diff --git a/common/_containers/forgejo.nix b/common/_containers/forgejo.nix
deleted file mode 100644
index 92793a9..0000000
--- a/common/_containers/forgejo.nix
+++ /dev/null
@@ -1,196 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- name = "forgejo";
-
- hostDataDir = "/var/lib/${name}";
-
- hostAddress = "10.0.0.1";
- containerAddress = "10.0.0.2";
- hostAddress6 = "fc00::1";
- containerAddress6 = "fc00::2";
-
- binds = [
- # Postgres data, must use postgres user in container and host
- {
- host = "${hostDataDir}/postgres";
- # Adjust based on container postgres data dir
- container = "/var/lib/postgresql/17";
- user = "postgres";
- uid = config.ids.uids.postgres;
- gid = config.ids.gids.postgres;
- }
- # Postgres backups
- {
- host = "${hostDataDir}/backups/postgres";
- container = "/var/backup/postgresql";
- user = "postgres";
- uid = config.ids.uids.postgres;
- gid = config.ids.gids.postgres;
- }
- # App data, uses custom user uid
- {
- host = "${hostDataDir}/data";
- container = "/var/lib/forgejo";
- user = "forgejo";
- uid = 115;
- gid = 115;
- }
- ];
- uniqueUsers = lib.foldl' (
- acc: bind: if lib.lists.any (item: item.user == bind.user) acc then acc else acc ++ [ bind ]
- ) [ ] binds;
- users = {
- users = lib.listToAttrs (
- lib.map (u: {
- name = u.user;
- value = {
- isSystemUser = true;
- name = u.user;
- uid = u.uid;
- group = u.user;
- };
- }) uniqueUsers
- );
-
- groups = lib.listToAttrs (
- lib.map (g: {
- name = g.user;
- value.gid = g.gid;
- }) uniqueUsers
- );
- };
-in
-{
- # Ensure users exists on host machine with same IDs as container
- inherit users;
-
- # Ensure directories exist on host machine
- system.activationScripts.createMediaServerDirs = ''
- ${lib.concatStringsSep "\n" (
- lib.map (bind: ''
- mkdir -p ${bind.host}
- chown -R ${toString bind.user}:${toString bind.gid} ${bind.host}
- chmod -R 750 ${bind.host}
- '') binds
- )}
- '';
-
- containers.${name} = {
- ephemeral = true;
- autoStart = true;
- privateNetwork = true;
- hostAddress = hostAddress;
- localAddress = containerAddress;
- hostAddress6 = hostAddress6;
- localAddress6 = containerAddress6;
- bindMounts = lib.foldl (
- acc: bind:
- {
- "${bind.container}" = {
- hostPath = bind.host;
- isReadOnly = false;
- };
- }
- // acc
- ) { } binds;
- config =
- { config, pkgs, ... }:
- {
- system.stateVersion = "24.11";
-
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [
- 3000
- 3032
- ];
- };
- # Use systemd-resolved inside the container
- # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
- useHostResolvConf = lib.mkForce false;
- };
- services.resolved.enable = true;
-
- # Ensure users exist on container
- inherit users;
-
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql_17.withJIT;
- enableJIT = true;
- authentication = ''
- local all all trust
- host all all 127.0.0.1/8 trust
- host all all ::1/128 trust
- host all all fc00::1/128 trust
- '';
- };
-
- # Backup database
- services.postgresqlBackup = {
- enable = true;
- };
-
- services.forgejo = {
- enable = true;
- dump = {
- enable = false;
- type = "tar.gz";
- };
- database = {
- type = "postgres";
- };
- settings = {
- DEFAULT = {
- APP_NAME = "Josh's Git";
- };
- server = {
- PROTOCOL = "http";
- DOMAIN = "git.joshuabell.xyz";
- HTTP_ADDR = "0.0.0.0";
- HTTP_PORT = 3000;
-
- START_SSH_SERVER = true;
- SSH_DOMAIN = "git.joshuabell.xyz";
- SSH_LISTEN_HOST = "0.0.0.0";
- SSH_LISTEN_PORT = 3032; # actual listen port
- SSH_PORT = 3032; # used in UI
- BUILTIN_SSH_SERVER_USER = "git";
-
- LANDING_PAGE = "explore";
- };
- service = {
- DISABLE_REGISTRATION = true;
- ENABLE_BASIC_AUTHENTICATION = false;
- DISABLE_USERS_PAGE = true;
- DISABLE_ORGANIZATIONS_PAGE = true;
- };
- repository = {
- # ENABLE_PUSH_CREATE_USER = true;
- # ENABLE_PUSH_CREATE_ORG = true;
- DISABLE_STARS = true;
- DEFAULT_PRIVATE = "private";
- };
- admin = {
- DISABLE_REGULAR_ORG_CREATION = true;
- USER_DISABLED_FEATURES = "deletion";
- };
- other = {
- SHOW_FOOTER_POWERED_BY = false;
- SHOW_FOOTER_VERSION = false;
- SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
- };
- migrations = {
- ALLOWED_DOMAINS = "*.github.com,github.com";
- ALLOW_LOCALNETWORKS = true;
- };
- };
- };
- };
- };
-}
diff --git a/common/_containers/obsidian_sync.md b/common/_containers/obsidian_sync.md
deleted file mode 100644
index 98f7e11..0000000
--- a/common/_containers/obsidian_sync.md
+++ /dev/null
@@ -1,7 +0,0 @@
-docker run \
- -e hostname=https://obsidiansync.joshuabell.xyz \
- -e database=obsidian_sync \
- -e username=obsidian_admin \
- -e password=$REPLACE \
- docker.io/oleduc/docker-obsidian-livesync-couchdb:master \
- deno -A /scripts/generate_setupuri.ts
diff --git a/common/_containers/obsidian_sync.nix b/common/_containers/obsidian_sync.nix
deleted file mode 100644
index 42f8b52..0000000
--- a/common/_containers/obsidian_sync.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- config,
- pkgs,
- ...
-}:
-let
- cfg = config.services.obsidian_sync;
-in
-{
- options.services.obsidian_sync =
- let
- lib = pkgs.lib;
- in
- {
- port = lib.mkOption {
- type = lib.types.port;
- default = 5984;
- description = "Port number for Obsidian Sync CouchDB server";
- };
- dataDir = lib.mkOption {
- type = lib.types.path;
- default = "/var/lib/obsidian_sync";
- description = "Directory to store Obsidian Sync data";
- };
- serverUrl = lib.mkOption {
- type = lib.types.str;
- description = "URL of the Obsidian Sync server";
- };
- dockerEnvFiles = lib.mkOption {
- type = lib.types.listOf lib.types.path;
- default = [ ];
- description = "List of environment files to be used by the Obsidian Sync container. When provided you must supply chouchdb user/password env files they will not be supplied by default.";
- };
- };
-
- config = {
- virtualisation.oci-containers.containers = {
- #############
- # obsidian_sync #
- #############
- obsidian_sync = {
- user = "root";
- image = "docker.io/oleduc/docker-obsidian-livesync-couchdb:master";
- ports = [
- "${toString cfg.port}:${toString cfg.port}"
- ];
- environment = {
- SERVER_URL = cfg.serverUrl;
- COUCHDB_DATABASE = "obsidian_sync";
- COUCHDB_USER = pkgs.lib.mkIf (cfg.dockerEnvFiles == [ ]) "adminu";
- COUCHDB_PASSWORD = pkgs.lib.mkIf (cfg.dockerEnvFiles == [ ]) "Password123";
- };
- environmentFiles = cfg.dockerEnvFiles;
- volumes = [
- "${cfg.dataDir}/data:/opt/couchdb/data"
- "${cfg.dataDir}/config:/opt/couchdb/etc/local.d"
- ];
- };
- };
- };
-}
diff --git a/common/flake.nix b/common/flake.nix
index 9fcfe30..1b299be 100644
--- a/common/flake.nix
+++ b/common/flake.nix
@@ -56,9 +56,6 @@
 };
 };
 };
- containers = {
- forgejo = import ./_containers/forgejo.nix;
- };
 };
 homeManagerModules = {
 zsh = import ./_home_manager/mods/zsh.nix;
diff --git a/hosts/h001/containers/default.nix b/hosts/h001/containers/default.nix
index 59cb9cd..bf033b0 100644
--- a/hosts/h001/containers/default.nix
+++ b/hosts/h001/containers/default.nix @@ -1,13 +1,9 @@ -{ inputs }: -let - common = inputs.common; -in { ... }: { imports = [ - common.nixosModules.containers.forgejo + ./forgejo.nix ./opengist.nix ./homarr.nix ./zitadel.nix @@ -55,14 +51,7 @@ in virtualisation.oci-containers.backend = "podman"; - security.acme.acceptTerms = true; - security.acme.defaults.email = "admin@joshuabell.xyz"; services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; virtualHosts = { "localhost" = { locations."/" = { @@ -70,13 +59,6 @@ in }; }; - # forgejo http traffic - "git.joshuabell.xyz" = { - locations."/" = { - proxyPass = "http://10.0.0.2:3000"; - }; - }; - "_" = { default = true; locations."/" = { @@ -84,16 +66,6 @@ in }; }; }; - - # STREAMS - # Forgejo ssh - streamConfig = '' - server { - listen 3032; - proxy_pass 10.0.0.2:3032; - } - ''; - }; networking.firewall.allowedTCPPorts = [ diff --git a/hosts/h001/containers/forgejo.nix b/hosts/h001/containers/forgejo.nix index 92793a9..bc14238 100644 --- a/hosts/h001/containers/forgejo.nix +++ b/hosts/h001/containers/forgejo.nix @@ -65,6 +65,25 @@ let }; in { + services.nginx = { + virtualHosts = { + # forgejo http traffic + "git.joshuabell.xyz" = { + locations."/" = { + proxyPass = "http://10.0.0.2:3000"; + }; + }; + }; + # STREAMS + # Forgejo ssh + streamConfig = '' + server { + listen 3032; + proxy_pass 10.0.0.2:3032; + } + ''; + }; + # Ensure users exists on host machine with same IDs as container inherit users; diff --git a/hosts/h001/containers/opengist.nix b/hosts/h001/containers/opengist.nix index e529b94..c7fb282 100644 --- a/hosts/h001/containers/opengist.nix +++ b/hosts/h001/containers/opengist.nix @@ -29,6 +29,8 @@ in ''; services.nginx.virtualHosts."gist.joshuabell.xyz" = { + # enableACME = true; + # forceSSL = true; locations = { "/" = { proxyWebsockets = true; 
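Review bot: The new `git.joshuabell.xyz` vhost proxies to Forgejo over plain HTTP and, unlike every other vhost touched in this commit, carries neither an `enableACME`/`forceSSL` line nor a comment saying where TLS is terminated, so the web login and token endpoints are served in cleartext unless something in front of nginx (not visible here) terminates TLS. The removed copy of this file (common/_containers/forgejo.nix, same blob 92793a9) shows `server.PROTOCOL = "http"` with `DOMAIN = "git.joshuabell.xyz"`, so Forgejo presumably builds its own URLs as http as well. If TLS is handled upstream, a comment such as `# TLS is terminated in front of nginx; plain HTTP here is intentional` above the vhost makes that explicit; otherwise `forceSSL = true; enableACME = true;` belong on this vhost too. The `streamConfig` block forwards SSH as a raw TCP stream, so Forgejo's built-in SSH server will presumably see every connection as coming from the host side of the container link rather than the real client — worth confirming if any per-IP rate limiting or audit logging relies on the source address. The enclosing attribute set continues outside the hunk.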
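Review bot: The `# enableACME = true;` / `# forceSSL = true;` pair added to `gist.joshuabell.xyz` (and identically to `sso.joshuabell.xyz` in zitadel.nix, `n8n.joshuabell.xyz` in n8n.nix, `sso-proxy.joshuabell.xyz` in oauth2-proxy.nix, `chat.joshuabell.xyz` in openwebui.nix and `notes.joshuabell.xyz` in trilium.nix) is commented-out code rather than configuration, and it leaves a reader unsure whether these public names — the SSO ones in particular — are meant to stay on plain HTTP. A tracked note such as `# TODO: enable ACME/forceSSL once certificates are issued (ACME defaults live in nginx.nix)` states the intent without dead lines, or the pair can simply be left out until it is switched on. The enclosing vhost definitions continue outside the hunks.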
diff --git a/hosts/h001/containers/zitadel.nix b/hosts/h001/containers/zitadel.nix index 5c24427..9dc0aca 100644 --- a/hosts/h001/containers/zitadel.nix +++ b/hosts/h001/containers/zitadel.nix @@ -68,6 +68,8 @@ in options = { }; config = { services.nginx.virtualHosts."sso.joshuabell.xyz" = { + # enableACME = true; + # forceSSL = true; locations = { "/" = { proxyWebsockets = true; diff --git a/hosts/h001/flake.nix b/hosts/h001/flake.nix index 9a7b684..e88622d 100644 --- a/hosts/h001/flake.nix +++ b/hosts/h001/flake.nix @@ -43,7 +43,7 @@ ./hardware-configuration.nix ./mods ./nginx.nix - (import ./containers { inherit inputs; }) + ./containers ( { config, pkgs, ... }: { diff --git a/hosts/h001/mods/n8n.nix b/hosts/h001/mods/n8n.nix index 463919a..e80ed5e 100644 --- a/hosts/h001/mods/n8n.nix +++ b/hosts/h001/mods/n8n.nix @@ -6,6 +6,8 @@ config = { services.nginx.virtualHosts = { "n8n.joshuabell.xyz" = { + # enableACME = true; + # forceSSL = true; locations = { "/" = { proxyWebsockets = true; diff --git a/hosts/h001/mods/nixarr.nix b/hosts/h001/mods/nixarr.nix index e561c25..0f10ce6 100644 --- a/hosts/h001/mods/nixarr.nix +++ b/hosts/h001/mods/nixarr.nix 
@@ -47,35 +47,39 @@ services.nginx = { virtualHosts = { "jellyfin.joshuabell.xyz" = { + enableACME = true; + # forceSSL = true; locations."/" = { proxyWebsockets = true; proxyPass = "http://localhost:8096"; }; }; "media.joshuabell.xyz" = { + enableACME = true; + # forceSSL = true; locations."/" = { proxyWebsockets = true; proxyPass = "http://localhost:5055"; }; }; - "10.12.14.10" = { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:8096"; - }; - }; - "jellyfin.h001.local.joshuabell.xyz" = { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:8096"; - }; - }; - "media.h001.local.joshuabell.xyz" = { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:5055"; - }; - }; + # "10.12.14.10" = { + # locations."/" = { + # proxyWebsockets = true; + # proxyPass = "http://localhost:8096"; + # }; + # }; + # "jellyfin.h001.local.joshuabell.xyz" = { + # locations."/" = { + # proxyWebsockets = true; + # proxyPass = "http://localhost:8096"; + # }; + # }; + # "media.h001.local.joshuabell.xyz" = { + # locations."/" = { + # proxyWebsockets = true; + # proxyPass = "http://localhost:5055"; + # }; + # }; }; }; }; diff --git a/hosts/h001/mods/oauth2-proxy.nix b/hosts/h001/mods/oauth2-proxy.nix index bfb34fa..a2da192 100644 --- a/hosts/h001/mods/oauth2-proxy.nix +++ b/hosts/h001/mods/oauth2-proxy.nix @@ -45,11 +45,15 @@ in }; services.nginx.virtualHosts."sso-proxy.joshuabell.xyz" = { + # enableACME = true; + # forceSSL = true; locations = { "/" = { proxyWebsockets = true; - recommendedProxySettings = true; proxyPass = "http://127.0.0.1:4180"; + extraConfig = '' + proxy_set_header X-Forwarded-Proto https; + ''; }; }; }; diff --git a/hosts/h001/mods/openwebui.nix b/hosts/h001/mods/openwebui.nix index 6b9c994..2df829d 100644 --- a/hosts/h001/mods/openwebui.nix +++ b/hosts/h001/mods/openwebui.nix 
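Review bot: `enableACME = true;` is switched on for `jellyfin.joshuabell.xyz` and `media.joshuabell.xyz` while `forceSSL` stays commented out, so a certificate is requested for each name but, as far as I can tell from the NixOS nginx module, the vhost still listens only on port 80 unless `forceSSL`, `addSSL` or `onlySSL` is set as well — please check the module's assertions on the pinned nixpkgs, since some versions reject `enableACME` without one of those. If the intent is issuance now and redirect later, `addSSL = true;` serves both schemes and is the smaller step. Separately, the three local-name vhosts (`10.12.14.10`, `jellyfin.h001.local.joshuabell.xyz`, `media.h001.local.joshuabell.xyz`) are commented out rather than deleted; git keeps the history, so removing the commented block (optionally leaving one `# local-network vhosts moved; see nginx.nix`) keeps the file readable. The enclosing `services.nginx` block continues outside the hunk.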
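Review bot: The new `extraConfig` sets `proxy_set_header X-Forwarded-Proto https;` at location level, and nginx inherits `proxy_set_header` directives from an outer level only when the current level defines none, so this single line most likely drops the `Host`, `X-Real-IP`, `X-Forwarded-For` (and `Connection ""`) headers that `recommendedProxySettings` — now enabled globally in nginx.nix and removed from this location in the same hunk — would otherwise supply; oauth2-proxy would then see the proxy rather than the client as the remote address and may mis-handle redirects on a `Host` mismatch. Hardcoding `https` while `forceSSL` is still commented out also tells oauth2-proxy the request was secure when it may have arrived in cleartext, which is only correct if TLS is terminated in front of nginx (not visible here); a comment stating that would help. Restating the standard headers in the same `extraConfig` closes the inheritance gap, as below; the rest of the vhost is outside the hunk.
```nix
extraConfig = ''
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto https;
'';
```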
@@ -17,6 +17,8 @@ in options = { }; config = { services.nginx.virtualHosts."chat.joshuabell.xyz" = { + # enableACME = true; + # forceSSL = true; locations = { "/" = { proxyWebsockets = true; diff --git a/hosts/h001/mods/trilium.nix b/hosts/h001/mods/trilium.nix index 863246d..d532b6e 100644 --- a/hosts/h001/mods/trilium.nix +++ b/hosts/h001/mods/trilium.nix @@ -1,6 +1,5 @@ { inputs, - lib, ... }: let @@ -45,6 +44,8 @@ in }; services.nginx.virtualHosts = { "notes.joshuabell.xyz" = { + # enableACME = true; + # forceSSL = true; locations = { "/" = { proxyWebsockets = true; diff --git a/hosts/h001/nginx.nix b/hosts/h001/nginx.nix index 8a52091..052aa94 100644 --- a/hosts/h001/nginx.nix +++ b/hosts/h001/nginx.nix @@ -8,7 +8,14 @@ let }; in { + security.acme.acceptTerms = true; + security.acme.defaults.email = "admin@joshuabell.xyz"; services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; clientMaxBodySize = "500m"; virtualHosts = { "10.12.14.10" = {