From 0cae9e4995eca1fe42b01109edfa201ebbecfc13 Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Thu, 5 Oct 2023 23:44:58 +0200 Subject: [PATCH] sarek: intialize service config. Move firewall to base.nix --- base.nix | 2 ++ hosts/chapel/configuration.nix | 2 +- hosts/edison/configuration.nix | 1 - hosts/sarek/configuration.nix | 11 +++++------ hosts/sarek/services/flame.nix | 24 ++++++++++++++++++++++++ hosts/sarek/services/nginx.nix | 19 +++++++++++++++++++ hosts/voyager/configuration.nix | 11 ----------- 7 files changed, 51 insertions(+), 19 deletions(-) create mode 100644 hosts/sarek/services/flame.nix create mode 100644 hosts/sarek/services/nginx.nix diff --git a/base.nix b/base.nix index 40d5b79..2466628 100644 --- a/base.nix +++ b/base.nix @@ -68,6 +68,8 @@ ''; }; + networking.firewall.allowedTCPPorts = [ 22 ]; + users.users.felixalb = { isNormalUser = true; extraGroups = [ "wheel" ]; diff --git a/hosts/chapel/configuration.nix b/hosts/chapel/configuration.nix index 298cad1..dd12118 100644 --- a/hosts/chapel/configuration.nix +++ b/hosts/chapel/configuration.nix @@ -64,7 +64,7 @@ ) ]; - networking.firewall.allowedTCPPorts = [ 80 22 3100 ]; + networking.firewall.allowedTCPPorts = [ 80 3100 ]; # system.copySystemConfiguration = true; diff --git a/hosts/edison/configuration.nix b/hosts/edison/configuration.nix index 51b9321..1aa3db0 100644 --- a/hosts/edison/configuration.nix +++ b/hosts/edison/configuration.nix @@ -31,7 +31,6 @@ "nvidia-x11" "nvidia-settings" ]; - networking.firewall.allowedTCPPorts = [ 22 ]; system.stateVersion = "23.05"; } diff --git a/hosts/sarek/configuration.nix b/hosts/sarek/configuration.nix index b9d21f4..f7922af 100644 --- a/hosts/sarek/configuration.nix +++ b/hosts/sarek/configuration.nix @@ -7,7 +7,9 @@ ../../base.nix ../../common/metrics-exporters.nix + ./services/nginx.nix ./services/postgresql.nix + ./services/flame.nix ]; # Boot and console is handled by proxmoxLXC. 
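Review bot: The added `networking.firewall.allowedTCPPorts = [ 22 ];` opens SSH on every host that imports base.nix, whether or not sshd runs there; if base.nix enables `services.openssh` (not visible in this hunk) the port is already opened by `services.openssh.openFirewall`, which defaults to true, so the line is redundant, and if it does not, the port is open with nothing listening. Tying the rule to the service keeps the exposure honest: `networking.firewall.allowedTCPPorts = lib.mkIf config.services.openssh.enable [ 22 ];` (needs `lib` and `config` in the module arguments), or rely on openFirewall alone. The enclosing attribute set starts and ends outside the hunk.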
@@ -27,13 +29,10 @@ hostId = "15dd36bc"; }; - sops.defaultSopsFile = ../../secrets/sarek/edison.yaml; + sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml; - environment.variables = { EDITOR = "vim"; }; - environment.systemPackages = with pkgs; [ - ]; - - networking.firewall.allowedTCPPorts = [ 22 ]; + virtualisation.docker.enable = true; + virtualisation.oci-containers.backend = "docker"; system.stateVersion = "23.05"; } diff --git a/hosts/sarek/services/flame.nix b/hosts/sarek/services/flame.nix new file mode 100644 index 0000000..455f8d1 --- /dev/null +++ b/hosts/sarek/services/flame.nix @@ -0,0 +1,24 @@ +{ config, pkgs, lib, ... }: +let + domain = "flame.home.feal.no"; + host = "127.0.1.2"; + port = "5005"; +in { + # Flame - Homelab dashboard/linktree + virtualisation.oci-containers.containers = { + flame = { + image = "pawelmalak/flame"; + ports = [ "${host}:${port}:5005" ]; + volumes = [ + "/var/lib/flame/data:/app/data/" + ]; + }; + }; + + services.nginx.virtualHosts."${domain}" = { + locations."/" = { + proxyPass = "http://${host}:${port}"; + }; + }; + } + diff --git a/hosts/sarek/services/nginx.nix b/hosts/sarek/services/nginx.nix new file mode 100644 index 0000000..4c376d7 --- /dev/null +++ b/hosts/sarek/services/nginx.nix @@ -0,0 +1,19 @@ +{ config, values, ... }: +{ + services.nginx = { + enable = true; + enableReload = true; + + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + /* security.acme = { */ + /* acceptTerms = true; */ + /* email = "felix@albrigtsen.it"; */ + /* }; */ +} diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix index c6a9095..c62fdf7 100644 --- a/hosts/voyager/configuration.nix +++ b/hosts/voyager/configuration.nix 
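Review bot: `sops.defaultSopsFile` now points at `../../secrets/sarek/sarek.yaml`, but this patch adds no file under secrets/ (the diffstat lists none), so unless that file already exists in the repository evaluation fails as soon as a secret references the default file; worth confirming it is committed. The `virtualisation.docker.enable = true;` / `virtualisation.oci-containers.backend = "docker";` pair is the same as voyager's (last hunk of this patch); a shared module under common/ would avoid the duplication. The enclosing attribute set starts outside the hunk.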
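Review bot: `image = "pawelmalak/flame";` carries no tag or digest, so every pull resolves to whatever `latest` is at that moment; the container's contents are not reproducible and a breaking or compromised upstream push lands on the next restart. Pin it, e.g. `image = "pawelmalak/flame:<version>@sha256:<digest>";` (placeholders — take the values from the registry). The bind-mounted `/var/lib/flame/data` is not created declaratively either; a `systemd.tmpfiles.rules` entry for it makes the directory's existence and mode explicit instead of leaving that to the docker daemon. `config`, `pkgs` and `lib` in the module arguments are unused.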
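Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens 443, but nothing in this module configures a TLS listener — `security.acme` is left commented out and the flame vhost in flame.nix sets neither `forceSSL` nor `enableACME` — so the dashboard is served over plain HTTP while 443 is open with no listener, and `recommendedTlsSettings = true;` has no effect. Either finish the ACME block and add `forceSSL = true; enableACME = true;` to each vhost, or drop 443 from the list until TLS is in place. Both `config` and `values` in the module arguments are unused; `{ ... }:` suffices.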
@@ -102,20 +102,9 @@ sslCertificateKey = "${certPath}.key"; }; - /* virtualisation.podman = { */ - /* enable = true; */ - /* dockerCompat = true; # Make `docker` shell alias */ - /* defaultNetwork.settings.dns_enabled = true; */ - /* }; */ - - /* virtualisation.oci-containers.backend = "podman"; */ - virtualisation.docker.enable = true; virtualisation.oci-containers.backend = "docker"; - - networking.firewall.allowedTCPPorts = [ 22 ]; - system.stateVersion = "22.11"; }