nixos/hosts/lax-01/default.nix

# NixOS host module for lax-01. The host has public static IPv4/IPv6
# addresses (see network-static), terminates TLS in Traefik and forwards
# every vhost over the tailnet to app-01 / web-01. Of the module arguments
# only `config` is referenced in this file; `lib`, `pkgs`, `pkgsUnstable`
# and `inputs` are accepted for the module signature but unused here.
{
  config,
  lib,
  pkgs,
  pkgsUnstable,
  inputs,
  ...
}:
{
  # Disk layout is kept in the sibling disko module.
  imports = [
    ./disko.nix
  ];
  # Static addressing for the uplink NIC, presumably selected by MAC rather
  # than by interface name (project module; option semantics not visible
  # here). Both addresses are globally routable, so anything this host
  # listens on is Internet-reachable unless networking.firewall or the
  # CrowdSec bouncers enabled further down block it.
  network-static = {
    enable = true;
    hardwareAddress = "F2:3C:95:DE:D7:CA";
    staticAddresses = [
      "172.233.156.108/24"
      "2a01:7e03::2000:c2ff:fee5:70e7/64"
    ];
    # Keys use systemd.network [Route] spelling (Gateway, GatewayOnLink).
    staticRoutes = [
      {
        Gateway = "172.233.156.1";
        # Skip the kernel's reachability check: the v4 gateway is treated as
        # directly on the link.
        GatewayOnLink = true;
      }
      {
        # IPv6 default route via the link-local router address.
        Gateway = "fe80::1";
      }
    ];
  };
  # No local VM / remote-desktop stack on this host.
  qemu.enable = false;
  spice.enable = false;
  # Advertise this host as a Tailscale exit node, so tailnet peers can egress
  # through the public addresses above. That implies this host forwards
  # traffic it did not originate, on top of its reverse-proxy role; what the
  # project module enables beyond advertising the route is not visible here.
  network.enableTSExitNode = true;
  # Secrets decrypted by sops-nix at activation. Entries with no owner/mode
  # keep the sops-nix defaults (root-owned, 0400); the ones consumed by an
  # unprivileged service set owner + 0400 so only that service account can
  # read them.
  sops.secrets = {
    # Used verbatim as `healthchecks.environmentFile` below, hence the whole
    # file is one opaque blob ("binary") rather than a key inside a yaml file.
    "HEALTHCHECKS_SECRETS" = {
      sopsFile = ../../secrets/lax-01_healthchecks.env;
      format = "binary";
      owner = "healthchecks";
      mode = "0400";
    };
    # Borg repository passphrases and the database passwords referenced by
    # borg-config below. No owner is set, so they are readable by root only —
    # fine as long as the backup job runs as root (not visible in this file).
    "borgmatic_pass/local" = { };
    "borgmatic_pass/remote" = { };
    "postgres_databases/authentik" = { };
    "postgres_databases/healthchecks" = { };
    # CrowdSec LAPI bouncer key, readable only by the traefik user that runs
    # the traefik bouncer.
    "crowdsec/lapiKey" = {
      owner = "traefik";
      mode = "0400";
    };
  };
  # Service roles for this host (project modules, named after their options).
  # Docker hosts at least the authentik database (see the note in borg-config)
  # and the host PostgreSQL serves healthchecks.
  dockerserver.enable = true;
  dbserver-postgresql.enable = true;
  # Healthchecks instance. Its environment secrets come from the sops env
  # file above. Note that hc.its-et.me (the ping host used in borg-config) has
  # no router in this file — presumably the healthchecks module adds its own.
  healthchecks = {
    enable = true;
    environmentFile = config.sops.secrets."HEALTHCHECKS_SECRETS".path;
  };
  ntfy.enable = true;
  # CrowdSec remediation at two layers. The firewall bouncer acts in the
  # packet filter, so (assuming the module's default nftables/iptables mode)
  # it also covers the raw TCP port 2200 that bypasses HTTP entirely. The
  # traefik bouncer rejects banned clients at the HTTP layer using the LAPI
  # key from sops. No router below references a bouncer middleware, so the
  # traefik bouncer must be attached at the entrypoint by its module —
  # TODO confirm, otherwise it is enabled but never in the request path.
  crowdsec-firewall-bouncer = {
    enable = true;
  };
  crowdsec-traefik-bouncer = {
    enable = true;
    lapiKeyFile = config.sops.secrets."crowdsec/lapiKey".path;
  };
  # Presumably an http->https redirect on the plain-HTTP entrypoint, so
  # nothing is served over :80 (project option; exact behaviour not visible).
  traefik.redirectHttps = true;
  # Edge reverse proxy. Every HTTP vhost terminates TLS here (ACME resolver
  # "production", defined outside this file) and is forwarded over the
  # tailnet to app-01 / web-01; Gitea's SSH is passed through as raw TCP.
  services.traefik = {
    staticConfigOptions = {
      entryPoints = {
        # Raw TCP listener for Gitea SSH, matched by tcp.routers below and
        # opened in networking.firewall further down.
        gitea-ssh = {
          address = ":2200";
        };
      };
    };
    dynamicConfigOptions = {
      # One router per public hostname. Only changedetection and hortusfox
      # sit behind the authentik forwardauth middleware; every other app is
      # expected to enforce its own login. Two caveats for those: (1) nothing
      # visible here strips client-supplied X-authentik-* headers on routes
      # without the middleware, so none of those backends may trust such
      # headers for authentication; (2) apps that ship with auth optional or
      # off are otherwise open to the Internet — microbin and stirling-pdf
      # are worth checking. radicale presumably stays off forwardauth on
      # purpose: CalDAV clients use HTTP Basic auth and cannot follow an SSO
      # redirect (reason not stated in this file).
      http.routers = {
        bookstack = {
          entrypoints = [ "websecure" ];
          rule = "Host(`kb.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        #eric-torres-com = {
        # entrypoints = [ "websecure" ];
        # rule = "Host(`eric-torres.com`)";
        # service = "proxy-to-appserver";
        # tls.certresolver = "production";
        #};
        changedetection = {
          entrypoints = [ "websecure" ];
          rule = "Host(`change.its-et.me`)";
          # SSO gate: the request is checked by the authentik outpost first
          # (see http.middlewares).
          middlewares = [ "authentik@file" ];
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        gitea = {
          entrypoints = [ "websecure" ];
          rule = "Host(`git.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        hortusfox = {
          entrypoints = [ "websecure" ];
          rule = "Host(`plants.its-et.me`)";
          middlewares = [ "authentik@file" ];
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        immich = {
          entrypoints = [ "websecure" ];
          rule = "Host(`photos.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        its-et-me = {
          entrypoints = [ "websecure" ];
          rule = "Host(`its-et.me`)";
          service = "proxy-to-webserver";
          tls.certresolver = "production";
        };
        www-its-et-me = {
          entrypoints = [ "websecure" ];
          rule = "Host(`www.its-et.me`)";
          # strip-www is not defined in this file; it must come from another
          # part of the project's traefik dynamic config.
          middlewares = [ "strip-www@file" ];
          service = "proxy-to-webserver";
          tls.certresolver = "production";
        };
        karakeep = {
          entrypoints = [ "websecure" ];
          rule = "Host(`keep.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        linkwarden = {
          entrypoints = [ "websecure" ];
          rule = "Host(`bookmarks.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        lubelogger = {
          entrypoints = [ "websecure" ];
          rule = "Host(`ll.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        mealie = {
          entrypoints = [ "websecure" ];
          rule = "Host(`recipes.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        mealie2 = {
          entrypoints = [ "websecure" ];
          rule = "Host(`mealie.its-et.me`)";
          # Old hostname; the middleware 301s to recipes.its-et.me. It is
          # referenced without "@file", which resolves within the router's own
          # (file) provider — where redirect-mealie is defined below — so it
          # is equivalent to the explicit "@file" used for authentik.
          middlewares = [ "redirect-mealie" ];
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        microbin = {
          entrypoints = [ "websecure" ];
          rule = "Host(`paste.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        miniflux = {
          entrypoints = [ "websecure" ];
          rule = "Host(`reader.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        paperless = {
          entrypoints = [ "websecure" ];
          rule = "Host(`paperless.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        peppermint = {
          entrypoints = [ "websecure" ];
          rule = "Host(`tickets.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        radicale = {
          entrypoints = [ "websecure" ];
          rule = "Host(`dav.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        stirling-pdf = {
          entrypoints = [ "websecure" ];
          rule = "Host(`pdf.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
        vikunja = {
          entrypoints = [ "websecure" ];
          rule = "Host(`projects.its-et.me`)";
          service = "proxy-to-appserver";
          tls.certresolver = "production";
        };
      };
      # Backends are addressed by tailnet name (*.ts.net) and spoken to over
      # plain HTTP: confidentiality on that hop comes from the tailnet
      # tunnel, not from TLS. Two consequences: the backends have to accept
      # X-Forwarded-* from this proxy as authoritative, and they must not be
      # reachable on any non-tailnet interface, or the forwardauth gate could
      # be bypassed by talking to them directly — neither is enforced here.
      http.services = {
        proxy-to-appserver = {
          loadbalancer.servers = [
            {
              url = "http://app-01.tail755c5.ts.net";
            }
          ];
        };
        proxy-to-webserver = {
          loadbalancer.servers = [
            {
              url = "http://web-01.tail755c5.ts.net";
            }
          ];
        };
      };
      http.middlewares = {
        # authentik forwardauth: Traefik asks the outpost whether the request
        # is authenticated before proxying it. The outpost is reached on
        # loopback, so it runs on this host (presumably in the docker stack).
        authentik = {
          forwardauth = {
            address = "http://127.0.0.1:9000/outpost.goauthentik.io/auth/traefik";
            # Pass the request's X-Forwarded-* headers through to the outpost
            # (authentik presumably needs Host/Proto/Uri to build its
            # redirect). This is only safe while Traefik keeps dropping
            # client-supplied X-Forwarded-* at the entrypoint; if
            # forwardedHeaders.trustedIPs or .insecure is set anywhere in the
            # static config, a client could shape what the outpost sees —
            # TODO confirm neither is set outside this file.
            trustForwardHeader = true;
            # Headers copied from the outpost's response onto the proxied
            # request. Traefik's forwardAuth removes these names from the
            # incoming request before copying the outpost's values (per the
            # Traefik implementation, not anything in this file), so a client
            # cannot inject them on routes that use this middleware. The JWT
            # is among them, so the backend receives the user's token in clear
            # over the tailnet hop.
            authResponseHeaders = [
              "X-authentik-username"
              "X-authentik-groups"
              "X-authentik-email"
              "X-authentik-name"
              "X-authentik-uid"
              "X-authentik-jwt"
              "X-authentik-meta-jwks"
              "X-authentik-meta-outpost"
              "X-authentik-meta-provider"
              "X-authentik-meta-app"
              "X-authentik-meta-version"
            ];
          };
        };
        # 301 from the old mealie hostname to recipes.its-et.me, keeping the
        # path. The dots in the regex are unescaped, which is harmless here
        # because the Host rule on mealie2 already pins the hostname.
        redirect-mealie = {
          redirectRegex = {
            regex = "^https?://mealie.its-et.me/(.*)";
            # `\${` stops Nix from interpolating; Traefik receives `${1}`.
            replacement = "https://recipes.its-et.me/\${1}";
            permanent = true;
          };
        };
      };
      # Raw TCP passthrough for Gitea SSH. SSH carries no SNI, so the router
      # has to match the wildcard. The documented matcher spelling is HostSNI;
      # Traefik accepts case variants of matcher names, but confirm that on a
      # version upgrade. Because this is a plain TCP proxy (no PROXY protocol
      # configured here) app-01 sees this host's tailnet address as the client
      # IP, so source-IP banning on the backend will not work; rely on the
      # CrowdSec firewall bouncer on this host instead.
      tcp.routers = {
        gitea-ssh = {
          entrypoints = [ "gitea-ssh" ];
          rule = "Hostsni(`*`)";
          service = "gitea-ssh";
        };
      };
      tcp.services = {
        # Gitea's SSH listener on app-01, reached over the tailnet.
        gitea-ssh = {
          loadbalancer.servers = [
            {
              address = "app-01.tail755c5.ts.net:2200";
            }
          ];
        };
      };
    };
  };
  # Only the extra raw TCP port is opened here; the HTTP(S) entrypoints are
  # presumably opened by the traefik module. 2200 is the passthrough to
  # Gitea's SSH on app-01 (tcp.routers above), so it is reachable from the
  # Internet and guarded only by whatever Gitea's SSH server enforces plus
  # the CrowdSec firewall bouncer.
  networking.firewall.allowedTCPPorts = [
    2200 # for Gitea
  ];
  # Borgmatic backups (project module): one repo on the tailnet borg host
  # and one off-site at rsync.net, both over SSH. The repo passphrases are
  # the borgmatic_pass/* sops entries above, wired up by the module.
  borg-config = {
    enable = true;
    backupLabel = "lax-01";
    localRepoPath = "ssh://borg@borg-01.tail755c5.ts.net/./";
    remoteRepoPath = "ssh://fm1833@fm1833.rsync.net/./hosts/lax-01";
    # Only the user's home is captured. No service state (/var/lib, docker
    # volumes) is listed, so as far as this file shows the database dumps
    # below are the only application data in the backup.
    sourceDirectories = [
      "/home/etorres"
    ];
    # Healthchecks pings. In slug-style ping URLs the segment after /ping/ is
    # the project-wide ping key: whoever has it can report success (or
    # /fail) for any check in the project, i.e. mask a broken backup. It is
    # committed in plaintext here, unlike every other credential in this
    # file; if the repository is shared, move it into sops (the module would
    # need to take a file instead of a literal URL). hc.its-et.me is served
    # by this same host (healthchecks enabled above), so the ping goes out
    # through the public vhost.
    hcPingUrlLocal = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-lax-01";
    hcPingUrlRemote = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-lax-01-remote";
    # Databases dumped into the backup. Passwords use borgmatic's
    # `{credential file PATH}` syntax: the secret is read by borgmatic at run
    # time instead of being rendered into the generated config. This needs a
    # borgmatic release with credential-source support — confirm the pinned
    # version provides it.
    postgresqlDatabases = [
      # Note this database is running in a docker container
      {
        name = "authentik";
        username = "authentik";
        password = ''{credential file ${config.sops.secrets."postgres_databases/authentik".path}}'';
        # Reached through a port the container publishes on loopback. Docker
        # publishes on 0.0.0.0 unless told otherwise, and published ports
        # bypass networking.firewall — confirm the container binds
        # 127.0.0.1:24000 only.
        hostname = "127.0.0.1";
        port = 24000;
      }
      {
        name = "healthchecks";
        username = "healthchecks";
        password = ''{credential file ${config.sops.secrets."postgres_databases/healthchecks".path}}'';
        # No port given, so the module/borgmatic default applies; presumably
        # the host PostgreSQL enabled by dbserver-postgresql.
        hostname = "127.0.0.1";
      }
    ];
  };
  # Authorized keys for the primary user account (project module). Public
  # keys only, nothing secret. Whether password auth is disabled and which
  # user these land on is decided by the base module, not visible here.
  base.userSSHKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJc52bmxvqBOQJ8vRgI/Tz7PQU8a+4ai7/uB6j2tvJuP etorres@xenon"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEf44b6rxgLmCCTe6iIwNNGgsSfVLNmuhwtT1FGlCNp etorres@erics-mac"
  ];
}