sarek: intialize service config. Move firewall to base.nix

2023-10-05 23:44:58 +02:00 · 2023-10-05 23:44:58 +02:00 · efbaf1ffed
commit efbaf1ffed
parent ef3cc3097e
7 changed files with 51 additions and 19 deletions
--- a/base.nix
+++ b/base.nix
@ -68,6 +68,8 @@
    '';
  };

+  networking.firewall.allowedTCPPorts = [ 22 ];
+
  users.users.felixalb = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
--- a/hosts/chapel/configuration.nix
+++ b/hosts/chapel/configuration.nix
@ -64,7 +64,7 @@
  )
  ];

-  networking.firewall.allowedTCPPorts = [ 80 22 3100 ];
+  networking.firewall.allowedTCPPorts = [ 80 3100 ];

  # system.copySystemConfiguration = true;

--- a/hosts/edison/configuration.nix
+++ b/hosts/edison/configuration.nix
@ -31,7 +31,6 @@
    "nvidia-x11"
    "nvidia-settings"
  ];
-  networking.firewall.allowedTCPPorts = [ 22 ];

  system.stateVersion = "23.05";
 }
--- a/hosts/sarek/configuration.nix
+++ b/hosts/sarek/configuration.nix
@ -7,7 +7,9 @@
      ../../base.nix
      ../../common/metrics-exporters.nix

+      ./services/nginx.nix
      ./services/postgresql.nix
+      ./services/flame.nix
  ];

  # Boot and console is handled by proxmoxLXC.
@ -27,13 +29,10 @@
    hostId = "15dd36bc";
  };

-  sops.defaultSopsFile = ../../secrets/sarek/edison.yaml;
+  sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml;

-  environment.variables = { EDITOR = "vim"; };
-  environment.systemPackages = with pkgs; [
-  ];
-
-  networking.firewall.allowedTCPPorts = [ 22 ];
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers.backend = "docker";

  system.stateVersion = "23.05";
 }
--- a/hosts/sarek/services/flame.nix
+++ b/hosts/sarek/services/flame.nix
@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "flame.home.feal.no";
+  host = "127.0.1.2";
+  port = "5005";
+in {
+   # Flame - Homelab dashboard/linktree
+   virtualisation.oci-containers.containers = {
+     flame = {
+       image = "pawelmalak/flame";
+       ports = [ "${host}:${port}:5005" ];
+       volumes = [
+         "/var/lib/flame/data:/app/data/"
+       ];
+     };
+   };
+
+   services.nginx.virtualHosts."${domain}" = {
+     locations."/" = {
+       proxyPass = "http://${host}:${port}";
+     };
+   };
+ }
+
--- a/hosts/sarek/services/nginx.nix
+++ b/hosts/sarek/services/nginx.nix
@ -0,0 +1,19 @@
+{ config, values, ... }:
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  /* security.acme = { */
+  /*   acceptTerms = true; */
+  /*   email = "felix@albrigtsen.it"; */
+  /* }; */
+}
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@ -103,20 +103,9 @@
    sslCertificateKey = "${certPath}.key";
  };

-  /* virtualisation.podman = { */
-  /*   enable = true; */
-  /*   dockerCompat = true; # Make `docker` shell alias */
-  /*   defaultNetwork.settings.dns_enabled = true; */
-  /* }; */
-
-  /* virtualisation.oci-containers.backend = "podman"; */
-
  virtualisation.docker.enable = true;
  virtualisation.oci-containers.backend = "docker";

-
-  networking.firewall.allowedTCPPorts = [ 22 ];
-
  system.stateVersion = "22.11";
 }