gitea container, traefik cleanup and sops
This commit is contained in:
@@ -36,7 +36,7 @@ in
|
||||
config = {
|
||||
dataDir = dataDir;
|
||||
openId = {
|
||||
issuer = "https://authentik.mjallen.dev/application/o/actual-budget/";
|
||||
issuer = "https://authentik.mjallen.dev/application/o/actual-budget/"; # TODO
|
||||
client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
|
||||
client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
|
||||
server_hostname = "https://actual.mjallen.dev";
|
||||
@@ -56,18 +56,6 @@ in
|
||||
useHostResolvConf = lib.mkForce false;
|
||||
};
|
||||
|
||||
# Create and set permissions for required directories
|
||||
# system.activationScripts.actual-dirs = ''
|
||||
# mkdir -p /var/lib/private/actual-data
|
||||
|
||||
# chown -R nobody:nogroup /var/lib/private/actual-data
|
||||
|
||||
# chmod -R 775 /var/lib/private/actual-data
|
||||
|
||||
# ln -sf /var/lib/private/actual /var/lib/actual-data
|
||||
|
||||
# '';
|
||||
|
||||
services.resolved.enable = true;
|
||||
system.stateVersion = "23.11";
|
||||
};
|
||||
|
||||
@@ -1,30 +1,104 @@
|
||||
{ config, ... }:
|
||||
let
|
||||
hostAddress = "10.0.1.18";
|
||||
localAddress = "10.0.4.18";
|
||||
httpPort = 3000;
|
||||
sshPort = 2222;
|
||||
rootUrl = "https://gitea.mjallen.dev/";
|
||||
stateDir = "/media/nas/ssd/nix-app-data/gitea";
|
||||
dataDir = "/var/lib/gitea";
|
||||
secretsDir = "/run/secrets/jallen-nas/gitea";
|
||||
mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
|
||||
metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
|
||||
in
|
||||
{
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
stateDir = "/media/nas/ssd/nix-app-data/gitea";
|
||||
useWizard = false;
|
||||
mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
|
||||
metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "jallen-nas";
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
HTTP_PORT = 3000;
|
||||
PROTOCOL = "http";
|
||||
ROOT_URL = "https://gitea.mjallen.dev/";
|
||||
SSH_PORT = 2222;
|
||||
containers.gitea = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = hostAddress;
|
||||
localAddress = localAddress;
|
||||
|
||||
bindMounts = {
|
||||
${dataDir} = {
|
||||
hostPath = stateDir;
|
||||
isReadOnly = false;
|
||||
};
|
||||
service = {
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
ENABLE_CAPTCHA = false;
|
||||
DISABLE_REGISTRATION = true;
|
||||
ENABLE_OPENID_SIGNIN = false;
|
||||
ENABLE_LDAP_SIGNIN = false;
|
||||
ENABLE_SSH_SIGNIN = true;
|
||||
ENABLE_BUILTIN_SSH_SERVER = true;
|
||||
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
|
||||
secrets = {
|
||||
hostPath = secretsDir;
|
||||
isReadOnly = true;
|
||||
mountPoint = secretsDir;
|
||||
};
|
||||
};
|
||||
|
||||
config = { lib, ... }:
|
||||
{
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
stateDir = dataDir;
|
||||
useWizard = false;
|
||||
mailerPasswordFile = mailerPasswordFile;
|
||||
metricsTokenFile = metricsTokenFile;
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "jallen-nas";
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
HTTP_PORT = httpPort;
|
||||
PROTOCOL = "http";
|
||||
ROOT_URL = rootUrl;
|
||||
SSH_PORT = sshPort;
|
||||
};
|
||||
service = {
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
ENABLE_CAPTCHA = false;
|
||||
DISABLE_REGISTRATION = true;
|
||||
ENABLE_OPENID_SIGNIN = false;
|
||||
ENABLE_LDAP_SIGNIN = false;
|
||||
ENABLE_SSH_SIGNIN = true;
|
||||
ENABLE_BUILTIN_SSH_SERVER = true;
|
||||
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.gitea = {
|
||||
extraGroups = [ "keys" ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ httpPort sshPort 22 ];
|
||||
};
|
||||
# Use systemd-resolved inside the container
|
||||
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
|
||||
useHostResolvConf = lib.mkForce false;
|
||||
};
|
||||
|
||||
# Create and set permissions for required directories
|
||||
system.activationScripts.gitea-dirs = ''
|
||||
mkdir -p /var/lib/gitea
|
||||
chown -R gitea:gitea /var/lib/gitea
|
||||
chmod -R 775 /var/lib/gitea
|
||||
mkdir -p /run/secrets/jallen-nas
|
||||
chown -R gitea:gitea /run/secrets/jallen-nas
|
||||
chmod -R 775 /run/secrets/jallen-nas
|
||||
'';
|
||||
|
||||
services.resolved.enable = true;
|
||||
system.stateVersion = "23.11";
|
||||
};
|
||||
};
|
||||
|
||||
networking.nat = {
|
||||
forwardPorts = [
|
||||
{
|
||||
destination = "${localAddress}:${toString httpPort}";
|
||||
sourcePort = httpPort;
|
||||
}
|
||||
{
|
||||
destination = "${localAddress}:${toString sshPort}";
|
||||
sourcePort = sshPort;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
@@ -2,6 +2,7 @@
|
||||
let
|
||||
domain = "mjallen.dev";
|
||||
|
||||
# Forward services
|
||||
authUrl = "http://10.0.1.18:9000/outpost.goauthentik.io";
|
||||
authentikUrl = "http://10.0.1.18:9000";
|
||||
onlyofficeUrl = "http://10.0.2.18:9980";
|
||||
@@ -12,34 +13,87 @@ let
|
||||
openWebUIUrl = "http://10.0.1.18:8888";
|
||||
paperlessUrl = "http://10.0.1.20:28981";
|
||||
cacheUrl = "http://10.0.1.18:5000";
|
||||
giteaUrl = "http://10.0.1.18:3000";
|
||||
giteaUrl = "http://10.0.4.18:3000";
|
||||
actualUrl = "http://10.0.3.18:3333";
|
||||
lubeloggerUrl = "http://10.0.1.18:6754";
|
||||
|
||||
# Plugins
|
||||
traefikPlugins = {
|
||||
bouncer = {
|
||||
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
|
||||
version = "v1.4.2";
|
||||
};
|
||||
geoblock = {
|
||||
moduleName = "github.com/PascalMinder/geoblock";
|
||||
version = "v0.2.5";
|
||||
};
|
||||
};
|
||||
|
||||
crowdsecAppsecHost = "10.0.1.18:7422";
|
||||
crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
|
||||
|
||||
# Ports
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
traefikPort = 8080;
|
||||
metricsPort = 8082;
|
||||
|
||||
forwardPorts = [
|
||||
httpPort
|
||||
httpsPort
|
||||
traefikPort
|
||||
metricsPort
|
||||
];
|
||||
|
||||
# misc
|
||||
letsEncryptEmail = "jalle008@proton.me";
|
||||
dataDir = "/media/nas/ssd/nix-app-data/traefik";
|
||||
authentikAddress = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik";
|
||||
group = [ config.users.users.nix-apps.group.name ];
|
||||
in
|
||||
{
|
||||
sops = {
|
||||
secrets = {
|
||||
"jallen-nas/traefik/crowdsec-lapi-key" = {
|
||||
owner = config.users.users.traefik.name;
|
||||
group = config.users.users.traefik.group;
|
||||
restartUnits = [ "traefik.service" ];
|
||||
};
|
||||
"jallen-nas/traefik/cloudflare-dns-api-token" = { };
|
||||
"jallen-nas/traefik/cloudflare-zone-api-token" = { };
|
||||
"jallen-nas/traefik/cloudflare-api-key" = { };
|
||||
"jallen-nas/traefik/cloudflare-email" = { };
|
||||
};
|
||||
templates = {
|
||||
"traefik.env" = {
|
||||
content = ''
|
||||
CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
|
||||
CLOUDFLARE_ZONE_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
|
||||
CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
|
||||
CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
|
||||
'';
|
||||
owner = config.users.users.traefik.name;
|
||||
group = config.users.users.traefik.group;
|
||||
restartUnits = [ "traefik.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
8080
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
80
|
||||
443
|
||||
8080
|
||||
];
|
||||
allowedTCPPorts = forwardPorts;
|
||||
allowedUDPPorts = forwardPorts;
|
||||
};
|
||||
|
||||
services.traefik = {
|
||||
enable = true;
|
||||
dataDir = "/media/nas/ssd/nix-app-data/traefik";
|
||||
group = "jallen-nas";
|
||||
dataDir = dataDir;
|
||||
group = "jallen-nas";#group;
|
||||
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
|
||||
|
||||
staticConfigOptions = {
|
||||
entryPoints = {
|
||||
web = {
|
||||
address = ":80";
|
||||
address = ":${toString httpPort}";
|
||||
asDefault = true;
|
||||
http.redirections.entrypoint = {
|
||||
to = "websecure";
|
||||
@@ -48,13 +102,13 @@ in
|
||||
};
|
||||
|
||||
websecure = {
|
||||
address = ":443";
|
||||
address = ":${toString httpsPort}";
|
||||
asDefault = true;
|
||||
http.tls.certResolver = "letsencrypt";
|
||||
};
|
||||
|
||||
metrics = {
|
||||
address = ":8082"; # Port for metrics
|
||||
address = ":${toString metricsPort}"; # Port for metrics
|
||||
};
|
||||
};
|
||||
|
||||
@@ -72,7 +126,7 @@ in
|
||||
};
|
||||
|
||||
certificatesResolvers.letsencrypt.acme = {
|
||||
email = "jalle008@proton.me";
|
||||
email = letsEncryptEmail;
|
||||
storage = "${config.services.traefik.dataDir}/acme.json";
|
||||
dnsChallenge = {
|
||||
provider = "cloudflare";
|
||||
@@ -88,16 +142,7 @@ in
|
||||
api.insecure = true;
|
||||
|
||||
experimental = {
|
||||
plugins = {
|
||||
bouncer = {
|
||||
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
|
||||
version = "v1.4.2";
|
||||
};
|
||||
geoblock = {
|
||||
moduleName = "github.com/PascalMinder/geoblock";
|
||||
version = "v0.2.5";
|
||||
};
|
||||
};
|
||||
plugins = traefikPlugins;
|
||||
};
|
||||
};
|
||||
|
||||
@@ -107,7 +152,7 @@ in
|
||||
authentik = {
|
||||
forwardAuth = {
|
||||
tls.insecureSkipVerify = true;
|
||||
address = "http://10.0.1.18:9000/outpost.goauthentik.io/auth/traefik";
|
||||
address = authentikAddress;
|
||||
trustForwardHeader = true;
|
||||
authResponseHeaders = [
|
||||
"X-authentik-username"
|
||||
@@ -133,10 +178,10 @@ in
|
||||
plugin = {
|
||||
bouncer = {
|
||||
crowdsecAppsecEnabled = true;
|
||||
crowdsecAppsecHost = "10.0.1.18:7422";
|
||||
crowdsecAppsecHost = crowdsecAppsecHost;
|
||||
crowdsecAppsecFailureBlock = true;
|
||||
crowdsecAppsecUnreachableBlock = true;
|
||||
crowdsecLapiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
|
||||
crowdsecLapiKeyFile = crowdsecLapiKeyFile;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -114,14 +114,16 @@ in
|
||||
restartUnits = [ "container@paperless.service" ];
|
||||
};
|
||||
"jallen-nas/gitea/mail-key" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
restartUnits = [ "gitea.service" ];
|
||||
owner = "root";
|
||||
group = "keys";
|
||||
mode = "0440";
|
||||
restartUnits = [ "container@gitea.service" ];
|
||||
};
|
||||
"jallen-nas/gitea/metrics-key" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
restartUnits = [ "gitea.service" ];
|
||||
owner = "root";
|
||||
group = "keys";
|
||||
mode = "0440";
|
||||
restartUnits = [ "container@gitea.service" ];
|
||||
};
|
||||
"jallen-nas/free-games/eg-email" = { };
|
||||
"jallen-nas/free-games/eg-pass" = { };
|
||||
|
||||
Reference in New Issue
Block a user