diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 485dee6..0000000 --- a/.gitignore +++ /dev/null @@ -1 +0,0 @@ -.idea diff --git a/flake.lock b/flake.lock index 67df8c4..ca6e418 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1760524057, - "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=", + "lastModified": 1759381078, + "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5", + "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1760393368, - "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", + "lastModified": 1759188042, + "narHash": "sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", + "rev": "9fcfabe085281dd793589bdc770a2e577a3caa5d", "type": "github" }, "original": { diff --git a/hosts/Binnenpost/default.nix b/hosts/Binnenpost/default.nix index 561fbe1..d78e2da 100644 --- a/hosts/Binnenpost/default.nix +++ b/hosts/Binnenpost/default.nix @@ -16,7 +16,6 @@ apps = { speedtest.enable = true; technitiumDNS.enable = true; - traefik.enable = true; }; virtualisation.guest.enable = true; }; @@ -77,14 +76,6 @@ }; }; - virtualisation.oci-containers.containers.traefik.labels = { - "traefik.http.routers.roxanne.rule" = "Host(`roxanne.depeuter.dev`)"; - "traefik.http.services.roxanne.loadbalancer.server.url" = "https://192.168.0.13:8006"; - - "traefik.http.routers.hugo.rule" = "Host(`hugo.depeuter.dev`)"; - "traefik.http.services.hugo.loadbalancer.server.url" = "https://192.168.0.11:444"; - }; - system.stateVersion = "24.05"; }; } diff --git a/hosts/Development/default.nix b/hosts/Development/default.nix index b2237b7..608a31c 100644 --- a/hosts/Development/default.nix +++ b/hosts/Development/default.nix @@ -7,6 +7,11 @@ bind9.enable = true; traefik.enable = true; plex.enable = true; + coder = { + enable = true; + accessUrl = "https://code.depeuter.dev"; + wildcardAccessUrl = "*.code.depeuter.dev"; + }; }; virtualisation.guest.enable = true; }; diff --git a/hosts/Gitea/default.nix b/hosts/Gitea/default.nix index c6c9b43..5b2492f 100644 --- a/hosts/Gitea/default.nix +++ b/hosts/Gitea/default.nix @@ -5,13 +5,6 @@ homelab = { apps.gitea.enable = true; virtualisation.guest.enable = true; - - users.admin = { - enable = true; - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrp6aM62Bf7bj1YM5AlAWuNrANU3N5e8+LtbbpmZPKS" - ]; - }; }; networking = { diff --git a/hosts/Vaultwarden/default.nix b/hosts/Vaultwarden/default.nix index 5ded575..d8115bc 100644 --- a/hosts/Vaultwarden/default.nix +++ b/hosts/Vaultwarden/default.nix @@ -9,13 +9,6 @@ name = "Hugo's Vault"; }; virtualisation.guest.enable = true; - - users.admin = { - enable = true; - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93" - ]; - }; }; networking = { diff --git a/modules/apps/arr/default.nix b/modules/apps/arr/default.nix index 7b530c3..e2c0df5 100644 --- a/modules/apps/arr/default.nix +++ b/modules/apps/arr/default.nix @@ -12,16 +12,7 @@ let PGID = toString config.users.groups.media.gid; UMASK = "002"; in { - options.homelab.apps.arr = let - mkAppOption = appName: { - enable = lib.mkEnableOption "${appName} using Docker"; - exposePorts = lib.mkOption { - type = lib.types.bool; - description = "Expose ${appName} port"; - default = cfg.exposePorts; - }; - }; - in { + options.homelab.apps.arr = { enable = lib.mkEnableOption "Arr Stack using Docker"; exposePorts = lib.mkOption { type = lib.types.bool; @@ -30,11 +21,46 @@ in { default = ! config.homelab.apps.traefik.enable; }; - bazarr = mkAppOption "Bazarr"; - prowlarr = mkAppOption "Prowlarr"; - qbittorrent = mkAppOption "qBittorrent"; - radarr = mkAppOption "Radarr"; - sonarr = mkAppOption "Sonarr"; + bazarr = { + enable = lib.mkEnableOption "Bazarr using Docker"; + exposePorts = lib.mkOption { + type = lib.types.bool; + description = "Expose Bazarr port"; + default = cfg.exposePorts; + }; + }; + prowlarr = { + enable = lib.mkEnableOption "Prowlarr using Docker"; + exposePorts = lib.mkOption { + type = lib.types.bool; + description = "Expose Prowlarr port"; + default = cfg.exposePorts; + }; + }; + qbittorrent = { + enable = lib.mkEnableOption "qBittorrent using Docker"; + exposePorts = lib.mkOption { + type = lib.types.bool; + description = "Expose qBittorrent port"; + default = cfg.exposePorts; + }; + }; + radarr = { + enable = lib.mkEnableOption "Radarr using Docker"; + exposePorts = lib.mkOption { + type = lib.types.bool; + description = "Expose Radarr port"; + default = cfg.exposePorts; + }; + }; + sonarr = { + enable = lib.mkEnableOption "Sonarr using Docker"; + exposePorts = lib.mkOption { + type = lib.types.bool; + description = "Expose Sonarr port"; + default = cfg.exposePorts; + }; + }; }; config = { @@ -61,9 +87,9 @@ in { virtualisation.containers.enable = lib.mkIf inUse true; }; - fileSystems = let - mkFileSystem = device: { - inherit device; + fileSystems = lib.mkIf inUse { + "/srv/bazarr-backup" = lib.mkIf cfg.bazarr.enable { + device = "192.168.0.11:/mnt/BIG/BACKUP/BAZARR"; fsType = "nfs"; options = [ "rw" @@ -76,14 +102,75 @@ in { ]; }; - hugoBackup = "192.168.0.11:/mnt/BIG/BACKUP"; - in lib.mkIf inUse { - "/srv/bazarr-backup" = lib.mkIf cfg.bazarr.enable (mkFileSystem "${hugoBackup}/BAZARR"); - "/srv/prowlarr-backup" = lib.mkIf cfg.bazarr.enable (mkFileSystem "${hugoBackup}/PROWLARR"); - "/srv/qbittorrent" = lib.mkIf cfg.qbittorrent.enable (mkFileSystem "192.168.0.11:/mnt/SMALL/CONFIG/QBITTORRENT"); - "/srv/radarr-backup" = lib.mkIf cfg.radarr.enable (mkFileSystem "${hugoBackup}/RADARR"); - "/srv/sonarr-backup" = lib.mkIf cfg.sonarr.enable (mkFileSystem "${hugoBackup}/SONARR"); - "/srv/torrent" = mkFileSystem "192.168.0.11:/mnt/SMALL/MEDIA/TORRENT"; + "/srv/prowlarr-backup" = lib.mkIf cfg.prowlarr.enable { + device = "192.168.0.11:/mnt/BIG/BACKUP/PROWLARR"; + fsType = "nfs"; + options = [ + "rw" + "auto" + "nfsvers=4.2" + "rsize=1048576" "wsize=1048576" + "hard" + "timeo=600" "retrans=2" + "_netdev" "nosuid" "tcp" + ]; + }; + + "/srv/qbittorrent" = lib.mkIf cfg.qbittorrent.enable { + device = "192.168.0.11:/mnt/SMALL/CONFIG/QBITTORRENT"; + fsType = "nfs"; + options = [ + "rw" + "auto" + "nfsvers=4.2" + "rsize=1048576" "wsize=1048576" + "hard" + "timeo=600" "retrans=2" + "_netdev" "nosuid" "tcp" + ]; + }; + + "/srv/radarr-backup" = lib.mkIf cfg.radarr.enable { + device = "192.168.0.11:/mnt/BIG/BACKUP/RADARR"; + fsType = "nfs"; + options = [ + "rw" + "auto" + "nfsvers=4.2" + "rsize=1048576" "wsize=1048576" + "hard" + "timeo=600" "retrans=2" + "_netdev" "nosuid" "tcp" + ]; + }; + + "/srv/sonarr-backup" = lib.mkIf cfg.sonarr.enable { + device = "192.168.0.11:/mnt/BIG/BACKUP/SONARR"; + fsType = "nfs"; + options = [ + "rw" + "auto" + "nfsvers=4.2" + "rsize=1048576" "wsize=1048576" + "hard" + "timeo=600" "retrans=2" + "_netdev" "nosuid" "tcp" + ]; + }; + + "/srv/torrent" = { + device = "192.168.0.11:/mnt/SMALL/MEDIA/TORRENT"; + fsType = "nfs"; + options = [ + "rw" + "auto" + "nfsvers=4.2" + "rsize=1048576" "wsize=1048576" + "hard" + "timeo=600" "retrans=2" + "_netdev" "nosuid" "tcp" + ]; + }; }; # Make sure the Docker network exists. @@ -108,24 +195,45 @@ in { }; # Create a user for each app. - users.users = let - mkUser = uid: { - uid = lib.mkForce uid; + users.users = { + bazarr = lib.mkIf cfg.bazarr.enable { + uid = lib.mkForce 3003; isSystemUser = true; group = config.users.groups.media.name; home = "/var/empty"; shell = null; }; - in { - bazarr = lib.mkIf cfg.bazarr.enable (mkUser 3003); - prowlarr = lib.mkIf cfg.prowlarr.enable (mkUser 3004); - qbittorrent = lib.mkIf cfg.qbittorrent.enable (mkUser 3005) // { + prowlarr = lib.mkIf cfg.prowlarr.enable { + uid = lib.mkForce 3004; + isSystemUser = true; + group = config.users.groups.media.name; + home = "/var/empty"; + shell = null; + }; + qbittorrent = lib.mkIf cfg.qbittorrent.enable { + uid = lib.mkForce 3005; + isSystemUser = true; + group = config.users.groups.media.name; extraGroups = [ config.users.groups.apps.name ]; + home = "/var/empty"; + shell = null; + }; + radarr = lib.mkIf cfg.radarr.enable { + uid = lib.mkForce 3006; + isSystemUser = true; + group = config.users.groups.media.name; + home = "/var/empty"; + shell = null; + }; + sonarr = lib.mkIf cfg.sonarr.enable { + uid = lib.mkForce 3007; + isSystemUser = true; + group = config.users.groups.media.name; + home = "/var/empty"; + shell = null; }; - radarr = lib.mkIf cfg.radarr.enable (mkUser 3006); - sonarr = lib.mkIf cfg.sonarr.enable (mkUser 3007); }; virtualisation.oci-containers.containers = let diff --git a/modules/apps/bind9/db.depeuter.dev b/modules/apps/bind9/db.depeuter.dev index 72f3825..d3b6b42 100644 --- a/modules/apps/bind9/db.depeuter.dev +++ b/modules/apps/bind9/db.depeuter.dev @@ -1,6 +1,6 @@ $TTL 604800 @ IN SOA ns1 admin ( - 15 ; Serial + 18 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire @@ -40,6 +40,9 @@ sonarr IN A 192.168.0.33 ; Development VM plex IN A 192.168.0.91 +code IN A 192.168.0.91 +*.code IN A 192.168.0.91 + ; Catchalls *.production IN A 192.168.0.31 *.development IN A 192.168.0.91 diff --git a/modules/apps/coder/default.nix b/modules/apps/coder/default.nix new file mode 100644 index 0000000..18751c8 --- /dev/null +++ b/modules/apps/coder/default.nix @@ -0,0 +1,148 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.homelab.apps.coder; + + postgresUser = "coder"; + postgresPassword = "ChangeMe"; + postgresDb = "coder"; + + networkName = "coder"; + proxyNet = config.homelab.apps.traefik.sharedNetworkName; + + coderVersion = "v2.25.3"; + coderDbVersion = "17.6"; +in { + options.homelab.apps.coder = { + enable = lib.mkEnableOption "Coder (Docker)"; + port = lib.mkOption { + type = lib.types.port; + default = 7080; + description = "Port to expose Coder on."; + }; + accessUrl = lib.mkOption { + type = lib.types.str; + description = "The URL to access Coder at."; + }; + wildcardAccessUrl = lib.mkOption { + type = lib.types.str; + description = "A wildcard URL to access Coder at (e.g. for workspaces)."; + }; + + db.port = lib.mkOption { + type = lib.types.either lib.types.bool lib.types.port; + default = false; + description = "Port to expose the database on. Set to false to not expose."; + }; + }; + + config = lib.mkIf cfg.enable { + homelab.virtualisation.containers.enable = true; + + systemd.services."docker-${networkName}-create-network" = { + description = "Create Docker network for ${networkName}"; + requiredBy = [ + "docker-coder.service" + "docker-coderDb.service" + ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + if ! ${pkgs.docker}/bin/docker network ls | grep -q ${networkName}; then + ${pkgs.docker}/bin/docker network create ${networkName} + fi + ''; + }; + + virtualisation.oci-containers.containers = { + coder = let + coderPort = 7080; + in { + hostname = "coder"; + image = "ghcr.io/coder/coder:${coderVersion}"; + autoStart = true; + dependsOn = [ + "coderDb" + ]; + extraOptions = [ + "--group-add" "131" # Add docker group to access the socket + + # Modify DNS + "--dns=192.168.0.91" + ]; + ports = [ + "${toString cfg.port}:${toString coderPort}/tcp" + ]; + networks = [ + networkName + proxyNet + ]; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + ]; + labels = { + "traefik.enable" = "true"; + "traefik.docker.network" = proxyNet; + "traefik.http.routers.coder.rule" = "HostRegexp(`.+\.code\.depeuter\.dev`) || Host(`code.depeuter.dev`)"; + "traefik.http.services.coder.loadbalancer.server.port" = toString coderPort; + }; + environment = { + CODER_PG_CONNECTION_URL = "postgresql://${postgresUser}:${postgresPassword}@coder-db/${postgresDb}?sslmode=disable"; + + # Required if you are not using the tunnel + CODER_ACCESS_URL = cfg.accessUrl; + CODER_WILDCARD_ACCESS_URL = cfg.wildcardAccessUrl; + CODER_DISABLE_PATH_APPS = "false"; # TODO Enable me! + + CODER_HTTP_ADDRESS = "0.0.0.0:${toString coderPort}"; + CODER_TLS_ENABLE = "false"; + + # TODO Enable me! + #CODER_REDIRECT_TO_ACCESS_URL = "true"; + + # Disable telemetry + CODER_TELEMETRY_ENABLED = "false"; + }; + }; + + coderDb = { + hostname = "coder-db"; + image = "postgres:${coderDbVersion}"; + autoStart = true; + extraOptions = [ + ''--health-cmd="pg_isready -U ${postgresUser} -d ${postgresDb}"'' + "--health-interval=5s" + "--health-timeout=5s" + "--health-retries=5" + ]; + ports = lib.mkIf cfg.db.port [ + "${toString cfg.db.port}:5432/tcp" + ]; + networks = [ + networkName + ]; + volumes = [ + "coder_data:/var/lib/postgresql/data" + ]; + environment = { + POSTGRES_USER = postgresUser; + POSTGRES_PASSWORD = postgresPassword; + POSTGRES_DB = postgresDb; + }; + }; + + traefik.cmd = [ + "--entrypoints.websecure.http.tls.domains[2].main=code.depeuter.dev" + "--entrypoints.websecure.http.tls.domains[2].sans=*.code.depeuter.dev" + ]; + }; + + virtualisation.docker.daemon.settings = { + dns = [ + "192.168.0.91" + ]; + }; + }; +} diff --git a/modules/apps/default.nix b/modules/apps/default.nix index 7c8b8f8..9974f68 100644 --- a/modules/apps/default.nix +++ b/modules/apps/default.nix @@ -4,6 +4,7 @@ ./bind9 ./calibre ./changedetection + ./coder ./freshrss ./gitea ./jellyfin diff --git a/modules/apps/vaultwarden/default.nix b/modules/apps/vaultwarden/default.nix index 4510299..4b1016e 100644 --- a/modules/apps/vaultwarden/default.nix +++ b/modules/apps/vaultwarden/default.nix @@ -8,7 +8,7 @@ in { options.homelab.apps.vaultwarden = { enable = lib.mkEnableOption "Vaultwarden"; port = lib.mkOption { - type = lib.types.int; + type = lib.types.port; default = 10102; description = "Vaultwarden WebUI port"; }; diff --git a/users/admin/default.nix b/users/admin/default.nix index dc01c81..4038266 100644 --- a/users/admin/default.nix +++ b/users/admin/default.nix @@ -3,30 +3,24 @@ let cfg = config.homelab.users.admin; in { - options.homelab.users.admin = { - enable = lib.mkEnableOption "user System Administrator"; - authorizedKeys = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ - # HomeLab > NixOS > admin > ssh - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T" - ]; - }; - }; + options.homelab.users.admin.enable = lib.mkEnableOption "user System Administrator"; config = lib.mkIf cfg.enable { nix.settings.trusted-users = [ - config.users.users.gh0st.name + config.users.users.admin.name ]; - users.users.gh0st = { + users.users.admin = { description = "System Administrator"; isNormalUser = true; extraGroups = [ config.users.groups.wheel.name # Enable 'sudo' for the user. ]; initialPassword = "ChangeMe"; - openssh.authorizedKeys.keys = cfg.authorizedKeys; + openssh.authorizedKeys.keys = [ + # HomeLab > NixOS > admin > ssh + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T" + ]; packages = with pkgs; [ curl git diff --git a/users/backup/default.nix b/users/backup/default.nix index acae033..8181d02 100644 --- a/users/backup/default.nix +++ b/users/backup/default.nix @@ -13,8 +13,13 @@ in { "docker" # Allow access to the docker socket. ]; openssh.authorizedKeys.keys = [ + # TODO ChangeMe + + # Tibo-NixFat + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg" + # Hugo - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAxR813vqq5zbu1NHrIybu5Imlu3k0rDCGxHiuGEhPoVV9c5FpnKNGLCi3ctm15ZcVBX4HcponYsKRBsCzM2pI4uXjxhHkLzbss5LttFuSzv5v/QHfLW1bvyJEMBEPxguGqAydAeWrBFdI9uHBEXeb325uKxMKBZHYvvpyAQ115c1wKy1bL8BfR0LTkhsFqexRvI86q59AVrAU/KFf6RXO0T9QA6H/vyWLlIPc7Ta+tSWwQ68bMmS5Pwn8q58tOAOAd6Lpt4TqUDJSppPjLEPKyKC6ShwMdEjwmwpEG0hxfsvaU8XERyQbSbEE9sLHRA2LoEdtMx3J8nzX3AwYUNspsqIv6NQZksnVqJ8OfL45ngUFcSJ6kBsUvCZfzEUGUTJ6Js0v84NOIXxNG/ZfPsk6ArXm3dvj2TYeK8llO6wpJnMMyztmmiODWoj9tepZSij44IgVM5wdWYIK/RZoYTsCQbmvJFfB8jhyJnf/7F19Vo5+LwhmCOsQh/KEK0F1DVc= admin@Hugo" ]; }; };