tdpeuter/bos55-nix-config-cicd
1
Fork 0
forked from Bos55/nix-config
Code Pull requests 1 Releases Packages Activity Actions

Compare commits

base: tdpeuter:dev
Branches Tags
tdpeuter:dev
tdpeuter:feat/coder
tdpeuter:feat/solidtime
tdpeuter:feat/penpot
tdpeuter:main
Bos55:dev
Bos55:feat/coder
Bos55:feat/penpot
Bos55:main
..
compare: tdpeuter:feat/coder
Branches Tags
tdpeuter:dev
tdpeuter:feat/coder
tdpeuter:feat/solidtime
tdpeuter:feat/penpot
tdpeuter:main
Bos55:dev
Bos55:feat/coder
Bos55:feat/penpot
Bos55:main

3 commits
dev ... feat/coder

Author SHA1 Message Date
Tibo De Peuter
ae777ec460
fix(coder): Reverse proxy domains 2025-10-11 15:29:58 +02:00
Tibo De Peuter
c5f857f0f1 Merge branch 'dev' into feat/coder 2025-10-07 23:06:44 +02:00
Tibo De Peuter
ef55596de6 feat(coder): Add module 2025-10-07 23:02:48 +02:00
17 changed files with 335 additions and 249 deletions
Download patch file Download diff file Expand all files Collapse all files

48
.github/workflows/build.yml vendored
View file

@ -1,48 +0,0 @@
name: "Build"
on:
pull_request:
push:
env:
RUNNER_TOOL_CACHE: /toolcache
jobs:
determine-hosts:
name: "Determining hosts to build"
runs-on: ubuntu-latest
container:
image: catthehacker/ubuntu:act-latest
outputs:
hosts: ${{ steps.hosts.outputs.hostnames }}
steps:
- uses: actions/checkout@v5
- uses: https://github.com/cachix/install-nix-action@v31
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: "Determine hosts"
id: hosts
run: |
hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)"
printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}"
build:
runs-on: ubuntu-latest
container:
image: catthehacker/ubuntu:act-latest
needs: determine-hosts
strategy:
matrix:
hostname: [
Development
Testing
]
steps:
- uses: actions/checkout@v5
- uses: https://github.com/cachix/install-nix-action@v31
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: "Build host"
run: |
nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel"

17
.github/workflows/test.yml vendored
View file

@ -1,17 +0,0 @@
name: "Test"
on:
pull_request:
push:
jobs:
tests:
if: false
runs-on: ubuntu-latest
container:
image: catthehacker/ubuntu:act-latest
steps:
- uses: actions/checkout@v5
- uses: https://github.com/cachix/install-nix-action@v31
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: "My custom step"
run: nix run nixpkgs#hello

2
.gitignore vendored
View file

@ -1,2 +0,0 @@
.idea
result

12
flake.lock generated
View file

@ -20,11 +20,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1760524057, "lastModified": 1759381078,
"narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=", "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5", "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -48,11 +48,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760393368, "lastModified": 1759188042,
"narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", "narHash": "sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", "rev": "9fcfabe085281dd793589bdc770a2e577a3caa5d",
"type": "github" "type": "github"
}, },
"original": { "original": {

9
hosts/Binnenpost/default.nix
View file

@ -16,7 +16,6 @@
apps = { apps = {
speedtest.enable = true; speedtest.enable = true;
technitiumDNS.enable = true; technitiumDNS.enable = true;
traefik.enable = true;
}; };
virtualisation.guest.enable = true; virtualisation.guest.enable = true;
}; };
@ -77,14 +76,6 @@
}; };
}; };
virtualisation.oci-containers.containers.traefik.labels = {
"traefik.http.routers.roxanne.rule" = "Host(`roxanne.depeuter.dev`)";
"traefik.http.services.roxanne.loadbalancer.server.url" = "https://192.168.0.13:8006";
"traefik.http.routers.hugo.rule" = "Host(`hugo.depeuter.dev`)";
"traefik.http.services.hugo.loadbalancer.server.url" = "https://192.168.0.11:444";
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
}; };
} }

9
hosts/Development/default.nix
View file

@ -5,12 +5,13 @@
homelab = { homelab = {
apps = { apps = {
bind9.enable = true; bind9.enable = true;
homepage = {
enable = true;
exposePort = true;
};
traefik.enable = true; traefik.enable = true;
plex.enable = true; plex.enable = true;
coder = {
enable = true;
accessUrl = "https://code.depeuter.dev";
wildcardAccessUrl = "*.code.depeuter.dev";
};
}; };
virtualisation.guest.enable = true; virtualisation.guest.enable = true;
}; };

7
hosts/Gitea/default.nix
View file

@ -5,13 +5,6 @@
homelab = { homelab = {
apps.gitea.enable = true; apps.gitea.enable = true;
virtualisation.guest.enable = true; virtualisation.guest.enable = true;
users.admin = {
enable = true;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrp6aM62Bf7bj1YM5AlAWuNrANU3N5e8+LtbbpmZPKS"
];
};
}; };
networking = { networking = {

32
hosts/Ingress/default.nix
View file

@ -68,12 +68,7 @@ prefixLength = 24;
# List services that you want to enable. # List services that you want to enable.
services = { services = {
# Enable Nginx as a reverse proxy # Enable Nginx as a reverse proxy
nginx = let nginx = {
nextcloud = {
host = "192.168.0.23";
officePort = 8080;
};
in {
enable = true; enable = true;
# Use recommended settings # Use recommended settings
@ -85,7 +80,7 @@ prefixLength = 24;
# Only allow PFS-enabled ciphers with AES256 # Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
upstreams.docservice.servers."${nextcloud.host}:${toString nextcloud.officePort}" = {}; upstreams.docservice.servers."192.168.0.14:8080" = {};
appendHttpConfig = '' appendHttpConfig = ''
map $http_x_forwarded_proto $the_scheme { map $http_x_forwarded_proto $the_scheme {
@ -117,14 +112,14 @@ prefixLength = 24;
forceSSL = true; forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${nextcloud.host}"; proxyPass = "http://192.168.0.14";
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
fastcgi_request_buffering off; fastcgi_request_buffering off;
''; '';
}; };
"/office/" = { "/office/" = {
proxyPass = "http://${nextcloud.host}:${toString nextcloud.officePort}/"; proxyPass = "http://192.168.0.14:8080/";
priority = 500; priority = 500;
recommendedProxySettings = false; recommendedProxySettings = false;
extraConfig = '' extraConfig = ''
@ -142,6 +137,12 @@ prefixLength = 24;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
''; '';
}; };
"calendar.depeuter.dev" = {
useACMEHost = "depeuter.dev";
locations."/".return = "301 https://cloud.depeuter.dev/apps/calendar";
};
"tasks.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/tasks";
"notes.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/notes";
"home.depeuter.dev" = { "home.depeuter.dev" = {
enableACME = true; enableACME = true;
@ -157,17 +158,12 @@ prefixLength = 24;
}; };
}; };
"jelly.depeuter.dev" = let "jelly.depeuter.dev" = {
jellyfin = {
host = "192.168.0.94";
port = 8096;
};
in {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${jellyfin.host}:${toString jellyfin.port}"; proxyPass = "http://192.168.0.94:8096";
extraConfig = '' extraConfig = ''
# Proxy main Jellyfin traffic # Proxy main Jellyfin traffic
proxy_set_header Host $host; proxy_set_header Host $host;
@ -182,7 +178,7 @@ prefixLength = 24;
''; '';
}; };
"/socket" = { "/socket" = {
proxyPass = "http://${jellyfin.host}:${toString jellyfin.port}"; proxyPass = "http://192.168.0.91:8096";
extraConfig = '' extraConfig = ''
# Proxy Jellyfin Websockets traffic # Proxy Jellyfin Websockets traffic
proxy_http_version 1.1; proxy_http_version 1.1;
@ -244,7 +240,7 @@ prefixLength = 24;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://192.168.0.22:10102"; proxyPass = "http://192.168.0.22:10102";
proxyWebsockets = true; proxyWebSockets = true;
}; };
"~ ^/admin".return = 403; "~ ^/admin".return = 403;
}; };

7
hosts/Vaultwarden/default.nix
View file

@ -9,13 +9,6 @@
name = "Hugo's Vault"; name = "Hugo's Vault";
}; };
virtualisation.guest.enable = true; virtualisation.guest.enable = true;
users.admin = {
enable = true;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
];
};
}; };
networking = { networking = {

178
modules/apps/arr/default.nix
View file

@ -12,16 +12,7 @@ let
PGID = toString config.users.groups.media.gid; PGID = toString config.users.groups.media.gid;
UMASK = "002"; UMASK = "002";
in { in {
options.homelab.apps.arr = let options.homelab.apps.arr = {
mkAppOption = appName: {
enable = lib.mkEnableOption "${appName} using Docker";
exposePorts = lib.mkOption {
type = lib.types.bool;
description = "Expose ${appName} port";
default = cfg.exposePorts;
};
};
in {
enable = lib.mkEnableOption "Arr Stack using Docker"; enable = lib.mkEnableOption "Arr Stack using Docker";
exposePorts = lib.mkOption { exposePorts = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
@ -30,11 +21,46 @@ in {
default = ! config.homelab.apps.traefik.enable; default = ! config.homelab.apps.traefik.enable;
}; };
bazarr = mkAppOption "Bazarr"; bazarr = {
prowlarr = mkAppOption "Prowlarr"; enable = lib.mkEnableOption "Bazarr using Docker";
qbittorrent = mkAppOption "qBittorrent"; exposePorts = lib.mkOption {
radarr = mkAppOption "Radarr"; type = lib.types.bool;
sonarr = mkAppOption "Sonarr"; description = "Expose Bazarr port";
default = cfg.exposePorts;
};
};
prowlarr = {
enable = lib.mkEnableOption "Prowlarr using Docker";
exposePorts = lib.mkOption {
type = lib.types.bool;
description = "Expose Prowlarr port";
default = cfg.exposePorts;
};
};
qbittorrent = {
enable = lib.mkEnableOption "qBittorrent using Docker";
exposePorts = lib.mkOption {
type = lib.types.bool;
description = "Expose qBittorrent port";
default = cfg.exposePorts;
};
};
radarr = {
enable = lib.mkEnableOption "Radarr using Docker";
exposePorts = lib.mkOption {
type = lib.types.bool;
description = "Expose Radarr port";
default = cfg.exposePorts;
};
};
sonarr = {
enable = lib.mkEnableOption "Sonarr using Docker";
exposePorts = lib.mkOption {
type = lib.types.bool;
description = "Expose Sonarr port";
default = cfg.exposePorts;
};
};
}; };
config = { config = {
@ -61,9 +87,9 @@ in {
virtualisation.containers.enable = lib.mkIf inUse true; virtualisation.containers.enable = lib.mkIf inUse true;
}; };
fileSystems = let fileSystems = lib.mkIf inUse {
mkFileSystem = device: { "/srv/bazarr-backup" = lib.mkIf cfg.bazarr.enable {
inherit device; device = "192.168.0.11:/mnt/BIG/BACKUP/BAZARR";
fsType = "nfs"; fsType = "nfs";
options = [ options = [
"rw" "rw"
@ -76,14 +102,75 @@ in {
]; ];
}; };
hugoBackup = "192.168.0.11:/mnt/BIG/BACKUP"; "/srv/prowlarr-backup" = lib.mkIf cfg.prowlarr.enable {
in lib.mkIf inUse { device = "192.168.0.11:/mnt/BIG/BACKUP/PROWLARR";
"/srv/bazarr-backup" = lib.mkIf cfg.bazarr.enable (mkFileSystem "${hugoBackup}/BAZARR"); fsType = "nfs";
"/srv/prowlarr-backup" = lib.mkIf cfg.bazarr.enable (mkFileSystem "${hugoBackup}/PROWLARR"); options = [
"/srv/qbittorrent" = lib.mkIf cfg.qbittorrent.enable (mkFileSystem "192.168.0.11:/mnt/SMALL/CONFIG/QBITTORRENT"); "rw"
"/srv/radarr-backup" = lib.mkIf cfg.radarr.enable (mkFileSystem "${hugoBackup}/RADARR"); "auto"
"/srv/sonarr-backup" = lib.mkIf cfg.sonarr.enable (mkFileSystem "${hugoBackup}/SONARR"); "nfsvers=4.2"
"/srv/torrent" = mkFileSystem "192.168.0.11:/mnt/SMALL/MEDIA/TORRENT"; "rsize=1048576" "wsize=1048576"
"hard"
"timeo=600" "retrans=2"
"_netdev" "nosuid" "tcp"
];
};
"/srv/qbittorrent" = lib.mkIf cfg.qbittorrent.enable {
device = "192.168.0.11:/mnt/SMALL/CONFIG/QBITTORRENT";
fsType = "nfs";
options = [
"rw"
"auto"
"nfsvers=4.2"
"rsize=1048576" "wsize=1048576"
"hard"
"timeo=600" "retrans=2"
"_netdev" "nosuid" "tcp"
];
};
"/srv/radarr-backup" = lib.mkIf cfg.radarr.enable {
device = "192.168.0.11:/mnt/BIG/BACKUP/RADARR";
fsType = "nfs";
options = [
"rw"
"auto"
"nfsvers=4.2"
"rsize=1048576" "wsize=1048576"
"hard"
"timeo=600" "retrans=2"
"_netdev" "nosuid" "tcp"
];
};
"/srv/sonarr-backup" = lib.mkIf cfg.sonarr.enable {
device = "192.168.0.11:/mnt/BIG/BACKUP/SONARR";
fsType = "nfs";
options = [
"rw"
"auto"
"nfsvers=4.2"
"rsize=1048576" "wsize=1048576"
"hard"
"timeo=600" "retrans=2"
"_netdev" "nosuid" "tcp"
];
};
"/srv/torrent" = {
device = "192.168.0.11:/mnt/SMALL/MEDIA/TORRENT";
fsType = "nfs";
options = [
"rw"
"auto"
"nfsvers=4.2"
"rsize=1048576" "wsize=1048576"
"hard"
"timeo=600" "retrans=2"
"_netdev" "nosuid" "tcp"
];
};
}; };
# Make sure the Docker network exists. # Make sure the Docker network exists.
@ -108,24 +195,45 @@ in {
}; };
# Create a user for each app. # Create a user for each app.
users.users = let users.users = {
mkUser = uid: { bazarr = lib.mkIf cfg.bazarr.enable {
uid = lib.mkForce uid; uid = lib.mkForce 3003;
isSystemUser = true; isSystemUser = true;
group = config.users.groups.media.name; group = config.users.groups.media.name;
home = "/var/empty"; home = "/var/empty";
shell = null; shell = null;
}; };
in { prowlarr = lib.mkIf cfg.prowlarr.enable {
bazarr = lib.mkIf cfg.bazarr.enable (mkUser 3003); uid = lib.mkForce 3004;
prowlarr = lib.mkIf cfg.prowlarr.enable (mkUser 3004); isSystemUser = true;
qbittorrent = lib.mkIf cfg.qbittorrent.enable (mkUser 3005) // { group = config.users.groups.media.name;
home = "/var/empty";
shell = null;
};
qbittorrent = lib.mkIf cfg.qbittorrent.enable {
uid = lib.mkForce 3005;
isSystemUser = true;
group = config.users.groups.media.name;
extraGroups = [ extraGroups = [
config.users.groups.apps.name config.users.groups.apps.name
]; ];
home = "/var/empty";
shell = null;
};
radarr = lib.mkIf cfg.radarr.enable {
uid = lib.mkForce 3006;
isSystemUser = true;
group = config.users.groups.media.name;
home = "/var/empty";
shell = null;
};
sonarr = lib.mkIf cfg.sonarr.enable {
uid = lib.mkForce 3007;
isSystemUser = true;
group = config.users.groups.media.name;
home = "/var/empty";
shell = null;
}; };
radarr = lib.mkIf cfg.radarr.enable (mkUser 3006);
sonarr = lib.mkIf cfg.sonarr.enable (mkUser 3007);
}; };
virtualisation.oci-containers.containers = let virtualisation.oci-containers.containers = let

5
modules/apps/bind9/db.depeuter.dev
View file

@ -1,6 +1,6 @@
$TTL 604800 $TTL 604800
@ IN SOA ns1 admin ( @ IN SOA ns1 admin (
15 ; Serial 18 ; Serial
604800 ; Refresh 604800 ; Refresh
86400 ; Retry 86400 ; Retry
2419200 ; Expire 2419200 ; Expire
@ -40,6 +40,9 @@ sonarr IN A 192.168.0.33
; Development VM ; Development VM
plex IN A 192.168.0.91 plex IN A 192.168.0.91
code IN A 192.168.0.91
*.code IN A 192.168.0.91
; Catchalls ; Catchalls
*.production IN A 192.168.0.31 *.production IN A 192.168.0.31
*.development IN A 192.168.0.91 *.development IN A 192.168.0.91

148
modules/apps/coder/default.nix Normal file
View file

@ -0,0 +1,148 @@
{ config, lib, pkgs, ... }:
let
cfg = config.homelab.apps.coder;
postgresUser = "coder";
postgresPassword = "ChangeMe";
postgresDb = "coder";
networkName = "coder";
proxyNet = config.homelab.apps.traefik.sharedNetworkName;
coderVersion = "v2.25.3";
coderDbVersion = "17.6";
in {
options.homelab.apps.coder = {
enable = lib.mkEnableOption "Coder (Docker)";
port = lib.mkOption {
type = lib.types.port;
default = 7080;
description = "Port to expose Coder on.";
};
accessUrl = lib.mkOption {
type = lib.types.str;
description = "The URL to access Coder at.";
};
wildcardAccessUrl = lib.mkOption {
type = lib.types.str;
description = "A wildcard URL to access Coder at (e.g. for workspaces).";
};
db.port = lib.mkOption {
type = lib.types.either lib.types.bool lib.types.port;
default = false;
description = "Port to expose the database on. Set to false to not expose.";
};
};
config = lib.mkIf cfg.enable {
homelab.virtualisation.containers.enable = true;
systemd.services."docker-${networkName}-create-network" = {
description = "Create Docker network for ${networkName}";
requiredBy = [
"docker-coder.service"
"docker-coderDb.service"
];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
if ! ${pkgs.docker}/bin/docker network ls | grep -q ${networkName}; then
${pkgs.docker}/bin/docker network create ${networkName}
fi
'';
};
virtualisation.oci-containers.containers = {
coder = let
coderPort = 7080;
in {
hostname = "coder";
image = "ghcr.io/coder/coder:${coderVersion}";
autoStart = true;
dependsOn = [
"coderDb"
];
extraOptions = [
"--group-add" "131" # Add docker group to access the socket
# Modify DNS
"--dns=192.168.0.91"
];
ports = [
"${toString cfg.port}:${toString coderPort}/tcp"
];
networks = [
networkName
proxyNet
];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
labels = {
"traefik.enable" = "true";
"traefik.docker.network" = proxyNet;
"traefik.http.routers.coder.rule" = "HostRegexp(`.+\.code\.depeuter\.dev`) || Host(`code.depeuter.dev`)";
"traefik.http.services.coder.loadbalancer.server.port" = toString coderPort;
};
environment = {
CODER_PG_CONNECTION_URL = "postgresql://${postgresUser}:${postgresPassword}@coder-db/${postgresDb}?sslmode=disable";
# Required if you are not using the tunnel
CODER_ACCESS_URL = cfg.accessUrl;
CODER_WILDCARD_ACCESS_URL = cfg.wildcardAccessUrl;
CODER_DISABLE_PATH_APPS = "false"; # TODO Enable me!
CODER_HTTP_ADDRESS = "0.0.0.0:${toString coderPort}";
CODER_TLS_ENABLE = "false";
# TODO Enable me!
#CODER_REDIRECT_TO_ACCESS_URL = "true";
# Disable telemetry
CODER_TELEMETRY_ENABLED = "false";
};
};
coderDb = {
hostname = "coder-db";
image = "postgres:${coderDbVersion}";
autoStart = true;
extraOptions = [
''--health-cmd="pg_isready -U ${postgresUser} -d ${postgresDb}"''
"--health-interval=5s"
"--health-timeout=5s"
"--health-retries=5"
];
ports = lib.mkIf cfg.db.port [
"${toString cfg.db.port}:5432/tcp"
];
networks = [
networkName
];
volumes = [
"coder_data:/var/lib/postgresql/data"
];
environment = {
POSTGRES_USER = postgresUser;
POSTGRES_PASSWORD = postgresPassword;
POSTGRES_DB = postgresDb;
};
};
traefik.cmd = [
"--entrypoints.websecure.http.tls.domains[2].main=code.depeuter.dev"
"--entrypoints.websecure.http.tls.domains[2].sans=*.code.depeuter.dev"
];
};
virtualisation.docker.daemon.settings = {
dns = [
"192.168.0.91"
];
};
};
}

2
modules/apps/default.nix
View file

@ -4,9 +4,9 @@
./bind9 ./bind9
./calibre ./calibre
./changedetection ./changedetection
./coder
./freshrss ./freshrss
./gitea ./gitea
./homepage
./jellyfin ./jellyfin
./plex ./plex
./speedtest ./speedtest

79
modules/apps/homepage/default.nix
View file

@ -1,79 +0,0 @@
{ config, lib, ... }:
let
cfg = config.homelab.apps.homepage;
PUID = toString config.users.users.homepage.uid;
PGID = toString config.users.groups.apps.gid;
homepage-config = "/srv/homepage-config";
proxyNet = config.homelab.apps.traefik.sharedNetworkName;
in {
options.homelab.apps.homepage = {
enable = lib.mkEnableOption "homepage";
port = lib.mkOption {
type = lib.types.int;
default = 3000;
description = "homepage WebUI port";
};
exposePort = lib.mkEnableOption "expose homepage port";
};
config = lib.mkIf cfg.enable {
homelab = {
users.apps.enable = true;
virtualisation.containers.enable = true;
};
users.users.homepage = {
uid = lib.mkForce 3018;
isSystemUser = true;
group = config.users.groups.apps.name;
home = "/var/empty";
shell = null;
};
fileSystems."${homepage-config}" = {
device = "192.168.0.11:/mnt/SMALL/CONFIG/HOMEPAGE";
fsType = "nfs";
options = [
"rw"
"auto"
"nfsvers=4.2"
"async" "soft" "timeo=100" "retry=50" "actimeo=1800" "lookupcache=all"
"nosuid" "tcp"
];
};
virtualisation.oci-containers.containers.homepage = let
host = "homepage.${config.networking.domain}";
in {
hostname = "homepage";
image = "ghcr.io/gethomepage/homepage:v1.10.1";
autoStart = true;
user = "${toString PUID}:${toString PGID}";
ports = lib.mkIf cfg.exposePort [
"${toString cfg.port}:3000/tcp"
];
networks = [
proxyNet
];
volumes = [
"${homepage-config}:/app/config"
# "/var/run/docker.sock:/var/run/docker.sock:ro" # For docker integrations
];
labels = {
"traefik.enable" = "true";
"traefik.docker.network" = proxyNet;
"traefik.http.routers.homepage.rule" = "Host(`${host}`)";
"traefik.http.services.homepage.loadbalancer.server.port" = toString cfg.port;
};
environment = {
inherit PUID PGID;
HOMEPAGE_ALLOWED_HOSTS = "${host},192.168.0.91:3000";
};
};
};
}

2
modules/apps/vaultwarden/default.nix
View file

@ -8,7 +8,7 @@ in {
options.homelab.apps.vaultwarden = { options.homelab.apps.vaultwarden = {
enable = lib.mkEnableOption "Vaultwarden"; enable = lib.mkEnableOption "Vaultwarden";
port = lib.mkOption { port = lib.mkOption {
type = lib.types.int; type = lib.types.port;
default = 10102; default = 10102;
description = "Vaultwarden WebUI port"; description = "Vaultwarden WebUI port";
}; };

20
users/admin/default.nix
View file

@ -3,30 +3,24 @@
let let
cfg = config.homelab.users.admin; cfg = config.homelab.users.admin;
in { in {
options.homelab.users.admin = { options.homelab.users.admin.enable = lib.mkEnableOption "user System Administrator";
enable = lib.mkEnableOption "user System Administrator";
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [
# HomeLab > NixOS > admin > ssh
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T"
];
};
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
nix.settings.trusted-users = [ nix.settings.trusted-users = [
config.users.users.gh0st.name config.users.users.admin.name
]; ];
users.users.gh0st = { users.users.admin = {
description = "System Administrator"; description = "System Administrator";
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
config.users.groups.wheel.name # Enable 'sudo' for the user. config.users.groups.wheel.name # Enable 'sudo' for the user.
]; ];
initialPassword = "ChangeMe"; initialPassword = "ChangeMe";
openssh.authorizedKeys.keys = cfg.authorizedKeys; openssh.authorizedKeys.keys = [
# HomeLab > NixOS > admin > ssh
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T"
];
packages = with pkgs; [ packages = with pkgs; [
curl curl
git git

7
users/backup/default.nix
View file

@ -13,8 +13,13 @@ in {
"docker" # Allow access to the docker socket. "docker" # Allow access to the docker socket.
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
# TODO ChangeMe
# Tibo-NixFat
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
# Hugo # Hugo
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAxR813vqq5zbu1NHrIybu5Imlu3k0rDCGxHiuGEhPoVV9c5FpnKNGLCi3ctm15ZcVBX4HcponYsKRBsCzM2pI4uXjxhHkLzbss5LttFuSzv5v/QHfLW1bvyJEMBEPxguGqAydAeWrBFdI9uHBEXeb325uKxMKBZHYvvpyAQ115c1wKy1bL8BfR0LTkhsFqexRvI86q59AVrAU/KFf6RXO0T9QA6H/vyWLlIPc7Ta+tSWwQ68bMmS5Pwn8q58tOAOAd6Lpt4TqUDJSppPjLEPKyKC6ShwMdEjwmwpEG0hxfsvaU8XERyQbSbEE9sLHRA2LoEdtMx3J8nzX3AwYUNspsqIv6NQZksnVqJ8OfL45ngUFcSJ6kBsUvCZfzEUGUTJ6Js0v84NOIXxNG/ZfPsk6ArXm3dvj2TYeK8llO6wpJnMMyztmmiODWoj9tepZSij44IgVM5wdWYIK/RZoYTsCQbmvJFfB8jhyJnf/7F19Vo5+LwhmCOsQh/KEK0F1DVc= admin@Hugo"
]; ];
}; };
}; };