From 52ce5660fa48bf6a5f71cafd42e9544bfac257d4 Mon Sep 17 00:00:00 2001
From: Timo Boomers
Date: Fri, 25 Apr 2025 19:41:14 +0200
Subject: [PATCH 1/7] updated inputs

---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index f51e865..205d329 100644
--- a/flake.lock
+++ b/flake.lock
@@ -303,11 +303,11 @@
 "rust-overlay": "rust-overlay"
 },
 "locked": {
- "lastModified": 1745545895,
- "narHash": "sha256-1C1pkAtoZ30J/a2Pn5OpgKN1dc/AoqlNK0SsF5al6UY=",
+ "lastModified": 1745579354,
+ "narHash": "sha256-+Yf7JrKIKMgKDi+zHvuTOJ8Raf7NNZINgBzFaOzYD3U=",
 "owner": "lilyinstarlight",
 "repo": "nixos-cosmic",
- "rev": "96c8bca3ff32ca3f111cda1c9307e562465f25ba",
+ "rev": "41a1bf337bbd69e304ffbd7390293082336e8ebb",
 "type": "github"
 },
 "original": {
@@ -365,11 +365,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1745279238,
- "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
+ "lastModified": 1745487689,
+ "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
+ "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3",
 "type": "github"
 },
 "original": {
@@ -432,11 +432,11 @@
 ]
 },
 "locked": {
- "lastModified": 1745462120,
- "narHash": "sha256-TbVjPOl+Cg5vZ7TIn1KpQ8SOfHKD6OEgu84b6YSCfKE=",
+ "lastModified": 1745548521,
+ "narHash": "sha256-xyliq8oS5OnzXjHRGr92RtmrtYI/dflf2gSEo0wMFjc=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "79d3acd1a7e67fb9315fa5c5556eb6adf93dc2da",
+ "rev": "eb0afb4ac0720d55c29e88eb29432103d73ae11d",
 "type": "github"
 },
 "original": {
From 7a0797bcd8daa5ed544e07a4c8e4b8d61b0bab34 Mon Sep 17 00:00:00 2001
From: Timo Boomers Date: Fri, 25 Apr 2025 20:08:18 +0200 Subject: [PATCH 2/7] added caddy container --- hosts/v-th-ctr-01/home.nix | 5 ++++- modules/home/containers/caddy.nix | 36 +++++++++++++++++++++++++++++++ modules/home/default.nix | 1 + 3 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 modules/home/containers/caddy.nix diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index fd4a296..76b9a45 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -35,7 +35,10 @@ desktop-environments.hyprland.enable = false; - containers.nginx.enable = true; + containers = { + nginx.enable = true; + caddy.enbale = true; + }; }; home.packages = with pkgs; [ diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix new file mode 100644 index 0000000..6338e68 --- /dev/null +++ b/modules/home/containers/caddy.nix @@ -0,0 +1,36 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.caddy; +in { + options = { + settings.containers.caddy.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable caddy container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.caddy = { + image = "ghcr.io/iarekylew00t/caddy-cloudflare:latest"; + ports = [ + "1080:80" + "1443:8443" + ]; + volumes = [ + "~/containers/caddy/Caddyfile:/etc/caddy/Caddyfile" + ]; + }; + + home.file."containers/caddy/Caddyfile".text = '' + localhost + + response "Hello, world!" + ''; + }; +} diff --git a/modules/home/default.nix b/modules/home/default.nix index 814c54a..c184e98 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -23,5 +23,6 @@ ./desktop-environments/hyprland/default.nix ./containers/nginx.nix + ./containers/caddy.nix ]; } From fcc9fe0773b692132be6c95f260e88226c2c4ef0 Mon Sep 17 00:00:00 2001 
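Review bot: The `image` line in the new caddy.nix pulls a third-party build, `ghcr.io/iarekylew00t/caddy-cloudflare:latest`, by a mutable tag, so every pull may silently change the binary that terminates TLS for this host and there is no record of which image actually ran. Pin it by digest, `image = "ghcr.io/iarekylew00t/caddy-cloudflare@sha256:<digest>";`, or at least by a version tag, and add a comment saying why a non-official image was chosen over `docker.io/library/caddy`. The `ports` entry `"1443:8443"` also does not match the Caddyfile below it, whose `localhost` site listens on Caddy's default HTTPS port 443 inside the container, so the published port presumably reaches nothing.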
From: Timo Boomers Date: Fri, 25 Apr 2025 21:09:55 +0200 Subject: [PATCH 3/7] Modified caddy to make a simple working code --- hosts/v-th-ctr-01/configuration.nix | 31 +++++++++++++++++++++++++++++ hosts/v-th-ctr-01/home.nix | 2 +- modules/home/containers/caddy.nix | 8 ++++---- 3 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 hosts/v-th-ctr-01/configuration.nix diff --git a/hosts/v-th-ctr-01/configuration.nix b/hosts/v-th-ctr-01/configuration.nix new file mode 100644 index 0000000..d2c230a --- /dev/null +++ b/hosts/v-th-ctr-01/configuration.nix @@ -0,0 +1,31 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ modulesPath, ... }: + +{ + imports = [ + # Include the default incus configuration. + "${modulesPath}/virtualisation/lxc-container.nix" + # Include the container-specific autogenerated configuration. + ]; + + networking = { + dhcpcd.enable = false; + useDHCP = false; + useHostResolvConf = false; + }; + + systemd.network = { + enable = true; + networks."50-eth0" = { + matchConfig.Name = "eth0"; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + }; +} diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 76b9a45..5538f19 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -37,7 +37,7 @@ containers = { nginx.enable = true; - caddy.enbale = true; + caddy.enable = true; }; }; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index 6338e68..669d2a2 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix 
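Review bot: The comment `# Include the container-specific autogenerated configuration.` at the end of the `imports` list in the new configuration.nix describes an import that is not there, so a reader will assume a generated file is being pulled in when nothing is. Either add the intended import or drop the comment; if the generated file is deliberately left out, say so: `# The incus-generated config is intentionally not imported; networking is configured below.`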
@@ -23,14 +23,14 @@ in { "1443:8443" ]; volumes = [ - "~/containers/caddy/Caddyfile:/etc/caddy/Caddyfile" + "/home/deploy/containers/caddy/Caddyfile:/etc/caddy/Caddyfile:Z" ]; }; home.file."containers/caddy/Caddyfile".text = '' - localhost - - response "Hello, world!" + http://localhost { + respond "Hello there" + } ''; }; } From 8dbddaf62dd75fc4241158b4d8527bb1817218f2 Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Sat, 26 Apr 2025 11:49:14 +0200 Subject: [PATCH 4/7] fixed caddy container and added acme --- dockerfiles/caddy.Dockerfile | 8 ++++++++ hosts/v-th-ctr-01/default.nix | 8 ++++++-- hosts/v-th-ctr-01/home.nix | 4 +++- modules/home/containers/caddy.nix | 18 ++++++++++++++---- 4 files changed, 31 insertions(+), 7 deletions(-) create mode 100644 dockerfiles/caddy.Dockerfile diff --git a/dockerfiles/caddy.Dockerfile b/dockerfiles/caddy.Dockerfile new file mode 100644 index 0000000..eda476f --- /dev/null +++ b/dockerfiles/caddy.Dockerfile @@ -0,0 +1,8 @@ +FROM caddy:2.8-builder AS builder + +RUN xcaddy build \ + --with github.com/caddy-dns/transip + +FROM caddy:2.8 + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/hosts/v-th-ctr-01/default.nix b/hosts/v-th-ctr-01/default.nix index 6f42900..40b58f9 100644 --- a/hosts/v-th-ctr-01/default.nix +++ b/hosts/v-th-ctr-01/default.nix @@ -56,8 +56,12 @@ networking.firewall = { enable = true; - allowedTCPPorts = [ 80 443 53 ]; - allowedUDPPorts = [ 80 443 53 ]; + allowedTCPPorts = [ 1080 1443 1053 ]; + allowedUDPPorts = [ 1080 1443 1053 ]; + }; + + networking.hosts = { + "127.0.0.1" = [ "tbmrs.nl" ]; }; users.users.deploy = { diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 5538f19..d97da91 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix 
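Review bot: `RUN xcaddy build --with github.com/caddy-dns/transip` in the new caddy.Dockerfile takes whatever commit of the plugin is current at build time, so the image that will later handle the TransIP API credential is not reproducible and a broken or compromised upstream push lands on the next rebuild. Pin the module, `--with github.com/caddy-dns/transip@<version-or-commit>`, and pin the two `caddy:2.8*` base images by digest as well. A one-line comment above the `RUN` naming the pinned version and why the plugin is needed (DNS-01 for the wildcard certificate) would save the next reader a lookup.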
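Review bot: `allowedUDPPorts = [ 1080 1443 1053 ];` in default.nix opens UDP 1080 and 1443, but the caddy container's `ports` entries (`"1080:80"`, `"1443:443"`) publish TCP only under podman's default, so those UDP ports are reachable with nothing behind them; keep the rule set to what actually listens, `allowedUDPPorts = [ 1053 ];`, and add a `/udp` mapping only if HTTP/3 is wanted. Port 1053 is not published by any container visible in this series, so a comment naming the service it belongs to would help. The `networking.hosts` entry pinning `tbmrs.nl` to 127.0.0.1 is presumably for reaching the proxy from the host itself; that deserves a comment too, since it also masks real DNS problems when testing locally.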
@@ -23,7 +23,7 @@ applications.ssh.enable = true; applications.thunderbird.enable = false; applications.yazi.enable = true; - applications.zellij.enable = false; + applications.zellij.enable = true; services.nextcloud-sync.enable = false; services.podman.enable = true; @@ -42,6 +42,8 @@ }; home.packages = with pkgs; [ + unstable.helix + lazygit ]; # Enable home-manager diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index 669d2a2..b150e8c 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -17,18 +17,28 @@ in { config = mkIf cfg.enable { services.podman.containers.caddy = { - image = "ghcr.io/iarekylew00t/caddy-cloudflare:latest"; + image = "localhost/tboomers/caddy-custom:latest"; ports = [ "1080:80" - "1443:8443" + "1443:443" ]; volumes = [ - "/home/deploy/containers/caddy/Caddyfile:/etc/caddy/Caddyfile:Z" + "%h/containers/caddy/Caddyfile:/etc/caddy/Caddyfile" + "%h/containers/caddy/acme_key:/etc/caddy/acme_key" + "%h/containers/caddy/data:/data" ]; }; home.file."containers/caddy/Caddyfile".text = '' - http://localhost { + { + acme_dns transip xeovalyte /etc/caddy/acme_key + } + + tbmrs.nl { + respond "Hello there" + } + + http://tbmrs.nl { respond "Hello there" } ''; From af39ac1be48a58ba997d9c66a567588599af0b3b Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Sat, 26 Apr 2025 12:23:41 +0200 Subject: [PATCH 5/7] Added boilerplate for lldap and handle wildcard certificates for tbmrs.nl --- hosts/v-th-ctr-01/home.nix | 2 ++ modules/home/containers/auth.nix | 34 +++++++++++++++++++++++++++++ modules/home/containers/caddy.nix | 24 ++++++++++++-------- modules/home/containers/network.nix | 24 ++++++++++++++++++++ modules/home/default.nix | 5 ++++- 5 files changed, 79 insertions(+), 10 deletions(-) create mode 100644 modules/home/containers/auth.nix create mode 100644 modules/home/containers/network.nix 
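Review bot: The `http://tbmrs.nl` site block added to the Caddyfile serves content over plaintext; without it Caddy would redirect port-80 requests for `tbmrs.nl` to HTTPS automatically, so this block switches the default redirect off. Unless plaintext is intended, drop the block and let the automatic redirect stand, or make the redirect explicit: `http://tbmrs.nl { redir https://{host}{uri} permanent }`. The new `acme_key` volume carries the TransIP API credential and is mounted read-write; mount it `"%h/containers/caddy/acme_key:/etc/caddy/acme_key:ro"` and note in a comment that the file has to be created out of band with mode 0600, since nothing in this module manages it.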
diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index d97da91..a9a38c1 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -36,6 +36,8 @@ desktop-environments.hyprland.enable = false; containers = { + network.enable = true; + nginx.enable = true; caddy.enable = true; }; diff --git a/modules/home/containers/auth.nix b/modules/home/containers/auth.nix new file mode 100644 index 0000000..9c5b3e2 --- /dev/null +++ b/modules/home/containers/auth.nix @@ -0,0 +1,34 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.nginx; +in { + options = { + settings.containers.auth.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable authelia and lldap container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.lldap = { + image = "lldap/lldap:stable"; + network = "proxy"; + volumes = [ + "%h/containers/lldap/data:/data" + ]; + environment = { + TZ = "Europe/Amsterdam"; + LLDAP_JWT_SECRET = ""; + LLDAP_KEY_SEED = ""; + LLDAP_LDAP_BASE_DN = "dc=tbmrs,dc=nl"; + LLDAP_LDAP_USER_PASS= "changeme!"; + }; + }; + }; +} diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index b150e8c..607bd24 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -18,6 +18,7 @@ in { config = mkIf cfg.enable { services.podman.containers.caddy = { image = "localhost/tboomers/caddy-custom:latest"; + network = "proxy"; ports = [ "1080:80" "1443:443" 
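Review bot: `cfg = config.settings.containers.nginx;` in the new auth.nix reads the wrong option, so `settings.containers.auth.enable` does nothing and the lldap container follows the nginx flag instead; it should be `cfg = config.settings.containers.auth;`. The `environment` block also places secrets directly in the Nix expression — `LLDAP_JWT_SECRET` and `LLDAP_KEY_SEED` (both empty) and `LLDAP_LDAP_USER_PASS = "changeme!"` — and anything written there ends up world-readable in /nix/store and visible in `podman inspect`. Move them to a file outside the store and load it through an environment-file option if home-manager's podman module exposes one, and never commit a real admin password. Patch 6 in this series deletes this file, so the point mainly matters as the pattern for the modules that replace it.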
@@ -30,16 +31,21 @@ in { }; home.file."containers/caddy/Caddyfile".text = '' - { - acme_dns transip xeovalyte /etc/caddy/acme_key - } - - tbmrs.nl { - respond "Hello there" - } + *.tbmrs.nl, tbmrs.nl { + tls { + dns transip xeovalyte /etc/caddy/acme_key + resolvers 1.1.1.1 + } - http://tbmrs.nl { - respond "Hello there" + @root host tbmrs.nl + handle @root { + respond "Hello there" + } + + @lldap host ldap.tbmrs.nl + handle @lldap { + reverse_proxy lldap:17170 + } } ''; }; diff --git a/modules/home/containers/network.nix b/modules/home/containers/network.nix new file mode 100644 index 0000000..b26d751 --- /dev/null +++ b/modules/home/containers/network.nix @@ -0,0 +1,24 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.nginx; +in { + options = { + settings.containers.network.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable network + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.networks.proxy = { + description = "Container network for the proxy"; + autoStart = true; + }; + }; +} diff --git a/modules/home/default.nix b/modules/home/default.nix index c184e98..3bed31b 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -22,7 +22,10 @@ ./desktop-environments/hyprland/default.nix - ./containers/nginx.nix + ./containers/network.nix + + ./containers/auth.nix ./containers/caddy.nix + ./containers/nginx.nix ]; } From 4788bd8cd4c973e3dcfea6b393607702c1f8aad6 Mon Sep 17 00:00:00 2001 
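Review bot: The `*.tbmrs.nl, tbmrs.nl` site in the Caddyfile has no final `handle`, so a request for any other name under the wildcard (which the certificate now covers) matches neither `@root` nor `@lldap` and Caddy answers with an empty 200 instead of refusing; add a catch-all after the named handlers, `handle { abort }` (or `respond 404`), so unknown subdomains are not served. Putting every service under one wildcard certificate also means a single private key covers the whole zone, which is worth a comment next to the `tls` block, since later patches in this series mount that key into other containers.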
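Review bot: `cfg = config.settings.containers.nginx;` in the new network.nix gates the `proxy` network on the nginx module's flag rather than on `settings.containers.network.enable`, so the option declared a few lines below is dead and disabling nginx would remove the network that caddy (and, later in the series, kanidm and forgejo) attach to; change it to `cfg = config.settings.containers.network;`. The same copy-paste appears in auth.nix in this patch, so both should be fixed together. A short comment on the `network` option listing the containers that depend on it would make the coupling visible.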
From: Timo Boomers Date: Sat, 26 Apr 2025 14:09:34 +0200 Subject: [PATCH 6/7] Changed lldap to kanidm configuration --- hosts/v-th-ctr-01/home.nix | 1 + modules/home/containers/auth.nix | 34 ------------------------- modules/home/containers/caddy.nix | 6 ++--- modules/home/containers/kanidm.nix | 40 ++++++++++++++++++++++++++++++ modules/home/default.nix | 2 +- 5 files changed, 45 insertions(+), 38 deletions(-) delete mode 100644 modules/home/containers/auth.nix create mode 100644 modules/home/containers/kanidm.nix diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index a9a38c1..9df957b 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -40,6 +40,7 @@ nginx.enable = true; caddy.enable = true; + kanidm.enable = true; }; }; diff --git a/modules/home/containers/auth.nix b/modules/home/containers/auth.nix deleted file mode 100644 index 9c5b3e2..0000000 --- a/modules/home/containers/auth.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ config, lib, ... }: - -with lib; - -let - cfg = config.settings.containers.nginx; -in { - options = { - settings.containers.auth.enable = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - Enable authelia and lldap container - ''; - }; - }; - - config = mkIf cfg.enable { - services.podman.containers.lldap = { - image = "lldap/lldap:stable"; - network = "proxy"; - volumes = [ - "%h/containers/lldap/data:/data" - ]; - environment = { - TZ = "Europe/Amsterdam"; - LLDAP_JWT_SECRET = ""; - LLDAP_KEY_SEED = ""; - LLDAP_LDAP_BASE_DN = "dc=tbmrs,dc=nl"; - LLDAP_LDAP_USER_PASS= "changeme!"; - }; - }; - }; -} diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index 607bd24..25f0955 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix 
@@ -42,9 +42,9 @@ in { respond "Hello there" } - @lldap host ldap.tbmrs.nl - handle @lldap { - reverse_proxy lldap:17170 + @kanidm host auth.tbmrs.nl + handle @kanidm { + reverse_proxy https://auth.tbmrs.nl:8443 } } ''; diff --git a/modules/home/containers/kanidm.nix b/modules/home/containers/kanidm.nix new file mode 100644 index 0000000..4098640 --- /dev/null +++ b/modules/home/containers/kanidm.nix @@ -0,0 +1,40 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.nginx; +in { + options = { + settings.containers.kanidm.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable kanidm container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.kanidm = { + image = "kanidm/server:latest"; + network = "proxy"; + networkAlias = [ + "auth.tbmrs.nl" + ]; + volumes = [ + "%h/containers/kanidm/data:/data" + "%h/containers/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.tbmrs.nl:/data/keys" + ]; + environment = { + KANIDM_VERSION = "2"; + KANIDM_BINDADDRESS = "[::]:8443"; + KANIDM_DB_PATH = "/data/kanidm.db"; + KANIDM_TLS_CHAIN = "/data/keys/wildcard_.tbmrs.nl.crt"; + KANIDM_TLS_KEY = "/data/keys/wildcard_.tbmrs.nl.key"; + KANIDM_DOMAIN = "auth.tbmrs.nl"; + KANIDM_ORIGIN = "https://auth.tbmrs.nl"; + }; + }; + }; +} diff --git a/modules/home/default.nix b/modules/home/default.nix index 3bed31b..000e70f 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -24,8 +24,8 @@ ./containers/network.nix - ./containers/auth.nix ./containers/caddy.nix + ./containers/kanidm.nix ./containers/nginx.nix ]; } From 01343006a59a2d32a8f7e43350f01733d60e8372 Mon Sep 17 00:00:00 2001 
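Review bot: `cfg = config.settings.containers.nginx;` in the new kanidm.nix repeats the wrong-option copy-paste, so `kanidm.enable` is ignored and the identity provider starts and stops with nginx; it should be `cfg = config.settings.containers.kanidm;`. The second volume bind-mounts Caddy's live ACME directory for the `*.tbmrs.nl` wildcard into kanidm read-write, so the IdP can alter the proxy's private key and both processes share one key; mount it `:ro` at minimum and consider a separate certificate for `auth.tbmrs.nl`. `image = "kanidm/server:latest"` is a floating tag on the component that will authenticate everything else — pin a version tag or digest so upgrades are deliberate.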
From: Timo Boomers Date: Sat, 26 Apr 2025 14:54:08 +0200 Subject: [PATCH 7/7] Add forgejo container --- hosts/v-th-ctr-01/home.nix | 1 + modules/home/containers/caddy.nix | 7 ++++++- modules/home/containers/forgejo.nix | 32 +++++++++++++++++++++++++++++ modules/home/containers/kanidm.nix | 2 +- modules/home/default.nix | 1 + 5 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 modules/home/containers/forgejo.nix diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 9df957b..4a6cf08 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -41,6 +41,7 @@ nginx.enable = true; caddy.enable = true; kanidm.enable = true; + forgejo.enable = true; }; }; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index 25f0955..ad160ea 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -44,7 +44,12 @@ in { @kanidm host auth.tbmrs.nl handle @kanidm { - reverse_proxy https://auth.tbmrs.nl:8443 + reverse_proxy https://auth.tbmrs.nl + } + + @forgejo host git.tbmrs.nl + handle @forgejo { + reverse_proxy forgejo:3000 } } ''; diff --git a/modules/home/containers/forgejo.nix b/modules/home/containers/forgejo.nix new file mode 100644 index 0000000..0ba3526 --- /dev/null +++ b/modules/home/containers/forgejo.nix 
@@ -0,0 +1,32 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.forgejo; +in { + options = { + settings.containers.forgejo.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable forgejo container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.forgejo = { + image = "codeberg.org/forgejo/forgejo:11"; + network = "proxy"; + volumes = [ + "%h/containers/forgejo/data:/data" + ]; + environment = { + FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + FORGEJO__service__SHOW_REGISTRATION_BUTTON = false; + FORGEJO__service__ENABLE_PASSWORD_SIGNIN_FORM = false; + }; + }; + }; +} diff --git a/modules/home/containers/kanidm.nix b/modules/home/containers/kanidm.nix index 4098640..7f59f21 100644 --- a/modules/home/containers/kanidm.nix +++ b/modules/home/containers/kanidm.nix @@ -28,7 +28,7 @@ in { ]; environment = { KANIDM_VERSION = "2"; - KANIDM_BINDADDRESS = "[::]:8443"; + KANIDM_BINDADDRESS = "[::]:443"; KANIDM_DB_PATH = "/data/kanidm.db"; KANIDM_TLS_CHAIN = "/data/keys/wildcard_.tbmrs.nl.crt"; KANIDM_TLS_KEY = "/data/keys/wildcard_.tbmrs.nl.key"; diff --git a/modules/home/default.nix b/modules/home/default.nix index 000e70f..4e623b1 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -27,5 +27,6 @@ ./containers/caddy.nix ./containers/kanidm.nix ./containers/nginx.nix + ./containers/forgejo.nix ]; }
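Review bot: The new forgejo.nix exposes Forgejo's first-run web installer at `git.tbmrs.nl` through the proxy: until setup completes, whoever reaches it first picks the database, admin account and settings, and nothing here locks it. Set `FORGEJO__security__INSTALL_LOCK = "true";` and create the admin with `forgejo admin user create` inside the container, or keep the host unreachable until setup is done. Behind the reverse proxy Forgejo also presumably needs `FORGEJO__server__ROOT_URL = "https://git.tbmrs.nl/";` (and a matching `DOMAIN`); otherwise generated links and the OAuth redirect URI that the external-only registration relies on point at the container's default http://localhost:3000. The `true`/`false` values are Nix booleans rather than the quoted strings the other modules use; whether the podman module's `environment` option accepts them is not visible here, so a comment or a quick `nix eval` is warranted.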