From 5d879efa0c9ed73d7f6f19acebb87843c86a46e2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 9 Dec 2025 10:27:01 +0100
Subject: changedetection.io

---
.../changedetection-io/changedetection-io_env | 19 ++++++++
hosts/vidhar/changedetection-io/default.nix | 50 ++++++++++++++++++++++
hosts/vidhar/default.nix | 4 +-
hosts/vidhar/network/ruleset.nft | 9 +++-
4 files changed, 80 insertions(+), 2 deletions(-)
create mode 100644 hosts/vidhar/changedetection-io/changedetection-io_env
create mode 100644 hosts/vidhar/changedetection-io/default.nix
(limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/changedetection-io/changedetection-io_env b/hosts/vidhar/changedetection-io/changedetection-io_env
new file mode 100644
index 00000000..626c6f0e
--- /dev/null
+++ b/hosts/vidhar/changedetection-io/changedetection-io_env
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:blHQ1oSNZfw7Xpkconzv7ft18WVSkINjoqnZAfKWsaTszMfYzZWNJ1uQ17UnfTmGJqvzaBBsToiOxzxUQBztamFY+CWXy3AqqqwgI5rOo14AiuvpCj7NvOA/7WVgq6RUoBaE9ao=,iv:RWvPBN5mIVzP2QQzNvU8ciTzRDBVhAk8Qu+6QuNO8/E=,tag:Q3jnhD+aZ7Qr8oUsdyRnLA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UUhJUmpoZTloWXRpVk1Y\nb3FYTEI4T0V6RGlyL3NoK3JXMEJKeUwraFEwCjBTZTBwUUVUbkt4Y1N6ajZiN2dF\nd2pHTFA0dHFYMjVFZnZhdnhrdW11Z2sKLS0tIFA2NllMUFk0ZENGblhMaXpiVmo4\nelZTRWdsVFIyRmRGTURTRmg4cWdsWVUKMY10ZEzhcZAC95W35e3To/DXkCptZeNG\nkmVVtP0VzE3AM2oA+W957MRX81PHKb27We6OmxGrIYITsz4Atjj+Vg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcVFmN3JHdE5HamYzSUlX\nVXBTM1QxZG9RU2V4SlphWUw4QTJoMDJ3QzNVCkhVbUZELzZ3eDZ3aWIxMDFqTUh4\nWncwUUs3dFBUOTVjUmZYL21CNnhSZ1EKLS0tIDJXRUpmVHBxUmRLWnpZOHNQaWdK\ndEF2Z00xUmJBczM2TmZ3N2Y2RmxFaW8KYVV1Q6gxC4TR5VzytLY3zo7O0QsXAYEc\nW9kifMY8dy7zDt1X8BNAO94nLqTDPFJ68uhra3QG5e4z6WHyoF5iLg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-08T15:07:34Z", + "mac": "ENC[AES256_GCM,data:jQeuCBHj3ZKxYhRrADE4qskvcKzTcVV6lhAT8o1mxbb8RSdCsrAKnEC8o74TmMP7D5rup3jx73YoOPC71yDJLm+TXiIIHQWlPpiNRCrkBUcioJQbmQmiioRbKkojzb5q4ike2UOMcBUlv1q/ztlOk+av0nW607JV5/gDxuGE0tA=,iv:fOtYfrb3ubb3PU99p2l8sseja45r1ZMzIJG9Uhqn/xc=,tag:F3KFy1oIbVUBMwzNALbz5g==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosts/vidhar/changedetection-io/default.nix b/hosts/vidhar/changedetection-io/default.nix new file mode 100644 index 00000000..c6812747 --- /dev/null +++ b/hosts/vidhar/changedetection-io/default.nix 
@@ -0,0 +1,50 @@ +{ config, pkgs, ... }: + +{ + config = { + services.changedetection-io = { + enable = true; + behindProxy = true; + # playwrightSupport = true; + baseURL = "https://changedetection.yggdrasil.li"; + listenAddress = "2a03:4000:52:ada:4:1::"; + port = 5001; + environmentFile = config.sops.secrets."changedetection-io_env".path; + }; + + sops.secrets."changedetection-io_env" = { + format = "binary"; + sopsFile = ./changedetection-io_env; + }; + + systemd.services.changedetection-io = { + path = with pkgs; [ + poppler-utils + ]; + serviceConfig = { + Environment = [ + "PLAYWRIGHT_DRIVER_URL=ws://10.88.0.5:3000" + "DISABLE_VERSION_CHECK=true" + "MINIMUM_SECONDS_RECHECK_TIME=0" + ]; + }; + }; + + virtualisation.oci-containers.containers = { + changedetection-io-playwright = { + image = "dgtlmoon/sockpuppetbrowser"; + pull = "newer"; + environment = { + SCREEN_WIDTH = "1920"; + SCREEN_HEIGHT = "1024"; + SCREEN_DEPTH = "16"; + MAX_CONCURRENT_CHROME_PROCESSES = "10"; + STATS_REFRESH_SECONDS = "600"; + }; + extraOptions = [ + "--ip=10.88.0.5" + ]; + }; + }; + }; +} diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 1c60ed22..c54d57cd 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -4,7 +4,7 @@ with lib; { imports = with flake.nixosModules.systemProfiles; [ - ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai + ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai ./changedetection-io tmpfs-root zfs initrd-all-crypto-modules default-locale openssh rebuild-machines build-server @@ -387,6 +387,8 @@ with lib; environment.systemPackages = with pkgs; [iotop vmtouch]; + virtualisation.oci-containers.backend = "podman"; + systemd.sysusers.enable = false; system.stateVersion = "21.05"; }; 
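Review bot: The headless-browser container is declared as `image = "dgtlmoon/sockpuppetbrowser";` with no tag or digest and `pull = "newer"`, so every service start fetches whatever the floating default tag currently points at, and the one component here that renders arbitrary untrusted pages is the one that can silently change underneath you. Pin it to a tag and digest, e.g. `image = "dgtlmoon/sockpuppetbrowser:<tag>@sha256:<digest>";`, and drop `pull = "newer"` once pinned. Separately, `PLAYWRIGHT_DRIVER_URL=ws://10.88.0.5:3000` carries no credential, so anything on the host that can reach the podman bridge can drive that browser; if the nft ruleset is what is meant to scope access to it, say so in a comment next to that line rather than leaving the assumption implicit. `MINIMUM_SECONDS_RECHECK_TIME=0` also removes the lower bound on recheck intervals, so one mis-set watch can hammer both the target site and the browser container continuously; confirm 0 is intended rather than a small positive value.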
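Review bot: `virtualisation.oci-containers.backend = "podman";` is the line that brings podman's default network into existence, yet the hard-coded `10.88.0.5`, `podman0` and `10.88.0.0/16` assumptions that the changedetection module and the nft ruleset depend on are nowhere recorded near it. A one-line comment here would make that coupling visible, e.g. `# podman's default network (podman0, 10.88.0.0/16); ruleset.nft and changedetection-io key on it`. If netavark installs its own NAT/forward rules for the bridge, the hand-written inet filter chains are still evaluated on the same hooks and so still apply, but that is not shown in this diff and is worth confirming on the host.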
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index dd750394..44b6b7a9 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft @@ -61,6 +61,7 @@ table inet filter { counter fw-lan {} counter fw-ppp {} counter fw-kimai {} + counter fw-podman {} counter fw-cups {} @@ -97,6 +98,7 @@ table inet filter { counter hledger-rx {} counter audiobookshelf-rx {} counter kimai-rx {} + counter changedetection-rx {} counter established-rx {} @@ -130,6 +132,7 @@ table inet filter { counter hledger-tx {} counter audiobookshelf-tx {} counter kimai-tx {} + counter changedetection-tx {} counter tx {} @@ -154,9 +157,11 @@ table inet filter { oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept + iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept + iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept 
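Review bot: The egress rule `iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept` scopes internet access to a single address on the shared default podman bridge, but that address is only what `--ip=10.88.0.5` requests; any other container later attached to podman0 could claim it, and the counter name `fw-podman` reads as "all of podman" rather than this one browser. Name the counters for the workload as the kimai rules do, e.g. `fw-changedetection-browser`, and if more containers are expected, give the browser its own podman network so the rule can match on that interface instead of one IP. The forward chain's default policy is outside this hunk, so this review assumes unmatched podman0 traffic toward lan, mgmt or bifrost is dropped, which is the right posture for a browser that navigates to user-supplied URLs.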
@@ -187,7 +192,7 @@ table inet filter { iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept - iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept + iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept @@ -214,6 +219,7 @@ table inet filter { iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept + iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept ct state { established, related } counter name established-rx accept @@ -266,6 +272,7 @@ table inet filter { iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept + iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept counter name tx -- cgit v1.2.3
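Review bot: Adding `podman0` to the dns-rx interface set opens the host resolver to every container on the bridge, whereas the forward rules elsewhere in this change are pinned to `10.88.0.5`; keep the same scoping with a dedicated line, `iifname podman0 ip saddr 10.88.0.5 meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept`, and leave the existing set as it was. This also means the browser resolves internal names through the host's resolver, which is only harmless as long as the forward chain keeps it from then connecting to lan/mgmt addresses, so the two rules should be read together.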
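Review bot: The rule `iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept` is load-bearing in a way the ruleset does not say: the service is configured with `behindProxy = true` and listens on a global IPv6 address, so it will trust X-Forwarded-* headers from whoever reaches port 5001, and this saddr restriction is what limits that to the proxy on surtr. Record that dependency next to the rule, e.g. `# changedetection.io trusts proxy headers (behindProxy); only the surtr proxy may reach 5001`, so a later loosening of the saddr match is recognised as a security change rather than a connectivity tweak.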