1b0b37c13c defiant: Update to NixOS 24.11 2024-12-01 12:31:01 +01:00
b4b74227c3 defiant: Add koillection 2024-12-01 12:30:43 +01:00
6 changed files with 77 additions and 9 deletions


@ -23,6 +23,7 @@
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/home-assistant.nix ./services/home-assistant.nix
./services/keycloak.nix ./services/keycloak.nix
./services/koillection.nix
./services/matrix ./services/matrix
./services/microbin.nix ./services/microbin.nix
# ./services/minecraft.nix # ./services/minecraft.nix


@ -5,7 +5,6 @@
boot = { boot = {
zfs.extraPools = [ "tank" ]; zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
}; };
services.prometheus.exporters.zfs.enable = true; services.prometheus.exporters.zfs.enable = true;


@ -16,17 +16,17 @@ in {
settings = { settings = {
cache = "local"; cache = "local";
hostname = "iam.feal.no"; hostname = "https://iam.feal.no";
hostname-strict-backchannel = true; hostname-backchannel-dynamic = false;
http-enable = true; http-enabled = true;
http-host = "127.0.1.2"; http-host = "127.0.1.2";
http-port = 5060; http-port = 5060;
proxy = "edge"; proxy-headers = "xforwarded";
}; };
}; };
# The main reverse proxy is defined in ./nginx.nix # The main reverse proxy is defined in ./nginx.nix
services.nginx.virtualHosts.${cfg.hostname} = { services.nginx.virtualHosts.${cfg.hostname} = {
locations."= /".return = "302 https://${cfg.hostname}/realms/feal.no/account"; locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
}; };
} }
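Review bot: With `hostname` now carrying the scheme, the key on the `services.nginx.virtualHosts.${cfg.hostname}` line becomes `https://iam.feal.no`, which is not a usable server_name (nor a valid certificate subject if nginx.nix requests ACME for it) — assuming `cfg` resolves to these keycloak settings, which the dropped `https://` in the redirect line suggests. Keeping a bare host in the `let` binding and deriving the setting from it, e.g. `hostname = "https://${host}";` with `services.nginx.virtualHosts.${host}` and `return = "302 https://${host}/realms/feal.no/account"`, keeps both sides consistent. `proxy-headers = "xforwarded"` makes Keycloak trust X-Forwarded-* from anything that reaches `http-host`; with it bound to 127.0.1.2 that is only the local reverse proxy, which is the intended trust boundary, and a one-line comment saying so would help the next reader. The enclosing module starts before this hunk.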


@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:
let
domain = "koillection.home.feal.no";
port = 5023;
in {
virtualisation.oci-containers.containers = {
koillection = {
image = "koillection/koillection";
ports = [
"127.0.1.2:${toString port}:80"
];
environment = {
APP_DEBUG = "0";
APP_ENV = "prod";
HTTPS_ENABLED = "0";
UPLOAD_MAX_FILESIZE = "512M";
PHP_MEMORY_LIMIT = "512M";
PHP_TZ = "Europe/Oslo";
CORS_ALLOW_ORIGIN = "https?://(localhost|koillection\\.home\\.feal\\.no)(:[0-9]+)?$";
JWT_SECRET_KEY = "%kernel.project_dir%/config/jwt/private.pem";
JWT_PUBLIC_KEY = "%kernel.project_dir%/config/jwt/public.pem";
DB_DRIVER = "pdo_pgsql";
DB_NAME = "koillection";
DB_HOST = "host.docker.internal";
DB_USER = "koillection";
# DB_PASSWORD = "koillection"; # Set in sops envfile
DB_PORT = "5432";
DB_VERSION = "16";
};
environmentFiles = [
config.sops.secrets."koillection/envfile".path
];
extraOptions = [
"--add-host=host.docker.internal:host-gateway"
];
};
};
sops.secrets."koillection/envfile" = { };
services.postgresql = {
ensureDatabases = [ "koillection" ];
ensureUsers = [ {
name = "koillection";
ensureDBOwnership = true;
} ];
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://127.0.1.2:${toString port}";
};
}
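Review bot: The container declares no `volumes`, so whatever Koillection writes inside its own filesystem — uploads, and the JWT keypair that `JWT_SECRET_KEY`/`JWT_PUBLIC_KEY` point at under `%kernel.project_dir%/config/jwt` — presumably lives only until the container is recreated, which would drop user data and invalidate every issued token; confirm the image's data paths and mount them from the host, e.g. `volumes = [ "/var/lib/koillection/uploads:/uploads" ];` (placeholder paths). `image = "koillection/koillection"` is untagged, so each rebuild pulls whatever `latest` resolves to at that moment; pinning a version tag or digest keeps the deployment reproducible and reviewable. `CORS_ALLOW_ORIGIN` is anchored at the end but not the start; a leading `^` matches the rest of the pattern's intent. Passing `DB_PASSWORD` only via the sops envfile rather than `environment` is the right split.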


@ -2,7 +2,11 @@
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = false; enableTCPIP = true;
authentication = ''
host all all 172.16.0.0/12 md5
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
@ -14,5 +18,8 @@
databases = [ ]; databases = [ ];
}; };
# Docker containers on this host can reach postgres
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }
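Review bot: The new `host all all 172.16.0.0/12 md5` line lets every container on the bridge attempt password authentication against every database and role, including the keycloak one whose credential sits next to the new envfile in the same secrets file; scope it to what this change needs, `host koillection koillection 172.16.0.0/12 scram-sha-256`, naming `scram-sha-256` explicitly rather than `md5`. `enableTCPIP = true` also makes postgres listen on all interfaces, so the iptables rule and pg_hba are the only things keeping it off the network; setting `settings.listen_addresses` to the host's bridge address would cut the exposure at the source (that address depends on the docker bridge and is not visible here). The `-A INPUT` rule in `extraCommands` applies to the iptables backend only; `networking.firewall.interfaces.<bridge-interface>.allowedTCPPorts = [ 5432 ];` (placeholder interface name) scopes the port to that interface in a backend-independent way. The first hunk's enclosing attrset starts before this section.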


@ -18,6 +18,8 @@ restic:
vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str] vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str]
keycloak: keycloak:
postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str] postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str]
koillection:
envfile: ENC[AES256_GCM,data:3wq6xiULzELDxtDsBfPbKrnEsAEoG9oQREyaEoe0AVpJziVMrhEQruLCl1F/,iv:IscSmKD8nwQ2HmNnC+54rZrWMimdYPLCArmt/ToTdNM=,tag:J3QYTUtJhpn+R8hpqkA9zg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -42,8 +44,8 @@ sops:
RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ== fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-05T08:43:32Z" lastmodified: "2024-12-01T10:13:16Z"
mac: ENC[AES256_GCM,data:UMaxVqcS9SK/OclUe5k547zScx5BhAJt4f87Sfw2Ctdx6ZJRbju4310TeZUygzge4/OrCywD+9R09FzR65OBvIDxvUIqOblqzrYiHK6xRUSkUtLJEb8gzD7ycsccHaHpLYom0zbSixmMUDSthn2rexQixin9gUGVq+x9I3Z/sPk=,iv:oZAcTHjeFQjxZrNmQmJS3kJiXs1IcDbYJOo44kI3f5Y=,tag:7GINKR+6WMhlDAzeDOyrog==,type:str] mac: ENC[AES256_GCM,data:SFZz05/9Wb5o9X0ieNxrk4LJkCniliQ7ykWR+ocLw+At9Ye620JQTYFHfpzT/h+aRdborgkRtldw0c5+UOzx9+F3HtoWsrK04uQ1qso8YjO87qEqlVenVPuOVUuvyVtPQOWyLrHOOPkLSrj0a1NQdPSsfxcC04DhSkiW4RTNWXw=,iv:zp6HP14YZYt8BNj7jPPM+cb5cBZThijfcaqDZ6rH5Hg=,tag:W+/XKoj61yUXL+PC5YXQlg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1