boron: run ollama service

flake.lock

@@ -34,11 +34,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731153869,
-        "narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=",
+        "lastModified": 1729826725,
+        "narHash": "sha256-w3WNlYxqWYsuzm/jgFPyhncduoDNjot28aC8j39TW0U=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "5c74ab862c8070cbf6400128a1b56abb213656da",
+        "rev": "7840909b00fbd5a183008a6eb251ea307fe4a76e",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731060864,
-        "narHash": "sha256-aYE7oAYZ+gPU1mPNhM0JwLAQNgjf0/JK1BF1ln2KBgk=",
+        "lastModified": 1729942962,
+        "narHash": "sha256-xzt7tb4YUw6VZXSCGw4sukirJSfYsIcFyvmhK5KMiKw=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5e40e02978e3bd63c2a6a9fa6fa8ba0e310e747f",
+        "rev": "58cd832497f9c87cb4889744b86aba4284fd0474",
         "type": "github"
       },
       "original": {
@@ -113,11 +113,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1730837930,
-        "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
+        "lastModified": 1729894599,
+        "narHash": "sha256-nL9nzNE5/re/P+zOv7NX6bRm5e+DeS1HIufQUJ01w20=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
+        "rev": "93435d27d250fa986bfec6b2ff263161ff8288cb",
         "type": "github"
       },
       "original": {
@@ -128,11 +128,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1730403150,
-        "narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=",
+        "lastModified": 1729068498,
+        "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
+        "rev": "e337457502571b23e449bf42153d7faa10c0a562",
         "type": "github"
       },
       "original": {
@@ -144,11 +144,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1730919458,
-        "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
+        "lastModified": 1729742320,
+        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
+        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
         "type": "github"
       },
       "original": {
@@ -159,11 +159,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1730963269,
-        "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
+        "lastModified": 1729691686,
+        "narHash": "sha256-BAuPWW+9fa1moZTU+jFh+1cUtmsuF8asgzFwejM4wac=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
+        "rev": "32e940c7c420600ef0d1ef396dc63b04ee9cad37",
         "type": "github"
       },
       "original": {
@@ -175,11 +175,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1730867498,
-        "narHash": "sha256-Ce3a1w7Qf+UEPjVJcXxeSiWyPMngqf1M2EIsmqiluQw=",
-        "rev": "9240e11a83307a6e8cf2254340782cba4aa782fd",
+        "lastModified": 1730411648,
+        "narHash": "sha256-peNkSyOkRzR2nEi3s86xGV/6eMwO1yxRidSdItaQ+Nw=",
+        "rev": "6c3f1f46fd7ce56f6949ca6f6c124a62a8740222",
         "type": "tarball",
-        "url": "https://gitea.hillion.co.uk/api/v1/repos/JakeHillion/nixpkgs/archive/9240e11a83307a6e8cf2254340782cba4aa782fd.tar.gz"
+        "url": "https://gitea.hillion.co.uk/api/v1/repos/JakeHillion/nixpkgs/archive/6c3f1f46fd7ce56f6949ca6f6c124a62a8740222.tar.gz"
       },
       "original": {
         "type": "tarball",

hosts/boron.cx.ts.hillion.co.uk/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, nixpkgs-unstable, ... }:
 
 {
   imports = [
@@ -124,6 +124,15 @@
     };
     users.users.jake.extraGroups = [ "podman" ];
 
+    ## Ollama
+    services.ollama = {
+      enable = true;
+      package = nixpkgs-unstable.legacyPackages.x86_64-linux.ollama;
+
+      models = "/data/ollama/models";
+      writablePaths = [ "/data/ollama/models" ];
+    };
+
     ## Networking
     boot.kernel.sysctl = {
       "net.ipv4.ip_forward" = true;

hosts/phoenix.st.ts.hillion.co.uk/default.nix

@@ -90,7 +90,7 @@ in
         in
         builtins.map (mkFolder) folderNames;
     };
-    services.resilio.directoryRoot = "/${zpool_name}/sync";
+    services.resilio.directoryRoot = "/${zpool_name}/users/jake/sync";
 
     ## Chia
     age.secrets."chia/farmer.key" = {
@@ -132,13 +132,6 @@ in
       interfaces.enp5s0.name = "eth1";
       interfaces.enp6s0.name = "eth2";
       interfaces.enp8s0.name = "eth3";
-
-      vlans = {
-        cameras = {
-          id = 3;
-          interface = "eth0";
-        };
-      };
     };
     networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
 

modules/ids.nix

@@ -10,7 +10,6 @@
       node-exporter = 188;
       step-ca = 198;
       isponsorblocktv = 199;
-      frigate = 200;
 
       ## Consistent People
       jake = 1000;
@@ -24,7 +23,6 @@
       node-exporter = 188;
       step-ca = 198;
       isponsorblocktv = 199;
-      frigate = 200;
 
       ## Consistent Groups
       mediaaccess = 1200;

modules/impermanence.nix

@@ -39,26 +39,19 @@ in
 
     services = {
       openssh.hostKeys = [
-        { path = "${cfg.base}/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
-        { path = "${cfg.base}/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
+        { path = "/data/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+        { path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
       ];
       matrix-synapse.dataDir = "${cfg.base}/system/var/lib/matrix-synapse";
       gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
     };
 
     custom.chia = lib.mkIf config.custom.chia.enable {
-      path = lib.mkOverride 999 "${cfg.base}/chia";
-    };
-    custom.services.frigate = lib.mkIf config.custom.services.frigate.enable {
-      dataPath = lib.mkOverride 999 "${cfg.base}/frigate";
-    };
-
-    services.resilio = lib.mkIf config.services.resilio.enable {
-      directoryRoot = lib.mkOverride 999 "${cfg.base}/sync";
+      path = lib.mkOverride 999 "/data/chia";
     };
 
     services.plex = lib.mkIf config.services.plex.enable {
-      dataDir = lib.mkOverride 999 "${cfg.base}/plex";
+      dataDir = lib.mkOverride 999 "/data/plex";
     };
 
     services.home-assistant = lib.mkIf config.services.home-assistant.enable {
@@ -104,18 +97,18 @@ in
             name = x;
             value = {
               home = {
-                persistence."${cfg.base}/users/${x}" = {
+                persistence."/data/users/${x}" = {
                   allowOther = false;
 
                   files = cfg.userExtraFiles.${x} or [ ];
                   directories = cfg.userExtraDirs.${x} or [ ];
                 };
 
-                sessionVariables = lib.attrsets.optionalAttrs homeCfg.programs.zoxide.enable { _ZO_DATA_DIR = "${cfg.base}/users/${x}/.local/share/zoxide"; };
+                sessionVariables = lib.attrsets.optionalAttrs homeCfg.programs.zoxide.enable { _ZO_DATA_DIR = "/data/users/${x}/.local/share/zoxide"; };
               };
 
               programs = {
-                zsh.history.path = lib.mkOverride 999 "${cfg.base}/users/${x}/.zsh_history";
+                zsh.history.path = lib.mkOverride 999 "/data/users/${x}/.zsh_history";
               };
             };
           });
@@ -125,8 +118,8 @@ in
     systemd.tmpfiles.rules = lib.lists.flatten (builtins.map
       (user:
         let details = config.users.users.${user}; in [
-          "d ${cfg.base}/users/${user} 0700 ${user} ${details.group} - -"
-          "L ${details.home}/local - ${user} ${details.group} - ${cfg.base}/users/${user}"
+          "d /data/users/${user} 0700 ${user} ${details.group} - -"
+          "L ${details.home}/local - ${user} ${details.group} - /data/users/${user}"
         ])
       cfg.users);
   };

modules/locations.nix

@@ -21,7 +21,6 @@ in
         services = {
           authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
           downloads = "phoenix.st.ts.hillion.co.uk";
-          frigate = "phoenix.st.ts.hillion.co.uk";
           gitea = "boron.cx.ts.hillion.co.uk";
           homeassistant = "stinger.pop.ts.hillion.co.uk";
           mastodon = "";

modules/resilio.nix

@@ -1,12 +1,9 @@
-{ pkgs, lib, config, nixpkgs-unstable, ... }:
+{ pkgs, lib, config, ... }:
 
 let
   cfg = config.custom.resilio;
 in
 {
-  imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
-  disabledModules = [ "services/networking/resilio.nix" ];
-
   options.custom.resilio = {
     enable = lib.mkEnableOption "resilio";
 
@@ -83,13 +80,7 @@ in
         owner = "rslsync";
         group = "rslsync";
       };
-      age.secrets."resilio/restic/1.6T.key" = {
-        file = ../secrets/restic/1.6T.age;
-        owner = "rslsync";
-        group = "rslsync";
-      };
-
-      services.restic.backups."resilio-128G" = {
+      services.restic.backups."resilio" = {
         repository = "rest:https://restic.ts.hillion.co.uk/128G";
         user = "rslsync";
         passwordFile = config.age.secrets."resilio/restic/128G.key".path;
@@ -105,25 +96,11 @@ in
           "${config.services.resilio.directoryRoot}/.sync"
           "${config.services.resilio.directoryRoot}/*/.sync"
 
-          "${config.services.resilio.directoryRoot}/dad/media"
-          "${config.services.resilio.directoryRoot}/resources/media"
-        ];
-      };
-      services.restic.backups."resilio-1.6T" = {
-        repository = "rest:https://restic.ts.hillion.co.uk/1.6T";
-        user = "rslsync";
-        passwordFile = config.age.secrets."resilio/restic/1.6T.key".path;
-
-        timerConfig = {
-          OnBootSec = "30m";
-          OnUnitInactiveSec = "24h";
-          RandomizedDelaySec = "1h";
-        };
-
-        paths = [
-          "${config.services.resilio.directoryRoot}/resources/media/audiobooks"
-          "${config.services.resilio.directoryRoot}/resources/media/home"
+          "${config.services.resilio.directoryRoot}/resources/media/films"
           "${config.services.resilio.directoryRoot}/resources/media/iso"
+          "${config.services.resilio.directoryRoot}/resources/media/tv"
+
+          "${config.services.resilio.directoryRoot}/dad/media"
         ];
       };
     })

modules/services/authoritative_dns.nix

@@ -33,9 +33,8 @@ in
               86400 NS ns1.hillion.co.uk.
 
               ca                    21600 CNAME sodium.pop.ts.hillion.co.uk.
-              frigate               21600 CNAME ${config.custom.locations.locations.services.frigate}.
-              prometheus            21600 CNAME ${config.custom.locations.locations.services.prometheus}.
               restic                21600 CNAME ${config.custom.locations.locations.services.restic}.
+              prometheus            21600 CNAME ${config.custom.locations.locations.services.prometheus}.
 
               deluge.downloads      21600 CNAME ${config.custom.locations.locations.services.downloads}.
               prowlarr.downloads    21600 CNAME ${config.custom.locations.locations.services.downloads}.

modules/services/default.nix

@@ -4,7 +4,6 @@
   imports = [
     ./authoritative_dns.nix
     ./downloads.nix
-    ./frigate.nix
     ./gitea/default.nix
     ./homeassistant.nix
     ./isponsorblocktv.nix

modules/services/frigate.nix

@@ -1,126 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  cfg = config.custom.services.frigate;
-in
-{
-  options.custom.services.frigate = {
-    enable = lib.mkEnableOption "frigate";
-
-    dataPath = lib.mkOption {
-      type = lib.types.str;
-      default = "/var/lib/frigate";
-    };
-    recordingsPath = lib.mkOption {
-      type = lib.types.str;
-      default = "/practical-defiant-coffee/cctv";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    age.secrets."frigate/secrets.env".file = ../../secrets/frigate/secrets.env.age;
-
-    services.caddy = {
-      enable = true;
-
-      virtualHosts."frigate.ts.hillion.co.uk" = {
-        listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
-        extraConfig = ''
-          reverse_proxy unix///run/nginx-frigate/nginx.sock
-
-          tls {
-            ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
-          }
-        '';
-      };
-    };
-
-    users.users.frigate = {
-      group = "frigate";
-      home = cfg.dataPath;
-      createHome = true;
-      uid = config.ids.uids.frigate;
-    };
-    users.groups.frigate.gid = config.ids.gids.frigate;
-
-    users.users.nginx = {
-      group = "nginx";
-      uid = config.ids.uids.nginx;
-    };
-    users.groups.nginx.gid = config.ids.gids.nginx;
-
-    systemd.tmpfiles.rules = [
-      "d /run/nginx-frigate 0750 nginx caddy - -"
-    ];
-
-    containers."frigate" = {
-      autoStart = true;
-      ephemeral = true;
-      additionalCapabilities = [ "CAP_NET_ADMIN" ];
-
-      macvlans = [ "cameras" ];
-      bindMounts = {
-        "/run/agenix/frigate/secrets.env".hostPath = config.age.secrets."frigate/secrets.env".path;
-        "/run/nginx-frigate" = { hostPath = "/run/nginx-frigate"; isReadOnly = false; };
-
-        "/var/lib/frigate" = { hostPath = cfg.dataPath; isReadOnly = false; };
-        "/media/frigate/recordings" = { hostPath = cfg.recordingsPath; isReadOnly = false; };
-      };
-
-      config = (hostConfig: { config, pkgs, ... }: {
-        config = {
-          system.stateVersion = "24.05";
-
-          systemd.network = {
-            enable = true;
-            networks."10-cameras" = {
-              matchConfig.Name = "mv-cameras";
-              networkConfig.DHCP = "ipv4";
-              dhcpV4Config.ClientIdentifier = "mac";
-              linkConfig.MACAddress = "00:b7:43:f3:81:a0";
-            };
-          };
-          services.resolved.enable = false;
-
-          users.users.frigate.uid = hostConfig.ids.uids.frigate;
-          users.groups.frigate.gid = hostConfig.ids.gids.frigate;
-
-          services.nginx.virtualHosts."frigate.ts.hillion.co.uk".listen = lib.mkForce [
-            { addr = "unix:/run/nginx-frigate/nginx.sock"; }
-          ];
-
-          services.frigate = {
-            enable = true;
-            package = pkgs.frigate;
-            hostname = "frigate.ts.hillion.co.uk";
-
-            settings = {
-              record = {
-                enabled = true;
-                retain.mode = "motion";
-              };
-
-              cameras = {
-                living_room = {
-                  enabled = true;
-                  ffmpeg.inputs = [
-                    {
-                      path = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@10.133.145.2:554/h264Preview_01_sub";
-                      roles = [ "detect" ];
-                    }
-                    {
-                      path = "rtsp://admin:{FRIGATE_RTSP_PASSWORD}@10.133.145.2:554/h264Preview_01_main";
-                      roles = [ "record" ];
-                    }
-                  ];
-                };
-              };
-            };
-          };
-          systemd.services.frigate.serviceConfig.EnvironmentFile = "/run/agenix/frigate/secrets.env";
-        };
-      }) config;
-    };
-
-  };
-}

scripts/backups_hdd_sync.sh

@@ -7,7 +7,7 @@ HOST="restic.ts.hillion.co.uk"
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 cd "$DIR"
 
-rsync -ar --no-perms --delete-after --rsync-path='sudo -u restic rsync' --progress --exclude .cache $HOST:/practical-defiant-coffee/backups/restic/ restic
+rsync -ar --no-perms --delete-after --rsync-path='sudo -u restic rsync' --progress $HOST:/practical-defiant-coffee/backups/restic/ restic
 
 echo 'checking 128G'
 restic -r restic/128G check --read-data

secrets/frigate/secrets.env.age

@@ -1,31 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa JSzstA
-UxtA9OeecK4nVLsDq1BVy1NnWzf4ITfGqQdd31u1iTDhKhPmg8bvu4TuiVn+hD7/
-B2Ar0GOHXH/JB882Q8o2D2DlkVYfwkGmtSxnw/p/um05+l59JGi6zAkw3uSAGrMF
-rdte3EdlRrxCImxJVp6AvXEH3kXjT1BtDVBwARpLBGAONc++rwDIFeP56ras4hIa
-H2JReFBethNMMZCOa0jH1nUDoRVohdt2wD2KO4LuOxTK0qkRxky4Pwt/+MP26X4j
-Uo2FRLrgBb4DlqeNz9EQEnJeRS1Pz6GbzfqZi7f1LUoa5ifKuBobPe2sDBDvE0RR
-jFAHZp1Nir/FXEkfjPw2uOfdCUZRLQ2OQ5JLlb0BKo5hV202eGCTY3Fhf34JYkE2
-n++1I5oX2dX1qY9KDpj+LMASKWHtC7ayei9Mcr4Ee7m/dGq9y7Ipjw5aliFJd74n
-23idt0MgZbM6GPcqig/Mbz1EQTGwu99HN5wAp8jxusjAkMfmmqosLtkUii4hvKCa
-7YnbOJT/6AofZucuylfrJpD3uzkEyaKVlNeZUU82ROSKZK6VdILLB8WfWAMPAsH9
-bLXHtcUo3nF/eQ4P8DZhJM/8tUdg0at4LW4Rb/wQX72xMB2l0F6sqS741f5jjqN3
-gL0tSpYQXtB3ni1mBbj2jKq8+UUP6NpDwOU5p5pfK+I
--> ssh-rsa GxPFJQ
-cNBRc51b5Pw2KQq+EHQ4tCGSQQu+JMZHpJjoSAPx5sLd1DgGhE1x1F9h9CuSRFZh
-J6fh5xtr9l0rzae/IgSQgfaaq4KVgIC/TIiyLX1VN1MSgbrisMAFA1fu0N/mTJGJ
-XEiZI3RebiBxnfS3yJpBAdsFvZDw6o0xD2d1rSzN2dKFKNr9XGPNX1wUqERnWVQF
-B5fRpNiWygGPdBaXYDc5OC49vlCAkldaU2EvA1wEuesdTDDn9nisqAlgBBYXEDWq
-EBGgiITNyz+wI7ncSVW6JWr5TFfDNEtqGo1JS8nYnpVNHTgU4PbTpqq5fvlAy+hI
-gyIR51YZaJZNQhrQ/N4KYw
--> ssh-rsa K9mW1w
-c9vvvWH+MrbfNifQYOsfhiw1Ie6npjBVCMrx8YZJwtVmRy3RYjXYn6zcFH+xzSGr
-tC0WPwyQ1dqgUNTUdvxaGrSayo5WF2CNosjc66eMrqyG72pcpJwAqlNbWbDNHbm9
-nE3c6XBv0WnEq7G+nkRx0luD96twkor4LVzDa37MUtljNqJo1Puv2AcEylEqXCUX
-bKN78TlUOhCpec93ZIxQoE71+26qqpGNnwyTQkHII/RzMKZGQjtmdRtQiUPzVmxT
-/3WjnQm4vbeKjOeBjjIdV1Wc7dykBRE7rq/Oe8AGl/7FAnbe6c2Bav50OOL5/Tbo
-Fe5TZbOwFDc1ob3IezRI5Q
--> ssh-ed25519 RR/L5A Mvv5Y3bd2IqR1cffLQbJ3WuJCoGMpJaqf/TvV0kcYQs
-jRBAHCUuW6hBsuv0VjR+uSKmmqK5rsU4vUIuNHQyAiE
---- /Xx07JneqPgZUC0LrtSMMHAt9eSoB0KUHxQ+j8mkr6c
-).<2E><><EFBFBD>*<2A><><EFBFBD>?$M<15><>e1<65><31>"v84<38><34><EFBFBD><EFBFBD><EFBFBD><<3C>ގJ+<2B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ۃ<EFBFBD>Q<EFBFBD>"ӵz<D3B5>"<22><>ǠB,<2C><><EFBFBD><EFBFBD>
<01><>^k<><6B>I<EFBFBD>,<2C>B

secrets/secrets.nix

@@ -143,7 +143,4 @@ in
   "certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
   "certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
   "certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
-
-  # Frigate secrets
-  "frigate/secrets.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
 }