diff --git a/flake.lock b/flake.lock index 375294d..287740e 100644 --- a/flake.lock +++ b/flake.lock @@ -1385,11 +1385,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-swUtIf1jN3XSE4xExChj4M5rBWCSs08qqxXsJu1tZYs=", - "path": "/nix/store/9a8cd5lszck766cn37snl7w5qjf34a4l-source/home-manager", + "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/home-manager", "type": "path" }, "original": { - "path": "/nix/store/9a8cd5lszck766cn37snl7w5qjf34a4l-source/home-manager", + "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/home-manager", "type": "path" } }, @@ -2066,11 +2066,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=", - "path": "/nix/store/ya16wzrcrapfiml8wwygxaqpqvjqc32c-source/programs", + "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/programs", "type": "path" }, "original": { - "path": "/nix/store/ya16wzrcrapfiml8wwygxaqpqvjqc32c-source/programs", + "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/programs", "type": "path" } }, @@ -2142,11 +2142,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=", - "path": "/nix/store/ya16wzrcrapfiml8wwygxaqpqvjqc32c-source/services/sddm", + "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/services/sddm", "type": "path" }, "original": { - "path": "/nix/store/ya16wzrcrapfiml8wwygxaqpqvjqc32c-source/services/sddm", + "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/services/sddm", "type": "path" } }, 
@@ -2213,12 +2213,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-a6apb0B+Ob0NtnxKA/Qsvc25wCwXz+AQRZeYw/7HBQc=", - "path": "/nix/store/9a8cd5lszck766cn37snl7w5qjf34a4l-source/system-config", + "narHash": "sha256-+lpkyF/b2w9P0vWDZdkv42PIlOxICLWdCms+U9HkH+4=", + "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/system-config", "type": "path" }, "original": { - "path": "/nix/store/9a8cd5lszck766cn37snl7w5qjf34a4l-source/system-config", + "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/system-config", "type": "path" } }, diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index 0a74a31..0dd4e5f 100644 --- a/system-config/configuration/homebox/default.nix +++ b/system-config/configuration/homebox/default.nix @@ -167,6 +167,7 @@ "/var/lib/bluetooth" "/var/lib/nixos" "/var/lib/systemd/coredump" + "/var/lib/docker" "/etc/NetworkManager/system-connections" ]; files = [ @@ -190,6 +191,7 @@ "authentik/pass" = {}; "authentik/secret_key" = {}; + "pihole/pass" = {}; }; }; @@ -243,7 +245,11 @@ authentik.enable = true; + jellyfin.enable = true; + "blunkall.us".enable = true; + + pihole.enable = true; gitlab.enable = false; }; diff --git a/system-config/configuration/homebox/secrets/secrets.yaml b/system-config/configuration/homebox/secrets/secrets.yaml index 65662e2..279bc7d 100644 --- a/system-config/configuration/homebox/secrets/secrets.yaml +++ b/system-config/configuration/homebox/secrets/secrets.yaml 
@@ -3,6 +3,8 @@ nathan: authentik: pass: ENC[AES256_GCM,data:pTjpwRgdUVU5543T199P7Zoy,iv:93WpIK6qq+A1LhaQdBvMQ4jzuAOmMUt575y/p8m8Ugk=,tag:jTg/JED3vpdOVHF8LdIyLg==,type:str] secret_key: ENC[AES256_GCM,data:tIWDGtB/z7Ysizz9FPQJe2EeSTAxDPkeHJnaDfytDvbqvRaiCgg7qGpEF6hAQFdZ,iv:gloup5aI0qY+SYJt8V6lvUdE+18IWH09BXtz8dRi6JE=,tag:vFwF9h1Rsa/X1bjvdSRSfQ==,type:str] +pihole: + pass: ENC[AES256_GCM,data:hintZA==,iv:HA5K8mHYlLtf5s8iaLI/QRolYgcKwG8DWCH+LXnWI4k=,tag:DlnXxG0n9dBVpk2kILlPKg==,type:str] sops: kms: [] gcp_kms: [] @@ -18,8 +20,8 @@ sops: S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M 8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-10T15:37:25Z" - mac: ENC[AES256_GCM,data:8xtyW9Kp8ND/lojNIPwNdhw82zdfBQSQoiti7nvbZ9ubk0PIAzrxyRXFqZ7C+Lf+QX0qyC5ZWZBRF8SnuldqWaI3jGSfZsPNq8r4Nd0XD+I2ImDHTfVNtZBawgDc2QXd2YvOibgp6FkRJ7xAkJSmgxO0S/Q6l4pms/KvNlCkV4Q=,iv:v6M4n/wxcowY0jCObmpuA+yz+xe1LbKyYud/fT0YZJc=,tag:WW1aqb+f4EPxBJ9h1yzBRQ==,type:str] + lastmodified: "2024-11-11T17:49:35Z" + mac: ENC[AES256_GCM,data:sjv2jD36o02RWeuDcEnUbUGRiAVvH/Gv+TJw9sIydaMT3uSJklRZ3pct71NZQerxi0WLJLimjLJMJQjL65VzrCzA8oU1KT3cawUo1val3/9OUxcrFln9EOdm3569X4/iU+44cAn8Tz68kO2Cq4BxtyESMEpTv4WdKSCnAydZmTg=,iv:u7EHrQ4GfXIRzb0f0YN9a8J1HLEoHPNA7/mb2dh3hR4=,tag:PQOAqCF8fyjd26qsesC3gw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/system-config/services/containers/authentik/default.nix b/system-config/services/containers/authentik/default.nix index b76fe41..7cbf9a6 100644 --- a/system-config/services/containers/authentik/default.nix +++ b/system-config/services/containers/authentik/default.nix @@ -8,7 +8,7 @@ config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable { - sops.templates.".env" = { + sops.templates."authentik.env" = { content = '' POSTGRES_DB=authentik-db POSTGRES_USER=authentik-admin 
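Review bot: The new `pihole/pass` value encrypts to `data:hintZA==`, which is 8 base64 characters, i.e. 4 bytes, and because sops' AES-256-GCM mode stores the tag separately and does not pad, the Pi-hole web password itself is 4 characters long (the neighbouring `authentik/pass` ciphertext is 18 bytes). That secret is presumably what the `pihole.env` template feeds to the container as `WEBPASSWORD`, i.e. the only thing guarding the Pi-hole admin UI, so it should be regenerated with something like `openssl rand -base64 24` and re-encrypted with `sops` before this lands. The `lastmodified`/`mac` bump in the second hunk is the expected side effect and needs no change.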
diff --git a/system-config/services/containers/default.nix b/system-config/services/containers/default.nix index 8e51741..5aea350 100644 --- a/system-config/services/containers/default.nix +++ b/system-config/services/containers/default.nix @@ -6,5 +6,7 @@ # ./authentik-nix ./authentik ./nginx + ./jellyfin + ./pihole ]; } diff --git a/system-config/services/containers/jellyfin/default.nix b/system-config/services/containers/jellyfin/default.nix index e69de29..3805c02 100644 --- a/system-config/services/containers/jellyfin/default.nix +++ b/system-config/services/containers/jellyfin/default.nix @@ -0,0 +1,37 @@ +{ config, lib, ... }: { + + options.sysconfig.opts.virtualization.jellyfin.enable = lib.options.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf config.sysconfig.opts.virtualization.jellyfin.enable { + + containers.jellyfin = { + + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.14"; + + bindMounts = { + "/etc/jellyfin" = { + hostPath = "/ssd1/Jellyfin"; + isReadOnly = false; + }; + }; + + config = { + + services.jellyfin = { + + enable = true; + dataDir = "/etc/jellyfin/data"; + configDir = "/etc/jellyfin/config"; + logDir = "/etc/jellyfin/log"; + openFirewall = true; + }; + }; + }; + }; +} diff --git a/system-config/services/containers/pihole/default.nix b/system-config/services/containers/pihole/default.nix index e69de29..f308d5c 100644 --- a/system-config/services/containers/pihole/default.nix +++ b/system-config/services/containers/pihole/default.nix 
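Review bot: `openFirewall = true;` in the jellyfin container opens more than the single port the reverse proxy uses: as far as I recall the NixOS jellyfin module also opens TCP 8920 and the UDP discovery ports 1900/7359, all on the container's `192.168.100.14` side, while the only consumer visible in this change is Traefik talking to `http://192.168.100.14:8096`. Prefer the explicit least-privilege form inside `config`: `openFirewall = false;` on the service and `networking.firewall.allowedTCPPorts = [ 8096 ];` beside it, so nothing but the proxied HTTP port is exposed from the container. A one-line comment on the `/etc/jellyfin` bind mount noting that `/ssd1/Jellyfin` holds the writable data/config/log tree (and that the media library is mounted elsewhere, if it is) would also help the next reader, since `isReadOnly = false` on an `/etc` path looks surprising on its own.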
@@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }: { + + options.sysconfig.opts.virtualization.pihole.enable = lib.options.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable { + + sops.templates."pihole.env" = { + content = '' + WEBPASSWORD=${config.sops.placeholder."pihole/pass"} + ''; + + path = "/ssd1/Pihole/.env"; + }; + systemd.services.launchPihole = { + + enable = true; + + wantedBy = [ "multi-user.target" ]; + + script = '' + cd /ssd1/Pihole + ${pkgs.docker-compose}/bin/docker-compose up + ''; + }; + + containers.unbound = { + + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.15"; + + config = { + + services.unbound = { + enable = true; + + settings = { + server = { + interface = [ "127.0.0.1" ]; + + port = 5335; + + do-ipv4 = "yes"; + + do-udp = "yes"; + + do-tcp = "yes"; + + do-ipv6 = "no"; + + perfer-ipv6 = "no"; + + harden-glue = "yes"; + + harden-dnssec-stripped = "yes"; + + use-caps-for-id = "no"; + + edns-buffer-size = 1232; + + prefetch = "yes"; + + num-threads = 1; + + so-rcvbuf = "1m"; + + private-address = [ + "192.168.0.0/16" + "169.254.0.0/16" + "172.16.0.0/12" + "10.0.0.0/8" + "fd00::/8" + "fe80::/10" + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix index a8980e2..a833166 100644 --- a/system-config/services/containers/traefik/default.nix +++ b/system-config/services/containers/traefik/default.nix @@ -14,9 +14,9 @@ hostAddress = "192.168.100.10"; localAddress = "192.168.100.11"; forwardPorts = [ - { - containerPort = 80; - hostPort = 80; + { + containerPort = 80; + hostPort = 80; } { containerPort = 443; 
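Review bot: `perfer-ipv6 = "no";` in the unbound `server` settings is not a valid option name (the upstream option is `prefer-ip6`), so the `unbound-checkconf` pass that the NixOS module runs by default, as I understand it, should reject the generated config and the `unbound` container will fail to build or start. Separately, unbound is told to listen only on `127.0.0.1` inside a `privateNetwork` container, so nothing outside that namespace — in particular the Pi-hole stack that `launchPihole` runs on the host through docker-compose — can reach it at `192.168.100.15:5335`; if that is the intended upstream resolver it has to bind the container address, allow the client range in `access-control`, and open 5335 in the container's firewall (the unbound module has no `openFirewall`). The `launchPihole` unit also has no ordering on `docker.service`, so it can run `docker-compose up` before the daemon is ready, and stopping the unit only kills the compose client while the containers keep running. The rewrite below addresses these; I cannot see the compose file, so the allowed client range is a guess to confirm.
```nix
systemd.services.launchPihole = {
  enable = true;
  wantedBy = [ "multi-user.target" ];
  # docker-compose needs a running daemon; do not race it at boot.
  after = [ "docker.service" "network-online.target" ];
  requires = [ "docker.service" ];
  script = ''
    cd /ssd1/Pihole
    ${pkgs.docker-compose}/bin/docker-compose up
  '';
  # Without this, stopping the unit only kills the compose client and leaves the stack running.
  preStop = ''
    cd /ssd1/Pihole
    ${pkgs.docker-compose}/bin/docker-compose stop
  '';
};

containers.unbound = {
  # … unchanged: autoStart / privateNetwork / hostAddress / localAddress …
  config = {
    # The unbound module does not open the firewall; expose the resolver port to the host side.
    networking.firewall.allowedTCPPorts = [ 5335 ];
    networking.firewall.allowedUDPPorts = [ 5335 ];

    services.unbound = {
      enable = true;
      settings = {
        server = {
          # 127.0.0.1 here is the container's own loopback, unreachable from the host or Pi-hole.
          interface = [ "192.168.100.15" ];
          # Docker-bridge clients are NATed to the host address; confirm against the compose network.
          access-control = [ "192.168.100.0/24 allow" ];
          port = 5335;
          # … unchanged: do-ipv4 / do-udp / do-tcp / do-ipv6 …
          prefer-ip6 = "no";   # was the misspelt "perfer-ipv6", which unbound rejects
          # … unchanged: hardening, cache and private-address settings …
        };
      };
    };
  };
};
```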
@@ -87,7 +87,13 @@ websecure = { address = ":443"; asDefault = true; - http.tls.certResolver = "cloudflare"; + http.tls = { + certResolver = "cloudflare"; + domains = { + main = "blunkall.us"; + sans = [ "*.blunkall.us" "blunkall.us" ]; + }; + }; }; }; log = { @@ -119,33 +125,48 @@ dynamicConfigOptions = { http = { routers = { - homepageSecure = { + homepageSecure = { entryPoints = [ "localsecure" "websecure" ]; rule = "Host(`blunkall.us`) || Host(`www.blunkall.us`)"; service = "homepage"; middlewares = [ "authentik" ]; - tls = { + /*tls = { certResolver = "cloudflare"; domains = { main = "blunkall.us"; - sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; + sans = [ "*.blunkall.us" ]; }; - }; + };*/ + }; + jellyfin = { + entryPoints = [ "localsecure" "websecure" ]; + rule = "Host(`jellyfin.blunkall.us`)"; + service = "jellyfin"; + /*middlewares = [ + "authentik" + ];*/ + /*tls = { + certResolver = "cloudflare"; + domains = { + main = "blunkall.us"; + sans = [ "*.blunkall.us" ]; + }; + };*/ }; auth = { entryPoints = [ "localsecure" "websecure" ]; rule = "Host(`auth.blunkall.us`)"; service = "authentik"; - tls = { + /*tls = { certResolver = "cloudflare"; domains = { - main = "auth.blunkall.us"; - sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; + main = "blunkall.us"; + sans = [ "*.blunkall.us" ]; }; - }; + };*/ }; /*gitlab = { @@ -200,6 +221,8 @@ homepage.loadBalancer.servers = [ { url = "http://192.168.100.13:80"; } ]; + jellyfin.loadBalancer.servers = [ { url = "http://192.168.100.14:8096"; } ]; + authentik.loadBalancer.servers = [ { url = "http://192.168.100.10:9000"; } ]; }; }; @@ -207,6 +230,7 @@ }; networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 8080 ]; + networking.firewall.allowedUDPPorts = [ 80 443 ]; system.stateVersion = "24.05"; };
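Review bot: The new `jellyfin` router is published on `websecure`, the Internet-facing entrypoint whose port 443 the host forwards into this container, with the `authentik` forward-auth middleware left commented out, so `jellyfin.blunkall.us` is protected only by Jellyfin's own login form, unlike `homepageSecure` on the same entrypoints. If that is deliberate (native Jellyfin clients cannot complete a forward-auth redirect), say so where the middleware is disabled, e.g. `# no forward-auth: Jellyfin apps cannot follow the Authentik redirect; relies on Jellyfin's own login`, and consider a rate-limit middleware on that router since the login endpoint is now reachable from anywhere. The per-router `tls` blocks on `homepageSecure`, `jellyfin` and `auth` are commented out rather than removed now that `websecure` carries the domain list; delete them instead of leaving three copies of dead config.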
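Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ];` opens ports nothing in this container listens on: the `websecure` entrypoint in the earlier hunk is `address = ":443"` with no `http3` block, the `forwardPorts` entries in the previous file hunk forward 80 and 443 with the default TCP protocol only, and there is no UDP service on port 80 at all. Either drop the line, or, if HTTP/3 is the goal, add `http3 = {};` under `websecure`, a `{ containerPort = 443; hostPort = 443; protocol = "udp"; }` forward, and keep only `[ 443 ]` here. A firewall rule with no listener behind it is harmless today but reads as intent and will confuse the next audit.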