Split sops secrets management into separate files for each arion subdir

Rename dns traefik-net name to dmz
Add nas & file sharing arion compose
2024-03-06 11:35:13 +01:00 · 2024-03-06 11:16:42 +01:00 · 2024-03-06 11:16:14 +01:00
12 changed files with 239 additions and 105 deletions
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@ -4,24 +4,18 @@
  config,
  ...
 }: {
-  imports = [inputs.arion.nixosModules.arion];
+  imports = [
+    inputs.arion.nixosModules.arion
+    ./dns
+    ./infrastructure
+    ./nas
+    ./nextcloud
+    ./push
+  ];

  environment.systemPackages = with pkgs; [arion];

-  virtualisation.arion = {
-    backend = "docker";
-    projects = {
-      infrastructure.settings = {
-        imports = [./infrastructure/arion-compose.nix];
-      };
-      dns.settings = {
-        imports = [./dns/arion-compose.nix];
-      };
-      push.settings = {
-        imports = [./push/arion-compose.nix];
-      };
-    };
-  };
+  virtualisation.arion.backend = "docker";

  systemd.services.init-dmz-bridge-network = {
    description = "Create the network bridge dmz for the Docker stack.";
--- a/hosts/franz/arion/dns/arion-compose.nix
+++ b/hosts/franz/arion/dns/arion-compose.nix
@ -37,7 +37,7 @@
        "traefik.http.routers.pihole.entrypoints" = "websecure";
        "traefik.http.routers.pihole.rule" = "Host(`pihole.ghoscht.com`)";
        "traefik.http.services.pihole.loadbalancer.server.port" = "80";
-        "traefik.docker.network" = "traefik-net";
+        "traefik.docker.network" = "dmz";
        "traefik.http.routers.pihole.tls" = "true";
        "traefik.http.routers.pihole.tls.certresolver" = "letsencrypt";
      };
--- a/hosts/franz/arion/dns/default.nix
+++ b/hosts/franz/arion/dns/default.nix
@ -0,0 +1,7 @@
+{
+  virtualisation.arion = {
+    projects.dns.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}
--- a/hosts/franz/arion/infrastructure/default.nix
+++ b/hosts/franz/arion/infrastructure/default.nix
@ -0,0 +1,73 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.infrastructure.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."cloudflared/tunnel_token" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."traefik/acme_email" = {
+    owner = vars.user;
+  };
+  sops.secrets."traefik/cloudflare_email" = {
+    owner = vars.user;
+  };
+  sops.secrets."traefik/cloudflare_api_key" = {
+    owner = vars.user;
+  };
+
+  sops.templates."cloudflared.env" = {
+    path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
+    '';
+  };
+
+  sops.templates."traefik.env" = {
+    path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
+      CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
+    '';
+  };
+
+  sops.templates."traefik.toml" = {
+    path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      [entryPoints]
+        [entryPoints.web]
+          address = ":80"
+        [entryPoints.websecure]
+          address = ":443"
+      [api]
+        dashboard = true
+        insecure = true
+
+      [certificatesResolvers.letsencrypt.acme]
+        email = "${config.sops.placeholder."traefik/acme_email"}"
+        storage = "/letsencrypt/acme.json"
+        [certificatesResolvers.letsencrypt.acme.dnsChallenge]
+          provider = "cloudflare"
+          resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
+
+      [serversTransport]
+        insecureSkipVerify = true
+
+      [providers.docker]
+        watch = true
+        network = "web"
+        exposedByDefault = false
+    '';
+  };
+}
--- a/hosts/franz/arion/nas/arion-compose.nix
+++ b/hosts/franz/arion/nas/arion-compose.nix
@ -0,0 +1,34 @@
+{pkgs, ...}: {
+  project.name = "nas";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    samba.service = {
+      image = "dperson/samba";
+      container_name = "samba";
+      ports = [
+        "137:137/udp"
+        "138:138/udp"
+        "139:139/tcp"
+        "445:445/tcp"
+      ];
+      environment = {
+        USERID = 1000;
+        GROUPID = 1000;
+        TZ = "Europe/Berlin";
+      };
+      command = "-s 'public;/mount;yes;no;yes' -p";
+      volumes = [
+        "/home/ghoscht:/mount"
+      ];
+      restart = "always";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}
--- a/hosts/franz/arion/nas/arion-pkgs.nix
+++ b/hosts/franz/arion/nas/arion-pkgs.nix
@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}
--- a/hosts/franz/arion/nas/default.nix
+++ b/hosts/franz/arion/nas/default.nix
@ -0,0 +1,12 @@
+{
+  networking.firewall = {
+    allowedUDPPorts = [137 138];
+    allowedTCPPorts = [139 445];
+  };
+
+  virtualisation.arion = {
+    projects.nas.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}
--- a/hosts/franz/arion/nextcloud/arion-compose.nix
+++ b/hosts/franz/arion/nextcloud/arion-compose.nix
@ -0,0 +1,50 @@
+{pkgs, ...}: {
+  project.name = "nextcloud";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  networks.transport = {};
+
+  services = {
+    nextcloud.service = {
+      image = "nextcloud:latest";
+      container_name = "nextcloud";
+      useHostStore = true;
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.nextcloud.entrypoints" = "websecure";
+        "traefik.http.routers.nextcloud.rule" = "Host(`nextcloud.ghoscht.com`)";
+        "traefik.docker.network" = "dmz";
+        "traefik.http.routers.nextcloud.tls" = "true";
+        "traefik.http.routers.nextcloud.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/nextcloud/nextcloud_data:/var/www/html"
+      ];
+      environment = {MYSQL_HOST = "nextcloud-db";};
+      env_file = [
+        "/home/ghoscht/.docker/nextcloud/nextcloud.env"
+      ];
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+        "transport"
+      ];
+    };
+    db.service = {
+      image = "mariadb:10.5";
+      env_file = [
+        "/home/ghoscht/.docker/nextcloud/nextcloud.env"
+      ];
+      volumes = ["/home/ghoscht/.docker/nextcloud/nextcloud_db:/var/lib/mysql"];
+      restart = "unless-stopped";
+      command = "--transaction-isolation=READ-COMMITTED --binlog-format=ROW";
+      networks = [
+        "transport"
+      ];
+    };
+  };
+}
--- a/hosts/franz/arion/nextcloud/arion-pkgs.nix
+++ b/hosts/franz/arion/nextcloud/arion-pkgs.nix
@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}
--- a/hosts/franz/arion/nextcloud/default.nix
+++ b/hosts/franz/arion/nextcloud/default.nix
@ -0,0 +1,34 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.nextcloud.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."nextcloud/mysql_root_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_database" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_user" = {
+    owner = vars.user;
+  };
+
+  sops.templates."nextcloud.env" = {
+    path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
+      MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
+      MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
+      MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
+    '';
+  };
+}
--- a/hosts/franz/arion/push/default.nix
+++ b/hosts/franz/arion/push/default.nix
@ -0,0 +1,7 @@
+{
+  virtualisation.arion = {
+    projects.push.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}
--- a/hosts/franz/sops.nix
+++ b/hosts/franz/sops.nix
@ -15,93 +15,4 @@ in {
  sops.defaultSopsFile = ../../secrets/franz.yaml;
  sops.defaultSopsFormat = "yaml";
  sops.age.keyFile = "/home/${vars.user}/.config/sops/age/keys.txt";
-
-  sops.secrets."cloudflared/tunnel_token" = {
-    owner = vars.user;
-  };
-
-  sops.secrets."traefik/acme_email" = {
-    owner = vars.user;
-  };
-  sops.secrets."traefik/cloudflare_email" = {
-    owner = vars.user;
-  };
-  sops.secrets."traefik/cloudflare_api_key" = {
-    owner = vars.user;
-  };
-
-  sops.secrets."nextcloud/mysql_root_password" = {
-    owner = vars.user;
-  };
-  sops.secrets."nextcloud/mysql_password" = {
-    owner = vars.user;
-  };
-  sops.secrets."nextcloud/mysql_database" = {
-    owner = vars.user;
-  };
-  sops.secrets."nextcloud/mysql_user" = {
-    owner = vars.user;
-  };
-
-  sops.templates."cloudflared.env" = {
-    path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
-    '';
-  };
-
-  sops.templates."traefik.env" = {
-    path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
-      CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
-    '';
-  };
-
-  sops.templates."nextcloud.env" = {
-    path = "/home/${vars.user}/.docker/nas/nextcloud.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
-      MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
-      MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
-      MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
-    '';
-  };
-
-  sops.templates."traefik.toml" = {
-    path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      [entryPoints]
-        [entryPoints.web]
-          address = ":80"
-        [entryPoints.websecure]
-          address = ":443"
-      [api]
-        dashboard = true
-        insecure = true
-
-      [certificatesResolvers.letsencrypt.acme]
-        email = "${config.sops.placeholder."traefik/acme_email"}"
-        storage = "/letsencrypt/acme.json"
-        [certificatesResolvers.letsencrypt.acme.dnsChallenge]
-          provider = "cloudflare"
-          resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
-
-      [serversTransport]
-        insecureSkipVerify = true
-
-      [providers.docker]
-        watch = true
-        network = "web"
-        exposedByDefault = false
-    '';
-  };
 }
Author	SHA1	Message	Date
GHOSCHT	fd4e1ce93d	Split sops secrets management into separate files for each arion subdir	2024-03-06 11:35:13 +01:00
GHOSCHT	d210f0eefb	Rename dns traefik-net name to dmz	2024-03-06 11:16:42 +01:00
GHOSCHT	26f369a9ee	Add nas & file sharing arion compose	2024-03-06 11:16:14 +01:00