From 23278892c595edee9341e5d860bc815b4a4d0f01 Mon Sep 17 00:00:00 2001 From: notohh Date: Fri, 12 May 2023 08:18:42 -0400 Subject: [PATCH 1/6] feat: init basic scaffolding for docker migration --- hosts/hime/default.nix | 2 -- hosts/sakura/default.nix | 3 +-- hosts/sutakku/default.nix | 1 - modules/default.nix | 1 + modules/services/default.nix | 6 ++++++ modules/services/homepage.nix | 7 +++++++ modules/services/traefik.nix | 29 +++++++++++++++++++++++++++++ modules/virtualisation.nix | 16 ++++++++++++++++ 8 files changed, 60 insertions(+), 5 deletions(-) create mode 100644 modules/services/default.nix create mode 100644 modules/services/homepage.nix create mode 100644 modules/services/traefik.nix create mode 100644 modules/virtualisation.nix diff --git a/hosts/hime/default.nix b/hosts/hime/default.nix index b7c6cad..ea9dcff 100644 --- a/hosts/hime/default.nix +++ b/hosts/hime/default.nix @@ -22,7 +22,6 @@ xkbVariant = ""; }; - virtualisation.docker.enable = true; users = { defaultUserShell = pkgs.nushell; users.oh = { @@ -33,7 +32,6 @@ }; environment.systemPackages = with pkgs; [ - docker-compose hugo wget python3Full diff --git a/hosts/sakura/default.nix b/hosts/sakura/default.nix index f4c7ed7..880cdc9 100644 --- a/hosts/sakura/default.nix +++ b/hosts/sakura/default.nix @@ -6,6 +6,7 @@ imports = [ ./hardware-configuration.nix ../../modules + ../../modules/services ]; boot.loader = { @@ -16,7 +17,6 @@ useOSProber = false; }; }; - networking = { hostName = "sakura"; }; @@ -26,7 +26,6 @@ xkbVariant = ""; }; - virtualisation.docker.enable = true; users = { defaultUserShell = pkgs.nushell; users.notoh = { diff --git a/hosts/sutakku/default.nix b/hosts/sutakku/default.nix index 9690d22..1415327 100644 --- a/hosts/sutakku/default.nix +++ b/hosts/sutakku/default.nix @@ -26,7 +26,6 @@ xkbVariant = ""; }; - virtualisation.docker.enable = true; users = { defaultUserShell = pkgs.nushell; users.oh = { 
diff --git a/modules/default.nix b/modules/default.nix index 2702246..74b8690 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -5,5 +5,6 @@ ./nix.nix ./system.nix ./openssh.nix + ./virtualisation.nix ]; } diff --git a/modules/services/default.nix b/modules/services/default.nix new file mode 100644 index 0000000..bddacc8 --- /dev/null +++ b/modules/services/default.nix @@ -0,0 +1,6 @@ +{...}: { + imports = [ + ./traefik.nix + ./homepage.nix + ]; +} diff --git a/modules/services/homepage.nix b/modules/services/homepage.nix new file mode 100644 index 0000000..da9cb7f --- /dev/null +++ b/modules/services/homepage.nix @@ -0,0 +1,7 @@ +{pkgs, ...}: { + virtualisation.oci-containers.containers.homepage = { + ports = ["3000:3000"]; + image = "ghcr.io/benphelps/homepage"; + volumes = ["/home/notoh/docker/homepage:/app/config" "/var/run/docker.sock:/var/run/docker.sock:ro"]; + }; +} diff --git a/modules/services/traefik.nix b/modules/services/traefik.nix new file mode 100644 index 0000000..d6f25a4 --- /dev/null +++ b/modules/services/traefik.nix @@ -0,0 +1,29 @@ +{...}: { + networking.firewall.allowedTCPPorts = [80 443]; + + services.traefik = { + enable = true; + group = "docker"; + dynamicConfigOptions = { + http = { + routers = { + homepage = { + rule = "Host(`dashboard.lab`)"; + entryPoints = ["websecure"]; + service = "homepage"; + }; + }; + }; + }; + staticConfigOptions = { + global = { + checkNewVersion = false; + sendAnonymousUsage = false; + }; + entryPoints = { + websecure.address = ":443"; + web.address = ":80"; + }; + }; + }; +} diff --git a/modules/virtualisation.nix b/modules/virtualisation.nix new file mode 100644 index 0000000..7ba55dd --- /dev/null +++ b/modules/virtualisation.nix 
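Review bot: The `/var/run/docker.sock` volume in the new homepage container gives that container the full Docker API, which is root-equivalent on the host; the `:ro` suffix only makes the socket inode read-only and does not restrict what can be sent over it. Unless the dashboard's docker widgets are really wanted, drop that volume line, or mount a filtering socket proxy in its place. `image = "ghcr.io/benphelps/homepage"` has no tag or digest, so each pull may silently change what runs; pin it, e.g. `image = "ghcr.io/benphelps/homepage:<version>";`. The config bind mount comes from a user home directory, `/home/notoh/docker/homepage`, which is an unusual location for a system-managed service and worth a comment if intentional.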
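Review bot: `group = "docker"` in the new traefik.nix puts the traefik process in the docker group, which is root-equivalent on the host, yet nothing in this hunk configures the docker provider, so the line grants access that is not used; remove it until the provider is actually added, and even then prefer a socket proxy. The `websecure` entrypoint is bound to `:443` and the firewall is opened for 80 and 443, but neither the entrypoint nor the `homepage` router sets `tls`, so port 443 will serve plaintext; add `tls = {};` (or a `certResolver`) to the router before exposing it. The router also targets `service = "homepage"`, but no `http.services.homepage` is defined in `dynamicConfigOptions`, so as written it has nothing to forward to.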
@@ -0,0 +1,16 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [docker-compose]; + + virtualisation.oci-containers.backend = "docker"; + virtualisation.docker = { + enable = true; + enableOnBoot = true; + autoPrune = { + enable = true; + dates = "weekly"; + }; + listenOptions = [ + "/run/docker.sock" + ]; + }; +} From b53c9d597d3a8feb702ea73acbe0281421b68c98 Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 13 May 2023 23:20:28 -0400 Subject: [PATCH 2/6] feat: init more services --- modules/services/default.nix | 2 ++ modules/services/foundry.nix | 0 modules/services/homepage.nix | 5 ++++- modules/services/hugo.nix | 10 ++++++++++ modules/services/searxng.nix | 12 ++++++++++++ modules/services/stash.nix | 0 6 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 modules/services/foundry.nix create mode 100644 modules/services/hugo.nix create mode 100644 modules/services/searxng.nix create mode 100644 modules/services/stash.nix diff --git a/modules/services/default.nix b/modules/services/default.nix index bddacc8..c4605ac 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -2,5 +2,7 @@ imports = [ ./traefik.nix ./homepage.nix + ./searxng.nix + ./hugo.nix ]; } diff --git a/modules/services/foundry.nix b/modules/services/foundry.nix new file mode 100644 index 0000000..e69de29 diff --git a/modules/services/homepage.nix b/modules/services/homepage.nix index da9cb7f..ea065f5 100644 --- a/modules/services/homepage.nix +++ b/modules/services/homepage.nix @@ -2,6 +2,9 @@ virtualisation.oci-containers.containers.homepage = { ports = ["3000:3000"]; image = "ghcr.io/benphelps/homepage"; - volumes = ["/home/notoh/docker/homepage:/app/config" "/var/run/docker.sock:/var/run/docker.sock:ro"]; + volumes = [ + "/home/notoh/docker/homepage:/app/config" + "/var/run/docker.sock:/var/run/docker.sock:ro" + ]; }; } diff --git a/modules/services/hugo.nix b/modules/services/hugo.nix new file mode 100644 index 0000000..fa60e40 --- /dev/null 
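Review bot: `listenOptions = ["/run/docker.sock"]` in virtualisation.nix restates the daemon's default unix socket and adds nothing; if it is meant as a guard against someone later adding a `tcp://` listener (which would expose an unauthenticated root-equivalent API), say so in a comment, otherwise drop it. With `backend = "docker"` every container in `modules/services` runs via the root daemon, and as far as I know Docker installs its own iptables rules for published ports that `networking.firewall` does not gate, which matters for the `ports = [...]` entries in this series. A comment at the top of this module would help maintainers, e.g. `# Docker-published ports bypass networking.firewall; bind them to 127.0.0.1 or route them through traefik.`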
+++ b/modules/services/hugo.nix @@ -0,0 +1,10 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [hugo]; + virtualisation.oci-containers.containers.hugo = { + image = "klakegg/hugo:0.101.0"; + cmd = ["server" "sh"]; + volumes = [ + "/home/notoh/docker/hugo:/src" + ]; + }; +} diff --git a/modules/services/searxng.nix b/modules/services/searxng.nix new file mode 100644 index 0000000..d71cf08 --- /dev/null +++ b/modules/services/searxng.nix @@ -0,0 +1,12 @@ +{...}: { + virtualisation.oci-containers.containers.searxng = { + image = "searxng/searxng"; + ports = ["8085:8080"]; + volumes = [ + "/home/notoh/docker/searxng:/etc/searxng:rw" + ]; + environment = { + INSTANCE_NAME = "test_instance"; + }; + }; +} diff --git a/modules/services/stash.nix b/modules/services/stash.nix new file mode 100644 index 0000000..e69de29 From 9d7150f86438c7aca654c9ccf077df96d81b8d6e Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 13 May 2023 23:20:57 -0400 Subject: [PATCH 3/6] traefik: flesh out config options --- modules/services/traefik.nix | 46 ++++++++++++++++++++++++++++++++---- 1 file changed, 42 insertions(+), 4 deletions(-) diff --git a/modules/services/traefik.nix b/modules/services/traefik.nix index d6f25a4..35cb865 100644 --- a/modules/services/traefik.nix +++ b/modules/services/traefik.nix @@ -1,5 +1,5 @@ {...}: { - networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedTCPPorts = [80 443 8080]; services.traefik = { enable = true; 
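Review bot: `cmd = ["server" "sh"]` in hugo.nix looks wrong: as far as I can tell `hugo server` takes no positional `sh` argument, so please confirm what this is meant to do. Hugo's dev server is also not meant for production serving and, by default, binds to localhost inside the container, so the `hugo@docker` route added later in this series would need `--bind 0.0.0.0` to reach it. The `/src` bind mount from `/home/notoh/docker/hugo` has no `:ro`, so the container can modify the site source; `:ro` would be safer if the container only serves it.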
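Review bot: `ports = ["8085:8080"]` in searxng.nix publishes the service on every host interface, outside the traefik routing this series sets up; if it should only be reachable via traefik, drop `ports` or bind to loopback, `ports = ["127.0.0.1:8085:8080"];`. `searxng/searxng` has no tag or digest, so each pull may change what runs. The bind-mounted `/home/notoh/docker/searxng` directory holds searxng's settings, including its secret key, and lives outside this repo; a comment noting that it must not be left at defaults would help, and `INSTANCE_NAME = "test_instance"` reads as a placeholder.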
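Review bot: Opening 8080 in `allowedTCPPorts` exposes traefik's API/dashboard listener, which the next hunk of this patch enables with `api.insecure = true`, to the whole network with no authentication. Keep `networking.firewall.allowedTCPPorts = [80 443];` and reach the dashboard through an authenticated router on `websecure` instead, or at least limit 8080 to a trusted interface via `networking.firewall.interfaces`.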
@@ -7,15 +7,33 @@ dynamicConfigOptions = { http = { routers = { - homepage = { - rule = "Host(`dashboard.lab`)"; + api = { + rule = "PathPrefix(`/api/`)"; entryPoints = ["websecure"]; - service = "homepage"; + service = "api@internal"; + }; + homepage = { + rule = "Host(`homepage.lab`)"; + entrypoints = ["web"]; + service = "homepage@docker"; + }; + searxng = { + rule = "Host(`test`)"; + entrypoints = ["web"]; + service = "searxng@docker"; + }; + hugo = { + rule = "Host(``)"; + entryPoints = ["websecure"]; + service = "hugo@docker"; }; }; }; }; staticConfigOptions = { + api.dashboard = true; + api.insecure = true; + providers.docker = true; global = { checkNewVersion = false; sendAnonymousUsage = false; @@ -24,6 +42,26 @@ websecure.address = ":443"; web.address = ":80"; }; + certificatesResolvers = { + staging.acme = { + email = "x3xr6n66@notohh.dev"; + storage = "/var/lib/traefik/acme.json"; + caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"; + dnsChallenge = { + provider = "cloudflare"; + delayBeforeCheck = 0; + }; + }; + production.acme = { + email = "x3xr6n66@notohh.dev"; + storage = "/var/lib/traefik/acme.json"; + caServer = "https://acme-v02.api.letsencrypt.org/directory"; + dnsChallenge = { + provider = "cloudflare"; + delayBeforeCheck = 0; + }; + }; + }; }; }; } From 98d1856a967960cc711dcf37bc428b6c69f44647 Mon Sep 17 00:00:00 2001 From: notohh Date: Sun, 14 May 2023 00:50:11 -0400 Subject: [PATCH 4/6] services: init more services / traefik stuff --- modules/services/default.nix | 2 ++ modules/services/foundry.nix | 0 modules/services/foundryvtt.nix | 13 +++++++++++++ modules/services/stash.nix | 23 +++++++++++++++++++++++ modules/services/traefik.nix | 7 ++++++- 5 files changed, 44 insertions(+), 1 deletion(-) delete mode 100644 modules/services/foundry.nix create mode 100644 modules/services/foundryvtt.nix diff --git a/modules/services/default.nix b/modules/services/default.nix index c4605ac..8068404 100644 
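Review bot: `api.insecure = true` together with the new `api` router (`PathPrefix(`/api/`)` → `api@internal`, no `middlewares`) exposes traefik's API and dashboard unauthenticated, both on the :8080 listener the previous hunk opens in the firewall and on the public `websecure` entrypoint; the API lists every router, backend address and middleware, and a bare `PathPrefix` without a `Host` match also shadows `/api/` on every site traefik serves. `providers.docker = true` uses the provider's default of exposing every container, so stash, searxng and homepage get auto-published under default routes without any of the rules here. Set `api.insecure = false`, bind the api router to a host and gate it behind a basicAuth (or forwardAuth) middleware, and set `exposedByDefault = false`; the `entryPoints`/`entrypoints` casing should be unified and `Host(`test`)` on the searxng router looks like a placeholder. Routers on `websecure` (`api`, `hugo`) also carry no `tls`, so 443 is plaintext as written.
```nix
api = {
  # Host-bound so /api/ no longer shadows that path on every other site
  rule = "Host(`traefik.lab`) && (PathPrefix(`/api/`) || PathPrefix(`/dashboard/`))";
  entryPoints = ["websecure"];
  service = "api@internal";
  middlewares = ["dashboard-auth"];
  tls = {};
};
# … unchanged: homepage, searxng, hugo routers …
# under dynamicConfigOptions.http:
middlewares.dashboard-auth.basicAuth.usersFile = "<htpasswd file delivered by sops, not a Nix string>";
# under staticConfigOptions:
api.dashboard = true;
api.insecure = false;
providers.docker.exposedByDefault = false;
```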
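Review bot: Both `staging.acme` and `production.acme` use the same `storage = "/var/lib/traefik/acme.json"`; traefik keeps one ACME account and certificate store per file, so pointing two CAs at it will mix accounts and certificates — give each resolver its own file, e.g. `storage = "/var/lib/traefik/acme-staging.json";`. The cloudflare `dnsChallenge` needs an API token in traefik's environment, which this hunk does not supply; it should come from `services.traefik.environmentFiles` fed by a sops-managed file, never from a Nix string, since option values end up world-readable in the store. No router in this patch sets `tls.certResolver`, so neither resolver is used yet; a short comment on which one is intended for `websecure` would help.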
--- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -4,5 +4,7 @@ ./homepage.nix ./searxng.nix ./hugo.nix + ./stash.nix + ./foundryvtt.nix ]; } diff --git a/modules/services/foundry.nix b/modules/services/foundry.nix deleted file mode 100644 index e69de29..0000000 diff --git a/modules/services/foundryvtt.nix b/modules/services/foundryvtt.nix new file mode 100644 index 0000000..8bb118f --- /dev/null +++ b/modules/services/foundryvtt.nix @@ -0,0 +1,13 @@ +{...}: { + virtualisation.oci-containers.containers.foundryvtt = { + image = "felddy/foundryvtt:release"; + ports = ["30000:30000"]; + volumes = [ + "/home/notoh/docker/foundryvtt:/data" + ]; + environment = { + FOUNDRY_USERNAME = ""; + FOUNDRY_PASSWORD = ""; + }; + }; +} diff --git a/modules/services/stash.nix b/modules/services/stash.nix index e69de29..dc90cbb 100644 --- a/modules/services/stash.nix +++ b/modules/services/stash.nix @@ -0,0 +1,23 @@ +{...}: { + virtualisation.oci-containers.containers.stash = { + image = "stashapp/stash"; + ports = [ + "9999:9999" + ]; + environment = { + STASH_STASH = "/data/"; + STASH_GENERATED = "/generated/"; + STASH_METADATA = "/metadata/"; + STASH_CACHE = "/cache/"; + STASH_PORT = "9999"; + }; + volumes = [ + "/etc/localtime:/etc/localtime:ro" + "/home/notoh/docker/stash/.config:/root/.stash" + "/home/notoh/docker/stash/data:/data" + "/home/notoh/docker/stash/.metadata:/metadata" + "/home/notoh/docker/stash/cache:/cache" + "/home/notoh/docker/stash/generated:/generated" + ]; + }; +} diff --git a/modules/services/traefik.nix b/modules/services/traefik.nix index 35cb865..770c8cb 100644 --- a/modules/services/traefik.nix +++ b/modules/services/traefik.nix @@ -23,10 +23,15 @@ service = "searxng@docker"; }; hugo = { - rule = "Host(``)"; + rule = "Host(`hugo.lab`)"; entryPoints = ["websecure"]; service = "hugo@docker"; }; + stash = { + rule = "Host(`stash.lab`)"; + entrypoints = ["web"]; + service = "stash@docker"; + }; }; }; }; 
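Review bot: `FOUNDRY_USERNAME`/`FOUNDRY_PASSWORD` in foundryvtt.nix are plain `environment` values; once filled in, oci-containers renders them into the container's `docker run` line in a systemd unit that lives in the world-readable Nix store, so they must instead be delivered via `environmentFiles = [ <root-only env file> ];` (the later sops commit in this series still passes them as option values). `felddy/foundryvtt:release` is a floating tag, so pin a version or digest. `ports = ["30000:30000"]` publishes the server on every interface, bypassing traefik; bind it to `127.0.0.1` or drop it if traefik fronts it.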
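Review bot: `ports = ["9999:9999"]` in stash.nix binds stash on every host interface, and since Docker manages its own iptables rules for published ports the NixOS firewall will not gate it; with a `stash@docker` traefik route added in this same patch the direct exposure is unnecessary, so remove `ports` or use `"127.0.0.1:9999:9999"`. `stashapp/stash` has no tag or digest. The config mount maps to `/root/.stash`, which shows the process runs as root inside the container; a comment acknowledging that (or an unprivileged user if the image supports one) would be worthwhile given the data directories come from a user home.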
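Review bot: The new `stash` router is attached to `entrypoints = ["web"]`, i.e. plain HTTP on :80, so stash's login and session cookie would cross the network in clear text; move it to `websecure` with `tls` set, and add an HTTP→HTTPS redirect on `web`. The `hugo` router, now bound to `Host(`hugo.lab`)`, sits on `websecure` but still has no `tls` attribute, so 443 serves plaintext for it as well; `tls = {};` or a `certResolver` is needed there. The enclosing `routers` attrset starts outside this hunk.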
From 055557335b90f427049fcf44e233fe5e24aa35b5 Mon Sep 17 00:00:00 2001 From: notohh Date: Sun, 14 May 2023 01:48:15 -0400 Subject: [PATCH 5/6] feat: init sops --- .sops.yaml | 7 +++++++ secrets/secrets.yaml | 22 ++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/.sops.yaml b/.sops.yaml index e69de29..c35109d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - ¬oh age1ckvmyqkwk69j64ev3fmckytz6k2dv79z4gn5qf6gxqyevp5yjfesdfkxmn +creation_rules: + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - age: + - *notoh \ No newline at end of file diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index e69de29..9878019 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -0,0 +1,22 @@ +foundry-username: ENC[AES256_GCM,data:WgcWG577,iv:62k3mxXNAwvfugCE8uWfMIkG0TEmnW8YYMPF5Q5Q00g=,tag:hv2rqcwha12eZX2WmnKmMQ==,type:str] +foundry-password: ENC[AES256_GCM,data:xb2UNAhXvj0ayVsf3sTYTqH0n2FnEPQSqoli1zHVEIQ=,iv:B8Kh228CDIyggNweljqqU/CXfTpjQpxcz4J4MnKcgb4=,tag:KnsvAjvL4WGKEQKqlhYiZA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ckvmyqkwk69j64ev3fmckytz6k2dv79z4gn5qf6gxqyevp5yjfesdfkxmn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRyt5K0FUSDBjVnY3NTZz + T0NmeE9HREUrSTR5WWtLTzA5TWtndlpBd0FrClBZbzB5bGFxTFYrcEljd1NIZm9K + V3pOZldWTmx6WG4vQU44ZXJDQ29oNTAKLS0tIFhqa1RmeVcwbnhlaWdpOEFJeFBX + YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt + 5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-14T05:40:38Z" + mac: ENC[AES256_GCM,data:Yz8y7vgXcU3SWyQANTM835Od+za7QraqdEjkqVCVuySmACdt93HlT1YdRRnXFennvXnNIsr/J7td+X3tmIwJnOXxbLhSdtluLl0KC8rYjaLN9ijThbA0p6umY+0WMUqRNfugzFzM/3J2L6GbMhczS8+cZ94JsOGu+RNZlydAuVw=,iv:Aw3n05FbB9pV6SztHI6H7vGjbpUQrr4WG6HqjNDMCr8=,tag:mrr6QzeR9yHM9S2Ut7gzbg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 
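Review bot: `.sops.yaml` lists a single age recipient, the personal key `*notoh`, so only that key can decrypt `secrets/secrets.yaml`; if these secrets are meant to be decrypted on the host at activation (sops-nix style), the host's own age key must be a recipient too, otherwise deployment will fail or require the personal key on the machine — presumably the intent is to add the host key derived from its SSH host key. A comment naming which key is which would help, e.g. `# personal key; add each host's age key (ssh-to-age of its host key) below`. The file also lacks a trailing newline.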
From 1b7aafd9a9fd6a7cd6198dd72a86fa74c9f3dfac Mon Sep 17 00:00:00 2001 From: notohh Date: Sun, 14 May 2023 01:48:33 -0400 Subject: [PATCH 6/6] foundry: use sops --- modules/services/foundryvtt.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/services/foundryvtt.nix b/modules/services/foundryvtt.nix index 8bb118f..a319e05 100644 --- a/modules/services/foundryvtt.nix +++ b/modules/services/foundryvtt.nix @@ -1,4 +1,4 @@ -{...}: { +{inputs, ...}: { virtualisation.oci-containers.containers.foundryvtt = { image = "felddy/foundryvtt:release"; ports = ["30000:30000"]; @@ -6,8 +6,8 @@ "/home/notoh/docker/foundryvtt:/data" ]; environment = { - FOUNDRY_USERNAME = ""; - FOUNDRY_PASSWORD = ""; + FOUNDRY_USERNAME = inputs.sops.secrets.foundry-username; + FOUNDRY_PASSWORD = inputs.sops.secrets.foundry-password; }; }; }
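Review bot: `inputs.sops.secrets.foundry-username` does not produce the secret: `inputs` is the flake-input set, and with sops-nix secrets are declared under `config.sops.secrets.<name>` and surfaced as a file path (`.path`), never as a value — so this will likely fail to evaluate, and if it ever did yield plaintext it would be written into the container's systemd unit in the Nix store. No `sops.secrets.foundry-username`/`foundry-password` declaration is visible anywhere in this series either. Store the two values as one dotenv-format sops secret (or a `sops.templates` entry) and hand its path to the container via `environmentFiles`, dropping the `environment` entries.
```nix
{config, ...}: {
  # dotenv-format secret holding FOUNDRY_USERNAME=... and FOUNDRY_PASSWORD=...
  sops.secrets.foundry-env = {};
  virtualisation.oci-containers.containers.foundryvtt = {
    # … unchanged: image, ports, volumes …
    environmentFiles = [config.sops.secrets.foundry-env.path];
  };
}
```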