mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

traefik

Browse Source
This commit is contained in:
mjallen18
2024-12-28 01:45:31 -06:00
parent 9caa802d46
commit 161dc2d411
14 changed files with 251 additions and 281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
hosts/nas/apps/arrs/default.nix
View File

@@ -3,7 +3,7 @@
let
radarrPort = 7878;
sonarrPort = 8989;
sabnzbdPort = 8080;
sabnzbdPort = 8280;
radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads";
incompleteDir = "/downloads-incomplete";
@@ -12,9 +12,15 @@ let
mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid;
sonarrPkg = pkgs.unstable.sonarr;
# sonarrPkg = pkgs.stable.sonarr;
in
{
nixpkgs.config.permittedInsecurePackages = [
"aspnetcore-runtime-6.0.36"
"aspnetcore-runtime-wrapped-6.0.36"
"dotnet-sdk-6.0.428"
"dotnet-sdk-wrapped-6.0.428"
];
containers.arrs = {
autoStart = true;
@@ -23,14 +29,13 @@ in
localAddress = "10.0.1.51";
config = { config, pkgs, lib, ... }: {
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"aspnetcore-runtime-6.0.36"
"aspnetcore-runtime-wrapped-6.0.36"
"dotnet-sdk-6.0.428"
"dotnet-sdk-wrapped-6.0.428"
];
nixpkgs.config.allowUnfree = true;
# Enable radarr service
services.radarr = {
@@ -48,7 +53,7 @@ in
user = "arrs";
group = "media";
dataDir = sonarrDataDir;
package = sonarrPkg;
# package = sonarrPkg;
};
# Enable Sabnzbd service

31
hosts/nas/apps/ollama/default.nix Normal file
View File

@@ -0,0 +1,31 @@
{ pkgs, ... }:
{
services.ollama = {
enable = true;
port = 11434;
user = "nix-apps";
group = "jallen-nas";
openFirewall = true;
acceleration = "cuda";
home = "/media/nas/ssd/nix-app-data/ollama";
};
services.open-webui = {
enable = true;
port = 8888;
openFirewall = true;
stateDir = "/media/nas/ssd/nix-app-data/open-webui";
environment = {
OAUTH_CLIENT_ID = "P4YrtPrdwoQkwYs4e5AHQx7xiz4FV6OpT24rjqXa";
OAUTH_CLIENT_SECRET = "XpZ1Y9RUMD6FVxBSxg8evHkRYuSUJ3saN99uCFfeNo4Z8vrmnqZBHJQzSSCFig1fgqEYCr3SmcOvCHGHUsz9FJT2aZFlZxKv6bZZpuMQYASHiQtuX2pTVEspiNab3129";
OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
OPENID_PROVIDER_NAME = "authentik";
ENABLE_OAUTH_SIGNUP = "true";
OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "true";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
};
};
}

162
hosts/nas/apps/traefik/default.nix Normal file
View File

@@ -0,0 +1,162 @@
{ config, ... }:
let
traefikDataDir = "/var/lib/traefik";
traefikUserId = config.users.users.nix-apps.uid;
traefikGroupId = config.users.groups.jallen-nas.gid;
domain = "mjallen.dev";
authentikUrl = "http://10.0.1.18:9000";
collaboraUrl = "http://10.0.1.18:9980";
cloudUrl = "http://10.0.2.18:80";
jellyfinUrl = "http://10.0.1.18:8096";
jellyseerrUrl = "http://10.0.1.18:5055";
in
{
networking.firewall = {
allowedTCPPorts = [
80
443
8080
];
allowedUDPPorts = [
80
443
8080
];
};
services.traefik = {
enable = true;
dataDir = "/media/nas/ssd/nix-app-data/traefik";
group = "jallen-nas";
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
staticConfigOptions = {
entryPoints = {
web = {
address = ":80";
asDefault = true;
http.redirections.entrypoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
asDefault = true;
http.tls.certResolver = "letsencrypt";
};
};
log = {
level = "INFO";
};
certificatesResolvers.letsencrypt.acme = {
email = "jalle008@proton.me";
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
api.dashboard = true;
# Access the Traefik dashboard on <Traefik IP>:8080 of your server
# api.insecure = true;
};
dynamicConfigOptions = {
http = {
middlewares = {
authentik = {
forwardAuth = {
tls.insecureSkipVerify = true;
address = "https://authentik.${domain}/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true;
authResponseHeaders = [
"X-authentik-username"
"X-authentik-groups"
"X-authentik-email"
"X-authentik-name"
"X-authentik-uid"
"X-authentik-jwt"
"X-authentik-meta-jwks"
"X-authentik-meta-outpost"
"X-authentik-meta-provider"
"X-authentik-meta-app"
"X-authentik-meta-version"
];
};
};
};
services = {
authentik.loadBalancer.servers = [
{
url = authentikUrl;
}
];
collabora.loadBalancer.servers = [
{
url = collaboraUrl;
}
];
cloud.loadBalancer.servers = [
{
url = cloudUrl;
}
];
jellyfin.loadBalancer.servers = [
{
url = jellyfinUrl;
}
];
jellyseerr.loadBalancer.servers = [
{
url = jellyseerrUrl;
}
];
};
routers = {
authentik = {
entryPoints = ["websecure"];
rule = "Host(`authentik.${domain}`)";
service = "authentik";
tls.certResolver = "letsencrypt";
};
collabora = {
entryPoints = ["websecure"];
rule = "Host(`office.${domain}`)";
service = "collabora";
tls.certResolver = "letsencrypt";
};
cloud = {
entryPoints = ["websecure"];
rule = "Host(`cloud.${domain}`)";
service = "cloud";
tls.certResolver = "letsencrypt";
};
jellyfin = {
entryPoints = ["websecure"];
rule = "Host(`jellyfin.${domain}`)";
service = "jellyfin";
tls.certResolver = "letsencrypt";
};
jellyseerr = {
entryPoints = ["websecure"];
rule = "Host(`jellyseerr.${domain}`)";
service = "jellyseerr";
tls.certResolver = "letsencrypt";
};
};
};
};
};
# todo: fail2ban/etc
}