# One-time setup for the agenix secrets used by the containers below:
#   ssh-keygen -f /etc/ssh/ssh_host_ed25519_key   # host key; bind-mounted read-only into the containers as their age identity
#   ssh-keygen -f ~/.ssh/<name>.containers
#   edit the secrets file, then (re-)encrypt with:
#   agenix -e secret.age
{ inputs, config, lib, pkgs, pkgs-unstable, ... }:
{
containers = {
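nextcloud = {
  # Own network namespace, attached to br0; hostAddress is the host end of the link.
  privateNetwork = true;
  hostAddress = "192.168.12.40";
  localAddress = "192.168.12.71/24";
  hostBridge = "br0";
  autoStart = false;
  bindMounts = {
    # Host SSH key, read-only: it is the age identity this container uses to decrypt its secret.
    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
    # NOTE(review): a writable view of a host development checkout inside the Nextcloud
    # container; anything running in the container can alter those files — confirm intended.
    "/var/www" = {
      hostPath = "/home/wayne/dev/whd";
      isReadOnly = false;
    };
  };
  # The inner `config` shadows the outer module's `config`; `inputs` comes from the outer scope.
  config = { config, pkgs, ... }:
  {
    networking.firewall.allowedTCPPorts = [ 80 ];
    imports = [ inputs.agenix.nixosModules.default ];
    age = {
      identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      # Decrypted Nextcloud admin password, consumed through adminpassFile below.
      secrets."nextcloud" = {
        file = ../secrets/nextcloud.age;
        # Owner/group read-only. The previous "770" left the decrypted password
        # group-writable and executable, which nothing here needs.
        mode = "0440";
        owner = "nextcloud";
        group = "nextcloud";
      };
    };
    services.openssh = {
      enable = true;
      ports = [ 22 ];
      settings = {
        # NOTE(review): password logins are accepted, and this container config declares no
        # users.users.wayne or authorized key; unless the account comes from elsewhere,
        # AllowUsers admits nobody. Prefer key auth with PasswordAuthentication = false.
        PasswordAuthentication = true;
        AllowUsers = [ "wayne" ]; # Only these accounts may log in; unset allows every user.
        UseDns = true;
        X11Forwarding = false;
        PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
      };
    };
    services.nextcloud = {
      enable = true;
      package = pkgs.nextcloud30;
      hostName = "nextcloud";
      # Plain HTTP only: logins and data cross the bridge unencrypted.
      https = false;
      database.createLocally = true;
      configureRedis = true;
      autoUpdateApps.enable = true;
      maxUploadSize = "16G";
      extraAppsEnable = true;
      appstoreEnable = true;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        # Apps already packaged in nixpkgs:
        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
        inherit calendar contacts mail notes onlyoffice tasks qownnotesapi;
        # Custom app installation example.
        # cookbook = pkgs.fetchNextcloudApp rec {
        #   url =
        #     "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz";
        #   sha256 = "sha256-XgBwUr26qW6wvqhrnhhhhcN4wkI+eXDHnNSm1HDbP6M=";
        # };
      };
      enableImagemagick = true;
      settings = {
        default_phone_region = "US";
        # Host names / addresses Nextcloud accepts in the request Host header.
        trusted_domains = [ "localhost" "launchpad" "192.168.12.40" "192.168.12.71" ];
      };
      config = {
        dbtype = "pgsql";
        adminuser = "nextcloud";
        # Path only; the password itself is read from the decrypted file at runtime.
        adminpassFile = config.age.secrets.nextcloud.path;
      };
    };
    system.stateVersion = "24.05";
  };
};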
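livebook = {
  autoStart = false;
  privateNetwork = true;
  hostBridge = "br0";
  localAddress = "192.168.12.72/24";
  bindMounts = {
    # Host SSH key, read-only: the age identity used to decrypt the secret below.
    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
  };
  config = { config, pkgs, ... }:
  {
    # NOTE(review): only 80 is opened, yet Livebook is told to listen on 20123 below;
    # from outside the container that port stays filtered unless opened elsewhere.
    networking.firewall.allowedTCPPorts = [ 80 ];
    imports = [ inputs.agenix.nixosModules.default ];
    age = {
      identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      secrets."whayes" = {
        file = ../secrets/whayes.age;
        # Owner/group read-only; "770" had made the decrypted file group-writable and executable.
        mode = "0440";
        # NOTE(review): no users.users.wayne is declared in this container config; the
        # ownership below only works if that account exists here — confirm.
        owner = "wayne";
        group = "wayne";
      };
    };
    services.livebook = {
      enableUserService = true;
      environment = {
        LIVEBOOK_PORT = 20123;
        # NOTE(review): this assigns the *path* of the decrypted secret (a string) as the
        # password, not the secret's contents, so the effective password is that predictable
        # path. Put LIVEBOOK_PASSWORD=<value> into the environmentFile and drop it from here.
        LIVEBOOK_PASSWORD = config.age.secrets.whayes.path;
      };
      # Plain file on the container's disk, not managed by agenix. (The "note below" the
      # original comment referred to is not present in this file.)
      environmentFile = "/var/lib/livebook.env";
      extraPackages = with pkgs; [ gcc gnumake ];
    };
    system.stateVersion = "24.05";
  };
};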
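grocy = {
  autoStart = false;
  privateNetwork = true;
  hostBridge = "br0";
  localAddress = "192.168.12.73/24";
  bindMounts = {
    # Host SSH key, read-only: the age identity used to decrypt the secret below.
    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
  };
  config = { config, pkgs, ... }:
  {
    networking.firewall.allowedTCPPorts = [ 80 ];
    imports = [ inputs.agenix.nixosModules.default ];
    age = {
      identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      # NOTE(review): nothing in this container references config.age.secrets.whayes, and no
      # users.users.wayne is declared here; the secret is decrypted onto the container's disk
      # with no consumer — consider removing it from this container.
      secrets."whayes" = {
        file = ../secrets/whayes.age;
        mode = "0440"; # was "770": group-writable and executable
        owner = "wayne";
        group = "wayne";
      };
    };
    services.grocy = {
      enable = true;
      hostName = "grocy";
      settings = {
        currency = "USD";
        culture = "en";
      };
      # Plain HTTP on the bridge; no certificate is configured.
      nginx.enableSSL = false;
      phpfpm.settings = {
        catch_workers_output = true;
        "listen.owner" = "nginx";
        "php_admin_flag[log_errors]" = true;
        "php_admin_value[error_log]" = "stderr";
        pm = "dynamic";
        "pm.max_children" = "32";
        "pm.max_requests" = "500";
        "pm.max_spare_servers" = "4";
        "pm.min_spare_servers" = "2";
        "pm.start_servers" = "2";
      };
    };
    system.stateVersion = "24.05";
  };
};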
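onlyoffice = {
  autoStart = false;
  privateNetwork = true;
  hostBridge = "br0";
  localAddress = "192.168.12.74/24";
  bindMounts = {
    # Host SSH key, read-only: the age identity used to decrypt the JWT secret below.
    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
  };
  config = { config, lib, pkgs, ... }:
  {
    networking.firewall.allowedTCPPorts = [ 80 ];
    # corefonts is unfree. allowUnfree = true already permits every unfree package; the
    # predicate only takes effect if that flag is turned back off.
    nixpkgs.config.allowUnfree = true;
    nixpkgs.config.allowUnfreePredicate = pkg:
      builtins.elem (lib.getName pkg) [ "corefonts" ];
    fonts.packages = with pkgs; [
      corefonts
    ];
    imports = [ inputs.agenix.nixosModules.default ];
    age = {
      identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      # Shared JWT secret handed to the document server via jwtSecretFile below.
      secrets."onlyoffice" = {
        file = ../secrets/onlyoffice-jwt.age;
        mode = "0440"; # was "770": group-writable and executable
        owner = "onlyoffice";
        group = "onlyoffice";
      };
    };
    services.onlyoffice = {
      enable = true;
      port = 8000;
      hostname = "onlyoffice";
      package = pkgs.onlyoffice-documentserver;
      jwtSecretFile = config.age.secrets.onlyoffice.path;
      # NOTE(review): the example/demo application is enabled on 8001; it is a test app and
      # worth disabling once the Nextcloud integration is confirmed.
      enableExampleServer = true;
      examplePort = 8001;
    };
    system.stateVersion = "24.05";
  };
};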
laravel = {
  privateNetwork = true;
  hostAddress = "192.168.12.40";
  localAddress = "192.168.12.75/24";
  hostBridge = "br0";
  autoStart = false;
  # Writable view of the host's Laravel checkout. No host SSH key is mounted here, so the
  # commented-out agenix block below would have no identity to decrypt with.
  bindMounts."/var/www" = {
    hostPath = "/home/wayne/dev/laravel";
    isReadOnly = false;
  };
  config = { config, pkgs, ... }:
  {
    networking = {
      # NOTE(review): the firewall is switched off, so the port lists below are inert and every
      # listener in the container is reachable from the bridge.
      firewall = {
        enable = false;
        allowedTCPPorts = [ 80 5173 ];
        allowedTCPPortRanges = [ { from = 8000; to = 9000; } ];
        # allowedUDPPorts = [ 53 ];
      };
      enableIPv6 = false;
      # NOTE(review): pins api.github.com to a single address, bypassing DNS; this breaks
      # silently when GitHub's address changes.
      extraHosts = ''
        140.82.116.6 api.github.com
      '';
    };
    # Secrets are not wired up in this container yet.
    # imports = [ inputs.agenix.nixosModules.default ];
    # age = {
    #   identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    #   secrets."laravel" = {
    #     file = ../secrets/laravel.age;
    #     mode = "770";
    #     owner = "laravel";
    #     group = "laravel";
    #   };
    # };
    services.mysql = {
      enable = true;
      package = pkgs.mariadb;
      user = "mysql";
      # configFile = '''';
    };
    # nginx is disabled; the virtual host is kept for when it is switched on.
    services.nginx = {
      enable = false;
      package = pkgs.nginx;
      # user = "www-data";
      virtualHosts.localhost = {
        root = "/var/www/site";
        locations."~ \\.php$".extraConfig = ''
          fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
          fastcgi_index index.php;
        '';
        locations."/robots.txt".extraConfig = ''
          rewrite ^/(.*) $1;
          return 200 "User-agent: *\nDisallow: /";
        '';
      };
    };
    services.phpfpm = {
      phpPackage = pkgs.php83;
      # NOTE(review): the pool runs as the shared "nobody" account rather than a dedicated user.
      pools.mypool = {
        user = "nobody";
        settings = {
          pm = "dynamic";
          "listen.owner" = config.services.nginx.user;
          "pm.max_children" = 5;
          "pm.start_servers" = 2;
          "pm.min_spare_servers" = 1;
          "pm.max_spare_servers" = 3;
          "pm.max_requests" = 500;
        };
      };
    };
    # programs.zsh.enable = true;
    users.groups = {
      www-data = { };
      mysql = { };
    };
    # This container config enables no services.openssh, so the authorized key is unused here.
    users.users.wayne = {
      isNormalUser = true;
      description = "Wayne Hayes";
      extraGroups = [ "networkmanager" "wheel" "wayne" "www-data" "nginx" ];
      openssh.authorizedKeys.keys = [ "ssh-rsa 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 wayne" ];
      packages = [ ];
      # shell = pkgs.zsh;
    };
    environment.systemPackages = [
      pkgs.php83
      pkgs.php83Packages.composer
      pkgs.nodejs_22
      pkgs.vim
      pkgs.git
    ];
    system.stateVersion = "24.05";
  };
};
mailpit = {
  privateNetwork = true;
  hostAddress = "192.168.12.40";
  # NOTE(review): 192.168.12.76/24 is also the localAddress of the `webserver` container;
  # both cannot be up on br0 at the same time.
  localAddress = "192.168.12.76/24";
  hostBridge = "br0";
  autoStart = false;
  # bindMounts = {
  #   "/var/www" = {
  #     hostPath = "/home/wayne/dev/laravel";
  #     isReadOnly = false;
  #   };
  # };
  config = { config, pkgs, pkgs-unstable, ... }:
  {
    networking = {
      # Firewall off: the port list is inert and every listener is reachable from the bridge.
      firewall = {
        enable = false;
        allowedTCPPorts = [ 1025 8025 ];
      };
      enableIPv6 = false;
    };
    # imports = [ inputs.agenix.nixosModules.default ];
    # age = {
    #   identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    #   secrets."laravel" = {
    #     file = ../secrets/laravel.age;
    #     mode = "770";
    #     owner = "laravel";
    #     group = "laravel";
    #   };
    # };
    # nginx is disabled; the virtual host below is a leftover copy from the laravel container.
    services.nginx = {
      enable = false;
      package = pkgs.nginx;
      # user = "www-data";
      virtualHosts.localhost = {
        root = "/var/www/site";
        locations."~ \\.php$".extraConfig = ''
          fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
          fastcgi_index index.php;
        '';
        locations."/robots.txt".extraConfig = ''
          rewrite ^/(.*) $1;
          return 200 "User-agent: *\nDisallow: /";
        '';
      };
    };
    # The mailpit package is installed below, but nothing starts it: this service block is off.
    # services.mailpit = {
    #   instances = {
    #     vmail = {
    #       max = 100;
    #       smtp = "127.0.0.1:1025";
    #       listen = "127.0.0.1:8025";
    #       database = "mailpit.db";
    #     };
    #   };
    # };
    # Unstable package set for this container's modules, evaluated with the same system and
    # nixpkgs config as the stable set; this is what the `pkgs-unstable` argument above is.
    _module.args.pkgs-unstable = import inputs.nixpkgs-unstable {
      inherit (pkgs.stdenv.hostPlatform) system;
      inherit (config.nixpkgs) config;
    };
    environment.systemPackages = [
      pkgs.vim
      pkgs-unstable.mailpit
    ];
    system.stateVersion = "24.11";
  };
};
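webserver = {
  privateNetwork = true;
  hostAddress = "192.168.12.40";
  # NOTE(review): same localAddress as the `mailpit` container; the two cannot share br0.
  localAddress = "192.168.12.76/24";
  hostBridge = "br0";
  autoStart = false;
  bindMounts = {
    # Writable view of the host's live site checkout; nginx serves /var/www/public from it.
    "/var/www" = {
      hostPath = "/home/wayne/dev/whd/live";
      isReadOnly = false;
    };
  };
  # Testing to see if this even works
  # forwardPorts = [
  #   { hostPort = 8080; containerPort = 80; protocol = "tcp";}
  #   { hostPort = 2222; containerPort = 22; protocol = "tcp";}
  # ];
  config = { config, pkgs, pkgs-unstable, ... }:
  {
    networking.firewall = {
      enable = true;
      # NOTE(review): 3306 is opened although services.mysql is commented out, and 2222/8080
      # belong to the commented-out forwardPorts; prune to ports something here listens on.
      allowedTCPPorts = [ 22 80 443 1025 3000 3001 8025 8080 2222 3306 ];
    };
    networking = {
      enableIPv6 = false;
    };
    users = {
      groups = {
        www-data = {};
        mysql = {};
        php = {};
      };
      users = {
        wayne = {
          isNormalUser = true;
          description = "Wayne Hayes";
          extraGroups = [ "networkmanager" "wheel" "wayne" "www-data" "nginx" "php" ];
          openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6q75AXShVjzWerPFU3l0YXIKViNF4eyragL+RQIRwdNDMzW34GgxFhtyLsmRB2jsykf4gx76zSyJoii0K4uhS761w5oDXz9mqHnBzJutDTyltLyfgLsFKY8V2sOtSracWx4y6QrtmBR3MKV642kg5mufVEmCMVxBU9oVpIOJUSW+XNYBawaSkl5SjDMLI7flj0v9Hb2dZqjQigDM1+UHxTzcMoZnR6hAzoZpPNMGyZXtrgEotNywNdpxCqRV9T/KvKHSIVYc1umiDXc+5fyRo9v7CzvYY3MvRKWbgUfTVQRmR2kqwsGAsV5W+PEUb8qqmTjPVXusKxKlpGgYfsvIZOv0LgOvQMemga8psFIS9F4YQ1xuc092bKi1LteC+ZlabMLRMux6Wbhjci+v9wnLfTyBQc6wr3wDFJoELKyaLnI7Cn0KHn0k+BiYCCr2TjKrz9XztL490vprYtvVumNFZ3rxewGnZSn/2czaFfQgnXt+9xQGWWo9TJGE5jq1jThnsIbH3G9JIQ1WhomMq6DDRhGMX2ZKDk/M9/fk0XN5nvQyJNmbiHy5srW/VANx8R9jjsVkvX29MXeK6dzpR4ImywXggpYMeHB6moy06cJUu5WoR8aLS/rO5LbZM2j14AMQ2ZK79QfUJSdloA1/HHlmnx7YtzZOebD6BCR7xgasGRw== wayne"];
          packages = with pkgs; [];
        };
        # NOTE(review): declared but unused — the PHP-FPM pool below runs as "nobody";
        # pointing pools.mypool.user/group at this account would give PHP its own identity.
        php = {
          isSystemUser = true;
          group = "php";
        };
      };
    };
    services.openssh = {
      enable = true;
      ports = [ 22 ];
      settings = {
        # NOTE(review): wayne already has an authorized key above, so password logins add
        # exposure without benefit; set this to false once key login is confirmed.
        PasswordAuthentication = true;
        AllowUsers = [ "wayne" ]; # Only these accounts may log in; unset allows every user.
        UseDns = true;
        X11Forwarding = false;
        PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
      };
    };
    # services.mysql = {
    #   enable = false;
    #   package = pkgs.mariadb;
    #   user = "mysql";
    #   # configFile = '''';
    # };
    services.nginx = {
      enable = true;
      package = pkgs.nginx;
      virtualHosts.localhost = {
        root = "/var/www/public";
        # Fixed: the original "index index.php, index.html;" made nginx look for a file
        # literally named "index.php," — the index directive is space-separated.
        extraConfig = ''
          index index.php index.html;
        '';
        # NOTE(review): wildcard Access-Control-Allow-Origin on every response lets any origin
        # read unauthenticated responses; restrict it to the origins that need it. `Accept`
        # is a request header and has no meaning as a response header.
        locations."/".extraConfig = ''
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
          add_header 'Access-Control-Allow-Methods' 'GET, POST, HEAD, OPTIONS';
          add_header 'Accept' 'application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8';
          index index.php index.html;
          try_files $uri $uri/ /index.php;
        '';
        locations."~ \\.php$".extraConfig = ''
          fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
          fastcgi_index index.php;
          # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          # fastcgi_param APPLICATION_ENV development;
          # fastcgi_intercept_errors off;
          # fastcgi_buffer_size 16k;
          # fastcgi_buffers 4 16k;
        '';
        locations."~ \\.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map|woff|woff2)$".extraConfig = ''
          try_files $uri /index.php$request_uri;
          expires 7d; # Cache-Control policy borrowed from `.htaccess`
        '';
        locations."/robots.txt" = {
          extraConfig = ''
            rewrite ^/(.*) $1;
            return 200 "User-agent: *\nDisallow: /";
          '';
        };
      };
    };
    services.phpfpm = {
      phpPackage = pkgs.php83;
      pools.mypool = {
        user = "nobody";
        settings = {
          "pm" = "dynamic";
          "listen.owner" = config.services.nginx.user;
          "pm.max_children" = 32;
          "pm.start_servers" = 2;
          "pm.min_spare_servers" = 1;
          "pm.max_spare_servers" = 3;
          "pm.max_requests" = 500;
        };
      };
      # NOTE(review): loads xdebug into the serving PHP-FPM — a development-only extension in a
      # container that is reachable from the bridge.
      phpOptions = ''
        extension=${pkgs.php83Extensions.xdebug}/lib/php/extensions/xdebug.so
      '';
      extraConfig = ''
      '';
    };
    # Unstable package set for this container's modules, evaluated with the same system and
    # nixpkgs config as the stable set; this is what the `pkgs-unstable` argument above is.
    _module.args.pkgs-unstable = import inputs.nixpkgs-unstable {
      inherit (pkgs.stdenv.hostPlatform) system;
      inherit (config.nixpkgs) config;
    };
    environment.systemPackages = ( with pkgs; [
      vim git
      php83 php83Extensions.xdebug
      nodejs_22 nodePackages.npm nodePackages.browser-sync
    ])
    ++
    (with pkgs-unstable; [
      mailpit
    ]);
    system.stateVersion = "24.05";
  };
};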
};
}