ntopng and adguard now work

trying akvorado
2026-01-20 00:47:36 +01:00 · 2026-01-18 01:55:39 +01:00
3 changed files with 160 additions and 23 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -55,20 +55,34 @@
    }
  ];
  networking.defaultGateway = "192.168.69.1";
-  networking.nameservers = [ "1.1.1.1" ];
+  #networking.nameservers = [ "1.1.1.1" ];
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [
    22
+    53
    80
    443
    2222 # forgejo ssh
-    3000 # forgejo frontend
+    8184 # forgejo frontend
    8123 # homeassistant
    5580 # homeassistant matter
    2283 # immich
    3003 # immich ml
+    1984 # frigate go2rtc
+    8971 # frigate
+    8554 # frigate rtsp
+    8555 # frigate rtsp
+    2055 # ntopng sink
+    8182 # ntopng frontend
+    3000 # adguardhome frontend
+    8183 # adguardhome frontend
    9000
  ];
+  networking.firewall.allowedUDPPorts = [
+    53
+    8555 # frigate rtsp
+    2055 # ntopng sink
+  ];

  # Users
  users.users.root = {
@ -99,6 +113,7 @@
    inetutils
    smartmontools
    parted
+    borgbackup

    nil
  ];
@ -115,14 +130,15 @@
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;

-
  security.acme = {
    acceptTerms = true;
    defaults.email = "mail@kempinger.xyz";
    certs."kempinger.at".domain = "*.kempinger.at";
  };

-  services.resolved.enable = true;
+  #services.resolved.enable = true;
+
+  services.fail2ban.enable = true;

  services.nginx = {
    enable = true;
@ -181,7 +197,7 @@
        DOMAIN = "git.kempinger.at";
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
-        HTTP_PORT = 3000;
+        HTTP_PORT = 8184;
        DISABLE_SSH = false;
        SSH_PORT = 2222;
        START_SSH_SERVER = true;
@ -204,6 +220,40 @@
      #   USER = "noreply@${srv.DOMAIN}";
      # };
    };
+    dump = {
+      enable = true;
+      backupDir = "/backup/forgejo";
+      age = "6 months";
+      interval = "weekly";
+    };
+  };
+
+  # services.borgbackup.jobs."forgejo" = {
+  #   paths = config.services.forgejo.repositoryRoot;
+  #   repo = "/backup/forgejo";
+  #   startAt = "Sat 04:00";
+  #   compression = "zstd";
+  #   encryption.mode = "none";
+  #   prune.keep = {
+  #     last = 2;
+  #   };
+  # };
+
+  services.immich = {
+    enable = true;
+    accelerationDevices = null;
+    port = 2283;
+  };
+
+  services.borgbackup.jobs."immich" = {
+    paths = config.services.immich.mediaLocation;
+    repo = "/backup/immich";
+    startAt = "Sat 04:00";
+    compression = "zstd";
+    encryption.mode = "none";
+    prune.keep = {
+      last = 2;
+    };
  };

  # systemd.services.forgejo.preStart =
@ -230,6 +280,7 @@
      volumes = [
        "home-assistant:/config"
        "/run/dbus:/run/dbus:ro"
+        "/backup/home-assistant:/config/backups"
      ];
      environment.TZ = "Europe/Berlin";
      # Note: The image will not be updated on rebuilds, unless the version label changes
@ -256,14 +307,87 @@
        "--privileged"
      ];
    };
+
+    containers.frigate = {
+      #autoStart = true;
+      volumes = [
+        "frigate:/config"
+        "/run/dbus:/run/dbus:ro"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      environment.FRIGATE_RTSP_PASSWORD = "password123";
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "ghcr.io/blakeblackshear/frigate:stable";
+      extraOptions = [
+        "--shm-size=512m"
+        "--network=host"
+      ];
+    };
+    containers.mosquitto = {
+      #autoStart = true;
+      volumes = [
+        "mosquitto:/mosquitto"
+        "/run/dbus:/run/dbus:ro"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "eclipse-mosquitto";
+      extraOptions = [
+        "--network=host"
+      ];
+    };
+    containers.netflow2ng = {
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "synfinatic/netflow2ng:v0.1.0";
+      cmd = [
+        "-a"
+        "0.0.0.0:2055"
+        "-m"
+        "0.0.0.0:8181"
+        "-z"
+        "tcp://127.0.0.1:5556"
+        "--log-level"
+        "debug"
+        "--tlv"
+      ];
+      extraOptions = [
+        "--network=host"
+      ];
+    };
  };

-  services.immich = {
+  services.ntopng = {
    enable = true;
-    accelerationDevices = null;
-    port = 2283;
-    #host = "immich.kempinger.at";
-    #openFirewall = true;
+    httpPort = 8182;
+    interfaces = [ "tcp://0.0.0.0:5556" ];
+    extraConfig = ''
+      --dns-mode 1
+      --local-networks "185.27.122.0/24=WAN,192.168.69.0/24=LAN"'';
+  };
+
+  services.influxdb.enable = true;
+
+  services.geoipupdate = {
+    enable = true;
+    settings = {
+      AccountID = 1284637;
+      DatabaseDirectory = "/var/lib/GeoIP";
+      LicenseKey = {
+        _secret = "/root/maxmind_license_key";
+      };
+      EditionIDs = [
+        "GeoLite2-ASN"
+        "GeoLite2-City"
+        "GeoLite2-Country"
+      ];
+    };
+  };
+
+  services.adguardhome = {
+    enable = true;
+    # You can select any ip and port, just make sure to open firewalls where needed
+    host = "0.0.0.0";
+    port = 8183;
  };

  # Nix settings
--- a/flake.lock
+++ b/flake.lock
@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1763835633,
-        "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=",
+        "lastModified": 1768564909,
+        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
+        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
        "type": "github"
      },
      "original": {
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -1,13 +1,25 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:

 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules =
-    [ "nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "ahci"
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
@ -20,7 +32,10 @@
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/467A-A4E4";
    fsType = "vfat";
-    options = [ "fmask=0022" "dmask=0022" ];
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
  };

  swapDevices = [ ];
@ -30,8 +45,6 @@
    fsType = "zfs";
  };

-
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
Author	SHA1	Message	Date
Stefan Kempinger	f9c6cf6f55	ntopng and adguard now work	2026-01-20 00:47:36 +01:00
Stefan Kempinger	2db9235ad0	trying akvorado	2026-01-18 01:55:39 +01:00