diff --git a/hosts/franz/arion/default.nix b/hosts/franz/arion/default.nix
index 3cab51a..aa220a7 100644
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@@ -8,6 +8,11 @@
 environment.systemPackages = with pkgs; [arion];
+ networking.firewall = {
+ allowedUDPPorts = [137 138];
+ allowedTCPPorts = [139 445];
+ };
+
 virtualisation.arion = {
 backend = "docker";
 projects = {
@@ -20,6 +25,9 @@
 push.settings = {
 imports = [./push/arion-compose.nix];
 };
+ nas.settings = {
+ imports = [./nas/arion-compose.nix];
+ };
 };
 };
diff --git a/hosts/franz/arion/nas/arion-compose.nix b/hosts/franz/arion/nas/arion-compose.nix
new file mode 100644
index 0000000..1461d58
--- /dev/null
+++ b/hosts/franz/arion/nas/arion-compose.nix
@@ -0,0 +1,34 @@
+{pkgs, ...}: {
+ project.name = "nas";
+
+ networks.dmz = {
+ name = "dmz";
+ external = true;
+ };
+
+ services = {
+ samba.service = {
+ image = "dperson/samba";
+ container_name = "samba";
+ ports = [
+ "137:137/udp"
+ "138:138/udp"
+ "139:139/tcp"
+ "445:445/tcp"
+ ];
+ environment = {
+ USERID = 1000;
+ GROUPID = 1000;
+ TZ = "Europe/Berlin";
+ };
+ command = "-s 'public;/mount;yes;no;yes' -p";
+ volumes = [
+ "/home/ghoscht:/mount"
+ ];
+ restart = "always";
+ networks = [
+ "dmz"
+ ];
+ };
+ };
+}
diff --git a/hosts/franz/arion/nas/arion-pkgs.nix b/hosts/franz/arion/nas/arion-pkgs.nix
new file mode 100644
index 0000000..69aad13
--- /dev/null
+++ b/hosts/franz/arion/nas/arion-pkgs.nix
@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import {
+ # We specify the architecture explicitly. Use a Linux remote builder when
+ # calling arion from other platforms.
+ system = "x86_64-linux";
+}
diff --git a/hosts/franz/arion/nextcloud/arion-compose.nix b/hosts/franz/arion/nextcloud/arion-compose.nix
new file mode 100644
index 0000000..64a4daa
--- /dev/null
+++ b/hosts/franz/arion/nextcloud/arion-compose.nix
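Review bot: The firewall hunk opens NetBIOS/SMB (137/138 UDP, 139/445 TCP) on every interface of the host, which is far wider than a LAN file share needs — and this host appears to front public services through traefik, going by the nextcloud labels later in the same commit. Scope the rule to the LAN interface, e.g. `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [139 445];` with the UDP pair alongside, or drop 137–139 entirely if only SMB2/3 clients are expected. Bear in mind that Docker publishes container ports through its own iptables chains, so the NixOS firewall is not the only gate here; the bind address on the compose `ports` entries matters at least as much.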
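Review bot: This hunk registers the new `nas` project, but the commit also adds `nextcloud/arion-compose.nix` and no `nextcloud.settings` entry is visible in either hunk of this file. If `nextcloud.settings = { imports = [./nextcloud/arion-compose.nix]; };` is not already declared above line 20, the nextcloud project never gets deployed and the moved `nextcloud.env` path in sops.nix has no consumer — worth confirming against the full file.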
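Review bot: The samba service exports the entire home directory `/home/ghoscht:/mount` as a guest-accessible, writable share — in dperson/samba's `-s` syntax `public;/mount;yes;no;yes` reads as browseable=yes, readonly=no, guest=yes — and the unqualified `ports` entries bind `0.0.0.0`, so anyone who can reach port 445 can read and modify dotfiles, SSH keys and the `.docker/nextcloud/nextcloud.env` secrets file the nextcloud project reads from that same home directory. At minimum export a dedicated subdirectory and require a user: `"/home/ghoscht/share:/mount"` and `command = "-s 'public;/mount;yes;no;no;ghoscht' -u 'ghoscht;<password>'"` with the password supplied from a sops-rendered secret rather than a literal in the Nix store, and prefix each published port with the LAN address (`"<lan-ip>:445:445/tcp"`). The `-p` flag, per the image's documentation, rewrites ownership and permissions under `/mount` on every start — confirm that is intended for a home directory. The image is unpinned (`dperson/samba` resolves to `:latest`) while `restart = "always"`, so pin a tag or digest the way `mariadb:10.5` is pinned in the nextcloud project.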
@@ -0,0 +1,50 @@
+{pkgs, ...}: {
+ project.name = "nextcloud";
+
+ networks.dmz = {
+ name = "dmz";
+ external = true;
+ };
+
+ networks.transport = {};
+
+ services = {
+ nextcloud.service = {
+ image = "nextcloud:latest";
+ container_name = "nextcloud";
+ useHostStore = true;
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.nextcloud.entrypoints" = "websecure";
+ "traefik.http.routers.nextcloud.rule" = "Host(`nextcloud.ghoscht.com`)";
+ "traefik.docker.network" = "dmz";
+ "traefik.http.routers.nextcloud.tls" = "true";
+ "traefik.http.routers.nextcloud.tls.certresolver" = "letsencrypt";
+ };
+ volumes = [
+ "/home/ghoscht/.docker/nextcloud/nextcloud_data:/var/www/html"
+ ];
+ environment = {MYSQL_HOST = "nextcloud-db";};
+ env_file = [
+ "/home/ghoscht/.docker/nextcloud/nextcloud.env"
+ ];
+ restart = "unless-stopped";
+ networks = [
+ "dmz"
+ "transport"
+ ];
+ };
+ db.service = {
+ image = "mariadb:10.5";
+ env_file = [
+ "/home/ghoscht/.docker/nextcloud/nextcloud.env"
+ ];
+ volumes = ["/home/ghoscht/.docker/nextcloud/nextcloud_db:/var/lib/mysql"];
+ restart = "unless-stopped";
+ command = "--transaction-isolation=READ-COMMITTED --binlog-format=ROW";
+ networks = [
+ "transport"
+ ];
+ };
+ };
+}
diff --git a/hosts/franz/arion/nextcloud/arion-pkgs.nix b/hosts/franz/arion/nextcloud/arion-pkgs.nix
new file mode 100644
index 0000000..69aad13
--- /dev/null
+++ b/hosts/franz/arion/nextcloud/arion-pkgs.nix
@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import {
+ # We specify the architecture explicitly. Use a Linux remote builder when
+ # calling arion from other platforms.
+ system = "x86_64-linux";
+}
diff --git a/hosts/franz/sops.nix b/hosts/franz/sops.nix
index 0e72d14..9ace88d 100644
--- a/hosts/franz/sops.nix
+++ b/hosts/franz/sops.nix
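Review bot: `MYSQL_HOST = "nextcloud-db"` will most likely not resolve: `db.service` sets no `container_name`, so compose names the container `nextcloud-db-1` (or `nextcloud_db_1`) and its DNS name on the `transport` network is just `db` — either add `container_name = "nextcloud-db";` to `db.service` or use `MYSQL_HOST = "db";`. `image = "nextcloud:latest"` means every re-pull can land on a new major version, which Nextcloud's upgrader refuses to cross in one step; pin a major tag (`nextcloud:<major>`) the way `mariadb:10.5` is pinned here. `useHostStore = true` bind-mounts the host's entire `/nix/store` into the web container and nothing in this service references it, so drop it unless something actually needs it. Both containers load the same `nextcloud.env`, so the internet-facing web container also receives whatever root DB credentials the template carries; if it holds `MYSQL_ROOT_PASSWORD`, split the file. Nextcloud behind traefik also needs `OVERWRITEPROTOCOL=https`, `TRUSTED_PROXIES` and `NEXTCLOUD_TRUSTED_DOMAINS` — the env file's content is outside this diff, so confirm they are set.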
@@ -63,7 +63,7 @@ in {
 };
 sops.templates."nextcloud.env" = {
- path = "/home/${vars.user}/.docker/nas/nextcloud.env";
+ path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
 owner = vars.user;
 mode = "0775";
 content = ''
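Review bot: The relocated `nextcloud.env` keeps `mode = "0775"`, so the rendered secrets file (database credentials, going by the `env_file` consumers elsewhere in this commit) is world-readable and group-writable on disk, and it now sits inside a home directory that the new samba project exports as a writable guest share. Docker reads `env_file` as root, so `mode = "0400";` (or `0600`) works without loosening anything else. The template's `content = ''` string continues outside this hunk, so the keys it actually renders were not reviewed here.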