diff --git a/hosts/franz/arion/default.nix b/hosts/franz/arion/default.nix
index aa220a7..8a0e627 100644
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@@ -4,32 +4,18 @@
 config,
 ...
 }: {
- imports = [inputs.arion.nixosModules.arion];
+ imports = [
+ inputs.arion.nixosModules.arion
+ ./dns
+ ./infrastructure
+ ./nas
+ ./nextcloud
+ ./push
+ ];
 environment.systemPackages = with pkgs; [arion];
- networking.firewall = {
- allowedUDPPorts = [137 138];
- allowedTCPPorts = [139 445];
- };
-
- virtualisation.arion = {
- backend = "docker";
- projects = {
- infrastructure.settings = {
- imports = [./infrastructure/arion-compose.nix];
- };
- dns.settings = {
- imports = [./dns/arion-compose.nix];
- };
- push.settings = {
- imports = [./push/arion-compose.nix];
- };
- nas.settings = {
- imports = [./nas/arion-compose.nix];
- };
- };
- };
+ virtualisation.arion.backend = "docker";
 systemd.services.init-dmz-bridge-network = {
 description = "Create the network bridge dmz for the Docker stack.";
diff --git a/hosts/franz/arion/dns/default.nix b/hosts/franz/arion/dns/default.nix
new file mode 100644
index 0000000..702a503
--- /dev/null
+++ b/hosts/franz/arion/dns/default.nix
@@ -0,0 +1,7 @@
+{
+ virtualisation.arion = {
+ projects.dns.settings = {
+ imports = [./arion-compose.nix];
+ };
+ };
+}
diff --git a/hosts/franz/arion/infrastructure/default.nix b/hosts/franz/arion/infrastructure/default.nix
new file mode 100644
index 0000000..3d97c94
--- /dev/null
+++ b/hosts/franz/arion/infrastructure/default.nix
@@ -0,0 +1,73 @@
+{config, ...}: let
+ vars = import ../../../../vars.nix;
+in {
+ virtualisation.arion = {
+ projects.infrastructure.settings = {
+ imports = [./arion-compose.nix];
+ };
+ };
+
+ sops.secrets."cloudflared/tunnel_token" = {
+ owner = vars.user;
+ };
+
+ sops.secrets."traefik/acme_email" = {
+ owner = vars.user;
+ };
+ sops.secrets."traefik/cloudflare_email" = {
+ owner = vars.user;
+ };
+ sops.secrets."traefik/cloudflare_api_key" = {
+ owner = vars.user;
+ };
+
+ sops.templates."cloudflared.env" = {
+ path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
+ owner = vars.user;
+ mode = "0775";
+ content = ''
+ TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
+ '';
+ };
+
+ sops.templates."traefik.env" = {
+ path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
+ owner = vars.user;
+ mode = "0775";
+ content = ''
+ CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
+ CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
+ '';
+ };
+
+ sops.templates."traefik.toml" = {
+ path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
+ owner = vars.user;
+ mode = "0775";
+ content = ''
+ [entryPoints]
+ [entryPoints.web]
+ address = ":80"
+ [entryPoints.websecure]
+ address = ":443"
+ [api]
+ dashboard = true
+ insecure = true
+
+ [certificatesResolvers.letsencrypt.acme]
+ email = "${config.sops.placeholder."traefik/acme_email"}"
+ storage = "/letsencrypt/acme.json"
+ [certificatesResolvers.letsencrypt.acme.dnsChallenge]
+ provider = "cloudflare"
+ resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
+
+ [serversTransport]
+ insecureSkipVerify = true
+
+ [providers.docker]
+ watch = true
+ network = "web"
+ exposedByDefault = false
+ '';
+ };
+}
diff --git a/hosts/franz/arion/nas/default.nix b/hosts/franz/arion/nas/default.nix
new file mode 100644
index 0000000..f533dd5
--- /dev/null
+++ b/hosts/franz/arion/nas/default.nix
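Review bot: The `mode = "0775"` on the three `sops.templates` entries in this hunk makes `cloudflared.env` (`TUNNEL_TOKEN`), `traefik.env` (`CLOUDFLARE_API_KEY`) and `traefik.toml` readable by every local account on the host and needlessly executable; the same mode is used for the MySQL credentials in `hosts/franz/arion/nextcloud/default.nix`. These lines are moved from `hosts/franz/sops.nix` unchanged, so the commit keeps the existing exposure; since the files are owned by `vars.user`, `mode = "0400";` (or `"0440"` if a group genuinely needs them) should be enough for what is presumably a bind mount into the containers. The generated `traefik.toml` also keeps `[api] insecure = true` and `[serversTransport] insecureSkipVerify = true`; whether the unauthenticated dashboard is actually published depends on the port mapping in `./arion-compose.nix`, which is outside this diff. A short comment above those two settings recording why they are needed, e.g. `# insecureSkipVerify: <reason> — revisit before adding new backends`, would stop them being copied verbatim into the next project's config.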
@@ -0,0 +1,12 @@
+{
+ networking.firewall = {
+ allowedUDPPorts = [137 138];
+ allowedTCPPorts = [139 445];
+ };
+
+ virtualisation.arion = {
+ projects.nas.settings = {
+ imports = [./arion-compose.nix];
+ };
+ };
+}
diff --git a/hosts/franz/arion/nextcloud/default.nix b/hosts/franz/arion/nextcloud/default.nix
new file mode 100644
index 0000000..c476a80
--- /dev/null
+++ b/hosts/franz/arion/nextcloud/default.nix
@@ -0,0 +1,34 @@
+{config, ...}: let
+ vars = import ../../../../vars.nix;
+in {
+ virtualisation.arion = {
+ projects.nextcloud.settings = {
+ imports = [./arion-compose.nix];
+ };
+ };
+
+ sops.secrets."nextcloud/mysql_root_password" = {
+ owner = vars.user;
+ };
+ sops.secrets."nextcloud/mysql_password" = {
+ owner = vars.user;
+ };
+ sops.secrets."nextcloud/mysql_database" = {
+ owner = vars.user;
+ };
+ sops.secrets."nextcloud/mysql_user" = {
+ owner = vars.user;
+ };
+
+ sops.templates."nextcloud.env" = {
+ path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
+ owner = vars.user;
+ mode = "0775";
+ content = ''
+ MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
+ MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
+ MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
+ MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
+ '';
+ };
+}
diff --git a/hosts/franz/arion/push/default.nix b/hosts/franz/arion/push/default.nix
new file mode 100644
index 0000000..7fb61ee
--- /dev/null
+++ b/hosts/franz/arion/push/default.nix
@@ -0,0 +1,7 @@
+{
+ virtualisation.arion = {
+ projects.push.settings = {
+ imports = [./arion-compose.nix];
+ };
+ };
+}
diff --git a/hosts/franz/sops.nix b/hosts/franz/sops.nix
index 9ace88d..eeba82d 100644
--- a/hosts/franz/sops.nix
+++ b/hosts/franz/sops.nix
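Review bot: `allowedUDPPorts = [137 138]` and `allowedTCPPorts = [139 445]` open the NetBIOS/SMB ports on every interface of the host rather than only the one the NAS clients sit on. The block is carried over from the old `hosts/franz/arion/default.nix` unchanged, so exposure is the same as before, but moving it next to the nas project is a good moment to scope it with `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts = [139 445];` (and the UDP equivalent), with the interface name taken from the host's network config. A one-line comment above the block naming the intended client network would also record why these ports are open at all.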
@@ -15,93 +15,4 @@ in {
 sops.defaultSopsFile = ../../secrets/franz.yaml;
 sops.defaultSopsFormat = "yaml";
 sops.age.keyFile = "/home/${vars.user}/.config/sops/age/keys.txt";
-
- sops.secrets."cloudflared/tunnel_token" = {
- owner = vars.user;
- };
-
- sops.secrets."traefik/acme_email" = {
- owner = vars.user;
- };
- sops.secrets."traefik/cloudflare_email" = {
- owner = vars.user;
- };
- sops.secrets."traefik/cloudflare_api_key" = {
- owner = vars.user;
- };
-
- sops.secrets."nextcloud/mysql_root_password" = {
- owner = vars.user;
- };
- sops.secrets."nextcloud/mysql_password" = {
- owner = vars.user;
- };
- sops.secrets."nextcloud/mysql_database" = {
- owner = vars.user;
- };
- sops.secrets."nextcloud/mysql_user" = {
- owner = vars.user;
- };
-
- sops.templates."cloudflared.env" = {
- path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
- owner = vars.user;
- mode = "0775";
- content = ''
- TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
- '';
- };
-
- sops.templates."traefik.env" = {
- path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
- owner = vars.user;
- mode = "0775";
- content = ''
- CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
- CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
- '';
- };
-
- sops.templates."nextcloud.env" = {
- path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
- owner = vars.user;
- mode = "0775";
- content = ''
- MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
- MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
- MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
- MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
- '';
- };
-
- sops.templates."traefik.toml" = {
- path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
- owner = vars.user;
- mode = "0775";
- content = ''
- [entryPoints]
- [entryPoints.web]
- address = ":80"
- [entryPoints.websecure]
- address = ":443"
- [api]
- dashboard = true
- insecure = true
-
- [certificatesResolvers.letsencrypt.acme]
- email = "${config.sops.placeholder."traefik/acme_email"}"
- storage = "/letsencrypt/acme.json"
- [certificatesResolvers.letsencrypt.acme.dnsChallenge]
- provider = "cloudflare"
- resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
-
- [serversTransport]
- insecureSkipVerify = true
-
- [providers.docker]
- watch = true
- network = "web"
- exposedByDefault = false
- '';
- };
 }