reorganize

This commit is contained in:
2026-01-20 13:34:12 -06:00
parent c028bad2a6
commit 50d192c809
44 changed files with 19 additions and 19 deletions


@@ -0,0 +1,71 @@
{ config, lib, sops-nix, ... }: {
options.sysconfig.virtualization.authentik.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.authentik.enable {
sops.secrets."authentik/dbpass" = {};
networking = {
nat.internalInterfaces = [ "ve-authentik" ];
};
containers.authentik = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.35";
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."authentik/dbpass".path}"
];
bindMounts = {
"/etc/authentik" = {
hostPath = "/ssd1/Authentik";
isReadOnly = false;
};
};
config = {
networking.firewall.allowedTCPPorts = [ 9001 ];
systemd.services.secrets_setup = {
wantedBy = [ "authentik.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/authentik/dbpass
chown postgres:postgres /etc/authentik/dbpass
'';
};
services.authentik = {
enable = true;
environmentFile = "/etc/authentik/authentik.env";
settings = {
disable_startup_analytics = true;
avatars = "initials";
};
worker.listenHTTP = "0.0.0.0:9001";
};
system.stateVersion = "25.05";
};
};
};
}
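Review bot: The `secrets_setup` unit is only pulled in by `wantedBy = [ "authentik.service" ]`, which adds a dependency but no ordering, so authentik can start before `/etc/authentik/dbpass` exists; add `before = [ "authentik.service" ];` and `serviceConfig.Type = "oneshot";` so the dependent service waits for the script to finish. The `cat … > /etc/authentik/dbpass` redirection creates the file with the unit's default umask, which is likely to leave it readable by every user in the container (and, through the `/ssd1/Authentik` bind mount, on the host); start the script with `umask 077` or replace the redirection with `install -m 0600 ''${CREDENTIALS_DIRECTORY}/dbpass /etc/authentik/dbpass`. The same wantedBy-only ordering and umask-dependent file mode recur in the gitea, gitlab, keycloak, netbird and nextcloud sections. Whether `postgres` rather than the authentik service user is the right owner for the `chown` on the next line cannot be confirmed from this hunk.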


@@ -0,0 +1,41 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.code-server.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.code-server.enable {
containers.code-server = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.31";
config = {
services.code-server = {
enable = true;
hashedPassword = "1$WFYzcW1TNmpYM1ZKU3lielNCaXAyRkF2K3FjPQ$bSeeV4bvL2uiDYKiQjBLJPAO13/gNjYVgw8YKFtTQDI";
disableUpdateCheck = true;
disableTelemetry = true;
disableGettingStartedOverride = true;
auth = "none";
host = "0.0.0.0";
};
networking.firewall.allowedTCPPorts = [ 4444 ];
system.stateVersion = "25.05";
};
};
};
}
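Review bot: `auth = "none"` disables code-server's password check entirely, so the `hashedPassword` a few lines above is never consulted and the editor, which provides a shell inside the container, accepts any client that reaches `192.168.100.31:4444`, including through the `code.esotericbytes.com` router in the traefik section. If the password is meant to be the gate, set `auth = "password";`; if an upstream proxy is meant to authenticate, drop the unused `hashedPassword` and attach an authenticating middleware to the traefik router. Either way, record the decision in a comment on the `auth` line so the two settings do not look contradictory to the next reader.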


@@ -0,0 +1,32 @@
{ ... }: {
imports = let
dir = builtins.readDir ./.;
in builtins.map (x: ./${x}) (builtins.filter
(file: (dir.${file} == "directory"))
(builtins.attrNames dir)
);
/*imports = [
./gitlab
./gitea
./traefik
./nginx
./jellyfin
./pihole
./nextcloud
./ntfy
./homeassistant
./rustdesk
./netbird
./keycloak
./ollama
./openwebui
./n8n
./wyoming
./code-server
./novnc
./minecraft
#./sandbox
];*/
}
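Review bot: The `builtins.readDir` scan at the top imports every subdirectory unconditionally, so a directory without a `default.nix`, or one not meant to be a module (the old list deliberately kept `./sandbox` commented out), now changes or breaks evaluation with no opt-out. Filter on the module file being present, e.g. `(file: dir.${file} == "directory" && builtins.pathExists (./. + "/${file}/default.nix"))`, and add a one-line comment above `imports` stating that every subdirectory is auto-discovered. The commented-out explicit list below is now stale and is better deleted than kept as history in the file.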


@@ -0,0 +1,121 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.gitea.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.gitea.enable {
networking = {
hosts."192.168.100.20" = [ "gitea.esotericbytes.com" ];
nat.internalInterfaces = [ "ve-gitea" ];
};
sops.secrets = {
"gitea/dbpass" = {};
};
services.openssh.ports = [
2222
];
networking.firewall.allowedTCPPorts = [
22
];
containers.gitea = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.20";
forwardPorts = [
{
containerPort = 22;
hostPort = 22;
}
];
bindMounts = {
"/etc/gitea/data" = {
hostPath = "/ssd1/Gitea/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."gitea/dbpass".path}"
];
config = {
systemd.services.secrets_setup = {
wantedBy = [ "gitea.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitea/dbpass
chown gitea:gitea /etc/gitea/*
'';
};
services.gitea = {
enable = true;
stateDir = "/etc/gitea/data";
dump.enable = false;
appName = "Gitea";
settings = {
server = {
DOMAIN = "gitea.esotericbytes.com";
HTTP_PORT = 3000;
ROOT_URL = "https://gitea.esotericbytes.com/";
};
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
};
session.COOKIE_SECURE = true;
cron = {
ENABLED = true;
RUN_AT_START = true;
};
};
database = {
passwordFile = "/etc/gitea/dbpass";
type = "postgres";
};
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
networking.firewall.allowedTCPPorts = [ 22 3000 ];
system.stateVersion = "24.11";
};
};
};
}
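Review bot: `services.openssh.ports = [ 2222 ]` and the `containerPort = 22; hostPort = 22;` forward are host-level changes that this module and the gitlab section both make, so enabling both options would relocate the host sshd from two places and bind two forwards to host port 22. Add an assertion here, e.g. `assertions = [ { assertion = !config.sysconfig.virtualization.gitlab.enable; message = "gitea and gitlab both claim host port 22"; } ];`, or move the shared sshd relocation out to the host configuration. `chown gitea:gitea /etc/gitea/*` runs after the `cat` redirection, so the dbpass file keeps whatever mode the umask produced; start the script with `umask 077` so the file is not readable by other users in the container.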


@@ -0,0 +1,172 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.gitlab.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.gitlab.enable {
sops.secrets = {
"gitlab/db_pass" = {};
"gitlab/root_pass" = {};
"gitlab/secrets/secret" = {};
"gitlab/secrets/otp" = {};
"gitlab/secrets/db" = {};
"gitlab/secrets/jws" = {};
"gitlab/oidc/id" = {};
"gitlab/oidc/secret" = {};
};
services.openssh.ports = [
2222
];
networking.firewall.allowedTCPPorts = [
22
2222
];
containers.gitlab = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.16";
forwardPorts = [
{
containerPort = 22;
hostPort = 22;
}
];
bindMounts = {
"/etc/gitlab/data" = {
hostPath = "/ssd1/Gitlab/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."gitlab/db_pass".path}"
"--load-credential=rootpass:${config.sops.secrets."gitlab/root_pass".path}"
"--load-credential=secret:${config.sops.secrets."gitlab/secrets/secret".path}"
"--load-credential=otp:${config.sops.secrets."gitlab/secrets/otp".path}"
"--load-credential=db:${config.sops.secrets."gitlab/secrets/db".path}"
"--load-credential=jws:${config.sops.secrets."gitlab/secrets/jws".path}"
"--load-credential=oidc_id:${config.sops.secrets."gitlab/oidc/id".path}"
"--load-credential=oidc_secret:${config.sops.secrets."gitlab/oidc/secret".path}"
];
config = {
systemd.services.secrets_setup = {
wantedBy = [ "gitlab.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
"rootpass"
"secret"
"db"
"otp"
"jws"
"oidc_id"
"oidc_secret"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitlab/dbpass
cat ''${CREDENTIALS_DIRECTORY}/rootpass > /etc/gitlab/rootpass
cat ''${CREDENTIALS_DIRECTORY}/secret > /etc/gitlab/secret
cat ''${CREDENTIALS_DIRECTORY}/db > /etc/gitlab/db
cat ''${CREDENTIALS_DIRECTORY}/otp > /etc/gitlab/otp
cat ''${CREDENTIALS_DIRECTORY}/jws > /etc/gitlab/jws
cat ''${CREDENTIALS_DIRECTORY}/oidc_id > /etc/gitlab/oidc-id
cat ''${CREDENTIALS_DIRECTORY}/oidc_secret > /etc/gitlab/oidc-secret
chown gitlab:gitlab /etc/gitlab/*
'';
};
services.gitlab = {
enable = true;
#https = true;
#port = 443;
host = "gitlab.blunkall.us";
databasePasswordFile = "/etc/gitlab/dbpass";
initialRootPasswordFile = "/etc/gitlab/rootpass";
statePath = "/etc/gitlab/data";
secrets = {
secretFile = "/etc/gitlab/secret";
otpFile = "/etc/gitlab/otp";
dbFile = "/etc/gitlab/db";
jwsFile = "/etc/gitlab/jws";
};
extraConfig = {
gitlab = {
default_project_features = {
builds = false;
};
};
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = [ "openid_connect" ];
sync_email_from_provider = "openid_connect";
sync_profile_from_provider = [ "openid_connect" ];
sync_profile_attributes = [ "email" ];
auto_link_saml_user = true;
auto_link_user = [ "openid_connect" ];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "Authentik SSO";
args = {
name = "openid_connect";
scope = [ "openid" "profile" "email" ];
response_type = "code";
issuer = "https://auth.blunkall.us/application/o/gitlab/";
discovery = true;
client_auth_method = "query";
uid_field = "preferred_username";
send_scope_to_token_endpoint = true;
pkce = true;
client_options = {
identifier = { _secret = "/etc/gitlab/oidc-id"; };
secret = { _secret = "/etc/gitlab/oidc-secret"; };
redirect_uri = "https://gitlab.blunkall.us/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"gitlab.blunkall.us" = {
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
};
services.openssh.enable = true;
systemd.services.gitlab-backup.environment.BACKUP = "dump";
networking.firewall.allowedTCPPorts = [ 22 80 ];
system.stateVersion = "24.05";
};
};
};
}
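Review bot: The container sshd enabled by `services.openssh.enable = true` is reached from host port 22 through `forwardPorts` but is left at NixOS defaults, unlike the gitea section, which turns password and keyboard-interactive authentication off; add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; };` so the git endpoint is key-only. `block_auto_created_users = false` together with `auto_link_user` lets any account the `openid_connect` provider returns become an active GitLab user immediately; that may be intended for a private identity provider, but it deserves a comment saying so. `auto_link_saml_user = true` appears to have no effect with an OIDC-only provider list and can be dropped.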


@@ -0,0 +1,43 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.homeassistant = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtualization.homeassistant.enable {
containers.home-assistant = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.25";
config = {
services.home-assistant = {
enable = true;
openFirewall = true;
extraComponents = [
"wyoming"
"ollama"
];
config = {
homeassistant.unit_system = "us_customary";
};
configWritable = true;
};
system.stateVersion = "25.05";
};
};
};
}


@@ -0,0 +1,39 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.jellyfin.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.jellyfin.enable {
containers.jellyfin = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.14";
bindMounts = {
"/etc/jellyfin" = {
hostPath = "/ssd1/Jellyfin";
isReadOnly = false;
};
};
config = {
services.jellyfin = {
enable = true;
dataDir = "/etc/jellyfin/data";
configDir = "/etc/jellyfin/config";
logDir = "/etc/jellyfin/log";
openFirewall = true;
};
system.stateVersion = "24.05";
};
};
};
}


@@ -0,0 +1,73 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.keycloak.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.keycloak.enable {
sops.secrets."keycloak/dbpass" = {};
containers.keycloak = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.22";
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."keycloak/dbpass".path}"
];
bindMounts = {
"/etc/keycloak" = {
hostPath = "/ssd1/Keycloak";
isReadOnly = false;
};
};
config = {
networking.firewall.allowedTCPPorts = [ 80 ];
systemd.services.secrets_setup = {
wantedBy = [ "keycloak.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/keycloak/dbpass
chown postgres:postgres /etc/keycloak/dbpass
'';
};
services.keycloak = {
enable = true;
database.passwordFile = "/etc/keycloak/dbpass";
settings = {
hostname = "auth.esotericbytes.com";
http-enabled = true;
proxy-headers = "xforwarded";
proxy-trusted-addresses = "192.168.100.11";
};
initialAdminPassword = "7567";
};
system.stateVersion = "25.05";
};
};
};
}
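Review bot: `initialAdminPassword = "7567"` puts a short, static bootstrap password for the Keycloak admin account in version control, while `dbpass` on the same container already goes through sops and a systemd credential. Route it the same way — a `sops.secrets."keycloak/adminpass"` entry, an extra `--load-credential` flag and a second `cat`/`install` line in `secrets_setup` — or, if the value was only ever consumed on first start, say so in a comment and confirm the admin password has since been rotated. Whether the `services.keycloak` module offers a file-based variant of this option cannot be confirmed from this hunk.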


@@ -0,0 +1,108 @@
{ config, lib, pkgs, nix-minecraft, ... }: {
options.sysconfig = {
virtualization.minecraft.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtualization.minecraft.enable {
networking = {
firewall = {
allowedTCPPorts = [ 25565 ];
allowedUDPPorts = [ 25565 ];
};
};
nixpkgs.overlays = [ nix-minecraft.overlay ];
containers.minecraft = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.29";
forwardPorts = [
{
containerPort = 25565;
hostPort = 25565;
protocol = "tcp";
}
{
containerPort = 25565;
hostPort = 25565;
protocol = "udp";
}
];
config = {
imports = [
nix-minecraft.nixosModules.minecraft-servers
];
environment.systemPackages = with pkgs; [ tmux ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/mcservers";
managementSystem.systemd-socket.enable = true; #temp
servers = {
vanilla = {
enable = true;
package = pkgs.fabricServers.fabric-1_21_8;
serverProperties = {
server-port = 25565;
gamemode = "survival";
difficulty = 2;
white-list = true;
motd = "Didn't see that coming huh?";
};
whitelist = {
"MeasureTwice66" = "a4032062-293d-484d-a790-9f52475836bb";
"651sonic" = "936a3fb0-4548-4557-975b-7794e97a3afc";
"Griffin12_" = "6a1f56d9-f712-4723-a031-e5437a389bb3";
};
autoStart = true;
};
modded = {
enable = false;
#package = pkgs.fabricServers.fabric-1_21_1.override { loaderVersion = "0.16.14"; };
package = pkgs.fabricServers.fabric-1_21_1;
jvmOpts = [ "-Xms8000M" "-Xmx12000M" ];
serverProperties = {
server-port = 25566;
gamemode = "survival";
white-list = true;
allow-flight = true;
motd = "Ex-plo-sion!!!";
};
whitelist = {
"MeasureTwice66" = "a4032062-293d-484d-a790-9f52475836bb";
"651sonic" = "936a3fb0-4548-4557-975b-7794e97a3afc";
"Griffin12_" = "6a1f56d9-f712-4723-a031-e5437a389bb3";
};
autoStart = true;
symlinks = {
"mods" = ./mods;
};
};
};
};
system.stateVersion = "25.05";
};
};
};
}
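Review bot: `managementSystem.systemd-socket.enable = true; #temp` gives no reason for the temporary setting or what would allow it to be removed; expand it to something like `# TODO: temporary — <reason>; revert once <condition>` so the next reader knows whether it is safe to drop. The `modded` server is `enable = false` but keeps a full whitelist and `symlinks."mods" = ./mods`, so the `mods` directory may still need to exist for evaluation; a one-line comment on `modded` saying it is kept ready to re-enable would make that deliberate.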


@@ -0,0 +1,44 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.n8n.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.n8n.enable {
containers.n8n = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.21";
config = {
nixpkgs.config.allowUnfree = true;
services.n8n = {
enable = true;
openFirewall = true;
environment = {
N8N_DIAGNOSTICS_ENABLED = "false";
N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
N8N_TEMPLATES_ENABLED = "false";
EXTERNAL_FRONTEND_HOOKS_URLS = "";
N8N_DIAGNOSTICS_CONFIG_FRONTEND = "";
N8N_DIAGNOSTICS_CONFIG_BACKEND = "";
N8N_SECURE_COOKIE = "false";
};
#webhookUrl = "https://n8n.blunkall.us/";
};
system.stateVersion = "25.05";
};
};
};
}
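Review bot: `N8N_SECURE_COOKIE = "false"` drops the Secure flag from the n8n session cookie even though users reach the service over HTTPS via the `n8n.esotericbytes.com` router in the traefik section; presumably it is set because n8n only sees plain HTTP from the proxy. Add a comment on that line stating the reason, and if the packaged n8n supports `N8N_PROXY_HOPS`, setting `N8N_PROXY_HOPS = "1";` lets n8n trust traefik's forwarded-proto header so the cookie can stay secure. The commented-out `#webhookUrl` means generated webhook URLs will use the container's own address rather than the public hostname; either set it or note why it is off.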


@@ -0,0 +1,251 @@
{ config, lib, nixpkgs-us, ... }: {
options.sysconfig = {
services.netbird.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
virtualization.netbird = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
};
config = let
pkgs-us = import nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in {
services.netbird = {
enable = config.sysconfig.services.netbird.enable;
ui = {
enable = true;
#package = pkgs-us.netbird-ui;
};
#package = pkgs-us.netbird;
};
networking = {
firewall = lib.mkIf config.sysconfig.virtualization.netbird.enable {
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 51100; to = 56100; }];
interfaces."ve-netbird" = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
};
nat.internalInterfaces = [ "ve-netbird" "wt0" ];
};
sops.secrets."netbird/coturnPass" = lib.mkIf config.sysconfig.virtualization.netbird.enable {};
containers.netbird = lib.mkIf config.sysconfig.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.23";
forwardPorts = [
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 51100 + y) (56100 - 51100));
extraFlags = [
"--load-credential=coturnPass:${config.sops.secrets."netbird/coturnPass".path}"
];
config = {
services.nginx.virtualHosts."vpn.esotericbytes.com" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
ssl = false;
}
];
};
services.netbird = {
server = {
enable = true;
enableNginx = true;
domain = "vpn.esotericbytes.com";
dashboard = {
enable = true;
enableNginx = true;
settings = {
AUTH_AUTHORITY = "https://auth.esotericbytes.com/realms/General";
AUTH_CLIENT_ID = "netbird";
AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
AUTH_AUDIENCE = "netbird";
USE_AUTH0 = false;
NETBIRD_TOKEN_SOURCE = "accessToken";
};
package = pkgs-us.netbird-dashboard;
};
management = {
enable = true;
enableNginx = true;
disableAnonymousMetrics = true;
dnsDomain = "vpn";
turnDomain = "vpn.esotericbytes.com";
turnPort = 3478;
logLevel = "DEBUG";
oidcConfigEndpoint = "https://auth.esotericbytes.com/realms/General/.well-known/openid-configuration";
settings = {
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:vpn.esotericbytes.com:3478";
"Username" = "netbird";
"Password"._secret = "/etc/netbird/coturnPass";
}
];
"Secret"._secret = "/etc/netbird/coturnPass";
};
"DataStoreEncryptionKey" = null;
"HttpConfig" = {
"Address" = "0.0.0.0:443";
"AuthIssuer" = "https://auth.esotericbytes.com/realms/General";
"AuthAudience" = "netbird";
"AuthKeysLocation" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/certs";
"AuthUserIDClaim" = "";
"CertFile" = "";
"CertKey" = "";
"IdpSignKeyRefreshEnabled" = false;
"OIDCConfigEndpoint" = "https://auth.esotericbytes.com/realms/General/.well-known/openid-configuration";
};
"DeviceAuthorizationFlow" = {
"Provider" = "none";
"ProviderConfig" = {
"Audience" = "netbird";
"AuthorizationEndpoint" = "";
"Domain" = "";
"ClientID" = "";
"ClientSecret" = "";
"TokenEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/token";
"DeviceAuthEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/auth/device";
"Scope" = "openid";
"UseIDToken" = false;
"RedirectURLs" = null;
};
};
"IdpManagerConfig" = {
"ManagerType" = "keycloak";
"ClientConfig" = {
"Issuer" = "https://auth.esotericbytes.com/realms/General";
"TokenEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/token";
"ClientID" = "netbird-backend";
"ClientSecret" = "QuqjTOAHKE6N6jJqkB1F1RGo3kqUhEdg";
"GrantType" = "client_credentials";
};
"ExtraConfig" = {
"AdminEndpoint" = "https://auth.esotericbytes.com/admin/realms/General";
};
"Auth0ClientCredentials" = null;
"AzureClientCredentials" = null;
"KeycloakClientCredentials" = null;
"ZitadelClientCredentials" = null;
};
"PKCEAuthorizationFlow" = {
"ProviderConfig" = {
"Audience" = "netbird";
"ClientID" = "netbird";
"ClientSecret" = "";
"Domain" = "";
"AuthorizationEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/auth";
"TokenEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/token";
"Scope" = "openid profile email offline_access api";
"RedirectURLs" = [
"http://localhost:53000"
];
"UseIDToken" = false;
"DisablePromptLogin" = false;
};
};
};
port = 443;
};
coturn = {
enable = true;
user = "netbird";
passwordFile = "/etc/netbird/coturnPass";
openPorts = map (x: x) (builtins.genList (y: 51100 + y) (56100 - 51100));
};
signal = {
enable = true;
enableNginx = true;
};
};
};
systemd.services.secrets_setup = {
wantedBy = [ "netbird-management.service" "coturn.service" ];
serviceConfig = {
LoadCredential = [
"coturnPass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/coturnPass > /etc/netbird/coturnPass
'';
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 51100; to = 56100; }];
};
system.stateVersion = "25.05";
};
};
};
}
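Review bot: `IdpManagerConfig.ClientConfig.ClientSecret` is a literal Keycloak client secret in the Nix file, while `coturnPass` in the same settings block already uses sops plus the `_secret` file indirection; the value is now in git history, so it should be rotated in Keycloak and then loaded the same way, e.g. `"ClientSecret"._secret = "/etc/netbird/idpClientSecret";` with a matching `sops.secrets` entry, `--load-credential` flag and `cat` line in `secrets_setup`. `logLevel = "DEBUG"` on the management service deserves a comment or a downgrade to `INFO` before this is treated as stable, since debug output may carry request details. `openPorts = map (x: x) (...)` is an identity map and can be just the `builtins.genList` call.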


@@ -0,0 +1,81 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.nextcloud.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.nextcloud.enable {
sops.secrets."nextcloud/pass" = {};
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.15";
bindMounts = {
"/var/lib/nextcloud" = {
hostPath = "/ssd1/Nextcloud/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=nextcloud-admin-pass:${config.sops.secrets."nextcloud/pass".path}"
];
config = { config, lib, pkgs, ... }: {
systemd.services.secrets_setup = {
wantedBy = [ "nextcloud-setup.service" ];
serviceConfig = {
LoadCredential = [
"nextcloud-admin-pass"
];
};
script = ''
cat $CREDENTIALS_DIRECTORY/nextcloud-admin-pass > /etc/nextcloud-admin-pass
chown nextcloud:nextcloud /etc/nextcloud-admin-pass
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.virtualHosts."192.168.100.15".listen = [ { addr = "0.0.0.0"; port = 80; } ];
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
hostName = "192.168.100.15";
config = {
adminpassFile = "/etc/nextcloud-admin-pass";
adminuser = "root";
dbtype = "mysql";
};
https = true;
home = "/var/lib/nextcloud";
appstoreEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit mail contacts calendar tasks user_oidc;
inherit impersonate end_to_end_encryption notes spreed music memories phonetrack;
};
extraAppsEnable = true;
settings = {
overwriteprotocol = "https";
trusted_domains = [ "nextcloud.esotericbytes.com" ];
trusted_proxies = [ "192.168.100.11" ];
default_phone_region = "US";
};
database.createLocally = true;
};
system.stateVersion = "24.05";
};
};
};
}


@@ -0,0 +1,43 @@
{ config, lib, ... }: {
options.sysconfig.virtualization."esotericbytes.com".enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization."esotericbytes.com".enable {
containers.esotericbytes-com = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.13";
bindMounts = {
"/var/www/data" = {
hostPath = "/ssd1/esotericbytes-com/data";
isReadOnly = false;
};
};
config = {
services.nginx = {
enable = true;
virtualHosts = {
"esotericbytes.com" = {
enableACME = false;
forceSSL = false;
root = "/var/www/data";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "24.05";
};
};
};
}


@@ -0,0 +1,52 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.virtualization.novnc.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.novnc.enable {
networking = {
firewall.interfaces."ve-novnc" = lib.mkIf config.sysconfig.virtualization.novnc.enable {
allowedTCPPorts = [ 5900 ];
allowedUDPPorts = [ 5900 ];
};
};
containers.novnc = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.30";
config = {
systemd.services.novnc = {
enable = true;
path = with pkgs; [
novnc
ps
];
script = ''
novnc --listen 80 --vnc 192.168.100.10:5900
'';
serviceConfig = {
Type = "exec";
};
wantedBy = [ "multi-user.target" ];
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "25.05";
};
};
};
}
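Review bot: The `lib.mkIf config.sysconfig.virtualization.novnc.enable` on the `firewall.interfaces."ve-novnc"` block is redundant inside the outer `lib.mkIf` on the same option and can be dropped. `novnc --listen 80 --vnc 192.168.100.10:5900` proxies the host's VNC port to whoever reaches the container's port 80 with no authentication at the websocket layer, so the only gate is whatever the VNC server itself enforces; a comment on the `script` line stating that this is intended to stay LAN-only (the matching `remote` traefik router is commented out) would make the exposure explicit. Whether `ps` is a valid attribute of `pkgs` cannot be confirmed here; `procps` is the usual package for it.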


@@ -0,0 +1,43 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.ntfy.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.ntfy.enable {
containers.ntfy = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.19";
config = {
services.ntfy-sh = {
enable = true;
settings = {
base-url = "https://ntfy.esotericbytes.com";
listen-http = ":80";
behind-proxy = true;
upstream-base-url = "https://ntfy.sh";
auth-default-access = "deny-all";
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "24.05";
};
};
};
}


@@ -0,0 +1,40 @@
{ config, lib, pkgs, nixpkgs-us, ... }: {
options = {
sysconfig.virtualization.openwebui.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtualization.openwebui.enable {
containers.openwebui = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.33";
config = {
services.open-webui = {
enable = true;
#package = pkgs.open-webui;
package = let
pkgs-us = import nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.open-webui;
openFirewall = true;
host = "0.0.0.0";
};
system.stateVersion = "25.05";
};
};
};
}
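Review bot: The `import nixpkgs-us { system = "x86_64-linux"; config.allowUnfree = true; }` inside `package` hard-codes the platform and instantiates a second nixpkgs evaluation that the netbird section also performs; hoisting it to one shared `pkgs-us` binding (and taking `system` from `pkgs.stdenv.hostPlatform.system`) avoids the duplication. `pkgs` is listed in the module arguments but never used here. A one-line comment on `package` saying why open-webui has to come from the unstable input would tell the next reader when the override can go.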


@@ -0,0 +1,85 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.rustdesk.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.rustdesk.enable {
/*networking = {
firewall.allowedTCPPorts = [ 21115 21116 21117 21118 21119 ];
firewall.allowedUDPPorts = [ 21116 ];
};*/
containers.rustdesk = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.27";
/* forwardPorts = [
{
containerPort = 21115;
hostPort = 21115;
protocol = "tcp";
}
{
containerPort = 21116;
hostPort = 21116;
protocol = "tcp";
}
{
containerPort = 21116;
hostPort = 21116;
protocol = "udp";
}
{
containerPort = 21117;
hostPort = 21117;
protocol = "tcp";
}
{
containerPort = 21118;
hostPort = 21118;
protocol = "tcp";
}
{
containerPort = 21119;
hostPort = 21119;
protocol = "tcp";
}
];*/
config = {
services.rustdesk-server = {
enable = true;
openFirewall = true;
relay = {
enable = true;
extraArgs = [
"-k"
"AAAAC3NzaC1lZDI1NTE5AAAAIIPztDjwgB3xCza5+p5z1jpGVYoVQNl3fqD69pPCm0NA"
];
};
signal = {
enable = true;
#relayHosts = [ "esotericbytes.com" ];
relayHosts = [ "192.168.100.27" ];
extraArgs = [
"-k"
"AAAAC3NzaC1lZDI1NTE5AAAAIIPztDjwgB3xCza5+p5z1jpGVYoVQNl3fqD69pPCm0NA"
];
};
};
system.stateVersion = "24.05";
};
};
};
}
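Review bot: With `privateNetwork = true`, the commented-out `forwardPorts` block and host firewall rules mean ports 21115–21119 are only reachable from the container host, so `openFirewall = true` inside the container does not by itself expose the server to clients; either restore the forwards or state in a comment how clients are expected to reach it. `relayHosts = [ "192.168.100.27" ]` hands clients the container's own private address as the relay, which looks unreachable for anything off the host; confirm this is intended or use the public hostname the commented line above it suggests. The `-k` value is repeated verbatim in both `relay` and `signal`; binding it once in a `let` keeps the two from drifting.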


@@ -0,0 +1,79 @@
{ config, lib, self, ... }: {
options.sysconfig.virtualization.sandbox.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.sandbox.enable {
networking = {
nat.internalInterfaces = [ "ve-sandbox" ];
};
containers.sandbox = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.32";
ephemeral = true;
timeoutStartSec = "3min";
flake = "${self}";
/*bindMounts = {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
};
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rw";
}
{
node = "/dev/nvidiactl";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm";
modifier = "rw";
}
{
node = "/dev/nvidia-modeset";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm-tools";
modifier = "rw";
}
];*/
config = {
};
};
};
}


@@ -0,0 +1,350 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.traefik.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.traefik.enable {
networking = {
hosts."192.168.100.11" = [
"esotericbytes.com"
"*.esotericbytes.com"
];
firewall.allowedTCPPorts = [ 22 80 443 ];
nat.internalInterfaces = [ "ve-traefik" ];
};
containers.traefik = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
forwardPorts = [
{
containerPort = 81;
hostPort = 80;
}
{
containerPort = 444;
hostPort = 443;
}
];
bindMounts = {
"/etc/traefik/data" = {
hostPath = "/ssd1/Traefik/data";
isReadOnly = false;
};
"/var/run/docker.sock" = lib.mkIf config.sysconfig.docker.enable {
hostPath = "/run/docker.sock";
isReadOnly = false;
};
};
config = {
environment.etc."resolv.conf" = {
enable = true;
text = ''
nameserver 1.1.1.1
nameserver 1.0.0.1
options edns0
'';
user = "root";
mode = "0664";
};
#virtualisation.docker.enable = lib.mkIf config.sysconfig.docker.enable true;
users.groups."docker" = lib.mkIf config.sysconfig.docker.enable {
name = "docker";
gid = 131;
members = [
"traefik"
];
};
services.traefik = {
enable = true;
group = lib.mkIf config.sysconfig.docker.enable "docker";
dataDir = "/etc/traefik/data";
environmentFiles = [
"/etc/traefik/data/traefik.env"
];
staticConfigOptions = {
serversTransport.insecureSkipVerify = true;
api = {
dashboard = true;
debug = true;
};
global = {
checknewversion = false;
sendanonymoususage = false;
};
providers.docker = lib.mkIf config.sysconfig.docker.enable {};
entryPoints = {
web = {
address = ":81";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":444";
asDefault = true;
http.tls = {
certResolver = "cloudflare";
domains = {
main = "esotericbytes.com";
sans = [
"*.esotericbytes.com"
];
};
};
};
local = {
address = ":80";
http.redirections.entryPoint = {
to = "localsecure";
scheme = "https";
};
};
localsecure = {
address = ":443";
asDefault = true;
http.tls = {
certResolver = "cloudflare";
domains = {
main = "esotericbytes.com";
sans = [
"*.esotericbytes.com"
];
};
};
};
};
log = {
level = "INFO";
filePath = "/etc/traefik/data/logs/traefik.log";
format = "json";
};
certificatesResolvers = {
cloudflare = {
acme = {
email = "nathanblunkall5@gmail.com";
storage = "/etc/traefik/data/acme.json";
keyType = "EC256";
dnsChallenge = {
provider = "cloudflare";
resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ];
};
};
};
};
};
dynamicConfigOptions = {
http = {
routers = {
homepageSecure = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`esotericbytes.com`) || Host(`www.esotericbytes.com`)";
service = "homepage";
tls.certResolver = "cloudflare";
};
/*remote = {
entryPoints = [ "websecure" ];
rule = "Host(`remote.esotericbytes.com`)";
service = "novnc";
tls.certResolver = "cloudflare";
#middlewares = [ "authentik" ];
};*/
homeassistant = {
entryPoints = [ "localsecure" ];
rule = "Host(`hass.esotericbytes.com`)";
service = "homeassistant";
tls.certResolver = "cloudflare";
};
jellyfin = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`jellyfin.esotericbytes.com`)";
service = "jellyfin";
tls.certResolver = "cloudflare";
};
auth = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`auth.esotericbytes.com`)";
service = "keycloak";
tls.certResolver = "cloudflare";
};
/*gitlab = {
entryPoints = [ "websecure" ];
rule = "Host(`gitlab.esotericbytes.com`)";
service = "gitlab";
tls.certResolver = "cloudflare";
};*/
gitea = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`gitea.esotericbytes.com`)";
service = "gitea";
tls.certResolver = "cloudflare";
};
nextcloud = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`nextcloud.esotericbytes.com`)";
service = "nextcloud";
tls.certResolver = "cloudflare";
middlewares = [
"nextcloud_redirectregex"
];
};
traefik = {
entryPoints = [ "localsecure" ];
rule = "Host(`traefik.esotericbytes.com`)";
service = "api@internal";
tls.certResolver = "cloudflare";
#middlewares = [ "authentik" ];
};
/*ntfy = {
entryPoints = [ "websecure" ];
rule = "Host(`ntfy.esotericbytes.com`)";
service = "ntfy";
tls.certResolver = "cloudflare";
};*/
/*pihole = {
entryPoints = [ "localsecure" ];
rule = "Host(`pihole.esotericbytes.com`)";
service = "pihole";
tls.certResolver = "cloudflare";
};
portainer = {
entryPoints = [ "localsecure" ];
rule = "Host(`portainer.esotericbytes.com`)";
service = "portainer";
tls.certResolver = "cloudflare";
};*/
netbird = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`vpn.esotericbytes.com`)";
service = "netbird";
tls.certResolver = "cloudflare";
};
n8n = {
entryPoints = [ "localsecure" ];
rule = "Host(`n8n.esotericbytes.com`)";
service = "n8n";
tls.certResolver = "cloudflare";
};
/*ollama = {
entryPoints = [ "localsecure" ];
rule = "Host(`ollama.esotericbytes.com`)";
service = "ollama";
tls.certResolver = "cloudflare";
};*/
openwebui = {
entryPoints = [ "localsecure" ];
rule = "Host(`ai.esotericbytes.com`)";
service = "openwebui";
tls.certResolver = "cloudflare";
};
code-server = {
entryPoints = [ "localsecure" ];
rule = "Host(`code.esotericbytes.com`)";
service = "code-server";
tls.certResolver = "cloudflare";
};
};
middlewares = {
nextcloud_redirectregex.redirectregex = {
permanent = true;
regex = "https://nextcloud.esotericbytes.com/.well-known/(?:card|cal)dav";
replacement = "https://nextcloud.esotericbytes.com/remote.php/dav";
};
};
services = {
#gitlab.loadBalancer.servers = [ { url = "http://192.168.100.16:80"; } ];
gitea.loadBalancer.servers = [ { url = "http://192.168.100.20:3000"; } ];
homepage.loadBalancer.servers = [ { url = "http://192.168.100.13:80"; } ];
jellyfin.loadBalancer.servers = [ { url = "http://192.168.100.14:8096"; } ];
authentik.loadBalancer.servers = [ { url = "http://192.168.100.10:9003"; } ];
#pihole.loadBalancer.servers = [ { url = "http://192.168.100.10:9001"; } ];
#portainer.loadBalancer.servers = [ { url = "http://192.168.100.10:9000"; } ];
keycloak.loadBalancer.servers = [ { url = "http://192.168.100.22:80"; } ];
#novnc.loadBalancer.servers = [ { url = "http://192.168.100.10:6080"; } ];
nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.15:80"; } ];
#ntfy.loadBalancer.servers = [ { url = "http://192.168.100.19"; } ];
netbird.loadBalancer = {
passHostHeader = true;
servers = [ { url = "http://192.168.100.23:80"; } ];
};
#ollama.loadBalancer.servers = [ { url = "http://192.168.100.10:11434"; } ];
openwebui.loadBalancer.servers = [ { url = "http://192.168.100.33:8080"; } ];
code-server.loadBalancer.servers = [ { url = "http://192.168.100.31:4444"; } ];
homeassistant.loadBalancer.servers = [ { url = "http://192.168.100.25:8123"; } ];
n8n.loadBalancer.servers = [ { url = "http://192.168.100.21:5678"; } ];
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [ 80 443 81 444 ];
allowedUDPPorts = [ 80 443 81 444 ];
};
useHostResolvConf = false;
};
system.stateVersion = "24.05";
};
};
};
}
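Review bot: `environment.etc."resolv.conf"` is written with `mode = "0664"`, making the resolver configuration group-writable for no evident reason; `mode = "0644";` is enough for a root-owned file. Mounting `/run/docker.sock` into the container and adding `traefik` to the `docker` group (with `gid = 131` hard-coded, which must match the host's docker group for the socket to be usable) gives the traefik process control equivalent to root on the host whenever `sysconfig.docker.enable` is set; a short comment acknowledging that trade-off, or a socket proxy that limits it to read-only container listing, would be appropriate. The `traefik` router serves `api@internal` with `api.debug = true` and no middleware (the `authentik` one is commented out), so the dashboard is gated only by being on the `localsecure` entrypoint. `serversTransport.insecureSkipVerify = true` is moot while every backend URL is `http://` and can be removed until a TLS backend appears.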


@@ -0,0 +1,131 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.wyoming = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
piper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
openwakeword = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
faster-whisper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
satellite = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtualization.wyoming.enable {
containers.wyoming = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.26";
bindMounts = lib.mkIf config.sysconfig.virtualization.wyoming.faster-whisper {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
};
allowedDevices = lib.mkIf config.sysconfig.virtualization.wyoming.faster-whisper [
{
node = "/dev/nvidia0";
modifier = "rw";
}
{
node = "/dev/nvidiactl";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm";
modifier = "rw";
}
{
node = "/dev/nvidia-modeset";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm-tools";
modifier = "rw";
}
];
config = {
networking.firewall = {
allowedTCPPorts = [ 11431 11432 11433 11435 ];
};
services.wyoming = {
piper = lib.mkIf config.sysconfig.virtualization.wyoming.piper {
servers.piper = {
enable = true;
voice = "en-us-ryan-medium";
uri = "tcp://0.0.0.0:11435";
};
};
openwakeword = lib.mkIf config.sysconfig.virtualization.wyoming.openwakeword {
enable = true;
uri = "tcp://0.0.0.0:11432";
threshold = 0.5;
customModelsDirectories = [
#./wake_words
];
};
faster-whisper = lib.mkIf config.sysconfig.virtualization.wyoming.faster-whisper {
servers.whisper = {
enable = true;
device = "auto";
language = "en";
model = "medium.en";
uri = "tcp://0.0.0.0:11433";
};
};
satellite = lib.mkIf config.sysconfig.virtualization.wyoming.satellite {
enable = true;
uri = "tcp://0.0.0.0:11431";
#user = "nathan";
vad.enable = false;
};
};
system.stateVersion = "25.05";
};
};
};
}
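Review bot: `networking.firewall.allowedTCPPorts = [ 11431 11432 11433 11435 ]` opens all four service ports regardless of which sub-option is enabled, while each service below is gated with its own `lib.mkIf`; tying the ports to the same flags, e.g. `lib.optional cfg.satellite 11431 ++ lib.optional cfg.openwakeword 11432 ++ lib.optional cfg.faster-whisper 11433 ++ lib.optional cfg.piper 11435` with `cfg` bound to `config.sysconfig.virtualization.wyoming` in a `let`, keeps disabled services unreachable. The `/dev/nvidia*` bind mounts and `allowedDevices` give the container read-write access to the GPU only when `faster-whisper` is set, which is the right scoping; a one-line comment above `bindMounts` saying the devices are needed for GPU inference would save the reader the inference. The empty `customModelsDirectories = [ ]` with a commented path could use a comment on why the wake-word directory is disabled.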