ghoscht/nix-config
ghoscht/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: ghoscht:fd4e1ce93dc4dbf9f40ac6d084809fb5dc5e5743
Branches Tags
ghoscht:main
ghoscht:structural-rework
ghoscht:old-structure
..
compare: ghoscht:fb666e0c557efebeef29b72ac69cf4ca457f10f0
Branches Tags
ghoscht:main
ghoscht:structural-rework
ghoscht:old-structure

No commits in common. "fd4e1ce93dc4dbf9f40ac6d084809fb5dc5e5743" and "fb666e0c557efebeef29b72ac69cf4ca457f10f0" have entirely different histories.
fd4e1ce93d ... fb666e0c55

12 changed files with 105 additions and 239 deletions
Show stats Expand all files Collapse all files

24
hosts/franz/arion/default.nix
View file

@ -4,18 +4,24 @@
config, config,
... ...
}: { }: {
imports = [ imports = [inputs.arion.nixosModules.arion];
inputs.arion.nixosModules.arion
./dns
./infrastructure
./nas
./nextcloud
./push
];
environment.systemPackages = with pkgs; [arion]; environment.systemPackages = with pkgs; [arion];
virtualisation.arion.backend = "docker"; virtualisation.arion = {
backend = "docker";
projects = {
infrastructure.settings = {
imports = [./infrastructure/arion-compose.nix];
};
dns.settings = {
imports = [./dns/arion-compose.nix];
};
push.settings = {
imports = [./push/arion-compose.nix];
};
};
};
systemd.services.init-dmz-bridge-network = { systemd.services.init-dmz-bridge-network = {
description = "Create the network bridge dmz for the Docker stack."; description = "Create the network bridge dmz for the Docker stack.";

2
hosts/franz/arion/dns/arion-compose.nix
View file

@ -37,7 +37,7 @@
"traefik.http.routers.pihole.entrypoints" = "websecure"; "traefik.http.routers.pihole.entrypoints" = "websecure";
"traefik.http.routers.pihole.rule" = "Host(`pihole.ghoscht.com`)"; "traefik.http.routers.pihole.rule" = "Host(`pihole.ghoscht.com`)";
"traefik.http.services.pihole.loadbalancer.server.port" = "80"; "traefik.http.services.pihole.loadbalancer.server.port" = "80";
"traefik.docker.network" = "dmz"; "traefik.docker.network" = "traefik-net";
"traefik.http.routers.pihole.tls" = "true"; "traefik.http.routers.pihole.tls" = "true";
"traefik.http.routers.pihole.tls.certresolver" = "letsencrypt"; "traefik.http.routers.pihole.tls.certresolver" = "letsencrypt";
}; };

7
hosts/franz/arion/dns/default.nix
View file

@ -1,7 +0,0 @@
{
virtualisation.arion = {
projects.dns.settings = {
imports = [./arion-compose.nix];
};
};
}

73
hosts/franz/arion/infrastructure/default.nix
View file

@ -1,73 +0,0 @@
{config, ...}: let
vars = import ../../../../vars.nix;
in {
virtualisation.arion = {
projects.infrastructure.settings = {
imports = [./arion-compose.nix];
};
};
sops.secrets."cloudflared/tunnel_token" = {
owner = vars.user;
};
sops.secrets."traefik/acme_email" = {
owner = vars.user;
};
sops.secrets."traefik/cloudflare_email" = {
owner = vars.user;
};
sops.secrets."traefik/cloudflare_api_key" = {
owner = vars.user;
};
sops.templates."cloudflared.env" = {
path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
owner = vars.user;
mode = "0775";
content = ''
TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
'';
};
sops.templates."traefik.env" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
owner = vars.user;
mode = "0775";
content = ''
CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
'';
};
sops.templates."traefik.toml" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
owner = vars.user;
mode = "0775";
content = ''
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[api]
dashboard = true
insecure = true
[certificatesResolvers.letsencrypt.acme]
email = "${config.sops.placeholder."traefik/acme_email"}"
storage = "/letsencrypt/acme.json"
[certificatesResolvers.letsencrypt.acme.dnsChallenge]
provider = "cloudflare"
resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
[serversTransport]
insecureSkipVerify = true
[providers.docker]
watch = true
network = "web"
exposedByDefault = false
'';
};
}

34
hosts/franz/arion/nas/arion-compose.nix
View file

@ -1,34 +0,0 @@
{pkgs, ...}: {
project.name = "nas";
networks.dmz = {
name = "dmz";
external = true;
};
services = {
samba.service = {
image = "dperson/samba";
container_name = "samba";
ports = [
"137:137/udp"
"138:138/udp"
"139:139/tcp"
"445:445/tcp"
];
environment = {
USERID = 1000;
GROUPID = 1000;
TZ = "Europe/Berlin";
};
command = "-s 'public;/mount;yes;no;yes' -p";
volumes = [
"/home/ghoscht:/mount"
];
restart = "always";
networks = [
"dmz"
];
};
};
}

6
hosts/franz/arion/nas/arion-pkgs.nix
View file

@ -1,6 +0,0 @@
# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
import <nixpkgs> {
# We specify the architecture explicitly. Use a Linux remote builder when
# calling arion from other platforms.
system = "x86_64-linux";
}

12
hosts/franz/arion/nas/default.nix
View file

@ -1,12 +0,0 @@
{
networking.firewall = {
allowedUDPPorts = [137 138];
allowedTCPPorts = [139 445];
};
virtualisation.arion = {
projects.nas.settings = {
imports = [./arion-compose.nix];
};
};
}

50
hosts/franz/arion/nextcloud/arion-compose.nix
View file

@ -1,50 +0,0 @@
{pkgs, ...}: {
project.name = "nextcloud";
networks.dmz = {
name = "dmz";
external = true;
};
networks.transport = {};
services = {
nextcloud.service = {
image = "nextcloud:latest";
container_name = "nextcloud";
useHostStore = true;
labels = {
"traefik.enable" = "true";
"traefik.http.routers.nextcloud.entrypoints" = "websecure";
"traefik.http.routers.nextcloud.rule" = "Host(`nextcloud.ghoscht.com`)";
"traefik.docker.network" = "dmz";
"traefik.http.routers.nextcloud.tls" = "true";
"traefik.http.routers.nextcloud.tls.certresolver" = "letsencrypt";
};
volumes = [
"/home/ghoscht/.docker/nextcloud/nextcloud_data:/var/www/html"
];
environment = {MYSQL_HOST = "nextcloud-db";};
env_file = [
"/home/ghoscht/.docker/nextcloud/nextcloud.env"
];
restart = "unless-stopped";
networks = [
"dmz"
"transport"
];
};
db.service = {
image = "mariadb:10.5";
env_file = [
"/home/ghoscht/.docker/nextcloud/nextcloud.env"
];
volumes = ["/home/ghoscht/.docker/nextcloud/nextcloud_db:/var/lib/mysql"];
restart = "unless-stopped";
command = "--transaction-isolation=READ-COMMITTED --binlog-format=ROW";
networks = [
"transport"
];
};
};
}

6
hosts/franz/arion/nextcloud/arion-pkgs.nix
View file

@ -1,6 +0,0 @@
# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
import <nixpkgs> {
# We specify the architecture explicitly. Use a Linux remote builder when
# calling arion from other platforms.
system = "x86_64-linux";
}

34
hosts/franz/arion/nextcloud/default.nix
View file

@ -1,34 +0,0 @@
{config, ...}: let
vars = import ../../../../vars.nix;
in {
virtualisation.arion = {
projects.nextcloud.settings = {
imports = [./arion-compose.nix];
};
};
sops.secrets."nextcloud/mysql_root_password" = {
owner = vars.user;
};
sops.secrets."nextcloud/mysql_password" = {
owner = vars.user;
};
sops.secrets."nextcloud/mysql_database" = {
owner = vars.user;
};
sops.secrets."nextcloud/mysql_user" = {
owner = vars.user;
};
sops.templates."nextcloud.env" = {
path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
owner = vars.user;
mode = "0775";
content = ''
MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
'';
};
}

7
hosts/franz/arion/push/default.nix
View file

@ -1,7 +0,0 @@
{
virtualisation.arion = {
projects.push.settings = {
imports = [./arion-compose.nix];
};
};
}

89
hosts/franz/sops.nix
View file

@ -15,4 +15,93 @@ in {
sops.defaultSopsFile = ../../secrets/franz.yaml; sops.defaultSopsFile = ../../secrets/franz.yaml;
sops.defaultSopsFormat = "yaml"; sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/home/${vars.user}/.config/sops/age/keys.txt"; sops.age.keyFile = "/home/${vars.user}/.config/sops/age/keys.txt";
sops.secrets."cloudflared/tunnel_token" = {
owner = vars.user;
};
sops.secrets."traefik/acme_email" = {
owner = vars.user;
};
sops.secrets."traefik/cloudflare_email" = {
owner = vars.user;
};
sops.secrets."traefik/cloudflare_api_key" = {
owner = vars.user;
};
sops.secrets."nextcloud/mysql_root_password" = {
owner = vars.user;
};
sops.secrets."nextcloud/mysql_password" = {
owner = vars.user;
};
sops.secrets."nextcloud/mysql_database" = {
owner = vars.user;
};
sops.secrets."nextcloud/mysql_user" = {
owner = vars.user;
};
sops.templates."cloudflared.env" = {
path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
owner = vars.user;
mode = "0775";
content = ''
TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
'';
};
sops.templates."traefik.env" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
owner = vars.user;
mode = "0775";
content = ''
CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
'';
};
sops.templates."nextcloud.env" = {
path = "/home/${vars.user}/.docker/nas/nextcloud.env";
owner = vars.user;
mode = "0775";
content = ''
MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
'';
};
sops.templates."traefik.toml" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
owner = vars.user;
mode = "0775";
content = ''
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[api]
dashboard = true
insecure = true
[certificatesResolvers.letsencrypt.acme]
email = "${config.sops.placeholder."traefik/acme_email"}"
storage = "/letsencrypt/acme.json"
[certificatesResolvers.letsencrypt.acme.dnsChallenge]
provider = "cloudflare"
resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
[serversTransport]
insecureSkipVerify = true
[providers.docker]
watch = true
network = "web"
exposedByDefault = false
'';
};
} }