garden" = vhost ''
151
155
reverse_proxy rk1-node-1:5555
152
156
'';
···
165
169
sops.templates."caddy.env".content = ''
166
170
TASKS_OIDC_CLIENT_ID=${config.sops.placeholder.tasks-oidc-client-id}
167
171
TASKS_OIDC_CLIENT_SECRET=${config.sops.placeholder.tasks-oidc-client-secret}
172
+
TASKS_JWT_SHARED_KEY=${config.sops.placeholder.tasks-jwt-shared-key}
168
173
'';
169
-
170
174
sops.secrets.tasks-oidc-client-id = { };
171
175
sops.secrets.tasks-oidc-client-secret = { };
176
+
sops.secrets.tasks-jwt-shared-key = { };
172
177
173
178
networking.firewall.allowedTCPPorts = [
174
179
80
+3
modules/fusion.nix
+3
modules/fusion.nix
+3
modules/kitchenowl.nix
+3
modules/kitchenowl.nix
···
19
19
kitchenowl = {
20
20
image = "tombursch/kitchenowl-backend:latest";
21
21
environmentFiles = [ config.sops.templates."kitchenowl.env".path ];
22
+
environment = {
23
+
TZ = config.time.timeZone;
24
+
};
22
25
volumes = [
23
26
"/var/lib/kitchenowl:/data"
24
27
"/run/postgresql:/run/postgresql"
+3
modules/rustical.nix
+3
modules/rustical.nix
+4
-1
modules/wallos.nix
+4
-1
modules/wallos.nix
···
1
-
{ ... }:
1
+
{ config, ... }:
2
2
{
3
3
virtualisation.oci-containers = {
4
4
backend = "podman";
···
10
10
"/var/lib/wallos/db:/var/www/html/db"
11
11
"/var/lib/wallos/logos:/var/www/html/images/uploads/logos"
12
12
];
13
+
environment = {
14
+
TZ = config.time.timeZone;
15
+
};
13
16
};
14
17
};
15
18
};
+3
-2
secrets/secrets.yaml
+3
-2
secrets/secrets.yaml
···
15
15
zigbee2mqtt-mosquitto-password-hashed: ENC[AES256_GCM,data:/jaOxL6CuAY6gyAD1sgb5Vp+jDAPkUbie2YcknEVMvIGR0di7RgVPhgUctzzyF9sicxZrid3b9iwWe9Q1c77GU45eKUtQfrWfqUnIf434g5bhuRJxsCzQ+u0SuyLbsQOUzTRZR/uCIovGY64suPYTQ==,iv:P0mmkdmnR66l9a748qsLIZaChsSbxzICTN+TJwOy5xw=,tag:rZtfK8eSrdFnb6yAfNfwHA==,type:str]
16
16
tasks-oidc-client-id: ENC[AES256_GCM,data:J0qy+sxD2d9Cfoi2PCoFARj4es42FJf08sve8VJzQKQCCLCa,iv:fmhUF8tFATwfrqE8Uj0AbrJgy/j6G0k6iB/lOt4eXGE=,tag:mlIO0sn8oVBVfTEHkghNAg==,type:str]
17
17
tasks-oidc-client-secret: ENC[AES256_GCM,data:uX/G+TdE2nAeQ5jbd6YUkdwigxxJMVQODlpgL330hhk=,iv:72sKHzrij9BOSYfh9TEHxS899CulH6pNzTmCMegZEac=,tag:fa5r9UV7clsbXxpC/AfTIg==,type:str]
18
+
tasks-jwt-shared-key: ENC[AES256_GCM,data:hPYpPanQiVfZ3wdupXkRMgSlUGAc8oz4xWj+Ne7EEi3Nxiz/u82Al3/E2MJibMs3tB+UW+RHsiS9xus6/NbCYA==,iv:xfufQo0lyz49Sd8brYL6HZV4ITw39gepWtCFNMMbcrU=,tag:3Npo79/sxFEITijdZjH4QA==,type:str]
18
19
rustical-oidc-client-id: ENC[AES256_GCM,data:dDA1SCH1/rOHqPNvoXX6GFRVE4zXhmq4EES2OnP0i6NK1WAI,iv:aZquya/FnGm3zXbvyxVvUfYRYN5yPvYtagfVYy4n1RU=,tag:w+usKIfoFqxacpIzFbMGpA==,type:str]
19
20
rustical-oidc-client-secret: ENC[AES256_GCM,data:savr1jjsi+cO6Rotx3zydTVl5qMiieOJ1Ue3+/IFBRQ=,iv:d3h/fuIfA2w3gnT0pCVSixaR1PbvfwwX/Pb3u+sDodc=,tag:YZgogP9Howbt2P7MVThegQ==,type:str]
20
21
screego-secret: ENC[AES256_GCM,data:25elrR88LTQFJz1T6Hj1qDwNnaFnAFxTKwiVZYxVQ66wGI70m22WCexOIVLsxz1xtSEgX0JGTVPSx7qU7ZE4yw==,iv:VV4PpBihmQRJ7CVMIL7jRIAQbwpW5/c6vJftUNp/9hM=,tag:stfLGZ8veoNChnei7U+2/A==,type:str]
···
78
79
ajA5bDZCY1BnblVYRGQ1QTE2S2I4M2cKSIGmFBP6sqiiM+cvTMQuZHit9fN5Vffk
79
80
1pWz8xSen/tqoywqipRf3LqzFb2K7Bx15vwazHbm6LJJa+ZQaruVMg==
80
81
-----END AGE ENCRYPTED FILE-----
81
-
lastmodified: "2026-04-02T17:45:28Z"
82
-
mac: ENC[AES256_GCM,data:+woZIqYy3LZzpw+a7J/dR8PRAUja9kuqCUgqRgbN4MdnaauT8zBW77bxBIJk238+a04yhXiZS+StdPZdPbnM6Co5f1plmO6ONg6lCflnVDDDyAuUTow5NMnlNueldCbPuz6jFWc69nv4rytQhEgmDguG2UZczAewPh3oxHB73AU=,iv:WOzYfFIUpXpWtvnHl1/bNWcLOt3WcWXO85aaqkGIc98=,tag:NxZqeV94XSkCxdHTtHDItg==,type:str]
82
+
lastmodified: "2026-04-06T22:13:26Z"
83
+
mac: ENC[AES256_GCM,data:dRnuptZlnB1UsHQUS9+6DHF3WYO9WDzP3KroaL/HkudVckMNU/sb2tq9NiFQeSf8GbgpMygOB004Y7NeIjZNje3HWyCwHxANgDKCKSX+2mVIv01tBvON88QbMWFsQExvk8BWPX2kuwrzufvT/EWiRm78SvkVENyUT9cqLC4keuo=,iv:ckWynpwZ5fzCeyiRFiZpI/4BbITLYp1MzuZCe82V2Lc=,tag:/1/SD5GqshJex1+XGHVCcQ==,type:str]
83
84
unencrypted_suffix: _unencrypted
84
85
version: 3.12.2