From 40a5f794ea0a0eb41f75ab5a5a652d94cbb0d7b3 Mon Sep 17 00:00:00 2001
From: Timo Boomers
Date: Tue, 29 Apr 2025 17:35:13 +0200
Subject: [PATCH] Added pingvin and vaultwarden
---
.sops.yaml | 7 +++
flake.lock | 37 +++++++++++-
flake.nix | 4 +-
hosts/v-th-ctr-01/home.nix | 3 +
modules/home/containers/caddy.nix | 17 ++++++
modules/home/containers/homepage.nix | 9 +++
modules/home/containers/pingvin-share.nix | 69 +++++++++++++++++++++++
modules/home/containers/vaultwarden.nix | 30 ++++++++++
modules/home/default.nix | 3 +
modules/home/services/sops.nix | 38 +++++++++++++
secrets/secrets.yaml | 24 ++++++++
11 files changed, 239 insertions(+), 2 deletions(-)
create mode 100644 .sops.yaml
create mode 100644 modules/home/containers/pingvin-share.nix
create mode 100644 modules/home/containers/vaultwarden.nix
create mode 100644 modules/home/services/sops.nix
create mode 100644 secrets/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..fb3acc6
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &v-th-ctr-01 age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *v-th-ctr-01
diff --git a/flake.lock b/flake.lock
index 8651766..63b9297 100644
--- a/flake.lock
+++ b/flake.lock
@@ -395,6 +395,22 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1744868846,
+ "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1743703532,
 "narHash": "sha256-s1KLDALEeqy+ttrvqV3jx9mBZEvmthQErTVOAzbjHZs=",
@@ -421,6 +437,7 @@
 "nixpkgs-stable"
 ],
 "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix",
 "stylix": "stylix"
 }
 },
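Review bot: `creation_rules` in `.sops.yaml` names a single age recipient, the `v-th-ctr-01` host key, so `secrets/secrets.yaml` can only be decrypted or re-encrypted on that one machine; if the host is rebuilt or its `keys.txt` is lost, every secret in the file is unrecoverable and has to be re-entered from scratch. Add an operator key kept off the host as a second recipient — `- &admin age1<operator-public-key>` (placeholder) under `keys:` and `- *admin` next to `- *v-th-ctr-01` in the `age:` list — and run `sops updatekeys secrets/secrets.yaml` afterwards. The `flake.lock` hunks that follow on this line are lockfile changes and need no review.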
@@ -445,6 +462,24 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2"
+ },
+ "locked": {
+ "lastModified": 1745310711,
+ "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "stylix": {
 "inputs": {
 "base16": "base16",
@@ -457,7 +492,7 @@
 "git-hooks": "git-hooks",
 "gnome-shell": "gnome-shell",
 "home-manager": "home-manager_2",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs_3",
 "systems": "systems",
 "tinted-foot": "tinted-foot",
 "tinted-kitty": "tinted-kitty",
diff --git a/flake.nix b/flake.nix
index b77a529..5e0f789 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,9 +22,11 @@
 nixos-cosmic = {
 url = "github:lilyinstarlight/nixos-cosmic";
 };
+
+ sops-nix.url = "github:Mic92/sops-nix";
 };
- outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, home-manager, nix-colors, stylix, nixos-cosmic, ... }:
+ outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, home-manager, nix-colors, stylix, nixos-cosmic, sops-nix, ... }:
 let
 system = "x86_64-linux";
 overlay-unstable = final: prev: {
diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix
index fff0b13..727121b 100644
--- a/hosts/v-th-ctr-01/home.nix
+++ b/hosts/v-th-ctr-01/home.nix
@@ -27,6 +27,7 @@
 services.nextcloud-sync.enable = false;
 services.podman.enable = true;
+ services.sops.enable = true;
 theming.fonts.enable = false;
 theming.stylix.enable = false;
@@ -45,6 +46,8 @@
 immich.enable = true;
 homepage.enable = true;
 uptime-kuma.enable = true;
+ pingvin-share.enable = true;
+ vaultwarden.enable = true;
 };
 };
diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix
index b448266..a86310e 100644
--- a/modules/home/containers/caddy.nix
+++ b/modules/home/containers/caddy.nix
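Review bot: `sops-nix.url = "github:Mic92/sops-nix";` in `flake.nix` adds the input without pointing its `nixpkgs` at this flake's, which is why the `flake.lock` hunk above grows a second full `nixpkgs_2` entry and `stylix` is re-pointed to `nixpkgs_3`; that extra nixpkgs only serves sops-nix's own outputs, but it still has to be fetched, evaluated and kept updated alongside the real one. Declare it as `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };` so a single nixpkgs is locked, which also matches the attribute-set form already used for `nixos-cosmic` in this hunk. The `inputs` set this hunk edits starts before the hunk; the `hosts/v-th-ctr-01/home.nix` hunks on this line only flip enable flags and need no note.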
@@ -66,6 +66,23 @@ in {
 handle @uptime-kuma {
 reverse_proxy uptime-kuma:3001
 }
+
+ @pingvin-share host share.tbmrs.nl
+ handle @pingvin-share {
+ reverse_proxy pingvin-share:3000
+ }
+ }
+
+ *.local.tbmrs.nl {
+ tls {
+ dns transip xeovalyte /etc/caddy/acme_key
+ resolvers 1.1.1.1
+ }
+
+ @vaultwarden
+ handle @vaultwarden {
+ reverse_proxy vaultwarden:80
+ }
 }
 '';
 };
diff --git a/modules/home/containers/homepage.nix b/modules/home/containers/homepage.nix
index 5e4626b..17a0dac 100644
--- a/modules/home/containers/homepage.nix
+++ b/modules/home/containers/homepage.nix
@@ -81,6 +81,15 @@ in {
 container = "immich-server";
 };
 }
+ {
+ "Pingvin" = {
+ href = "https://share.tbmrs.nl";
+ description = "File sharing";
+ icon = "pingvin-share";
+ server = "podman";
+ container = "pingvin-share";
+ };
+ }
 ];
 }
 ];
diff --git a/modules/home/containers/pingvin-share.nix b/modules/home/containers/pingvin-share.nix
new file mode 100644
index 0000000..d34e836
--- /dev/null
+++ b/modules/home/containers/pingvin-share.nix
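Review bot: In the new `*.local.tbmrs.nl` site block the named matcher `@vaultwarden` is declared with no matcher tokens, so `handle @vaultwarden` has nothing to match on; judging by the `@pingvin-share host share.tbmrs.nl` line just above, it should read `@vaultwarden host vault.local.tbmrs.nl`, the host that `DOMAIN` is set to in `modules/home/containers/vaultwarden.nix`. Caddy may reject an empty matcher definition at config load, and even if it loads, a wildcard block that forwards nothing (or everything) to Vaultwarden is not what the `DOMAIN` setting implies — worth verifying with `caddy validate` before deploying. The `dns transip xeovalyte /etc/caddy/acme_key` line appears to read the TransIP API private key from the caddy container's filesystem; that key grants DNS control over the zone, so it should be bind-mounted read-only with restrictive permissions and, ideally, provisioned through the new sops module rather than a hand-placed file. The Caddyfile string this block sits in starts before the hunk.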
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.settings.containers.pingvin-share;
+in {
+ options = {
+ settings.containers.pingvin-share.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Enable Pingvin share container
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ settings.services.sops.enable = true;
+
+ services.podman.containers.pingvin-share = {
+ image = "ghcr.io/stonith404/pingvin-share";
+ network = "proxy";
+ volumes = [
+ "%h/containers/pingvin-share/data:/opt/app/backend/data"
+ # "%h/containers/pingvin-share/config.yaml:/opt/app/config.yaml"
+ "${config.sops.templates."container-pingvin.yaml".path}:/opt/app/config.yaml"
+ ];
+ environment = {
+ TRUST_PROXY = true;
+ };
+ userNS = "keep-id";
+ extraConfig = {
+ Unit = {
+ After = [
+ "sops-nix.service"
+ ];
+ };
+ };
+ };
+
+ sops.templates = {
+ "container-pingvin.yaml" = {
+ content = /*yaml*/ ''
+ general:
+ secureCookies: "true"
+ appUrl: https://share.tbmrs.nl
+ showHomePage: "false"
+ share:
+ allowRegistration: "true"
+ maxSize: "10000000000"
+ oauth:
+ disablePassword: "false"
+ oidc-enabled: "true"
+ oidc-discoveryUri: "https://auth.tbmrs.nl/oauth2/openid/pingvin/.well-known/openid-configuration"
+ oidc-clientId: pingvin
+ oidc-clientSecret: "${config.sops.placeholder."containers/pingvin-share/oidc-secret"}"
+ initUser:
+ enabled: "true"
+ username: "admin"
+ email: "admin@example.com"
+ password: "my-secure-password"
+ isAdmin: true
+ ldapDN: ""
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/home/containers/vaultwarden.nix b/modules/home/containers/vaultwarden.nix
new file mode 100644
index 0000000..8eeb548
--- /dev/null
+++ b/modules/home/containers/vaultwarden.nix
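Review bot: The `initUser` section of the `container-pingvin.yaml` template commits a literal admin credential to git — `username: "admin"`, `password: "my-secure-password"`, `isAdmin: true` — and because `disablePassword: "false"` keeps password login enabled on the public `share.tbmrs.nl`, anyone who can read this repository has an admin login until that password is rotated. Only `oidc-clientSecret` goes through `config.sops.placeholder`; route the admin password the same way, e.g. `password: "${config.sops.placeholder."containers/pingvin-share/admin-password"}"` (constructed name) with a matching `sops.secrets` entry, or set `initUser.enabled` to `"false"` once the OIDC-backed admin exists. `allowRegistration: "true"` together with `showHomePage: "false"` also leaves self-registration open on an internet-facing host, so confirm that is intended. The commented-out `config.yaml` bind mount above the template path is dead configuration and can be dropped, and `image = "ghcr.io/stonith404/pingvin-share";` carries no tag, so it floats to whatever `latest` is at pull time.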
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.settings.containers.vaultwarden;
+in {
+ options = {
+ settings.containers.vaultwarden.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Enable Vaultwarden container
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.podman.containers.vaultwarden = {
+ image = "ghcr.io/dani-garcia/vaultwarden:latest";
+ network = "proxy";
+ volumes = [
+ "%h/containers/vaultwarden/data:/data"
+ ];
+ environment = {
+ DOMAIN = "https://vault.local.tbmrs.nl";
+ };
+ };
+ };
+}
diff --git a/modules/home/default.nix b/modules/home/default.nix
index 8436fb2..4adb436 100644
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@@ -16,6 +16,7 @@
 ./services/nextcloud.nix
 ./services/podman.nix
+ ./services/sops.nix
 ./theming/fonts.nix
 ./theming/stylix.nix
@@ -31,5 +32,7 @@
 ./containers/immich.nix
 ./containers/homepage.nix
 ./containers/uptime-kuma.nix
+ ./containers/pingvin-share.nix
+ ./containers/vaultwarden.nix
 ];
 }
diff --git a/modules/home/services/sops.nix b/modules/home/services/sops.nix
new file mode 100644
index 0000000..8060f37
--- /dev/null
+++ b/modules/home/services/sops.nix
@@ -0,0 +1,38 @@
+{ lib, config, inputs, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.settings.services.sops;
+in {
+ options = {
+ settings.services.sops.enable = lib.mkOption {
+ type = lib.types.bool;
+ description = ''
+ Enable sops secret management
+ '';
+ default = false;
+ };
+ };
+
+ imports = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [
+ sops
+ age
+ ];
+
+ sops = {
+ age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password!
+
+ defaultSopsFile = ../../../secrets/secrets.yaml;
+
+ secrets = {
+ "containers/pingvin-share/oidc-secret" = { };
+ };
+ };
+ };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..efde024
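Review bot: `image = "ghcr.io/dani-garcia/vaultwarden:latest";` pulls a floating tag, so any container restart may silently move the password vault to a new upstream build; pin it to a release tag or an `@sha256:` digest so upgrades are deliberate and reproducible (the Pingvin image in the previous hunk has the same problem). Vaultwarden allows open sign-ups by default, so once the intended accounts exist add `SIGNUPS_ALLOWED = "false";` to `environment` (or restrict with `SIGNUPS_DOMAINS_WHITELIST`), since the `*.local.tbmrs.nl` block in `caddy.nix` does not itself limit who can reach it and whether `local.tbmrs.nl` resolves only internally is not visible here. A one-line comment on `"%h/containers/vaultwarden/data:/data"` noting that this directory holds the vault database and attachments and must be backed up would help the next maintainer; `pkgs` is also unused in this module.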
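Review bot: `age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"` in `modules/home/services/sops.nix` hardcodes the `/home` prefix; home-manager already knows the home directory, so `age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` stays correct on hosts with a different layout. The `# must have no password!` remark deserves a fuller comment on that line: this key file is the single secret that unlocks everything in `secrets/secrets.yaml`, it is not managed by this module and has to be provisioned on the host out of band with owner-only permissions, and it must never be added to the repository. The option description `Enable sops secret management` could also note that `imports` pulls in `inputs.sops-nix.homeManagerModules.sops` unconditionally and that `enable` only gates the packages and the `sops` settings, which is what lets `pingvin-share.nix` set `settings.services.sops.enable = true` itself. The `modules/home/default.nix` hunks on this line only register the new modules and need no note.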
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,24 @@
+example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
+containers:
+ pingvin-share:
+ oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
+ aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
+ NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
+ bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
+ ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-28T10:30:25Z"
+ mac: ENC[AES256_GCM,data:+0xSa0mD9hLgJ1bihW1v/j6HyLgOWQFBcbuv74yORHoa7gNWNAA8JtlrpWAPfWJPP9zXgUicw3hj9Z9ZGDSbEIpaDRDxcrc8HNFQEq7iOhJJCoBmeXzB5XOkeh6Xf33rR713xjL+FssMhXxCKZfEKYrC/G23JdxlLoVoT/M7lH8=,iv:s7G5jB6dHJNsPiz9TVkjNLrnX4FbS+PbbQeNC3JBg2M=,tag:gSPq6099NJqf7TSPNUxPFg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
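Review bot: `example-key` looks like a leftover from initialising the file with `sops` and is not declared anywhere in `modules/home/services/sops.nix`; drop it so that every entry in `secrets/secrets.yaml` corresponds to a secret a module actually consumes, which makes it easier to spot stale or unexpected keys later. Because this file is the only thing standing between the repository and the live OIDC secret, a pre-commit or CI check that every non-`sops:` value still starts with `ENC[` would catch an accidental plaintext save before it is pushed.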