Add modules/server/containers/apps/.todo.md

flake.lock

@@ -45,11 +45,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775037210,
+        "lastModified": 1777780666,
-        "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
+        "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "06648f4902343228ce2de79f291dd5a58ee12146",
+        "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
         "type": "github"
       },
       "original": {
@@ -103,11 +103,11 @@
     },
     "hardware": {
       "locked": {
-        "lastModified": 1776983936,
+        "lastModified": 1778143761,
-        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
+        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
         "type": "github"
       },
       "original": {
@@ -139,11 +139,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777771528,
+        "lastModified": 1777851538,
-        "narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=",
+        "narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51",
+        "rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
         "type": "github"
       },
       "original": {
@@ -174,11 +174,11 @@
     },
     "nixUnstable": {
       "locked": {
-        "lastModified": 1777641297,
+        "lastModified": 1778274207,
-        "narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=",
+        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0",
+        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
         "type": "github"
       },
       "original": {
@@ -190,11 +190,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1777428379,
+        "lastModified": 1778003029,
-        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
+        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "755f5aa91337890c432639c60b6064bb7fe67769",
+        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
         "type": "github"
       },
       "original": {
@@ -221,11 +221,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1777578337,
+        "lastModified": 1777954456,
-        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -241,11 +241,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1777763626,
+        "lastModified": 1778376280,
-        "narHash": "sha256-UFwZDbdMezNnxZwikhDR4EWiCPUiEmPXHmqLOrcG34g=",
+        "narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "3873764e5896bd6da6cf0df17172849ea51ac5eb",
+        "rev": "828688994167eb57628c98fd1d7e1223b079cda1",
         "type": "github"
       },
       "original": {
@@ -274,11 +274,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777338324,
+        "lastModified": 1777944972,
-        "narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
         "type": "github"
       },
       "original": {

modules/server/containers/apps/.todo.md

@@ -0,0 +1,4 @@
+# Missing
+
+RSS: TTRSS / FreshRSS
+Monitoring: Telegraf + InfluxDB

modules/server/containers/apps/authentik.nix

@@ -24,7 +24,7 @@ in {
     server = builder.mkContainer {
       subdomain = containerCfg.subdomain;
       image = "ghcr.io/goauthentik/server:${version}";
-      port = containerCfg.port;
+      port = 9000;
       ip = containerCfg.ip;
       secret = name;
       extraEnv = {
@@ -44,7 +44,7 @@ in {
       };
       overrides = {
         cmd = [ "server" ];
-        ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
+        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:9000" ] else [];
         volumes = [
           "${serverCfg.configPath}/authentik/media:/media"
           "${serverCfg.configPath}/authentik/templates:/templates"

modules/server/containers/apps/collabora.nix

@@ -7,14 +7,14 @@ in {
     server = builder.mkContainer {
       subdomain = containerCfg.subdomain;
       image = "collabora/code:${version}";
-      port = containerCfg.port;
+      port = 8080;
       ip = containerCfg.ip;
       secret = name;
       extraEnv = {
         "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
         "server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
         "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
-        "VIRTUAL_PORT" = "${toString containerCfg.port}";
+        "VIRTUAL_PORT" = "8080";
         "VIRTUAL_PROTO" = "http";
         "DONT_GEN_SSL_CERT" = "true";
         "RESOLVE_TO_PROXY_IP" = "true";

modules/server/containers/apps/ethercalc.nix

@@ -0,0 +1,56 @@
+{ config, containerCfg, pkgs, lib, builder, name,... }:
+let 
+  serverCfg = config.syscfg.server;
+  ethercalc_exe = pkgs.ethercalc;
+  settings = pkgs.writeText"settings.json" (builtins.toJSON {
+    title= "\${TITLE:Ethercalc}";
+  });
+  image = pkgs.dockerTools.streamLayeredImage {
+    name = "ethercalc";
+    tag = ethercalc_exe.version;
+    config = {
+      Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
+      ExposedPorts = { "8080/tcp" = {}; };
+    };
+  };
+in {
+  paths = [];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      imageStream = image;
+      port = 8080;
+      ip = containerCfg.ip;
+      secret = name;
+      extraEnv = {
+        TITLE = "Calc";
+        PORT = "8080";
+        DB_TYPE = "postgres";
+        DB_HOST = builder.host;
+        DB_NAME = "ethercalc_db";
+        DB_USER = "ethercalc_user";
+        DB_CHARSET = "utf8mb4";
+        TRUST_PROXY = "true";
+        DEFAULT_CALC_TEXT = "";
+        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+      };
+      overrides = {
+        cmd = [ "--settings" "/etc/ethercalc/settings.json" "--apikey" "./APIKEY.txt" ];
+        volumes = [
+          "${settings}:/etc/ethercalc/settings.json"
+        ];
+       };
+    };
+  };
+
+  setup = {
+    trigger = "server";
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      EXEC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} ethercalc-server sh -c"
+      $EXEC "echo \"$APIKEY\" > ./APIKEY.txt"
+    '';
+  };
+
+}

modules/server/containers/apps/etherpad.nix

@@ -69,14 +69,9 @@ let
   image = pkgs.dockerTools.streamLayeredImage {
     name = "etherpad";
     tag = etherpad_exe.version;
-
     config = {
       Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
-      ExposedPorts = { "${toString containerCfg.port}/tcp" = {}; };
+      ExposedPorts = { "8080/tcp" = {}; };
-      Env = [
-        "NODE_ENV=production"
-      ];
-
     };
   };
 in {
@@ -86,12 +81,12 @@ in {
     server = builder.mkContainer {
       subdomain = containerCfg.subdomain;
       imageStream = image;
-      port = containerCfg.port;
+      port = 8080;
       ip = containerCfg.ip;
       secret = name;
       extraEnv = {
         TITLE = "Pad";
-        PORT = toString containerCfg.port;
+        PORT ="8080";
         DB_TYPE = "postgres";
         DB_HOST = builder.host;
         DB_NAME = "etherpad_db";
@@ -104,7 +99,7 @@ in {
         SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
       };
       overrides = {
-        cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "$APIKEY"];
+        cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "./APIKEY.txt" ];
         volumes = [
           "${settings}:/etc/etherpad/settings.json"
         ];
@@ -112,4 +107,13 @@ in {
     };
   };
 
+  setup = {
+    trigger = "server";
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      EXEC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} etherpad-server sh -c"
+      $EXEC "echo \"$APIKEY\" > ./APIKEY.txt"
+    '';
+  };
+
 }

modules/server/containers/apps/frigate.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/gitea.nix

@@ -0,0 +1,85 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "latest";
+  serverCfg = config.syscfg.server;
+in {
+    
+  paths = [{
+    path="${serverCfg.dataPath}/gitea/data";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "gitea/gitea:${version}";
+      port = 8080;
+      ip = containerCfg.ip;
+      secret = name;
+      
+      extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
+        GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
+        GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
+        GITEA__repository__DISABLE_STARS = "true";
+        GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
+        # GITEA__ui__THEMES = "";
+        # GITEA__ui__DEFAULT_THEME = "";
+
+        # GITEA__security__SECRET_KEY = "SECRET_ENV";
+        # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
+        # GITEA__database__PASSWD = "SECRET_ENV";
+        # GITEA__mailer__PASSWD="SECRET_ENV";
+
+        GITEA__database__DB_TYPE = "postgres"; 
+        GITEA__database__HOST = builder.host;
+        GITEA__database__NAME = "gitea_db";
+        GITEA__database__USER = "gitea_user";
+
+
+        GITEA__mailer__ENABLED = "true";
+        GITEA__mailer__FROM = "";
+        GITEA__mailer__PROTOCOL = "smtps";
+        GITEA__mailer__SMTP_ADDR = "";
+        GITEA__mailer__SMTP_PORT = "";
+        GITEA__mailer__USER= "";
+
+        GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+        GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.hostDomain}/";
+        GITEA__server__PROTOCOL = "http";
+        # GITEA__server__USE_PROXY_PROTOCOL = true;
+        GITEA__server__HTTP_PORT = "8080";
+        GITEA__server__LFS_START_SERVER = "true";
+        GITEA__security__INSTALL_LOCK = "true";
+
+      } // ( if serverCfg.containers?authentik then {
+        GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
+        GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
+        GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
+        GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/outpost.goauthentik.io/";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
+        GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
+        GITEA__security__RREVERSE_PROXY_LIMIT = "1";
+        GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
+      } else {});
+      extraLabels = {
+        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.hostDomain}`) && Path(`/user/login`) ";
+        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
+        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+      };
+
+      overrides = {
+        volumes = [
+          "${serverCfg.dataPath}/gitea/data:/data"
+        ];
+        ports = [ "2222:22" ]; 
+      };
+    };
+  };
+}

modules/server/containers/apps/handbrake.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/homeassistant.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/invidious.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/jellyfin.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/nextcloud.nix

@@ -18,7 +18,7 @@ in {
     server = builder.mkContainer {
       subdomain = containerCfg.subdomain;
       image = "nextcloud:${version}";
-      port = containerCfg.port;
+      port = 8080;
       ip = containerCfg.ip;
       secret = name;
       extraEnv = {
@@ -47,7 +47,7 @@ in {
         "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
       ];
       overrides = {
-        ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
+        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else [];
         volumes = [
           "${serverCfg.dataPath}/nextcloud/www:/var/www/html"
           "${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"

modules/server/containers/apps/searxng.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/servarr.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/traefik.nix

@@ -27,17 +27,17 @@ in {
       extraLabels = {
         "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
         "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
-        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
+                
-
+        "traefik.http.routers.${containerCfg.subdomain}.middlewares" =  if serverCfg.containers?authentik then "authentik" else "";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}";
-        
         "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
         "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
         "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
         "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
-      };
+      } // (if containerCfg.extra ? provider || serverCfg.hostDomain != "localhost" then {
+        "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
+        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}";
+        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}";
+      } else {});
       extraEnv = { };
       overrides = {
         cmd = [ 
@@ -55,14 +55,16 @@ in {
           "--entrypoints.web.http.redirections.entrypoint.scheme=https"
           "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
           "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
+        ] ++ (if containerCfg.extra ? provider then [
           "--certificatesresolvers.default.acme.email=acme@${serverCfg.hostDomain}"
-          "--certificatesresolvers.default.acme.tlschallenge=false"
-          "--certificatesresolvers.default.acme.httpchallenge=false"
           "--certificatesresolvers.default.acme.dnschallenge=true"
           "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
           "--certificatesresolvers.default.acme.storage=/custom/acme.json"
-        ];
+        ] else (if serverCfg.hostDomain != "localhost" then [
-        ports = [ "443:443" "80:80" ];
+          "--certificatesresolvers.default.acme.httpchallenge=false"
+          "--certificatesresolvers.default.acme.tlschallenge=true"
+        ] else [ ]));
+        ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
         volumes = [
           "/var/run/podman/podman.sock:/var/run/docker.sock"
           # "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"

modules/server/containers/apps/transmission.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/trmnl.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/server/containers/apps/umami.nix

@@ -0,0 +1,3 @@
+{...}:{
+    
+}

modules/shared/sops/default.nix

@@ -1,28 +1,17 @@
 { config, lib, pkgs, ... }:
 let
-  isCI = builtins.elem config.syscfg.hostname [ "ci" "sandbox" ];
+  listNames = config.syscfg.server.db;
-  keyFilePath = (if isCI then
+  containerNames = lib.mapAttrsToList (name: cfg: name) 
-    "/var/lib/sops-nix/mock-key.txt"
+    (lib.filterAttrs (name: cfg: ((cfg.db or false) || (cfg.sops or false))) config.syscfg.server.containers);
-  else
+  allApps = lib.unique (listNames ++ containerNames);
-    "/var/lib/sops-nix/age-key.txt");
+in{
-  sopsFilePath = (if isCI then ./mock.yaml else ./common.yaml);
+    sops.secrets = {
-in {
+      CUSTOM = { 
-  environment.systemPackages = with pkgs; [ sops ];
+        mode = "0444";
-  environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath;
+        sopsFile = ./server.yaml; 
-
+      };
-  sops.defaultSopsFile = sopsFilePath;
+    } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
-  sops.age.keyFile = keyFilePath;
+      mode = "0444";
-  sops.age.generateKey = true;
+      sopsFile = ./server.yaml;
-
+    }));
-  sops.secrets = lib.mkMerge [
-  {
-    wifi = { };
-    "${config.syscfg.hostname}_ssh_priv" = {
-      mode = "0400";
-      owner = config.users.users.${config.syscfg.defaultUser}.name;
-      group = config.users.users.${config.syscfg.defaultUser}.group;
-    };
-    "${config.syscfg.hostname}_wg_priv" = { };
-  }
-];
 }

modules/shared/syscfg/default.nix

@@ -114,7 +114,6 @@ let
           ip = mkOption { type = types.nullOr types.str; default = null;};
           subdomain = mkOption { type = types.nullOr types.str; default=null;};
           port = mkOption { type = types.nullOr types.port; default = null; };
-          pubPort = mkOption { type = types.nullOr types.port; default = null; };
           extra = mkOption { type = types.attrs; default = {}; };
         };
       });