Blunkall-Technologies/Olympus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Begin Dendritic rewrite

Browse Source
This commit is contained in:
Nathan
2026-03-06 16:24:53 -06:00
parent f3a90a0fe8
commit c1684a80f7
99 changed files with 4375 additions and 4643 deletions
Download Patch File Download Diff File Expand all files Collapse all files

181
system/default.nix
View File

@@ -1,115 +1,112 @@
{ config, lib, pkgs, nixpkgs, ... }: {
{ ... }: {
imports = let
dir = builtins.readDir ./.;
in builtins.map (x: ./${x}) (builtins.filter
(file: (dir.${file} == "directory"))
(builtins.attrNames dir)
);
flake.nixosModules.default = { config, lib, pkgs, nixpkgs, ... }: {
options.sysconfig = with lib; {
host = mkOption {
type = with types; nullOr str;
default = null;
};
graphical = mkOption {
type = with types; bool;
default = config.hardware.graphics.enable;
};
remoteBuildHost = mkOption {
type = with types; bool;
default = false;
};
remoteBuildClient = mkOption {
type = with types; bool;
default = false;
};
};
config = {
networking.hostName = lib.mkDefault config.sysconfig.host;
nix = {
nixPath = [ "nixpkgs=${nixpkgs}" ];
channel.enable = false;
settings = {
experimental-features = [ "nix-command" "flakes" ];
builders-use-substitutes = lib.mkIf config.sysconfig.remoteBuildClient true;
trusted-users = lib.mkIf config.sysconfig.remoteBuildHost [ "remote-builder" ];
substituters = lib.mkIf config.sysconfig.programs.hyprland.enable ["https://hyprland.cachix.org"];
trusted-substituters = lib.mkIf config.sysconfig.programs.hyprland.enable ["https://hyprland.cachix.org"];
trusted-public-keys = lib.mkIf config.sysconfig.programs.hyprland.enable ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
options.sysconfig = with lib; {
host = mkOption {
type = with types; nullOr str;
default = null;
};
graphical = mkOption {
type = with types; bool;
default = config.hardware.graphics.enable;
};
remoteBuildHost = mkOption {
type = with types; bool;
default = false;
};
remoteBuildClient = mkOption {
type = with types; bool;
default = false;
};
};
distributedBuilds = config.sysconfig.remoteBuildClient;
buildMachines = lib.mkIf config.sysconfig.remoteBuildClient [
config = {
networking.hostName = lib.mkDefault config.sysconfig.host;
nix = {
nixPath = [ "nixpkgs=${nixpkgs}" ];
channel.enable = false;
settings = {
experimental-features = [ "nix-command" "flakes" ];
builders-use-substitutes = lib.mkIf config.sysconfig.remoteBuildClient true;
trusted-users = lib.mkIf config.sysconfig.remoteBuildHost [ "remote-builder" ];
substituters = lib.mkIf config.sysconfig.programs.hyprland.enable ["https://hyprland.cachix.org"];
trusted-substituters = lib.mkIf config.sysconfig.programs.hyprland.enable ["https://hyprland.cachix.org"];
trusted-public-keys = lib.mkIf config.sysconfig.programs.hyprland.enable ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
};
distributedBuilds = config.sysconfig.remoteBuildClient;
buildMachines = lib.mkIf config.sysconfig.remoteBuildClient [
{
hostName = "esotericbytes.com";
sshUser = "remote-builder";
sshKey = config.sops.secrets."remoteBuildKey".path;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
"benchmark"
"big-parallel"
"kvm"
];
systems = [ "x86_64-linux" "aarch64-linux" ];
}
];
};
];
};
users.users."remote-builder" = lib.mkIf config.sysconfig.remoteBuildHost {
isNormalUser = true;
createHome = false;
};
users.users."remote-builder" = lib.mkIf config.sysconfig.remoteBuildHost {
isNormalUser = true;
createHome = false;
};
sops.secrets = let
dir = builtins.readDir ../machines;
in lib.mkIf config.sysconfig.remoteBuildHost (builtins.listToAttrs
(builtins.map
(y: { name = "remoteBuildClientKeys/${y}"; value = { sopsFile = ./secrets.yaml; }; })
(builtins.filter
(x: dir.${x} == "directory" && (import ../machines/${x} { config = {}; inputs = {}; inherit lib pkgs; }).config.sysconfig.remoteBuildClient)
(builtins.attrNames dir)
)
)
);
sops.templates."remote-builder" = lib.mkIf config.sysconfig.remoteBuildHost {
content = builtins.concatStringsSep ''''\n'' (builtins.map
(y: config.sops.placeholder.${y})
(builtins.filter
(x: (builtins.match "^remoteBuildClientKeys/.+" x) != null)
(builtins.attrNames config.sops.secrets)
sops.secrets = let
dir = builtins.readDir ../machines;
in lib.mkIf config.sysconfig.remoteBuildHost (builtins.listToAttrs
(builtins.map
(y: { name = "remoteBuildClientKeys/${y}"; value = { sopsFile = ./secrets.yaml; }; })
(builtins.filter
(x: dir.${x} == "directory" && (import ../machines/${x} { config = {}; inputs = {}; inherit lib pkgs; }).config.sysconfig.remoteBuildClient)
(builtins.attrNames dir)
)
)
);
path = "/etc/ssh/authorized_keys.d/remote-builder";
owner = "remote-builder";
};
sops = {
age.keyFile = "/var/lib/sops/age/keys.txt";
defaultSopsFormat = "yaml";
};
time.timeZone = lib.mkDefault "America/Chicago";
sops.templates."remote-builder" = lib.mkIf config.sysconfig.remoteBuildHost {
content = builtins.concatStringsSep ''''\n'' (builtins.map
(y: config.sops.placeholder.${y})
(builtins.filter
(x: (builtins.match "^remoteBuildClientKeys/.+" x) != null)
(builtins.attrNames config.sops.secrets)
)
);
path = "/etc/ssh/authorized_keys.d/remote-builder";
owner = "remote-builder";
};
i18n = lib.mkDefault {
defaultLocale = "en_US.UTF-8";
sops = {
age.keyFile = "/var/lib/sops/age/keys.txt";
defaultSopsFormat = "yaml";
};
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
time.timeZone = lib.mkDefault "America/Chicago";
i18n = lib.mkDefault {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
};
};
};
}
};

6
system/etc/default.nix
View File

@@ -1,6 +1,10 @@
{ ... }: {
config = {
flake.nixosModules.default = { ... }: {
config = {
};
};
}

14
system/packages/default.nix
View File

@@ -1,7 +1,11 @@
{ pkgs, disko, ... }: {
{ inputs, ... }: {
environment.systemPackages = with pkgs; [
sops
disko.packages.${pkgs.stdenv.hostPlatform.system}.disko-install
];
flake.nixosModules.default = { pkgs, ... }: {
environment.systemPackages = with pkgs; [
sops
inputs.disko.packages.${pkgs.stdenv.hostPlatform.system}.disko-install
];
};
}

9
system/programs/default.nix
View File

@@ -1,9 +0,0 @@
{ ... }: {
imports = [
./hyprland
./hyprpanel
./steam
];
}

34
system/programs/hyprland/default.nix
View File

@@ -1,28 +1,32 @@
{ config, lib, pkgs, hyprland, ... }: {
{ ... }: {
options.sysconfig.programs.hyprland.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, pkgs, hyprland, ... }: {
config = lib.mkIf config.sysconfig.programs.hyprland.enable {
options.sysconfig.programs.hyprland.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
sysconfig.services.sddm.enable = lib.mkDefault true;
config = lib.mkIf config.sysconfig.programs.hyprland.enable {
environment.sessionVariables.NIXOS_OZONE_WL = "1";
sysconfig.services.sddm.enable = lib.mkDefault true;
programs.hyprland = {
enable = true;
environment.sessionVariables.NIXOS_OZONE_WL = "1";
withUWSM = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
systemd.setPath.enable = true;
xwayland.enable = true;
package = hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
systemd.setPath.enable = true;
portalPackage = hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
package = hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
portalPackage = hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
};
};
};
}

52
system/programs/hyprpanel/default.nix
View File

@@ -1,30 +1,34 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
options.sysconfig.programs.hyprpanel.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, pkgs, ... }: {
config = lib.mkIf config.sysconfig.programs.hyprpanel.enable {
services = {
upower.enable = true;
gvfs.enable = true;
power-profiles-daemon.enable = true;
options.sysconfig.programs.hyprpanel.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
environment.systemPackages = with pkgs; [
bluez
bluez-tools
libgtop
dart-sass
wl-clipboard
gtksourceview
libsoup_3
brightnessctl
swww
hyprpicker
hyprsunset
wf-recorder
];
config = lib.mkIf config.sysconfig.programs.hyprpanel.enable {
services = {
upower.enable = true;
gvfs.enable = true;
power-profiles-daemon.enable = true;
};
environment.systemPackages = with pkgs; [
bluez
bluez-tools
libgtop
dart-sass
wl-clipboard
gtksourceview
libsoup_3
brightnessctl
swww
hyprpicker
hyprsunset
wf-recorder
];
};
};
}

22
system/programs/steam/default.nix
View File

@@ -1,14 +1,18 @@
{ config, lib, ... }: {
{ ... }: {
options.sysconfig.programs.steam.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, ... }: {
config = lib.mkIf config.sysconfig.programs.steam.enable {
programs.steam = {
enable = true;
options.sysconfig.programs.steam.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.programs.steam.enable {
programs.steam = {
enable = true;
};
};
};
}

42
system/services/avahi/default.nix
View File

@@ -1,23 +1,27 @@
{ config, lib, ... }: {
{ ... }: {
options = {
sysconfig.services.avahi.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
flake.nixosModules.default = { config, lib, ... }: {
options = {
sysconfig.services.avahi.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.services.avahi.enable {
services.avahi = {
enable = true;
ipv4 = true;
ipv6 = true;
openFirewall = true;
nssmdns4 = true;
wideArea = true;
};
};
};
config = lib.mkIf config.sysconfig.services.avahi.enable {
services.avahi = {
enable = true;
ipv4 = true;
ipv6 = true;
openFirewall = true;
nssmdns4 = true;
wideArea = true;
};
};
}

9
system/services/default.nix
View File

@@ -1,9 +0,0 @@
{ ... }: {
imports = let
dir = builtins.readDir ./.;
in builtins.map (x: ./${x}) (builtins.filter
(file: (dir.${file} == "directory"))
(builtins.attrNames dir)
);
}

54
system/services/dynamicDNS/default.nix
View File

@@ -1,40 +1,44 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
options.sysconfig.services.dynamicDNS.enable = with lib; mkOption {
flake.nixosModules.default = { config, lib, pkgs, ... }: {
type = with types; bool;
default = false;
};
options.sysconfig.services.dynamicDNS.enable = with lib; mkOption {
config = lib.mkIf config.sysconfig.services.dynamicDNS.enable {
systemd.timers.dynamicDNS = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "1h";
Unit = "dynamicDNS.service";
};
type = with types; bool;
default = false;
};
systemd.services.dynamicDNS = {
config = lib.mkIf config.sysconfig.services.dynamicDNS.enable {
name = "dynamicDNS.service";
systemd.timers.dynamicDNS = {
serviceConfig = {
wantedBy = [ "timers.target" ];
Type = "oneshot";
timerConfig = {
LoadCredential = [ "cloudflare-api-key" ];
OnBootSec = "5m";
OnUnitActiveSec = "1h";
Unit = "dynamicDNS.service";
};
};
script = '''';
systemd.services.dynamicDNS = {
name = "dynamicDNS.service";
serviceConfig = {
Type = "oneshot";
LoadCredential = [ "cloudflare-api-key" ];
};
script = '''';
};
};
};
}

54
system/services/kdePlasma6/default.nix
View File

@@ -1,31 +1,35 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
options.sysconfig.services.kdePlasma6.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, pkgs, ... }: {
config = lib.mkIf config.sysconfig.services.kdePlasma6.enable {
services.desktopManager.plasma6.enable = true;
options.sysconfig.services.kdePlasma6.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
sysconfig.services.sddm.enable = lib.mkDefault true;
config = lib.mkIf config.sysconfig.services.kdePlasma6.enable {
environment.systemPackages = with pkgs; [
kdePackages.discover # Optional: Install if you use Flatpak or fwupd firmware update sevice
kdePackages.kcalc # Calculator
kdePackages.kcharselect # Tool to select and copy special characters from all installed fonts
kdePackages.kcolorchooser # A small utility to select a color
kdePackages.kolourpaint # Easy-to-use paint program
kdePackages.ksystemlog # KDE SystemLog Application
kdePackages.sddm-kcm # Configuration module for SDDM
kdiff3 # Compares and merges 2 or 3 files or directories
kdePackages.isoimagewriter # Optional: Program to write hybrid ISO files onto USB disks
kdePackages.partitionmanager # Optional Manage the disk devices, partitions and file systems on your computer
hardinfo2 # System information and benchmarks for Linux systems
haruna # Open source video player built with Qt/QML and libmpv
wayland-utils # Wayland utilities
wl-clipboard # Command-line copy/paste utilities for Wayland
];
services.desktopManager.plasma6.enable = true;
sysconfig.services.sddm.enable = lib.mkDefault true;
environment.systemPackages = with pkgs; [
kdePackages.discover # Optional: Install if you use Flatpak or fwupd firmware update sevice
kdePackages.kcalc # Calculator
kdePackages.kcharselect # Tool to select and copy special characters from all installed fonts
kdePackages.kcolorchooser # A small utility to select a color
kdePackages.kolourpaint # Easy-to-use paint program
kdePackages.ksystemlog # KDE SystemLog Application
kdePackages.sddm-kcm # Configuration module for SDDM
kdiff3 # Compares and merges 2 or 3 files or directories
kdePackages.isoimagewriter # Optional: Program to write hybrid ISO files onto USB disks
kdePackages.partitionmanager # Optional Manage the disk devices, partitions and file systems on your computer
hardinfo2 # System information and benchmarks for Linux systems
haruna # Open source video player built with Qt/QML and libmpv
wayland-utils # Wayland utilities
wl-clipboard # Command-line copy/paste utilities for Wayland
];
};
};
}

42
system/services/netbird/default.nix
View File

@@ -1,26 +1,30 @@
{ config, lib, nixpkgs-us, ... }: {
{ ... }: {
options.sysconfig = {
services.netbird.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
flake.nixosModules.default = { config, lib, nixpkgs-us, ... }: {
config = let
pkgs-us = import nixpkgs-us {
system = "x86_64-linux";
};
in lib.mkIf config.sysconfig.services.netbird.enable {
options.sysconfig = {
services.netbird = {
enable = config.sysconfig.services.netbird.enable;
ui = {
enable = true;
package = pkgs-us.netbird-ui;
services.netbird.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = let
pkgs-us = import nixpkgs-us {
system = "x86_64-linux";
};
in lib.mkIf config.sysconfig.services.netbird.enable {
services.netbird = {
enable = config.sysconfig.services.netbird.enable;
ui = {
enable = true;
package = pkgs-us.netbird-ui;
};
package = pkgs-us.netbird;
};
package = pkgs-us.netbird;
};
};
}

52
system/services/novnc/default.nix
View File

@@ -1,30 +1,34 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.services.novnc.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
{ ... }: {
config = lib.mkIf config.sysconfig.services.novnc.enable {
systemd.services.novnc = {
enable = true;
flake.nixosModules.default = { config, lib, pkgs, ... }: {
path = with pkgs; [
novnc
ps
];
script = ''
novnc --listen 80 --vnc 127.0.0.1:5900
'';
serviceConfig = {
Type = "exec";
};
wantedBy = [ "multi-user.target" ];
options.sysconfig.services.novnc.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
networking.firewall.allowedTCPPorts = [ 80 ];
config = lib.mkIf config.sysconfig.services.novnc.enable {
systemd.services.novnc = {
enable = true;
path = with pkgs; [
novnc
ps
];
script = ''
novnc --listen 80 --vnc 127.0.0.1:5900
'';
serviceConfig = {
Type = "exec";
};
wantedBy = [ "multi-user.target" ];
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
};
}

42
system/services/ollama/default.nix
View File

@@ -1,25 +1,29 @@
{ config, lib, nixpkgs-us, ... }: {
{ ... }: {
options = {
sysconfig.services.ollama.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
flake.nixosModules.default = { config, lib, nixpkgs-us, ... }: {
config = lib.mkIf config.sysconfig.services.ollama.enable {
services.ollama = {
enable = true;
acceleration = "cuda";
environmentVariables = {
OLLAMA_CONTEXT_LENGTH = lib.mkDefault "16000";
options = {
sysconfig.services.ollama.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.services.ollama.enable {
services.ollama = {
enable = true;
acceleration = "cuda";
environmentVariables = {
OLLAMA_CONTEXT_LENGTH = lib.mkDefault "16000";
};
package = let
pkgs-us = import nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.ollama-cuda;
};
package = let
pkgs-us = import nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.ollama-cuda;
};
};
}

32
system/services/openssh/default.nix
View File

@@ -1,22 +1,26 @@
{ config, lib, ... }: {
{ ... }: {
options = {
sysconfig.services.openssh.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
flake.nixosModules.default = { config, lib, ... }: {
options = {
sysconfig.services.openssh.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
};
config = lib.mkIf (config.sysconfig.services.openssh.enable || config.sysconfig.remoteBuildHost) {
config = lib.mkIf (config.sysconfig.services.openssh.enable || config.sysconfig.remoteBuildHost) {
services.openssh = {
enable = true;
openFirewall = lib.mkDefault true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
services.openssh = {
enable = true;
openFirewall = lib.mkDefault true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
};
};
}

75
system/services/pipewire/default.nix
View File

@@ -1,51 +1,54 @@
{ config, lib, pkgs, ... }: {
options = {
sysconfig.services.pipewire.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
{ ... }: {
config = lib.mkIf config.sysconfig.services.pipewire.enable {
flake.nixosModules.default = { config, lib, pkgs, ... }: {
options = {
sysconfig.services.pipewire.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.services.pipewire.enable {
# Enable sound with pipewire.
#sound.enable = true;
#sound.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
package = pkgs.pipewire;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
extraConfig.pipewire-pulse."92-low-latency" = {
context.modules = [
{
name = "libpipewire-module-protocol-pulse";
args = {
pulse.min.req = "32/48000";
pulse.default.req = "32/48000";
pulse.max.req = "32/48000";
pulse.min.quantum = "32/48000";
pulse.max.quantum = "32/48000";
security.rtkit.enable = true;
services.pipewire = {
enable = true;
package = pkgs.pipewire;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
extraConfig.pipewire-pulse."92-low-latency" = {
context.modules = [
{
name = "libpipewire-module-protocol-pulse";
args = {
pulse.min.req = "32/48000";
pulse.default.req = "32/48000";
pulse.max.req = "32/48000";
pulse.min.quantum = "32/48000";
pulse.max.quantum = "32/48000";
};
}
];
stream.properties = {
node.latency = "32/48000";
resample.quality = 1;
};
}
];
stream.properties = {
node.latency = "32/48000";
resample.quality = 1;
};
};
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
wireplumber.enable = true;
wireplumber.enable = true;
};
};
};
}

53
system/services/sddm/default.nix
View File

@@ -1,34 +1,37 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
options.sysconfig.services.sddm.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, pkgs, ... }: {
config = lib.mkIf config.sysconfig.services.sddm.enable {
options.sysconfig.services.sddm.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
qt.enable = true;
config = lib.mkIf config.sysconfig.services.sddm.enable {
environment.systemPackages = with pkgs; [ (sddm-astronaut.override { embeddedTheme = "pixel_sakura"; }) ];
qt.enable = true;
services.displayManager.sddm = {
enable = true;
wayland.enable = true;
autoNumlock = true;
theme = "sddm-astronaut-theme"; #"${inputs.tokyo-night-sddm-theme { inherit pkgs; }}";
enableHidpi = true;
/*extraPackages = with pkgs; [
libsForQt5.qtsvg
libsForQt5.qtquickcontrols2
libsForQt5.qtgraphicaleffects
];*/
environment.systemPackages = with pkgs; [ (sddm-astronaut.override { embeddedTheme = "pixel_sakura"; }) ];
package = lib.mkDefault pkgs.kdePackages.sddm;
extraPackages = with pkgs; [
kdePackages.qtsvg
kdePackages.qtvirtualkeyboard
kdePackages.qtmultimedia
];
services.displayManager.sddm = {
enable = true;
wayland.enable = true;
autoNumlock = true;
theme = "sddm-astronaut-theme"; #"${inputs.tokyo-night-sddm-theme { inherit pkgs; }}";
enableHidpi = true;
/*extraPackages = with pkgs; [
libsForQt5.qtsvg
libsForQt5.qtquickcontrols2
libsForQt5.qtgraphicaleffects
];*/
package = lib.mkDefault pkgs.kdePackages.sddm;
extraPackages = with pkgs; [
kdePackages.qtsvg
kdePackages.qtvirtualkeyboard
kdePackages.qtmultimedia
];
};
};
};
}

107
system/services/wyoming/default.nix
View File

@@ -1,66 +1,69 @@
{ config, lib, ... }: {
{ ... }: {
options.sysconfig.services.wyoming = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
piper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
openwakeword = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
faster-whisper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
satellite = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
flake.nixosModules.default = { config, lib, ... }: {
config = lib.mkIf config.sysconfig.services.wyoming.enable {
services.wyoming = {
piper = lib.mkIf config.sysconfig.services.wyoming.piper {
servers.piper = {
enable = true;
voice = "en-us-ryan-medium";
uri = "tcp://0.0.0.0:11435";
};
options.sysconfig.services.wyoming = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
piper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
openwakeword = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
faster-whisper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
satellite = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
openwakeword = lib.mkIf config.sysconfig.services.wyoming.openwakeword {
enable = true;
uri = "tcp://0.0.0.0:11432";
config = lib.mkIf config.sysconfig.services.wyoming.enable {
threshold = 0.5;
customModelsDirectories = [
services.wyoming = {
piper = lib.mkIf config.sysconfig.services.wyoming.piper {
servers.piper = {
enable = true;
voice = "en-us-ryan-medium";
uri = "tcp://0.0.0.0:11435";
};
};
openwakeword = lib.mkIf config.sysconfig.services.wyoming.openwakeword {
enable = true;
uri = "tcp://0.0.0.0:11432";
threshold = 0.5;
customModelsDirectories = [
#./wake_words
];
};
];
};
faster-whisper = lib.mkIf config.sysconfig.services.wyoming.faster-whisper {
servers.whisper = {
faster-whisper = lib.mkIf config.sysconfig.services.wyoming.faster-whisper {
servers.whisper = {
enable = true;
device = "auto";
language = "en";
model = "medium.en";
uri = "tcp://0.0.0.0:11433";
};
};
satellite = lib.mkIf config.sysconfig.services.wyoming.satellite {
enable = true;
device = "auto";
language = "en";
model = "medium.en";
uri = "tcp://0.0.0.0:11433";
uri = "tcp://0.0.0.0:11431";
};
};
satellite = lib.mkIf config.sysconfig.services.wyoming.satellite {
enable = true;
uri = "tcp://0.0.0.0:11431";
};
};
};
}

232
system/users/default.nix
View File

@@ -1,144 +1,140 @@
{ config, lib, pkgs, ... } @ inputs: {
{ ... }: {
imports = let
dir = builtins.readDir ./.;
in builtins.map (x: ./${x}) (builtins.filter
(file: (dir.${file} == "directory"))
(builtins.attrNames dir)
);
options.sysconfig = with lib; {
sshHostKeys = lib.mkOption {
type = with lib.types; attrsOf str;
default = {};
};
flake.nixosModules.default = { config, lib, pkgs, ... } @ inputs: {
users = let
options.sysconfig = with lib; {
userType = types.submodule ({ name, ... }: {
options = with lib; {
name = mkOption {
sshHostKeys = lib.mkOption {
type = with lib.types; attrsOf str;
default = {};
};
users = let
userType = types.submodule ({ name, ... }: {
options = with lib; {
name = mkOption {
type = with types; passwdEntry str;
default = name;
};
};
home-manager = {
home-manager = {
enable = mkOption {
type = with types; bool;
default = false;
type = with types; bool;
default = false;
};
standalone = mkOption {
type = with types; bool;
default = true;
description = "is this home-manager standalone?";
type = with types; bool;
default = true;
description = "is this home-manager standalone?";
};
extraModules = mkOption {
type = with types; listOf raw;
default = [];
};
};
isSuperuser = mkOption {
type = with types; bool;
default = false;
description = "sudo?";
};
usePresets = mkOption {
type = with types; bool;
default = true;
description = "search for predefined settings?";
};
ssh = {
keys = mkOption {
type = with types; listOf str;
default = [];
description = "public keys used to login as this user";
};
hosts = mkOption {
type = with types; listOf str;
default = [];
description = "user@host's used to login as this user";
};
};
uid = mkOption {
type = with types; nullOr int;
default = null;
};
hashedPasswordFile = mkOption {
type = with types; nullOr str;
default = null;
};
extraGroups = mkOption {
type = with types; listOf str;
type = with types; listOf raw;
default = [];
};
};
};
shell = mkOption {
type = with types; package;
default = pkgs.shadow;
};
};
});
isSuperuser = mkOption {
type = with types; bool;
default = false;
description = "sudo?";
};
in lib.mkOption {
type = with lib.types; attrsOf userType;
default = {};
usePresets = mkOption {
type = with types; bool;
default = true;
description = "search for predefined settings?";
};
ssh = {
keys = mkOption {
type = with types; listOf str;
default = [];
description = "public keys used to login as this user";
};
hosts = mkOption {
type = with types; listOf str;
default = [];
description = "user@host's used to login as this user";
};
};
uid = mkOption {
type = with types; nullOr int;
default = null;
};
hashedPasswordFile = mkOption {
type = with types; nullOr str;
default = null;
};
extraGroups = mkOption {
type = with types; listOf str;
default = [];
};
shell = mkOption {
type = with types; package;
default = pkgs.shadow;
};
};
});
in lib.mkOption {
type = with lib.types; attrsOf userType;
default = {};
};
};
};
config = lib.mkIf (config.sysconfig.host != "android") {
users.users = builtins.mapAttrs (x: y: let
cfg = config.sysconfig.users.${x};
in {
name = cfg.name;
isNormalUser = true;
uid = cfg.uid;
hashedPasswordFile = lib.mkIf (cfg.hashedPasswordFile != null) cfg.hashedPasswordFile;
shell = cfg.shell;
extraGroups = cfg.extraGroups ++ (if cfg.isSuperuser then [ "wheel" ] else []);
openssh.authorizedKeys.keys = lib.mkIf config.sysconfig.services.openssh.enable (cfg.ssh.keys ++ (map (z: config.sysconfig.sshHostKeys.${z}) cfg.ssh.hosts));
packages = with pkgs; lib.mkIf (cfg.home-manager.enable && cfg.home-manager.standalone) [ home-manager ];
}) config.sysconfig.users;
programs.fuse.userAllowOther = true;
config = lib.mkIf (config.sysconfig.host != "android") {
users.users = builtins.mapAttrs (x: y: let
cfg = config.sysconfig.users.${x};
in {
name = cfg.name;
isNormalUser = true;
uid = cfg.uid;
hashedPasswordFile = lib.mkIf (cfg.hashedPasswordFile != null) cfg.hashedPasswordFile;
shell = cfg.shell;
extraGroups = cfg.extraGroups ++ (if cfg.isSuperuser then [ "wheel" ] else []);
openssh.authorizedKeys.keys = lib.mkIf config.sysconfig.services.openssh.enable (cfg.ssh.keys ++ (map (z: config.sysconfig.sshHostKeys.${z}) cfg.ssh.hosts));
packages = with pkgs; lib.mkIf (cfg.home-manager.enable && cfg.home-manager.standalone) [ home-manager ];
}) config.sysconfig.users;
home-manager = {
backupFileExtension = "backup";
extraSpecialArgs = { inherit inputs; };
useUserPackages = true;
sharedModules = [];
users = builtins.listToAttrs (builtins.map
(x: {
name = x;
value = (lib.mkMerge ([
programs.fuse.userAllowOther = true;
(if let
dir = builtins.readDir ./.;
in dir ? ${x} && dir.${x} == "directory" then
import ../../homes/${x}/home-manager
else {})
home-manager = {
backupFileExtension = "backup";
extraSpecialArgs = { inherit inputs; };
useUserPackages = true;
sharedModules = [];
users = builtins.listToAttrs (builtins.map
(x: {
name = x;
value = (lib.mkMerge ([
(if inputs ? ${x} then inputs.${x} else {})
(if let
dir = builtins.readDir ./.;
in dir ? ${x} && dir.${x} == "directory" then
import ../../homes/${x}/home-manager
else {})
] ++ config.sysconfig.users.${x}.home-manager.extraModules));
})
(builtins.filter
(y: (config.sysconfig.users.${y}.home-manager.enable && !config.sysconfig.users.${y}.home-manager.standalone))
(builtins.attrNames config.sysconfig.users)
)
);
(if inputs ? ${x} then inputs.${x} else {})
] ++ config.sysconfig.users.${x}.home-manager.extraModules));
})
(builtins.filter
(y: (config.sysconfig.users.${y}.home-manager.enable && !config.sysconfig.users.${y}.home-manager.standalone))
(builtins.attrNames config.sysconfig.users)
)
);
};
};
};
}

39
system/users/nathan/default.nix
View File

@@ -1,24 +1,27 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
config = lib.mkIf (
config.sysconfig.users ? nathan && config.sysconfig.users.nathan.usePresets
) {
sops.secrets."nathan/pass".neededForUsers = true;
flake.nixosModules.default = { config, lib, pkgs, ... }: {
users.users.nathan = {
shell = lib.mkDefault pkgs.zsh;
name = lib.mkDefault "nathan";
isNormalUser = lib.mkDefault true;
#hashedPasswordFile = lib.mkIf (cfg.hashedPasswordFile != null) cfg.hashedPasswordFile;
extraGroups = [ "networkmanager" "docker" "libvirtd" ];
openssh.authorizedKeys.keys = with config.sysconfig.users.nathan; lib.mkIf config.sysconfig.services.openssh.enable (
ssh.keys ++ (map (z: config.sysconfig.sshHostKeys.${z}) ssh.hosts)
);
packages = lib.mkIf (
config.sysconfig.users.nathan.home-manager.enable && config.sysconfig.users.nathan.home-manager.standalone
) [ pkgs.home-manager ];
config = lib.mkIf (
config.sysconfig.users ? nathan && config.sysconfig.users.nathan.usePresets
) {
sops.secrets."nathan/pass".neededForUsers = true;
users.users.nathan = {
shell = lib.mkDefault pkgs.zsh;
name = lib.mkDefault "nathan";
isNormalUser = lib.mkDefault true;
#hashedPasswordFile = lib.mkIf (cfg.hashedPasswordFile != null) cfg.hashedPasswordFile;
extraGroups = [ "networkmanager" "docker" "libvirtd" ];
openssh.authorizedKeys.keys = with config.sysconfig.users.nathan; lib.mkIf config.sysconfig.services.openssh.enable (
ssh.keys ++ (map (z: config.sysconfig.sshHostKeys.${z}) ssh.hosts)
);
packages = lib.mkIf (
config.sysconfig.users.nathan.home-manager.enable && config.sysconfig.users.nathan.home-manager.standalone
) [ pkgs.home-manager ];
};
};
};
}

53
system/virtualization/containers/code-server/default.nix
View File

@@ -1,40 +1,43 @@
{ config, lib, ... }: {
{ ... }: {
options.sysconfig.containers.code-server.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, ... }: {
config = lib.mkIf config.sysconfig.containers.code-server.enable {
options.sysconfig.containers.code-server.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
containers.code-server = {
config = lib.mkIf config.sysconfig.containers.code-server.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.31";
containers.code-server = {
config = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.31";
services.code-server = {
enable = true;
hashedPassword = "1$WFYzcW1TNmpYM1ZKU3lielNCaXAyRkF2K3FjPQ$bSeeV4bvL2uiDYKiQjBLJPAO13/gNjYVgw8YKFtTQDI";
config = {
disableUpdateCheck = true;
services.code-server = {
enable = true;
disableTelemetry = true;
hashedPassword = "1$WFYzcW1TNmpYM1ZKU3lielNCaXAyRkF2K3FjPQ$bSeeV4bvL2uiDYKiQjBLJPAO13/gNjYVgw8YKFtTQDI";
disableGettingStartedOverride = true;
disableUpdateCheck = true;
auth = "none";
disableTelemetry = true;
host = "0.0.0.0";
disableGettingStartedOverride = true;
auth = "none";
host = "0.0.0.0";
};
networking.firewall.allowedTCPPorts = [ 4444 ];
system.stateVersion = "25.05";
};
networking.firewall.allowedTCPPorts = [ 4444 ];
system.stateVersion = "25.05";
};
};
};

32
system/virtualization/containers/default.nix
View File

@@ -1,32 +0,0 @@
{ ... }: {
imports = let
dir = builtins.readDir ./.;
in builtins.map (x: ./${x}) (builtins.filter
(file: (dir.${file} == "directory"))
(builtins.attrNames dir)
);
/*imports = [
./gitlab
./gitea
./traefik
./nginx
./jellyfin
./pihole
./nextcloud
./ntfy
./homeassistant
./rustdesk
./netbird
./keycloak
./ollama
./openwebui
./n8n
./wyoming
./code-server
./novnc
./minecraft
#./sandbox
];*/
}

167
system/virtualization/containers/gitea/default.nix
View File

@@ -1,105 +1,110 @@
{ config, lib, ... }: {
{ ... }: {
options.sysconfig.containers.gitea.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, ... }: {
config = lib.mkIf config.sysconfig.containers.gitea.enable {
networking = {
nat.internalInterfaces = [ "ve-gitea" ];
};
sops.secrets = {
"gitea/dbpass" = {};
options.sysconfig.containers.gitea.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
containers.gitea = {
config = lib.mkIf config.sysconfig.containers.gitea.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.20";
bindMounts = {
"/etc/gitea/data" = {
hostPath = "/ssd1/Gitea/data";
isReadOnly = false;
};
networking = {
nat.internalInterfaces = [ "ve-gitea" ];
};
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."gitea/dbpass".path}"
];
config = {
sops.secrets = {
"gitea/dbpass" = {};
};
systemd.services.secrets_setup = {
wantedBy = [ "gitea.service" ];
containers.gitea = {
serviceConfig = {
LoadCredential = [
"dbpass"
];
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.20";
bindMounts = {
"/etc/gitea/data" = {
hostPath = "/ssd1/Gitea/data";
isReadOnly = false;
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitea/dbpass
chown gitea:gitea /etc/gitea/*
'';
};
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."gitea/dbpass".path}"
];
services.gitea = {
enable = true;
config = {
stateDir = "/etc/gitea/data";
systemd.services.secrets_setup = {
wantedBy = [ "gitea.service" ];
dump.enable = false;
appName = "Gitea";
settings = {
server = {
DOMAIN = "gitea.esotericbytes.com";
HTTP_PORT = 3000;
ROOT_URL = "https://gitea.esotericbytes.com/";
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
};
session.COOKIE_SECURE = true;
cron = {
ENABLED = true;
RUN_AT_START = true;
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitea/dbpass
chown gitea:gitea /etc/gitea/*
'';
};
database = {
passwordFile = "/etc/gitea/dbpass";
type = "postgres";
services.gitea = {
enable = true;
stateDir = "/etc/gitea/data";
dump.enable = false;
appName = "Gitea";
settings = {
server = {
DOMAIN = "gitea.esotericbytes.com";
HTTP_PORT = 3000;
ROOT_URL = "https://gitea.esotericbytes.com/";
};
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
};
session.COOKIE_SECURE = true;
cron = {
ENABLED = true;
RUN_AT_START = true;
};
};
database = {
passwordFile = "/etc/gitea/dbpass";
type = "postgres";
};
};
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
ports = [ 2222 ];
};
networking.firewall.allowedTCPPorts = [ 3000 ];
system.stateVersion = "24.11";
};
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
ports = [ 2222 ];
};
networking.firewall.allowedTCPPorts = [ 3000 ];
system.stateVersion = "24.11";
};
};
};

172
system/virtualization/containers/gitlab/default.nix
View File

@@ -1,172 +0,0 @@
{ config, lib, ... }: {
options.sysconfig.containers.gitlab.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.containers.gitlab.enable {
sops.secrets = {
"gitlab/db_pass" = {};
"gitlab/root_pass" = {};
"gitlab/secrets/secret" = {};
"gitlab/secrets/otp" = {};
"gitlab/secrets/db" = {};
"gitlab/secrets/jws" = {};
"gitlab/oidc/id" = {};
"gitlab/oidc/secret" = {};
};
services.openssh.ports = [
2222
];
networking.firewall.allowedTCPPorts = [
22
2222
];
containers.gitlab = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.16";
forwardPorts = [
{
containerPort = 22;
hostPort = 22;
}
];
bindMounts = {
"/etc/gitlab/data" = {
hostPath = "/ssd1/Gitlab/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."gitlab/db_pass".path}"
"--load-credential=rootpass:${config.sops.secrets."gitlab/root_pass".path}"
"--load-credential=secret:${config.sops.secrets."gitlab/secrets/secret".path}"
"--load-credential=otp:${config.sops.secrets."gitlab/secrets/otp".path}"
"--load-credential=db:${config.sops.secrets."gitlab/secrets/db".path}"
"--load-credential=jws:${config.sops.secrets."gitlab/secrets/jws".path}"
"--load-credential=oidc_id:${config.sops.secrets."gitlab/oidc/id".path}"
"--load-credential=oidc_secret:${config.sops.secrets."gitlab/oidc/secret".path}"
];
config = {
systemd.services.secrets_setup = {
wantedBy = [ "gitlab.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
"rootpass"
"secret"
"db"
"otp"
"jws"
"oidc_id"
"oidc_secret"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitlab/dbpass
cat ''${CREDENTIALS_DIRECTORY}/rootpass > /etc/gitlab/rootpass
cat ''${CREDENTIALS_DIRECTORY}/secret > /etc/gitlab/secret
cat ''${CREDENTIALS_DIRECTORY}/db > /etc/gitlab/db
cat ''${CREDENTIALS_DIRECTORY}/otp > /etc/gitlab/otp
cat ''${CREDENTIALS_DIRECTORY}/jws > /etc/gitlab/jws
cat ''${CREDENTIALS_DIRECTORY}/oidc_id > /etc/gitlab/oidc-id
cat ''${CREDENTIALS_DIRECTORY}/oidc_secret > /etc/gitlab/oidc-secret
chown gitlab:gitlab /etc/gitlab/*
'';
};
services.gitlab = {
enable = true;
#https = true;
#port = 443;
host = "gitlab.blunkall.us";
databasePasswordFile = "/etc/gitlab/dbpass";
initialRootPasswordFile = "/etc/gitlab/rootpass";
statePath = "/etc/gitlab/data";
secrets = {
secretFile = "/etc/gitlab/secret";
otpFile = "/etc/gitlab/otp";
dbFile = "/etc/gitlab/db";
jwsFile = "/etc/gitlab/jws";
};
extraConfig = {
gitlab = {
default_project_features = {
builds = false;
};
};
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = [ "openid_connect" ];
sync_email_from_provider = "openid_connect";
sync_profile_from_provider = [ "openid_connect" ];
sync_profile_attributes = [ "email" ];
auto_link_saml_user = true;
auto_link_user = [ "openid_connect" ];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "Authentik SSO";
args = {
name = "openid_connect";
scope = [ "openid" "profile" "email" ];
response_type = "code";
issuer = "https://auth.blunkall.us/application/o/gitlab/";
discovery = true;
client_auth_method = "query";
uid_field = "preferred_username";
send_scope_to_token_endpoint = true;
pkce = true;
client_options = {
identifier = { _secret = "/etc/gitlab/oidc-id"; };
secret = { _secret = "/etc/gitlab/oidc-secret"; };
redirect_uri = "https://gitlab.blunkall.us/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"gitlab.blunkall.us" = {
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
};
services.openssh.enable = true;
systemd.services.gitlab-backup.environment.BACKUP = "dump";
networking.firewall.allowedTCPPorts = [ 22 80 ];
system.stateVersion = "24.05";
};
};
};
}

108
system/virtualization/containers/minecraft/default.nix
View File

@@ -1,108 +0,0 @@
{ config, lib, pkgs, nix-minecraft, ... }: {
options.sysconfig = {
containers.minecraft.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.containers.minecraft.enable {
networking = {
firewall = {
allowedTCPPorts = [ 25565 ];
allowedUDPPorts = [ 25565 ];
};
};
nixpkgs.overlays = [ nix-minecraft.overlay ];
containers.minecraft = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.29";
forwardPorts = [
{
containerPort = 25565;
hostPort = 25565;
protocol = "tcp";
}
{
containerPort = 25565;
hostPort = 25565;
protocol = "udp";
}
];
config = {
imports = [
nix-minecraft.nixosModules.minecraft-servers
];
environment.systemPackages = with pkgs; [ tmux ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/mcservers";
managementSystem.systemd-socket.enable = true; #temp
servers = {
vanilla = {
enable = true;
package = pkgs.fabricServers.fabric-1_21_8;
serverProperties = {
server-port = 25565;
gamemode = "survival";
difficulty = 2;
white-list = true;
motd = "Didn't see that coming huh?";
};
whitelist = {
"MeasureTwice66" = "a4032062-293d-484d-a790-9f52475836bb";
"651sonic" = "936a3fb0-4548-4557-975b-7794e97a3afc";
"Griffin12_" = "6a1f56d9-f712-4723-a031-e5437a389bb3";
};
autoStart = true;
};
modded = {
enable = false;
#package = pkgs.fabricServers.fabric-1_21_1.override { loaderVersion = "0.16.14"; };
package = pkgs.fabricServers.fabric-1_21_1;
jvmOpts = [ "-Xms8000M" "-Xmx12000M" ];
serverProperties = {
server-port = 25566;
gamemode = "survival";
white-list = true;
allow-flight = true;
motd = "Ex-plo-sion!!!";
};
whitelist = {
"MeasureTwice66" = "a4032062-293d-484d-a790-9f52475836bb";
"651sonic" = "936a3fb0-4548-4557-975b-7794e97a3afc";
"Griffin12_" = "6a1f56d9-f712-4723-a031-e5437a389bb3";
};
autoStart = true;
symlinks = {
"mods" = ./mods;
};
};
};
};
system.stateVersion = "25.05";
};
};
};
}

61
system/virtualization/containers/nginx/default.nix
View File

@@ -1,42 +1,45 @@
{ config, lib, ... }: {
options.sysconfig.containers."esotericbytes.com".enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
{ ... }: {
config = lib.mkIf config.sysconfig.containers."esotericbytes.com".enable {
flake.nixosModules.default = { config, lib, ... }: {
containers.esotericbytes-com = {
options.sysconfig.containers."esotericbytes.com".enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.13";
config = lib.mkIf config.sysconfig.containers."esotericbytes.com".enable {
bindMounts = {
"/var/www/data" = {
hostPath = "/ssd1/esotericbytes-com/data";
isReadOnly = false;
};
};
containers.esotericbytes-com = {
config = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.13";
services.nginx = {
enable = true;
virtualHosts = {
"esotericbytes.com" = {
enableACME = false;
forceSSL = false;
root = "/var/www/data";
};
bindMounts = {
"/var/www/data" = {
hostPath = "/ssd1/esotericbytes-com/data";
isReadOnly = false;
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
config = {
system.stateVersion = "24.05";
services.nginx = {
enable = true;
virtualHosts = {
"esotericbytes.com" = {
enableACME = false;
forceSSL = false;
root = "/var/www/data";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "24.05";
};
};
};
};

73
system/virtualization/containers/novnc/default.nix
View File

@@ -1,51 +1,54 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.containers.novnc.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
{ ... }: {
config = lib.mkIf config.sysconfig.containers.novnc.enable {
flake.nixosModules.default = { config, lib, pkgs, ... }: {
networking = {
firewall.interfaces."ve-novnc" = {
allowedTCPPorts = [ 5900 ];
allowedUDPPorts = [ 5900 ];
};
options.sysconfig.containers.novnc.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
containers.novnc = {
config = lib.mkIf config.sysconfig.containers.novnc.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.30";
networking = {
firewall.interfaces."ve-novnc" = {
allowedTCPPorts = [ 5900 ];
allowedUDPPorts = [ 5900 ];
};
};
config = {
containers.novnc = {
systemd.services.novnc = {
enable = true;
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.30";
path = with pkgs; [
novnc
ps
];
config = {
script = ''
novnc --listen 80 --vnc 192.168.100.10:5900
'';
systemd.services.novnc = {
enable = true;
serviceConfig = {
Type = "exec";
path = with pkgs; [
novnc
ps
];
script = ''
novnc --listen 80 --vnc 192.168.100.10:5900
'';
serviceConfig = {
Type = "exec";
};
wantedBy = [ "multi-user.target" ];
};
wantedBy = [ "multi-user.target" ];
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "25.05";
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "25.05";
};
};
};

57
system/virtualization/containers/ntfy/default.nix
View File

@@ -1,42 +1,45 @@
{ config, lib, ... }: {
{ ... }: {
options.sysconfig.containers.ntfy.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, ... }: {
config = lib.mkIf config.sysconfig.containers.ntfy.enable {
options.sysconfig.containers.ntfy.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
containers.ntfy = {
config = lib.mkIf config.sysconfig.containers.ntfy.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.19";
containers.ntfy = {
config = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.19";
services.ntfy-sh = {
enable = true;
settings = {
base-url = "https://ntfy.esotericbytes.com";
config = {
listen-http = ":80";
services.ntfy-sh = {
behind-proxy = true;
enable = true;
upstream-base-url = "https://ntfy.sh";
settings = {
auth-default-access = "deny-all";
base-url = "https://ntfy.esotericbytes.com";
listen-http = ":80";
behind-proxy = true;
upstream-base-url = "https://ntfy.sh";
auth-default-access = "deny-all";
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "24.05";
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "24.05";
};
};
};

143
system/virtualization/containers/rustdesk/default.nix
View File

@@ -1,84 +1,87 @@
{ config, lib, ... }: {
{ ... }: {
options.sysconfig.containers.rustdesk.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
flake.nixosModules.default = { config, lib, ... }: {
config = lib.mkIf config.sysconfig.containers.rustdesk.enable {
options.sysconfig.containers.rustdesk.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
/*networking = {
firewall.allowedTCPPorts = [ 21115 21116 21117 21118 21119 ];
firewall.allowedUDPPorts = [ 21116 ];
};*/
containers.rustdesk = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.27";
/* forwardPorts = [
{
containerPort = 21115;
hostPort = 21115;
protocol = "tcp";
}
{
containerPort = 21116;
hostPort = 21116;
protocol = "tcp";
}
{
containerPort = 21116;
hostPort = 21116;
protocol = "udp";
}
{
containerPort = 21117;
hostPort = 21117;
protocol = "tcp";
}
{
containerPort = 21118;
hostPort = 21118;
protocol = "tcp";
}
config = lib.mkIf config.sysconfig.containers.rustdesk.enable {
{
containerPort = 21119;
hostPort = 21119;
protocol = "tcp";
}
/*networking = {
firewall.allowedTCPPorts = [ 21115 21116 21117 21118 21119 ];
firewall.allowedUDPPorts = [ 21116 ];
};*/
containers.rustdesk = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.27";
/* forwardPorts = [
{
containerPort = 21115;
hostPort = 21115;
protocol = "tcp";
}
{
containerPort = 21116;
hostPort = 21116;
protocol = "tcp";
}
{
containerPort = 21116;
hostPort = 21116;
protocol = "udp";
}
{
containerPort = 21117;
hostPort = 21117;
protocol = "tcp";
}
{
containerPort = 21118;
hostPort = 21118;
protocol = "tcp";
}
{
containerPort = 21119;
hostPort = 21119;
protocol = "tcp";
}
];*/
config = {
];*/
config = {
services.rustdesk-server = {
enable = true;
openFirewall = true;
relay = {
services.rustdesk-server = {
enable = true;
extraArgs = [
"-k"
"AAAAC3NzaC1lZDI1NTE5AAAAIIPztDjwgB3xCza5+p5z1jpGVYoVQNl3fqD69pPCm0NA"
];
openFirewall = true;
relay = {
enable = true;
extraArgs = [
"-k"
"AAAAC3NzaC1lZDI1NTE5AAAAIIPztDjwgB3xCza5+p5z1jpGVYoVQNl3fqD69pPCm0NA"
];
};
signal = {
enable = true;
#relayHosts = [ "esotericbytes.com" ];
relayHosts = [ "192.168.100.27" ];
extraArgs = [
"-k"
"AAAAC3NzaC1lZDI1NTE5AAAAIIPztDjwgB3xCza5+p5z1jpGVYoVQNl3fqD69pPCm0NA"
];
};
};
signal = {
enable = true;
#relayHosts = [ "esotericbytes.com" ];
relayHosts = [ "192.168.100.27" ];
extraArgs = [
"-k"
"AAAAC3NzaC1lZDI1NTE5AAAAIIPztDjwgB3xCza5+p5z1jpGVYoVQNl3fqD69pPCm0NA"
];
};
system.stateVersion = "24.05";
};
system.stateVersion = "24.05";
};
};
};

135
system/virtualization/containers/sandbox/default.nix
View File

@@ -1,79 +1,82 @@
{ config, lib, self, ... }: {
options.sysconfig.containers.sandbox.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
{ ... }: {
config = lib.mkIf config.sysconfig.containers.sandbox.enable {
flake.nixosModules.default = { config, lib, self, ... }: {
networking = {
nat.internalInterfaces = [ "ve-sandbox" ];
options.sysconfig.containers.sandbox.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
containers.sandbox = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.32";
config = lib.mkIf config.sysconfig.containers.sandbox.enable {
ephemeral = true;
networking = {
timeoutStartSec = "3min";
flake = "${self}";
/*bindMounts = {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
nat.internalInterfaces = [ "ve-sandbox" ];
};
containers.sandbox = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.32";
ephemeral = true;
timeoutStartSec = "3min";
flake = "${self}";
/*bindMounts = {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
};
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rw";
}
{
node = "/dev/nvidiactl";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm";
modifier = "rw";
}
{
node = "/dev/nvidia-modeset";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm-tools";
modifier = "rw";
}
];*/
config = {
};
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rw";
}
{
node = "/dev/nvidiactl";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm";
modifier = "rw";
}
{
node = "/dev/nvidia-modeset";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm-tools";
modifier = "rw";
}
];*/
config = {
};
};
};
}

191
system/virtualization/containers/wyoming/default.nix
View File

@@ -1,61 +1,63 @@
{ config, lib, ... }: {
{ ... }: {
options.sysconfig.containers.wyoming = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
piper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
openwakeword = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
faster-whisper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
satellite = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
flake.nixosModules.default = { config, lib, ... }: {
config = lib.mkIf config.sysconfig.containers.wyoming.enable {
containers.wyoming = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.26";
bindMounts = lib.mkIf config.sysconfig.containers.wyoming.faster-whisper {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
options.sysconfig.containers.wyoming = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
piper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
openwakeword = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
faster-whisper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
satellite = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
allowedDevices = lib.mkIf config.sysconfig.containers.wyoming.faster-whisper [
config = lib.mkIf config.sysconfig.containers.wyoming.enable {
containers.wyoming = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.26";
bindMounts = lib.mkIf config.sysconfig.containers.wyoming.faster-whisper {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
};
allowedDevices = lib.mkIf config.sysconfig.containers.wyoming.faster-whisper [
{
node = "/dev/nvidia0";
modifier = "rw";
@@ -76,56 +78,57 @@
node = "/dev/nvidia-uvm-tools";
modifier = "rw";
}
];
];
config = {
config = {
networking.firewall = {
allowedTCPPorts = [ 11431 11432 11433 11435 ];
};
services.wyoming = {
networking.firewall = {
allowedTCPPorts = [ 11431 11432 11433 11435 ];
};
piper = lib.mkIf config.sysconfig.containers.wyoming.piper {
services.wyoming = {
servers.piper = {
piper = lib.mkIf config.sysconfig.containers.wyoming.piper {
servers.piper = {
enable = true;
voice = "en-us-ryan-medium";
uri = "tcp://0.0.0.0:11435";
};
};
openwakeword = lib.mkIf config.sysconfig.containers.wyoming.openwakeword {
enable = true;
voice = "en-us-ryan-medium";
uri = "tcp://0.0.0.0:11435";
uri = "tcp://0.0.0.0:11432";
threshold = 0.5;
customModelsDirectories = [
#./wake_words
];
};
faster-whisper = lib.mkIf config.sysconfig.containers.wyoming.faster-whisper {
servers.whisper = {
enable = true;
device = "auto";
language = "en";
model = "medium.en";
uri = "tcp://0.0.0.0:11433";
};
};
satellite = lib.mkIf config.sysconfig.containers.wyoming.satellite {
enable = true;
uri = "tcp://0.0.0.0:11431";
#user = "nathan";
vad.enable = false;
};
};
openwakeword = lib.mkIf config.sysconfig.containers.wyoming.openwakeword {
enable = true;
uri = "tcp://0.0.0.0:11432";
threshold = 0.5;
customModelsDirectories = [
#./wake_words
];
};
faster-whisper = lib.mkIf config.sysconfig.containers.wyoming.faster-whisper {
servers.whisper = {
enable = true;
device = "auto";
language = "en";
model = "medium.en";
uri = "tcp://0.0.0.0:11433";
};
};
satellite = lib.mkIf config.sysconfig.containers.wyoming.satellite {
enable = true;
uri = "tcp://0.0.0.0:11431";
#user = "nathan";
vad.enable = false;
};
system.stateVersion = "25.05";
};
system.stateVersion = "25.05";
};
};
};
};
}

9
system/virtualization/default.nix
View File

@@ -1,9 +0,0 @@
{ ... }: {
imports = let
dir = builtins.readDir ./.;
in builtins.map (x: ./${x}) (builtins.filter
(file: (dir.${file} == "directory"))
(builtins.attrNames dir)
);
}

405
system/virtualization/docker/authentik/default.nix
View File

@@ -1,4 +1,6 @@
{ config, lib, pkgs, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, pkgs, ... }: let
hostPort = 9005;
@@ -6,232 +8,233 @@
name = "authentik";
in {
in {
options.sysconfig.docker.authentik.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
options.sysconfig.docker.authentik.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.authentik.enable && config.sysconfig.docker.enable) {
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
config = lib.mkIf (config.sysconfig.docker.authentik.enable && config.sysconfig.docker.enable) {
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
};
};
sops.secrets = {
"authentik/pass" = {};
"authentik/secret_key" = {};
};
sops.secrets = {
"authentik/pass" = {};
"authentik/secret_key" = {};
};
sops.templates."authentik.env" = {
content = ''
PG_PASS=${config.sops.placeholder."authentik/pass"}
sops.templates."authentik.env" = {
content = ''
PG_PASS=${config.sops.placeholder."authentik/pass"}
SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
'';
};
'';
};
virtualisation.oci-containers.containers."authentik-postgresql" = {
image = "docker.io/library/postgres:16-alpine";
environment = {
"POSTGRES_DB" = "authentik";
"POSTGRES_PASSWORD" = "\${PG_PASS}";
"POSTGRES_USER" = "authentik";
virtualisation.oci-containers.containers."authentik-postgresql" = {
image = "docker.io/library/postgres:16-alpine";
environment = {
"POSTGRES_DB" = "authentik";
"POSTGRES_PASSWORD" = "\${PG_PASS}";
"POSTGRES_USER" = "authentik";
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
volumes = [
"authentik_database:/var/lib/postgresql/data:rw"
];
log-driver = "journald";
extraOptions = [
"--health-cmd=pg_isready -d \${POSTGRES_DB} -U \${POSTGRES_USER}"
"--health-interval=30s"
"--health-retries=5"
"--health-start-period=20s"
"--health-timeout=5s"
"--network-alias=postgresql"
"--network=authentik_default"
];
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
volumes = [
"authentik_database:/var/lib/postgresql/data:rw"
];
log-driver = "journald";
extraOptions = [
"--health-cmd=pg_isready -d \${POSTGRES_DB} -U \${POSTGRES_USER}"
"--health-interval=30s"
"--health-retries=5"
"--health-start-period=20s"
"--health-timeout=5s"
"--network-alias=postgresql"
"--network=authentik_default"
];
};
systemd.services."docker-authentik-postgresql" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
systemd.services."docker-authentik-postgresql" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-authentik_default.service"
"docker-volume-authentik_database.service"
];
requires = [
"docker-network-authentik_default.service"
"docker-volume-authentik_database.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
after = [
"docker-network-authentik_default.service"
"docker-volume-authentik_database.service"
];
requires = [
"docker-network-authentik_default.service"
"docker-volume-authentik_database.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
virtualisation.oci-containers.containers."authentik-server" = {
image = "ghcr.io/goauthentik/server:2025.12.2";
environment = {
"AUTHENTIK_POSTGRESQL__HOST" = "postgresql";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "\${PG_PASS}";
"AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_SECRET_KEY" = "\${SECRET_KEY}";
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "websecure,localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.101.1:${builtins.toString hostPort}";
virtualisation.oci-containers.containers."authentik-server" = {
image = "ghcr.io/goauthentik/server:2025.12.2";
environment = {
"AUTHENTIK_POSTGRESQL__HOST" = "postgresql";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "\${PG_PASS}";
"AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_SECRET_KEY" = "\${SECRET_KEY}";
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "websecure,localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.middlewares.authentik.forwardauth.address" = "https://auth.esotericbytes.com/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.101.1:${builtins.toString hostPort}";
"traefik.http.middlewares.authentik.forwardauth.address" = "https://auth.esotericbytes.com/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
};
volumes = [
"/etc/Authentik/custom-templates:/templates:rw"
"/etc/Authentik/data:/data:rw"
];
ports = [
"${builtins.toString hostPort}:9000/tcp"
#"9443:9443/tcp"
];
cmd = [ "server" ];
dependsOn = [
"authentik-postgresql"
];
log-driver = "journald";
extraOptions = [
"--network-alias=server"
"--network-alias=authentik-server"
"--network-alias=${name}"
];
networks = [
"docker-main"
"authentik_default"
];
};
volumes = [
"/etc/Authentik/custom-templates:/templates:rw"
"/etc/Authentik/data:/data:rw"
];
ports = [
"${builtins.toString hostPort}:9000/tcp"
#"9443:9443/tcp"
];
cmd = [ "server" ];
dependsOn = [
"authentik-postgresql"
];
log-driver = "journald";
extraOptions = [
"--network-alias=server"
"--network-alias=authentik-server"
"--network-alias=${name}"
];
networks = [
"docker-main"
"authentik_default"
];
};
systemd.services."docker-authentik-server" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
systemd.services."docker-authentik-server" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-authentik_default.service"
"docker-network-setup.service"
];
requires = [
"docker-network-authentik_default.service"
"docker-network-setup.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
after = [
"docker-network-authentik_default.service"
"docker-network-setup.service"
];
requires = [
"docker-network-authentik_default.service"
"docker-network-setup.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
virtualisation.oci-containers.containers."authentik-worker" = {
image = "ghcr.io/goauthentik/server:2025.12.2";
environment = {
"AUTHENTIK_POSTGRESQL__HOST" = "postgresql";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "\${PG_PASS}";
"AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_SECRET_KEY" = "\${SECRET_KEY}";
virtualisation.oci-containers.containers."authentik-worker" = {
image = "ghcr.io/goauthentik/server:2025.12.2";
environment = {
"AUTHENTIK_POSTGRESQL__HOST" = "postgresql";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "\${PG_PASS}";
"AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_SECRET_KEY" = "\${SECRET_KEY}";
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
volumes = [
"/etc/Authentik/certs:/certs:rw"
"/etc/Authentik/custom-templates:/templates:rw"
"/etc/Authentik/data:/data:rw"
"/var/run/docker.sock:/var/run/docker.sock:rw"
];
cmd = [ "worker" ];
dependsOn = [
"authentik-postgresql"
];
user = "root";
log-driver = "journald";
extraOptions = [
"--network-alias=worker"
"--network=authentik_default"
];
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
volumes = [
"/etc/Authentik/certs:/certs:rw"
"/etc/Authentik/custom-templates:/templates:rw"
"/etc/Authentik/data:/data:rw"
"/var/run/docker.sock:/var/run/docker.sock:rw"
];
cmd = [ "worker" ];
dependsOn = [
"authentik-postgresql"
];
user = "root";
log-driver = "journald";
extraOptions = [
"--network-alias=worker"
"--network=authentik_default"
];
};
systemd.services."docker-authentik-worker" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
systemd.services."docker-authentik-worker" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-authentik_default.service"
];
requires = [
"docker-network-authentik_default.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
after = [
"docker-network-authentik_default.service"
];
requires = [
"docker-network-authentik_default.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
# Networks
systemd.services."docker-network-authentik_default" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "docker network rm -f authentik_default";
systemd.services."docker-network-authentik_default" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "docker network rm -f authentik_default";
};
script = ''
docker network inspect authentik_default || docker network create authentik_default
'';
partOf = [ "docker-compose-authentik-root.target" ];
wantedBy = [ "docker-compose-authentik-root.target" ];
};
script = ''
docker network inspect authentik_default || docker network create authentik_default
'';
partOf = [ "docker-compose-authentik-root.target" ];
wantedBy = [ "docker-compose-authentik-root.target" ];
};
# Volumes
systemd.services."docker-volume-authentik_database" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
systemd.services."docker-volume-authentik_database" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect authentik_database || docker volume create authentik_database --driver=local
'';
partOf = [ "docker-compose-authentik-root.target" ];
wantedBy = [ "docker-compose-authentik-root.target" ];
};
script = ''
docker volume inspect authentik_database || docker volume create authentik_database --driver=local
'';
partOf = [ "docker-compose-authentik-root.target" ];
wantedBy = [ "docker-compose-authentik-root.target" ];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."docker-compose-authentik-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
systemd.targets."docker-compose-authentik-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [ "multi-user.target" ];
};
wantedBy = [ "multi-user.target" ];
};
};
}

93
system/virtualization/docker/default.nix
View File

@@ -1,61 +1,58 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
options.sysconfig.docker = {
enable = with lib; mkOption {
type = with types; bool;
default = false;
};
flake.nixosModules.default = { config, lib, pkgs, ... }: {
nvidia = with lib; mkOption {
type = with types; bool;
default = false;
};
};
imports = let
dir = builtins.readDir ./.;
in builtins.map (x: ./${x}) (builtins.filter
(file: (dir.${file} == "directory"))
(builtins.attrNames dir)
);
config = lib.mkIf config.sysconfig.docker.enable {
networking.nat.internalInterfaces = [ "docker0" "docker-main" ];
virtualisation = {
docker = {
enable = true;
storageDriver = "btrfs";
options.sysconfig.docker = {
enable = with lib; mkOption {
type = with types; bool;
default = false;
};
oci-containers = {
backend = "docker";
nvidia = with lib; mkOption {
type = with types; bool;
default = false;
};
};
hardware.nvidia-container-toolkit.enable = config.sysconfig.docker.nvidia;
config = lib.mkIf config.sysconfig.docker.enable {
systemd.services."docker-network-setup" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "docker network rm -f docker-main";
networking.nat.internalInterfaces = [ "docker0" "docker-main" ];
virtualisation = {
docker = {
enable = true;
storageDriver = "btrfs";
};
oci-containers = {
backend = "docker";
};
};
script = ''
docker network inspect docker-main ||
docker network create -d bridge docker-main \
--attachable --subnet 192.168.101.0/24 --ip-range 192.168.101.0/24 \
--gateway 192.168.101.1 \
-o "com.docker.network.bridge.name"="docker-main" \
-o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik"
'';
wantedBy = [ "docker-net.target" ];
};
systemd.targets."docker-net" = {
wantedBy = [ "multi-user.target" ];
hardware.nvidia-container-toolkit.enable = config.sysconfig.docker.nvidia;
systemd.services."docker-network-setup" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "docker network rm -f docker-main";
};
script = ''
docker network inspect docker-main ||
docker network create -d bridge docker-main \
--attachable --subnet 192.168.101.0/24 --ip-range 192.168.101.0/24 \
--gateway 192.168.101.1 \
-o "com.docker.network.bridge.name"="docker-main" \
-o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik"
'';
wantedBy = [ "docker-net.target" ];
};
systemd.targets."docker-net" = {
wantedBy = [ "multi-user.target" ];
};
};
};
}

265
system/virtualization/docker/gitea/default.nix
View File

@@ -1,151 +1,154 @@
{ config, lib, pkgs, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, pkgs, ... }: let
subdomain = "gitea";
name = "gitea";
in {
in {
options.sysconfig.docker."${name}".enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker."${name}".enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers."${name}" = {
image = "docker.gitea.com/gitea:1.25.4";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "3000";
"traefik.tcp.routers.${name}-ssh.entrypoints" = "gitea-ssh";
"traefik.tcp.routers.${name}-ssh.rule" = "HostSNI(`*`)";
"traefik.tcp.routers.${name}-ssh.service" = "${name}-ssh";
"traefik.tcp.services.${name}-ssh.loadbalancer.server.port" = "22";
};
ports = [
];
extraOptions = [
"--ip=192.168.101.20"
];
volumes = [
"vol_gitea:/data"
];
environment = {
};
options.sysconfig.docker."${name}".enable = with lib; mkOption {
type = with types; bool;
default = false;
};
virtualisation.oci-containers.containers."${name}-db" = {
image = "docker.io/library/postgres:14";
config = lib.mkIf (config.sysconfig.docker."${name}".enable && config.sysconfig.docker.enable) {
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${name}-db";
virtualisation.oci-containers.containers."${name}" = {
image = "docker.gitea.com/gitea:1.25.4";
networks = [
"docker-main"
];
# unstable, waiting for 26.05
#pull = "newer";
labels = {
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "3000";
"traefik.tcp.routers.${name}-ssh.entrypoints" = "gitea-ssh";
"traefik.tcp.routers.${name}-ssh.rule" = "HostSNI(`*`)";
"traefik.tcp.routers.${name}-ssh.service" = "${name}-ssh";
"traefik.tcp.services.${name}-ssh.loadbalancer.server.port" = "22";
};
ports = [
];
extraOptions = [
"--ip=192.168.101.20"
];
volumes = [
"vol_gitea:/data"
];
environment = {
};
};
ports = [
];
extraOptions = [
"--ip=192.168.101.21"
];
virtualisation.oci-containers.containers."${name}-db" = {
image = "docker.io/library/postgres:14";
volumes = [
"/etc/gitea/db:/var/lib/postgresql/data"
];
# unstable, waiting for 26.05
#pull = "newer";
environment = {
hostname = "${name}-db";
networks = [
"docker-main"
];
labels = {
};
ports = [
];
extraOptions = [
"--ip=192.168.101.21"
];
volumes = [
"/etc/gitea/db:/var/lib/postgresql/data"
];
environment = {
};
};
systemd.services."docker-gitea" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-gitea.service"
"docker-gitea-db.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-gitea.service"
"docker-gitea-db.service"
];
partOf = [
"docker-compose-gitea-root.target"
];
wantedBy = [
"docker-compose-gitea-root.target"
];
};
systemd.services."docker-gitea-db" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
];
requires = [
"docker-network-setup.service"
];
partOf = [
"docker-compose-gitea-root.target"
];
wantedBy = [
"docker-compose-gitea-root.target"
];
};
systemd.services."docker-volume-gitea" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_gitea || docker volume create vol_gitea --driver=local
'';
partOf = [ "docker-compose-gitea-root.target" ];
wantedBy = [ "docker-compose-gitea-root.target" ];
};
};
systemd.services."docker-gitea" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-gitea.service"
"docker-gitea-db.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-gitea.service"
"docker-gitea-db.service"
];
partOf = [
"docker-compose-gitea-root.target"
];
wantedBy = [
"docker-compose-gitea-root.target"
];
};
systemd.services."docker-gitea-db" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
];
requires = [
"docker-network-setup.service"
];
partOf = [
"docker-compose-gitea-root.target"
];
wantedBy = [
"docker-compose-gitea-root.target"
];
};
systemd.services."docker-volume-gitea" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_gitea || docker volume create vol_gitea --driver=local
'';
partOf = [ "docker-compose-gitea-root.target" ];
wantedBy = [ "docker-compose-gitea-root.target" ];
};
};
}

87
system/virtualization/docker/home-assistant/default.nix
View File

@@ -1,58 +1,61 @@
{ config, lib, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, ... }: let
subdomain = "hass";
name = "home-assistant";
in {
in {
options.sysconfig.docker.home-assistant.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
options.sysconfig.docker.home-assistant.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.home-assistant.enable && config.sysconfig.docker.enable) {
environment.etc."home-assistant/configuration.yaml".source = ./configuration.yaml;
config = lib.mkIf (config.sysconfig.docker.home-assistant.enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers.home-assistant = {
image = "ghcr.io/home-assistant/home-assistant:stable";
environment.etc."home-assistant/configuration.yaml".source = ./configuration.yaml;
# unstable, waiting for 26.05
#pull = "newer";
virtualisation.oci-containers.containers.home-assistant = {
image = "ghcr.io/home-assistant/home-assistant:stable";
hostname = "${subdomain}.esotericbytes.com";
# unstable, waiting for 26.05
#pull = "newer";
networks = [
"docker-main"
];
hostname = "${subdomain}.esotericbytes.com";
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "8123";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "8123";
};
environment = {
TZ = "America/Chicago";
};
extraOptions = [
"--ip=192.168.101.13"
];
ports = [
];
volumes = [
"vol_home-assistant:/config/"
"/etc/home-assistant/configuration.yaml:/config/configuration.yaml"
];
};
environment = {
TZ = "America/Chicago";
};
extraOptions = [
"--ip=192.168.101.13"
];
ports = [
];
volumes = [
"vol_home-assistant:/config/"
"/etc/home-assistant/configuration.yaml:/config/configuration.yaml"
];
};
};
}

211
system/virtualization/docker/jellyfin/default.nix
View File

@@ -1,117 +1,120 @@
{ config, lib, pkgs, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, pkgs, ... }: let
subdomain = "watch";
name = "jellyfin";
in {
in {
options.sysconfig.docker.jellyfin.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.jellyfin.enable && config.sysconfig.docker.enable) {
networking.firewall.allowedUDPPorts = [ 7359 ];
virtualisation.oci-containers.containers.jellyfin = {
image = "jellyfin/jellyfin:10.11.6";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
ports = [
"7359:7359/udp"
];
volumes = [
"vol_jellyfin-config:/config"
"vol_jellyfin-cache:/cache"
"/etc/jellyfin/media:/media"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "websecure,localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "8096";
};
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--device=nvidia.com/gpu=all"
"--ip=192.168.101.21"
];
environment = {
JELLYFIN_PublishedServerUrl = "https://${subdomain}.esotericbytes.com";
};
options.sysconfig.docker.jellyfin.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
systemd.services."docker-jellyfin" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-jellyfin-config.service"
"docker-volume-jellyfin-cache.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-jellyfin-config.service"
"docker-volume-jellyfin-cache.service"
];
partOf = [
"docker-compose-jellyfin-root.target"
];
wantedBy = [
"docker-compose-jellyfin-root.target"
];
};
config = lib.mkIf (config.sysconfig.docker.jellyfin.enable && config.sysconfig.docker.enable) {
systemd.services."docker-volume-jellyfin-config" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_jellyfin-config || docker volume create vol_jellyfin-config --driver=local
'';
partOf = [ "docker-compose-jellyfin-root.target" ];
wantedBy = [ "docker-compose-jellyfin-root.target" ];
};
systemd.services."docker-volume-jellyfin-cache" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_jellyfin-cache || docker volume create vol_jellyfin-cache --driver=local
'';
partOf = [ "docker-compose-jellyfin-root.target" ];
wantedBy = [ "docker-compose-jellyfin-root.target" ];
};
networking.firewall.allowedUDPPorts = [ 7359 ];
systemd.targets."docker-compose-jellyfin-root" = {
wantedBy = [ "multi-user.target" ];
};
virtualisation.oci-containers.containers.jellyfin = {
image = "jellyfin/jellyfin:10.11.6";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
ports = [
"7359:7359/udp"
];
volumes = [
"vol_jellyfin-config:/config"
"vol_jellyfin-cache:/cache"
"/etc/jellyfin/media:/media"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "websecure,localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "8096";
};
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--device=nvidia.com/gpu=all"
"--ip=192.168.101.21"
];
environment = {
JELLYFIN_PublishedServerUrl = "https://${subdomain}.esotericbytes.com";
};
};
systemd.services."docker-jellyfin" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-jellyfin-config.service"
"docker-volume-jellyfin-cache.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-jellyfin-config.service"
"docker-volume-jellyfin-cache.service"
];
partOf = [
"docker-compose-jellyfin-root.target"
];
wantedBy = [
"docker-compose-jellyfin-root.target"
];
};
systemd.services."docker-volume-jellyfin-config" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_jellyfin-config || docker volume create vol_jellyfin-config --driver=local
'';
partOf = [ "docker-compose-jellyfin-root.target" ];
wantedBy = [ "docker-compose-jellyfin-root.target" ];
};
systemd.services."docker-volume-jellyfin-cache" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_jellyfin-cache || docker volume create vol_jellyfin-cache --driver=local
'';
partOf = [ "docker-compose-jellyfin-root.target" ];
wantedBy = [ "docker-compose-jellyfin-root.target" ];
};
systemd.targets."docker-compose-jellyfin-root" = {
wantedBy = [ "multi-user.target" ];
};
};
};
}

181
system/virtualization/docker/n8n/default.nix
View File

@@ -1,102 +1,105 @@
{ config, lib, pkgs, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, pkgs, ... }: let
subdomain = "n8n";
name = "n8n";
in {
in {
options.sysconfig.docker."${name}".enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker."${name}".enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers."${name}" = {
image = "docker.n8n.io/n8nio/n8n";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "5678";
};
ports = [
];
extraOptions = [
"--ip=192.168.101.2"
];
volumes = [
"vol_n8n:/etc/n8n"
];
environment = {
GENERIC_TIMEZONE = "America/Chicago";
TZ = "America/Chicago";
N8N_DIAGNOSTICS_ENABLED = "false";
N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
N8N_TEMPLATES_ENABLED = "false";
EXTERNAL_FRONTEND_HOOKS_URLS = "";
N8N_DIAGNOSTICS_CONFIG_FRONTEND = "";
N8N_DIAGNOSTICS_CONFIG_BACKEND = "";
N8N_SECURE_COOKIE = "false";
};
options.sysconfig.docker."${name}".enable = with lib; mkOption {
type = with types; bool;
default = false;
};
systemd.services."docker-n8n" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-n8n.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-n8n.service"
];
partOf = [
"docker-compose-n8n-root.target"
];
wantedBy = [
"docker-compose-n8n-root.target"
];
};
config = lib.mkIf (config.sysconfig.docker."${name}".enable && config.sysconfig.docker.enable) {
systemd.services."docker-volume-n8n" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
virtualisation.oci-containers.containers."${name}" = {
image = "docker.n8n.io/n8nio/n8n";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "5678";
};
ports = [
];
extraOptions = [
"--ip=192.168.101.2"
];
volumes = [
"vol_n8n:/etc/n8n"
];
environment = {
GENERIC_TIMEZONE = "America/Chicago";
TZ = "America/Chicago";
N8N_DIAGNOSTICS_ENABLED = "false";
N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
N8N_TEMPLATES_ENABLED = "false";
EXTERNAL_FRONTEND_HOOKS_URLS = "";
N8N_DIAGNOSTICS_CONFIG_FRONTEND = "";
N8N_DIAGNOSTICS_CONFIG_BACKEND = "";
N8N_SECURE_COOKIE = "false";
};
};
script = ''
docker volume inspect vol_n8n || docker volume create vol_n8n --driver=local
'';
partOf = [ "docker-compose-n8n-root.target" ];
wantedBy = [ "docker-compose-n8n-root.target" ];
systemd.services."docker-n8n" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-n8n.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-n8n.service"
];
partOf = [
"docker-compose-n8n-root.target"
];
wantedBy = [
"docker-compose-n8n-root.target"
];
};
systemd.services."docker-volume-n8n" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_n8n || docker volume create vol_n8n --driver=local
'';
partOf = [ "docker-compose-n8n-root.target" ];
wantedBy = [ "docker-compose-n8n-root.target" ];
};
};
};
}

407
system/virtualization/docker/netbird/default.nix
View File

@@ -1,229 +1,232 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
options.sysconfig.docker.netbird.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
flake.nixosModules.default = { config, lib, pkgs, ... }: {
config = lib.mkIf (config.sysconfig.docker.netbird.enable && config.sysconfig.docker.enable) {
networking.firewall.allowedUDPPorts = [ 3478 ];
sops.secrets."netbird/secret_key" = {};
sops.templates."netbird-relay.env" = {
content = ''
NB_AUTH_SECRET=${config.sops.placeholder."netbird/secret_key"}
NB_LOG_LEVEL=info
NB_LISTEN_ADDRESS=:80
NB_EXPOSED_ADDRESS=rels://vpn.esotericbytes.com:443
NB_ENABLE_STUN=true
NB_STUN_LOG_LEVEL=info
NB_STUN_PORTS=3478
'';
options.sysconfig.docker.netbird.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
environment.etc."netbird/management.json".source = ./config/management.json;
config = lib.mkIf (config.sysconfig.docker.netbird.enable && config.sysconfig.docker.enable) {
networking.firewall.allowedUDPPorts = [ 3478 ];
sops.secrets."netbird/secret_key" = {};
sops.templates."netbird-relay.env" = {
content = ''
NB_AUTH_SECRET=${config.sops.placeholder."netbird/secret_key"}
NB_LOG_LEVEL=info
NB_LISTEN_ADDRESS=:80
NB_EXPOSED_ADDRESS=rels://vpn.esotericbytes.com:443
NB_ENABLE_STUN=true
NB_STUN_LOG_LEVEL=info
NB_STUN_PORTS=3478
'';
};
environment.etc."netbird/management.json".source = ./config/management.json;
# Containers
virtualisation.oci-containers.containers."netbird-dashboard" = {
image = "netbirdio/dashboard:v2.30.1";
environment = {
"AUTH_AUDIENCE" = "netbird-dashboard";
"AUTH_AUTHORITY" = "https://vpn.esotericbytes.com/oauth2";
"AUTH_CLIENT_ID" = "netbird-dashboard";
"AUTH_CLIENT_SECRET" = "";
"AUTH_REDIRECT_URI" = "/nb-auth";
"AUTH_SILENT_REDIRECT_URI" = "/nb-silent-auth";
"AUTH_SUPPORTED_SCOPES" = "openid profile email groups";
"LETSENCRYPT_DOMAIN" = "none";
"NETBIRD_MGMT_API_ENDPOINT" = "https://vpn.esotericbytes.com";
"NETBIRD_MGMT_GRPC_API_ENDPOINT" = "https://vpn.esotericbytes.com";
"NGINX_SSL_PORT" = "443";
"USE_AUTH0" = "false";
virtualisation.oci-containers.containers."netbird-dashboard" = {
image = "netbirdio/dashboard:v2.30.1";
environment = {
"AUTH_AUDIENCE" = "netbird-dashboard";
"AUTH_AUTHORITY" = "https://vpn.esotericbytes.com/oauth2";
"AUTH_CLIENT_ID" = "netbird-dashboard";
"AUTH_CLIENT_SECRET" = "";
"AUTH_REDIRECT_URI" = "/nb-auth";
"AUTH_SILENT_REDIRECT_URI" = "/nb-silent-auth";
"AUTH_SUPPORTED_SCOPES" = "openid profile email groups";
"LETSENCRYPT_DOMAIN" = "none";
"NETBIRD_MGMT_API_ENDPOINT" = "https://vpn.esotericbytes.com";
"NETBIRD_MGMT_GRPC_API_ENDPOINT" = "https://vpn.esotericbytes.com";
"NGINX_SSL_PORT" = "443";
"USE_AUTH0" = "false";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.netbird-dashboard.entrypoints" = "websecure";
"traefik.http.routers.netbird-dashboard.priority" = "1";
"traefik.http.routers.netbird-dashboard.rule" = "Host(`vpn.esotericbytes.com`)";
"traefik.http.routers.netbird-dashboard.tls" = "true";
"traefik.http.services.netbird-dashboard.loadbalancer.server.port" = "80";
};
log-driver = "journald";
extraOptions = [
"--network-alias=dashboard"
"--network=docker-main"
"--ip=192.168.101.5"
];
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.netbird-dashboard.entrypoints" = "websecure";
"traefik.http.routers.netbird-dashboard.priority" = "1";
"traefik.http.routers.netbird-dashboard.rule" = "Host(`vpn.esotericbytes.com`)";
"traefik.http.routers.netbird-dashboard.tls" = "true";
"traefik.http.services.netbird-dashboard.loadbalancer.server.port" = "80";
systemd.services."docker-netbird-dashboard" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
partOf = [
"docker-compose-netbird-root.target"
];
wantedBy = [
"docker-compose-netbird-root.target"
];
};
log-driver = "journald";
extraOptions = [
"--network-alias=dashboard"
"--network=docker-main"
"--ip=192.168.101.5"
];
};
systemd.services."docker-netbird-dashboard" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
virtualisation.oci-containers.containers."netbird-management" = {
image = "netbirdio/management:0.64.4";
volumes = [
"/etc/netbird/management.json:/etc/netbird/management.json:rw"
"netbird_netbird_management:/var/lib/netbird:rw"
];
cmd = [ "--port" "80" "--log-file" "console" "--log-level" "info" "--disable-anonymous-metrics=false" "--single-account-mode-domain=netbird.selfhosted" "--dns-domain=netbird.selfhosted" "--idp-sign-key-refresh-enabled" ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.netbird-api.entrypoints" = "websecure";
"traefik.http.routers.netbird-api.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/api`)";
"traefik.http.routers.netbird-api.service" = "netbird-api";
"traefik.http.routers.netbird-api.tls" = "true";
"traefik.http.routers.netbird-mgmt-grpc.entrypoints" = "websecure";
"traefik.http.routers.netbird-mgmt-grpc.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/management.ManagementService/`)";
"traefik.http.routers.netbird-mgmt-grpc.service" = "netbird-mgmt-grpc";
"traefik.http.routers.netbird-mgmt-grpc.tls" = "true";
"traefik.http.routers.netbird-mgmt-ws.entrypoints" = "websecure";
"traefik.http.routers.netbird-mgmt-ws.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/ws-proxy/management`)";
"traefik.http.routers.netbird-mgmt-ws.service" = "netbird-mgmt-ws";
"traefik.http.routers.netbird-mgmt-ws.tls" = "true";
"traefik.http.routers.netbird-oauth2.entrypoints" = "websecure";
"traefik.http.routers.netbird-oauth2.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/oauth2`)";
"traefik.http.routers.netbird-oauth2.service" = "netbird-oauth2";
"traefik.http.routers.netbird-oauth2.tls" = "true";
"traefik.http.services.netbird-api.loadbalancer.server.port" = "80";
"traefik.http.services.netbird-mgmt-grpc.loadbalancer.server.port" = "80";
"traefik.http.services.netbird-mgmt-grpc.loadbalancer.server.scheme" = "h2c";
"traefik.http.services.netbird-mgmt-ws.loadbalancer.server.port" = "80";
"traefik.http.services.netbird-oauth2.loadbalancer.server.port" = "80";
};
log-driver = "journald";
extraOptions = [
"--network-alias=management"
"--network=docker-main"
"--ip=192.168.101.4"
];
};
partOf = [
"docker-compose-netbird-root.target"
];
wantedBy = [
"docker-compose-netbird-root.target"
];
};
virtualisation.oci-containers.containers."netbird-management" = {
image = "netbirdio/management:0.64.4";
volumes = [
"/etc/netbird/management.json:/etc/netbird/management.json:rw"
"netbird_netbird_management:/var/lib/netbird:rw"
];
cmd = [ "--port" "80" "--log-file" "console" "--log-level" "info" "--disable-anonymous-metrics=false" "--single-account-mode-domain=netbird.selfhosted" "--dns-domain=netbird.selfhosted" "--idp-sign-key-refresh-enabled" ];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.netbird-api.entrypoints" = "websecure";
"traefik.http.routers.netbird-api.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/api`)";
"traefik.http.routers.netbird-api.service" = "netbird-api";
"traefik.http.routers.netbird-api.tls" = "true";
"traefik.http.routers.netbird-mgmt-grpc.entrypoints" = "websecure";
"traefik.http.routers.netbird-mgmt-grpc.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/management.ManagementService/`)";
"traefik.http.routers.netbird-mgmt-grpc.service" = "netbird-mgmt-grpc";
"traefik.http.routers.netbird-mgmt-grpc.tls" = "true";
"traefik.http.routers.netbird-mgmt-ws.entrypoints" = "websecure";
"traefik.http.routers.netbird-mgmt-ws.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/ws-proxy/management`)";
"traefik.http.routers.netbird-mgmt-ws.service" = "netbird-mgmt-ws";
"traefik.http.routers.netbird-mgmt-ws.tls" = "true";
"traefik.http.routers.netbird-oauth2.entrypoints" = "websecure";
"traefik.http.routers.netbird-oauth2.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/oauth2`)";
"traefik.http.routers.netbird-oauth2.service" = "netbird-oauth2";
"traefik.http.routers.netbird-oauth2.tls" = "true";
"traefik.http.services.netbird-api.loadbalancer.server.port" = "80";
"traefik.http.services.netbird-mgmt-grpc.loadbalancer.server.port" = "80";
"traefik.http.services.netbird-mgmt-grpc.loadbalancer.server.scheme" = "h2c";
"traefik.http.services.netbird-mgmt-ws.loadbalancer.server.port" = "80";
"traefik.http.services.netbird-oauth2.loadbalancer.server.port" = "80";
systemd.services."docker-netbird-management" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-volume-netbird_netbird_management.service"
];
requires = [
"docker-volume-netbird_netbird_management.service"
];
partOf = [
"docker-compose-netbird-root.target"
];
wantedBy = [
"docker-compose-netbird-root.target"
];
};
log-driver = "journald";
extraOptions = [
"--network-alias=management"
"--network=docker-main"
"--ip=192.168.101.4"
];
};
systemd.services."docker-netbird-management" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-volume-netbird_netbird_management.service"
];
requires = [
"docker-volume-netbird_netbird_management.service"
];
partOf = [
"docker-compose-netbird-root.target"
];
wantedBy = [
"docker-compose-netbird-root.target"
];
};
virtualisation.oci-containers.containers."netbird-relay" = {
image = "netbirdio/relay:0.64.4";
virtualisation.oci-containers.containers."netbird-relay" = {
image = "netbirdio/relay:0.64.4";
environmentFiles = [ config.sops.templates."netbird-relay.env".path ];
environmentFiles = [ config.sops.templates."netbird-relay.env".path ];
ports = [
"3478:3478/udp"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.netbird-relay.entrypoints" = "websecure";
"traefik.http.routers.netbird-relay.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/relay`)";
"traefik.http.routers.netbird-relay.tls" = "true";
"traefik.http.services.netbird-relay.loadbalancer.server.port" = "80";
ports = [
"3478:3478/udp"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.netbird-relay.entrypoints" = "websecure";
"traefik.http.routers.netbird-relay.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/relay`)";
"traefik.http.routers.netbird-relay.tls" = "true";
"traefik.http.services.netbird-relay.loadbalancer.server.port" = "80";
};
log-driver = "journald";
extraOptions = [
"--network-alias=relay"
"--network=docker-main"
"--ip=192.168.101.3"
];
};
log-driver = "journald";
extraOptions = [
"--network-alias=relay"
"--network=docker-main"
"--ip=192.168.101.3"
];
};
systemd.services."docker-netbird-relay" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
systemd.services."docker-netbird-relay" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
partOf = [
"docker-compose-netbird-root.target"
];
wantedBy = [
"docker-compose-netbird-root.target"
];
};
partOf = [
"docker-compose-netbird-root.target"
];
wantedBy = [
"docker-compose-netbird-root.target"
];
};
virtualisation.oci-containers.containers."netbird-signal" = {
image = "netbirdio/signal:0.64.4";
labels = {
"traefik.enable" = "true";
"traefik.http.routers.netbird-signal-grpc.entrypoints" = "websecure";
"traefik.http.routers.netbird-signal-grpc.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/signalexchange.SignalExchange/`)";
"traefik.http.routers.netbird-signal-grpc.service" = "netbird-signal-grpc";
"traefik.http.routers.netbird-signal-grpc.tls" = "true";
"traefik.http.routers.netbird-signal-ws.entrypoints" = "websecure";
"traefik.http.routers.netbird-signal-ws.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/ws-proxy/signal`)";
"traefik.http.routers.netbird-signal-ws.service" = "netbird-signal-ws";
"traefik.http.routers.netbird-signal-ws.tls" = "true";
"traefik.http.services.netbird-signal-grpc.loadbalancer.server.port" = "10000";
"traefik.http.services.netbird-signal-grpc.loadbalancer.server.scheme" = "h2c";
"traefik.http.services.netbird-signal-ws.loadbalancer.server.port" = "80";
virtualisation.oci-containers.containers."netbird-signal" = {
image = "netbirdio/signal:0.64.4";
labels = {
"traefik.enable" = "true";
"traefik.http.routers.netbird-signal-grpc.entrypoints" = "websecure";
"traefik.http.routers.netbird-signal-grpc.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/signalexchange.SignalExchange/`)";
"traefik.http.routers.netbird-signal-grpc.service" = "netbird-signal-grpc";
"traefik.http.routers.netbird-signal-grpc.tls" = "true";
"traefik.http.routers.netbird-signal-ws.entrypoints" = "websecure";
"traefik.http.routers.netbird-signal-ws.rule" = "Host(`vpn.esotericbytes.com`) && PathPrefix(`/ws-proxy/signal`)";
"traefik.http.routers.netbird-signal-ws.service" = "netbird-signal-ws";
"traefik.http.routers.netbird-signal-ws.tls" = "true";
"traefik.http.services.netbird-signal-grpc.loadbalancer.server.port" = "10000";
"traefik.http.services.netbird-signal-grpc.loadbalancer.server.scheme" = "h2c";
"traefik.http.services.netbird-signal-ws.loadbalancer.server.port" = "80";
};
log-driver = "journald";
extraOptions = [
"--network-alias=signal"
"--network=docker-main"
];
};
log-driver = "journald";
extraOptions = [
"--network-alias=signal"
"--network=docker-main"
];
};
systemd.services."docker-netbird-signal" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
systemd.services."docker-netbird-signal" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
partOf = [
"docker-compose-netbird-root.target"
];
wantedBy = [
"docker-compose-netbird-root.target"
];
};
partOf = [
"docker-compose-netbird-root.target"
];
wantedBy = [
"docker-compose-netbird-root.target"
];
};
# Volumes
systemd.services."docker-volume-netbird_netbird_management" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
systemd.services."docker-volume-netbird_netbird_management" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect netbird_netbird_management || docker volume create netbird_netbird_management
'';
partOf = [ "docker-compose-netbird-root.target" ];
wantedBy = [ "docker-compose-netbird-root.target" ];
};
script = ''
docker volume inspect netbird_netbird_management || docker volume create netbird_netbird_management
'';
partOf = [ "docker-compose-netbird-root.target" ];
wantedBy = [ "docker-compose-netbird-root.target" ];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."docker-compose-netbird-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
systemd.targets."docker-compose-netbird-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [ "multi-user.target" ];
};
wantedBy = [ "multi-user.target" ];
};
};
}

203
system/virtualization/docker/nextcloud/default.nix
View File

@@ -1,115 +1,118 @@
{ config, lib, pkgs, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, pkgs, ... }: let
subdomain = "cloud";
name = "nextcloud";
in {
in {
options.sysconfig.docker.nextcloud.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.nextcloud.enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers."nextcloud-aio-mastercontainer" = {
image = "ghcr.io/nextcloud-releases/all-in-one:20260122_105751";
serviceName = "docker-nextcloud";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
ports = [
];
volumes = [
"nextcloud_aio_mastercontainer:/mnt/docker-aio-config"
"/run/docker.sock:/var/run/docker.sock:ro"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "websecure,localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.routers.${name}.middlewares" = "nextcloud-chain";
"traefik.http.middlewares.https-redirect.redirectScheme.scheme" = "https";
"traefik.http.middlewares.nextcloud-secure-headers.headers.hostsProxyHeaders" = "X-Forwarded-Host";
"traefik.http.middlewares.nextcloud-secure-headers.headers.referrerPolicy" = "same-origin";
"traefik.http.middlewares.nextcloud-chain.chain.middlewares" = "https-redirect,nextcloud-secure-headers";
#"traefik.http.services.${name}.loadbalancer.server.port" = "11000";
"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.101.1:11000";
};
extraOptions = [
"--ip=192.168.101.17"
];
environment = {
APACHE_PORT = "11000";
APACHE_IP = "0.0.0.0";
APACHE_ADDITIONAL_NETWORK = "docker-main";
SKIP_DOMAIN_VALIDATION = "true";
TALK_PORT = "3479";
};
options.sysconfig.docker.nextcloud.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
systemd.services."docker-nextcloud" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
config = lib.mkIf (config.sysconfig.docker.nextcloud.enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers."nextcloud-aio-mastercontainer" = {
image = "ghcr.io/nextcloud-releases/all-in-one:20260122_105751";
serviceName = "docker-nextcloud";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
ports = [
];
volumes = [
"nextcloud_aio_mastercontainer:/mnt/docker-aio-config"
"/run/docker.sock:/var/run/docker.sock:ro"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "websecure,localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.routers.${name}.middlewares" = "nextcloud-chain";
"traefik.http.middlewares.https-redirect.redirectScheme.scheme" = "https";
"traefik.http.middlewares.nextcloud-secure-headers.headers.hostsProxyHeaders" = "X-Forwarded-Host";
"traefik.http.middlewares.nextcloud-secure-headers.headers.referrerPolicy" = "same-origin";
"traefik.http.middlewares.nextcloud-chain.chain.middlewares" = "https-redirect,nextcloud-secure-headers";
#"traefik.http.services.${name}.loadbalancer.server.port" = "11000";
"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.101.1:11000";
};
extraOptions = [
"--ip=192.168.101.17"
];
environment = {
APACHE_PORT = "11000";
APACHE_IP = "0.0.0.0";
APACHE_ADDITIONAL_NETWORK = "docker-main";
SKIP_DOMAIN_VALIDATION = "true";
TALK_PORT = "3479";
};
};
after = [
"docker-network-setup.service"
"docker-volume-nextcloud.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-nextcloud.service"
];
partOf = [
"docker-compose-nextcloud-root.target"
];
wantedBy = [
"docker-compose-nextcloud-root.target"
];
};
systemd.services."docker-volume-nextcloud" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
systemd.services."docker-nextcloud" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-nextcloud.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-nextcloud.service"
];
partOf = [
"docker-compose-nextcloud-root.target"
];
wantedBy = [
"docker-compose-nextcloud-root.target"
];
};
script = ''
docker volume inspect nextcloud_aio_mastercontainer || docker volume create nextcloud_aio_mastercontainer --driver=local
'';
partOf = [ "docker-compose-nextcloud-root.target" ];
wantedBy = [ "docker-compose-nextcloud-root.target" ];
};
systemd.targets."docker-compose-nextcloud-root" = {
wantedBy = [ "multi-user.target" ];
};
systemd.services."docker-volume-nextcloud" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect nextcloud_aio_mastercontainer || docker volume create nextcloud_aio_mastercontainer --driver=local
'';
partOf = [ "docker-compose-nextcloud-root.target" ];
wantedBy = [ "docker-compose-nextcloud-root.target" ];
};
systemd.targets."docker-compose-nextcloud-root" = {
wantedBy = [ "multi-user.target" ];
};
};
};
}

107
system/virtualization/docker/ollama/default.nix
View File

@@ -1,4 +1,6 @@
{ config, lib, pkgs, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, pkgs, ... }: let
hostPort = 11434;
@@ -6,67 +8,68 @@
name = "ollama";
in {
in {
options.sysconfig.docker.ollama.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.ollama.enable && config.sysconfig.docker.enable) {
environment.systemPackages = with pkgs; [
ollama
];
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
"ve-openwebui" = {
allowedTCPPorts = [ hostPort ];
};
options.sysconfig.docker.ollama.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
virtualisation.oci-containers.containers.ollama = {
image = "ollama/ollama:latest";
config = lib.mkIf (config.sysconfig.docker.ollama.enable && config.sysconfig.docker.enable) {
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
environment.systemPackages = with pkgs; [
ollama
];
ports = [
"${builtins.toString hostPort}:11434"
];
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
volumes = [
"vol_ollama:/root/.ollama"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.ollama.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "11434";
"ve-openwebui" = {
allowedTCPPorts = [ hostPort ];
};
};
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--device=nvidia.com/gpu=all"
"--ip=192.168.101.22"
];
virtualisation.oci-containers.containers.ollama = {
image = "ollama/ollama:latest";
environment = {
OLLAMA_CONTEXT_LENGTH = lib.mkDefault "32000";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
ports = [
"${builtins.toString hostPort}:11434"
];
volumes = [
"vol_ollama:/root/.ollama"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.ollama.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "11434";
};
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--device=nvidia.com/gpu=all"
"--ip=192.168.101.22"
];
environment = {
OLLAMA_CONTEXT_LENGTH = lib.mkDefault "32000";
};
};
};
};

165
system/virtualization/docker/openwebui/default.nix
View File

@@ -1,96 +1,99 @@
{ config, lib, pkgs, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, pkgs, ... }: let
subdomain = "ai";
name = "openwebui";
in {
in {
options.sysconfig.docker.openwebui.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.openwebui.enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers.openwebui = {
image = "ghcr.io/open-webui/open-webui:v0.7.2";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
/*ports = [
"${builtins.toString hostPort}:8080"
];*/
volumes = [
"vol_openwebui:/app/backend/data"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "8080";
};
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--device=nvidia.com/gpu=all"
"--ip=192.168.101.8"
];
environment = {
};
options.sysconfig.docker.openwebui.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
systemd.services."docker-openwebui" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
config = lib.mkIf (config.sysconfig.docker.openwebui.enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers.openwebui = {
image = "ghcr.io/open-webui/open-webui:v0.7.2";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
/*ports = [
"${builtins.toString hostPort}:8080"
];*/
volumes = [
"vol_openwebui:/app/backend/data"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "8080";
};
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--device=nvidia.com/gpu=all"
"--ip=192.168.101.8"
];
environment = {
};
};
after = [
"docker-network-setup.service"
"docker-volume-openwebui.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-openwebui.service"
];
partOf = [
"docker-compose-openwebui-root.target"
];
wantedBy = [
"docker-compose-openwebui-root.target"
];
};
systemd.services."docker-volume-openwebui" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
systemd.services."docker-openwebui" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-openwebui.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-openwebui.service"
];
partOf = [
"docker-compose-openwebui-root.target"
];
wantedBy = [
"docker-compose-openwebui-root.target"
];
};
script = ''
docker volume inspect vol_openwebui || docker volume create vol_openwebui --driver=local
'';
partOf = [ "docker-compose-openwebui-root.target" ];
wantedBy = [ "docker-compose-openwebui-root.target" ];
};
systemd.targets."docker-compose-openwebui-root" = {
wantedBy = [ "multi-user.target" ];
};
systemd.services."docker-volume-openwebui" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_openwebui || docker volume create vol_openwebui --driver=local
'';
partOf = [ "docker-compose-openwebui-root.target" ];
wantedBy = [ "docker-compose-openwebui-root.target" ];
};
systemd.targets."docker-compose-openwebui-root" = {
wantedBy = [ "multi-user.target" ];
};
};
};
}

0
system/virtualization/docker/passbolt/docker-compose.nix → system/virtualization/docker/passbolt/docker-compose.nix-txt
View File

123
system/virtualization/docker/pihole/default.nix
View File

@@ -1,4 +1,6 @@
{ config, lib, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, ... }: let
hostPort = 9001;
@@ -6,76 +8,77 @@
name = "pihole";
in {
in {
options.sysconfig.docker.pihole.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.pihole.enable && config.sysconfig.docker.enable) {
virtualisation.docker.daemon.settings.dns = [ "192.168.101.12" ];
environment.etc."resolv.conf" = {
enable = true;
text = ''
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 1.0.0.1
options edns0
'';
user = "root";
mode = "0664";
};
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
options.sysconfig.docker.pihole.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
virtualisation.oci-containers.containers.pihole = {
image = "pihole/pihole:latest";
config = lib.mkIf (config.sysconfig.docker.pihole.enable && config.sysconfig.docker.enable) {
# unstable, waiting for 26.05
#pull = "newer";
virtualisation.docker.daemon.settings.dns = [ "192.168.101.12" ];
hostname = "${subdomain}.esotericbytes.com";
environment.etc."resolv.conf" = {
enable = true;
text = ''
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 1.0.0.1
options edns0
'';
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "80";
user = "root";
mode = "0664";
};
extraOptions = [
"--ip=192.168.101.12"
];
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
};
ports = [
"${builtins.toString hostPort}:80"
"127.0.0.1:53:53/tcp"
"127.0.0.1:53:53/udp"
];
virtualisation.oci-containers.containers.pihole = {
image = "pihole/pihole:latest";
volumes = [
"vol_pihole:/etc/pihole"
];
# unstable, waiting for 26.05
#pull = "newer";
environment = {
FTLCONF_webserver_api_password = "7567";
FTLCONF_dns_listeningMode = "ALL";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "80";
};
extraOptions = [
"--ip=192.168.101.12"
];
ports = [
"${builtins.toString hostPort}:80"
"127.0.0.1:53:53/tcp"
"127.0.0.1:53:53/udp"
];
volumes = [
"vol_pihole:/etc/pihole"
];
environment = {
FTLCONF_webserver_api_password = "7567";
FTLCONF_dns_listeningMode = "ALL";
};
};
};
};

93
system/virtualization/docker/portainer/default.nix
View File

@@ -1,4 +1,6 @@
{ config, lib, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, ... }: let
hostPort = 9000;
@@ -6,57 +8,58 @@
name = "portainer";
in {
in {
options.sysconfig.docker.portainer.enable = with lib; mkOption {
type = with types; bool;
default = true;
};
config = lib.mkIf (config.sysconfig.docker.portainer.enable && config.sysconfig.docker.enable) {
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
options.sysconfig.docker.portainer.enable = with lib; mkOption {
type = with types; bool;
default = true;
};
virtualisation.oci-containers.containers.portainer = {
image = "portainer/portainer-ce:latest";
config = lib.mkIf (config.sysconfig.docker.portainer.enable && config.sysconfig.docker.enable) {
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "9000";
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
};
ports = [
"127.0.0.1:8000:8000"
"${builtins.toString hostPort}:9000"
];
extraOptions = [
"--ip=192.168.101.10"
];
virtualisation.oci-containers.containers.portainer = {
image = "portainer/portainer-ce:latest";
volumes = [
"vol_portainer:/data"
"/run/docker.sock:/var/run/docker.sock"
];
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "9000";
};
ports = [
"127.0.0.1:8000:8000"
"${builtins.toString hostPort}:9000"
];
extraOptions = [
"--ip=192.168.101.10"
];
volumes = [
"vol_portainer:/data"
"/run/docker.sock:/var/run/docker.sock"
];
};
};
};
}

0
system/virtualization/docker/rustdesk/docker-compose.nix → system/virtualization/docker/rustdesk/docker-compose.nix-txt
View File

81
system/virtualization/docker/searxng/default.nix
View File

@@ -1,58 +1,61 @@
{ config, lib, ... }: let
{ ... }: {
flake.nixosModules.default = { config, lib, ... }: let
subdomain = "searxng";
name = "searxng";
in {
in {
options.sysconfig.docker.searxng.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
options.sysconfig.docker.searxng.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.searxng.enable && config.sysconfig.docker.enable) {
environment.etc."searxng/settings.yml".source = ./settings.yml;
config = lib.mkIf (config.sysconfig.docker.searxng.enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers.searxng = {
image = "searxng/searxng:latest";
environment.etc."searxng/settings.yml".source = ./settings.yml;
# unstable, waiting for 26.05
#pull = "newer";
virtualisation.oci-containers.containers.searxng = {
image = "searxng/searxng:latest";
hostname = "${subdomain}.esotericbytes.com";
# unstable, waiting for 26.05
#pull = "newer";
networks = [
"docker-main"
];
hostname = "${subdomain}.esotericbytes.com";
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "8080";
};
networks = [
"docker-main"
];
ports = [
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
extraOptions = [
"--ip=192.168.101.9"
];
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "8080";
};
volumes = [
"vol_searxng_settings:/etc/searxng/"
"vol_searxng_data:/var/cache/searxng/"
"/etc/searxng/settings.yml:/etc/searxng/settings.yml"
];
ports = [
];
environment = {
SEARXNG_SECRET = "2e8b4fcf4c0f46b097496f2d5715dbb061bd5cac78c64d0f5a0bee27f013f3c0";
extraOptions = [
"--ip=192.168.101.9"
];
volumes = [
"vol_searxng_settings:/etc/searxng/"
"vol_searxng_data:/var/cache/searxng/"
"/etc/searxng/settings.yml:/etc/searxng/settings.yml"
];
environment = {
SEARXNG_SECRET = "2e8b4fcf4c0f46b097496f2d5715dbb061bd5cac78c64d0f5a0bee27f013f3c0";
};
};
};
};

187
system/virtualization/docker/traefik/default.nix
View File

@@ -1,108 +1,111 @@
{ config, lib, ... }: {
{ ... }: {
options.sysconfig.docker.traefik.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
flake.nixosModules.default = { config, lib, ... }: {
config = lib.mkIf (config.sysconfig.docker.traefik.enable && config.sysconfig.docker.enable) {
networking.firewall.allowedTCPPorts = [ 80 81 443 444 2222 ];
sops.secrets = {
"traefik/cf_email" = {};
"traefik/cf_api_key" = {};
options.sysconfig.docker.traefik.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
sops.templates."traefik.env" = {
content = ''
CF_API_EMAIL=${config.sops.placeholder."traefik/cf_email"}
config = lib.mkIf (config.sysconfig.docker.traefik.enable && config.sysconfig.docker.enable) {
networking.firewall.allowedTCPPorts = [ 80 81 443 444 2222 ];
sops.secrets = {
"traefik/cf_email" = {};
"traefik/cf_api_key" = {};
};
sops.templates."traefik.env" = {
content = ''
CF_API_EMAIL=${config.sops.placeholder."traefik/cf_email"}
CF_DNS_API_TOKEN=${config.sops.placeholder."traefik/cf_api_key"}
'';
};
environment.etc = (builtins.listToAttrs (builtins.map (x: {
name = "traefik/${x}";
value = {
source = ./config/${x};
mode = "0664";
};
}) (builtins.attrNames (builtins.readDir ./config))));
/*environment.etc."traefik/traefik.yml" = {
source = ./config/traefik.yml;
};
environment.etc."traefik/routing.yml" = {
source = ./config/routing.yml;
};*/
virtualisation.oci-containers.containers.traefik = {
image = "traefik:v3.6";
environment = {
TRAEFIK_CERTIFICATESRESOLVERS_CLOUDFLARE_ACME_EMAIL = "\${CF_API_EMAIL}";
};
environmentFiles = [ config.sops.templates."traefik.env".path ];
volumes = [
"/etc/traefik/:/etc/traefik/"
"/run/docker.sock:/var/run/docker.sock"
];
networks = [
"docker-main"
];
ports = [
"80:80"
"81:81"
"443:443"
"444:444"
"2222:2222"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.dashboard.rule" = "Host(`traefik.esotericbytes.com`)";
"traefik.http.routers.dashboard.entrypoints" = "websecure,localsecure";
"traefik.http.routers.dashboard.service" = "api@internal";
"traefik.http.routers.dashboard.tls.certResolver" = "cloudflare";
'';
};
extraOptions = [
"--ip=192.168.101.11"
];
environment.etc = (builtins.listToAttrs (builtins.map (x: {
name = "traefik/${x}";
value = {
source = ./config/${x};
mode = "0664";
};
}) (builtins.attrNames (builtins.readDir ./config))));
log-driver = "journald";
};
systemd.services."docker-traefik" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
/*environment.etc."traefik/traefik.yml" = {
source = ./config/traefik.yml;
};
environment.etc."traefik/routing.yml" = {
source = ./config/routing.yml;
};*/
virtualisation.oci-containers.containers.traefik = {
image = "traefik:v3.6";
environment = {
TRAEFIK_CERTIFICATESRESOLVERS_CLOUDFLARE_ACME_EMAIL = "\${CF_API_EMAIL}";
};
environmentFiles = [ config.sops.templates."traefik.env".path ];
volumes = [
"/etc/traefik/:/etc/traefik/"
"/run/docker.sock:/var/run/docker.sock"
];
networks = [
"docker-main"
];
ports = [
"80:80"
"81:81"
"443:443"
"444:444"
"2222:2222"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.dashboard.rule" = "Host(`traefik.esotericbytes.com`)";
"traefik.http.routers.dashboard.entrypoints" = "websecure,localsecure";
"traefik.http.routers.dashboard.service" = "api@internal";
"traefik.http.routers.dashboard.tls.certResolver" = "cloudflare";
};
extraOptions = [
"--ip=192.168.101.11"
];
log-driver = "journald";
};
systemd.services."docker-traefik" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
];
requires = [
"docker-network-setup.service"
];
partOf = [
"docker-compose-traefik-root.target"
];
wantedBy = [
"docker-compose-traefik-root.target"
];
};
after = [
"docker-network-setup.service"
];
requires = [
"docker-network-setup.service"
];
partOf = [
"docker-compose-traefik-root.target"
];
wantedBy = [
"docker-compose-traefik-root.target"
];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."docker-compose-traefik-root" = {
wantedBy = [ "multi-user.target" ];
systemd.targets."docker-compose-traefik-root" = {
wantedBy = [ "multi-user.target" ];
};
};
};
}

46
system/virtualization/virtual-machines/default.nix
View File

@@ -1,31 +1,27 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
options.sysconfig.virtual-machines.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
flake.nixosModules.default = { config, lib, pkgs, ... }: {
imports = let
dir = builtins.readDir ./.;
in builtins.map (x: ./${x}) (builtins.filter
(file: (dir.${file} == "directory"))
(builtins.attrNames dir)
);
config = lib.mkIf config.sysconfig.virtual-machines.enable {
programs.virt-manager.enable = true;
virtualisation = {
libvirtd = {
enable = true;
qemu.swtpm.enable = true;
};
spiceUSBRedirection.enable = true;
options.sysconfig.virtual-machines.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
environment.systemPackages = with pkgs; lib.mkIf config.sysconfig.graphical [
virt-viewer
];
config = lib.mkIf config.sysconfig.virtual-machines.enable {
programs.virt-manager.enable = true;
virtualisation = {
libvirtd = {
enable = true;
qemu.swtpm.enable = true;
};
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with pkgs; lib.mkIf config.sysconfig.graphical [
virt-viewer
];
};
};
}

22
system/virtualization/virtual-machines/home-assistant/default.nix
View File

@@ -1,13 +1,17 @@
{ config, lib, ... }: {
{ ... }: {
flake.nixosModules.default = { config, lib, ... }: {
options.sysconfig.virtual-machines.home-assistant = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtual-machines.home-assistant.enable {
options.sysconfig.virtual-machines.home-assistant = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtual-machines.home-assistant.enable {
};
}