mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

traefik

Browse Source
This commit is contained in:
mjallen18
2024-12-28 01:45:31 -06:00
parent 9caa802d46
commit 161dc2d411
14 changed files with 251 additions and 281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
flake.lock generated
View File

@@ -220,11 +220,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735053786, "lastModified": 1735343815,
"narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=", "narHash": "sha256-p7IJP/97zJda/wwCn1T2LJBz4olF5LjNf4uwhuyvARo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84", "rev": "b7a7cd5dd1a74a9fe86ed4e016f91c78483b527a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -233,6 +233,27 @@
"type": "github" "type": "github"
} }
}, },
"home-manager-stable": {
"inputs": {
"nixpkgs": [
"nixpkgs-stable"
]
},
"locked": {
"lastModified": 1735344290,
"narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "613691f285dad87694c2ba1c9e6298d04736292d",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1734945620, "lastModified": 1734945620,
@@ -437,11 +458,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1734649271, "lastModified": 1735291276,
"narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=", "narHash": "sha256-NYVcA06+blsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507", "rev": "634fd46801442d760e09493a794c4f15db2d0cbb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -545,6 +566,7 @@
"inputs": { "inputs": {
"authentik-nix": "authentik-nix", "authentik-nix": "authentik-nix",
"home-manager": "home-manager", "home-manager": "home-manager",
"home-manager-stable": "home-manager-stable",
"impermanence": "impermanence", "impermanence": "impermanence",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",

14
flake.nix
View File

@@ -30,10 +30,10 @@
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
# home-manager-stable = { home-manager-stable = {
# url = "github:nix-community/home-manager/release-24.11"; url = "github:nix-community/home-manager/release-24.11";
# inputs.nixpkgs.follows = "nixpkgs-stable"; inputs.nixpkgs.follows = "nixpkgs-stable";
# }; };
# Lanzaboote # Lanzaboote
lanzaboote = { lanzaboote = {
@@ -69,7 +69,7 @@
lanzaboote, lanzaboote,
impermanence, impermanence,
home-manager, home-manager,
# home-manager-stable, home-manager-stable,
nixos-hardware, nixos-hardware,
nix-darwin, nix-darwin,
nixos-apple-silicon, nixos-apple-silicon,
@@ -116,7 +116,7 @@
}; };
# NAS # NAS
"jallen-nas" = nixpkgs-unstable.lib.nixosSystem { "jallen-nas" = nixpkgs-stable.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs outputs; inherit inputs outputs;
@@ -125,7 +125,7 @@
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
./hosts/nas/configuration.nix ./hosts/nas/configuration.nix
./hosts/nas/impermanence.nix ./hosts/nas/impermanence.nix
home-manager.nixosModules.home-manager home-manager-stable.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = false; home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;

23
hosts/nas/apps.nix
View File

@@ -4,10 +4,11 @@
./apps/arrs ./apps/arrs
./apps/jellyfin/jellyfin.nix ./apps/jellyfin/jellyfin.nix
./apps/jellyseerr/jellyseerr.nix ./apps/jellyseerr/jellyseerr.nix
./apps/paperless
../../modules
./apps/nextcloud ./apps/nextcloud
./apps/ollama
./apps/paperless
./apps/traefik
../../modules
]; ];
nas-apps = { nas-apps = {
@@ -17,8 +18,6 @@
environmentFiles = [ config.sops.secrets."jallen-nas/collabora".path ]; environmentFiles = [ config.sops.secrets."jallen-nas/collabora".path ];
}; };
deluge.enable = false;
free-games-claimer.enable = true; free-games-claimer.enable = true;
jackett.enable = true; jackett.enable = true;
@@ -26,7 +25,7 @@
manyfold.enable = true; manyfold.enable = true;
mariadb = { mariadb = {
enable = true; enable = false;
environmentFiles = [ environmentFiles = [
config.sops.secrets."jallen-nas/mariadb/db_pass".path config.sops.secrets."jallen-nas/mariadb/db_pass".path
config.sops.secrets."jallen-nas/mariadb/root_pass".path config.sops.secrets."jallen-nas/mariadb/root_pass".path
@@ -41,17 +40,7 @@
port2 = "4080"; port2 = "4080";
}; };
nextcloud = { open-webui.enable = false;
enable = false;
httpPort = "9981";
httpsPort = "9943";
};
ollama.enable = true;
open-webui.enable = true;
swag.enable = true;
tdarr.enable = true; tdarr.enable = true;

15
hosts/nas/apps/arrs/default.nix
View File

@@ -3,7 +3,7 @@
let let
radarrPort = 7878; radarrPort = 7878;
sonarrPort = 8989; sonarrPort = 8989;
sabnzbdPort = 8080; sabnzbdPort = 8280;
radarrDataDir = "/var/lib/radarr"; radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads"; downloadDir = "/downloads";
incompleteDir = "/downloads-incomplete"; incompleteDir = "/downloads-incomplete";
@@ -12,9 +12,15 @@ let
mediaDir = "/media"; mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid; arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid; arrGroupId = config.users.groups.jallen-nas.gid;
sonarrPkg = pkgs.unstable.sonarr; # sonarrPkg = pkgs.stable.sonarr;
in in
{ {
nixpkgs.config.permittedInsecurePackages = [
"aspnetcore-runtime-6.0.36"
"aspnetcore-runtime-wrapped-6.0.36"
"dotnet-sdk-6.0.428"
"dotnet-sdk-wrapped-6.0.428"
];
containers.arrs = { containers.arrs = {
autoStart = true; autoStart = true;
@@ -23,14 +29,13 @@ in
localAddress = "10.0.1.51"; localAddress = "10.0.1.51";
config = { config, pkgs, lib, ... }: { config = { config, pkgs, lib, ... }: {
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"aspnetcore-runtime-6.0.36" "aspnetcore-runtime-6.0.36"
"aspnetcore-runtime-wrapped-6.0.36" "aspnetcore-runtime-wrapped-6.0.36"
"dotnet-sdk-6.0.428" "dotnet-sdk-6.0.428"
"dotnet-sdk-wrapped-6.0.428" "dotnet-sdk-wrapped-6.0.428"
]; ];
nixpkgs.config.allowUnfree = true;
# Enable radarr service # Enable radarr service
services.radarr = { services.radarr = {
@@ -48,7 +53,7 @@ in
user = "arrs"; user = "arrs";
group = "media"; group = "media";
dataDir = sonarrDataDir; dataDir = sonarrDataDir;
package = sonarrPkg; # package = sonarrPkg;
}; };
# Enable Sabnzbd service # Enable Sabnzbd service

31
hosts/nas/apps/ollama/default.nix Normal file
View File

@@ -0,0 +1,31 @@
{ pkgs, ... }:
{
services.ollama = {
enable = true;
port = 11434;
user = "nix-apps";
group = "jallen-nas";
openFirewall = true;
acceleration = "cuda";
home = "/media/nas/ssd/nix-app-data/ollama";
};
services.open-webui = {
enable = true;
port = 8888;
openFirewall = true;
stateDir = "/media/nas/ssd/nix-app-data/open-webui";
environment = {
OAUTH_CLIENT_ID = "P4YrtPrdwoQkwYs4e5AHQx7xiz4FV6OpT24rjqXa";
OAUTH_CLIENT_SECRET = "XpZ1Y9RUMD6FVxBSxg8evHkRYuSUJ3saN99uCFfeNo4Z8vrmnqZBHJQzSSCFig1fgqEYCr3SmcOvCHGHUsz9FJT2aZFlZxKv6bZZpuMQYASHiQtuX2pTVEspiNab3129";
OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
OPENID_PROVIDER_NAME = "authentik";
ENABLE_OAUTH_SIGNUP = "true";
OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "true";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
};
};
}

162
hosts/nas/apps/traefik/default.nix Normal file
View File

@@ -0,0 +1,162 @@
{ config, ... }:
let
traefikDataDir = "/var/lib/traefik";
traefikUserId = config.users.users.nix-apps.uid;
traefikGroupId = config.users.groups.jallen-nas.gid;
domain = "mjallen.dev";
authentikUrl = "http://10.0.1.18:9000";
collaboraUrl = "http://10.0.1.18:9980";
cloudUrl = "http://10.0.2.18:80";
jellyfinUrl = "http://10.0.1.18:8096";
jellyseerrUrl = "http://10.0.1.18:5055";
in
{
networking.firewall = {
allowedTCPPorts = [
80
443
8080
];
allowedUDPPorts = [
80
443
8080
];
};
services.traefik = {
enable = true;
dataDir = "/media/nas/ssd/nix-app-data/traefik";
group = "jallen-nas";
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
staticConfigOptions = {
entryPoints = {
web = {
address = ":80";
asDefault = true;
http.redirections.entrypoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
asDefault = true;
http.tls.certResolver = "letsencrypt";
};
};
log = {
level = "INFO";
};
certificatesResolvers.letsencrypt.acme = {
email = "jalle008@proton.me";
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
api.dashboard = true;
# Access the Traefik dashboard on <Traefik IP>:8080 of your server
# api.insecure = true;
};
dynamicConfigOptions = {
http = {
middlewares = {
authentik = {
forwardAuth = {
tls.insecureSkipVerify = true;
address = "https://authentik.${domain}/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true;
authResponseHeaders = [
"X-authentik-username"
"X-authentik-groups"
"X-authentik-email"
"X-authentik-name"
"X-authentik-uid"
"X-authentik-jwt"
"X-authentik-meta-jwks"
"X-authentik-meta-outpost"
"X-authentik-meta-provider"
"X-authentik-meta-app"
"X-authentik-meta-version"
];
};
};
};
services = {
authentik.loadBalancer.servers = [
{
url = authentikUrl;
}
];
collabora.loadBalancer.servers = [
{
url = collaboraUrl;
}
];
cloud.loadBalancer.servers = [
{
url = cloudUrl;
}
];
jellyfin.loadBalancer.servers = [
{
url = jellyfinUrl;
}
];
jellyseerr.loadBalancer.servers = [
{
url = jellyseerrUrl;
}
];
};
routers = {
authentik = {
entryPoints = ["websecure"];
rule = "Host(`authentik.${domain}`)";
service = "authentik";
tls.certResolver = "letsencrypt";
};
collabora = {
entryPoints = ["websecure"];
rule = "Host(`office.${domain}`)";
service = "collabora";
tls.certResolver = "letsencrypt";
};
cloud = {
entryPoints = ["websecure"];
rule = "Host(`cloud.${domain}`)";
service = "cloud";
tls.certResolver = "letsencrypt";
};
jellyfin = {
entryPoints = ["websecure"];
rule = "Host(`jellyfin.${domain}`)";
service = "jellyfin";
tls.certResolver = "letsencrypt";
};
jellyseerr = {
entryPoints = ["websecure"];
rule = "Host(`jellyseerr.${domain}`)";
service = "jellyseerr";
tls.certResolver = "letsencrypt";
};
};
};
};
};
# todo: fail2ban/etc
}

3
hosts/nas/configuration.nix
View File

@@ -153,7 +153,10 @@ in
"authentik-client-api-2024.6.4" "authentik-client-api-2024.6.4"
"authentik-website-2024.6.4" "authentik-website-2024.6.4"
"authentik-proxy-2024.6.4" "authentik-proxy-2024.6.4"
"aspnetcore-runtime-6.0.36"
"aspnetcore-runtime-wrapped-6.0.36" "aspnetcore-runtime-wrapped-6.0.36"
"dotnet-sdk-6.0.428"
"dotnet-sdk-wrapped-6.0.428"
]; ];
}; };
}; };

8
hosts/nas/services.nix
View File

@@ -7,7 +7,7 @@ in
services = { services = {
minecraft-server = { minecraft-server = {
enable = true; enable = false;
eula = true; eula = true;
declarative = true; declarative = true;
openFirewall = true; openFirewall = true;
@@ -201,7 +201,7 @@ in
}; };
grafana = { grafana = {
enable = true; enable = false;
settings.server = { settings.server = {
http_port = 2342; http_port = 2342;
domain = "10.0.1.18"; domain = "10.0.1.18";
@@ -212,12 +212,12 @@ in
}; };
nix-serve = { nix-serve = {
enable = true; enable = false;
secretKeyFile = "/var/cache-priv-key.pem"; secretKeyFile = "/var/cache-priv-key.pem";
}; };
prometheus = { prometheus = {
enable = true; enable = false;
port = 8000; port = 8000;
exporters = { exporters = {
node = { node = {

30
modules/apps/nextcloud/default.nix
View File

@@ -1,30 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.nextcloud;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
extraOptions = [ "--device=nvidia.com/gpu=0" ];
ports = [
"${cfg.httpPort}:80"
"${cfg.httpsPort}:443"
];
volumes = [
"${cfg.configPath}:/config"
"${cfg.dataPath}:/data"
"${cfg.tmpPath}:/data-tmp"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}

67
modules/apps/nextcloud/options.nix
View File

@@ -1,67 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.nextcloud = {
enable = mkEnableOption "nextcloud docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
httpPort = mkOption {
type = types.str;
default = "80";
};
httpsPort = mkOption {
type = types.str;
default = "443";
};
name = mkOption {
type = types.str;
default = "nextcloud";
};
image = mkOption {
type = types.str;
default = "linuxserver/nextcloud";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/nextcloud";
};
dataPath = mkOption {
type = types.str;
default = "/media/nas/main/nextcloud";
};
tmpPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/tmp";
};
redisSock = mkOption {
type = types.str;
default = "";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}

47
modules/apps/swag/default.nix
View File

@@ -1,47 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.swag;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [
cfg.httpPort
cfg.httpsPort
81
];
allowedUDPPorts = [
cfg.httpPort
cfg.httpsPort
81
];
};
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [
"${toString cfg.httpPort}:80"
"${toString cfg.httpsPort}:443"
"81:81"
];
extraOptions = [ "--cap-add=NET_ADMIN" ];
volumes = [ "${cfg.configPath}:/config" ];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
EMAIL = cfg.email;
URL = cfg.url;
VALIDATION = cfg.validation;
DNSPLUGIN = cfg.dnsPlugin;
SUBDOMAINS = cfg.subdomains;
DOCKER_MODS = "linuxserver/mods:swag-dashboard";
};
};
};
}

77
modules/apps/swag/options.nix
View File

@@ -1,77 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.swag = {
enable = mkEnableOption "swag docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
httpPort = mkOption {
type = types.int;
default = 80;
};
httpsPort = mkOption {
type = types.int;
default = 443;
};
name = mkOption {
type = types.str;
default = "swag";
};
image = mkOption {
type = types.str;
default = "linuxserver/swag";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/swag";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
email = mkOption {
type = types.str;
default = "jalle008@proton.me";
};
url = mkOption {
type = types.str;
default = "mjallen.dev";
};
validation = mkOption {
type = types.str;
default = "dns";
};
dnsPlugin = mkOption {
type = types.str;
default = "cloudflare";
};
subdomains = mkOption {
type = types.str;
default = "wildcard";
};
};
}

4
modules/default.nix
View File

@@ -3,7 +3,6 @@
imports = [ imports = [
./samba ./samba
./apps/collabora ./apps/collabora
./apps/deluge
./apps/discover-wrapped ./apps/discover-wrapped
./apps/free-games-claimer ./apps/free-games-claimer
./apps/jackett ./apps/jackett
@@ -11,10 +10,7 @@
./apps/mariadb ./apps/mariadb
./apps/mongodb ./apps/mongodb
./apps/netbootxyz ./apps/netbootxyz
./apps/nextcloud
./apps/ollama
./apps/open-webui ./apps/open-webui
./apps/swag
./apps/tdarr ./apps/tdarr
./apps/your-spotify ./apps/your-spotify
]; ];

17
modules/services/jellyfin/default.nix
View File

@@ -1,17 +0,0 @@
{ pkgs, ... }:
{
services.jellyfin = {
enable = true;
openFirewall = true;
user = "nix-apps";
group = "jallen-nas";
dataDir = "/media/nas/ssd/nix-app-data/jellyfin/data";
configDir = "/media/nas/ssd/nix-app-data/jellyfin/config";
};
environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
}