add o2 and update cardian · okk.moe/homelab@ce1769b

+1

hosts/rk1-node-1.nix

··· 10 10 ../modules/tangled-spindle.nix 11 11 ../modules/garage.nix 12 12 ../modules/cardian.nix 13 + ../modules/openobserve.nix 13 14 ]; 14 15 15 16 system.stateVersion = "25.11";

+3

modules/caddy.nix

··· 178 178 reverse_proxy rk1-node-1:3909 179 179 } 180 180 ''; 181 + "observe.goo.garden" = vhost '' 182 + reverse_proxy rk1-node-1:5080 183 + ''; 181 184 "ntfy.goo.garden" = vhost '' 182 185 reverse_proxy cm4-node-2:2586 183 186 '';

+7 -3

modules/cardian.nix

··· 1 1 { config, ... }: 2 2 { 3 3 virtualisation.oci-containers.containers.cardian = { 4 - image = "ghcr.io/okkdev/cardian:7.4.6"; 4 + image = "ghcr.io/okkdev/cardian:7.6.0"; 5 5 environmentFiles = [ config.sops.templates."cardian.env".path ]; 6 6 volumes = [ 7 7 "/var/lib/cardian:/db" ··· 11 11 sops.templates."cardian.env".content = '' 12 12 CARDIAN_TOKEN=${config.sops.placeholder.cardian-token} 13 13 BONK_URL=${config.sops.placeholder.cardian-bonk-url} 14 - SENTRY_URL=${config.sops.placeholder.cardian-sentry-url} 14 + OTEL_EXPORTER_OTLP_ENDPOINT=http://rk1-node-1:5080/api/default 15 + OTEL_AUTH=${config.sops.placeholder.openobserve-otel-auth} 16 + OTEL_STREAM_NAME=cardian 17 + PUSH_URL=${config.sops.placeholder.cardian-push-url} 15 18 ''; 16 19 sops.secrets.cardian-token = { }; 17 20 sops.secrets.cardian-bonk-url = { }; 18 - sops.secrets.cardian-sentry-url = { }; 21 + sops.secrets.cardian-push-url = { }; 22 + sops.secrets.openobserve-otel-auth = { }; 19 23 20 24 systemd.tmpfiles.rules = [ 21 25 "d /var/lib/cardian 0750 root root -"

+1

modules/common.nix

··· 11 11 { 12 12 imports = [ 13 13 ./beszel/agent.nix 14 + ./otel-collector.nix 14 15 ./restic.nix 15 16 ]; 16 17

-1

modules/home-assistant.nix

··· 61 61 frontend.port = 8124; 62 62 }; 63 63 }; 64 - 65 64 sops.templates."zigbee2mqtt-secret.yaml" = { 66 65 content = "mqtt_password: ${config.sops.placeholder.zigbee2mqtt-mosquitto-password}"; 67 66 owner = "zigbee2mqtt";

+35

modules/openobserve.nix

··· 1 + { 2 + config, 3 + pkgs, 4 + ... 5 + }: 6 + { 7 + systemd.services.openobserve = { 8 + description = "OpenObserve observability platform"; 9 + after = [ "network.target" ]; 10 + wantedBy = [ "multi-user.target" ]; 11 + serviceConfig = { 12 + Type = "simple"; 13 + ExecStart = "${pkgs.openobserve}/bin/openobserve"; 14 + DynamicUser = true; 15 + StateDirectory = "openobserve"; 16 + EnvironmentFile = config.sops.templates."openobserve.env".path; 17 + Environment = [ 18 + "ZO_DATA_DIR=/var/lib/openobserve" 19 + "ZO_HTTP_PORT=5080" 20 + "ZO_HTTP_ADDR=[::]" 21 + ]; 22 + Restart = "on-failure"; 23 + RestartSec = "5s"; 24 + }; 25 + }; 26 + 27 + sops.templates."openobserve.env".content = '' 28 + ZO_ROOT_USER_EMAIL=${config.sops.placeholder.openobserve-root-email} 29 + ZO_ROOT_USER_PASSWORD=${config.sops.placeholder.openobserve-root-password} 30 + ''; 31 + sops.secrets.openobserve-root-email = { }; 32 + sops.secrets.openobserve-root-password = { }; 33 + 34 + networking.firewall.allowedTCPPorts = [ 5080 ]; 35 + }

+35

modules/otel-collector.nix

··· 1 + { 2 + config, 3 + pkgs, 4 + ... 5 + }: 6 + { 7 + services.opentelemetry-collector = { 8 + enable = true; 9 + package = pkgs.opentelemetry-collector-contrib; 10 + settings = { 11 + receivers.journald = { 12 + convert_message_bytes = true; 13 + }; 14 + exporters.otlphttp = { 15 + endpoint = "http://rk1-node-1:5080/api/default"; 16 + headers = { 17 + stream-name = "system_logs"; 18 + Authorization = "Basic \${env:OTEL_AUTH}"; 19 + }; 20 + }; 21 + service.pipelines.logs = { 22 + receivers = [ "journald" ]; 23 + exporters = [ "otlphttp" ]; 24 + }; 25 + }; 26 + }; 27 + 28 + systemd.services.opentelemetry-collector.serviceConfig.EnvironmentFile = 29 + config.sops.templates."otel-collector.env".path; 30 + 31 + sops.templates."otel-collector.env".content = '' 32 + OTEL_AUTH=${config.sops.placeholder.openobserve-otel-auth} 33 + ''; 34 + sops.secrets.openobserve-otel-auth = { }; 35 + }

+1

modules/tranquil-pds.nix

··· 36 36 systemd.services.tranquil-pds = { 37 37 after = [ "mnt-nas.mount" ]; 38 38 requires = [ "mnt-nas.mount" ]; 39 + environment.NO_COLOR = "1"; 39 40 }; 40 41 41 42 sops.templates."tranquil-pds.env".content = ''

+6 -3

secrets/secrets.yaml

··· 44 44 vaultwarden-oidc-client-secret: ENC[AES256_GCM,data:8768G1aahatoGO/p93uze0p+bH/qh5dSv0Fmoyk+fRM=,iv:Aa6TLX2+P+v68Lt15Lbln1Y/m+Cd52BB5O6rstNpOys=,tag:B1B2Srp51kYGDXZnPCuxhQ==,type:str] 45 45 cardian-token: ENC[AES256_GCM,data:yA/Bx36ljsPr6PCcxox4rvUVJyXukwcm1qP/1qecYYDBhobmpbQCRvjh3OQKnHSfZqna6te24lcAzhmU6AmfsJpaLcI9Kg==,iv:njXyuhrEY4BbtYl8HFpx2/YBOmBOpGzyBpfn0On0A2A=,tag:rrcs3lG3AteQFzk0pScEiQ==,type:str] 46 46 cardian-bonk-url: ENC[AES256_GCM,data:NM0ECFLnIcU3g29zPDlmdUgbHVt8jpE8ZHb1R3dBF+xoVJb73nNu0IdSp/kAkJC8yguLsBei0dWAHRqL1UaOqwbDlbGnZA==,iv:O+/Z2RYBWyg1ehsZWRLtadF8iFE6vb7caSCMJySWpmY=,tag:Zye0Wk0dQsy5IcSuE2GB5Q==,type:str] 47 - cardian-sentry-url: ENC[AES256_GCM,data:rBHw0gs8hOE5lU6B2QoU8CUF/hWyBC4pKA8gXqX1hjyDoDOzEh0GGEB2BaDdQ+BphLR6kSBZPe1QTc1ZnSUiZIK5RAC2Q6GK3xBUUgyrBTILrcNQOpt+pXAxjtQ=,iv:1WKvXbbVexG8KxtLkWjn6VwnUvDr64sgaFG3f2bVgZ8=,tag:jrkn7mb6rUiwh98Ic/3iSg==,type:str] 47 + cardian-push-url: ENC[AES256_GCM,data:jHTTvv5sKRwmZRMhDgaWgHz51jMRUCZx/oAWIUjDRH+A4yTetJBhF4vm5IJ2X3it3i23E6fxxWv1mJf7J9jixiX+UYzUSwGHGSnmFMyRmR1NtUxq3iiwVm3l,iv:zGijBLTZA6DIaTeOaMMPy2v5z4Gx3mUjFxIVwqfG8q8=,tag:OrmvZrY7pSUcF4Fn9dzeBg==,type:str] 48 48 ntfy-auth-users: ENC[AES256_GCM,data:0BDtabnXuVbBeYdqGQmydocmZeHpg2Bc36AskoMb7crpxB+XWEKzQnHlqWNB4zoVAe5YQSbeWoqtgxHGJdHKxHUWj3uG3w==,iv:LXfj/LDbMcqvMfpbJnX6obLEUrO7UYaBDNS77OVijUo=,tag:KU9VEk58h1rG2MyjDFJQYA==,type:str] 49 + openobserve-root-email: ENC[AES256_GCM,data:Ht1L4WnyBR0dLvDof8Kr,iv:Wcc3+IkSzw7bfElwJO7VqsA3/aF55/EaV8kS7awWuxI=,tag:w8zVAavSVxQcR/+Sr1soNg==,type:str] 50 + openobserve-root-password: ENC[AES256_GCM,data:0xis+bzROQYGfOXQI7wigjbQkGvIIOU6bewER3kMFMcnt6Mu6j3FeMC7d07GGjI=,iv:QEPPSSxpktLxPgqA6iiKyGbthwL9yfFStuF1gv5xBDI=,tag:Ds7B1sWr0DLox/IgxqnXTw==,type:str] 51 + openobserve-otel-auth: ENC[AES256_GCM,data:urMwnwyITZPHELfUb2rFDaGch6LHgCI3PmDxSml4UfaXGcfN1135cPWGY1o=,iv:HCq4/38F6IOU+Xp2Gu0iKB2bsQNUfsGRVoTNmlbauMM=,tag:KnTYFsvkS8sx9PD0VNcahQ==,type:str] 49 52 mumble-password: ENC[AES256_GCM,data:/GA5G4CEVQ==,iv:Ri70GW9Ln7vv3Nf0CSNW0PwypLUNvh+kvJjUqu393ig=,tag:NY+u/RxcKudlaZStgnGVTw==,type:str] 50 53 backup-repository: ENC[AES256_GCM,data:v6tUjTwVsym8i52jcapjSRXPIjX2xNFY+bZRkHnVsp4AebcksHzHEDX6N4BF3OuQ2KepOfHngMn61Mk=,iv:HPV+8aCPpvFnytja6RUA7hJdtz2BMI1zsH01w1J9r2w=,tag:znMIFmrcsKTIq2TowhAV0w==,type:str] 51 54 backup-identity: ENC[AES256_GCM,data:8TJP7vSWJAj56AcczQhMRoQqahxM4EGzPm+wk1apMD+L3pybXh/4LPp0DNcGugOb3RPTyjki6jZArDgiirS+ltbldaNQPZaZ4cFrtiJVt8D/iQlsgM9tR8oC7bcR4KV+UoVeeXJN0fWqy5U+IzJ87ZRKKyb9i8WKhPuWFIftb4KqZRyada7jhl/SzwuoIcw9BagMJPLv6BaUmNp1j5fOHvo7RseImiIqsbVo37NTqMMQf7PKM5gsMU6bbeAMjtdeC2RNVG21eop8JlO5uYVyjGxyl5wfU+PwMSRc+XNpgeVEv9mjdo6dkG3QC2poHZ77ot4py6HzQPUZjwLyFsr0ccC4e6e0PNOBtTPtku/LnXHsV45LB9Q3X7t9VSYCTtlJul2W8huZuCRnv7crvIUW21ZMTWiwMbqNEqDUJTBcPLDi42Ea4CvA+I6ODJP8n5g7GTHW0ggy6FtjVXH5DzhzJJULQ27kq97EWi43bSRv0N+N5C1viM+j+hs6tM5eQ15niRVB,iv:YpRoGlD8YFxZ+RChb6T4Eh665AMTTeTJXRFR0xa7l3k=,tag:FWOVonF+SYbbgQoopa2lhA==,type:str] ··· 96 99 ajA5bDZCY1BnblVYRGQ1QTE2S2I4M2cKSIGmFBP6sqiiM+cvTMQuZHit9fN5Vffk 97 100 1pWz8xSen/tqoywqipRf3LqzFb2K7Bx15vwazHbm6LJJa+ZQaruVMg== 98 101 -----END AGE ENCRYPTED FILE----- 99 - lastmodified: "2026-04-16T19:37:29Z" 100 - mac: ENC[AES256_GCM,data:++EY/RF5dwbBF54rkxt1ZOp6EyVij1xmnboVnrXzaPrnMS+fpd8DbC06Z2O6weDBSu0Elki57nTUYlm9e9OSMzioI3HKVYdsu4kw6Q+q9hQx7XbB1I8KPyN2aLMMVmqzp8pA2lEW2Pjso03v0loojz+WKFON8NiZj1sc+tAVjMM=,iv:VFUKbik3vIWkV9eiFHVGQCLA8ZT+2tTDF/Jg02wQqHM=,tag:GG6Pi5tpzMMbtb/Nqhvu/w==,type:str] 102 + lastmodified: "2026-04-18T22:39:12Z" 103 + mac: ENC[AES256_GCM,data:b5X20ugC9IsAKW5/C8G3tXgEcnLCIpbiVqpX/EBLtPyUKwt/qqX35AT+1b3ypMZueqReWIb/X8TIDgJc73OvguLRuD3FUQ76+deBvgVZzVF+IMWuL1/7zbfrKlZDMXLdhtbVliX+QhBoTbuyQ8iiOOH6MJIGkUwbJ2ZI0XfiwEg=,iv:93jN1VR2KRyZedknX5ylNyVyGFv2Sdcy/fOFVbLJ6wo=,tag:EFaGjYLwwVIQieBYY5PuPw==,type:str] 101 104 unencrypted_suffix: _unencrypted 102 105 version: 3.12.2

Configure Feed

Configure Feed