From 161dc2d411724938ce0893443db5dd4d9e917699 Mon Sep 17 00:00:00 2001 From: mjallen18 Date: Sat, 28 Dec 2024 01:45:31 -0600 Subject: [PATCH] traefik --- flake.lock | 34 +++++- flake.nix | 14 +-- hosts/nas/apps.nix | 23 +--- hosts/nas/apps/arrs/default.nix | 15 ++- hosts/nas/apps/ollama/default.nix | 31 +++++ hosts/nas/apps/traefik/default.nix | 162 ++++++++++++++++++++++++++ hosts/nas/configuration.nix | 3 + hosts/nas/services.nix | 8 +- modules/apps/nextcloud/default.nix | 30 ----- modules/apps/nextcloud/options.nix | 67 ----------- modules/apps/swag/default.nix | 47 -------- modules/apps/swag/options.nix | 77 ------------ modules/default.nix | 4 - modules/services/jellyfin/default.nix | 17 --- 14 files changed, 251 insertions(+), 281 deletions(-) create mode 100644 hosts/nas/apps/ollama/default.nix create mode 100644 hosts/nas/apps/traefik/default.nix delete mode 100644 modules/apps/nextcloud/default.nix delete mode 100644 modules/apps/nextcloud/options.nix delete mode 100644 modules/apps/swag/default.nix delete mode 100644 modules/apps/swag/options.nix delete mode 100644 modules/services/jellyfin/default.nix diff --git a/flake.lock b/flake.lock index ca3963d..8da3843 100644 --- a/flake.lock +++ b/flake.lock @@ -220,11 +220,11 @@ ] }, "locked": { - "lastModified": 1735053786, - "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=", + "lastModified": 1735343815, + "narHash": "sha256-p7IJP/97zJda/wwCn1T2LJBz4olF5LjNf4uwhuyvARo=", "owner": "nix-community", "repo": "home-manager", - "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84", + "rev": "b7a7cd5dd1a74a9fe86ed4e016f91c78483b527a", "type": "github" }, "original": { 
@@ -233,6 +233,27 @@ "type": "github" } }, + "home-manager-stable": { + "inputs": { + "nixpkgs": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1735344290, + "narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "613691f285dad87694c2ba1c9e6298d04736292d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, "impermanence": { "locked": { "lastModified": 1734945620, @@ -437,11 +458,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1734649271, - "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=", + "lastModified": 1735291276, + "narHash": "sha256-NYVcA06+blsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507", + "rev": "634fd46801442d760e09493a794c4f15db2d0cbb", "type": "github" }, "original": { @@ -545,6 +566,7 @@ "inputs": { "authentik-nix": "authentik-nix", "home-manager": "home-manager", + "home-manager-stable": "home-manager-stable", "impermanence": "impermanence", "lanzaboote": "lanzaboote", "nix-darwin": "nix-darwin", diff --git a/flake.nix b/flake.nix index 29ac9d0..207598a 100644 --- a/flake.nix +++ b/flake.nix @@ -30,10 +30,10 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - # home-manager-stable = { - # url = "github:nix-community/home-manager/release-24.11"; - # inputs.nixpkgs.follows = "nixpkgs-stable"; - # }; + home-manager-stable = { + url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs-stable"; + }; # Lanzaboote lanzaboote = { @@ -69,7 +69,7 @@ lanzaboote, impermanence, home-manager, - # home-manager-stable, + home-manager-stable, nixos-hardware, nix-darwin, nixos-apple-silicon, 
@@ -116,7 +116,7 @@ }; # NAS - "jallen-nas" = nixpkgs-unstable.lib.nixosSystem { + "jallen-nas" = nixpkgs-stable.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs outputs; @@ -125,7 +125,7 @@ impermanence.nixosModules.impermanence ./hosts/nas/configuration.nix ./hosts/nas/impermanence.nix - home-manager.nixosModules.home-manager + home-manager-stable.nixosModules.home-manager { home-manager.useGlobalPkgs = false; home-manager.useUserPackages = true; diff --git a/hosts/nas/apps.nix b/hosts/nas/apps.nix index 2653a2f..730b8b9 100644 --- a/hosts/nas/apps.nix +++ b/hosts/nas/apps.nix @@ -4,10 +4,11 @@ ./apps/arrs ./apps/jellyfin/jellyfin.nix ./apps/jellyseerr/jellyseerr.nix - ./apps/paperless - ../../modules - ./apps/nextcloud + ./apps/ollama + ./apps/paperless + ./apps/traefik + ../../modules ]; nas-apps = { @@ -17,8 +18,6 @@ environmentFiles = [ config.sops.secrets."jallen-nas/collabora".path ]; }; - deluge.enable = false; - free-games-claimer.enable = true; jackett.enable = true; @@ -26,7 +25,7 @@ manyfold.enable = true; mariadb = { - enable = true; + enable = false; environmentFiles = [ config.sops.secrets."jallen-nas/mariadb/db_pass".path config.sops.secrets."jallen-nas/mariadb/root_pass".path @@ -41,17 +40,7 @@ port2 = "4080"; }; - nextcloud = { - enable = false; - httpPort = "9981"; - httpsPort = "9943"; - }; - - ollama.enable = true; - - open-webui.enable = true; - - swag.enable = true; + open-webui.enable = false; tdarr.enable = true; diff --git a/hosts/nas/apps/arrs/default.nix b/hosts/nas/apps/arrs/default.nix index 509522e..3591daa 100644 --- a/hosts/nas/apps/arrs/default.nix +++ b/hosts/nas/apps/arrs/default.nix @@ -3,7 +3,7 @@ let radarrPort = 7878; sonarrPort = 8989; - sabnzbdPort = 8080; + sabnzbdPort = 8280; radarrDataDir = "/var/lib/radarr"; downloadDir = "/downloads"; incompleteDir = "/downloads-incomplete"; 
@@ -12,9 +12,15 @@ let mediaDir = "/media"; arrUserId = config.users.users.nix-apps.uid; arrGroupId = config.users.groups.jallen-nas.gid; - sonarrPkg = pkgs.unstable.sonarr; + # sonarrPkg = pkgs.stable.sonarr; in { + nixpkgs.config.permittedInsecurePackages = [ + "aspnetcore-runtime-6.0.36" + "aspnetcore-runtime-wrapped-6.0.36" + "dotnet-sdk-6.0.428" + "dotnet-sdk-wrapped-6.0.428" + ]; containers.arrs = { autoStart = true; @@ -23,14 +29,13 @@ in localAddress = "10.0.1.51"; config = { config, pkgs, lib, ... }: { + nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ "aspnetcore-runtime-6.0.36" "aspnetcore-runtime-wrapped-6.0.36" "dotnet-sdk-6.0.428" "dotnet-sdk-wrapped-6.0.428" ]; - - nixpkgs.config.allowUnfree = true; # Enable radarr service services.radarr = { @@ -48,7 +53,7 @@ in user = "arrs"; group = "media"; dataDir = sonarrDataDir; - package = sonarrPkg; + # package = sonarrPkg; }; # Enable Sabnzbd service diff --git a/hosts/nas/apps/ollama/default.nix b/hosts/nas/apps/ollama/default.nix new file mode 100644 index 0000000..e8bbd40 --- /dev/null +++ b/hosts/nas/apps/ollama/default.nix 
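Review bot: The .NET 6 entries added to `nixpkgs.config.permittedInsecurePackages` now appear three times in this patch — at host level in this file, inside `containers.arrs.config`, and in hosts/nas/configuration.nix further down — with nothing recording what pulls them in; the commented-out `sonarrPkg` suggests sonarr from the stable channel is the consumer, but that is an inference. The container evaluates its own nixpkgs, so that copy is needed, while the host-level list here only duplicates the one in configuration.nix and can be dropped in favour of a single documented allowance such as `# EOL .NET 6 runtime, presumably needed by sonarr on nixpkgs-stable; revisit on the next channel bump`. Permitting an end-of-life runtime means accepting its unpatched advisories, so the reason and a review date belong next to the list rather than being implied by a comment elsewhere. The enclosing `containers.arrs` attribute set continues outside the hunk.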
@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+ services.ollama = {
+ enable = true;
+ port = 11434;
+ user = "nix-apps";
+ group = "jallen-nas";
+ openFirewall = true;
+ acceleration = "cuda";
+ home = "/media/nas/ssd/nix-app-data/ollama";
+ };
+
+ services.open-webui = {
+ enable = true;
+ port = 8888;
+ openFirewall = true;
+ stateDir = "/media/nas/ssd/nix-app-data/open-webui";
+ environment = {
+ OAUTH_CLIENT_ID = "P4YrtPrdwoQkwYs4e5AHQx7xiz4FV6OpT24rjqXa";
+ OAUTH_CLIENT_SECRET = "XpZ1Y9RUMD6FVxBSxg8evHkRYuSUJ3saN99uCFfeNo4Z8vrmnqZBHJQzSSCFig1fgqEYCr3SmcOvCHGHUsz9FJT2aZFlZxKv6bZZpuMQYASHiQtuX2pTVEspiNab3129";
+ OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
+ OPENID_PROVIDER_NAME = "authentik";
+ ENABLE_OAUTH_SIGNUP = "true";
+ OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "true";
+ ANONYMIZED_TELEMETRY = "False";
+ DO_NOT_TRACK = "True";
+ SCARF_NO_ANALYTICS = "True";
+ OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
+ };
+ };
+}
\ No newline at end of file
diff --git a/hosts/nas/apps/traefik/default.nix b/hosts/nas/apps/traefik/default.nix
new file mode 100644
index 0000000..e1751be
--- /dev/null
+++ b/hosts/nas/apps/traefik/default.nix
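Review bot: `OAUTH_CLIENT_SECRET` in `services.open-webui.environment` is a string literal in the Nix file, so it is committed to the repository and, depending on how the module renders `environment` into the unit, very likely ends up in the world-readable Nix store as well; move it to a sops-managed environment file (the open-webui module's `environmentFile` option, if the pinned nixpkgs provides it, and the `config.sops.secrets."jallen-nas/...".path` pattern apps.nix already uses for collabora and mariadb), and rotate the client secret in authentik, since the current value is now part of git history. `services.ollama.openFirewall = true` opens 11434 to the network although ollama's API has no authentication of its own and the only consumer configured here reaches it via `OLLAMA_API_BASE_URL = "http://127.0.0.1:11434"`; unless another host needs the API, leaving `openFirewall` at its default keeps it loopback-only. `OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "true"` together with `ENABLE_OAUTH_SIGNUP = "true"` links an existing account to whoever presents that email claim, which is acceptable only because authentik is the sole IdP and controls email verification; a one-line comment recording that assumption would help. The file also lacks a trailing newline.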
@@ -0,0 +1,162 @@
+{ config, ... }:
+let
+ traefikDataDir = "/var/lib/traefik";
+ traefikUserId = config.users.users.nix-apps.uid;
+ traefikGroupId = config.users.groups.jallen-nas.gid;
+ domain = "mjallen.dev";
+
+ authentikUrl = "http://10.0.1.18:9000";
+ collaboraUrl = "http://10.0.1.18:9980";
+ cloudUrl = "http://10.0.2.18:80";
+ jellyfinUrl = "http://10.0.1.18:8096";
+ jellyseerrUrl = "http://10.0.1.18:5055";
+in
+{
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80
+ 443
+ 8080
+ ];
+ allowedUDPPorts = [
+ 80
+ 443
+ 8080
+ ];
+ };
+
+ services.traefik = {
+ enable = true;
+ dataDir = "/media/nas/ssd/nix-app-data/traefik";
+ group = "jallen-nas";
+ environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
+
+ staticConfigOptions = {
+ entryPoints = {
+ web = {
+ address = ":80";
+ asDefault = true;
+ http.redirections.entrypoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+
+ websecure = {
+ address = ":443";
+ asDefault = true;
+ http.tls.certResolver = "letsencrypt";
+ };
+ };
+
+ log = {
+ level = "INFO";
+ };
+
+ certificatesResolvers.letsencrypt.acme = {
+ email = "jalle008@proton.me";
+ storage = "${config.services.traefik.dataDir}/acme.json";
+ dnsChallenge = {
+ provider = "cloudflare";
+ resolvers = [
+ "1.1.1.1:53"
+ "8.8.8.8:53"
+ ];
+ };
+ };
+
+ api.dashboard = true;
+ # Access the Traefik dashboard on :8080 of your server
+ # api.insecure = true;
+ };
+
+ dynamicConfigOptions = {
+ http = {
+ middlewares = {
+ authentik = {
+ forwardAuth = {
+ tls.insecureSkipVerify = true;
+ address = "https://authentik.${domain}/outpost.goauthentik.io/auth/traefik";
+ trustForwardHeader = true;
+ authResponseHeaders = [
+ "X-authentik-username"
+ "X-authentik-groups"
+ "X-authentik-email"
+ "X-authentik-name"
+ "X-authentik-uid"
+ "X-authentik-jwt"
+ "X-authentik-meta-jwks"
+ "X-authentik-meta-outpost"
+ "X-authentik-meta-provider"
+ "X-authentik-meta-app"
+ "X-authentik-meta-version"
+ ];
+ };
+ };
+ };
+
+ services = {
+ authentik.loadBalancer.servers = [
+ {
+ url = authentikUrl;
+ }
+ ];
+ collabora.loadBalancer.servers = [
+ {
+ url = collaboraUrl;
+ }
+ ];
+ cloud.loadBalancer.servers = [
+ {
+ url = cloudUrl;
+ }
+ ];
+ jellyfin.loadBalancer.servers = [
+ {
+ url = jellyfinUrl;
+ }
+ ];
+ jellyseerr.loadBalancer.servers = [
+ {
+ url = jellyseerrUrl;
+ }
+ ];
+ };
+
+ routers = {
+ authentik = {
+ entryPoints = ["websecure"];
+ rule = "Host(`authentik.${domain}`)";
+ service = "authentik";
+ tls.certResolver = "letsencrypt";
+ };
+ collabora = {
+ entryPoints = ["websecure"];
+ rule = "Host(`office.${domain}`)";
+ service = "collabora";
+ tls.certResolver = "letsencrypt";
+ };
+ cloud = {
+ entryPoints = ["websecure"];
+ rule = "Host(`cloud.${domain}`)";
+ service = "cloud";
+ tls.certResolver = "letsencrypt";
+ };
+ jellyfin = {
+ entryPoints = ["websecure"];
+ rule = "Host(`jellyfin.${domain}`)";
+ service = "jellyfin";
+ tls.certResolver = "letsencrypt";
+ };
+ jellyseerr = {
+ entryPoints = ["websecure"];
+ rule = "Host(`jellyseerr.${domain}`)";
+ service = "jellyseerr";
+ tls.certResolver = "letsencrypt";
+ };
+ };
+ };
+ };
+ };
+ # todo: fail2ban/etc
+}
\ No newline at end of file
diff --git a/hosts/nas/configuration.nix b/hosts/nas/configuration.nix
index 7f0fd06..e01e1b5 100755
--- a/hosts/nas/configuration.nix
+++ b/hosts/nas/configuration.nix
@@ -153,7 +153,10 @@ in
 "authentik-client-api-2024.6.4"
 "authentik-website-2024.6.4"
 "authentik-proxy-2024.6.4"
+ "aspnetcore-runtime-6.0.36"
 "aspnetcore-runtime-wrapped-6.0.36"
+ "dotnet-sdk-6.0.428"
+ "dotnet-sdk-wrapped-6.0.428"
 ];
 };
 };
diff --git a/hosts/nas/services.nix b/hosts/nas/services.nix
index c5f6080..d1f41ba 100644
--- a/hosts/nas/services.nix
+++ b/hosts/nas/services.nix
@@ -7,7 +7,7 @@ in services = { minecraft-server = { - enable = true; + enable = false; eula = true; declarative = true; openFirewall = true;
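Review bot: The `authentik` forwardAuth middleware defined under `dynamicConfigOptions.http.middlewares` is never attached to anything — none of the five routers sets `middlewares` — so as committed no published hostname is gated by authentik; if that is deliberate for jellyfin and jellyseerr, which carry their own logins, say so in a comment, otherwise add `middlewares = [ "authentik" ];` to the routers that should be protected. `tls.insecureSkipVerify = true` on that middleware can be removed if the forward-auth call goes to the outpost directly over the internal address already bound in the `let`, `address = "${authentikUrl}/outpost.goauthentik.io/auth/traefik";`, instead of looping back through the public hostname and its certificate. `networking.firewall.allowedUDPPorts = [ 80 443 8080 ]` opens ports nothing here listens on (no HTTP/3 entryPoint is configured), and TCP 8080 is only bound when `api.insecure = true`, which is commented out; `allowedTCPPorts = [ 80 443 ];` alone matches the entryPoints actually defined. The plaintext `traefik.env`, which presumably holds the Cloudflare token used by the DNS challenge, is already tagged `# todo: sops`; the `config.sops.secrets."jallen-nas/...".path` pattern used for collabora and mariadb in apps.nix fits here unchanged.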
@@ -201,7 +201,7 @@ in }; grafana = { - enable = true; + enable = false; settings.server = { http_port = 2342; domain = "10.0.1.18"; @@ -212,12 +212,12 @@ in }; nix-serve = { - enable = true; + enable = false; secretKeyFile = "/var/cache-priv-key.pem"; }; prometheus = { - enable = true; + enable = false; port = 8000; exporters = { node = { diff --git a/modules/apps/nextcloud/default.nix b/modules/apps/nextcloud/default.nix deleted file mode 100644 index e52df16..0000000 --- a/modules/apps/nextcloud/default.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ lib, config, ... }: -with lib; -let - cfg = config.nas-apps.nextcloud; -in -{ - imports = [ ./options.nix ]; - - config = mkIf cfg.enable { - virtualisation.oci-containers.containers."${cfg.name}" = { - autoStart = cfg.autoStart; - image = cfg.image; - extraOptions = [ "--device=nvidia.com/gpu=0" ]; - ports = [ - "${cfg.httpPort}:80" - "${cfg.httpsPort}:443" - ]; - volumes = [ - "${cfg.configPath}:/config" - "${cfg.dataPath}:/data" - "${cfg.tmpPath}:/data-tmp" - ]; - environment = { - PUID = cfg.puid; - PGID = cfg.pgid; - TZ = cfg.timeZone; - }; - }; - }; -} diff --git a/modules/apps/nextcloud/options.nix b/modules/apps/nextcloud/options.nix deleted file mode 100644 index e130966..0000000 --- a/modules/apps/nextcloud/options.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -{ lib, ... }: -with lib; -{ - options.nas-apps.nextcloud = { - enable = mkEnableOption "nextcloud docker service"; - - autoStart = mkOption { - type = types.bool; - default = true; - }; - - httpPort = mkOption { - type = types.str; - default = "80"; - }; - - httpsPort = mkOption { - type = types.str; - default = "443"; - }; - - name = mkOption { - type = types.str; - default = "nextcloud"; - }; - - image = mkOption { - type = types.str; - default = "linuxserver/nextcloud"; - }; - - configPath = mkOption { - type = types.str; - default = "/media/nas/ssd/ssd_app_data/nextcloud"; - }; - - dataPath = mkOption { - type = types.str; - default = "/media/nas/main/nextcloud"; - }; - - tmpPath = mkOption { - type = types.str; - default = "/media/nas/ssd/nix-app-data/tmp"; - }; - - redisSock = mkOption { - type = types.str; - default = ""; - }; - - puid = mkOption { - type = types.str; - default = "911"; - }; - - pgid = mkOption { - type = types.str; - default = "1000"; - }; - - timeZone = mkOption { - type = types.str; - default = "America/Chicago"; - }; - }; -} diff --git a/modules/apps/swag/default.nix b/modules/apps/swag/default.nix deleted file mode 100644 index 0d9598d..0000000 --- a/modules/apps/swag/default.nix +++ /dev/null 
@@ -1,47 +0,0 @@ -{ lib, config, ... }: -with lib; -let - cfg = config.nas-apps.swag; -in -{ - imports = [ ./options.nix ]; - - config = mkIf cfg.enable { - - networking.firewall = { - allowedTCPPorts = [ - cfg.httpPort - cfg.httpsPort - 81 - ]; - allowedUDPPorts = [ - cfg.httpPort - cfg.httpsPort - 81 - ]; - }; - - virtualisation.oci-containers.containers."${cfg.name}" = { - autoStart = cfg.autoStart; - image = cfg.image; - ports = [ - "${toString cfg.httpPort}:80" - "${toString cfg.httpsPort}:443" - "81:81" - ]; - extraOptions = [ "--cap-add=NET_ADMIN" ]; - volumes = [ "${cfg.configPath}:/config" ]; - environment = { - PUID = cfg.puid; - PGID = cfg.pgid; - TZ = cfg.timeZone; - EMAIL = cfg.email; - URL = cfg.url; - VALIDATION = cfg.validation; - DNSPLUGIN = cfg.dnsPlugin; - SUBDOMAINS = cfg.subdomains; - DOCKER_MODS = "linuxserver/mods:swag-dashboard"; - }; - }; - }; -} diff --git a/modules/apps/swag/options.nix b/modules/apps/swag/options.nix deleted file mode 100644 index 77329ed..0000000 --- a/modules/apps/swag/options.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -{ lib, ... }: -with lib; -{ - options.nas-apps.swag = { - enable = mkEnableOption "swag docker service"; - - autoStart = mkOption { - type = types.bool; - default = true; - }; - - httpPort = mkOption { - type = types.int; - default = 80; - }; - - httpsPort = mkOption { - type = types.int; - default = 443; - }; - - name = mkOption { - type = types.str; - default = "swag"; - }; - - image = mkOption { - type = types.str; - default = "linuxserver/swag"; - }; - - configPath = mkOption { - type = types.str; - default = "/media/nas/ssd/ssd_app_data/swag"; - }; - - puid = mkOption { - type = types.str; - default = "911"; - }; - - pgid = mkOption { - type = types.str; - default = "1000"; - }; - - timeZone = mkOption { - type = types.str; - default = "America/Chicago"; - }; - - email = mkOption { - type = types.str; - default = "jalle008@proton.me"; - }; - - url = mkOption { - type = types.str; - default = "mjallen.dev"; - }; - - validation = mkOption { - type = types.str; - default = "dns"; - }; - - dnsPlugin = mkOption { - type = types.str; - default = "cloudflare"; - }; - - subdomains = mkOption { - type = types.str; - default = "wildcard"; - }; - }; -} diff --git a/modules/default.nix b/modules/default.nix index 055f2bd..3989c1f 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -3,7 +3,6 @@ imports = [ ./samba ./apps/collabora - ./apps/deluge ./apps/discover-wrapped ./apps/free-games-claimer ./apps/jackett @@ -11,10 +10,7 @@ ./apps/mariadb ./apps/mongodb ./apps/netbootxyz - ./apps/nextcloud - ./apps/ollama ./apps/open-webui - ./apps/swag ./apps/tdarr ./apps/your-spotify ]; diff --git a/modules/services/jellyfin/default.nix b/modules/services/jellyfin/default.nix deleted file mode 100644 index a3a54c5..0000000 --- a/modules/services/jellyfin/default.nix +++ /dev/null 
@@ -1,17 +0,0 @@ -{ pkgs, ... }: -{ - services.jellyfin = { - enable = true; - openFirewall = true; - user = "nix-apps"; - group = "jallen-nas"; - dataDir = "/media/nas/ssd/nix-app-data/jellyfin/data"; - configDir = "/media/nas/ssd/nix-app-data/jellyfin/config"; - }; - - environment.systemPackages = [ - pkgs.jellyfin - pkgs.jellyfin-web - pkgs.jellyfin-ffmpeg - ]; -} \ No newline at end of file