feat(nixcloud): add homebox

Author: DaRacci

hosts/server/nixcloud/default.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     "${modulesPath}/virtualisation/proxmox-lxc.nix"
+    ./homebox.nix
     ./immich.nix
     ./nextcloud.nix
   ];

hosts/server/nixcloud/homebox.nix

@@ -0,0 +1,48 @@
+{ config, lib, ... }:
+{
+  sops.secrets.HOMEBOX_ENV = {
+    owner = config.users.users.homebox.name;
+    inherit (config.users.users.homebox) group;
+  };
+
+  services = rec {
+    homebox = {
+      enable = true;
+      settings = {
+        HBOX_MODE = "production";
+
+        HBOX_WEB_HOST = "0.0.0.0";
+        HBOX_WEB_PORT = "7745";
+
+        HBOX_DATABASE_TYPE = "postgres";
+        HBOX_DATABASE_HOST = "nixio";
+        HBOX_DATABASE_PORT = "5432";
+        HBOX_DATABASE_USERNAME = "homebox";
+        HBOX_DATABASE_DATABASE = "homebox";
+      };
+    };
+
+    caddy.virtualHosts."photos".extraConfig = ''
+      reverse_proxy http://${homebox.settings.HBOX_WEB_HOST}:${toString homebox.settings.HBOX_WEB_PORT}
+    '';
+
+    postgresql = {
+      ensureDatabases = [ homebox.settings.HBOX_DATABASE_DATABASE ];
+      ensureUsers = [
+        {
+          name = homebox.settings.HBOX_DATABASE_USERNAME;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+  };
+
+  systemd.services = {
+    postgresql.postStart =
+      lib.mine.mkPostgresRolePass config.services.homebox.settings.HBOX_DATABASE_DATABASE
+        config.sops.secrets."POSTGRES/HOMEBOX_PASSWORD".path;
+
+    homebox.serviceConfig.EnvironmentFile = config.sops.secrets.HOMEBOX_ENV.path;
+  };
+}

hosts/server/nixcloud/secrets.yaml

@@ -2,11 +2,13 @@ SSH_PRIVATE_KEY: ENC[AES256_GCM,data:RHiQV12pn/5iSU+bUBALRqq51T6ubUABFMSPT/9v44I
 POSTGRES:
     NEXTCLOUD_PASSWORD: ENC[AES256_GCM,data:TYoCOI+T7WeNFSM6DXOlTL3IITWWqc3RzmUR7eJHrMPAwcVTRciyhyruDLI4HKpd,iv:6dvDcIPindlWhVYcl3u2Ld5Oj3+3UcZ+ALfzs4m5RB4=,tag:mibNvM4T7Sy6UZB/AsI7QQ==,type:str]
     IMMICH_PASSWORD: ENC[AES256_GCM,data:kW0vU1JtnJmd0ATWcUVuCMY4Ct/rhkk4WNldE6ZcrGYP7hXDWwumyeSbwPHHs+1s,iv:MooOWP25bgq7gQvJy+Kz6BxBQfeUsAqHbM80/FECKDw=,tag:7i5xxTyB52Z/n5FsW4oPGA==,type:str]
+    HBOX_PASSWORD: ENC[AES256_GCM,data:Mk7flhaxsrqb1MguutKn0Sli+qbbi7sBL/8IE4NG0CNleFPCqhxPdkxT3uXn+asb,iv:myqMWL30s4Bo8uluajf9duDFwtuIdDkDnWOKHxZ2POI=,tag:8R3V7InjCspP5GSfub6k0w==,type:str]
 NEXTCLOUD:
     admin-password: ENC[AES256_GCM,data:klTk4gwC0EIYm6Dajej0uwlPkBXTWeCQS6M0bG5GwVCaZnzK9DlIKl7dyYZ5U2kq,iv:vYVSvLVAUdSpVM9/GaIamIvRcuFDl1h1CZBeRxOiXr8=,tag:GKHmGNr4KbKvHvLUfSp/8w==,type:str]
     S3FS_AUTH: ENC[AES256_GCM,data:anEW/fwkwJY+l5XTdPBNn0CGSneRvh9jTB5QpOxLt8CJXwN4NnWXUUT7wEHgiNhsN6lt1+IwsQXvxZv8Ow==,iv:0/4NpkzUhc1a1QQ2LYu2Ei+pmufFVjaVcN8EpLeihm0=,tag:xDSvhyCjSLyZ7aeXihsDZQ==,type:str]
 IMMICH:
     ENV: ENC[AES256_GCM,data:m0VcEipCHGSdRX3vQJh2GLLEjaR3TyptLcJdr1SUkbp1WdZNwcz7Mbo/Zi0H0GKigquOOOPvsVWmc4Ym,iv:AP+XLrhTm0pAXzlMG3B4QFB4eGNdr4zUnyjG9We3l3A=,tag:29ny86uGv8GS9U2JvSMXHw==,type:str]
+HOMEBOX_ENV: ENC[AES256_GCM,data:vjaTv966APkC8M1C9ULNPKN6lg6LUSVX0OPCSTesPj2k9FXr5du/YVBMRtu1AfUsyTsUAFwXlca3IeeU27+jRxwkrTruEei/,iv:S7mmHTX0z9iLR1z+clP8KVSXafYMdOK8ilAUQglrTPQ=,tag:cx5HLONh9epK2M0idwW9Qg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -40,8 +42,8 @@ sops:
             QUFwenpVL1FPNThLa1ROTWVobksvZjQKbTjQj/SZCdngr+f6OtAEIyJA4oCYcQzC
             phJhd7EZdH4kbzpdKXe7RRO+QUhjZfdHHHLOcV4SL20/aVQvU93Dcg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-18T09:21:39Z"
-    mac: ENC[AES256_GCM,data:P5o98F9JeKSxXq0mbcVsYu9GHeGiVUlTcPclc4EB/wNZHj3lB0sZ2ZLQ5dY2ocEIAQo7c2kjNPFJWwaCIZlNCulgmU1bJ82W1/RXAzCgMmUFbME3c5jCYw3XGVjNvXgfa2DV9dM/DJLheeNLMXuZSH+2sM2tLEOQLgCZ/7lc77A=,iv:492kbDyg+I0+7QFRvf9w8+bf3x5CJt+iB8cFAcu79ms=,tag:KO+zeYJyuuF92cdJCIMDGQ==,type:str]
+    lastmodified: "2025-03-19T04:10:12Z"
+    mac: ENC[AES256_GCM,data:GKVo7u39qP4B7jagEacAul8k1fisxjPo1RurhbKoSnNMLQhRI3r+jrZ4ugHQxB0qjJsTirTmvpcsLTTCSBdZnYCEo66ZdiX1YTDC9aAJz1uUVoSt+Io/uNJxhziQApwFk5MnUYeNXK1RK8VKBorzha4mIKZMVawWSQ0DCc9tWC8=,iv:J9lta1efZDQ0su36NEu3zBcSLgRG9yJ1/9SG765H/u0=,tag:ryEhR+kPATEPEbcfO6bc3A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4

hosts/server/nixio/secrets.yaml

@@ -10,6 +10,7 @@ POSTGRES:
     ATTIC_PASSWORD: ENC[AES256_GCM,data:Clmy7H4L6GUWCYoh1CCOp7aVS/K5x0oWPG7yE+oBNYx37rO3Bj1ye2gU5RSjxztQ,iv:OPOWRbDR3zYqz5GKn9864QnGVaxJQpssT9UgjswI/uM=,tag:Zxf7mwsOvClN4I94VeFedQ==,type:str]
     NEXTCLOUD_PASSWORD: ENC[AES256_GCM,data:9QLlTdMi/WF8S9gux8ebLN01PnpFj2VPnDez54k8q16pvd3qBua+b+rMgnTxJW/v,iv:jsj29kffypfmw5oN6X+HbbJ+UVnCv7QdtEteVv487hY=,tag:Rpj4Rjs4jVncytD6F0zXbg==,type:str]
     IMMICH_PASSWORD: ENC[AES256_GCM,data:+16fgOHDp1kc7Ly2BK7VZLNRAoAeWXQyKGnKuix/YGcbSeCHeVlkQlpxGu40L6zN,iv:LaZA7xkVCy/5xUOPXTTwi1yjHC/28c7488x4PpRg8hc=,tag:u7tHoAUa0lg2w2knvKJ/Sw==,type:str]
+    HOMEBOX_PASSWORD: ENC[AES256_GCM,data:sReDtwSRc/aMTKLodGRIsxQ6BF99EBkk+/pxj9UO8lWvQcWRyNcg2uIerBNPukTI,iv:7OcSpsfvgfQd9/b2AAB+ovXAKg5dCC4One1p5OZmvoY=,tag:ukDY5/1jRjMRQy8gng2z1g==,type:str]
 COUCHDB_SETTINGS: ENC[AES256_GCM,data:6OKCakWsWV6osV08PvLqF+1dclBp+P8O9XsdPR8soervaXjsXn6kKp0mE72dTruJFJdfEaDP3+riXWcuJCdytR+D,iv:mIUJlPjYBfkwJxKVWDGfIzhcaFhiftrKc2VQfiTKFEg=,tag:rgSv6TRxYqEISWL96Jml4Q==,type:str]
 sops:
     kms: []
@@ -44,8 +45,8 @@ sops:
             WnplVitXTXBIcFFuYXNuL3lneFM2QXcKgpEM40wVTHFpi5DKyZt15gioxZPPmTvk
             uYQCCD9UsXJt2/X0/ph+5Tdd9qACOvtCm2yfwpwW3w/TTxoT+Z2ehQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-18T06:08:01Z"
-    mac: ENC[AES256_GCM,data:76kp6hUM3oEXrXWMlM8y8nwhBvwZ6O0l579qhwWK7+oc+CyRr2xqM4i1fPWRJd+BGK2c8NNgU/1k8L8j6Q6TgUl1K0hfCH7bx0I2JzNz9NJWHOcqv/XsTihgLC2AtKkRm6OqXyn+tcClVEYcli2bWWh8Dpd8JywxtqXgl+dCYQY=,iv:XuhM+yTZ+nwEtMpNHl3h+K6WXYlvaTkS+uFpEn8B9Zw=,tag:BPOVuIXX1Yb4MdMI5YdW5w==,type:str]
+    lastmodified: "2025-03-19T04:06:43Z"
+    mac: ENC[AES256_GCM,data:msX/KP8vX67nUIIxCXS9v0VbgD+54Y1w2ODY7wAKTBMV2lhWYgE92Y/s+q+S07iJlDh7X7Z9WE2Wi28SGpHqwb6HlH8yigfM37SzYdXWJncTKLC4LPz9+vAmKpJg0nuN+TTIh+nUFsXJwnbd0xLu1PbciiTRv1zkduxgtqxq6tQ=,iv:sTSJIBZ+4ya89kevh1z8toCwHL8h5grpFiNtJNgFrAw=,tag:VKOmVF4/4/q/lJbIzzlssg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4