feat(nixos-server): Enable cleanuperr, move secrets to modules that u…

…se them

hosts/server/cleanuperr.nix

@@ -0,0 +1,13 @@
+{ config, ... }:
+let envFile = config.age.secrets.cleanuperr_env.path;
+in {
+  age.secrets.cleanuperr_env.file = ../../secrets/cleanuperr_env.age;
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers.cleanuperr = {
+      autoStart = true;
+      image = "ghcr.io/flmorg/cleanuperr:latest";
+      environmentFiles = [ envFile ];
+    };
+  };
+}

hosts/server/content.nix

@@ -4,6 +4,7 @@
     ./deluge.nix
     # port 8082
     ./homepage.nix
+    ./cleanuperr.nix
   ];
   services = {
     jellyfin = {

hosts/server/default.nix

@@ -23,7 +23,6 @@
 
   imports = [
     ./hardware-configuration.nix
-    ./secrets.nix
     ./content.nix
     ./nas.nix
     ./containers.nix

hosts/server/deluge.nix

@@ -3,6 +3,7 @@ let
   configDir = "/var/lib/delugevpn";
   wireguardConfigPath = config.age.secrets.mullvad_wireguard.path;
 in {
+  age.secrets.mullvad_wireguard.file = ../../secrets/mullvad_wireguard.age;
 
   systemd.tmpfiles.rules = [
     "d ${configDir} 055 delugevpn delugevpn - -"
@@ -17,33 +18,31 @@ in {
   };
   virtualisation.oci-containers = {
     backend = "podman";
-    containers = {
-      delugevpn = {
-        autoStart = true;
-        image = "ghcr.io/binhex/arch-delugevpn";
-        extraOptions =
-          [ "--sysctl=net.ipv4.conf.all.src_valid_mark=1" "--privileged=true" ];
-        ports = [ "8112:8112" "8118:8118" "58846:58846" "58946:58946" ];
-        volumes = [ "/mnt/jellyfin:/data" "${configDir}:/config" ];
-        environment = {
-          VPN_ENABLED = "yes";
-          VPN_PROV = "custom";
-          VPN_CLIENT = "wireguard";
-          STRICT_PORT_FORWARD = "yes";
-          ENABLE_PRIVOXY = "yes";
-          LAN_NETWORK = "192.168.189.0/24";
-          NAME_SERVERS =
-            "84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1";
-          DELUGE_DAEMON_LOG_LEVEL = "info";
-          DELUGE_WEB_LOG_LEVEL = "info";
-          DELUGE_ENABLE_WEBUI_PASSWORD = "yes";
-          VPN_INPUT_PORTS = "";
-          VPN_OUTPUT_PORTS = "";
-          DEBUG = "false";
-          UMASK = "000";
-          PUID = "0";
-          PGID = "0";
-        };
+    containers.delugevpn = {
+      autoStart = true;
+      image = "ghcr.io/binhex/arch-delugevpn";
+      extraOptions =
+        [ "--sysctl=net.ipv4.conf.all.src_valid_mark=1" "--privileged=true" ];
+      ports = [ "8112:8112" "8118:8118" "58846:58846" "58946:58946" ];
+      volumes = [ "/mnt/jellyfin:/data" "${configDir}:/config" ];
+      environment = {
+        VPN_ENABLED = "yes";
+        VPN_PROV = "custom";
+        VPN_CLIENT = "wireguard";
+        STRICT_PORT_FORWARD = "yes";
+        ENABLE_PRIVOXY = "yes";
+        LAN_NETWORK = "192.168.189.0/24";
+        NAME_SERVERS =
+          "84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1";
+        DELUGE_DAEMON_LOG_LEVEL = "info";
+        DELUGE_WEB_LOG_LEVEL = "info";
+        DELUGE_ENABLE_WEBUI_PASSWORD = "yes";
+        VPN_INPUT_PORTS = "";
+        VPN_OUTPUT_PORTS = "";
+        DEBUG = "false";
+        UMASK = "000";
+        PUID = "0";
+        PGID = "0";
       };
     };
   };

hosts/server/homepage.nix

@@ -1,4 +1,5 @@
 { config, ... }: {
+  age.secrets.homepage.file = ../../secrets/homepage.age;
   services.homepage-dashboard = {
     enable = true;
     openFirewall = true;

hosts/server/wireguard.nix

@@ -4,6 +4,7 @@ let
   wireguard_interface = "wgvpn";
   external_interface = "enp0s31f6";
 in {
+  age.secrets.wireguard_server.file = ../../secrets/wireguard_server.age;
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   services.dnsmasq = {
     enable = true;

secrets.nix

@@ -14,4 +14,5 @@ in {
   "secrets/mullvad_wireguard.age".publicKeys = users ++ systems;
   "secrets/homepage.age".publicKeys = users ++ systems;
   "secrets/wireguard_server.age".publicKeys = users ++ systems;
+  "secrets/cleanuperr_env.age".publicKeys = users ++ systems;
 }