changedetection.io

author: Gregor Kleen <gkleen@yggdrasil.li> 2025-12-09 10:27:01 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2025-12-09 10:27:01 +0100
commit: 5d879efa0c9ed73d7f6f19acebb87843c86a46e2 (patch)
tree: 22f4302c5adcb8dfc76d86f6656fae542746c5a4
parent: c2c76862d348b4a32a0292bad0b954672c9e162d (diff)
download: nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.tar
nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.tar.gz
nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.tar.bz2
nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.tar.xz
nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.zip
11 files changed, 200 insertions, 4 deletions
diff --git a/hosts/surtr/changedetection-io.nix b/hosts/surtr/changedetection-io.nix
new file mode 100644
index 00000000..bfdedee1
--- /dev/null
+++ b/hosts/surtr/changedetection-io.nix
@@ -0,0 +1,66 @@
+{ config, ... }:
+{
+  config = {
+    security.acme.rfc2136Domains = {
+      "changedetection.yggdrasil.li" = {
+        restartUnits = ["nginx.service"];
+      };
+    };
+    services.nginx = {
+      upstreams."changedetection-io" = {
+        servers = {
+          "[2a03:4000:52:ada:4:1::]:5001" = {};
+        };
+        extraConfig = ''
+          keepalive 8;
+        '';
+      };
+      virtualHosts = {
+        "changedetection.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/changedetection.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/changedetection.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/changedetection.yggdrasil.li.chain.pem";
+          extraConfig = ''
+            charset utf-8;
+          '';
+          locations = {
+            "/".extraConfig = ''
+              proxy_pass http://changedetection-io;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+              proxy_redirect off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Host $server_name;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              client_max_body_size 0;
+              proxy_request_buffering off;
+              proxy_buffering off;
+            '';
+          };
+        };
+      };
+    };
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "changedetection.yggdrasil.li.key.pem:${config.security.acme.certs."changedetection.yggdrasil.li".directory}/key.pem"
+          "changedetection.yggdrasil.li.pem:${config.security.acme.certs."changedetection.yggdrasil.li".directory}/fullchain.pem"
+          "changedetection.yggdrasil.li.chain.pem:${config.security.acme.certs."changedetection.yggdrasil.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 1c66df2b..4a9bd6fe 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -8,6 +8,7 @@ with lib;
    ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
    ./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
    ./paperless.nix ./hledger.nix ./audiobookshelf.nix ./kimai.nix
+    ./changedetection-io.nix
  ];
  config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 8aca2b97..96599901 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -157,7 +157,7 @@ in {
        ${concatMapStringsSep "\n" mkZone [
          { domain = "yggdrasil.li";
            addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
-            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li"];
+            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li" "changedetection.yggdrasil.li"];
          }
          { domain = "nights.email";
            addACLs = { "nights.email" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/keys/changedetection.yggdrasil.li_acme b/hosts/surtr/dns/keys/changedetection.yggdrasil.li_acme
new file mode 100644
index 00000000..dcc7f85b
--- /dev/null
+++ b/hosts/surtr/dns/keys/changedetection.yggdrasil.li_acme
@@ -0,0 +1,18 @@
+{
+        "data": "ENC[AES256_GCM,data:QWZAer8xKZvAGl3HxaIdsOT1n3os4EDyQoZOU3YzwDpPfweVRhhBfyAg7M6rMRj8K8ffkkRWatDmgyHV1R43GfNyb1sLjqdqPysYXxC8KlP22WlT+1xstQ2q1KYmeN6VEKF0q+QOMMPRvwQbSQ0eC4mXcE+WgQSTVywjab9hQuc8vin69RbFxbhepxYLXT1rzQpLlxFmUNZBcLpSqsHkSDa2B0d4j2kIvSl2BuUgb3QJwgyNS5pGbnfyVfmus7p5+/pVFCe5EwTVjwgpn/cpIB0mu1Bbt9r0EvCkYXI6wKcLDVbfdV7KsA==,iv:wjHpcClpybzCIi3JhxgXTd5nW9y223pJn2rBde/2cy8=,tag:etfnmj+HhIKeZMGjxE5jiw==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWkk2Z0FUNlNoaFVaSFEr\nSE54eUpHaTNzTTdjaytJemtQUW1mWjJNUGhzCkU1OGlNb3pidVFKalVCZUhBODNi\nMjcxR0xLUDRwYkZ5V2I1Q3Z6Y2pmRWMKLS0tIGNzaGNiTEMvdEhBMDRZY2pDQzNu\nWkpkcVNYVjJZQS9QRHEyOUx6RVpQVjAKKGjVrfeovCIml2hExydC9Cd7PyungtpJ\nCdXfrvzP/OtoBSiEDQGC2VafwKkZ98dQqVRnfVApDoxdVQ8vIrxmKQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbUNBV1NYZEtKaDlzUVBF\nU2IrZ3dSWS9keVE1ak9qWkppc1hOY3JpMjEwCmNUbVJJMFNObmptVGQ0K1ovanVm\nc1dzN0VRVThyVWxPWTFLbldPQnE3Z2sKLS0tIEdWRENRRFROSm5SQ04yTG1wZWJ2\nNDMxK1ArYmdiQWJZV0d2TElZcFZLNVEKtmVrSIOcP4Ek1WW85f2/dNVYQMz9XqZ3\n0J04kqvkHZuM8PiBDg2l2rSh0xhHz3xb1iBhAddLXEjeEfy6o9HKyg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-12-08T12:46:12Z",
+                "mac": "ENC[AES256_GCM,data:waY6IDfabZ8B8069liXh7RXjgUTpOdr4U9VQK5xYRujAlI//Ea5lM2ODHJ7PrAkZsK0TGB9ezN8SA5QpxYZwOcpxg45jNbTALxZsZMEzrtCy4wSiBdiLvRoTXvwMZsnsaQEGk2ij2rEqNEOYYBFapBoIz2w5kbEZrrhVRHSkNME=,iv:tpU++qliONinepku/gdPJQ/h2NdyNw3GY+RV+6UM07U=,tag:yieMw3BOC134zAIqb1Fvjg==,type:str]",
+                "version": "3.11.0"
+        }
+}
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 500194ae..5234576f 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025060700 ; serial
+  2025120800 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -109,6 +109,14 @@ _acme-challenge.kimai	IN	NS	ns.yggdrasil.li.
 kimai                   IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
+changedetection                 IN      A       202.61.241.61
+changedetection                 IN      AAAA    2a03:4000:52:ada::
+changedetection                 IN      MX      0 surtr.yggdrasil.li
+changedetection                 IN      TXT     "v=spf1 redirect=surtr.yggdrasil.li"
+_acme-challenge.changedetection IN      NS      ns.yggdrasil.li.
+changedetection                 IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
 vidhar                  IN      AAAA    2a03:4000:52:ada:4:1::
 vidhar                  IN      MX      0 ymir.yggdrasil.li
 vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/tls/tsig_keys/changedetection.yggdrasil.li b/hosts/surtr/tls/tsig_keys/changedetection.yggdrasil.li
new file mode 100644
index 00000000..ac332fe5
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/changedetection.yggdrasil.li
@@ -0,0 +1,18 @@
+{
+        "data": "ENC[AES256_GCM,data:OD12OI11EpjWIGtCGzSIeFXIht1tM7YrEbo3XqcxD0XFaZ3CrELJgru9gtN/,iv:SXPNed6CUWCUDomJbx1kOjvxTBoHrgb6tKw9Jb/Qa0M=,tag:RiueVMBSdAF96d6190bwfg==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwR3FGdks2TUtkSUJLcG1v\nbXZmWFZNVmc3a0x5d2tPNmpJVDJPQmIyNkFNClAwNzI0aHE5SFdaQ0RoZnE0ZEx5\nL3IzQTRpd0g4cHJSUHlrbGtRK283SEkKLS0tIDdLVzE0SFgvS0l1eDd5SHVQQ1By\nNmZ1M0cxSnNxTE5OdHBLZ2FFRWhXdUkKTykJ2kRJPrcPwuw3ufNaCJ6pOuvtDUcl\noHizOV+Yco7nhKtINE93mD4xIiER0i5h7lpKOTUGgjzhjJP2DR7ifw==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNVRmMVIvVVZ4SkVMUC9o\nOVMxekNiZTRJWTExMHU5Q3lOaVFkbnhGT3lrCmM3ZjNSV056WjlTeEZzdHpKL1Fl\nbFF4R1phSitzWlY2dFJuRDFvK09LWm8KLS0tIEZINU5KallPdnZsZEh6WUxJYW1K\ncEV0ZkJVK2JiZ1ZtSTZRQUtiaGFBTEkKC6DQLWqY4WrRCSRrWAqlvjw6lp0Y+XGo\nrwxWMwyEocizMR6i//a5P8RBPnvzAEHbXMobI4mSDyfIdezWUX/QNA==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-12-08T12:46:13Z",
+                "mac": "ENC[AES256_GCM,data:FLdO6Bz74+aTd9ns8ysbcrNdwogJvnm/sRRTLntf5zAH16MyI+QbsBo2LORWr5O3t24+EfmZBhMsfj/AXvqkcMFjPwIhALQpPjjT2JfAsLFtSUqZRjBNKYkfoLlTUKb083RgDjEUIVGgsZzJLCyFtfZP0NXicTUsUz9mRZCYwYU=,iv:sSPuuoE3qgt+Qhh76rZtSCBnHYLK3AN7IljUDkr14AE=,tag:56rYSDonQwfKjNR5fBgQiA==,type:str]",
+                "version": "3.11.0"
+        }
+}
diff --git a/hosts/vidhar/changedetection-io/changedetection-io_env b/hosts/vidhar/changedetection-io/changedetection-io_env
new file mode 100644
index 00000000..626c6f0e
--- /dev/null
+++ b/hosts/vidhar/changedetection-io/changedetection-io_env
@@ -0,0 +1,19 @@
+{
+        "data": "ENC[AES256_GCM,data:blHQ1oSNZfw7Xpkconzv7ft18WVSkINjoqnZAfKWsaTszMfYzZWNJ1uQ17UnfTmGJqvzaBBsToiOxzxUQBztamFY+CWXy3AqqqwgI5rOo14AiuvpCj7NvOA/7WVgq6RUoBaE9ao=,iv:RWvPBN5mIVzP2QQzNvU8ciTzRDBVhAk8Qu+6QuNO8/E=,tag:Q3jnhD+aZ7Qr8oUsdyRnLA==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UUhJUmpoZTloWXRpVk1Y\nb3FYTEI4T0V6RGlyL3NoK3JXMEJKeUwraFEwCjBTZTBwUUVUbkt4Y1N6ajZiN2dF\nd2pHTFA0dHFYMjVFZnZhdnhrdW11Z2sKLS0tIFA2NllMUFk0ZENGblhMaXpiVmo4\nelZTRWdsVFIyRmRGTURTRmg4cWdsWVUKMY10ZEzhcZAC95W35e3To/DXkCptZeNG\nkmVVtP0VzE3AM2oA+W957MRX81PHKb27We6OmxGrIYITsz4Atjj+Vg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcVFmN3JHdE5HamYzSUlX\nVXBTM1QxZG9RU2V4SlphWUw4QTJoMDJ3QzNVCkhVbUZELzZ3eDZ3aWIxMDFqTUh4\nWncwUUs3dFBUOTVjUmZYL21CNnhSZ1EKLS0tIDJXRUpmVHBxUmRLWnpZOHNQaWdK\ndEF2Z00xUmJBczM2TmZ3N2Y2RmxFaW8KYVV1Q6gxC4TR5VzytLY3zo7O0QsXAYEc\nW9kifMY8dy7zDt1X8BNAO94nLqTDPFJ68uhra3QG5e4z6WHyoF5iLg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-12-08T15:07:34Z",
+                "mac": "ENC[AES256_GCM,data:jQeuCBHj3ZKxYhRrADE4qskvcKzTcVV6lhAT8o1mxbb8RSdCsrAKnEC8o74TmMP7D5rup3jx73YoOPC71yDJLm+TXiIIHQWlPpiNRCrkBUcioJQbmQmiioRbKkojzb5q4ike2UOMcBUlv1q/ztlOk+av0nW607JV5/gDxuGE0tA=,iv:fOtYfrb3ubb3PU99p2l8sseja45r1ZMzIJG9Uhqn/xc=,tag:F3KFy1oIbVUBMwzNALbz5g==,type:str]",
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.11.0"
+        }
+}
diff --git a/hosts/vidhar/changedetection-io/default.nix b/hosts/vidhar/changedetection-io/default.nix
new file mode 100644
index 00000000..c6812747
--- /dev/null
+++ b/hosts/vidhar/changedetection-io/default.nix
@@ -0,0 +1,50 @@
+{ config, pkgs, ... }:
+{
+  config = {
+    services.changedetection-io = {
+      enable = true;
+      behindProxy = true;
+      # playwrightSupport = true;
+      baseURL = "https://changedetection.yggdrasil.li";
+      listenAddress = "2a03:4000:52:ada:4:1::";
+      port = 5001;
+      environmentFile = config.sops.secrets."changedetection-io_env".path;
+    };
+    sops.secrets."changedetection-io_env" = {
+      format = "binary";
+      sopsFile = ./changedetection-io_env;
+    };
+    systemd.services.changedetection-io = {
+      path = with pkgs; [
+        poppler-utils
+      ];
+      serviceConfig = {
+        Environment = [
+          "PLAYWRIGHT_DRIVER_URL=ws://10.88.0.5:3000"
+          "DISABLE_VERSION_CHECK=true"
+          "MINIMUM_SECONDS_RECHECK_TIME=0"
+        ];
+      };
+    };
+    virtualisation.oci-containers.containers = {
+      changedetection-io-playwright = {
+        image = "dgtlmoon/sockpuppetbrowser";
+        pull = "newer";
+        environment = {
+          SCREEN_WIDTH = "1920";
+          SCREEN_HEIGHT = "1024";
+          SCREEN_DEPTH = "16";
+          MAX_CONCURRENT_CHROME_PROCESSES = "10";
+          STATS_REFRESH_SECONDS = "600";
+        };
+        extraOptions = [
+          "--ip=10.88.0.5"
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 1c60ed22..c54d57cd 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 {
  imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai ./changedetection-io
    tmpfs-root zfs
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
@@ -387,6 +387,8 @@ with lib;
    environment.systemPackages = with pkgs; [iotop vmtouch];
+    virtualisation.oci-containers.backend = "podman";
    systemd.sysusers.enable = false;
    system.stateVersion = "21.05";
  };
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index dd750394..44b6b7a9 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -61,6 +61,7 @@ table inet filter {
  counter fw-lan {}
  counter fw-ppp {}
  counter fw-kimai {}
+  counter fw-podman {}
  counter fw-cups {}
@@ -97,6 +98,7 @@ table inet filter {
  counter hledger-rx {}
  counter audiobookshelf-rx {}
  counter kimai-rx {}
+  counter changedetection-rx {}
  counter established-rx {}
@@ -130,6 +132,7 @@ table inet filter {
  counter hledger-tx {}
  counter audiobookshelf-tx {}
  counter kimai-tx {}
+  counter changedetection-tx {}
  counter tx {}
@@ -154,9 +157,11 @@ table inet filter {
    oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
    iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
    iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
+    iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept
    iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
    iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+    iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept
    iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
    iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
@@ -187,7 +192,7 @@ table inet filter {
    iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
    iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
-    iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+    iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
    iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
@@ -214,6 +219,7 @@ table inet filter {
    iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
    iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
    iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
+    iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
    ct state { established, related } counter name established-rx accept
@@ -266,6 +272,7 @@ table inet filter {
    iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
    iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
    iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
+    iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
    counter name tx
diff --git a/overlays/changedetection-io.nix b/overlays/changedetection-io.nix
new file mode 100644
index 00000000..95e8985e
--- /dev/null
+++ b/overlays/changedetection-io.nix
@@ -0,0 +1,7 @@
+{ final, prev, ... }: {
+  changedetection-io = prev.changedetection-io.overrideAttrs (oldAttrs: {
+    propagatedBuildInputs = (oldAttrs.propagatedBuildInputs or []) ++ (with final.python3.pkgs; [
+      playwright
+    ]);
+  });
+}
author	Gregor Kleen <gkleen@yggdrasil.li>	2025-12-09 10:27:01 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2025-12-09 10:27:01 +0100
commit	5d879efa0c9ed73d7f6f19acebb87843c86a46e2 (patch)
tree	22f4302c5adcb8dfc76d86f6656fae542746c5a4
parent	c2c76862d348b4a32a0292bad0b954672c9e162d (diff)
download	nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.tar nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.tar.gz nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.tar.bz2 nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.tar.xz nixos-5d879efa0c9ed73d7f6f19acebb87843c86a46e2.zip

diff --git a/hosts/surtr/changedetection-io.nix b/hosts/surtr/changedetection-io.nix new file mode 100644 index 00000000..bfdedee1 --- /dev/null +++ b/hosts/surtr/changedetection-io.nix
@@ -0,0 +1,66 @@
		1	{ config, ... }:
		2
		3	{
		4	config = {
		5	security.acme.rfc2136Domains = {
		6	"changedetection.yggdrasil.li" = {
		7	restartUnits = ["nginx.service"];
		8	};
		9	};
		10
		11	services.nginx = {
		12	upstreams."changedetection-io" = {
		13	servers = {
		14	"[2a03:4000:52:ada:4:1::]:5001" = {};
		15	};
		16	extraConfig = ''
		17	keepalive 8;
		18	'';
		19	};
		20	virtualHosts = {
		21	"changedetection.yggdrasil.li" = {
		22	kTLS = true;
		23	http3 = true;
		24	forceSSL = true;
		25	sslCertificate = "/run/credentials/nginx.service/changedetection.yggdrasil.li.pem";
		26	sslCertificateKey = "/run/credentials/nginx.service/changedetection.yggdrasil.li.key.pem";
		27	sslTrustedCertificate = "/run/credentials/nginx.service/changedetection.yggdrasil.li.chain.pem";
		28	extraConfig = ''
		29	charset utf-8;
		30	'';
		31
		32	locations = {
		33	"/".extraConfig = ''
		34	proxy_pass http://changedetection-io;
		35
		36	proxy_http_version 1.1;
		37	proxy_set_header Upgrade $http_upgrade;
		38	proxy_set_header Connection "upgrade";
		39
		40	proxy_redirect off;
		41	proxy_set_header Host $host;
		42	proxy_set_header X-Real-IP $remote_addr;
		43	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		44	proxy_set_header X-Forwarded-Host $server_name;
		45	proxy_set_header X-Forwarded-Proto $scheme;
		46
		47	client_max_body_size 0;
		48	proxy_request_buffering off;
		49	proxy_buffering off;
		50	'';
		51	};
		52	};
		53	};
		54	};
		55
		56	systemd.services.nginx = {
		57	serviceConfig = {
		58	LoadCredential = [
		59	"changedetection.yggdrasil.li.key.pem:${config.security.acme.certs."changedetection.yggdrasil.li".directory}/key.pem"
		60	"changedetection.yggdrasil.li.pem:${config.security.acme.certs."changedetection.yggdrasil.li".directory}/fullchain.pem"
		61	"changedetection.yggdrasil.li.chain.pem:${config.security.acme.certs."changedetection.yggdrasil.li".directory}/chain.pem"
		62	];
		63	};
		64	};
		65	};
		66	}


diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 1c66df2b..4a9bd6fe 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix
@@ -8,6 +8,7 @@ with lib;
8	./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql	8	./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
9	./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix	9	./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
10	./paperless.nix ./hledger.nix ./audiobookshelf.nix ./kimai.nix	10	./paperless.nix ./hledger.nix ./audiobookshelf.nix ./kimai.nix
		11	./changedetection-io.nix
11	];	12	];
12		13
13	config = {	14	config = {


diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 8aca2b97..96599901 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -157,7 +157,7 @@ in {
157	${concatMapStringsSep "\n" mkZone [	157	${concatMapStringsSep "\n" mkZone [
158	{ domain = "yggdrasil.li";	158	{ domain = "yggdrasil.li";
159	addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };	159	addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
160	acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li"];	160	acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li" "changedetection.yggdrasil.li"];
161	}	161	}
162	{ domain = "nights.email";	162	{ domain = "nights.email";
163	addACLs = { "nights.email" = ["ymir_acme_acl"]; };	163	addACLs = { "nights.email" = ["ymir_acme_acl"]; };


diff --git a/hosts/surtr/dns/keys/changedetection.yggdrasil.li_acme b/hosts/surtr/dns/keys/changedetection.yggdrasil.li_acme new file mode 100644 index 00000000..dcc7f85b --- /dev/null +++ b/hosts/surtr/dns/keys/changedetection.yggdrasil.li_acme
@@ -0,0 +1,18 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:QWZAer8xKZvAGl3HxaIdsOT1n3os4EDyQoZOU3YzwDpPfweVRhhBfyAg7M6rMRj8K8ffkkRWatDmgyHV1R43GfNyb1sLjqdqPysYXxC8KlP22WlT+1xstQ2q1KYmeN6VEKF0q+QOMMPRvwQbSQ0eC4mXcE+WgQSTVywjab9hQuc8vin69RbFxbhepxYLXT1rzQpLlxFmUNZBcLpSqsHkSDa2B0d4j2kIvSl2BuUgb3QJwgyNS5pGbnfyVfmus7p5+/pVFCe5EwTVjwgpn/cpIB0mu1Bbt9r0EvCkYXI6wKcLDVbfdV7KsA==,iv:wjHpcClpybzCIi3JhxgXTd5nW9y223pJn2rBde/2cy8=,tag:etfnmj+HhIKeZMGjxE5jiw==,type:str]",
		3	"sops": {
		4	"age": [
		5	{
		6	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
		7	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWkk2Z0FUNlNoaFVaSFEr\nSE54eUpHaTNzTTdjaytJemtQUW1mWjJNUGhzCkU1OGlNb3pidVFKalVCZUhBODNi\nMjcxR0xLUDRwYkZ5V2I1Q3Z6Y2pmRWMKLS0tIGNzaGNiTEMvdEhBMDRZY2pDQzNu\nWkpkcVNYVjJZQS9QRHEyOUx6RVpQVjAKKGjVrfeovCIml2hExydC9Cd7PyungtpJ\nCdXfrvzP/OtoBSiEDQGC2VafwKkZ98dQqVRnfVApDoxdVQ8vIrxmKQ==\n-----END AGE ENCRYPTED FILE-----\n"
		8	},
		9	{
		10	"recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
		11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbUNBV1NYZEtKaDlzUVBF\nU2IrZ3dSWS9keVE1ak9qWkppc1hOY3JpMjEwCmNUbVJJMFNObmptVGQ0K1ovanVm\nc1dzN0VRVThyVWxPWTFLbldPQnE3Z2sKLS0tIEdWRENRRFROSm5SQ04yTG1wZWJ2\nNDMxK1ArYmdiQWJZV0d2TElZcFZLNVEKtmVrSIOcP4Ek1WW85f2/dNVYQMz9XqZ3\n0J04kqvkHZuM8PiBDg2l2rSh0xhHz3xb1iBhAddLXEjeEfy6o9HKyg==\n-----END AGE ENCRYPTED FILE-----\n"
		12	}
		13	],
		14	"lastmodified": "2025-12-08T12:46:12Z",
		15	"mac": "ENC[AES256_GCM,data:waY6IDfabZ8B8069liXh7RXjgUTpOdr4U9VQK5xYRujAlI//Ea5lM2ODHJ7PrAkZsK0TGB9ezN8SA5QpxYZwOcpxg45jNbTALxZsZMEzrtCy4wSiBdiLvRoTXvwMZsnsaQEGk2ij2rEqNEOYYBFapBoIz2w5kbEZrrhVRHSkNME=,iv:tpU++qliONinepku/gdPJQ/h2NdyNw3GY+RV+6UM07U=,tag:yieMw3BOC134zAIqb1Fvjg==,type:str]",
		16	"version": "3.11.0"
		17	}
		18	}


diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index 500194ae..5234576f 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.li.	1	$ORIGIN yggdrasil.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2025060700 ; serial	4	2025120800 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -109,6 +109,14 @@ _acme-challenge.kimai IN NS ns.yggdrasil.li.
109		109
110	kimai IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"	110	kimai IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
111		111
		112	changedetection IN A 202.61.241.61
		113	changedetection IN AAAA 2a03:4000:52:ada::
		114	changedetection IN MX 0 surtr.yggdrasil.li
		115	changedetection IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
		116	_acme-challenge.changedetection IN NS ns.yggdrasil.li.
		117
		118	changedetection IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
		119
112	vidhar IN AAAA 2a03:4000:52:ada:4:1::	120	vidhar IN AAAA 2a03:4000:52:ada:4:1::
113	vidhar IN MX 0 ymir.yggdrasil.li	121	vidhar IN MX 0 ymir.yggdrasil.li
114	vidhar IN TXT "v=spf1 redirect=yggdrasil.li"	122	vidhar IN TXT "v=spf1 redirect=yggdrasil.li"


diff --git a/hosts/surtr/tls/tsig_keys/changedetection.yggdrasil.li b/hosts/surtr/tls/tsig_keys/changedetection.yggdrasil.li new file mode 100644 index 00000000..ac332fe5 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/changedetection.yggdrasil.li
@@ -0,0 +1,18 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:OD12OI11EpjWIGtCGzSIeFXIht1tM7YrEbo3XqcxD0XFaZ3CrELJgru9gtN/,iv:SXPNed6CUWCUDomJbx1kOjvxTBoHrgb6tKw9Jb/Qa0M=,tag:RiueVMBSdAF96d6190bwfg==,type:str]",
		3	"sops": {
		4	"age": [
		5	{
		6	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
		7	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwR3FGdks2TUtkSUJLcG1v\nbXZmWFZNVmc3a0x5d2tPNmpJVDJPQmIyNkFNClAwNzI0aHE5SFdaQ0RoZnE0ZEx5\nL3IzQTRpd0g4cHJSUHlrbGtRK283SEkKLS0tIDdLVzE0SFgvS0l1eDd5SHVQQ1By\nNmZ1M0cxSnNxTE5OdHBLZ2FFRWhXdUkKTykJ2kRJPrcPwuw3ufNaCJ6pOuvtDUcl\noHizOV+Yco7nhKtINE93mD4xIiER0i5h7lpKOTUGgjzhjJP2DR7ifw==\n-----END AGE ENCRYPTED FILE-----\n"
		8	},
		9	{
		10	"recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
		11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNVRmMVIvVVZ4SkVMUC9o\nOVMxekNiZTRJWTExMHU5Q3lOaVFkbnhGT3lrCmM3ZjNSV056WjlTeEZzdHpKL1Fl\nbFF4R1phSitzWlY2dFJuRDFvK09LWm8KLS0tIEZINU5KallPdnZsZEh6WUxJYW1K\ncEV0ZkJVK2JiZ1ZtSTZRQUtiaGFBTEkKC6DQLWqY4WrRCSRrWAqlvjw6lp0Y+XGo\nrwxWMwyEocizMR6i//a5P8RBPnvzAEHbXMobI4mSDyfIdezWUX/QNA==\n-----END AGE ENCRYPTED FILE-----\n"
		12	}
		13	],
		14	"lastmodified": "2025-12-08T12:46:13Z",
		15	"mac": "ENC[AES256_GCM,data:FLdO6Bz74+aTd9ns8ysbcrNdwogJvnm/sRRTLntf5zAH16MyI+QbsBo2LORWr5O3t24+EfmZBhMsfj/AXvqkcMFjPwIhALQpPjjT2JfAsLFtSUqZRjBNKYkfoLlTUKb083RgDjEUIVGgsZzJLCyFtfZP0NXicTUsUz9mRZCYwYU=,iv:sSPuuoE3qgt+Qhh76rZtSCBnHYLK3AN7IljUDkr14AE=,tag:56rYSDonQwfKjNR5fBgQiA==,type:str]",
		16	"version": "3.11.0"
		17	}
		18	}


diff --git a/hosts/vidhar/changedetection-io/changedetection-io_env b/hosts/vidhar/changedetection-io/changedetection-io_env new file mode 100644 index 00000000..626c6f0e --- /dev/null +++ b/hosts/vidhar/changedetection-io/changedetection-io_env
@@ -0,0 +1,19 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:blHQ1oSNZfw7Xpkconzv7ft18WVSkINjoqnZAfKWsaTszMfYzZWNJ1uQ17UnfTmGJqvzaBBsToiOxzxUQBztamFY+CWXy3AqqqwgI5rOo14AiuvpCj7NvOA/7WVgq6RUoBaE9ao=,iv:RWvPBN5mIVzP2QQzNvU8ciTzRDBVhAk8Qu+6QuNO8/E=,tag:Q3jnhD+aZ7Qr8oUsdyRnLA==,type:str]",
		3	"sops": {
		4	"age": [
		5	{
		6	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
		7	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UUhJUmpoZTloWXRpVk1Y\nb3FYTEI4T0V6RGlyL3NoK3JXMEJKeUwraFEwCjBTZTBwUUVUbkt4Y1N6ajZiN2dF\nd2pHTFA0dHFYMjVFZnZhdnhrdW11Z2sKLS0tIFA2NllMUFk0ZENGblhMaXpiVmo4\nelZTRWdsVFIyRmRGTURTRmg4cWdsWVUKMY10ZEzhcZAC95W35e3To/DXkCptZeNG\nkmVVtP0VzE3AM2oA+W957MRX81PHKb27We6OmxGrIYITsz4Atjj+Vg==\n-----END AGE ENCRYPTED FILE-----\n"
		8	},
		9	{
		10	"recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
		11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcVFmN3JHdE5HamYzSUlX\nVXBTM1QxZG9RU2V4SlphWUw4QTJoMDJ3QzNVCkhVbUZELzZ3eDZ3aWIxMDFqTUh4\nWncwUUs3dFBUOTVjUmZYL21CNnhSZ1EKLS0tIDJXRUpmVHBxUmRLWnpZOHNQaWdK\ndEF2Z00xUmJBczM2TmZ3N2Y2RmxFaW8KYVV1Q6gxC4TR5VzytLY3zo7O0QsXAYEc\nW9kifMY8dy7zDt1X8BNAO94nLqTDPFJ68uhra3QG5e4z6WHyoF5iLg==\n-----END AGE ENCRYPTED FILE-----\n"
		12	}
		13	],
		14	"lastmodified": "2025-12-08T15:07:34Z",
		15	"mac": "ENC[AES256_GCM,data:jQeuCBHj3ZKxYhRrADE4qskvcKzTcVV6lhAT8o1mxbb8RSdCsrAKnEC8o74TmMP7D5rup3jx73YoOPC71yDJLm+TXiIIHQWlPpiNRCrkBUcioJQbmQmiioRbKkojzb5q4ike2UOMcBUlv1q/ztlOk+av0nW607JV5/gDxuGE0tA=,iv:fOtYfrb3ubb3PU99p2l8sseja45r1ZMzIJG9Uhqn/xc=,tag:F3KFy1oIbVUBMwzNALbz5g==,type:str]",
		16	"unencrypted_suffix": "_unencrypted",
		17	"version": "3.11.0"
		18	}
		19	}


diff --git a/hosts/vidhar/changedetection-io/default.nix b/hosts/vidhar/changedetection-io/default.nix new file mode 100644 index 00000000..c6812747 --- /dev/null +++ b/hosts/vidhar/changedetection-io/default.nix
@@ -0,0 +1,50 @@
		1	{ config, pkgs, ... }:
		2
		3	{
		4	config = {
		5	services.changedetection-io = {
		6	enable = true;
		7	behindProxy = true;
		8	# playwrightSupport = true;
		9	baseURL = "https://changedetection.yggdrasil.li";
		10	listenAddress = "2a03:4000:52:ada:4:1::";
		11	port = 5001;
		12	environmentFile = config.sops.secrets."changedetection-io_env".path;
		13	};
		14
		15	sops.secrets."changedetection-io_env" = {
		16	format = "binary";
		17	sopsFile = ./changedetection-io_env;
		18	};
		19
		20	systemd.services.changedetection-io = {
		21	path = with pkgs; [
		22	poppler-utils
		23	];
		24	serviceConfig = {
		25	Environment = [
		26	"PLAYWRIGHT_DRIVER_URL=ws://10.88.0.5:3000"
		27	"DISABLE_VERSION_CHECK=true"
		28	"MINIMUM_SECONDS_RECHECK_TIME=0"
		29	];
		30	};
		31	};
		32
		33	virtualisation.oci-containers.containers = {
		34	changedetection-io-playwright = {
		35	image = "dgtlmoon/sockpuppetbrowser";
		36	pull = "newer";
		37	environment = {
		38	SCREEN_WIDTH = "1920";
		39	SCREEN_HEIGHT = "1024";
		40	SCREEN_DEPTH = "16";
		41	MAX_CONCURRENT_CHROME_PROCESSES = "10";
		42	STATS_REFRESH_SECONDS = "600";
		43	};
		44	extraOptions = [
		45	"--ip=10.88.0.5"
		46	];
		47	};
		48	};
		49	};
		50	}


diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 1c60ed22..c54d57cd 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
4		4
5	{	5	{
6	imports = with flake.nixosModules.systemProfiles; [	6	imports = with flake.nixosModules.systemProfiles; [
7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai	7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai ./changedetection-io
8	tmpfs-root zfs	8	tmpfs-root zfs
9	initrd-all-crypto-modules default-locale openssh rebuild-machines	9	initrd-all-crypto-modules default-locale openssh rebuild-machines
10	build-server	10	build-server
@@ -387,6 +387,8 @@ with lib;
387		387
388	environment.systemPackages = with pkgs; [iotop vmtouch];	388	environment.systemPackages = with pkgs; [iotop vmtouch];
389		389
		390	virtualisation.oci-containers.backend = "podman";
		391
390	systemd.sysusers.enable = false;	392	systemd.sysusers.enable = false;
391	system.stateVersion = "21.05";	393	system.stateVersion = "21.05";
392	};	394	};


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index dd750394..44b6b7a9 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -61,6 +61,7 @@ table inet filter {
61	counter fw-lan {}	61	counter fw-lan {}
62	counter fw-ppp {}	62	counter fw-ppp {}
63	counter fw-kimai {}	63	counter fw-kimai {}
		64	counter fw-podman {}
64		65
65	counter fw-cups {}	66	counter fw-cups {}
66		67
@@ -97,6 +98,7 @@ table inet filter {
97	counter hledger-rx {}	98	counter hledger-rx {}
98	counter audiobookshelf-rx {}	99	counter audiobookshelf-rx {}
99	counter kimai-rx {}	100	counter kimai-rx {}
		101	counter changedetection-rx {}
100		102
101	counter established-rx {}	103	counter established-rx {}
102		104
@@ -130,6 +132,7 @@ table inet filter {
130	counter hledger-tx {}	132	counter hledger-tx {}
131	counter audiobookshelf-tx {}	133	counter audiobookshelf-tx {}
132	counter kimai-tx {}	134	counter kimai-tx {}
		135	counter changedetection-tx {}
133		136
134	counter tx {}	137	counter tx {}
135		138
@@ -154,9 +157,11 @@ table inet filter {
154	oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept	157	oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
155	iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept	158	iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
156	iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept	159	iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
		160	iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept
157		161
158	iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept	162	iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
159	iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept	163	iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
		164	iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept
160		165
161	iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept	166	iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
162	iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept	167	iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
@@ -187,7 +192,7 @@ table inet filter {
187	iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept	192	iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
188	iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept	193	iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
189		194
190	iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept	195	iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
191		196
192	iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept	197	iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
193		198
@@ -214,6 +219,7 @@ table inet filter {
214	iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept	219	iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
215	iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept	220	iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
216	iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept	221	iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
		222	iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
217		223
218	ct state { established, related } counter name established-rx accept	224	ct state { established, related } counter name established-rx accept
219		225
@@ -266,6 +272,7 @@ table inet filter {
266	iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept	272	iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
267	iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept	273	iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
268	iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept	274	iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
		275	iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
269		276
270		277
271	counter name tx	278	counter name tx


diff --git a/overlays/changedetection-io.nix b/overlays/changedetection-io.nix new file mode 100644 index 00000000..95e8985e --- /dev/null +++ b/overlays/changedetection-io.nix
@@ -0,0 +1,7 @@
		1	{ final, prev, ... }: {
		2	changedetection-io = prev.changedetection-io.overrideAttrs (oldAttrs: {
		3	propagatedBuildInputs = (oldAttrs.propagatedBuildInputs or []) ++ (with final.python3.pkgs; [
		4	playwright
		5	]);
		6	});
		7	}