traefik

2024-12-28 01:45:31 -06:00
parent 9caa802d46
commit 161dc2d411
14 changed files with 251 additions and 281 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -220,11 +220,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1735053786,
-        "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=",
+        "lastModified": 1735343815,
+        "narHash": "sha256-p7IJP/97zJda/wwCn1T2LJBz4olF5LjNf4uwhuyvARo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84",
+        "rev": "b7a7cd5dd1a74a9fe86ed4e016f91c78483b527a",
        "type": "github"
      },
      "original": {
@@ -233,6 +233,27 @@
        "type": "github"
      }
    },
+    "home-manager-stable": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-stable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735344290,
+        "narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "613691f285dad87694c2ba1c9e6298d04736292d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-24.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "impermanence": {
      "locked": {
        "lastModified": 1734945620,
@@ -437,11 +458,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1734649271,
-        "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
+        "lastModified": 1735291276,
+        "narHash": "sha256-NYVcA06+blsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
+        "rev": "634fd46801442d760e09493a794c4f15db2d0cbb",
        "type": "github"
      },
      "original": {
@@ -545,6 +566,7 @@
      "inputs": {
        "authentik-nix": "authentik-nix",
        "home-manager": "home-manager",
+        "home-manager-stable": "home-manager-stable",
        "impermanence": "impermanence",
        "lanzaboote": "lanzaboote",
        "nix-darwin": "nix-darwin",
--- a/flake.nix
+++ b/flake.nix
@@ -30,10 +30,10 @@
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

-    # home-manager-stable = {
-    #   url = "github:nix-community/home-manager/release-24.11";
-    #   inputs.nixpkgs.follows = "nixpkgs-stable";
-    # };
+    home-manager-stable = {
+      url = "github:nix-community/home-manager/release-24.11";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };

    # Lanzaboote
    lanzaboote = {
@@ -69,7 +69,7 @@
      lanzaboote,
      impermanence,
      home-manager,
-      # home-manager-stable,
+      home-manager-stable,
      nixos-hardware,
      nix-darwin,
      nixos-apple-silicon,
@@ -116,7 +116,7 @@
        };

        # NAS
-        "jallen-nas" = nixpkgs-unstable.lib.nixosSystem {
+        "jallen-nas" = nixpkgs-stable.lib.nixosSystem {
          system = "x86_64-linux";
          specialArgs = {
            inherit inputs outputs;
@@ -125,7 +125,7 @@
            impermanence.nixosModules.impermanence
            ./hosts/nas/configuration.nix
            ./hosts/nas/impermanence.nix
-            home-manager.nixosModules.home-manager
+            home-manager-stable.nixosModules.home-manager
            {
              home-manager.useGlobalPkgs = false;
              home-manager.useUserPackages = true;
--- a/hosts/nas/apps.nix
+++ b/hosts/nas/apps.nix
@@ -4,10 +4,11 @@
    ./apps/arrs
    ./apps/jellyfin/jellyfin.nix
    ./apps/jellyseerr/jellyseerr.nix
-    ./apps/paperless
-    ../../modules
-
    ./apps/nextcloud
+    ./apps/ollama
+    ./apps/paperless
+    ./apps/traefik
+    ../../modules
  ];

  nas-apps = {
@@ -17,8 +18,6 @@
      environmentFiles = [ config.sops.secrets."jallen-nas/collabora".path ];
    };

-    deluge.enable = false;
-
    free-games-claimer.enable = true;

    jackett.enable = true;
@@ -26,7 +25,7 @@
    manyfold.enable = true;

    mariadb = {
-      enable = true;
+      enable = false;
      environmentFiles = [
        config.sops.secrets."jallen-nas/mariadb/db_pass".path
        config.sops.secrets."jallen-nas/mariadb/root_pass".path
@@ -41,17 +40,7 @@
      port2 = "4080";
    };

-    nextcloud = {
-      enable = false;
-      httpPort = "9981";
-      httpsPort = "9943";
-    };
-
-    ollama.enable = true;
-
-    open-webui.enable = true;
-
-    swag.enable = true;
+    open-webui.enable = false;

    tdarr.enable = true;

--- a/hosts/nas/apps/arrs/default.nix
+++ b/hosts/nas/apps/arrs/default.nix
@@ -3,7 +3,7 @@
 let
  radarrPort = 7878;
  sonarrPort = 8989;
-  sabnzbdPort = 8080;
+  sabnzbdPort = 8280;
  radarrDataDir = "/var/lib/radarr";
  downloadDir = "/downloads";
  incompleteDir = "/downloads-incomplete";
@@ -12,9 +12,15 @@ let
  mediaDir = "/media";
  arrUserId = config.users.users.nix-apps.uid;
  arrGroupId = config.users.groups.jallen-nas.gid;
-  sonarrPkg = pkgs.unstable.sonarr;
+  # sonarrPkg = pkgs.stable.sonarr;
 in
 {
+  nixpkgs.config.permittedInsecurePackages = [
+    "aspnetcore-runtime-6.0.36"
+    "aspnetcore-runtime-wrapped-6.0.36"
+    "dotnet-sdk-6.0.428"
+    "dotnet-sdk-wrapped-6.0.428"
+  ];

  containers.arrs = {
    autoStart = true;
@@ -23,14 +29,13 @@ in
    localAddress = "10.0.1.51";
    
    config = { config, pkgs, lib, ... }: {
+      nixpkgs.config.allowUnfree = true;
      nixpkgs.config.permittedInsecurePackages = [
        "aspnetcore-runtime-6.0.36"
        "aspnetcore-runtime-wrapped-6.0.36"
        "dotnet-sdk-6.0.428"
        "dotnet-sdk-wrapped-6.0.428"
      ];
-
-      nixpkgs.config.allowUnfree = true;
      
      # Enable radarr service
      services.radarr = {
@@ -48,7 +53,7 @@ in
        user = "arrs";
        group = "media";
        dataDir = sonarrDataDir;
-        package = sonarrPkg;
+        # package = sonarrPkg;
      };

      # Enable Sabnzbd service
--- a/hosts/nas/apps/ollama/default.nix
+++ b/hosts/nas/apps/ollama/default.nix
@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+  services.ollama = {
+    enable = true;
+    port = 11434;
+    user = "nix-apps";
+    group = "jallen-nas";
+    openFirewall = true;
+    acceleration = "cuda";
+    home = "/media/nas/ssd/nix-app-data/ollama";
+  };
+
+  services.open-webui = {
+    enable = true;
+    port = 8888;
+    openFirewall = true;
+    stateDir = "/media/nas/ssd/nix-app-data/open-webui";
+    environment = {
+      OAUTH_CLIENT_ID = "P4YrtPrdwoQkwYs4e5AHQx7xiz4FV6OpT24rjqXa";
+      OAUTH_CLIENT_SECRET = "XpZ1Y9RUMD6FVxBSxg8evHkRYuSUJ3saN99uCFfeNo4Z8vrmnqZBHJQzSSCFig1fgqEYCr3SmcOvCHGHUsz9FJT2aZFlZxKv6bZZpuMQYASHiQtuX2pTVEspiNab3129";
+      OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
+      OPENID_PROVIDER_NAME = "authentik";
+      ENABLE_OAUTH_SIGNUP = "true";
+      OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "true";
+      ANONYMIZED_TELEMETRY = "False";
+      DO_NOT_TRACK = "True";
+      SCARF_NO_ANALYTICS = "True";
+      OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
+    };
+  };
+}
--- a/hosts/nas/apps/traefik/default.nix
+++ b/hosts/nas/apps/traefik/default.nix
@@ -0,0 +1,162 @@
+{ config, ... }:
+let
+  traefikDataDir = "/var/lib/traefik";
+  traefikUserId = config.users.users.nix-apps.uid;
+  traefikGroupId = config.users.groups.jallen-nas.gid;
+  domain = "mjallen.dev";
+
+  authentikUrl  = "http://10.0.1.18:9000";
+  collaboraUrl  = "http://10.0.1.18:9980";
+  cloudUrl      = "http://10.0.2.18:80";
+  jellyfinUrl   = "http://10.0.1.18:8096";
+  jellyseerrUrl = "http://10.0.1.18:5055";
+in
+{
+  networking.firewall = {
+      allowedTCPPorts = [
+        80
+        443
+        8080
+      ];
+      allowedUDPPorts = [
+        80
+        443
+        8080
+      ];
+    };
+  
+  services.traefik = {
+    enable = true;
+    dataDir = "/media/nas/ssd/nix-app-data/traefik";
+    group = "jallen-nas";
+    environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
+    
+    staticConfigOptions = {
+      entryPoints = {
+        web = {
+          address = ":80";
+          asDefault = true;
+          http.redirections.entrypoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+
+        websecure = {
+          address = ":443";
+          asDefault = true;
+          http.tls.certResolver = "letsencrypt";
+        };
+      };
+
+      log = {
+        level = "INFO";
+      };
+
+      certificatesResolvers.letsencrypt.acme = {
+        email = "jalle008@proton.me";
+        storage = "${config.services.traefik.dataDir}/acme.json";
+        dnsChallenge = {
+          provider = "cloudflare";
+          resolvers = [
+            "1.1.1.1:53"
+            "8.8.8.8:53"
+          ];
+        };
+      };
+
+      api.dashboard = true;
+      # Access the Traefik dashboard on <Traefik IP>:8080 of your server
+      # api.insecure = true;
+    };
+
+    dynamicConfigOptions = {
+      http = {
+        middlewares = {
+          authentik = {
+            forwardAuth = {
+              tls.insecureSkipVerify = true;
+              address = "https://authentik.${domain}/outpost.goauthentik.io/auth/traefik";
+              trustForwardHeader = true;
+              authResponseHeaders = [
+                "X-authentik-username"
+                "X-authentik-groups"
+                "X-authentik-email"
+                "X-authentik-name"
+                "X-authentik-uid"
+                "X-authentik-jwt"
+                "X-authentik-meta-jwks"
+                "X-authentik-meta-outpost"
+                "X-authentik-meta-provider"
+                "X-authentik-meta-app"
+                "X-authentik-meta-version"
+              ];
+            };
+          };
+        };
+
+        services = {
+          authentik.loadBalancer.servers = [
+            {
+              url = authentikUrl;
+            }
+          ];
+          collabora.loadBalancer.servers = [
+            {
+              url = collaboraUrl;
+            }
+          ];
+          cloud.loadBalancer.servers = [
+            {
+              url = cloudUrl;
+            }
+          ];
+          jellyfin.loadBalancer.servers = [
+            {
+              url = jellyfinUrl;
+            }
+          ];
+          jellyseerr.loadBalancer.servers = [
+            {
+              url = jellyseerrUrl;
+            }
+          ];
+        };
+
+        routers = {
+          authentik = {
+            entryPoints = ["websecure"];
+            rule = "Host(`authentik.${domain}`)";
+            service = "authentik";
+            tls.certResolver = "letsencrypt";
+          };
+          collabora = {
+            entryPoints = ["websecure"];
+            rule = "Host(`office.${domain}`)";
+            service = "collabora";
+            tls.certResolver = "letsencrypt";
+          };
+          cloud = {
+            entryPoints = ["websecure"];
+            rule = "Host(`cloud.${domain}`)";
+            service = "cloud";
+            tls.certResolver = "letsencrypt";
+          };
+          jellyfin = {
+            entryPoints = ["websecure"];
+            rule = "Host(`jellyfin.${domain}`)";
+            service = "jellyfin";
+            tls.certResolver = "letsencrypt";
+          };
+          jellyseerr = {
+            entryPoints = ["websecure"];
+            rule = "Host(`jellyseerr.${domain}`)";
+            service = "jellyseerr";
+            tls.certResolver = "letsencrypt";
+          };
+        };
+      };
+    };
+  };
+  # todo: fail2ban/etc
+}
--- a/hosts/nas/configuration.nix
+++ b/hosts/nas/configuration.nix
@@ -153,7 +153,10 @@ in
        "authentik-client-api-2024.6.4"
        "authentik-website-2024.6.4"
        "authentik-proxy-2024.6.4"
+        "aspnetcore-runtime-6.0.36"
        "aspnetcore-runtime-wrapped-6.0.36"
+        "dotnet-sdk-6.0.428"
+        "dotnet-sdk-wrapped-6.0.428"
      ];
    };
  };
--- a/hosts/nas/services.nix
+++ b/hosts/nas/services.nix
@@ -7,7 +7,7 @@ in
  services = {

    minecraft-server = {
-      enable = true;
+      enable = false;
      eula = true;
      declarative = true;
      openFirewall = true;
@@ -201,7 +201,7 @@ in
    };

    grafana = {
-      enable = true;
+      enable = false;
      settings.server = {
        http_port = 2342;
        domain = "10.0.1.18";
@@ -212,12 +212,12 @@ in
    };
    
    nix-serve = {
-      enable = true;
+      enable = false;
      secretKeyFile = "/var/cache-priv-key.pem";
    };

    prometheus = {
-      enable = true;
+      enable = false;
      port = 8000;
      exporters = {
        node = {
--- a/modules/apps/nextcloud/default.nix
+++ b/modules/apps/nextcloud/default.nix
@@ -1,30 +0,0 @@
-{ lib, config, ... }:
-with lib;
-let
-  cfg = config.nas-apps.nextcloud;
-in
-{
-  imports = [ ./options.nix ];
-
-  config = mkIf cfg.enable {
-    virtualisation.oci-containers.containers."${cfg.name}" = {
-      autoStart = cfg.autoStart;
-      image = cfg.image;
-      extraOptions = [ "--device=nvidia.com/gpu=0" ];
-      ports = [
-        "${cfg.httpPort}:80"
-        "${cfg.httpsPort}:443"
-      ];
-      volumes = [
-        "${cfg.configPath}:/config"
-        "${cfg.dataPath}:/data"
-        "${cfg.tmpPath}:/data-tmp"
-      ];
-      environment = {
-        PUID = cfg.puid;
-        PGID = cfg.pgid;
-        TZ = cfg.timeZone;
-      };
-    };
-  };
-}
--- a/modules/apps/nextcloud/options.nix
+++ b/modules/apps/nextcloud/options.nix
@@ -1,67 +0,0 @@
-{ lib, ... }:
-with lib;
-{
-  options.nas-apps.nextcloud = {
-    enable = mkEnableOption "nextcloud docker service";
-
-    autoStart = mkOption {
-      type = types.bool;
-      default = true;
-    };
-
-    httpPort = mkOption {
-      type = types.str;
-      default = "80";
-    };
-
-    httpsPort = mkOption {
-      type = types.str;
-      default = "443";
-    };
-
-    name = mkOption {
-      type = types.str;
-      default = "nextcloud";
-    };
-
-    image = mkOption {
-      type = types.str;
-      default = "linuxserver/nextcloud";
-    };
-
-    configPath = mkOption {
-      type = types.str;
-      default = "/media/nas/ssd/ssd_app_data/nextcloud";
-    };
-
-    dataPath = mkOption {
-      type = types.str;
-      default = "/media/nas/main/nextcloud";
-    };
-
-    tmpPath = mkOption {
-      type = types.str;
-      default = "/media/nas/ssd/nix-app-data/tmp";
-    };
-
-    redisSock = mkOption {
-      type = types.str;
-      default = "";
-    };
-
-    puid = mkOption {
-      type = types.str;
-      default = "911";
-    };
-
-    pgid = mkOption {
-      type = types.str;
-      default = "1000";
-    };
-
-    timeZone = mkOption {
-      type = types.str;
-      default = "America/Chicago";
-    };
-  };
-}
--- a/modules/apps/swag/default.nix
+++ b/modules/apps/swag/default.nix
@@ -1,47 +0,0 @@
-{ lib, config, ... }:
-with lib;
-let
-  cfg = config.nas-apps.swag;
-in
-{
-  imports = [ ./options.nix ];
-
-  config = mkIf cfg.enable {
-
-    networking.firewall = {
-      allowedTCPPorts = [
-        cfg.httpPort
-        cfg.httpsPort
-        81
-      ];
-      allowedUDPPorts = [
-        cfg.httpPort
-        cfg.httpsPort
-        81
-      ];
-    };
-
-    virtualisation.oci-containers.containers."${cfg.name}" = {
-      autoStart = cfg.autoStart;
-      image = cfg.image;
-      ports = [
-        "${toString cfg.httpPort}:80"
-        "${toString cfg.httpsPort}:443"
-        "81:81"
-      ];
-      extraOptions = [ "--cap-add=NET_ADMIN" ];
-      volumes = [ "${cfg.configPath}:/config" ];
-      environment = {
-        PUID = cfg.puid;
-        PGID = cfg.pgid;
-        TZ = cfg.timeZone;
-        EMAIL = cfg.email;
-        URL = cfg.url;
-        VALIDATION = cfg.validation;
-        DNSPLUGIN = cfg.dnsPlugin;
-        SUBDOMAINS = cfg.subdomains;
-        DOCKER_MODS = "linuxserver/mods:swag-dashboard";
-      };
-    };
-  };
-}
--- a/modules/apps/swag/options.nix
+++ b/modules/apps/swag/options.nix
@@ -1,77 +0,0 @@
-{ lib, ... }:
-with lib;
-{
-  options.nas-apps.swag = {
-    enable = mkEnableOption "swag docker service";
-
-    autoStart = mkOption {
-      type = types.bool;
-      default = true;
-    };
-
-    httpPort = mkOption {
-      type = types.int;
-      default = 80;
-    };
-
-    httpsPort = mkOption {
-      type = types.int;
-      default = 443;
-    };
-
-    name = mkOption {
-      type = types.str;
-      default = "swag";
-    };
-
-    image = mkOption {
-      type = types.str;
-      default = "linuxserver/swag";
-    };
-
-    configPath = mkOption {
-      type = types.str;
-      default = "/media/nas/ssd/ssd_app_data/swag";
-    };
-
-    puid = mkOption {
-      type = types.str;
-      default = "911";
-    };
-
-    pgid = mkOption {
-      type = types.str;
-      default = "1000";
-    };
-
-    timeZone = mkOption {
-      type = types.str;
-      default = "America/Chicago";
-    };
-
-    email = mkOption {
-      type = types.str;
-      default = "jalle008@proton.me";
-    };
-
-    url = mkOption {
-      type = types.str;
-      default = "mjallen.dev";
-    };
-
-    validation = mkOption {
-      type = types.str;
-      default = "dns";
-    };
-
-    dnsPlugin = mkOption {
-      type = types.str;
-      default = "cloudflare";
-    };
-
-    subdomains = mkOption {
-      type = types.str;
-      default = "wildcard";
-    };
-  };
-}
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -3,7 +3,6 @@
  imports = [
    ./samba
    ./apps/collabora
-    ./apps/deluge
    ./apps/discover-wrapped
    ./apps/free-games-claimer
    ./apps/jackett
@@ -11,10 +10,7 @@
    ./apps/mariadb
    ./apps/mongodb
    ./apps/netbootxyz
-    ./apps/nextcloud
-    ./apps/ollama
    ./apps/open-webui
-    ./apps/swag
    ./apps/tdarr
    ./apps/your-spotify
  ];
--- a/modules/services/jellyfin/default.nix
+++ b/modules/services/jellyfin/default.nix
@@ -1,17 +0,0 @@
-{ pkgs, ... }:
-{
-  services.jellyfin = {
-    enable = true;
-    openFirewall = true;
-    user = "nix-apps";
-    group = "jallen-nas";
-    dataDir = "/media/nas/ssd/nix-app-data/jellyfin/data";
-    configDir = "/media/nas/ssd/nix-app-data/jellyfin/config";
-  };
-
-  environment.systemPackages = [
-    pkgs.jellyfin
-    pkgs.jellyfin-web
-    pkgs.jellyfin-ffmpeg
-  ];
-}