xeovalyte/nix
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added pingvin and vaultwarden

Browse Source
This commit is contained in:
Timo Boomers 2025-04-29 17:35:13 +02:00
parent b6a91b7dcb
commit 40a5f794ea
11 changed files with 239 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.sops.yaml Normal file
View File

@ -0,0 +1,7 @@
keys:
- &v-th-ctr-01 age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *v-th-ctr-01

37
flake.lock generated
View File

@ -395,6 +395,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1744868846,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1743703532, "lastModified": 1743703532,
"narHash": "sha256-s1KLDALEeqy+ttrvqV3jx9mBZEvmthQErTVOAzbjHZs=", "narHash": "sha256-s1KLDALEeqy+ttrvqV3jx9mBZEvmthQErTVOAzbjHZs=",
@ -421,6 +437,7 @@
"nixpkgs-stable" "nixpkgs-stable"
], ],
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"stylix": "stylix" "stylix": "stylix"
} }
}, },
@ -445,6 +462,24 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1745310711,
"narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stylix": { "stylix": {
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",
@ -457,7 +492,7 @@
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"systems": "systems", "systems": "systems",
"tinted-foot": "tinted-foot", "tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty", "tinted-kitty": "tinted-kitty",

4
flake.nix
View File

@ -22,9 +22,11 @@
nixos-cosmic = { nixos-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic"; url = "github:lilyinstarlight/nixos-cosmic";
}; };
sops-nix.url = "github:Mic92/sops-nix";
}; };
outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, home-manager, nix-colors, stylix, nixos-cosmic, ... }: outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, home-manager, nix-colors, stylix, nixos-cosmic, sops-nix, ... }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
overlay-unstable = final: prev: { overlay-unstable = final: prev: {

3
hosts/v-th-ctr-01/home.nix
View File

@ -27,6 +27,7 @@
services.nextcloud-sync.enable = false; services.nextcloud-sync.enable = false;
services.podman.enable = true; services.podman.enable = true;
services.sops.enable = true;
theming.fonts.enable = false; theming.fonts.enable = false;
theming.stylix.enable = false; theming.stylix.enable = false;
@ -45,6 +46,8 @@
immich.enable = true; immich.enable = true;
homepage.enable = true; homepage.enable = true;
uptime-kuma.enable = true; uptime-kuma.enable = true;
pingvin-share.enable = true;
vaultwarden.enable = true;
}; };
}; };

17
modules/home/containers/caddy.nix
View File

@ -66,6 +66,23 @@ in {
handle @uptime-kuma { handle @uptime-kuma {
reverse_proxy uptime-kuma:3001 reverse_proxy uptime-kuma:3001
} }
@pingvin-share host share.tbmrs.nl
handle @pingvin-share {
reverse_proxy pingvin-share:3000
}
}
*.local.tbmrs.nl {
tls {
dns transip xeovalyte /etc/caddy/acme_key
resolvers 1.1.1.1
}
@vaultwarden
handle @vaultwarden {
reverse_proxy vaultwarden:80
}
} }
''; '';
}; };

9
modules/home/containers/homepage.nix
View File

@ -81,6 +81,15 @@ in {
container = "immich-server"; container = "immich-server";
}; };
} }
{
"Pingvin" = {
href = "https://share.tbmrs.nl";
description = "File sharing";
icon = "pingvin-share";
server = "podman";
container = "pingvin-share";
};
}
]; ];
} }
]; ];

69
modules/home/containers/pingvin-share.nix Normal file
View File

@ -0,0 +1,69 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.settings.containers.pingvin-share;
in {
options = {
settings.containers.pingvin-share.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Pingvin share container
'';
};
};
config = mkIf cfg.enable {
settings.services.sops.enable = true;
services.podman.containers.pingvin-share = {
image = "ghcr.io/stonith404/pingvin-share";
network = "proxy";
volumes = [
"%h/containers/pingvin-share/data:/opt/app/backend/data"
# "%h/containers/pingvin-share/config.yaml:/opt/app/config.yaml"
"${config.sops.templates."container-pingvin.yaml".path}:/opt/app/config.yaml"
];
environment = {
TRUST_PROXY = true;
};
userNS = "keep-id";
extraConfig = {
Unit = {
After = [
"sops-nix.service"
];
};
};
};
sops.templates = {
"container-pingvin.yaml" = {
content = /*yaml*/ ''
general:
secureCookies: "true"
appUrl: https://share.tbmrs.nl
showHomePage: "false"
share:
allowRegistration: "true"
maxSize: "10000000000"
oauth:
disablePassword: "false"
oidc-enabled: "true"
oidc-discoveryUri: "https://auth.tbmrs.nl/oauth2/openid/pingvin/.well-known/openid-configuration"
oidc-clientId: pingvin
oidc-clientSecret: "${config.sops.placeholder."containers/pingvin-share/oidc-secret"}"
initUser:
enabled: "true"
username: "admin"
email: "admin@example.com"
password: "my-secure-password"
isAdmin: true
ldapDN: ""
'';
};
};
};
}

30
modules/home/containers/vaultwarden.nix Normal file
View File

@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.settings.containers.vaultwarden;
in {
options = {
settings.containers.vaultwarden.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Vaultwarden container
'';
};
};
config = mkIf cfg.enable {
services.podman.containers.vaultwarden = {
image = "ghcr.io/dani-garcia/vaultwarden:latest";
network = "proxy";
volumes = [
"%h/containers/vaultwarden/data:/data"
];
environment = {
DOMAIN = "https://vault.local.tbmrs.nl";
};
};
};
}

3
modules/home/default.nix
View File

@ -16,6 +16,7 @@
./services/nextcloud.nix ./services/nextcloud.nix
./services/podman.nix ./services/podman.nix
./services/sops.nix
./theming/fonts.nix ./theming/fonts.nix
./theming/stylix.nix ./theming/stylix.nix
@ -31,5 +32,7 @@
./containers/immich.nix ./containers/immich.nix
./containers/homepage.nix ./containers/homepage.nix
./containers/uptime-kuma.nix ./containers/uptime-kuma.nix
./containers/pingvin-share.nix
./containers/vaultwarden.nix
]; ];
} }

38
modules/home/services/sops.nix Normal file
View File

@ -0,0 +1,38 @@
{ lib, config, inputs, pkgs, ... }:
with lib;
let
cfg = config.settings.services.sops;
in {
options = {
settings.services.sops.enable = lib.mkOption {
type = lib.types.bool;
description = ''
Enable sops secret management
'';
default = false;
};
};
imports = [
inputs.sops-nix.homeManagerModules.sops
];
config = mkIf cfg.enable {
home.packages = with pkgs; [
sops
age
];
sops = {
age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password!
defaultSopsFile = ../../../secrets/secrets.yaml;
secrets = {
"containers/pingvin-share/oidc-secret" = { };
};
};
};
}

24
secrets/secrets.yaml Normal file
View File

@ -0,0 +1,24 @@
example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
containers:
pingvin-share:
oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-28T10:30:25Z"
mac: ENC[AES256_GCM,data:+0xSa0mD9hLgJ1bihW1v/j6HyLgOWQFBcbuv74yORHoa7gNWNAA8JtlrpWAMfWJPP9zXgUicw3hj9Z9ZGDSbEIpaDRDxcrc8HNFQEq7iOhJJCoBmeXzB5XOkeh6Xf33rR713xjL+FssMhXxCKZfEKYrC/G23JdxlLoVoT/M7lH8=,iv:s7G5jB6dHJNsPiz9TVkjNLrnX4FbS+PbbQeNC3JBg2M=,tag:gSPq6099NJqf7TSPNUxPFg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4