manatee: Add romm module

hosts/manatee/modules/certs/default.nix

@@ -33,6 +33,19 @@
           "--http-timeout=60"
         ];
       };
+
+      "romm.ppp.pm" = {
+        dnsProvider = "hetzner";
+        environmentFile = config.age.secrets.hetzner-dns.path;
+        group = "nginx";
+
+        extraLegoFlags = [
+          "--dns.resolvers=1.1.1.1:53,8.8.8.8:53"
+          "--dns.propagation-wait=60s"
+          "--dns-timeout=60"
+          "--http-timeout=60"
+        ];
+      };
     };
   };
 

hosts/manatee/modules/default.nix

@@ -18,9 +18,10 @@ in
       transmission.enable = true;
       audiobookshelf.enable = true;
       jellyfin.enable = true;
-      immich.enable = true;
+      immich.enable = false;
       navidrome.enable = true;
       komga.enable = true;
+      romm.enable = true;
       homepage.enable = true;
     };
   };

hosts/manatee/modules/home-assistant/default.nix

@@ -195,7 +195,7 @@ in
           ];
 
           script = ''
-            SUBDOMAINS="ha komga"
+            SUBDOMAINS="ha komga romm"
             INTERFACE="enp3s0"
 
             CURRENT_IP=$(curl -s --fail --interface "$INTERFACE" ifconfig.me)

hosts/manatee/modules/komga/default.nix

@@ -143,13 +143,13 @@ in
 
       "komga-reading-stats-claude-api-key" = {
         file = ../../../../secrets/manatee/komga-reading-stats-claude-api-key.age;
-        owner = "komga-reading-stats";
+        mode = "0440";                      
         group = "komga-reading-stats";
       };
 
       "komga-reading-stats-komga-api-key" = {
         file = ../../../../secrets/manatee/komga-reading-stats-komga-api-key.age;
-        owner = "komga-reading-stats";
+        mode = "0440";                      
         group = "komga-reading-stats";
       };
     };

hosts/manatee/modules/romm/default.nix

@@ -0,0 +1,213 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.romm.enable;
+  nginxEnabled = config.mod.nginx.enable;
+
+  configFile = pkgs.writeText "romm-config.yml" ''
+    filesystem:
+      skip_hash_calculation: false
+    exclude:
+      roms:
+        single_file:
+          extensions:
+            - xml
+            - txt
+            - nfo
+            - dat
+            - jpg
+            - png
+          names:
+            - '._*'
+            - 'Thumbs.db'
+            - '.DS_Store'
+  '';
+in
+{
+  options = {
+    mod.romm = {
+      enable = lib.mkEnableOption "Enable romm module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    mod.homepage.services = [
+      {
+        name = "RomM";
+        port = 8085;
+        description = "ROM library manager";
+      }
+    ];
+
+    systemd.tmpfiles.rules = [
+      "d /var/lib/romm 0755 root root -"
+      "d /var/lib/romm/db 0755 root root -"
+      "d /var/lib/romm/redis 0755 999 1000 -"
+      "d /var/lib/romm/resources 0755 root root -"
+      "d /var/lib/romm/assets 0755 root root -"
+    ];
+
+    systemd.services.romm-net = {
+      description = "Create Podman network for RomM";
+      after = [ "podman.service" ];
+      requires = [ "podman.service" ];
+      before = [
+        "podman-romm.service"
+        "podman-romm-db.service"
+        "podman-romm-redis.service"
+      ];
+      requiredBy = [
+        "podman-romm.service"
+        "podman-romm-db.service"
+        "podman-romm-redis.service"
+      ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "/run/current-system/sw/bin/podman network create romm-net";
+        ExecStop = "/run/current-system/sw/bin/podman network rm -f romm-net";
+      };
+    };
+
+    virtualisation.oci-containers = {
+      backend = "podman";
+
+      containers.romm-db = {
+        image = "mariadb:latest";
+
+        environment = {
+          MARIADB_DATABASE = "romm";
+          MARIADB_USER = "romm";
+        };
+
+        environmentFiles = [
+          config.age.secrets.romm-db-password.path
+        ];
+
+        volumes = [
+          "/var/lib/romm/db:/var/lib/mysql"
+        ];
+
+        extraOptions = [
+          "--network=romm-net"
+        ];
+      };
+
+      containers.romm-redis = {
+        image = "redis:alpine";
+
+        volumes = [
+          "/var/lib/romm/redis:/data"
+        ];
+
+        extraOptions = [
+          "--network=romm-net"
+          "--user=root"
+        ];
+      };
+
+      containers.romm = {
+        image = "rommapp/romm:latest";
+
+        dependsOn = [
+          "romm-db"
+          "romm-redis"
+        ];
+
+        environment = {
+          DB_HOST = "romm-db";
+          DB_PORT = "3306";
+          DB_NAME = "romm";
+          DB_USER = "romm";
+          REDIS_HOST = "romm-redis";
+          REDIS_PORT = "6379";
+          ROMM_AUTH_ENABLED = "true";
+        };
+
+        environmentFiles = [
+          config.age.secrets.romm-auth-secret-key.path
+          config.age.secrets.romm-db-password.path
+          config.age.secrets.romm-metadata-api-keys.path
+        ];
+
+        ports = [
+          "127.0.0.1:8086:8080"
+        ];
+
+        volumes = [
+          "${configFile}:/romm/config/config.yml:ro"
+          "/mnt/media/public/games:/romm/library"
+          "/var/lib/romm/resources:/romm/resources"
+          "/var/lib/romm/assets:/romm/assets"
+        ];
+
+        extraOptions = [
+          "--network=romm-net"
+        ];
+      };
+    };
+
+    services.nginx = lib.mkIf nginxEnabled {
+      virtualHosts."romm-local" = {
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8085;
+          }
+        ];
+
+        extraConfig = ''
+          client_max_body_size 0;
+        '';
+
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8086";
+          proxyWebsockets = true;
+        };
+      };
+
+      virtualHosts."romm.ppp.pm" = {
+        forceSSL = true;
+        useACMEHost = "romm.ppp.pm";
+
+        extraConfig = ''
+          client_max_body_size 0;
+        '';
+
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8086";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+    networking.firewall.allowedTCPPorts = [ 8085 ];
+
+    age.secrets = {
+      "romm-auth-secret-key" = {
+        file = ../../../../secrets/manatee/romm-auth-secret-key.age;
+        owner = "root";
+        group = "root";
+      };
+
+      "romm-db-password" = {
+        file = ../../../../secrets/manatee/romm-db-password.age;
+        owner = "root";
+        group = "root";
+      };
+
+      "romm-metadata-api-keys" = {
+        file = ../../../../secrets/manatee/romm-metadata-api-keys.age;
+        owner = "root";
+        group = "root";
+      };
+    };
+  };
+}

secrets/manatee/romm-metadata-api-keys.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 wkRvNA 5d22LU+2Mn6fq8SHOCwDht/ebnI2uOk6WKf+t1kwwCM
+hCGnLoCy1PX5PJx2IjQnyESmtKM6wVQmyS6aHNhkb1g
+-> ssh-ed25519 +oNaHQ gPUMsavbGVPOuvTtNgoDuzrT+q0I7Wbkd6QK5z4oUGc
+M3HhrugFlNQkL7WxF1qrW+ocGRqOXid32AVVYLSSxPI
+--- TGURCDEIuSFCfXBHxzFHA2svHES7Ubagy1uYjbWCO7g
+gá¿Ó†Ò™±£Q
âö
+oF[H:t aÆr3úZ0ßx�@:˜0Ó´¡µÂI[Õ\í=º@eâPí�W€Ã†§rX,¶âÈÇ*sš$c:�FlÎÙ±z|B#

secrets/secrets.nix

@@ -39,6 +39,9 @@ in {
   "manatee/komga-bookmanager-credentials.age".publicKeys = [ manatee alex];
   "manatee/komga-reading-stats-claude-api-key.age".publicKeys = [ manatee alex];
   "manatee/komga-reading-stats-komga-api-key.age".publicKeys = [ manatee alex];
+  "manatee/romm-auth-secret-key.age".publicKeys = [ manatee alex ];
+  "manatee/romm-db-password.age".publicKeys = [ manatee alex ];
+  "manatee/romm-metadata-api-keys.age".publicKeys = [ manatee alex ];
 
   "backwards/root.backwards.age".publicKeys = [ backwards alex ];
   "backwards/root.backwards.pub.age".publicKeys = [ backwards alex ];