Blunkall-Technologies/Olympus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Blunkall-Technologies:1a088bc50154bd1041493fad78e6a99cf2638f4e
Branches Tags
Blunkall-Technologies:master Blunkall-Technologies:dev
...
compare: Blunkall-Technologies:8697469f5fe8e528ad2d4a7f8c3f879c0f98bece
Branches Tags
Blunkall-Technologies:dev Blunkall-Technologies:master

3 Commits
1a088bc501 ... 8697469f5f

Author SHA1 Message Date
Nathan
8697469f5f add authentik middleware 2026-02-28 17:56:12 -06:00
Nathan
fa6abcfd98 add ssh key 2026-02-28 17:26:54 -06:00
Nathan
7f0629f313 work on docker gitea 2026-02-25 09:03:17 -06:00
15 changed files with 237 additions and 566 deletions
Expand all files Collapse all files

2
machines/homebox

Submodule machines/homebox updated: b2a72f1a24...1f7d5634bd

1
profiles/homebox/default.nix
View File

@@ -58,6 +58,7 @@
netbird.enable = true; netbird.enable = true;
ollama.enable = false; ollama.enable = false;
avahi.enable = true;
wyoming = { wyoming = {
enable = true; enable = true;
piper = true; piper = true;

11
profiles/jesstop/default.nix
View File

@@ -63,17 +63,6 @@
services.displayManager.enable = true; services.displayManager.enable = true;
services.avahi = {
enable = true;
ipv4 = true;
ipv6 = true;
openFirewall = true;
nssmdns4 = true;
wideArea = true;
};
# Enable CUPS to print documents. # Enable CUPS to print documents.
services.printing.enable = true; services.printing.enable = true;

12
profiles/laptop/default.nix
View File

@@ -54,6 +54,7 @@
pipewire.enable = mkDefault true; pipewire.enable = mkDefault true;
netbird.enable = mkDefault true; netbird.enable = mkDefault true;
ollama.enable = mkDefault true; ollama.enable = mkDefault true;
avahi.enable = mkDefault true;
}; };
programs = { programs = {
@@ -83,17 +84,6 @@
services.displayManager.enable = true; services.displayManager.enable = true;
services.avahi = {
enable = true;
ipv4 = true;
ipv6 = true;
openFirewall = true;
nssmdns4 = true;
wideArea = true;
};
environment.shells = with pkgs; [ zsh bashInteractive ]; environment.shells = with pkgs; [ zsh bashInteractive ];

10
profiles/pi4/default.nix
View File

@@ -115,16 +115,6 @@
''; '';
}; };
services.avahi = {
enable = true;
ipv4 = true;
ipv6 = true;
openFirewall = true;
nssmdns4 = true;
wideArea = true;
};
}; };
sops = { sops = {

23
system/services/avahi/default.nix Normal file
View File

@@ -0,0 +1,23 @@
{ config, lib, ... }: {
options = {
sysconfig.services.avahi.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.services.avahi.enable {
services.avahi = {
enable = true;
ipv4 = true;
ipv6 = true;
openFirewall = true;
nssmdns4 = true;
wideArea = true;
};
};
}

71
system/virtualization/containers/authentik/default.nix
View File

@@ -1,71 +0,0 @@
{ config, lib, ... }: {
options.sysconfig.containers.authentik.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.containers.authentik.enable {
sops.secrets."authentik/dbpass" = {};
networking = {
nat.internalInterfaces = [ "ve-authentik" ];
};
containers.authentik = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.35";
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."authentik/dbpass".path}"
];
bindMounts = {
"/etc/authentik" = {
hostPath = "/ssd1/Authentik";
isReadOnly = false;
};
};
config = {
networking.firewall.allowedTCPPorts = [ 9001 ];
systemd.services.secrets_setup = {
wantedBy = [ "authentik.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/authentik/dbpass
chown postgres:postgres /etc/authentik/dbpass
'';
};
services.authentik = {
enable = true;
environmentFile = "/etc/authentik/authentik.env";
settings = {
disable_startup_analytics = true;
avatars = "initials";
};
worker.listenHTTP = "0.0.0.0:9001";
};
system.stateVersion = "25.05";
};
};
};
}

39
system/virtualization/containers/jellyfin/default.nix
View File

@@ -1,39 +0,0 @@
{ config, lib, ... }: {
options.sysconfig.containers.jellyfin.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.containers.jellyfin.enable {
containers.jellyfin = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.14";
bindMounts = {
"/etc/jellyfin" = {
hostPath = "/ssd1/Jellyfin";
isReadOnly = false;
};
};
config = {
services.jellyfin = {
enable = true;
dataDir = "/etc/jellyfin/data";
configDir = "/etc/jellyfin/config";
logDir = "/etc/jellyfin/log";
openFirewall = true;
};
system.stateVersion = "24.05";
};
};
};
}

81
system/virtualization/containers/nextcloud/default.nix
View File

@@ -1,81 +0,0 @@
{ config, lib, ... }: {
options.sysconfig.containers.nextcloud.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.containers.nextcloud.enable {
sops.secrets."nextcloud/pass" = {};
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.15";
bindMounts = {
"/var/lib/nextcloud" = {
hostPath = "/ssd1/Nextcloud/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=nextcloud-admin-pass:${config.sops.secrets."nextcloud/pass".path}"
];
config = { config, lib, pkgs, ... }: {
systemd.services.secrets_setup = {
wantedBy = [ "nextcloud-setup.service" ];
serviceConfig = {
LoadCredential = [
"nextcloud-admin-pass"
];
};
script = ''
cat $CREDENTIALS_DIRECTORY/nextcloud-admin-pass > /etc/nextcloud-admin-pass
chown nextcloud:nextcloud /etc/nextcloud-admin-pass
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.virtualHosts."192.168.100.15".listen = [ { addr = "0.0.0.0"; port = 80; } ];
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
hostName = "192.168.100.15";
config = {
adminpassFile = "/etc/nextcloud-admin-pass";
adminuser = "root";
dbtype = "mysql";
};
https = true;
home = "/var/lib/nextcloud";
appstoreEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit mail contacts calendar tasks user_oidc;
inherit impersonate end_to_end_encryption notes spreed music memories phonetrack;
};
extraAppsEnable = true;
settings = {
overwriteprotocol = "https";
trusted_domains = [ "nextcloud.esotericbytes.com" ];
trusted_proxies = [ "192.168.100.11" ];
default_phone_region = "US";
};
database.createLocally = true;
};
system.stateVersion = "24.05";
};
};
};
}

39
system/virtualization/containers/openwebui/default.nix
View File

@@ -1,39 +0,0 @@
{ config, lib, nixpkgs-us, ... }: {
options = {
sysconfig.containers.openwebui.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.containers.openwebui.enable {
containers.openwebui = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.33";
config = {
services.open-webui = {
enable = true;
package = let
pkgs-us = import nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.open-webui;
openFirewall = true;
host = "0.0.0.0";
};
system.stateVersion = "25.05";
};
};
};
}

292
system/virtualization/containers/traefik/default.nix
View File

@@ -1,292 +0,0 @@
{ config, lib, ... }: {
options.sysconfig.containers.traefik.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.containers.traefik.enable {
networking = {
hosts."192.168.100.11" = [
"esotericbytes.com"
"*.esotericbytes.com"
];
firewall.allowedTCPPorts = [ 22 80 443 ];
nat.internalInterfaces = [ "ve-traefik" ];
};
containers.traefik = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
forwardPorts = [
{
containerPort = 81;
hostPort = 80;
}
{
containerPort = 444;
hostPort = 443;
}
];
bindMounts = {
"/etc/traefik/data" = {
hostPath = "/ssd1/Traefik/data";
isReadOnly = false;
};
"/var/run/docker.sock" = lib.mkIf config.sysconfig.docker.enable {
hostPath = "/run/docker.sock";
isReadOnly = false;
};
};
config = {
environment.etc."resolv.conf" = {
enable = true;
text = ''
nameserver 1.1.1.1
nameserver 1.0.0.1
options edns0
'';
user = "root";
mode = "0664";
};
#virtualisation.docker.enable = lib.mkIf config.sysconfig.docker.enable true;
users.groups."docker" = lib.mkIf config.sysconfig.docker.enable {
name = "docker";
gid = 131;
members = [
"traefik"
];
};
services.traefik = {
enable = true;
group = lib.mkIf config.sysconfig.docker.enable "docker";
dataDir = "/etc/traefik/data";
environmentFiles = [
"/etc/traefik/data/traefik.env"
];
staticConfigOptions = {
serversTransport.insecureSkipVerify = true;
api = {
dashboard = true;
debug = true;
};
global = {
checknewversion = false;
sendanonymoususage = false;
};
providers.docker = lib.mkIf config.sysconfig.docker.enable {};
entryPoints = {
web = {
address = ":81";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":444";
asDefault = true;
http.tls = {
certResolver = "cloudflare";
domains = {
main = "esotericbytes.com";
sans = [
"*.esotericbytes.com"
];
};
};
};
local = {
address = ":80";
http.redirections.entryPoint = {
to = "localsecure";
scheme = "https";
};
};
localsecure = {
address = ":443";
asDefault = true;
http.tls = {
certResolver = "cloudflare";
domains = {
main = "esotericbytes.com";
sans = [
"*.esotericbytes.com"
];
};
};
};
};
log = {
level = "INFO";
filePath = "/etc/traefik/data/logs/traefik.log";
format = "json";
};
certificatesResolvers = {
cloudflare = {
acme = {
email = "nathanblunkall5@gmail.com";
storage = "/etc/traefik/data/acme.json";
keyType = "EC256";
dnsChallenge = {
provider = "cloudflare";
resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ];
};
};
};
};
};
dynamicConfigOptions = {
http = {
routers = {
homepageSecure = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`esotericbytes.com`) || Host(`www.esotericbytes.com`)";
service = "homepage";
tls.certResolver = "cloudflare";
};
/*remote = {
entryPoints = [ "websecure" ];
rule = "Host(`remote.esotericbytes.com`)";
service = "novnc";
tls.certResolver = "cloudflare";
#middlewares = [ "authentik" ];
};*/
/*homeassistant = {
entryPoints = [ "localsecure" ];
rule = "Host(`hass.esotericbytes.com`)";
service = "homeassistant";
tls.certResolver = "cloudflare";
};*/
jellyfin = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`jellyfin.esotericbytes.com`)";
service = "jellyfin";
tls.certResolver = "cloudflare";
};
/*gitlab = {
entryPoints = [ "websecure" ];
rule = "Host(`gitlab.esotericbytes.com`)";
service = "gitlab";
tls.certResolver = "cloudflare";
};*/
gitea = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`gitea.esotericbytes.com`)";
service = "gitea";
tls.certResolver = "cloudflare";
};
nextcloud = {
entryPoints = [ "websecure" "localsecure" ];
rule = "Host(`nextcloud.esotericbytes.com`)";
service = "nextcloud";
tls.certResolver = "cloudflare";
middlewares = [
"nextcloud_redirectregex"
];
};
traefik = {
entryPoints = [ "localsecure" ];
rule = "Host(`traefik.esotericbytes.com`)";
service = "api@internal";
tls.certResolver = "cloudflare";
#middlewares = [ "authentik" ];
};
/*ntfy = {
entryPoints = [ "websecure" ];
rule = "Host(`ntfy.esotericbytes.com`)";
service = "ntfy";
tls.certResolver = "cloudflare";
};*/
openwebui = {
entryPoints = [ "localsecure" ];
rule = "Host(`ai.esotericbytes.com`)";
service = "openwebui";
tls.certResolver = "cloudflare";
};
code-server = {
entryPoints = [ "localsecure" ];
rule = "Host(`code.esotericbytes.com`)";
service = "code-server";
tls.certResolver = "cloudflare";
};
};
middlewares = {
nextcloud_redirectregex.redirectregex = {
permanent = true;
regex = "https://nextcloud.esotericbytes.com/.well-known/(?:card|cal)dav";
replacement = "https://nextcloud.esotericbytes.com/remote.php/dav";
};
};
services = {
#gitlab.loadBalancer.servers = [ { url = "http://192.168.100.16:80"; } ];
gitea.loadBalancer.servers = [ { url = "http://192.168.100.20:3000"; } ];
homepage.loadBalancer.servers = [ { url = "http://192.168.100.13:80"; } ];
jellyfin.loadBalancer.servers = [ { url = "http://192.168.100.14:8096"; } ];
#novnc.loadBalancer.servers = [ { url = "http://192.168.100.10:6080"; } ];
nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.15:80"; } ];
#ntfy.loadBalancer.servers = [ { url = "http://192.168.100.19"; } ];
openwebui.loadBalancer.servers = [ { url = "http://192.168.100.33:8080"; } ];
code-server.loadBalancer.servers = [ { url = "http://192.168.100.31:4444"; } ];
/*homeassistant.loadBalancer.servers = [ { url = "http://192.168.100.25:8123"; } ];*/
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [ 80 443 81 444 ];
allowedUDPPorts = [ 80 443 81 444 ];
};
useHostResolvConf = false;
};
system.stateVersion = "24.05";
};
};
};
}

6
system/virtualization/docker/authentik/default.nix
View File

@@ -95,6 +95,12 @@ in {
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare"; "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.101.1:${builtins.toString hostPort}"; "traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.101.1:${builtins.toString hostPort}";
"traefik.http.middlewares.authentik.forwardauth.address" = "https://auth.esotericbytes.com/outpost.goauthentik.io/auth/traefik";
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
}; };
volumes = [ volumes = [
"/etc/Authentik/custom-templates:/templates:rw" "/etc/Authentik/custom-templates:/templates:rw"

152
system/virtualization/docker/gitea/default.nix
View File

@@ -1 +1,151 @@
{} { config, lib, pkgs, ... }: let
subdomain = "gitea";
name = "gitea";
in {
options.sysconfig.docker."${name}".enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker."${name}".enable && config.sysconfig.docker.enable) {
virtualisation.oci-containers.containers."${name}" = {
image = "docker.gitea.com/gitea:1.25.4";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.port" = "3000";
"traefik.tcp.routers.${name}-ssh.entrypoints" = "gitea-ssh";
"traefik.tcp.routers.${name}-ssh.rule" = "HostSNI(`*`)";
"traefik.tcp.routers.${name}-ssh.service" = "${name}-ssh";
"traefik.tcp.services.${name}-ssh.loadbalancer.server.port" = "22";
};
ports = [
];
extraOptions = [
"--ip=192.168.101.20"
];
volumes = [
"vol_gitea:/data"
];
environment = {
};
};
virtualisation.oci-containers.containers."${name}-db" = {
image = "docker.io/library/postgres:14";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${name}-db";
networks = [
"docker-main"
];
labels = {
};
ports = [
];
extraOptions = [
"--ip=192.168.101.21"
];
volumes = [
"/etc/gitea/db:/var/lib/postgresql/data"
];
environment = {
};
};
systemd.services."docker-gitea" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-gitea.service"
"docker-gitea-db.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-gitea.service"
"docker-gitea-db.service"
];
partOf = [
"docker-compose-gitea-root.target"
];
wantedBy = [
"docker-compose-gitea-root.target"
];
};
systemd.services."docker-gitea-db" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
];
requires = [
"docker-network-setup.service"
];
partOf = [
"docker-compose-gitea-root.target"
];
wantedBy = [
"docker-compose-gitea-root.target"
];
};
systemd.services."docker-volume-gitea" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_gitea || docker volume create vol_gitea --driver=local
'';
partOf = [ "docker-compose-gitea-root.target" ];
wantedBy = [ "docker-compose-gitea-root.target" ];
};
};
}

48
system/virtualization/docker/n8n/default.nix
View File

@@ -1,6 +1,4 @@
{ config, lib, ... }: let { config, lib, pkgs, ... }: let
hostPort = 9004;
subdomain = "n8n"; subdomain = "n8n";
@@ -15,12 +13,6 @@ in {
config = lib.mkIf (config.sysconfig.docker."${name}".enable && config.sysconfig.docker.enable) { config = lib.mkIf (config.sysconfig.docker."${name}".enable && config.sysconfig.docker.enable) {
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
};
virtualisation.oci-containers.containers."${name}" = { virtualisation.oci-containers.containers."${name}" = {
image = "docker.n8n.io/n8nio/n8n"; image = "docker.n8n.io/n8nio/n8n";
@@ -41,7 +33,6 @@ in {
"traefik.http.routers.${name}.service" = "${name}"; "traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare"; "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
#"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
"traefik.http.services.${name}.loadbalancer.server.port" = "5678"; "traefik.http.services.${name}.loadbalancer.server.port" = "5678";
}; };
@@ -70,5 +61,42 @@ in {
N8N_SECURE_COOKIE = "false"; N8N_SECURE_COOKIE = "false";
}; };
}; };
systemd.services."docker-n8n" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-setup.service"
"docker-volume-n8n.service"
];
requires = [
"docker-network-setup.service"
"docker-volume-n8n.service"
];
partOf = [
"docker-compose-n8n-root.target"
];
wantedBy = [
"docker-compose-n8n-root.target"
];
};
systemd.services."docker-volume-n8n" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
docker volume inspect vol_n8n || docker volume create vol_n8n --driver=local
'';
partOf = [ "docker-compose-n8n-root.target" ];
wantedBy = [ "docker-compose-n8n-root.target" ];
};
}; };
} }

16
system/virtualization/docker/traefik/config/routing.yml
View File

@@ -7,6 +7,8 @@ http:
- "localsecure" - "localsecure"
rule: "Host(`esotericbytes.com`) || Host(`www.esotericbytes.com`)" rule: "Host(`esotericbytes.com`) || Host(`www.esotericbytes.com`)"
service: "homepage" service: "homepage"
middlewares:
- authentik
tls: tls:
certResolver: "cloudflare" certResolver: "cloudflare"
@@ -27,6 +29,15 @@ http:
tls: tls:
certResolver: "cloudflare" certResolver: "cloudflare"
octoprint:
entryPoints:
- "localsecure"
- "websecure"
rule: "Host(`3dp.esotericbytes.com`)"
service: "octoprint"
tls:
certResolver: "cloudflare"
services: services:
homepage: homepage:
loadBalancer: loadBalancer:
@@ -42,6 +53,11 @@ http:
loadBalancer: loadBalancer:
servers: servers:
- url: "http://192.168.100.20:3000" - url: "http://192.168.100.20:3000"
octoprint:
loadBalancer:
servers:
- url: "http://rpi-3dp.local"
tcp: tcp:
routers: routers: