xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

some stuff

Browse source
This commit is contained in:
xunuwu 2024-05-10 19:39:17 +02:00
parent 68bee9a3aa
commit cd8343c0c4
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
38 changed files with 992 additions and 206 deletions
Download patch file Download diff file Expand all files Collapse all files

160
system/services/containers/experimental/default.nix
View file

@ -12,6 +12,25 @@
dockerSocket.enable = true;
};
security.acme = {
acceptTerms = true;
defaults = {
email = "xunuwu@gmail.com";
reloadServices = ["podman-caddy.service"];
};
certs = {
"xun.cam" = {
dnsProvider = "cloudflare";
credentialFiles = {
CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
};
extraDomainNames = [
"jellyfin.xun.cam"
];
};
};
};
virtualisation.oci-containers = {
backend = "podman";
@ -20,23 +39,31 @@
image = "qmcgaw/gluetun:v3";
volumes = [
"${config.sops.secrets.wireguard.path}:/gluetun/wireguard/wg0.conf"
#"${builtins.toFile "post-rules.txt" ''
# iptables -A INPUT -d 192.168.50.26 -p udp --sport
# ''}:/iptables/post-rules.txt"
];
ports = [
## This bypasses the firewall
## use 127.0.0.1:XXXX:XXXX if you only want it to be accessible locally
"127.0.0.1:1389:1389" # openldap
"127.0.0.1:1636:1636" # openldap
"127.0.0.1:8191:8191" # flaresolverr
"9117:9117" # jackett
"5030:5030" # slskd
"8096:8096" # jellyfin
"8080:8080" # qbittorrent webui
#"80:8336" # caddy
#"443:443" # caddy
#"443:443/udp" # caddy
"8336:8336" # jellyfin
];
environment = {
VPN_SERVICE_PROVIDER = "airvpn";
VPN_TYPE = "wireguard";
SERVER_COUNTRIES = "Netherlands";
FIREWALL_VPN_INPUT_PORTS = "11936,8096,14795";
FIREWALL_VPN_INPUT_PORTS = "11936,8336,14795";
};
extraOptions = [
@ -79,6 +106,7 @@
"/media/config/jellyfin/config:/config"
"/media/config/jellyfin/cache:/cache"
"/media/library:/library"
"/media/downloads:/library/downloads"
];
dependsOn = ["gluetun"];
extraOptions = [
@ -109,11 +137,132 @@
"--network=container:gluetun"
];
};
caddy = {
image = "caddy";
volumes = [
#alt.xun.cam:8336 {
#tls internal
#reverse_proxy
#localhost:5030
#}
"${builtins.toFile "Caddyfile" ''
https://jellyfin.xun.cam:8336 {
tls /etc/ssl/certs/xun.cam/cert.pem /etc/ssl/certs/xun.cam/key.pem
reverse_proxy localhost:8096
}
''}:/etc/caddy/Caddyfile"
#tls /etc/ssl/certs/cloudflare/cert.pem /etc/ssl/certs/cloudflare/key.pem
#"${config.sops.secrets.xun-cam-cert.path}:/etc/ssl/certs/cloudflare/cert.pem"
#"${config.sops.secrets.xun-cam-key.path}:/etc/ssl/certs/cloudflare/key.pem"
"/var/lib/acme/xun.cam:/etc/ssl/certs/xun.cam"
"/media/config/caddy/data:/data"
"/media/config/caddy/config:/config"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
#openldap = {
# image = "bitnami/openldap";
# environment = {
# "LDAP_ADMIN_USERNAME" = "admin";
# "LDAP_ADMIN_PASSWORD" = "adminpassword";
# "LDAP_USERS" = "user01,user02";
# "LDAP_PASSWORDS" = "password1,password2";
# };
# dependsOn = ["gluetun"];
# extraOptions = [
# "--network=container:gluetun"
# ];
#};
#authelia = {
# image = "authelia/authelia";
# environment = {
# AUTHELIA_JWT_SECRET_FILE = "/secrets/JWT_SECRET";
# AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET";
# AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD";
# AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY";
# };
# volumes = [
# "${config.sops.secrets.authelia_jwt_secret.path}:/secrets/JWT_SECRET"
# "${config.sops.secrets.authelia_session_secret.path}:/secrets/SESSION_SECRET"
# "${config.sops.secrets.authelia_storage_password.path}:/secrets/STORAGE_PASSWORD"
# "${config.sops.secrets.authelia_encryption_key.path}:/secrets/STORAGE_ENCRYPTION_KEY"
# "${builtins.toFile "users_database.yml" ''
# them: auto
# default_redirection_url: https://auth.xun.cam:8336
# authentication_backend:
# ldap:
# address: 'ldap://127.0.0.1:1389'
# implementation: 'custom'
# timeout: '5s
# session:
# domain: example.com
# redis:
# host: redis
# port: 6379
# storage:
# postgres:
# host: database
# database: authelia
# username: authelia
# notifier:
# smtp:
# host: smtp.xun.cam
# port: 8336
# username: auth@xun.cam
# sender: "Authelia <auth@xun.cam"
# ''}:/config/configuration.yml"
# "${builtins.toFile "configuration.yml" ''
# them: auto
# default_redirection_url: https://auth.xun.cam:8336
# authentication_backend:
# file:
# path: /config/users_database.yml
# #authentication_backend:
# # ldap:
# # address: 'ldap://127.0.0.1:1389'
# # implementation: 'custom'
# # timeout: '5s
# session:
# domain: example.com
# redis:
# host: redis
# port: 6379
# storage:
# postgres:
# host: database
# database: authelia
# username: authelia
# notifier:
# smtp:
# host: smtp.xun.cam
# port: 8336
# username: auth@xun.cam
# sender: "Authelia <auth@xun.cam"
# ''}:/config/configuration.yml"
# ];
# dependsOn = ["gluetun"];
# extraOptions = [
# "--network=container:gluetun"
# ];
#};
betanin = {
image = "sentriz/betanin";
environment = {
UID = "1001";
GID = "100";
UID = "1000";
GID = "1000";
};
ports = [
"9393:9393"
@ -124,7 +273,8 @@
"/media/config/betanin/beets:/b/.config/beets"
"${config.sops.secrets.betanin.path}:/b/.config/beets/config.yaml"
"/media/library/music:/music"
"/media/slskd/downloads:/downloads"
"/media/slskd/downloads:/downloads/slskd"
"/media/downloads/music:/downloads/misc"
];
};
};

4
system/services/containers/experimental/smbshare.nix
View file

@ -9,14 +9,14 @@
browseable = "yes";
"guest ok" = "yes";
"read only" = "yes";
"write-list" = "xun";
"write list" = "xun";
};
"library" = {
path = "/media/library";
browseable = "yes";
"guest ok" = "yes";
"read only" = "yes";
"write-list" = "xun";
"write list" = "xun";
};
};
};

1
system/services/ollama.nix
View file

@ -4,7 +4,6 @@
environmentVariables = {
HSA_OVERRIDE_GFX_VERSION = "10.3.0";
};
acceleration = "rocm";
listenAddress = "127.0.0.1:11434";
};
}

5
system/services/transmission.nix
View file

@ -1,5 +0,0 @@
{...}: {
services.transmission = {
enable = true;
};
}

77
system/services/wireguard.nix
View file

@ -1,77 +0,0 @@
{...}: {
#networking.wg-quick.interfaces."wg0".configFile = config.sops.secrets.wireguard.path;
# Sets tailscale to a high priority, to make sure tailscale
# traffic dosent go through wireguard (which wont work)
#systemd.services.tailscaled.serviceConfig = {
# ExecStartPost = "${pkgs.iproute2}/bin/ip rule add pref 65 table 52";
# ExecStopPost = "${pkgs.iproute2}/bin/ip rule del pref 65 table 52";
#};
## https://wiki.archlinux.org/title/WireGuard#systemd-networkd:_routing_all_traffic_over_WireGuard
#environment.systemPackages = [pkgs.wireguard-tools];
#systemd.network = {
# netdevs."99-wg0" = {
# netdevConfig = {
# Name = "wg0";
# Kind = "wireguard";
# Description = "WireGuard tunnel wg0";
# };
# wireguardConfig = {
# ListenPort = 51871;
# PrivateKeyFile = config.sops.secrets.wg-private.path;
# };
# wireguardPeers = [
# {
# wireguardPeerConfig = {
# PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
# PresharedKeyFile = config.sops.secrets.wg-preshared.path;
# AllowedIPs = [
# "0.0.0.0"
# ];
# Endpoint = "62.102.148.206:1637";
# };
# }
# ];
# };
# networks."50-wg0" = {
# name = "wg0";
# address = ["10.154.4.37/24"];
# dns = ["10.128.0.1"];
# domains = ["~."];
# networkConfig = {
# DNSDefaultRoute = true;
# };
# routingPolicyRules = [
# {
# routingPolicyRuleConfig = {
# FirewallMark = 34952;
# InvertRule = true;
# Table = 1000;
# Priority = 10;
# };
# }
# {
# ## Allow local connections
# routingPolicyRuleConfig = {
# To = "192.168.0.0/24";
# Priority = 9;
# };
# }
# ];
# routes = [
# {
# routeConfig = {
# Gateway = "10.128.0.1";
# GatewayOnLink = true;
# Table = 1000;
# };
# }
# ];
# };
#};
}