ntopng and adguard now work

configuration.nix

@@ -32,7 +32,7 @@
     # "net.bridge.bridge-nf-call-iptables" = 1;
     # "net.bridge.bridge-nf-call-ip6tables" = 1;
   };
-  
+
   boot.supportedFilesystems = [ "zfs" ];
   boot.zfs.forceImportRoot = false;
 
@@ -55,20 +55,34 @@
     }
   ];
   networking.defaultGateway = "192.168.69.1";
-  networking.nameservers = [ "1.1.1.1" ];
+  #networking.nameservers = [ "1.1.1.1" ];
   networking.firewall.enable = true;
   networking.firewall.allowedTCPPorts = [
     22
+    53
     80
     443
     2222 # forgejo ssh
-    3000 # forgejo frontend
+    8184 # forgejo frontend
     8123 # homeassistant
     5580 # homeassistant matter
     2283 # immich
     3003 # immich ml
+    1984 # frigate go2rtc
+    8971 # frigate
+    8554 # frigate rtsp
+    8555 # frigate rtsp
+    2055 # ntopng sink
+    8182 # ntopng frontend
+    3000 # adguardhome frontend
+    8183 # adguardhome frontend
     9000
   ];
+  networking.firewall.allowedUDPPorts = [
+    53
+    8555 # frigate rtsp
+    2055 # ntopng sink
+  ];
 
   # Users
   users.users.root = {
@@ -99,6 +113,7 @@
     inetutils
     smartmontools
     parted
+    borgbackup
 
     nil
   ];
@@ -115,15 +130,16 @@
   hardware.bluetooth.enable = true;
   services.blueman.enable = true;
 
-
   security.acme = {
     acceptTerms = true;
     defaults.email = "mail@kempinger.xyz";
     certs."kempinger.at".domain = "*.kempinger.at";
   };
 
-  services.resolved.enable = true;
+  #services.resolved.enable = true;
-  
+
+  services.fail2ban.enable = true;
+
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;
@@ -181,7 +197,7 @@
         DOMAIN = "git.kempinger.at";
         # You need to specify this to remove the port from URLs in the web UI.
         ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
-        HTTP_PORT = 3000;
+        HTTP_PORT = 8184;
         DISABLE_SSH = false;
         SSH_PORT = 2222;
         START_SSH_SERVER = true;
@@ -204,6 +220,40 @@
       #   USER = "noreply@${srv.DOMAIN}";
       # };
     };
+    dump = {
+      enable = true;
+      backupDir = "/backup/forgejo";
+      age = "6 months";
+      interval = "weekly";
+    };
+  };
+
+  # services.borgbackup.jobs."forgejo" = {
+  #   paths = config.services.forgejo.repositoryRoot;
+  #   repo = "/backup/forgejo";
+  #   startAt = "Sat 04:00";
+  #   compression = "zstd";
+  #   encryption.mode = "none";
+  #   prune.keep = {
+  #     last = 2;
+  #   };
+  # };
+
+  services.immich = {
+    enable = true;
+    accelerationDevices = null;
+    port = 2283;
+  };
+
+  services.borgbackup.jobs."immich" = {
+    paths = config.services.immich.mediaLocation;
+    repo = "/backup/immich";
+    startAt = "Sat 04:00";
+    compression = "zstd";
+    encryption.mode = "none";
+    prune.keep = {
+      last = 2;
+    };
   };
 
   # systemd.services.forgejo.preStart =
@@ -230,6 +280,7 @@
       volumes = [
         "home-assistant:/config"
         "/run/dbus:/run/dbus:ro"
+        "/backup/home-assistant:/config/backups"
       ];
       environment.TZ = "Europe/Berlin";
       # Note: The image will not be updated on rebuilds, unless the version label changes
@@ -256,14 +307,87 @@
         "--privileged"
       ];
     };
+
+    containers.frigate = {
+      #autoStart = true;
+      volumes = [
+        "frigate:/config"
+        "/run/dbus:/run/dbus:ro"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      environment.FRIGATE_RTSP_PASSWORD = "password123";
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "ghcr.io/blakeblackshear/frigate:stable";
+      extraOptions = [
+        "--shm-size=512m"
+        "--network=host"
+      ];
+    };
+    containers.mosquitto = {
+      #autoStart = true;
+      volumes = [
+        "mosquitto:/mosquitto"
+        "/run/dbus:/run/dbus:ro"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "eclipse-mosquitto";
+      extraOptions = [
+        "--network=host"
+      ];
+    };
+    containers.netflow2ng = {
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "synfinatic/netflow2ng:v0.1.0";
+      cmd = [
+        "-a"
+        "0.0.0.0:2055"
+        "-m"
+        "0.0.0.0:8181"
+        "-z"
+        "tcp://127.0.0.1:5556"
+        "--log-level"
+        "debug"
+        "--tlv"
+      ];
+      extraOptions = [
+        "--network=host"
+      ];
+    };
   };
 
-  services.immich = {
+  services.ntopng = {
     enable = true;
-    accelerationDevices = null;
+    httpPort = 8182;
-    port = 2283;
+    interfaces = [ "tcp://0.0.0.0:5556" ];
-    #host = "immich.kempinger.at";
+    extraConfig = ''
-    #openFirewall = true;
+      --dns-mode 1
+      --local-networks "185.27.122.0/24=WAN,192.168.69.0/24=LAN"'';
+  };
+
+  services.influxdb.enable = true;
+
+  services.geoipupdate = {
+    enable = true;
+    settings = {
+      AccountID = 1284637;
+      DatabaseDirectory = "/var/lib/GeoIP";
+      LicenseKey = {
+        _secret = "/root/maxmind_license_key";
+      };
+      EditionIDs = [
+        "GeoLite2-ASN"
+        "GeoLite2-City"
+        "GeoLite2-Country"
+      ];
+    };
+  };
+
+  services.adguardhome = {
+    enable = true;
+    # You can select any ip and port, just make sure to open firewalls where needed
+    host = "0.0.0.0";
+    port = 8183;
   };
 
   # Nix settings

flake.lock

@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763835633,
+        "lastModified": 1768564909,
-        "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=",
+        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
+        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
         "type": "github"
       },
       "original": {

hardware-configuration.nix

@@ -1,13 +1,25 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules =
+  boot.initrd.availableKernelModules = [
-    [ "nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+    "nvme"
+    "ahci"
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
@@ -20,18 +32,19 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/467A-A4E4";
     fsType = "vfat";
-    options = [ "fmask=0022" "dmask=0022" ];
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
   };
 
   swapDevices = [ ];
-  
+
   fileSystems."/backup" = {
     device = "backup";
     fsType = "zfs";
   };
 
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode =
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }