sora/nixconfig
1
0
Fork 0
Code Issues 2 Pull Requests Actions Releases Activity

Compare commits

base: sora:main
Branches Tags
sora:main sora:dev
...
compare: sora:7cfd1bb24590b221cf5e50d121a911423bf84691
Branches Tags
sora:main sora:dev

276 Commits
main ... 7cfd1bb245

Author SHA1 Message Date
sora-ext
7cfd1bb245 Update modules/server/sops/example.server.yaml 2026-05-13 17:32:12 +02:00
sora-ext
85a6517609 Add modules/server/containers/data/authentik/ldap.yaml 2026-05-13 17:31:46 +02:00
sora-ext
d55756f8f8 Update modules/server/containers/apps/servarr.nix 2026-05-13 17:31:29 +02:00
sora-ext
18beb41cd8 Update modules/server/containers/apps/jellyfin.nix 2026-05-13 17:31:19 +02:00
sora-ext
78f01cf111 Update modules/server/containers/apps/invidious.nix 2026-05-13 17:31:07 +02:00
sora-ext
c582d89715 Add modules/server/containers/apps/influx.nix 2026-05-13 17:30:57 +02:00
sora-ext
4270b15f9d Update modules/server/containers/apps/immich.nix 2026-05-13 17:30:43 +02:00
sora-ext
a62bc660c5 Update modules/server/containers/apps/homeassistant.nix 2026-05-13 17:30:33 +02:00
sora-ext
973fd78c1b Update modules/server/containers/apps/frigate.nix 2026-05-13 17:30:24 +02:00
sora-ext
7e62883e66 Update modules/server/containers/apps/authentik.nix 2026-05-13 17:30:10 +02:00
sora-ext
feccc2c3e0 Update modules/server/containers/apps/.template.nix 2026-05-13 17:30:00 +02:00
sora-ext
0b02de0957 Update modules/server/containers/default.nix 2026-05-13 17:29:49 +02:00
sora-ext
721838df2b Update modules/server/containers/builder.nix 2026-05-13 17:29:33 +02:00
soraefir
8c800ad0d3 Jellyfin LDAP 2026-05-13 01:56:45 +02:00
soraefir
f7af832d8e fix jellyfin media path 2026-05-13 01:31:15 +02:00
soraefir
6ddf4a07cc fix umami db 2026-05-13 01:00:14 +02:00
soraefir
0df674647c sops 2026-05-13 00:50:22 +02:00
soraefir
7bead6b3ac fix umami 2026-05-13 00:41:36 +02:00
soraefir
f0befa87be test 2026-05-12 22:52:25 +02:00
soraefir
6d665ee59c add sops to servarr 2026-05-12 21:28:24 +02:00
soraefir
befe46c085 sops 2026-05-12 21:26:46 +02:00
soraefir
ba6d057600 Fix 2026-05-12 21:26:07 +02:00
soraefir
db5230bd69 typo 2026-05-12 21:25:01 +02:00
soraefir
e1a80bb7ce Add new modules 2026-05-12 21:24:02 +02:00
sora-ext
7d95ba04a9 Add modules/shared/syscfg/user.nix 2026-05-12 18:02:13 +02:00
sora-ext
9169205357 Add modules/shared/syscfg/make.nix 2026-05-12 18:02:01 +02:00
sora-ext
74721f6b09 Add modules/shared/syscfg/net.nix 2026-05-12 18:01:52 +02:00
sora-ext
668c0107f9 Add modules/shared/syscfg/server.nix 2026-05-12 18:01:44 +02:00
sora-ext
331291c54d Update modules/shared/syscfg/default.nix 2026-05-12 18:01:33 +02:00
sora-ext
d10f53e485 Add modules/server/containers/apps/immich.nix 2026-05-12 17:47:01 +02:00
sora-ext
82aea8268f Update modules/shared/syscfg/default.nix 2026-05-12 17:46:23 +02:00
sora-ext
050eaedca2 Update modules/server/sops/example.server.yaml 2026-05-12 17:46:11 +02:00
sora-ext
be9cb270aa Update modules/server/sops/default.nix 2026-05-12 17:45:59 +02:00
sora-ext
a5e0e96b52 Update modules/server/database/default.nix 2026-05-12 17:45:49 +02:00
sora-ext
4366232f18 Update modules/server/containers/apps/umami.nix 2026-05-12 17:45:34 +02:00
sora-ext
4398b1d888 Update modules/server/containers/apps/transmission.nix 2026-05-12 17:45:25 +02:00
sora-ext
c4b5c47aa4 Update modules/server/containers/apps/traefik.nix 2026-05-12 17:45:16 +02:00
sora-ext
ff64e6c231 Update modules/server/containers/apps/servarr.nix 2026-05-12 17:45:07 +02:00
sora-ext
e7d656141a Update modules/server/containers/apps/searxng.nix 2026-05-12 17:44:59 +02:00
sora-ext
cf3c2428fb Update modules/server/containers/apps/nextcloud.nix 2026-05-12 17:44:50 +02:00
sora-ext
a2dc050b1c Update modules/server/containers/apps/jellyfin.nix 2026-05-12 17:44:41 +02:00
sora-ext
8bf332caf2 Update modules/server/containers/apps/gitea.nix 2026-05-12 17:44:25 +02:00
sora-ext
20d3786547 Update modules/server/containers/apps/etherpad.nix 2026-05-12 17:44:18 +02:00
sora-ext
79422c180a Update modules/server/containers/apps/ethercalc.nix 2026-05-12 17:44:11 +02:00
sora-ext
65fc9c6df2 Update modules/server/containers/apps/collabora.nix 2026-05-12 17:44:03 +02:00
sora-ext
a59cbd13a3 Update modules/server/containers/apps/authentik.nix 2026-05-12 17:43:55 +02:00
sora-ext
5f04ef7ae5 Update modules/server/containers/apps/.todo.md 2026-05-12 17:43:48 +02:00
sora-ext
0aff508cda Add modules/server/containers/apps/.template.nix 2026-05-12 17:43:40 +02:00
sora-ext
30df106b94 Update modules/server/containers/default.nix 2026-05-12 17:43:28 +02:00
sora-ext
3abdb6d637 Update modules/server/containers/builder.nix 2026-05-12 17:43:18 +02:00
soraefir
cd4c727255 gitea runner 2026-05-12 01:06:14 +02:00
soraefir
26cb095014 Fix 2026-05-12 00:55:55 +02:00
soraefir
2a9113e07d fix calc 2026-05-12 00:50:25 +02:00
soraefir
42a170283d add sops 2026-05-12 00:45:07 +02:00
soraefir
3d4cdaf6e9 new stuff 2026-05-12 00:42:09 +02:00
soraefir
21d959b592 fix script admin 2026-05-11 23:00:07 +02:00
soraefir
0895d67489 fix gitea script 2026-05-11 22:57:43 +02:00
soraefir
86f1fc116c Fix gitea script 2026-05-11 22:55:03 +02:00
soraefir
b82033f857 gitea adminify 2026-05-11 22:45:34 +02:00
soraefir
fbe8399886 Fix 2026-05-11 22:11:26 +02:00
soraefir
036f1117be fix mkdir 2026-05-11 22:05:38 +02:00
soraefir
b3eb1de9e6 fix 2026-05-11 22:02:16 +02:00
soraefir
91c2928a56 Fix 2026-05-11 21:53:49 +02:00
soraefir
89ffc75db2 Fix sops APIKEY 2026-05-11 21:49:20 +02:00
soraefir
63fc0bde6e Fix port 2026-05-11 21:29:16 +02:00
soraefir
bc765ea0c6 Fix cloud port 2026-05-11 20:35:14 +02:00
soraefir
df236d4ec7 sh 2026-05-11 20:18:14 +02:00
soraefir
2f24725df4 add sh 2026-05-11 20:16:37 +02:00
soraefir
4708753085 Gitea 2026-05-11 19:22:06 +02:00
soraefir
370416edba Fix sops 2026-05-11 19:04:16 +02:00
soraefir
ee1dec3d44 rm port 2026-05-11 18:50:36 +02:00
sora-ext
b748db9550 Add modules/server/containers/apps/.todo.md 2026-05-11 18:47:46 +02:00
sora-ext
78381d15ff Update modules/server/containers/apps/authentik.nix 2026-05-11 18:47:46 +02:00
sora-ext
037d75af2a Update modules/server/containers/apps/collabora.nix 2026-05-11 18:47:46 +02:00
sora-ext
9e9338d136 Add modules/server/containers/apps/ethercalc.nix 2026-05-11 18:47:46 +02:00
sora-ext
cd19d8ac06 Update modules/server/containers/apps/etherpad.nix 2026-05-11 18:47:46 +02:00
sora-ext
6dda5f6bd5 Add modules/server/containers/apps/frigate.nix 2026-05-11 18:47:46 +02:00
sora-ext
836b890fab Add modules/server/containers/apps/gitea.nix 2026-05-11 18:47:46 +02:00
sora-ext
40ed44aa52 Add modules/server/containers/apps/handbrake.nix 2026-05-11 18:47:46 +02:00
sora-ext
2fcbf6adb3 Add modules/server/containers/apps/homeassistant.nix 2026-05-11 18:47:46 +02:00
sora-ext
f3fbf159b4 Add modules/server/containers/apps/invidious.nix 2026-05-11 18:47:46 +02:00
sora-ext
f3b8feb50d Update modules/server/containers/apps/nextcloud.nix 2026-05-11 18:47:46 +02:00
sora-ext
f6f51597cd Add modules/server/containers/apps/jellyfin.nix 2026-05-11 18:47:46 +02:00
sora-ext
5c7b5fcbfe Add modules/server/containers/apps/searxng.nix 2026-05-11 18:47:46 +02:00
sora-ext
07b6868d27 Add modules/server/containers/apps/servarr.nix 2026-05-11 18:47:46 +02:00
sora-ext
870b13ef36 Update modules/server/containers/apps/traefik.nix 2026-05-11 18:47:46 +02:00
sora-ext
4b8c8bdc51 Add modules/server/containers/apps/transmission.nix 2026-05-11 18:47:46 +02:00
sora-ext
c24628b574 Add modules/server/containers/apps/trmnl.nix 2026-05-11 18:47:46 +02:00
sora-ext
c1fb77a89f Add modules/server/containers/apps/umami.nix 2026-05-11 18:47:46 +02:00
sora-ext
94012aa44c Update modules/shared/sops/default.nix 2026-05-11 18:47:46 +02:00
sora-ext
5ff282e65c Update modules/shared/syscfg/default.nix 2026-05-11 18:47:46 +02:00
Renovate Bot
0bedb71d07 Lock file maintenance 2026-05-11 18:47:46 +02:00
Renovate Bot
47cbbc56cb Lock file maintenance 2026-05-11 18:47:46 +02:00
sora
e116efd45c Update modules/server/containers/apps/etherpad.nix 2026-05-11 03:03:52 +02:00
soraefir
ff498d15a3 fix 2026-05-11 02:51:27 +02:00
soraefir
90c596270f Fix 2026-05-11 02:49:57 +02:00
soraefir
458a9091d4 fix 2026-05-11 02:32:08 +02:00
soraefir
123d18d1e8 fix 2026-05-11 02:29:11 +02:00
soraefir
f05f7b0147 fix 2026-05-11 02:23:54 +02:00
soraefir
a41390dcee Fix key 2026-05-11 02:19:31 +02:00
soraefir
29478e2aed Fix api 2026-05-11 02:11:15 +02:00
soraefir
82b422883e Fix api 2026-05-11 01:56:11 +02:00
soraefir
4151e50a42 fix 2026-05-11 01:36:08 +02:00
soraefir
5afaf859b9 fix 2026-05-11 00:55:20 +02:00
soraefir
0cd20319fe fix script 2026-05-11 00:54:02 +02:00
soraefir
468cd34fca fix 2026-05-11 00:46:52 +02:00
soraefir
882d36ff83 typo 2026-05-11 00:45:43 +02:00
soraefir
dc2682c829 fix 2026-05-11 00:44:26 +02:00
soraefir
f354a99d56 test new setup script 2026-05-11 00:42:34 +02:00
soraefir
bf1fbea959 chmod and fix 2026-05-11 00:38:02 +02:00
soraefir
31addeda66 Opt dir 2026-05-11 00:33:38 +02:00
soraefir
d0ca9761d7 fix 2026-05-11 00:24:31 +02:00
soraefir
bbbb5831a8 etherpad api 2026-05-11 00:15:54 +02:00
soraefir
46f4b5288b Admin 2026-05-10 22:39:33 +02:00
soraefir
8293df4974 Fix 2026-05-10 22:36:43 +02:00
soraefir
08866273cc fix 2026-05-10 22:31:31 +02:00
soraefir
e2772e51d9 Fix group 2026-05-10 22:27:29 +02:00
soraefir
6bf856b702 WIP 2026-05-10 22:21:02 +02:00
soraefir
93199b4359 tmp fix 2026-05-10 22:11:53 +02:00
soraefir
d3ffacf4ca Fix admin 2026-05-10 22:08:03 +02:00
soraefir
ac0e28b5ab fix authentic flow 2026-05-10 22:02:11 +02:00
soraefir
e76f53d887 test template 2026-05-10 21:47:49 +02:00
soraefir
f67e142f53 fix envfile 2026-05-10 21:43:48 +02:00
soraefir
8165bf6935 Add force exec 2026-05-10 21:40:49 +02:00
soraefir
09539b5866 Add user setup script 2026-05-10 21:39:12 +02:00
soraefir
1b2a724a26 Fix idp & co, add base ak setup 2026-05-10 20:42:19 +02:00
soraefir
e6e6e4af49 Fix saml url 2026-05-10 19:56:05 +02:00
soraefir
e999a5bf2c Fix 2026-05-10 19:49:32 +02:00
soraefir
a57818e37e Fix db 2026-05-10 19:43:19 +02:00
soraefir
0e61b2fad4 saml name 2026-05-10 19:41:58 +02:00
soraefir
9016657699 import cert 2026-05-10 19:34:46 +02:00
soraefir
5462434558 Fix 2026-05-10 19:19:15 +02:00
soraefir
aa36fa812c Foix blueprint 2026-05-10 19:14:37 +02:00
soraefir
f5f28968c6 test blueprint fix 2026-05-10 18:58:13 +02:00
soraefir
4c2ef6e264 Fix blueprints 2026-05-10 18:51:58 +02:00
soraefir
fa808f3eb2 Fix nix mkdata 2026-05-10 18:44:58 +02:00
soraefir
7bc9ae1f2d Fix mkData 2026-05-10 18:42:03 +02:00
soraefir
e53be27e96 Fix 2026-05-10 18:36:20 +02:00
soraefir
88ab6e2007 typo 2026-05-10 18:34:23 +02:00
soraefir
864e698272 fix 2026-05-10 18:33:22 +02:00
soraefir
8961706503 fix 2026-05-10 18:31:56 +02:00
soraefir
c637fea0d0 Add authentik blueprints 2026-05-10 18:29:53 +02:00
soraefir
9813e7d49a Longer timeout 2026-05-10 12:29:46 +02:00
soraefir
ea6db4b9bf fix 2026-05-10 12:26:34 +02:00
soraefir
2eff0969e0 fix 2026-05-10 12:21:46 +02:00
soraefir
cf5648122d fix 2026-05-10 12:21:01 +02:00
soraefir
b10e7a5a93 fix 2026-05-10 12:04:03 +02:00
soraefir
882a43b705 cfg 2026-05-10 12:03:05 +02:00
soraefir
e9868a2513 fix 2026-05-10 12:02:02 +02:00
soraefir
43a0f903b0 Fix 2026-05-10 12:01:28 +02:00
soraefir
1b76ec20b4 fix 2026-05-10 11:59:37 +02:00
soraefir
6a7fcf6152 fix 2026-05-10 11:58:29 +02:00
soraefir
b6bc6dd138 dbg 2026-05-10 11:57:59 +02:00
soraefir
90f8387192 tmp ignore 2026-05-10 11:56:13 +02:00
soraefir
25604d6c14 test 2026-05-10 11:55:53 +02:00
soraefir
51d60de5c0 fix 2026-05-10 11:54:37 +02:00
soraefir
5e8cd65785 fix 2026-05-10 11:52:32 +02:00
soraefir
fa5845808b fix 2026-05-10 11:50:34 +02:00
soraefir
28c17d9bb6 colors 2026-05-10 11:49:18 +02:00
soraefir
89d2f9a48e typo2 2026-05-10 11:42:53 +02:00
soraefir
e58d323ea0 typo 2026-05-10 11:41:59 +02:00
soraefir
7465b6b24c script omprovement 2026-05-10 11:38:19 +02:00
soraefir
59c6b68501 Add cron 2026-05-09 19:40:22 +02:00
soraefir
9273387170 Script improvements 2026-05-09 19:35:05 +02:00
soraefir
55a08673f0 fix caldav 2026-05-09 19:25:06 +02:00
soraefir
5dbb95603d silence script verbosity 2026-05-09 19:20:35 +02:00
soraefir
d60f8dd56f improve script 2026-05-09 19:18:27 +02:00
soraefir
7d35cb319f Fix 2026-05-09 19:12:36 +02:00
soraefir
8d4caac83b group for nextcloud 2026-05-09 18:47:38 +02:00
soraefir
ad2b492b51 Fix service 2026-05-09 18:42:22 +02:00
soraefir
4b68accf2f fix nextcloud 2026-05-09 17:52:39 +02:00
soraefir
0d9c8a2974 fix 2026-05-09 17:51:06 +02:00
soraefir
63d2dddd1e setup scripts 2026-05-09 17:50:23 +02:00
soraefir
55d678df19 bump nextcloud 2026-05-09 13:33:56 +02:00
soraefir
88a4ab069e registries 2026-05-09 13:28:48 +02:00
soraefir
c54ed4a712 Admin user 2026-05-09 12:54:13 +02:00
soraefir
3db4517a3b temps 2026-05-09 12:43:16 +02:00
soraefir
f3dfe561ad add plugin 2026-05-09 12:38:04 +02:00
soraefir
b58da2b2e1 port fix 2026-05-09 12:12:42 +02:00
soraefir
28fa63919f Fix env 2026-05-09 12:09:27 +02:00
soraefir
cb7e29bfe0 container settings 2026-05-09 11:58:38 +02:00
soraefir
ea58be6fdc fix typo 2026-05-09 11:57:21 +02:00
soraefir
da51e61c05 escape 2026-05-09 11:56:42 +02:00
soraefir
1ca61b70d2 fix env 2026-05-09 11:53:29 +02:00
soraefir
eafafe876f postgres 2026-05-09 11:03:58 +02:00
soraefir
21adca1fbc tmp perm 2026-05-09 10:50:25 +02:00
soraefir
57efc58bc2 Fix user etherpad 2026-05-09 10:46:04 +02:00
soraefir
cd5deea849 etherpad 2026-05-09 10:45:16 +02:00
soraefir
9f5f8751e5 fix ddos 2026-05-09 10:32:18 +02:00
soraefir
f02adc6d93 fix 2026-05-09 10:24:13 +02:00
soraefir
b2f6d8cc9e Fix 2026-05-09 10:19:21 +02:00
soraefir
c18ac097fa test 2026-05-09 10:17:27 +02:00
soraefir
1fc9017e7e fix 2026-05-09 10:12:01 +02:00
soraefir
8ff90e54b8 fix 2026-05-09 10:11:21 +02:00
soraefir
fba3a24f16 custom image 2026-05-09 10:09:51 +02:00
soraefir
fcb97828f4 test custom img 2026-05-09 10:04:47 +02:00
soraefir
e04382742f cleanup traefik 2026-05-09 10:03:09 +02:00
soraefir
48b40d819b fix typo 2026-05-09 09:56:28 +02:00
soraefir
8b75968f11 fix tls 2026-05-09 09:55:30 +02:00
soraefir
dda8409329 cert 2026-05-09 09:46:18 +02:00
soraefir
9a0b5171b1 fix dns 2026-05-09 09:42:33 +02:00
soraefir
9abb5b2f26 logs 2026-05-09 09:35:41 +02:00
soraefir
8362599b54 traefik 2026-05-09 09:34:07 +02:00
soraefir
c1b9c12281 fix 2026-05-09 09:26:40 +02:00
soraefir
e4dcb0bd39 api port 2026-05-09 00:20:27 +02:00
soraefir
a31991c507 typo 2026-05-08 23:58:53 +02:00
soraefir
e1651cba2a traefik docker 2026-05-08 23:57:19 +02:00
soraefir
bb5ecbba73 acme 2026-05-08 23:54:20 +02:00
soraefir
0c79617647 test acme 2026-05-08 23:48:37 +02:00
soraefir
a3bc8b80c5 fix acme 2026-05-08 23:39:48 +02:00
soraefir
55fcf8b71a fix 2026-05-08 23:32:25 +02:00
soraefir
5aabd9acce Fix 2026-05-08 23:31:56 +02:00
soraefir
e652c12bf2 fix traefik 2026-05-08 23:30:04 +02:00
soraefir
4c684cf9b1 Fix portfw traefik 2026-05-08 23:18:43 +02:00
soraefir
0c60bbbaa8 rm deprecated 2026-05-08 23:14:51 +02:00
soraefir
097334b483 fix statfs 2026-05-08 23:10:52 +02:00
soraefir
bfd099d201 container registry 2026-05-08 23:05:25 +02:00
soraefir
1fe6e43046 sops 2026-05-08 22:56:05 +02:00
soraefir
23b8ad480e fix subdomain 2026-05-08 22:55:21 +02:00
soraefir
3d1fc2a2c9 traefik 2026-05-08 22:53:41 +02:00
soraefir
aacca16eb2 fix tmpfs 2026-05-08 21:05:08 +02:00
soraefir
5de459c347 fix nulls 2026-05-08 21:01:46 +02:00
soraefir
d898116ff4 fix nulls 2026-05-08 20:59:40 +02:00
soraefir
e2b688c836 fix sops 2026-05-08 20:54:54 +02:00
soraefir
b5d57bf9c8 test 2026-05-08 20:52:08 +02:00
soraefir
236f9dbdc3 Sops 2026-05-08 20:50:13 +02:00
soraefir
9696ca9a6d ipfw 2026-05-08 20:47:00 +02:00
soraefir
df523c48e5 rename and fix 2026-05-08 20:46:23 +02:00
soraefir
4d398d5596 sops 2026-05-08 20:36:26 +02:00
soraefir
5045291097 sops 2026-05-08 20:35:43 +02:00
soraefir
2dc1632a40 sops 2026-05-08 20:32:37 +02:00
soraefir
744a2b8563 Secrets 2026-05-08 20:31:12 +02:00
soraefir
b722d349af fix cloud 2026-05-08 20:28:22 +02:00
soraefir
7438905618 WIP 2026-05-08 20:25:51 +02:00
soraefir
908c144c73 add cloud 2026-05-08 20:25:14 +02:00
soraefir
6d353df19f fix collabora 2026-05-08 20:23:40 +02:00
soraefir
7194d91b1c WIP 2026-05-08 20:22:04 +02:00
soraefir
d3c301db36 Fix 2026-05-08 02:52:56 +02:00
soraefir
135d48d78c test 2026-05-08 02:47:19 +02:00
soraefir
d4292cd46d test 2026-05-08 02:45:33 +02:00
soraefir
4a4d3e3604 typo 2026-05-08 02:37:06 +02:00
soraefir
d076538901 test 2026-05-08 02:35:32 +02:00
soraefir
8fedaf18cd firewall? 2026-05-08 02:20:28 +02:00
soraefir
4c1f9f0e78 nft 2026-05-08 02:17:10 +02:00
soraefir
1a8eb085df fix db ? 2026-05-08 02:13:44 +02:00
soraefir
8a619d9fc6 env 2026-05-08 02:00:10 +02:00
soraefir
a76f920297 Fix 2026-05-08 01:58:37 +02:00
soraefir
fe93cb708e accept podman traffic 2026-05-08 01:49:31 +02:00
soraefir
cb29056296 Sops 2026-05-08 01:37:57 +02:00
soraefir
4bc68eeeaf more fix 2026-05-08 01:34:17 +02:00
soraefir
9cf9937cb7 wg nft 2026-05-08 01:26:53 +02:00
soraefir
593514c100 fix ssh 2026-05-08 01:21:56 +02:00
soraefir
6ad9a0b34c Env 2026-05-08 01:19:04 +02:00
soraefir
65e3568072 Db 2026-05-08 01:18:02 +02:00
soraefir
c55b06cca9 fix nft 2026-05-08 01:15:56 +02:00
soraefir
40dba4b959 Fix nftable 2026-05-08 01:15:27 +02:00
soraefir
bc8a9d42f9 Fix nftable 2026-05-08 01:09:51 +02:00
soraefir
cd5a1aeed4 temp fix 2026-05-08 01:08:59 +02:00
soraefir
0f2081486d Wops 2026-05-08 01:08:07 +02:00
soraefir
1c022d7642 Fix secret 2026-05-08 00:53:00 +02:00
soraefir
379f6befb3 fix 2026-05-08 00:44:13 +02:00
soraefir
868d2ce116 fix 2026-05-08 00:29:12 +02:00
soraefir
94fdfa2b33 Test acme 2026-05-08 00:17:46 +02:00
soraefir
a73ad174ea Fix 2026-05-08 00:14:41 +02:00
soraefir
fba5a79ce6 Fix parenthesis 2026-05-08 00:12:17 +02:00
soraefir
e8c9fc52fb Update 2026-05-08 00:06:21 +02:00
soraefir
8092bac6b7 nginx 2026-05-07 00:03:43 +02:00
soraefir
7d80478e83 more fixes authentik 2026-05-06 23:47:09 +02:00
soraefir
2cab462db5 Fix authentik worker 2026-05-06 23:45:21 +02:00
soraefir
0bb796fbe8 Fix cfg 2026-05-06 23:42:29 +02:00
soraefir
1f2cc94a0a Fix builder 2026-05-06 23:39:28 +02:00
soraefir
3caf507905 Fix attempt 2026-05-06 23:35:03 +02:00
soraefir
27a5566ac6 Rename file 2026-05-06 23:31:12 +02:00
soraefir
b439888fa8 Fix naming 2026-05-06 23:30:08 +02:00
soraefir
093497367a container builder 2026-05-06 23:28:49 +02:00
soraefir
1c0cfd1afe change podman building 2026-05-06 22:59:11 +02:00
53 changed files with 2218 additions and 620 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,3 +2,4 @@ result
age-key.txt age-key.txt
.decrypted~common.yaml .decrypted~common.yaml
.decrypted* .decrypted*
.tmp

48
flake.lock generated
View File

@@ -45,11 +45,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775037210, "lastModified": 1777780666,
"narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=", "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "06648f4902343228ce2de79f291dd5a58ee12146", "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -103,11 +103,11 @@
}, },
"hardware": { "hardware": {
"locked": { "locked": {
"lastModified": 1776983936, "lastModified": 1778143761,
"narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=", "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -139,11 +139,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777771528, "lastModified": 1777851538,
"narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=", "narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51", "rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -174,11 +174,11 @@
}, },
"nixUnstable": { "nixUnstable": {
"locked": { "locked": {
"lastModified": 1777641297, "lastModified": 1778274207,
"narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=", "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0", "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -190,11 +190,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1777428379, "lastModified": 1778003029,
"narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=", "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "755f5aa91337890c432639c60b6064bb7fe67769", "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -221,11 +221,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1777578337, "lastModified": 1777954456,
"narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=", "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "15f4ee454b1dce334612fa6843b3e05cf546efab", "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -241,11 +241,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1777763626, "lastModified": 1778376280,
"narHash": "sha256-UFwZDbdMezNnxZwikhDR4EWiCPUiEmPXHmqLOrcG34g=", "narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nur", "repo": "nur",
"rev": "3873764e5896bd6da6cf0df17172849ea51ac5eb", "rev": "828688994167eb57628c98fd1d7e1223b079cda1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -274,11 +274,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777338324, "lastModified": 1777944972,
"narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=", "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5", "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"type": "github" "type": "github"
}, },
"original": { "original": {

8
flake.nix
View File

@@ -17,19 +17,11 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# hyprland = {
# url = "github:hyprwm/Hyprland";
# inputs.nixpkgs.follows = "nixpkgs";
# };
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-colors.url = "github:misterio77/nix-colors"; nix-colors.url = "github:misterio77/nix-colors";
arion.url = "github:hercules-ci/arion";
arion.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = inputs: outputs = inputs:

1
generator.nix
View File

@@ -13,7 +13,6 @@
./modules/nixos ./modules/nixos
syscfg syscfg
./systems/${host} ./systems/${host}
inputs.arion.nixosModules.arion
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
{ {

1
modules/nixos/system/hw/virt/default.nix
View File

@@ -18,5 +18,6 @@
}; };
}; };
}; };
virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
}; };
} }

6
modules/nixos/system/network/base/default.nix
View File

@@ -7,11 +7,13 @@
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = allowedUDPPorts =
(if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
[ ]; [ ];
allowedTCPPorts = allowedTCPPorts =
(if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++ (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
(if (config.syscfg.server != false) then [ 5432 6379 ] else [ ]) ++
[ ]; [ ];
}; };
}; };

46
modules/server/containers/apps/.template.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "EXAMPLE";
tag = "0.0.0";
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "echo 1" ];
ExposedPorts = { };
};
};
templateData = builder.mkData { name = "template"; dir = "template"; vars = {
_ARGUMENT = "template";
};
};
in {
sops = false;
db = false;
paths = [{
path="${serverCfg.configPath}/example/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = { };
overrides = {
cmd = [ ];
volumes = [ ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."EXAMPLE".path;
script = pkgs.writeShellScript "setup" ''
...
'';
};
}

8
modules/server/containers/apps/.todo.md Normal file
View File

@@ -0,0 +1,8 @@
# Missing
RSS: TTRSS / FreshRSS
Monitoring: Telegraf + InfluxDB
https://github.com/tarampampam/error-pages ?
- JellyFin external mkData for config (system.xml)
- Transmission Cfg and API/Token handling

109
modules/server/containers/apps/authentik.nix Normal file
View File

@@ -0,0 +1,109 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "2026.2.2";
serverCfg = config.syscfg.server;
authentikData = builder.mkData {
name = "authentik"; dir = "authentik"; vars = {
NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
COOKIE_DOMAIN = "${serverCfg.hostDomain}";
AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
};
};
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.configPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.configPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = 9000;
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
AUTHENTIK_EMAIL__PORT = "587";
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.hostDomain}";
AUTHENTIK_EMAIL__USE_TLS = "true";
AUTHENTIK_EMAIL__USE_SSL = "false";
AUTHENTIK_EMAIL__TIMEOUT = "10";
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.hostDomain}";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "server" ];
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:9000" ] else [];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = "authentik";
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
ldap = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/ldap:${version}";
secret = name;
extraEnv = {
"AUTHENTIK_HOST" = "http://${builder.host}:9000";
"AUTHENTIK_INSECURE" = "false";
};
overrides = {
ports = [ "389:3389" "636:6636" ];
};
};
};
setup = {
trigger = "worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
$AK apply_blueprint /blueprints/custom/authentik.yaml
$AK apply_blueprint /blueprints/custom/traefik.yaml
$AK apply_blueprint /blueprints/custom/ldap.yaml
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
echo "Completed Authentik Setup"
'';
};
}

34
modules/server/containers/apps/collabora.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
sops = true;
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "collabora/code:${version}";
port = 9980;
secret = name;
extraEnv = {
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
"server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
"username" = "collabora_user";
"VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
"VIRTUAL_PORT" = "9980";
"VIRTUAL_PROTO" = "http";
"DONT_GEN_SSL_CERT" = "true";
"RESOLVE_TO_PROXY_IP" = "true";
"extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
"dictionaries" = "en fr de jp no";
};
overrides = {
volumes = [
"${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
"${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
];
};
};
};
}

39
modules/server/containers/apps/ethercalc.nix Normal file
View File

@@ -0,0 +1,39 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
ethercalc_exe = pkgs.ethercalc;
image = pkgs.dockerTools.streamLayeredImage {
name = "ethercalc";
tag = ethercalc_exe.version;
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
ExposedPorts = { "8080/tcp" = {}; };
};
};
in {
sops = true;
paths = [{
path="${serverCfg.dataPath}/ethercalc/";
mode = "0666";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
ETHERCALC_PORT = "8080";
#CONNECT TO REDIS
};
overrides = {
volumes = [
"${serverCfg.dataPath}/ethercalc:/data"
];
};
};
};
}

124
modules/server/containers/apps/etherpad.nix Normal file
View File

@@ -0,0 +1,124 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
etherpad_exe = pkgs.etherpad-lite;
settings = pkgs.writeText"settings.json" (builtins.toJSON {
title= "\${TITLE:Etherpad}";
showRecentPads = "\${SHOW_RECENT_PADS:true}";
favicon = "\${FAVICON:null}";
publicURL = "\${PUBLIC_URL:null}";
skinName = "\${SKIN_NAME:colibris}";
skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
ip = "\${IP:0.0.0.0}";
port = "\${PORT:9001}";
showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
enableMetrics = "\${ENABLE_METRICS:true}";
updates.tier = "off";
cleanup.enabled = false;
gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
enableDarkMode = "\${ENABLE_DARK_MODE:true}";
enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
dbType = "\${DB_TYPE:dirty}";
dbSettings = {
host = "\${DB_HOST:undefined}";
port = "\${DB_PORT:undefined}";
database = "\${DB_NAME:undefined}";
user = "\${DB_USER:undefined}";
password = "\${DB_PASS:undefined}";
charset = "\${DB_CHARSET:undefined}";
filename = "\${DB_FILENAME:var/dirty.db}";
collection = "\${DB_COLLECTION:undefined}";
url = "\${DB_URL:undefined}";
};
defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
padOptions = {
noColors = "\${PAD_OPTIONS_NO_COLORS:false}";
showControls = "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
showChat = "\${PAD_OPTIONS_SHOW_CHAT:true}";
showLineNumbers = "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
userName = "\${PAD_OPTIONS_USER_NAME:null}";
userColor = "\${PAD_OPTIONS_USER_COLOR:null}";
rtl = "\${PAD_OPTIONS_RTL:false}";
alwaysShowChat = "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
chatAndUsers = "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
lang = "\${PAD_OPTIONS_LANG:null}";
fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
};
requireSession = "\${REQUIRE_SESSION:false}";
editOnly = "\${EDIT_ONLY:false}";
minify = "\${MINIFY:true}";
requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
trustProxy = "\${TRUST_PROXY:true}";
ep_headerauth.username_header = "X-authentik-username";
users.admin = {
password = "\${ADMIN_PASSWORD:null}";
is_admin = true;
};
socketTransportProtocols = ["websocket" "polling"];
socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
indentationOnNewLine = true;
loglevel = "\${LOGLEVEL:INFO}";
lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
});
image = pkgs.dockerTools.streamLayeredImage {
name = "etherpad";
tag = etherpad_exe.version;
contents = [ pkgs.bashInteractive ];
config = {
Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
ExposedPorts = { "8080/tcp" = {}; };
};
};
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.configPath}/etherpad/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8080;
secret = name;
extraEnv = {
TITLE = "Pad";
PORT ="8080";
DB_TYPE = "postgres";
DB_HOST = builder.host;
DB_NAME = "etherpad_db";
DB_USER = "etherpad_user";
TRUST_PROXY = "true";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
overrides = {
cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
volumes = [
"${settings}:/etc/etherpad/settings.json"
"${serverCfg.configPath}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."ETHERPAD".path;
script = pkgs.writeShellScript "setup" ''
echo "$APIKEY" > ${serverCfg.configPath}/etherpad/APIKEY.txt
chmod 444 ${serverCfg.configPath}/etherpad/APIKEY.txt
'';
};
}

95
modules/server/containers/apps/frigate.nix Normal file
View File

@@ -0,0 +1,95 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
# Ensure the package is available (Nixpkgs includes frigate)
frigatePkg = pkgs.frigate;
image = pkgs.dockerTools.streamLayeredImage {
name = "frigate";
tag = frigatePkg.version;
contents = [
pkgs.bashInteractive
frigatePkg
pkgs.ffmpeg # Explicitly included for video stream processing
];
config = {
Entrypoint = [ "${frigatePkg}/bin/frigate" ];
Cmd = [ "start" ];
ExposedPorts = {
"5000/tcp" = {}; # Web UI / API
"8554/tcp" = {}; # RTSP Feeds
"8555/tcp" = {}; # WebRTC
};
Env = [
"FRIGATE_RTSP_PASSWORD=secret" # Base fallback, overridden by envFile/sops
];
};
};
in {
sops = true; # Enabled to safeguard sensitive camera RTSP stream credentials
db = false; # Internal SQLite is used by default in Frigate
paths = [
{
path = "${serverCfg.configPath}/frigate/";
mode = "0755";
}
{
path = "/var/lib/frigate/storage/";
mode = "0755"; # Dedicated path for heavy video recordings and media
}
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 5000;
secret = name;
extraEnv = {
PLUS_API_KEY = ""; # Optional: For Frigate Plus users
};
overrides = {
cmd = [ ];
volumes = [
"${serverCfg.configPath}/frigate:/config"
"/var/lib/frigate/storage:/media/frigate"
"/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
"/dev/dri:/dev/dri" # Passes Intel/AMD GPU for hardware video decoding
];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."FRIGATE_ENV".path;
script = pkgs.writeShellScript "setup-frigate" ''
mkdir -p "${serverCfg.configPath}/frigate"
mkdir -p "/var/lib/frigate/storage"
# Bootstrap a standard configuration layout if missing
if [ ! -f "${serverCfg.configPath}/frigate/config.yml" ]; then
cat <<EOF > "${serverCfg.configPath}/frigate/config.yml"
mqtt:
enabled: False # Set to True and define host if connecting to Home Assistant
database:
path: /config/frigate.db
cameras:
dummy_camera: # Replace with your actual RTSP stream details
enabled: false
ffmpeg:
inputs:
- path: rtsp://127.0.0.1:554/live
roles:
- detect
detect:
enabled: false
EOF
fi
'';
};
}

130
modules/server/containers/apps/gitea.nix Normal file
View File

@@ -0,0 +1,130 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "latest";
serverCfg = config.syscfg.server;
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.dataPath}/gitea/data";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.dataPath}/gitea/data-runner";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "gitea/gitea:${version}";
port = 8080;
secret = name;
extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
GITEA__repository__DISABLE_STARS = "true";
GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
# GITEA__ui__THEMES = "";
# GITEA__ui__DEFAULT_THEME = "";
# GITEA__security__SECRET_KEY = "SECRET_ENV";
# GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
# GITEA__database__PASSWD = "SECRET_ENV";
# GITEA__mailer__PASSWD="SECRET_ENV";
GITEA__database__DB_TYPE = "postgres";
GITEA__database__HOST = builder.host;
GITEA__database__NAME = "gitea_db";
GITEA__database__USER = "gitea_user";
GITEA__mailer__ENABLED = "true";
GITEA__mailer__FROM = "";
GITEA__mailer__PROTOCOL = "smtps";
GITEA__mailer__SMTP_ADDR = "";
GITEA__mailer__SMTP_PORT = "";
GITEA__mailer__USER= "";
GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.hostDomain}/";
GITEA__server__PROTOCOL = "http";
GITEA__server__HTTP_PORT = "8080";
GITEA__server__LFS_START_SERVER = "true";
GITEA__security__INSTALL_LOCK = "true";
} // ( if serverCfg.containers?authentik then {
GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/outpost.goauthentik.io/sign_out";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
GITEA__security__RREVERSE_PROXY_LIMIT = "1";
GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
} else {});
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.hostDomain}`) && Path(`/user/login`) ";
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
};
overrides = {
volumes = [
"${serverCfg.dataPath}/gitea/data:/data"
];
ports = [ "2222:22" ];
};
};
runner = builder.mkContainer {
image = "gitea/act_runner:${version}";
secret = name;
extraEnv = {
CONFIG_FILE="/data/config.yml";
GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
};
overrides = {
volumes = [
"${serverCfg.dataPath}/gitea/data-runner:/data"
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
# ports = [ "8088:8088" ];
};
};
};
setup = {
trigger = "server";
envFile = config.sops.secrets."CUSTOM".path;
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
$GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
RUNNER_TOKEN=$($GT actions generate-runner-token)
$GTR register \
--instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \
--token "$RUNNER_TOKEN" \
--name "Runner" \
--labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
--no-interactive
echo "Completed Gitea Setup"
'';
};
}

3
modules/server/containers/apps/handbrake.nix Normal file
View File

@@ -0,0 +1,3 @@
{...}:{
}

43
modules/server/containers/apps/homeassistant.nix Normal file
View File

@@ -0,0 +1,43 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.home-assistant.name;
tag = pkgs.home-assistant.version;
contents = [ ];
config = {
Entrypoint = [ "${pkgs.home-assistant}/bin/hass" ];
ExposedPorts = {
"8123/tcp" = {};
};
};
};
in {
sops = true;
db = false;
paths = [{
path = "${serverCfg.configPath}/homeassistant/";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8123;
secret = name;
extraEnv = {
TZ = config.time.timeZone or "UTC";
};
overrides = {
cmd = [ "--config" "/config" ];
volumes = [
"${serverCfg.configPath}/homeassistant/:/config"
"/run/dbus:/run/dbus:ro" # Required for Bluetooth/mDNS service discovery
];
};
};
};
}

57
modules/server/containers/apps/immich.nix Normal file
View File

@@ -0,0 +1,57 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
immichServerImage = pkgs.dockerTools.pullImage {
imageName = "ghcr.io/immich-app/immich-server";
imageDigest = "sha256:d5cb251d7c3bcbb8e5bb974c8de53f3e1f0efcb71e21bde1b66df872a0a2df3d";
sha256 = "0000000000000000000000000000000000000000000000000000";
};
immichMachineLearningImage = pkgs.dockerTools.pullImage {
imageName = "ghcr.io/immich-app/immich-machine-learning";
imageDigest = "sha256:4a25fdcd11c13bc33e8b4e7eef118bc23dbd4df012012ec6d7fb1eeef872ad4d";
sha256 = "0000000000000000000000000000000000000000000000000000";
};
in {
sops = false;
db = true;
paths = [{
path = "${serverCfg.configPath}/immich/cache";
mode = "0750";
}{
path = "${serverCfg.dataPath}/immich/";
mode = "0750";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = immichServerImage;
port = 2283;
secret = name;
extraEnv = {
DB_URL = "postgresql://immich_user:\${DB_PASS}@${builder.host}/immich_db";
IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
REDIS_HOSTNAME = builder.host;
};
overrides = {
volumes = [
"${serverCfg.dataPath}/immich:/usr/src/upload"
];
};
};
immich-ml = builder.mkContainer {
imageStream = immichMachineLearningImage;
port = 3003;
overrides = {
volumes = [
"${serverCfg.configPath}/immich/cache:/cache"
];
};
};
};
}

45
modules/server/containers/apps/influx.nix Normal file
View File

@@ -0,0 +1,45 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
influxPkg = pkgs.influxdb2;
image = pkgs.dockerTools.streamLayeredImage {
name = influxPkg.name;
tag = influxPkg.version;
contents = [ ];
config = {
Entrypoint = [ "${influxPkg}/bin/influxd" ];
ExposedPorts = {
"8086/tcp" = {}; # Combined Engine and UI port
};
};
};
in {
sops = true; # Highly recommended for initial admin passwords and setup tokens
db = false; # Using InfluxDB directly as the primary database
paths = [{
path = "${serverCfg.configPath}/influxdb/";
mode = "0700"; # Strict database permissions
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 8086;
secret = name;
extraEnv = {
INFLUXD_CONFIG_PATH = "var/lib/influxdb2/config";
INFLUXD_BOLT_PATH = "/var/lib/influxdb2/influxdb.bolt";
INFLUXD_ENGINE_PATH = "/var/lib/influxdb2/engine";
};
overrides = {
volumes = [
"${serverCfg.configPath}/influxdb/:/var/lib/influxdb2"
];
};
};
};
}

47
modules/server/containers/apps/invidious.nix Normal file
View File

@@ -0,0 +1,47 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
invidiousImage = pkgs.dockerTools.pullImage {
imageName = "quay.io/invidious/invidious";
imageDigest = "sha256:7b5cfca1b369cbb87a6c983a54d588cb375ff60c6d71b3e1f0e2f59265f2a1b9"; # Pin tag digest
sha256 = lib.fakeSha256;
};
companionImage = pkgs.dockerTools.pullImage {
imageName = "quay.io/invidious/inv-sig-helper";
imageDigest = "sha256:2d150b07b1406b3a0c25a5f1e8e25d6b46efbb12dbfde6125026bc9812a647ad";
sha256 = lib.fakeSha256;
};
in {
sops = true;
db = true;
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = invidiousImage;
port = 3000;
secret = name;
extraEnv = {
INVIDIOUS_DATABASE_URL = "postgres://invidious_user:\${DB_PASS}@${builder.host}/invidious_db";
INVIDIOUS_HMAC_KEY = "\${HMAC_KEY}";
INVIDIOUS_COMPANION_URL = "http://invidious-companion:12999";
INVIDIOUS_PO_TOKEN = "\${PO_TOKEN}";
INVIDIOUS_VISITOR_DATA = "\${VISITOR_DATA}";
INVIDIOUS_PORT = "3000";
INVIDIOUS_COMPANION_KEY = "\${INVIDIOUS_KEY}";
INVIDIOUS_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
#registration_enabled: false
};
};
companion = builder.mkContainer {
imageStream = companionImage;
port = 12999;
overrides = {
cmd = [ "--tcp" "0.0.0.0:12999" ];
};
};
};
}

68
modules/server/containers/apps/jellyfin.nix Normal file
View File

@@ -0,0 +1,68 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
name = pkgs.jellyfin.name;
tag = pkgs.jellyfin.version;
contents = [
pkgs.cacert
];
config = {
Entrypoint = [ "${pkgs.jellyfin}/bin/jellyfin" ];
ExposedPorts = { "8096/tcp" = { }; };
};
};
in {
paths = [
{
path = "${serverCfg.dataPath}/media/";
mode = "0755";
}
{
path = "${serverCfg.configPath}/jellyfin/";
mode = "0755";
}
];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
# imageFile = image;
port = 8096;
# secret = name;
extraEnv = {
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
# JELLYFIN_WEB_DIR = "${pkgs.jellyfin-web}/share/jellyfin-web";
JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
};
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
cmd = [
"--datadir" "/config/data"
"--cachedir" "/config/cache"
"--configdir" "/config/config"
"--logdir" "/config/log"
];
volumes = [
"${serverCfg.dataPath}/media:/media:ro"
"${serverCfg.configPath}/jellyfin:/config"
];
# If you have an Intel/AMD GPU for transcoding, add the device:
devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
};
};
};
#LDAP_DC_DOMAIN = "dc=ldap,dc=helcel,dc=net"
#HOST=...
#LDAP_BIND_USER=ldap-sa
#LDAP_BIND_PASSWORD=...
#LDAP_GROUP=flix
#LDAP_ADMIN=admin
}

199
modules/server/containers/apps/nextcloud.nix Normal file
View File

@@ -0,0 +1,199 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version = "31";
serverCfg = config.syscfg.server;
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.dataPath}/nextcloud/www";
owner = "33:33";
mode = "0755";
}{
path="${serverCfg.dataPath}/nextcloud/data";
owner = "33:33";
mode = "0755";
backup = true;
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "nextcloud:${version}";
port = 80;
secret = name;
extraEnv = {
REDIS_HOST = builder.host;
POSTGRES_HOST = builder.host;
POSTGRES_USER = "nextcloud_user";
POSTGRES_DB = "nextcloud_db";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
"NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
"SMTP_HOST" = serverCfg.mailServer;
"SMTP_NAME" = "mail_user";
"SMTP_PASSWORD" = "mail_password";
"MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
"MAIL_DOMAIN" = serverCfg.mailDomain;
"TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
};
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
};
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
volumes = [
"${serverCfg.dataPath}/nextcloud/www:/var/www/html"
"${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
];
};
};
};
setup = {
trigger = "server";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u www-data nextcloud-server php occ"
echo "Waiting for Nextcloud container to start..."
until $OCC status > /dev/null 2>&1; do
sleep 2
done
INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
if [ -z "$INSTALLED" ]; then
echo "Running first-time setup..."
$OCC maintenance:install \
--admin-user "$DEFAULT_ADMIN_USERNAME" \
--admin-pass "$DEFAULT_ADMIN_PASSWORD"
fi
if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
rm -f "/tmp/force-nextcloud-setup"
echo "Applying Settings..."
$OCC config:system:set default_phone_region --value="CH"
$OCC config:system:set overwriteprotocol --value="https"
$OCC config:app:set core backgroundjobs_mode --value="cron"
$OCC config:system:set maintenance_window_start --type=integer --value=1
$OCC config:system:set default_language --value="en"
$OCC config:system:set default_locale --value="en_CH"
echo "Applying Apps..."
$OCC app:disable activity || true
$OCC app:disable app_api || true
$OCC app:disable comments || true
$OCC app:disable firstrunwizard || true
$OCC config:system:set show_first_run_wizard --type=bool --value=false
$OCC app:disable nextcloud_announcements || true
$OCC app:disable oauth2 || true
$OCC app:disable recommendations || true
$OCC app:disable sharebymail || true
$OCC app:disable support || true
$OCC app:disable survey_client || true
$OCC app:disable updatenotification || true
$OCC app:disable user_status || true
$OCC app:install calendar || true
$OCC app:install calendar || true
$OCC app:install contacts || true
$OCC app:install camerarawpreviews || true
$OCC app:install cospend || true
$OCC app:install deck || true
$OCC app:install files_markdown || true
$OCC app:install forms || true
$OCC app:install groupfolders || true
$OCC app:install ownpad || true
$OCC app:install previewgenerator || true
$OCC app:install richdocuments || true
${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
# $OCC app:install side_menu || true
$OCC app:install spreed || true
$OCC app:install teamfolders || true
${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
echo "Applying Apps Settings..."
$OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
$OCC config:app:set cospend allow_federation --value="yes"
${lib.optionalString (serverCfg.containers ? ethercalc) ''
$OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
$OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
''}
${lib.optionalString (serverCfg.containers ? etherpad) ''
$OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
$OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.hostDomain}"
''}
${lib.optionalString (serverCfg.containers ? collabora) ''
$OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
$OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
$OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
''}
${lib.optionalString (serverCfg.containers ? authentik) ''
$OCC saml:config:set 1 --general-idp0_display_name="authentik"
$OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
$OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}"
$OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/sso/binding/redirect/"
$OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/slo/binding/redirect/"
AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
$OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT"
$OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
$OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
$OCC group:add admin || true
$OCC group:add cloud || true
$OCC config:app:set user_saml general-group_provisioning --value="0"
$OCC config:app:set user_saml general-require_provisioning_groups --value="1"
''}
# configure side_menu ...
FOLDERS=$($OCC teamfolders:list --format=json)
${builtins.concatStringsSep "\n" (map (name: ''
if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
$OCC teamfolders:create "${name}"
fi
'') containerCfg.extra.teamFolders or [])}
SERVERS=$($OCC federation:list-servers --format=json)
${builtins.concatStringsSep "\n" (map (domain: ''
if ! echo "$SERVERS" | grep -q "${domain}"; then
$OCC federation:add-server "https://${domain}"
fi
'') containerCfg.extra.federatedServers or [])}
$OCC config:app:set systemtags allow_user_creating --value="no"
echo "Applying Theme..."
$OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}"
${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
$OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
$OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
#$OCC theming:config logo {serverCfg.colorScheme.logo}
#$OCC theming:config logoheader {serverCfg.colorScheme.logo}
#$OCC theming:config background {serverCfg.colorScheme.bg}
else
echo "Nextcloud is already installed. Skipping setup."
fi
echo "Maintenance..."
$OCC app:update --all
$OCC maintenance:repair --include-expensive --no-interaction
$OCC db:add-missing-indices --no-interaction
echo "Completed Setup"
'';
};
cron = [ "*/5 * * * * root ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
}

92
modules/server/containers/apps/searxng.nix Normal file
View File

@@ -0,0 +1,92 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
version= "latest";
serverCfg = config.syscfg.server;
settings = pkgs.writeText"settings.yml" (pkgs.lib.generators.toYAML {}{
use_default_settings = true;
brand = {
issue_url = "";
docs_url = "";
public_instances = "";
wiki_url = "";
custom = {
links = {
"Home" = "https://${serverCfg.hostDomain}";
# "Status" = "https://status.${serverCfg.hostDomain}";
};
};
pwa_colors = {
theme_color_light = "${serverCfg.colorScheme.palette.base0C}";
background_color_light = "${serverCfg.colorScheme.palette.base07}";
theme_color_dark = "${serverCfg.colorScheme.palette.base0C}";
background_color_dark = "${serverCfg.colorScheme.palette.base02}";
theme_color_black = "${serverCfg.colorScheme.palette.base0C}";
background_color_black = "${serverCfg.colorScheme.palette.base01}";
};
};
general = {
debug = false;
instance_name = if containerCfg.extra ? instanceName then containerCfg.extra.instanceName else "SearXNG";
privacypolicy_url = false;
donation_url = false;
contact_url = false;
enable_metrics = false;
};
search = {
safe_search = 0;
autocomplete = if containerCfg.extra ? autocomplete then containerCfg.extra.autocomplete else "";
languages = [ "all" "en" "en-US" "ja" "de-CH" "fr-CH" "nb" ];
};
server = {
# secret_key = ""; SET BY ENV VAR
};
ui = {
default_locale = if containerCfg.extra ? defaultLocale then containerCfg.extra.defaultLocale else "en";
# query_in_title = "true";
#default_theme = "custom";
custom_css = "footer { display: none !important; }";
};
# categories_as_tabs = {
# general = {};
# images ={};
# videos = {};
# news = {};
# files = {};
# };
plugins = {
"searx.plugins.infinite_scroll.SXNGPlugin".active = true;
"searx.plugins.tracker_url_remover.SXNGPlugin".active = true;
};
});
in {
sops = true;
# paths = [{
# path="${serverCfg.dataPath}/searxng/";
# mode = "0444";
# }];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "searxng/searxng:${version}";
port = 8080;
secret = name;
extraEnv = {
SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
SEARXNG_PORT = "8080";
SEARXNG_BIND_ADDRESS = "[::]";
SEARXNG_PUBLIC_INSTANCE = "false";
SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
#SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
};
overrides = {
cmd = [ ];
volumes = [
"${settings}:/etc/searxng/settings.yml"
# "/path/to/your/logo.png:/usr/local/searxng/searx/static/themes/simple/img/searxng.png
# "${serverCfg.dataPath}/searxng:/var/cache/searxng/"
];
};
};
};
}

83
modules/server/containers/apps/servarr.nix Normal file
View File

@@ -0,0 +1,83 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
mkServarrImage = appName: appPkg: binaryPath: pkgs.dockerTools.streamLayeredImage {
name = appPkg.name;
tag = appPkg.version;
contents = with pkgs; [ cacert openssl ];
config = {
Cmd = [ "${appPkg}/${binaryPath}" "-nobrowser" "-data=/config" ];
Env = [ "DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1" "HOME=/tmp" ];
};
};
images = {
prowlarr = mkServarrImage "prowlarr" pkgs.prowlarr "bin/Prowlarr";
radarr = mkServarrImage "radarr" pkgs.radarr "bin/Radarr";
sonarr = mkServarrImage "sonarr" pkgs.sonarr "bin/Sonarr";
bazarr = mkServarrImage "bazarr" pkgs.bazarr "bin/bazarr";
lidarr = mkServarrImage "lidarr" pkgs.lidarr "bin/Lidarr";
readarr = mkServarrImage "readarr" pkgs.readarr "bin/Readarr";
};
sharedVolumes = [
"${serverCfg.dataPath}/media:/media" # Fast hardlinking requires a single shared root
"${serverCfg.configPath}/servarr:/config-root"
];
in {
sops = true;
paths = [
{ path = "${serverCfg.dataPath}/media/"; mode = "0755"; }
{ path = "${serverCfg.configPath}/servarr/prowlarr"; mode = "0755"; }
{ path = "${serverCfg.configPath}/servarr/radarr"; mode = "0755"; }
{ path = "${serverCfg.configPath}/servarr/sonarr"; mode = "0755"; }
];
containers = {
prowlarr = builder.mkContainer {
subdomain = containerCfg.subdomain;
subpath = "prowlarr";
imageStream = images.prowlarr;
port = 9696;
secret = name;
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/prowlarr:/config" ];
};
radarr = builder.mkContainer {
subdomain = containerCfg.subdomain;
subpath = "radarr";
imageStream = images.radarr;
port = 7878;
secret = name;
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/radarr:/config" ];
};
sonarr = builder.mkContainer {
subdomain = containerCfg.subdomain;
subpath = "sonarr";
imageStream = images.sonarr;
port = 8989;
secret = name;
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/sonarr:/config" ];
};
};
# setup = {
# trigger = "prowlarr"; # Triggers atomic environment verification on main controller
# envFile = config.sops.secrets."SERVARR".path;
# script = pkgs.writeShellScript "setup-servarr" ''
# echo "Validating multi-container path permission nodes..."
# # mkdir -p ${serverCfg.configPath}/servarr/{prowlarr,radarr,sonarr}
# '';
# };
}

81
modules/server/containers/apps/traefik.nix Normal file
View File

@@ -0,0 +1,81 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = "traefik";
tag = pkgs.traefik.version;
contents = with pkgs;[ cacert tzdata ];
config = {
Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
WorkingDir = "/";
};
};
in {
sops = true;
paths = [{
path="${serverCfg.configPath}/traefik";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
imageStream = image;
subdomain = containerCfg.subdomain;
port = 8080;
secret = name;
extraLabels = {
"traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
"traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
"traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
"traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
} // (if containerCfg.extra ? provider || serverCfg.hostDomain != "localhost" then {
"traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}";
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}";
} else {});
extraEnv = { };
overrides = {
cmd = [
"--api"
"--log.level=INFO"
"--providers.docker=true"
"--global.checknewversion=false"
"--global.sendanonymoususage=false"
"--api.insecure=true"
"--api.dashboard=true"
"--providers.docker.exposedByDefault=false"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
"--entrypoints.web.http.redirections.entrypoint.to=web-secure"
"--entrypoints.web.http.redirections.entrypoint.scheme=https"
"--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
"--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
] ++ (if serverCfg.containers ? umami then [
"--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
"--experimental.plugins.umami-feeder.version=v1.4.1"
"--entrypoints.web-secure.http.middlewares=umami-global@docker"
] else []) ++ (if containerCfg.extra ? provider then [
"--certificatesresolvers.default.acme.email=acme@${serverCfg.hostDomain}"
"--certificatesresolvers.default.acme.dnschallenge=true"
"--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
"--certificatesresolvers.default.acme.storage=/custom/acme.json"
] else []) ++ (if serverCfg.hostDomain != "localhost" then [
"--certificatesresolvers.default.acme.httpchallenge=false"
"--certificatesresolvers.default.acme.tlschallenge=true"
] else []);
ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
volumes = [
"/var/run/podman/podman.sock:/var/run/docker.sock"
# "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik:/custom"
];
};
};
};
}

57
modules/server/containers/apps/transmission.nix Normal file
View File

@@ -0,0 +1,57 @@
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
serverCfg = config.syscfg.server;
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.transmission_4.name;
tag = pkgs.transmission_4.version;
contents = [ pkgs.cacert ];
config = {
Cmd = [ "${pkgs.transmission_4}/bin/transmission-daemon" "--foreground" "--config-dir" "/config" ];
ExposedPorts = {
"9091/tcp" = {};
"51413/tcp" = {}; "51413/udp" = {};
};
};
};
in {
paths = [{
path = "${serverCfg.dataPath}/transmission/complete";
owner = "1000:1000";
mode = "0755";
}{
path = "${serverCfg.dataPath}/transmission/incomplete";
owner = "1000:1000";
mode = "0755";
}{
path = "${serverCfg.dataPath}/transmission/config";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
imageStream = image;
port = 9091;
extraEnv = {
PUID = "1000";
PGID = "1000";
TZ = "Europe/Zurich";
};
extraLabels = { } // (if serverCfg.containers ? authentik then {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
} else {});
overrides = {
cmd = [ ];
volumes = [
"${serverCfg.dataPath}/transmission/complete:/downloads/complete"
"${serverCfg.dataPath}/transmission/incomplete:/downloads/incomplete"
"${serverCfg.dataPath}/transmission/config:/config"
];
};
};
};
}

3
modules/server/containers/apps/trmnl.nix Normal file
View File

@@ -0,0 +1,3 @@
{...}:{
}

59
modules/server/containers/apps/umami.nix Normal file
View File

@@ -0,0 +1,59 @@
{ config, containerCfg, pkgs, lib, builder, name,... }:
let
serverCfg = config.syscfg.server;
# Umami image built from nixpkgs
image = pkgs.dockerTools.streamLayeredImage {
name = pkgs.umami.name;
tag = pkgs.umami.version;
contents = with pkgs; [ cacert openssl ];
config = {
# Umami in nixpkgs typically provides a binary or script to start the server
Entrypoint = [ "${pkgs.umami}/bin/umami-server" ];
ExposedPorts = { "3000/tcp" = {}; };
Env = [ "NODE_ENV=production" ];
};
};
in {
sops = true;
db = true;
paths = [{
path = "${serverCfg.configPath}/umami/";
mode = "0444";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "${pkgs.umami.name}:${pkgs.umami.version}";
imageStream = image;
port = 3000;
secret = name;
extraEnv = {
PORT = "3000";
# HOSTNAME = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
DATABASE_TYPE = "postgresql";
REDIS_URL = "redis://${builder.host}";
CLIENT_IP_HEADER = "X-Forwarded-For";
BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
# DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
};
extraLabels = {
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
"traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
} // ( if serverCfg.containers?authentik then {
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
} else {});
extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
];
overrides = {
cmd = [ "start" ]; # Specific command for the umami binary
};
};
};
}

53
modules/server/containers/builder.nix Normal file
View File

@@ -0,0 +1,53 @@
{ config, lib, pkgs, serverCfg }:
let
builder =
{ image ? null, imageStream ? null, imageFile ? null
, secret ? null
, subdomain ? null, subpath?null, port ? 0
, extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
, overrides ? { }
}:
let
routerName = if subpath != null
then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
else subdomain;
base = {
image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}"
else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
imageStream = imageStream;
imageFile = imageFile;
environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
environment = {} // extraEnv;
labels = (if subdomain!=null then ({
"traefik.enable" = "true";
"traefik.http.routers.${routerName}.entrypoints" = "web-secure";
"traefik.http.routers.${routerName}.rule" = if subpath != null
then "Host(`${subdomain}.${serverCfg.hostDomain}`) && PathPrefix(`/${subpath}`)"
else "Host(`${subdomain}.${serverCfg.hostDomain}`)";
"traefik.http.routers.${routerName}.tls" = "true";
} // lib.optionalAttrs (port!=null) {
"traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
}) else {
"traefik.enable" = "false";
}) // extraLabels;
extraOptions = extraOptions ++ [
"--add-host=host.containers.internal:host-gateway"
];
};
in lib.recursiveUpdate base overrides;
in {
mkContainer = builder;
mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
mkdir -p $out
cp -r ${./data + "/${dir}"}/. $out/
find $out -type f | while read file; do
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
substituteInPlace "$file" --replace "@${n}@" "${toString v}"
'') vars)}
done
'';
host = "host.containers.internal";
}

70
modules/server/containers/data/authentik/authentik.yaml Normal file
View File

@@ -0,0 +1,70 @@
version: 1
metadata:
name: "Initial User Setup"
labels:
blueprint-type: core
entries:
# Optionally, disable the default enrollment flow entirely
- model: authentik_flows.flow
identifiers:
slug: "default-source-enrollment"
attrs:
designation: "enrollment"
enabled: false
# --- GROUPS ---
- model: authentik_core.group
identifiers:
name: "admin"
attrs:
is_superuser: true
- model: authentik_core.group
identifiers:
name: "cloud"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "dev"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "flix"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "family"
attrs:
is_superuser: false
# --- ADMIN USERS ---
- model: authentik_core.user
identifiers:
username: !Env DEFAULT_ADMIN_USERNAME
attrs:
name: !Env DEFAULT_ADMIN_USERNAME
email: !Env DEFAULT_ADMIN_EMAIL
password: !Env DEFAULT_ADMIN_PASSWORD
path: "users"
groups:
- !Find [authentik_core.group, [name, "admin"]]
# Disable the Initial Setup Flow
- model: authentik_flows.flow
identifiers:
slug: "initial-setup"
attrs:
authentication: "require_superuser"
enabled: false
# Disable the default 'akadmin' if it exists
- model: authentik_core.user
identifiers:
username: "akadmin"
attrs:
is_active: false

41
modules/server/containers/data/authentik/ldap.yaml Normal file
View File

@@ -0,0 +1,41 @@
version: 1
metadata:
name: Pre-configured LDAP Outpost
entries:
# 1. Define the LDAP Provider
- model: authentik_providers_ldap.ldapprovider
identifiers:
name: ldap-provider
attrs:
base_dn: "DC=ldap,@AUTHENTIK_LDAP_DC_DOMAIN@"
search_group: null
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
# 2. Define the Token with a static Key
- model: authentik_core.token
identifiers:
identifier: ldap-outpost-static-token
attrs:
intent: api
# MANDATORY: Explicitly set your long, secure pre-shared token here
key: !Env AUTHENTIK_LDAP
user: 1 # Assigns to default akadmin user
# 3. Define the Outpost linking the Provider and the Token
- model: authentik_outposts.outpost
identifiers:
name: LDAP Outpost
attrs:
type: ldap
providers:
- !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
token:
!Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
config:
log_level: info

88
modules/server/containers/data/authentik/nextcloud.yaml Normal file
View File

@@ -0,0 +1,88 @@
version: 1
metadata:
name: nextcloud-saml-setup
entries:
# 1. Create the SAML Provider
- model: authentik_providers_saml.samlprovider
identifiers:
name: Nextcloud SAML
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-explicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
# Adjust these URLs to match your Nextcloud domain
acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
issuer: https://@AUTHENTIK_DOMAIN@
sp_binding: post
# Map the attributes for Name, Email, and Groups
property_mappings:
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Name"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Email"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Groups"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: Username"],
]
- !Find [
authentik_core.propertymapping,
[name, "authentik default SAML Mapping: User ID"],
]
# - !Find [
# authentik_providers_saml.samlpropertymapping,
# [managed, "goauthentik.io/providers/saml/ms-name"],
# ]
# - !Find [
# authentik_providers_saml.samlpropertymapping,
# [managed, "goauthentik.io/providers/saml/ms-email"],
# ]
# - !Find [
# authentik_providers_saml.samlpropertymapping,
# [managed, "goauthentik.io/providers/saml/ms-groups"],
# ]
# - !Find [
# authentik_core.propertymapping,
# [managed, goauthentik.io/providers/saml/ms-name],
# ]
# - !Find [
# authentik_core.propertymapping,
# [managed, goauthentik.io/providers/saml/ms-email],
# ]
# - !Find [
# authentik_core.propertymapping,
# [managed, goauthentik.io/providers/saml/ms-groups],
# ]
# Select your signing certificate (default is usually self-signed)
signing_kp:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
sign_assertion: true
sign_response: false
# 2. Create the Application
- model: authentik_core.application
identifiers:
slug: nextcloud
attrs:
name: Nextcloud
provider:
!Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
group: "Cloud Services"

45
modules/server/containers/data/authentik/traefik.yaml Normal file
View File

@@ -0,0 +1,45 @@
version: 1
metadata:
name: domain-wide-proxy-setup
entries:
# 1. The Provider
- model: authentik_providers_proxy.proxyprovider
identifiers:
name: Domain Wide Proxy
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-implicit-consent],
]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
external_host: https://@AUTHENTIK_DOMAIN@
cookie_domain: "@COOKIE_DOMAIN@"
mode: forward_domain
intercept_header_auth: true
# 2. The Application (Required to link the provider)
- model: authentik_core.application
identifiers:
slug: authentik-proxy
attrs:
name: "Domain Auth Provider"
provider:
!Find [
authentik_providers_proxy.proxyprovider,
[name, Domain Wide Proxy],
]
# 3. Add to Outpost
- model: authentik_outposts.outpost
identifiers:
name: authentik Embedded Outpost
attrs:
providers:
- !Find [
authentik_providers_proxy.proxyprovider,
[name, Domain Wide Proxy],
]

29
modules/server/containers/data/jellyfin/LDAP-Auth.xml Normal file
View File

@@ -0,0 +1,29 @@
<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<LdapUsers />
<LdapServer>@HOST@</LdapServer>
<LdapPort>389</LdapPort>
<UseSsl>false</UseSsl>
<UseStartTls>false</UseStartTls>
<SkipSslVerify>true</SkipSslVerify>
<LdapBindUser>cn=@LDAP_BIND_USER@,ou=users,@LDAP_DC_DOMAIN@</LdapBindUser>
<LdapBindPassword>@LDAP_BIND_PASSWORD@</LdapBindPassword>
<LdapBaseDn>@LDAP_DC_DOMAIN@</LdapBaseDn>
<LdapSearchFilter>(memberOf=cn=@LDAP_GROUP@,ou=groups,@LDAP_DC_DOMAIN@)</LdapSearchFilter>
<LdapAdminBaseDn />
<LdapAdminFilter>(memberOf=cn=@LDAP_ADMIN@,ou=groups,@LDAP_DC_DOMAIN@)</LdapAdminFilter>
<EnableLdapAdminFilterMemberUid>false</EnableLdapAdminFilterMemberUid>
<LdapSearchAttributes>uid, cn, mail, displayName</LdapSearchAttributes>
<LdapClientCertPath />
<LdapClientKeyPath />
<LdapRootCaPath />
<CreateUsersFromLdap>true</CreateUsersFromLdap>
<AllowPassChange>false</AllowPassChange>
<LdapUidAttribute>uid</LdapUidAttribute>
<LdapUsernameAttribute>cn</LdapUsernameAttribute>
<LdapPasswordAttribute>userPassword</LdapPasswordAttribute>
<EnableLdapProfileImageSync>false</EnableLdapProfileImageSync>
<LdapProfileImageAttribute>jpegphoto</LdapProfileImageAttribute>
<EnableAllFolders>true</EnableAllFolders>
<EnabledFolders />
<PasswordResetUrl />

105
modules/server/containers/default.nix
View File

@@ -1,40 +1,75 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.syscfg.server.containers; serverCfg = config.syscfg.server;
enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg; builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
containerSetsList = lib.mapAttrsToList (name: containerCfg:
import (./defs + "/${name}.nix") {
inherit config pkgs lib containerCfg;
}
) enabledConfigs;
mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
in
{
config = lib.mkIf ( enabledConfigs != {} ) {
virtualisation.oci-containers = { in{
backend = "podman"; config = lib.mkMerge [{
containers = mergedContainers; syscfg.server.loadedContainers = lib.mapAttrs (name: containerCfg:
}; (import (./apps + "/${name}.nix")) { inherit config pkgs lib containerCfg builder name; }
) config.syscfg.server.containers;
} (lib.mkIf ( serverCfg.containers != {} ) (
let
appsList = builtins.attrValues config.syscfg.server.loadedContainers;
mergedContainers = lib.concatMapAttrs (appName: app:
lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.containers
) config.syscfg.server.loadedContainers;
allPathConfigs = lib.concatMap (app: app.paths) appsList;
allSetupConfigs = lib.concatMap (app: if app.setup?script then [({name = app.name; envFile="";} // app.setup)] else []) appsList;
allCronsConfigs = lib.concatMap (app: app.cron) appsList;
in{
virtualisation.oci-containers = {
backend = "podman";
containers = mergedContainers;
};
system.activationScripts.container-setup-dirs = {
deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map (cfg:
let
effectiveCfg = {
owner = "root:root";
mode = "0400";
} // cfg;
in ''
${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
'') allPathConfigs);
};
systemd.services = {
podman-gc = {
description = "Podman garbage collection";
serviceConfig.Type = "oneshot";
script = ''
${pkgs.podman}/bin/podman container prune -f
${pkgs.podman}/bin/podman image prune -f
'';
startAt = "weekly";
};
} // lib.listToAttrs (lib.concatMap (e: [{
name = "${e.name}-setup";
value = {
description = "Run ${e.name} setup";
after = [ "podman-${e.name}-${e.trigger}.service" ];
wants = [ "podman-${e.name}-${e.trigger}.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
TimeoutStartSec = "360s";
EnvironmentFile = e.envFile;
ExecStart = e.script;
RemainAfterExit = true;
User = "root";
};
};
}]) allSetupConfigs );
services.cron = {
enable = true;
systemCronJobs = allCronsConfigs;
};
}))];
systemd.services.podman-gc = {
description = "Podman garbage collection";
serviceConfig.Type = "oneshot";
script = ''
${pkgs.podman}/bin/podman container prune -f
${pkgs.podman}/bin/podman image prune -f
'';
startAt = "weekly";
};
system.activationScripts.container-setup-dirs = {
deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map (cfg: ''
mkdir -p "${cfg.path}"
chown ${cfg.owner} "${cfg.path}"
chmod ${cfg.mode} "${cfg.path}"
'') allPathConfigs);
};
};
} }

84
modules/server/containers/defs/authentik.nix
View File

@@ -1,84 +0,0 @@
{ config, containerCfg, pkgs, lib, ... }:
let
serverCfg = config.syscfg.server;
in {
paths = [{
path="${serverCfg.dataPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.dataPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
auth_server = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_server";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sso.entrypoints" = "web-secure";
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
"traefik.http.routers.sso.tls" = "true";
"traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
};
cmd = [ "server" ];
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
"--ip=${containerCfg.ip}"
];
ports = [
"9999:${toString containerCfg.port}"
];
};
auth_worker = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_worker";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
"/var/run/docker.sock:/var/run/docker.sock"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
};
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
];
cmd = [ "worker" ];
};
};
}

152
modules/server/containers/defs/cloud.nix
View File

@@ -1,152 +0,0 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "cloud";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
cloud_nextcloud.service = {
image = "nextcloud:27";
container_name = "cloud";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"${serverCfg.configPath}/data/nextcloud:/var/www/html"
"${serverCfg.dataPath}/data/music:/media/music"
"${serverCfg.dataPath}/data/video:/media/video"
"${serverCfg.dataPath}/data/photo:/media/photo"
];
tmpfs = [ "/tmp" ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.nextcloud.entrypoints" = "web-secure";
"traefik.http.routers.nextcloud.rule" =
"Host(`cloud.${serverCfg.hostDomain}`)";
"traefik.http.routers.nextcloud.tls" = "true";
"traefik.http.routers.nextcloud.middlewares" =
"sts_headers,nextcloud-caldav";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
"true";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
"^https://(.*)/.well-known/(card|cal)dav";
"traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
"https://$\${1}/remote.php/dav/";
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
"true";
};
};
cloud_office.service = {
image = "collabora/code:latest";
container_name = "cloud_office";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ ];
environment = {
username = "COLLABORA_USER";
password = "COLLABORA_PASSWORD";
aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
server_name = "office.${serverCfg.hostDomain}";
VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
VIRTUAL_PORT = "9980";
VIRTUAL_PROTO = "http";
DONT_GEN_SSL_CERT = "true";
RESOLVE_TO_PROXY_IP = "true";
NETWORK_ACCESS = "internal";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
dictionaries = "en fr de jp";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.collabora.entrypoints" = "web-secure";
"traefik.http.routers.collabora.rule" =
"Host(`office.${serverCfg.hostDomain}`)";
"traefik.http.routers.collabora.tls" = "true";
};
};
cloud_etherpad.service = {
image = "etherpad/etherpad:latest";
container_name = "etherpad";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
environment = {
NODE_ENV = "production";
TITLE = "Helcel-Pad";
DB_TYPE = "mysql";
DB_HOST = serverCfg.dbHost;
DB_PORT = serverCfg.dbPort;
DB_NAME = "etherpad";
DB_USER = "ETHERPAD_DB_USER";
DB_PASS = "ETHERPAD_DB_PASSWORD";
DB_CHARSET = "utf8mb4";
DEFAULT_PAD_TEXT = "P A D";
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.etherpad.entrypoints" = "web-secure";
"traefik.http.routers.etherpad.rule" =
"Host(`pad.${serverCfg.hostDomain}`)";
"traefik.http.routers.etherpad.tls" = "true";
};
};
cloud_ethercalc.service = {
image = "audreyt/ethercalc:latest";
container_name = "ethercalc";
restart = "unless-stopped";
networks = [ "external" "internal" ];
volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
];
environment = {
NODE_ENV = "production";
TITLE = "Helcel-Calc";
REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
REDIS_PORT_6379_TCP_PORT = "6379";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.ethercalc.entrypoints" = "web-secure";
"traefik.http.routers.ethercalc.rule" =
"Host(`calc.${serverCfg.hostDomain}`)";
"traefik.http.routers.ethercalc.tls" = "true";
};
};
cloud_redis.service = {
image = "redis:latest";
container_name = "ethercalc-redis";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
};
}

30
modules/server/containers/defs/sample.nix
View File

@@ -1,30 +0,0 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "name";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
NAME.service = {
image = "NAME:latest";
container_name = "NAME";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
};
}

81
modules/server/containers/defs/traefik.nix
View File

@@ -1,81 +0,0 @@
{ config, pkgs, ... }: {
project.name = "traefik";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
traefik.service = {
image = "traefik:latest";
container_name = "traefik";
restart = "unless-stopped";
networks = [ "internal" "external" ];
command = [
"--api"
"--providers.docker=true"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
];
port = [ "443" "80" ];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
"${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
"${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik/acme.json:/acme.json"
];
environment = {
"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
};
labels = { "traefik.enable" = "false"; };
};
matomo.service = {
image = "matomo:latest";
container_name = "matomo";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${serverCfg.configPath}/matomo:/var/www/html/config:rw"
"${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
];
environment = { };
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`matomo.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
searx.service = {
image = "searxng/searxng:latest";
container_name = "searx";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ "/etc/localtime:/etc/localtime:ro" ];
environment = {
"BASE_URL" = "https://searx.${serverCfg.hostDomain}";
"AUTOCOMPLETE" = "true";
"INSTANCE_NAME" = "searx${serverCfg.shortName}";
};
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`searx.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
};
}

9
modules/server/database/default.nix
View File

@@ -1,14 +1,10 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.db) config.syscfg.server.loadedContainers);
containerNames = lib.mapAttrsToList
(name: cfg: name)
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in { in {
config = lib.mkIf ( builtins.length allApps > 0) { config = lib.mkIf ( builtins.length allApps > 0) {
services.postgresql = { services.postgresql = {
@@ -62,7 +58,6 @@ in {
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-) PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
echo $PASS
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
echo " Successfully set password for ${name}_user" echo " Successfully set password for ${name}_user"
else else

20
modules/server/nftables/default.nix
View File

@@ -1,7 +1,8 @@
{ config, lib, ... }:
let
{ config, lib, ... }:{ cfg = config.syscfg.server;
config = lib.mkIf (config.syscfg.server.nftables.enable) { in {
config = lib.mkIf (cfg.ipfw.enable) {
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
@@ -9,13 +10,6 @@
networking.nftables.enable = true; networking.nftables.enable = true;
networking.nftables.ruleset = '' networking.nftables.ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
}
}
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
@@ -34,12 +28,12 @@
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
'' ''
) config.syscfg.server.nftables.ports} ) cfg.ipfw.ports}
} }
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
} }
} }
''; '';

130
modules/server/nginx/default.nix Normal file
View File

@@ -0,0 +1,130 @@
{ config, lib, pkgs, ... }:
let
cfg = config.syscfg.server;
containers = cfg.containers;
faviconOverride = {
" ~* /favicon\.(ico|png|svg|jpg)$" = {
extraConfig = ''
add_header Content-Type image/svg+xml;
return 200 '<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" data-name="Layer 1" viewBox="0 0 50 50"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M30.83,5A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,28.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/></svg>';
'';
# proxyPass = "http://127.0.0.1:9000";
};
};
# Function to convert your container config into an NGINX vhost
mkVhost = container: {
forceSSL = true;
# quic = true;
# http3 = true;
useACMEHost = "${cfg.hostDomain}";
locations = faviconOverride // {
"/" = {
proxyPass = "http://${container.ip}:${toString container.port}";
proxyWebsockets = true; # Recommended for modern apps
};
};
};
in {
config = lib.mkIf ( config.syscfg.server.web) {
security.acme = {
acceptTerms = true;
defaults.email = "admin@domain.org";
certs."${cfg.hostDomain}" = {
domain = "*.${cfg.hostDomain}";
extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
dnsProvider = "infomaniak";
credentialsFile = config.sops.secrets."INFOMANIAK_API_KEY".path; # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
group = "nginx";
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
# appendHttpConfig = ''
# add_header Alt-Svc 'h3=":443"; ma=86400';
# '';
commonHttpConfig = ''
proxy_buffer_size 32k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 48k;
'';
virtualHosts = {
"_" = {
default = true;
forceSSL = true;
# quic = true;
# http3 = true;
useACMEHost = "${cfg.hostDomain}";
locations = {
"/" = {
extraConfig = ''
return 404;
'';
};
};
};
"sec.${cfg.hostDomain}" = {
forceSSL = true;
useACMEHost = "${cfg.hostDomain}";
locations = {
"/" = {
proxyWebsockets = true;
proxyPass= "http://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}";
extraConfig = ''
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-entitlements $authentik_entitlements;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
'';
};
"/outpost.goauthentik.io" = {
proxyWebsockets = true;
proxyPass = "http://${config.syscfg.server.containers.authentik.ip}:${toString config.syscfg.server.containers.authentik.port}/outpost.goauthentik.io";
extraConfig = ''
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
'';
};
};
extraConfig = ''
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 https://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
'';
};
} //lib.mapAttrs' (name: v:
lib.nameValuePair "${v.subdomain}.${cfg.hostDomain}" (mkVhost v)
) containers;
};
};
}

16
modules/server/sops/default.nix
View File

@@ -1,16 +1,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
listNames = config.syscfg.server.db; listNames = config.syscfg.server.db;
containerNames = lib.mapAttrsToList (name: cfg: name) containerNames = builtins.attrNames (lib.filterAttrs (appName: app: app.sops) config.syscfg.server.loadedContainers);
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in{ in{
config = lib.mkIf (config.syscfg.server.sops) {
sops.secrets = { sops.secrets = {
INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; }; CUSTOM = {
} // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: { mode = "0444";
owner = "postgres"; sopsFile = ./server.yaml;
};
} // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
mode = "0444";
sopsFile = ./server.yaml; sopsFile = ./server.yaml;
})); }));
};
} }

35
modules/server/sops/example.server.yaml Normal file
View File

@@ -0,0 +1,35 @@
CUSTOM: |
DEFAULT_ADMIN_USERNAME=...
DEFAULT_ADMIN_PASSWORD=...
DEFAULT_ADMIN_EMAIL=...
TRAEFIK: |
INFOMANIAK_ACCESS_TOKEN=...
AUTHENTIK: |
DB_PASSWORD=...
POSTGRES_PASSWORD=...
AUTHENTIK_SECRET_KEY=...
AUTHENTIK_EMAIL__PASSWORD=...
AUTHENTIK_TOKEN=...
NEXTCLOUD: |
DB_PASSWORD=...
POSTGRES_PASSWORD=...
COLLABORA: |
password=...
ETHERPAD: |
DB_PASSWORD=...
DB_PASS=...
ADMIN_PASSWORD=...
APIKEY=...
ETHERCALC: |
ETHERCALC_KEY=...
GITEA: |
DB_PASSWORD=...
GITEA__database__PASSWD=...
GITEA__security__SECRET_KEY=...
GITEA__security__INTERNAL_TOKEN=...
SEARXNG: |
SEARXNG_SECRET=...
UMAMI: |
DB_PASSWORD=...
DATABASE_URL=postgresql://username:mypassword@localhost:5432/mydb
APP_SECRET=...

17
modules/server/sops/server.yaml
View File

@@ -1,5 +1,14 @@
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str] CUSTOM: ENC[AES256_GCM,data:OVhE99dmudlV31Re2/fyFurXnRSM3RjbdVDxYp6oF4kazaseISlI4QjgIyyUNEAjeAST17Prv/t5GdyTUvoUICoVKmhQdRv5xFeB7ngTCdi7XoYW1r6HIXwz9wOf/UvPWLafSxSM,iv:/ikpvHH5sLZpTnNABUFjZoVLS+tBZSUYIUxxdXMCCcc=,tag:mS9uW33M355KErY1rQtvqQ==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str] TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str]
NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
SEARXNG: ENC[AES256_GCM,data:gtKhEmMemzLRl4c3cYhMAQ+5vUth1IhWQeLvW1YtaG5TbhQHBR4PDREQOlGt+tlfGQrft+FeNhMSN/SKOp8gmScVWa+9qmltzxRGRpLm3m/VuBZvOlGdeUcKAX8zEH6A,iv:B2UEtjTRIjT6W+tH2gtcl6XMvZNgbvZUXTiBePGOu24=,tag:SHIF6eaWBLwy9RrEy1N9kg==,type:str]
UMAMI: ENC[AES256_GCM,data:l1eMel/8PlzDjnEbpgjXceu7l8zFnl6NPYihrzAJPoSl7fE794FfkmrEhm2tf+kI1HgpDnOVpAP847k3NFGWRtiIYwjHl2NFlw0UorMutzja7uBP5oktmjVZZs3SaZFSQaWMHPCP9b2+LiMVAZqhERHF5y4A4mwP+q5CUVTgLGnDaBFBX7hwV2KRCARNYtxHkA80cxxUx1yJD50WCqjhCl1to2jx6bE+eupZvKk6U0GmC4MiMHkCzpWdzdtLsLHP5yMxbXUCdDUKmMDWSrOTJULYSsE8R/dZH2DOwwkhS23tXY4ckSbOmruGTEbhbBk+LADBdk9ijD9oaa4gVnF6Vqoib0esUCt/9EJAizgTro7eFGgCcYH2dl2doPJq372ZioSoYD6jiSdrUyCUmKs4xGEocnvy8W/CVG4=,iv:4pM3CsuO+1jfFQ7b1S9PHjdlIpVXvDVurMswmwz9ZrU=,tag:a8hyyFJHyqmAjsURJcNt3Q==,type:str]
SERVARR: ENC[AES256_GCM,data:fukF7bejebMU7yp48fix,iv:CZkLyO8N8BqSk+0KDcMDrz1pbwaNH7Pg+NvNebdIdYM=,tag:AOMvnZOE0H6QDCmkPg3Kyw==,type:str]
sops: sops:
age: age:
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
@@ -20,8 +29,8 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-06T01:10:20Z" lastmodified: "2026-05-12T23:00:07Z"
mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str] mac: ENC[AES256_GCM,data:g2Hbt81av0W6osMC3RcVPPkEPlrIeM4chlbQ1P+FrvxIQGWXvQlypnoYPLLBtfuXgUkASFJGQRM9dyUSvSwJczk3/HBoReZigyJRLNb5sfpF+YFHqplkX5hPDQ8iJDCWjpuIWiU0gH+hphm+V0nwB5o6iqeEkeZv8iIurEL/Des=,iv:hF4zb0fjonge/QmLpiOyghAMBAersVsWrOtk9oKPqbo=,tag:fusPQtNmQXS8u4/VB/L9SQ==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-

2
modules/shared/colors/default.nix
View File

@@ -1,4 +1,4 @@
{ config, ... }: { { ... }: {
imports = [ ./sorahiro.nix ]; imports = [ ./sorahiro.nix ];
colorScheme.palette.border-radius = "#8"; colorScheme.palette.border-radius = "#8";

2
modules/shared/colors/sorahiro.nix
View File

@@ -1,4 +1,4 @@
{ nix-colors, ... }: { ... }:
let use_pastelle = true; let use_pastelle = true;
in{ in{
# usage: a = "#${config.colorScheme.palette.base00}"; # usage: a = "#${config.colorScheme.palette.base00}";

164
modules/shared/syscfg/default.nix
View File

@@ -5,160 +5,9 @@ let
(name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix")) (name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix"))
(builtins.readDir systemsDir)); (builtins.readDir systemsDir));
userOpt = with lib; {
username = mkOption { type = types.str; };
pubssh = mkOption { type = types.str; default=""; };
wm = mkOption {
type = types.enum [ "Wayland" "X11" "-" ];
default = "-";
};
git = {
username = mkOption { type = types.str; default = "Anonymous";};
email = mkOption { type = types.str; default = "anonymous@domain"; };
key = mkOption { type = types.nullOr types.str; default=null; };
};
};
netOpt = with lib; {
ble = {
enable = mkOption {
type = types.bool;
default = false;
};
};
wlp = {
enable = mkOption {
type = types.bool;
default = false;
};
nif = mkOption {
type = types.str;
default = "";
};
};
wg = {
enable = mkOption {
type = types.bool;
default = false;
};
ip4 = mkOption {
type = types.str;
default = "";
};
ip6 = mkOption {
type = types.str;
default = "";
};
pubkey = mkOption {
type = types.str;
default = "";
};
};
};
makeOpt = with lib; {
cli = mkOption {
type = types.bool;
default = true;
};
gui = mkOption {
type = types.bool;
default = false;
};
virt = mkOption {
type = types.bool;
default = false;
};
power = mkOption {
type = types.bool;
default = false;
};
game = mkOption {
type = types.bool;
default = false;
};
develop = mkOption {
type = types.bool;
default = false;
};
};
serverOpt = with lib; {
hostDomain = mkOption { type = types.str; };
shortName = mkOption { type = types.str; };
mailDomain = mkOption { type = types.str; };
mailServer = mkOption { type = types.str; };
dbHost = mkOption {
type = types.str;
default = "localhost";
};
dbPort = mkOption {
type = types.str;
default = "3306";
};
configPath = mkOption {
type = types.str;
default = "/media/config";
};
dataPath = mkOption {
type = types.str;
default = "/media/data";
};
containers = mkOption {
type = types.attrsOf (types.submodule {
options = {
enable = mkOption { type = types.bool;default = false; };
db = mkOption { type = types.bool;default = false; };
ip = mkOption { type = types.str; };
port = mkOption { type = types.port; };
extraParam = mkOption { type = types.str; default = ""; };
};
});
default = {};
};
sops = mkOption {
type = types.bool;
default = false;
};
openssh = mkOption {
type = types.bool;
default = false;
};
wireguard = mkOption {
type = types.bool;
default = false;
};
web = mkOption {
type = types.bool;
default = false;
};
nftables = {
enable = mkOption {
type = types.bool;
default = false;
};
ifs = mkOption {
type = types.listOf types.str;
default = [ ];
};
ports = mkOption {
type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
default = [];
description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
example = [
[ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
[ "ens3" "10.10.1.2" "IPV6" 80 80 ]
[ "ens3" "10.10.1.2" "IPV6" 443 443 ]
];
};
};
db = mkOption {
type = types.listOf (types.str);
default = [ ];
};
};
in with lib; { in with lib; {
options.usercfg = userOpt; options.usercfg = import ./user.nix {inherit lib;};
options.syscfg = { options.syscfg = {
hostname = mkOption { type = types.str; }; hostname = mkOption { type = types.str; };
type = mkOption { type = mkOption {
@@ -170,20 +19,17 @@ in with lib; {
default = "x86_64-linux"; default = "x86_64-linux";
}; };
defaultUser = mkOption { type = types.str; }; defaultUser = mkOption { type = types.str; };
make = makeOpt; make = import ./make.nix {inherit lib;};
net = netOpt; net = import ./net.nix {inherit lib;};
users = mkOption { users = mkOption {
type = types.listOf (types.submodule { options = userOpt; }); type = types.listOf (types.submodule { options = import ./user.nix {inherit lib;}; });
default = [ ]; default = [ ];
}; };
peers = mkOption { peers = mkOption {
default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames; default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames;
}; };
server = mkOption { server = mkOption {
type = types.oneOf [ type = types.oneOf [ types.bool (types.submodule { options = import ./server.nix {inherit lib;}; }) ];
types.bool
(types.submodule { options = serverOpt; })
];
default = false; default = false;
}; };
}; };

9
modules/shared/syscfg/make.nix Normal file
View File

@@ -0,0 +1,9 @@
{ lib,... }:
with lib; {
cli = mkOption { type = types.bool; default = true; };
gui = mkOption { type = types.bool; default = false; };
virt = mkOption { type = types.bool; default = false; };
power = mkOption { type = types.bool; default = false; };
game = mkOption { type = types.bool; default = false; };
develop = mkOption { type = types.bool; default = false; };
}

14
modules/shared/syscfg/net.nix Normal file
View File

@@ -0,0 +1,14 @@
{ lib,... }:
with lib; {
ble.enable = mkOption { type = types.bool; default = false; };
wlp = {
enable = mkOption { type = types.bool; default = false; };
nif = mkOption { type = types.str; default = ""; };
};
wg = {
enable = mkOption { type = types.bool; default = false; };
ip4 = mkOption { type = types.str; default = ""; };
ip6 = mkOption { type = types.str; default = ""; };
pubkey = mkOption { type = types.str; default = ""; };
};
}

92
modules/shared/syscfg/server.nix Normal file
View File

@@ -0,0 +1,92 @@
{ lib,... }:
let
in with lib; {
hostDomain = mkOption { type = types.str; };
mailDomain = mkOption { type = types.str; };
mailServer = mkOption { type = types.str; };
configPath = mkOption {
type = types.str;
default = "/media/config";
};
dataPath = mkOption {
type = types.str;
default = "/media/data";
};
colorScheme = mkOption {
type = types.attrs;
default = (lib.evalModules { modules =[ { freeformType = with lib.types; attrsOf anything; } ../colors ];}).config.colorScheme ;
};
loadedContainers = lib.mkOption {
readOnly = true;
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
name = lib.mkOption {type = lib.types.str; default = name;};
sops = lib.mkOption {type = lib.types.bool; default = false;};
db = lib.mkOption {type = lib.types.bool; default = false;};
paths = lib.mkOption {type = lib.types.listOf lib.types.attrs; default = [ ];};
containers = lib.mkOption {type = lib.types.attrsOf lib.types.attrs; default = { };};
cron = lib.mkOption {type = lib.types.listOf lib.types.str; default = [ ];};
setup = {
trigger = lib.mkOption {type = lib.types.str; default = "";};
script = lib.mkOption {type = lib.types.nullOr lib.types.package; default = null;};
envFile = lib.mkOption {type = lib.types.nullOr lib.types.str; default = null;};
};
};
}));
};
containers = mkOption {
type = types.attrsOf (types.submodule {
options = {
subdomain = mkOption { type = types.nullOr types.str; default=null;};
subpath = mkOption { type = types.nullOr types.str; default=null;};
port = mkOption { type = types.nullOr types.port; default = null; };
extra = mkOption { type = types.attrs; default = {}; };
};
});
default = {};
};
openssh = mkOption {
type = types.bool;
default = false;
};
wireguard = mkOption {
type = types.bool;
default = false;
};
web = mkOption {
type = types.bool;
default = false;
};
ipfw = {
enable = mkOption {
type = types.bool;
default = false;
};
ifs = mkOption {
type = types.listOf types.str;
default = [ ];
};
ports = mkOption {
type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
default = [];
description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
example = [
[ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
[ "ens3" "10.10.1.2" "IPV6" 80 80 ]
[ "ens3" "10.10.1.2" "IPV6" 443 443 ]
];
};
};
db = mkOption {
type = types.listOf (types.str);
default = [ ];
};
}

14
modules/shared/syscfg/user.nix Normal file
View File

@@ -0,0 +1,14 @@
{ lib,... }:
with lib; {
username = mkOption { type = types.str; };
pubssh = mkOption { type = types.str; default=""; };
wm = mkOption {
type = types.enum [ "Wayland" "X11" "-" ];
default = "-";
};
git = {
username = mkOption { type = types.str; default = "Anonymous";};
email = mkOption { type = types.str; default = "anonymous@domain"; };
key = mkOption { type = types.nullOr types.str; default=null; };
};
}

2
systems/gateway/cfg.nix
View File

@@ -29,7 +29,7 @@
openssh = true; openssh = true;
wireguard = true; wireguard = true;
web = true; web = true;
nftables = { ipfw = {
enable = true; enable = true;
ifs = ["ens3" "wg0" ]; ifs = ["ens3" "wg0" ];
ports = [ ports = [

47
systems/sandbox/cfg.nix
View File

@@ -21,22 +21,51 @@
server = { server = {
openssh = true; openssh = true;
web = true; web = true;
sops = true;
hostDomain = "test.helcel.net"; hostDomain = "test.helcel.net";
shortName = "testcel";
mailDomain = "test@helcel"; mailDomain = "test@helcel";
mailServer = "infomaniak.ch"; mailServer = "infomaniak.ch";
dbHost = "localhost";
containers = { containers = {
#cloud = {enable = true;};
traefik = {
subdomain = "traefik";
extra={provider="infomaniak";};
};
authentik = { authentik = {
enable = true; subdomain = "sso";
db = true; port = 9000;
ip = "10.88.0.125"; };
port = 9000 ; nextcloud = {
subdomain = "cloud";
};
collabora = {
subdomain = "office";
};
etherpad = {
subdomain = "pad";
};
ethercalc = {
subdomain = "pad";
};
gitea = {
subdomain = "git";
};
searxng = {
subdomain = "searx";
};
jellyfin = {
subdomain = "flix";
};
transmission = {
subdomain = "rflix";
subpath = "p2p";
};
# servarr = {
# subdomain = "arr";
# };
umami = {
subdomain = "umami";
}; };
}; };
}; };