diff --git a/.sops.yaml b/.sops.yaml index e69de29..c35109d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - ¬oh age1ckvmyqkwk69j64ev3fmckytz6k2dv79z4gn5qf6gxqyevp5yjfesdfkxmn +creation_rules: + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - age: + - *notoh \ No newline at end of file diff --git a/hosts/hime/default.nix b/hosts/hime/default.nix index b7c6cad..ea9dcff 100644 --- a/hosts/hime/default.nix +++ b/hosts/hime/default.nix @@ -22,7 +22,6 @@ xkbVariant = ""; }; - virtualisation.docker.enable = true; users = { defaultUserShell = pkgs.nushell; users.oh = { @@ -33,7 +32,6 @@ }; environment.systemPackages = with pkgs; [ - docker-compose hugo wget python3Full diff --git a/hosts/sakura/default.nix b/hosts/sakura/default.nix index f4c7ed7..880cdc9 100644 --- a/hosts/sakura/default.nix +++ b/hosts/sakura/default.nix @@ -6,6 +6,7 @@ imports = [ ./hardware-configuration.nix ../../modules + ../../modules/services ]; boot.loader = { @@ -16,7 +17,6 @@ useOSProber = false; }; }; - networking = { hostName = "sakura"; }; @@ -26,7 +26,6 @@ xkbVariant = ""; }; - virtualisation.docker.enable = true; users = { defaultUserShell = pkgs.nushell; users.notoh = { diff --git a/hosts/sutakku/default.nix b/hosts/sutakku/default.nix index 9690d22..1415327 100644 --- a/hosts/sutakku/default.nix +++ b/hosts/sutakku/default.nix @@ -26,7 +26,6 @@ xkbVariant = ""; }; - virtualisation.docker.enable = true; users = { defaultUserShell = pkgs.nushell; users.oh = { diff --git a/modules/default.nix b/modules/default.nix index 2702246..74b8690 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -5,5 +5,6 @@ ./nix.nix ./system.nix ./openssh.nix + ./virtualisation.nix ]; } diff --git a/modules/services/default.nix b/modules/services/default.nix new file mode 100644 index 0000000..8068404 --- /dev/null +++ b/modules/services/default.nix 
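Review bot: The only recipient under `keys:` is the single age public key `age1ckv…`, so whichever machine has to decrypt `secrets/*.yaml` at activation (sakura, if sops-nix is wired up there) must hold that same private key, which then doubles as the editing key. The usual split is to keep this key for editing and add each host's own recipient, derived from its SSH host key with `ssh-to-age`, e.g. `- &sakura age1…` under `keys:` and `- *sakura` next to `- *notoh` in `key_groups`, then `sops updatekeys secrets/secrets.yaml`, so a compromised host does not surrender the key that can re-encrypt every secret. The anchor is shown here as `¬oh`, which looks like `&notoh` mangled by entity decoding on this page rather than in the file; still worth confirming the committed line has the `&`, since the `*notoh` alias in `key_groups` is the only thing binding the rule to a key.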
@@ -0,0 +1,10 @@
+{...}: {
+ imports = [
+ ./traefik.nix
+ ./homepage.nix
+ ./searxng.nix
+ ./hugo.nix
+ ./stash.nix
+ ./foundryvtt.nix
+ ];
+}
diff --git a/modules/services/foundryvtt.nix b/modules/services/foundryvtt.nix
new file mode 100644
index 0000000..a319e05
--- /dev/null
+++ b/modules/services/foundryvtt.nix
@@ -0,0 +1,13 @@
+{inputs, ...}: {
+ virtualisation.oci-containers.containers.foundryvtt = {
+ image = "felddy/foundryvtt:release";
+ ports = ["30000:30000"];
+ volumes = [
+ "/home/notoh/docker/foundryvtt:/data"
+ ];
+ environment = {
+ FOUNDRY_USERNAME = inputs.sops.secrets.foundry-username;
+ FOUNDRY_PASSWORD = inputs.sops.secrets.foundry-password;
+ };
+ };
+}
diff --git a/modules/services/homepage.nix b/modules/services/homepage.nix
new file mode 100644
index 0000000..ea065f5
--- /dev/null
+++ b/modules/services/homepage.nix
@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+ virtualisation.oci-containers.containers.homepage = {
+ ports = ["3000:3000"];
+ image = "ghcr.io/benphelps/homepage";
+ volumes = [
+ "/home/notoh/docker/homepage:/app/config"
+ "/var/run/docker.sock:/var/run/docker.sock:ro"
+ ];
+ };
+}
diff --git a/modules/services/hugo.nix b/modules/services/hugo.nix
new file mode 100644
index 0000000..fa60e40
--- /dev/null
+++ b/modules/services/hugo.nix
@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [hugo];
+ virtualisation.oci-containers.containers.hugo = {
+ image = "klakegg/hugo:0.101.0";
+ cmd = ["server" "sh"];
+ volumes = [
+ "/home/notoh/docker/hugo:/src"
+ ];
+ };
+}
diff --git a/modules/services/searxng.nix b/modules/services/searxng.nix
new file mode 100644
index 0000000..d71cf08
--- /dev/null
+++ b/modules/services/searxng.nix
@@ -0,0 +1,12 @@
+{...}: {
+ virtualisation.oci-containers.containers.searxng = {
+ image = "searxng/searxng";
+ ports = ["8085:8080"];
+ volumes = [
+ "/home/notoh/docker/searxng:/etc/searxng:rw"
+ ];
+ environment = {
+ INSTANCE_NAME = "test_instance";
+ };
+ };
+}
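Review bot: `FOUNDRY_USERNAME = inputs.sops.secrets.foundry-username;` on the `environment` lines cannot hand the container the secret: `inputs.sops` is the flake input, not the evaluated module configuration, so that attribute path does not exist, and even `config.sops.secrets.<name>` yields the path of a decrypted file on the host, never the value. Interpolating the plaintext here would be worse, because `environment` is rendered into the systemd unit in the world-readable Nix store and is visible in `docker inspect`. oci-containers has `environmentFiles` for this: declare the secret in the module and pass the container a file of `KEY=value` lines, with the secret kept in `secrets/secrets.yaml` as one multi-line entry (or assembled with `sops.templates`, if the pinned sops-nix provides it). While here, `felddy/foundryvtt:release` is a moving tag, and `ports = ["30000:30000"]` is bound on all interfaces by Docker ahead of the NixOS firewall; pin a version and use `"127.0.0.1:30000:30000"` if Traefik is meant to be the front door.
```nix
{config, ...}: {
  # sops-nix decrypts this to a root-only file (by default under /run/secrets);
  # it holds FOUNDRY_USERNAME=… and FOUNDRY_PASSWORD=… lines
  sops.secrets.foundry-env = {};
  virtualisation.oci-containers.containers.foundryvtt = {
    # … unchanged: image, ports, volumes …
    environmentFiles = [config.sops.secrets.foundry-env.path];
  };
}
```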
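Review bot: The `/var/run/docker.sock:/var/run/docker.sock:ro` mount gives the homepage container full control of the Docker daemon: `:ro` only makes the bind mount read-only, and a Unix socket is used through connect/write, so every API call (including starting a privileged container with `/` mounted) still works, which turns any bug in homepage or its upstream image into root on the host. If the Docker widget is wanted, point homepage at a socket proxy that only permits container listing (e.g. a `docker-socket-proxy` container with `CONTAINERS=1`, with the socket mounted there instead), otherwise drop the mount. `ghcr.io/benphelps/homepage` with no tag resolves to `latest`; pin a version or digest. `ports = ["3000:3000"]` is published on every interface through Docker's own iptables chain, ahead of `networking.firewall`, while Traefik already routes `homepage@docker`; `"127.0.0.1:3000:3000"` or no `ports` at all closes that.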
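Review bot: `cmd = ["server" "sh"]` runs Hugo's live-reload development server, which watches `/src` and rebuilds on change, and traefik.nix then publishes `hugo@docker` as `hugo.lab` on the `websecure` entrypoint; the dev server is not meant to face clients, so a plain `hugo` build served as static files (by Traefik or any file server) is the hardened path. The trailing `"sh"` is odd — as far as I can see `hugo server` takes flags, not a positional command — so confirm it is intended and not a leftover from an interactive `docker run`. Hugo's server binds to 127.0.0.1 unless `--bind 0.0.0.0` or the image's defaults say otherwise, so check that Traefik can actually reach `hugo@docker` over the docker network. The `hugo` added to `environment.systemPackages` from nixpkgs will not be the `0.101.0` pinned in the image; a one-line comment saying which one is authoritative for the site, e.g. `# the 0.101.0 container is what serves hugo.lab; the host binary is for authoring`, would save the next reader a guess.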
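Review bot: Behind Traefik the container gets no `BASE_URL`, so SearXNG derives its own links from the request it sees on the docker network rather than from the public host, and `INSTANCE_NAME = "test_instance"` together with the `Host(\`test\`)` router in traefik.nix reads as placeholder configuration that should not reach a deployed branch. The `/etc/searxng:rw` mount is where the official image writes `settings.yml` with a generated `secret_key` on first start; that directory sits under a user home, so make sure it is not world-readable (root-owned, `0700`). As with the other services, `ports = ["8085:8080"]` is bound on all interfaces by Docker regardless of `networking.firewall`, so `"127.0.0.1:8085:8080"` or no `ports` is preferable when Traefik is the intended entry.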
diff --git a/modules/services/stash.nix b/modules/services/stash.nix
new file mode 100644
index 0000000..dc90cbb
--- /dev/null
+++ b/modules/services/stash.nix
@@ -0,0 +1,23 @@
+{...}: {
+ virtualisation.oci-containers.containers.stash = {
+ image = "stashapp/stash";
+ ports = [
+ "9999:9999"
+ ];
+ environment = {
+ STASH_STASH = "/data/";
+ STASH_GENERATED = "/generated/";
+ STASH_METADATA = "/metadata/";
+ STASH_CACHE = "/cache/";
+ STASH_PORT = "9999";
+ };
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/home/notoh/docker/stash/.config:/root/.stash"
+ "/home/notoh/docker/stash/data:/data"
+ "/home/notoh/docker/stash/.metadata:/metadata"
+ "/home/notoh/docker/stash/cache:/cache"
+ "/home/notoh/docker/stash/generated:/generated"
+ ];
+ };
+}
diff --git a/modules/services/traefik.nix b/modules/services/traefik.nix
new file mode 100644
index 0000000..770c8cb
--- /dev/null
+++ b/modules/services/traefik.nix
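Review bot: `ports = ["9999:9999"]` binds Stash on every interface: Docker installs its own DOCKER chains ahead of the NixOS `networking.firewall` rules, so the `allowedTCPPorts` list in traefik.nix does not gate this, and a fresh Stash has no username/password until one is configured, while Traefik already reaches `stash@docker` over the docker network. Change it to `"127.0.0.1:9999:9999"` (or drop `ports`) and, if it must stay reachable from the LAN, set credentials in Stash before pointing `stash.lab` at it. `stashapp/stash` with no tag is `latest`; pin a version so an upstream push cannot change what serves this data. The config volume is mounted at `/root/.stash`, i.e. the process runs as root inside the container; a short comment acknowledging that (and that the `/home/notoh/docker/stash` tree is therefore root-written) would help whoever audits permissions later.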
@@ -0,0 +1,72 @@
+{...}: {
+ networking.firewall.allowedTCPPorts = [80 443 8080];
+
+ services.traefik = {
+ enable = true;
+ group = "docker";
+ dynamicConfigOptions = {
+ http = {
+ routers = {
+ api = {
+ rule = "PathPrefix(`/api/`)";
+ entryPoints = ["websecure"];
+ service = "api@internal";
+ };
+ homepage = {
+ rule = "Host(`homepage.lab`)";
+ entrypoints = ["web"];
+ service = "homepage@docker";
+ };
+ searxng = {
+ rule = "Host(`test`)";
+ entrypoints = ["web"];
+ service = "searxng@docker";
+ };
+ hugo = {
+ rule = "Host(`hugo.lab`)";
+ entryPoints = ["websecure"];
+ service = "hugo@docker";
+ };
+ stash = {
+ rule = "Host(`stash.lab`)";
+ entrypoints = ["web"];
+ service = "stash@docker";
+ };
+ };
+ };
+ };
+ staticConfigOptions = {
+ api.dashboard = true;
+ api.insecure = true;
+ providers.docker = true;
+ global = {
+ checkNewVersion = false;
+ sendAnonymousUsage = false;
+ };
+ entryPoints = {
+ websecure.address = ":443";
+ web.address = ":80";
+ };
+ certificatesResolvers = {
+ staging.acme = {
+ email = "x3xr6n66@notohh.dev";
+ storage = "/var/lib/traefik/acme.json";
+ caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "cloudflare";
+ delayBeforeCheck = 0;
+ };
+ };
+ production.acme = {
+ email = "x3xr6n66@notohh.dev";
+ storage = "/var/lib/traefik/acme.json";
+ caServer = "https://acme-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "cloudflare";
+ delayBeforeCheck = 0;
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/virtualisation.nix b/modules/virtualisation.nix
new file mode 100644
index 0000000..7ba55dd
--- /dev/null
+++ b/modules/virtualisation.nix
@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [docker-compose];
+
+ virtualisation.oci-containers.backend = "docker";
+ virtualisation.docker = {
+ enable = true;
+ enableOnBoot = true;
+ autoPrune = {
+ enable = true;
+ dates = "weekly";
+ };
+ listenOptions = [
+ "/run/docker.sock"
+ ];
+ };
+}
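Review bot: `api.insecure = true;` together with `8080` in `networking.firewall.allowedTCPPorts` serves the Traefik dashboard and API unauthenticated on :8080 to anything that can reach the host, and the `api` router (`PathPrefix(\`/api/\`)`, `service = "api@internal"`, no `middlewares`, no `Host` in the rule) exposes the same API a second time on :443 for any hostname; the API enumerates every router, service and backend address. Set `api.insecure = false`, drop 8080 from the firewall, and guard the router with a `basicAuth` middleware and a host-bound rule (sketch below; the `usersFile` is an htpasswd file that must stay out of the Nix store). Separately, none of the `websecure` routers set `tls`, so :443 is speaking plain HTTP and the two `certificatesResolvers` are never exercised; note too that ACME will not issue for `.lab` names, and the Cloudflare `dnsChallenge` needs `CF_DNS_API_TOKEN` via `services.traefik.environmentFiles`, which this hunk does not set unless it happens elsewhere. `group = "docker";` with `providers.docker = true` makes the traefik user root-equivalent through the socket; that is the price of the docker provider, and a socket proxy is the usual mitigation.
```nix
  networking.firewall.allowedTCPPorts = [80 443];
  # … unchanged: services.traefik.enable / group …
      http = {
        # htpasswd file created out of band, root:traefik 0440, never in the store
        middlewares.dashboard-auth.basicAuth.usersFile = "/var/lib/traefik/dashboard.htpasswd";
        routers = {
          api = {
            rule = "Host(`traefik.lab`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
            entryPoints = ["websecure"];
            middlewares = ["dashboard-auth"];
            service = "api@internal";
            # only meaningful once the router has a public name a resolver can issue for
            tls.certResolver = "production";
          };
          # … unchanged: homepage/searxng/hugo/stash routers …
        };
      };
  # … unchanged: staticConfigOptions, except …
      api.dashboard = true;
      api.insecure = false;
```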
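Review bot: Every container in `modules/services` publishes with a bare `ports = ["…:…"]`, which Docker binds on 0.0.0.0 through its own iptables chains ahead of the NixOS firewall, so `networking.firewall.allowedTCPPorts` in traefik.nix does not actually gate 3000, 8085, 9999 or 30000. This module is now the single place Docker is configured, and via `modules/default.nix` it applies to every host rather than only sakura, so making loopback the default publish address here fixes all of them in one line, `daemon.settings.ip = "127.0.0.1";`, if the pinned NixOS has `virtualisation.docker.daemon.settings` (otherwise `extraOptions = "--ip=127.0.0.1";`); Traefik keeps reaching services over the docker network either way. `listenOptions = ["/run/docker.sock"]` appears to be the module default, so a comment saying why it is spelled out (or dropping it) would keep a reader from assuming the socket path was changed.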
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index e69de29..9878019 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -0,0 +1,22 @@
+foundry-username: ENC[AES256_GCM,data:WgcWG577,iv:62k3mxXNAwvfugCE8uWfMIkG0TEmnW8YYMPF5Q5Q00g=,tag:hv2rqcwha12eZX2WmnKmMQ==,type:str]
+foundry-password: ENC[AES256_GCM,data:xb2UNAhXvj0ayVsf3sTYTqH0n2FnEPQSqoli1zHVEIQ=,iv:B8Kh228CDIyggNweljqqU/CXfTpjQpxcz4J4MnKcgb4=,tag:KnsvAjvL4WGKEQKqlhYiZA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ckvmyqkwk69j64ev3fmckytz6k2dv79z4gn5qf6gxqyevp5yjfesdfkxmn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRyt5K0FUSDBjVnY3NTZz
+ T0NmeE9HREUrSTR5WWtLTzA5TWtndlpBd0FrClBZbzB5bGFxTFYrcEljd1NIZm9K
+ V3pOZldWTmx6WG4vQU44ZXJDQ29oNTAKLS0tIFhqa1RmeVcwbnhlaWdpOEFJeFBX
+ YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
+ 5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-05-14T05:40:38Z"
+ mac: ENC[AES256_GCM,data:Yz8y7vgXcU3SWyQANTM835Od+za7QraqdEjkqVCVuySmACdt93HlT1YdRRnXFennvXnNIsr/J7td+X3tmIwJnOXxbLhSdtluLl0KC8rYjaLN9ijThbA0p6umY+0WMUqRNfugzFzM/3J2L6GbMhczS8+cZ94JsOGu+RNZlydAuVw=,iv:Aw3n05FbB9pV6SztHI6H7vGjbpUQrr4WG6HqjNDMCr8=,tag:mrr6QzeR9yHM9S2Ut7gzbg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3