From fcc9fe0773b692132be6c95f260e88226c2c4ef0 Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Fri, 25 Apr 2025 21:09:55 +0200 Subject: [PATCH 01/14] Modified caddy to make a simple working code --- hosts/v-th-ctr-01/configuration.nix | 31 +++++++++++++++++++++++++++++ hosts/v-th-ctr-01/home.nix | 2 +- modules/home/containers/caddy.nix | 8 ++++---- 3 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 hosts/v-th-ctr-01/configuration.nix diff --git a/hosts/v-th-ctr-01/configuration.nix b/hosts/v-th-ctr-01/configuration.nix new file mode 100644 index 0000000..d2c230a --- /dev/null +++ b/hosts/v-th-ctr-01/configuration.nix @@ -0,0 +1,31 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ modulesPath, ... }: + +{ + imports = [ + # Include the default incus configuration. + "${modulesPath}/virtualisation/lxc-container.nix" + # Include the container-specific autogenerated configuration. + ]; + + networking = { + dhcpcd.enable = false; + useDHCP = false; + useHostResolvConf = false; + }; + + systemd.network = { + enable = true; + networks."50-eth0" = { + matchConfig.Name = "eth0"; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + }; +} diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 76b9a45..5538f19 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -37,7 +37,7 @@ containers = { nginx.enable = true; - caddy.enbale = true; + caddy.enable = true; }; }; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index 6338e68..669d2a2 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix 
@@ -23,14 +23,14 @@ in { "1443:8443" ]; volumes = [ - "~/containers/caddy/Caddyfile:/etc/caddy/Caddyfile" + "/home/deploy/containers/caddy/Caddyfile:/etc/caddy/Caddyfile:Z" ]; }; home.file."containers/caddy/Caddyfile".text = '' - localhost - - response "Hello, world!" + http://localhost { + respond "Hello there" + } ''; }; } From 8dbddaf62dd75fc4241158b4d8527bb1817218f2 Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Sat, 26 Apr 2025 11:49:14 +0200 Subject: [PATCH 02/14] fixed caddy container and added acme --- dockerfiles/caddy.Dockerfile | 8 ++++++++ hosts/v-th-ctr-01/default.nix | 8 ++++++-- hosts/v-th-ctr-01/home.nix | 4 +++- modules/home/containers/caddy.nix | 18 ++++++++++++++---- 4 files changed, 31 insertions(+), 7 deletions(-) create mode 100644 dockerfiles/caddy.Dockerfile diff --git a/dockerfiles/caddy.Dockerfile b/dockerfiles/caddy.Dockerfile new file mode 100644 index 0000000..eda476f --- /dev/null +++ b/dockerfiles/caddy.Dockerfile @@ -0,0 +1,8 @@ +FROM caddy:2.8-builder AS builder + +RUN xcaddy build \ + --with github.com/caddy-dns/transip + +FROM caddy:2.8 + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/hosts/v-th-ctr-01/default.nix b/hosts/v-th-ctr-01/default.nix index 6f42900..40b58f9 100644 --- a/hosts/v-th-ctr-01/default.nix +++ b/hosts/v-th-ctr-01/default.nix @@ -56,8 +56,12 @@ networking.firewall = { enable = true; - allowedTCPPorts = [ 80 443 53 ]; - allowedUDPPorts = [ 80 443 53 ]; + allowedTCPPorts = [ 1080 1443 1053 ]; + allowedUDPPorts = [ 1080 1443 1053 ]; + }; + + networking.hosts = { + "127.0.0.1" = [ "tbmrs.nl" ]; }; users.users.deploy = { diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 5538f19..d97da91 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix 
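Review bot: `RUN xcaddy build --with github.com/caddy-dns/transip` pulls whatever the plugin's default branch is at build time, so the binary that terminates TLS for every site and holds the TransIP API key is neither reproducible nor protected against an upstream change slipping in on the next rebuild. Pin the module to a tag or commit, e.g. `--with github.com/caddy-dns/transip@<version>`, and consider pinning `caddy:2.8-builder` / `caddy:2.8` by digest so `localhost/tboomers/caddy-custom` can be rebuilt identically. The unqualified `caddy:` references also rely on short-name registry resolution; `docker.io/library/caddy:2.8` says what is meant.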
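Review bot: `allowedUDPPorts = [ 1080 1443 1053 ];` opens UDP on ports nothing in this series listens on — the Caddy container only publishes TCP `1080:80` and `1443:443`, and no container in the diff binds 1053 on either protocol. Trim the rules to what is actually served, `allowedTCPPorts = [ 1080 1443 ];`, and add `1443` to UDP only if HTTP/3 is published with a `1443:443/udp` mapping; an unused open port is a standing invitation for the next service to be exposed by accident. The `networking.hosts` entry that points `tbmrs.nl` at `127.0.0.1` presumably serves a purpose outside this diff (nothing listens on loopback 80/443 with these mappings); a one-line comment on why it exists would help.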
@@ -23,7 +23,7 @@ applications.ssh.enable = true; applications.thunderbird.enable = false; applications.yazi.enable = true; - applications.zellij.enable = false; + applications.zellij.enable = true; services.nextcloud-sync.enable = false; services.podman.enable = true; @@ -42,6 +42,8 @@ }; home.packages = with pkgs; [ + unstable.helix + lazygit ]; # Enable home-manager diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index 669d2a2..b150e8c 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -17,18 +17,28 @@ in { config = mkIf cfg.enable { services.podman.containers.caddy = { - image = "ghcr.io/iarekylew00t/caddy-cloudflare:latest"; + image = "localhost/tboomers/caddy-custom:latest"; ports = [ "1080:80" - "1443:8443" + "1443:443" ]; volumes = [ - "/home/deploy/containers/caddy/Caddyfile:/etc/caddy/Caddyfile:Z" + "%h/containers/caddy/Caddyfile:/etc/caddy/Caddyfile" + "%h/containers/caddy/acme_key:/etc/caddy/acme_key" + "%h/containers/caddy/data:/data" ]; }; home.file."containers/caddy/Caddyfile".text = '' - http://localhost { + { + acme_dns transip xeovalyte /etc/caddy/acme_key + } + + tbmrs.nl { + respond "Hello there" + } + + http://tbmrs.nl { respond "Hello there" } ''; From af39ac1be48a58ba997d9c66a567588599af0b3b Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Sat, 26 Apr 2025 12:23:41 +0200 Subject: [PATCH 03/14] Added boilerplate for lldap and handle wildcard certificates for tbmrs.nl --- hosts/v-th-ctr-01/home.nix | 2 ++ modules/home/containers/auth.nix | 34 +++++++++++++++++++++++++++++ modules/home/containers/caddy.nix | 24 ++++++++++++-------- modules/home/containers/network.nix | 24 ++++++++++++++++++++ modules/home/default.nix | 5 ++++- 5 files changed, 79 insertions(+), 10 deletions(-) create mode 100644 modules/home/containers/auth.nix create mode 100644 modules/home/containers/network.nix 
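Review bot: The TransIP credential is mounted read-write — `"%h/containers/caddy/acme_key:/etc/caddy/acme_key"` — although Caddy only reads it; append `:ro` so a compromised Caddy process cannot overwrite or truncate it, and note in a comment the file mode the key must have, since nothing in the diff creates or chmods it. `image = "localhost/tboomers/caddy-custom:latest";` is a floating local tag, so which build of the custom Caddy runs depends on the last `podman build` executed on the host rather than on this configuration; tagging builds (or recording the digest) keeps the deployment reproducible. Worth a comment next to `acme_dns transip xeovalyte /etc/caddy/acme_key` that this is presumably a full-account API key rather than one scoped to `_acme-challenge`, so anyone rotating it knows what it can do.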
diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index d97da91..a9a38c1 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -36,6 +36,8 @@ desktop-environments.hyprland.enable = false; containers = { + network.enable = true; + nginx.enable = true; caddy.enable = true; }; diff --git a/modules/home/containers/auth.nix b/modules/home/containers/auth.nix new file mode 100644 index 0000000..9c5b3e2 --- /dev/null +++ b/modules/home/containers/auth.nix @@ -0,0 +1,34 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.nginx; +in { + options = { + settings.containers.auth.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable authelia and lldap container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.lldap = { + image = "lldap/lldap:stable"; + network = "proxy"; + volumes = [ + "%h/containers/lldap/data:/data" + ]; + environment = { + TZ = "Europe/Amsterdam"; + LLDAP_JWT_SECRET = ""; + LLDAP_KEY_SEED = ""; + LLDAP_LDAP_BASE_DN = "dc=tbmrs,dc=nl"; + LLDAP_LDAP_USER_PASS= "changeme!"; + }; + }; + }; +} diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index b150e8c..607bd24 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -18,6 +18,7 @@ in { config = mkIf cfg.enable { services.podman.containers.caddy = { image = "localhost/tboomers/caddy-custom:latest"; + network = "proxy"; ports = [ "1080:80" "1443:443" 
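Review bot: `cfg = config.settings.containers.nginx;` means `settings.containers.auth.enable`, the option this file declares, is never read and the lldap container follows the nginx toggle instead; it should be `cfg = config.settings.containers.auth;`. Separately, `LLDAP_JWT_SECRET = ""`, `LLDAP_KEY_SEED = ""` and `LLDAP_LDAP_USER_PASS = "changeme!"` put the directory's token-signing secret, key seed and admin password into the world-readable Nix store; these need a secrets mechanism (sops-nix is introduced later in this series) or at least an env file mounted from outside the store, and the empty values should be generated rather than left blank.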
@@ -30,16 +31,21 @@ in { }; home.file."containers/caddy/Caddyfile".text = '' - { - acme_dns transip xeovalyte /etc/caddy/acme_key - } - - tbmrs.nl { - respond "Hello there" - } + *.tbmrs.nl, tbmrs.nl { + tls { + dns transip xeovalyte /etc/caddy/acme_key + resolvers 1.1.1.1 + } - http://tbmrs.nl { - respond "Hello there" + @root host tbmrs.nl + handle @root { + respond "Hello there" + } + + @lldap host ldap.tbmrs.nl + handle @lldap { + reverse_proxy lldap:17170 + } } ''; }; diff --git a/modules/home/containers/network.nix b/modules/home/containers/network.nix new file mode 100644 index 0000000..b26d751 --- /dev/null +++ b/modules/home/containers/network.nix @@ -0,0 +1,24 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.nginx; +in { + options = { + settings.containers.network.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable network + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.networks.proxy = { + description = "Container network for the proxy"; + autoStart = true; + }; + }; +} diff --git a/modules/home/default.nix b/modules/home/default.nix index c184e98..3bed31b 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -22,7 +22,10 @@ ./desktop-environments/hyprland/default.nix - ./containers/nginx.nix + ./containers/network.nix + + ./containers/auth.nix ./containers/caddy.nix + ./containers/nginx.nix ]; } From 4788bd8cd4c973e3dcfea6b393607702c1f8aad6 Mon Sep 17 00:00:00 2001 
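Review bot: The `*.tbmrs.nl, tbmrs.nl` site has no terminal `handle` for hosts that match none of the named matchers, so any other subdomain covered by the wildcard certificate is answered with Caddy's default empty 200, and every future service added to this block inherits that behaviour. Add a fallback after the last matcher, `handle { respond 404 }` (or `abort`), so unknown names fail closed. `resolvers 1.1.1.1` deserves a one-line comment that it only affects the DNS-01 propagation check for the TransIP challenge, not container name resolution.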
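Review bot: `cfg = config.settings.containers.nginx;` is copied from another module, so `settings.containers.network.enable` — declared here and set in `home.nix` — is never consulted and the `proxy` network only exists while nginx is enabled; change it to `cfg = config.settings.containers.network;`. Every other container in this series joins `network = "proxy"`, so a wrong toggle here fails all of them at start, which is worth fixing before more services depend on it.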
From: Timo Boomers Date: Sat, 26 Apr 2025 14:09:34 +0200 Subject: [PATCH 04/14] Changed lldap to kanidm configuration --- hosts/v-th-ctr-01/home.nix | 1 + modules/home/containers/auth.nix | 34 ------------------------- modules/home/containers/caddy.nix | 6 ++--- modules/home/containers/kanidm.nix | 40 ++++++++++++++++++++++++++++++ modules/home/default.nix | 2 +- 5 files changed, 45 insertions(+), 38 deletions(-) delete mode 100644 modules/home/containers/auth.nix create mode 100644 modules/home/containers/kanidm.nix diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index a9a38c1..9df957b 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -40,6 +40,7 @@ nginx.enable = true; caddy.enable = true; + kanidm.enable = true; }; }; diff --git a/modules/home/containers/auth.nix b/modules/home/containers/auth.nix deleted file mode 100644 index 9c5b3e2..0000000 --- a/modules/home/containers/auth.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ config, lib, ... }: - -with lib; - -let - cfg = config.settings.containers.nginx; -in { - options = { - settings.containers.auth.enable = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - Enable authelia and lldap container - ''; - }; - }; - - config = mkIf cfg.enable { - services.podman.containers.lldap = { - image = "lldap/lldap:stable"; - network = "proxy"; - volumes = [ - "%h/containers/lldap/data:/data" - ]; - environment = { - TZ = "Europe/Amsterdam"; - LLDAP_JWT_SECRET = ""; - LLDAP_KEY_SEED = ""; - LLDAP_LDAP_BASE_DN = "dc=tbmrs,dc=nl"; - LLDAP_LDAP_USER_PASS= "changeme!"; - }; - }; - }; -} diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index 607bd24..25f0955 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix 
@@ -42,9 +42,9 @@ in { respond "Hello there" } - @lldap host ldap.tbmrs.nl - handle @lldap { - reverse_proxy lldap:17170 + @kanidm host auth.tbmrs.nl + handle @kanidm { + reverse_proxy https://auth.tbmrs.nl:8443 } } ''; diff --git a/modules/home/containers/kanidm.nix b/modules/home/containers/kanidm.nix new file mode 100644 index 0000000..4098640 --- /dev/null +++ b/modules/home/containers/kanidm.nix @@ -0,0 +1,40 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.nginx; +in { + options = { + settings.containers.kanidm.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable kanidm container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.kanidm = { + image = "kanidm/server:latest"; + network = "proxy"; + networkAlias = [ + "auth.tbmrs.nl" + ]; + volumes = [ + "%h/containers/kanidm/data:/data" + "%h/containers/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.tbmrs.nl:/data/keys" + ]; + environment = { + KANIDM_VERSION = "2"; + KANIDM_BINDADDRESS = "[::]:8443"; + KANIDM_DB_PATH = "/data/kanidm.db"; + KANIDM_TLS_CHAIN = "/data/keys/wildcard_.tbmrs.nl.crt"; + KANIDM_TLS_KEY = "/data/keys/wildcard_.tbmrs.nl.key"; + KANIDM_DOMAIN = "auth.tbmrs.nl"; + KANIDM_ORIGIN = "https://auth.tbmrs.nl"; + }; + }; + }; +} diff --git a/modules/home/default.nix b/modules/home/default.nix index 3bed31b..000e70f 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -24,8 +24,8 @@ ./containers/network.nix - ./containers/auth.nix ./containers/caddy.nix + ./containers/kanidm.nix ./containers/nginx.nix ]; } From 01343006a59a2d32a8f7e43350f01733d60e8372 Mon Sep 17 00:00:00 2001 
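Review bot: The volume `"%h/containers/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.tbmrs.nl:/data/keys"` hands the kanidm container the private key for `*.tbmrs.nl` — every hostname this host serves — with write access, and couples the mount to the production Let's Encrypt directory name. At minimum mount it `:ro`; better, issue kanidm its own `auth.tbmrs.nl` certificate (kanidm, as far as I recall, insists on terminating TLS itself, so a dedicated cert is the practical route) so a compromise of the identity provider container does not expose keys for every other site. The same `cfg = config.settings.containers.nginx;` copy-paste seen in `network.nix` is here too, so `settings.containers.kanidm.enable` is never read; use `cfg = config.settings.containers.kanidm;`. `kanidm/server:latest` is also a floating tag for the identity provider — pin a release.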
From: Timo Boomers Date: Sat, 26 Apr 2025 14:54:08 +0200 Subject: [PATCH 05/14] Add forgejo container --- hosts/v-th-ctr-01/home.nix | 1 + modules/home/containers/caddy.nix | 7 ++++++- modules/home/containers/forgejo.nix | 32 +++++++++++++++++++++++++++++ modules/home/containers/kanidm.nix | 2 +- modules/home/default.nix | 1 + 5 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 modules/home/containers/forgejo.nix diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 9df957b..4a6cf08 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -41,6 +41,7 @@ nginx.enable = true; caddy.enable = true; kanidm.enable = true; + forgejo.enable = true; }; }; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index 25f0955..ad160ea 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -44,7 +44,12 @@ in { @kanidm host auth.tbmrs.nl handle @kanidm { - reverse_proxy https://auth.tbmrs.nl:8443 + reverse_proxy https://auth.tbmrs.nl + } + + @forgejo host git.tbmrs.nl + handle @forgejo { + reverse_proxy forgejo:3000 } } ''; diff --git a/modules/home/containers/forgejo.nix b/modules/home/containers/forgejo.nix new file mode 100644 index 0000000..0ba3526 --- /dev/null +++ b/modules/home/containers/forgejo.nix 
@@ -0,0 +1,32 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.forgejo; +in { + options = { + settings.containers.forgejo.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable forgejo container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.forgejo = { + image = "codeberg.org/forgejo/forgejo:11"; + network = "proxy"; + volumes = [ + "%h/containers/forgejo/data:/data" + ]; + environment = { + FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + FORGEJO__service__SHOW_REGISTRATION_BUTTON = false; + FORGEJO__service__ENABLE_PASSWORD_SIGNIN_FORM = false; + }; + }; + }; +} diff --git a/modules/home/containers/kanidm.nix b/modules/home/containers/kanidm.nix index 4098640..7f59f21 100644 --- a/modules/home/containers/kanidm.nix +++ b/modules/home/containers/kanidm.nix @@ -28,7 +28,7 @@ in { ]; environment = { KANIDM_VERSION = "2"; - KANIDM_BINDADDRESS = "[::]:8443"; + KANIDM_BINDADDRESS = "[::]:443"; KANIDM_DB_PATH = "/data/kanidm.db"; KANIDM_TLS_CHAIN = "/data/keys/wildcard_.tbmrs.nl.crt"; KANIDM_TLS_KEY = "/data/keys/wildcard_.tbmrs.nl.key"; diff --git a/modules/home/default.nix b/modules/home/default.nix index 000e70f..4e623b1 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -27,5 +27,6 @@ ./containers/caddy.nix ./containers/kanidm.nix ./containers/nginx.nix + ./containers/forgejo.nix ]; } From 4c47313accd78d706376b25b0549cbabc96da96f Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Mon, 28 Apr 2025 07:45:33 +0200 Subject: [PATCH 06/14] updated inputs --- flake.lock | 36 +++++++++++++++++----------------- hosts/ti-clt-dsk01/default.nix | 8 +++++++- 2 files changed, 25 insertions(+), 19 deletions(-) diff --git a/flake.lock b/flake.lock index f51e865..8651766 100644 --- a/flake.lock +++ b/flake.lock 
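Review bot: The container is published at `git.tbmrs.nl` through Caddy without `FORGEJO__security__INSTALL_LOCK`, so on first start the web installer — which lets whoever reaches it pick the admin account and database settings — is open to the internet until someone completes it (same behaviour as Gitea). Set `FORGEJO__security__INSTALL_LOCK = "true";` with the admin created out-of-band, or finish the install before the Caddy route goes live. `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` plus `ENABLE_PASSWORD_SIGNIN_FORM = false` also leaves no way to log in until an OIDC source exists, which nothing in this commit configures; a comment saying the Kanidm client is added manually would prevent a lockout surprise. The values are Nix booleans rather than strings — confirm the home-manager `environment` option accepts them, otherwise quote them as `immich.nix` does.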
@@ -303,11 +303,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1745545895, - "narHash": "sha256-1C1pkAtoZ30J/a2Pn5OpgKN1dc/AoqlNK0SsF5al6UY=", + "lastModified": 1745752145, + "narHash": "sha256-SRvolJBy9oRUdfik/xtcsguQtcDHrkzq1yf5NbsLBhY=", "owner": "lilyinstarlight", "repo": "nixos-cosmic", - "rev": "96c8bca3ff32ca3f111cda1c9307e562465f25ba", + "rev": "0ba6c63681ae317d122a5e76bc2bf556737a53d0", "type": "github" }, "original": { @@ -334,11 +334,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1745391562, - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "lastModified": 1745526057, + "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "rev": "f771eb401a46846c1aebd20552521b233dd7e18b", "type": "github" }, "original": { @@ -365,11 +365,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1745279238, - "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=", + "lastModified": 1745487689, + "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3", + "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3", "type": "github" }, "original": { @@ -381,11 +381,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1745391562, - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "lastModified": 1745526057, + "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "rev": "f771eb401a46846c1aebd20552521b233dd7e18b", "type": "github" }, "original": { 
@@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1745462120, - "narHash": "sha256-TbVjPOl+Cg5vZ7TIn1KpQ8SOfHKD6OEgu84b6YSCfKE=", + "lastModified": 1745721366, + "narHash": "sha256-dm93104HXjKWzkrr7yAPtxpbllOSzrwFFruc+rKQHSg=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "79d3acd1a7e67fb9315fa5c5556eb6adf93dc2da", + "rev": "621131c9e281d1047bf8937547ed77e97c464aba", "type": "github" }, "original": { @@ -464,11 +464,11 @@ "tinted-tmux": "tinted-tmux" }, "locked": { - "lastModified": 1744152965, - "narHash": "sha256-LWUeN1+bH3k46fwtIv0bNgtmkqB0UduyX7T2i+230n0=", + "lastModified": 1745750068, + "narHash": "sha256-LbbioU14KbJpXE0DKcPJaW6W2lB8ayHE4YddupfvU+c=", "owner": "danth", "repo": "stylix", - "rev": "8748db082ca15d32243c86e5d785d5dfc8a65719", + "rev": "ed3f7d9ecbf2c95cc4fe633f648cb776385efd86", "type": "github" }, "original": { diff --git a/hosts/ti-clt-dsk01/default.nix b/hosts/ti-clt-dsk01/default.nix index e8beb49..8e113eb 100644 --- a/hosts/ti-clt-dsk01/default.nix +++ b/hosts/ti-clt-dsk01/default.nix @@ -77,7 +77,13 @@ nix.settings.trusted-users = [ "root" "xeovalyte" ]; networking.hosts = { - "192.168.100.118" = [ "timo.bmrs.nl" "www.timo.bmrs.nl" "homeassistant.timo.bmrs.nl" "adguard.timo.bmrs.nl" "git.timo.bmrs.nl" "auth.timo.bmrs.nl" "ldap.timo.bmrs.nl" "dozzle.timo.bmrs.nl" "home.timo.bmrs.nl" "immich.timo.bmrs.nl" "paperless.timo.bmrs.nl" "search.timo.bmrs.nl" ]; + "192.168.100.118" = [ + "tbmrs.nl" + "auth.tbmrs.nl" + "git.tbmrs.nl" + "photos.tbmrs.nl" + "home.tbmrs.nl" + ]; }; services.openssh.enable = true; From b6a91b7dcbb26b0fc5e5cf9c8e1ec5e24f32f55f Mon Sep 17 00:00:00 2001 
From: Timo Boomers Date: Mon, 28 Apr 2025 09:23:05 +0200 Subject: [PATCH 07/14] Added homepage, immich and uptime kuma --- hosts/v-th-ctr-01/home.nix | 3 + modules/home/containers/caddy.nix | 15 ++++ modules/home/containers/homepage.nix | 94 +++++++++++++++++++++++++ modules/home/containers/immich.nix | 75 ++++++++++++++++++++ modules/home/containers/uptime-kuma.nix | 27 +++++++ modules/home/default.nix | 3 + 6 files changed, 217 insertions(+) create mode 100644 modules/home/containers/homepage.nix create mode 100644 modules/home/containers/immich.nix create mode 100644 modules/home/containers/uptime-kuma.nix diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 4a6cf08..fff0b13 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -42,6 +42,9 @@ caddy.enable = true; kanidm.enable = true; forgejo.enable = true; + immich.enable = true; + homepage.enable = true; + uptime-kuma.enable = true; }; }; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index ad160ea..b448266 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -51,6 +51,21 @@ in { handle @forgejo { reverse_proxy forgejo:3000 } + + @immich host photos.tbmrs.nl + handle @immich { + reverse_proxy immich-server:2283 + } + + @homepage host home.tbmrs.nl + handle @homepage { + reverse_proxy homepage:3000 + } + + @uptime-kuma host uptime.tbmrs.nl + handle @uptime-kuma { + reverse_proxy uptime-kuma:3001 + } } ''; }; diff --git a/modules/home/containers/homepage.nix b/modules/home/containers/homepage.nix new file mode 100644 index 0000000..5e4626b --- /dev/null +++ b/modules/home/containers/homepage.nix 
@@ -0,0 +1,94 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.settings.containers.homepage; +in { + options = { + settings.containers.homepage.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable homepage container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.homepage = { + image = "ghcr.io/gethomepage/homepage:latest"; + network = "proxy"; + volumes = [ + "%h/containers/homepage/config:/app/config" + "%h/containers/homepage/config/settings.yaml:/app/config/settings.yaml" + "%h/containers/homepage/config/services.yaml:/app/config/services.yaml" + "%h/containers/homepage/config/docker.yaml:/app/config/docker.yaml" + "/run/user/1000/podman/podman.sock:/var/run/podman.sock:ro" + ]; + environment = { + HOMEPAGE_ALLOWED_HOSTS = "home.tbmrs.nl"; + }; + }; + + home.file."containers/homepage/config/settings.yaml".source = (pkgs.formats.yaml { }).generate "settings" { + title = "Timo's Server"; + description = "server from Timo"; + theme = "dark"; + color = "slate"; + }; + + home.file."containers/homepage/config/services.yaml".source = (pkgs.formats.yaml { }).generate "services" [ + { + "Infra" = [ + { + "Kanidm" = { + href = "https://auth.tbmrs.nl"; + description = "Oauth2 and ldap provider"; + icon = "kanidm"; + server = "podman"; + container = "kanidm"; + }; + } + { + "Uptime Kuma" = { + href = "https://uptime.tbmrs.nl"; + description = "Uptime and status"; + icon = "uptime-kuma"; + server = "podman"; + container = "uptime-kuma"; + }; + } + ]; + } + { + "Services" = [ + { + "Forgejo" = { + href = "https://git.tbmrs.nl"; + description = "Git server"; + icon = "forgejo"; + server = "podman"; + container = "forgejo"; + }; + } + { + "Immich" = { + href = "https://photos.tbmrs.nl"; + description = "Photo's and videos"; + icon = "immich"; + server = "podman"; + container = "immich-server"; + }; + } + ]; + } + ]; + + home.file."containers/homepage/config/docker.yaml".source = 
(pkgs.formats.yaml {}).generate "docker" { + podman = { + socket = "/var/run/podman.sock"; + }; + }; + }; +} diff --git a/modules/home/containers/immich.nix b/modules/home/containers/immich.nix new file mode 100644 index 0000000..77efae6 --- /dev/null +++ b/modules/home/containers/immich.nix 
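Review bot: `"/run/user/1000/podman/podman.sock:/var/run/podman.sock:ro"` gives the homepage container the user's Podman API socket, and `:ro` on a socket bind-mount does not restrict API calls — anything holding that socket can start a container that mounts `%h` and read every other service's volumes, including `containers/caddy/acme_key` and the kanidm data. Since homepage only needs container status, put a read-only socket proxy on the `proxy` network in front of it that permits only `GET /containers` and point `docker.yaml` at that, or drop the `server = "podman"` widgets. The uid is hard-coded; `%t/podman/podman.sock` should follow `XDG_RUNTIME_DIR` in the quadlet the same way the existing `%h` does. `ghcr.io/gethomepage/homepage:latest` floats — pin a version for a container with this much reach.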
@@ -0,0 +1,75 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.immich; +in { + options = { + settings.containers.immich.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable immich container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.immich-server = { + image = "ghcr.io/immich-app/immich-server:release"; + network = "proxy"; + volumes = [ + "%h/containers/immich/upload:/usr/src/app/upload" + "/etc/localtime:/etc/localtime:ro" + ]; + extraConfig = { + Unit = { + After = [ + "podman-immich-redis.service" + "podman-immich-database.service" + ]; + Requires = [ + "podman-immich-redis.service" + "podman-immich-database.service" + ]; + }; + }; + environment = { + DB_PASSWORD = "changeme"; + DB_USERNAME = "postgres"; + DB_DATABASE_NAME = "immich"; + DB_HOSTNAME = "immich-database"; + REDIS_HOSTNAME = "immich-redis"; + }; + }; + + services.podman.containers.immich-machine-learning = { + image = "ghcr.io/immich-app/immich-machine-learning:release"; + network = "proxy"; + volumes = [ + "%h/containers/immich/model-cache:/cache" + ]; + }; + + services.podman.containers.immich-redis = { + image = "docker.io/valkey/valkey:8-bookworm@sha256:42cba146593a5ea9a622002c1b7cba5da7be248650cbb64ecb9c6c33d29794b1"; + network = "proxy"; + }; + + services.podman.containers.immich-database = { + image = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; + network = "proxy"; + volumes = [ + "%h/containers/immich/database-data:/var/lib/postgresql/data" + ]; + environment = { + POSTGRES_PASSWORD = "changeme"; + POSTGRES_USER = "postgres"; + POSTGRES_DB = "immich"; + POSTGRES_INITDB_ARGS = "--data-checksums"; + }; + exec = ''postgres -c shared_preload_libraries=vectors.so -c 'search_path="$$user", public, vectors' -c logging_collector=on -c max_wal_size=2GB -c shared_buffers=512MB -c wal_compression=on''; + }; + }; +} 
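Review bot: `DB_PASSWORD = "changeme";` / `POSTGRES_PASSWORD = "changeme";` is the live database credential, written into the world-readable Nix store, and `immich-database` sits on the shared `proxy` network where every other container (Caddy, Forgejo, homepage, …) can reach port 5432 with it. Move the password to a sops secret delivered via an env file (sops-nix lands two patches later in this series) and place `immich-database`, `immich-redis` and `immich-machine-learning` on a dedicated network so only `immich-server` can talk to them. Pinning the database and valkey images by digest is good; `immich-server:release` and `immich-machine-learning:release` still float and should get the same treatment.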
diff --git a/modules/home/containers/uptime-kuma.nix b/modules/home/containers/uptime-kuma.nix new file mode 100644 index 0000000..7ff72c9 --- /dev/null +++ b/modules/home/containers/uptime-kuma.nix @@ -0,0 +1,27 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.uptime-kuma; +in { + options = { + settings.containers.uptime-kuma.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable uptime kuma container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.uptime-kuma = { + image = "louislam/uptime-kuma:1"; + network = "proxy"; + volumes = [ + "%h/containers/uptime-kuma/data:/app/data" + ]; + }; + }; +} diff --git a/modules/home/default.nix b/modules/home/default.nix index 4e623b1..8436fb2 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -28,5 +28,8 @@ ./containers/kanidm.nix ./containers/nginx.nix ./containers/forgejo.nix + ./containers/immich.nix + ./containers/homepage.nix + ./containers/uptime-kuma.nix ]; } From 40a5f794ea0a0eb41f75ab5a5a652d94cbb0d7b3 Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Tue, 29 Apr 2025 17:35:13 +0200 Subject: [PATCH 08/14] Added pingvin and vaultwarden --- .sops.yaml | 7 +++ flake.lock | 37 +++++++++++- flake.nix | 4 +- hosts/v-th-ctr-01/home.nix | 3 + modules/home/containers/caddy.nix | 17 ++++++ modules/home/containers/homepage.nix | 9 +++ modules/home/containers/pingvin-share.nix | 69 +++++++++++++++++++++++ modules/home/containers/vaultwarden.nix | 30 ++++++++++ modules/home/default.nix | 3 + modules/home/services/sops.nix | 38 +++++++++++++ secrets/secrets.yaml | 24 ++++++++ 11 files changed, 239 insertions(+), 2 deletions(-) create mode 100644 .sops.yaml create mode 100644 modules/home/containers/pingvin-share.nix create mode 100644 modules/home/containers/vaultwarden.nix create mode 100644 modules/home/services/sops.nix create mode 100644 secrets/secrets.yaml 
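Review bot: `image = "louislam/uptime-kuma:1";` is an unqualified short name, so which registry it resolves to depends on the host's `registries.conf` search order rather than on this file; write `docker.io/louislam/uptime-kuma:1` as the other modules do with `ghcr.io/...` and `codeberg.org/...`. Like the other new services, `uptime.tbmrs.nl` is routed publicly by Caddy before any admin account exists, and Uptime Kuma's first-run page creates the admin for whoever visits first — complete the setup before enabling the route, or gate the hostname in Caddy until then.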
diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..fb3acc6 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &v-th-ctr-01 age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *v-th-ctr-01 diff --git a/flake.lock b/flake.lock index 8651766..63b9297 100644 --- a/flake.lock +++ b/flake.lock @@ -395,6 +395,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1743703532, "narHash": "sha256-s1KLDALEeqy+ttrvqV3jx9mBZEvmthQErTVOAzbjHZs=", @@ -421,6 +437,7 @@ "nixpkgs-stable" ], "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix", "stylix": "stylix" } }, @@ -445,6 +462,24 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1745310711, + "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stylix": { "inputs": { "base16": "base16", @@ -457,7 +492,7 @@ "git-hooks": "git-hooks", "gnome-shell": "gnome-shell", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "systems": "systems", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", diff --git a/flake.nix b/flake.nix index b77a529..5e0f789 100644 --- a/flake.nix +++ b/flake.nix 
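Review bot: The only recipient for `secrets/secrets.yaml` is the host key `&v-th-ctr-01`, so secrets can only be edited on that host and a lost or reinstalled host key makes the file permanently undecryptable. Add an operator age key (hardware token or admin workstation) to the `age:` list and run `sops updatekeys secrets/secrets.yaml`, so rotation and disaster recovery do not hinge on one machine. A comment naming where the host's private key is expected (`~/.config/sops/age/keys.txt`, per `sops.nix` in this patch) and that it must stay unencrypted would help whoever provisions the next host.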
@@ -22,9 +22,11 @@ nixos-cosmic = { url = "github:lilyinstarlight/nixos-cosmic"; }; + + sops-nix.url = "github:Mic92/sops-nix"; }; - outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, home-manager, nix-colors, stylix, nixos-cosmic, ... }: + outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, home-manager, nix-colors, stylix, nixos-cosmic, sops-nix, ... }: let system = "x86_64-linux"; overlay-unstable = final: prev: { diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index fff0b13..727121b 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -27,6 +27,7 @@ services.nextcloud-sync.enable = false; services.podman.enable = true; + services.sops.enable = true; theming.fonts.enable = false; theming.stylix.enable = false; @@ -45,6 +46,8 @@ immich.enable = true; homepage.enable = true; uptime-kuma.enable = true; + pingvin-share.enable = true; + vaultwarden.enable = true; }; }; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index b448266..a86310e 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -66,6 +66,23 @@ in { handle @uptime-kuma { reverse_proxy uptime-kuma:3001 } + + @pingvin-share host share.tbmrs.nl + handle @pingvin-share { + reverse_proxy pingvin-share:3000 + } + } + + *.local.tbmrs.nl { + tls { + dns transip xeovalyte /etc/caddy/acme_key + resolvers 1.1.1.1 + } + + @vaultwarden + handle @vaultwarden { + reverse_proxy vaultwarden:80 + } } ''; }; diff --git a/modules/home/containers/homepage.nix b/modules/home/containers/homepage.nix index 5e4626b..17a0dac 100644 --- a/modules/home/containers/homepage.nix +++ b/modules/home/containers/homepage.nix @@ -81,6 +81,15 @@ in { container = "immich-server"; }; } + { + "Pingvin" = { + href = "https://share.tbmrs.nl"; + description = "File sharing"; + icon = "pingvin-share"; + server = "podman"; + container = "pingvin-share"; + }; + } ]; } ]; 
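Review bot: `@vaultwarden` on its own line is a named matcher with no condition; in my experience Caddy refuses such a definition at config load, which would take down every site in this Caddyfile once the patch is applied, and at best it matches nothing — it should read `@vaultwarden host vault.local.tbmrs.nl`. Even with that fixed, the `*.local.tbmrs.nl` block is served on the same public listener as `*.tbmrs.nl`, so the `local` label is cosmetic and Vaultwarden is reachable from the internet; if LAN-only is the intent, add a `remote_ip private_ranges` matcher in that block and `abort` everything else. This site block also lacks a fallback `handle`, so unmatched `*.local.tbmrs.nl` names get an empty 200 with a valid certificate.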
diff --git a/modules/home/containers/pingvin-share.nix b/modules/home/containers/pingvin-share.nix
new file mode 100644
index 0000000..d34e836
--- /dev/null
+++ b/modules/home/containers/pingvin-share.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.settings.containers.pingvin-share;
+in {
+ options = {
+ settings.containers.pingvin-share.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Enable Pingvin share container
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ settings.services.sops.enable = true;
+
+ services.podman.containers.pingvin-share = {
+ image = "ghcr.io/stonith404/pingvin-share";
+ network = "proxy";
+ volumes = [
+ "%h/containers/pingvin-share/data:/opt/app/backend/data"
+ # "%h/containers/pingvin-share/config.yaml:/opt/app/config.yaml"
+ "${config.sops.templates."container-pingvin.yaml".path}:/opt/app/config.yaml"
+ ];
+ environment = {
+ TRUST_PROXY = true;
+ };
+ userNS = "keep-id";
+ extraConfig = {
+ Unit = {
+ After = [
+ "sops-nix.service"
+ ];
+ };
+ };
+ };
+
+ sops.templates = {
+ "container-pingvin.yaml" = {
+ content = /*yaml*/ ''
+ general:
+ secureCookies: "true"
+ appUrl: https://share.tbmrs.nl
+ showHomePage: "false"
+ share:
+ allowRegistration: "true"
+ maxSize: "10000000000"
+ oauth:
+ disablePassword: "false"
+ oidc-enabled: "true"
+ oidc-discoveryUri: "https://auth.tbmrs.nl/oauth2/openid/pingvin/.well-known/openid-configuration"
+ oidc-clientId: pingvin
+ oidc-clientSecret: "${config.sops.placeholder."containers/pingvin-share/oidc-secret"}"
+ initUser:
+ enabled: "true"
+ username: "admin"
+ email: "admin@example.com"
+ password: "my-secure-password"
+ isAdmin: true
+ ldapDN: ""
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/home/containers/vaultwarden.nix b/modules/home/containers/vaultwarden.nix
new file mode 100644
index 0000000..8eeb548
--- /dev/null
+++ b/modules/home/containers/vaultwarden.nix
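Review bot: The sops template still carries the bootstrap admin credentials in clear text — `password: "my-secure-password"` and `email: "admin@example.com"` under `initUser` — so the rendered template (and with it the admin password) ends up in the Nix store even though the OIDC secret was correctly routed through `config.sops.placeholder`. Put the password behind a placeholder as well (`password: "${config.sops.placeholder."containers/pingvin-share/admin-password"}"`), or set `enabled: "false"` once the account exists. `allowRegistration: "true"` on a public `share.tbmrs.nl` lets anyone create an account; with OIDC enabled, `"false"` is the safer setting. `image = "ghcr.io/stonith404/pingvin-share"` has no tag and floats on `latest`, and `After = [ "sops-nix.service" ]` without a matching `Requires` still starts the container (pointing at a missing config file) if decryption fails.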
@@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.settings.containers.vaultwarden; +in { + options = { + settings.containers.vaultwarden.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable Vaultwarden container + ''; + }; + }; + + config = mkIf cfg.enable { + services.podman.containers.vaultwarden = { + image = "ghcr.io/dani-garcia/vaultwarden:latest"; + network = "proxy"; + volumes = [ + "%h/containers/vaultwarden/data:/data" + ]; + environment = { + DOMAIN = "https://vault.local.tbmrs.nl"; + }; + }; + }; +} diff --git a/modules/home/default.nix b/modules/home/default.nix index 8436fb2..4adb436 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -16,6 +16,7 @@ ./services/nextcloud.nix ./services/podman.nix + ./services/sops.nix ./theming/fonts.nix ./theming/stylix.nix @@ -31,5 +32,7 @@ ./containers/immich.nix ./containers/homepage.nix ./containers/uptime-kuma.nix + ./containers/pingvin-share.nix + ./containers/vaultwarden.nix ]; } diff --git a/modules/home/services/sops.nix b/modules/home/services/sops.nix new file mode 100644 index 0000000..8060f37 --- /dev/null +++ b/modules/home/services/sops.nix @@ -0,0 +1,38 @@ +{ lib, config, inputs, pkgs, ... }: + +with lib; + +let + cfg = config.settings.services.sops; +in { + options = { + settings.services.sops.enable = lib.mkOption { + type = lib.types.bool; + description = '' + Enable sops secret management + ''; + default = false; + }; + }; + + imports = [ + inputs.sops-nix.homeManagerModules.sops + ]; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ + sops + age + ]; + + sops = { + age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password! + + defaultSopsFile = ../../../secrets/secrets.yaml; + + secrets = { + "containers/pingvin-share/oidc-secret" = { }; + }; + }; + }; +} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..efde024 
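Review bot: `services.podman.containers.vaultwarden` sets `DOMAIN` but leaves signups at vaultwarden's documented default, which is open registration on the password vault at `https://vault.local.tbmrs.nl`; PATCH 09's vaultwarden hunk then makes this explicit with `SIGNUPS_ALLOWED = true;`. Once the intended accounts exist this should become `SIGNUPS_ALLOWED = false;` (or `SIGNUPS_DOMAINS_WHITELIST` for a restricted set), and a comment such as `# open during bootstrap only; set to false after the first account is created` would record the intent. `ghcr.io/dani-garcia/vaultwarden:latest` is unpinned; a version tag or digest keeps upgrades deliberate.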
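Review bot: The comment on `age.keyFile` (`# must have no password!`) is too terse to explain the constraint it protects: sops-nix reads this identity unattended at activation, so a passphrase-protected key file cannot work, and the file itself is the only thing standing between an attacker on the host and every secret in `defaultSopsFile`. Suggest `# age identity; read unattended by sops-nix at activation, so it must be an unencrypted key file kept at mode 0600 and out of version control`. The `secrets` declaration here is moved into the container modules by PATCH 09, which is the better place for it, so a short comment that this module only provides the key and the default file would keep the two in step.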
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,24 @@
+example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
+containers:
+ pingvin-share:
+ oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
+ aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
+ NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
+ bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
+ ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-28T10:30:25Z"
+ mac: ENC[AES256_GCM,data:+0xSa0mD9hLgJ1bihW1v/j6HyLgOWQFBcbuv74yORHoa7gNWNAA8JtlrpWAMfWJPP9zXgUicw3hj9Z9ZGDSbEIpaDRDxcrc8HNFQEq7iOhJJCoBmeXzB5XOkeh6Xf33rR713xjL+FssMhXxCKZfEKYrC/G23JdxlLoVoT/M7lH8=,iv:s7G5jB6dHJNsPiz9TVkjNLrnX4FbS+PbbQeNC3JBg2M=,tag:gSPq6099NJqf7TSPNUxPFg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
From e17752dec49679df301665780ea4752993bd46be Mon Sep 17 00:00:00 2001
From: Timo Boomers Date: Wed, 30 Apr 2025 14:16:44 +0200 Subject: [PATCH 09/14] Paperless added and fixes for old services --- hosts/v-th-ctr-01/default.nix | 1 + hosts/v-th-ctr-01/home.nix | 1 + modules/home/containers/caddy.nix | 7 +- modules/home/containers/homepage.nix | 18 +++++ modules/home/containers/paperless-ngx.nix | 97 +++++++++++++++++++++++ modules/home/containers/pingvin-share.nix | 4 + modules/home/containers/vaultwarden.nix | 1 + modules/home/default.nix | 1 + modules/home/services/sops.nix | 6 +- secrets/deploy.yaml | 28 +++++++ secrets/secrets.yaml | 24 ------ 11 files changed, 158 insertions(+), 30 deletions(-) create mode 100644 modules/home/containers/paperless-ngx.nix create mode 100644 secrets/deploy.yaml delete mode 100644 secrets/secrets.yaml diff --git a/hosts/v-th-ctr-01/default.nix b/hosts/v-th-ctr-01/default.nix index 40b58f9..c571632 100644 --- a/hosts/v-th-ctr-01/default.nix +++ b/hosts/v-th-ctr-01/default.nix @@ -68,6 +68,7 @@ isNormalUser = true; description = "Deploy"; extraGroups = [ "networkmanager" "wheel" "dialout" ]; + linger = true; }; nix.settings.trusted-users = [ "root" "deploy" ]; diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 727121b..fb88fe8 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -48,6 +48,7 @@ uptime-kuma.enable = true; pingvin-share.enable = true; vaultwarden.enable = true; + paperless-ngx.enable = true; }; }; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index a86310e..c08041b 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -79,10 +79,15 @@ in { resolvers 1.1.1.1 } - @vaultwarden + @vaultwarden host vault.local.tbmrs.nl handle @vaultwarden { reverse_proxy vaultwarden:80 } + + @paperless-ngx host paperless.local.tbmrs.nl + handle @paperless-ngx { + reverse_proxy paperless-ngx:8000 + } } ''; }; 
diff --git a/modules/home/containers/homepage.nix b/modules/home/containers/homepage.nix index 17a0dac..bfb2d65 100644 --- a/modules/home/containers/homepage.nix +++ b/modules/home/containers/homepage.nix @@ -90,6 +90,24 @@ in { container = "pingvin-share"; }; } + { + "Vaultwarden" = { + href = "https://vault.local.tbmrs.nl"; + description = "Password management"; + icon = "vaultwarden"; + server = "podman"; + container = "vaultwarden"; + }; + } + { + "Paperless" = { + href = "https://paperless.local.tbmrs.nl"; + description = "Documents management"; + icon = "paperless-ngx"; + server = "podman"; + container = "paperless-ngx"; + }; + } ]; } ]; diff --git a/modules/home/containers/paperless-ngx.nix b/modules/home/containers/paperless-ngx.nix new file mode 100644 index 0000000..6831ae2 --- /dev/null +++ b/modules/home/containers/paperless-ngx.nix 
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.settings.containers.paperless-ngx;
+in {
+ options = {
+ settings.containers.paperless-ngx.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Enable Paperless NGX container
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ settings.services.sops.enable = true;
+
+ services.podman.containers.paperless-ngx = {
+ image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
+ network = "proxy";
+ volumes = [
+ "%h/containers/paperless-ngx/data:/usr/src/paperless/data"
+ "%h/containers/paperless-ngx/media:/usr/src/paperless/media"
+ "%h/containers/paperless-ngx/export:/usr/src/paperless/export"
+ "%h/containers/paperless-ngx/consume:/usr/src/paperless/consume"
+
+ "${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password"
+ "${config.sops.secrets."containers/paperless-ngx/secret".path}:/run/secrets/secret"
+ "${config.sops.secrets."containers/paperless-ngx/openid-providers".path}:/run/secrets/openid-providers"
+ ];
+ environment = {
+ PAPERLESS_REDIS = "redis://paperless-ngx-broker:6379";
+ PAPERLESS_DBHOST = "paperless-ngx-db";
+ PAPERLESS_URL = "https://paperless.local.tbmrs.nl";
+ PAPERLESS_DBPASS_FILE = "/run/secrets/db-password";
+ PAPERLESS_SECRET_KEY_FILE = "/run/secrets/secret";
+
+ PAPERLESS_DISABLE_REGULAR_LOGIN = false;
+ PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+ PAPERLESS_SOCIALACCOUNT_PROVIDERS_FILE = "/run/secrets/openid-providers";
+ PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS = true;
+ };
+ extraConfig = {
+ Unit = {
+ After = [
+ "sops-nix.service"
+ "podman-paperless-ngx-db.service"
+ "podman-paperless-ngx-broker.service"
+ ];
+ Requires = [
+ "podman-paperless-ngx-db.service"
+ "podman-paperless-ngx-broker.service"
+ ];
+ };
+ };
+ };
+
+ services.podman.containers.paperless-ngx-db = {
+ image = "docker.io/library/postgres:17";
+ network = "proxy";
+ volumes = [
+ "%h/containers/paperless-ngx/db-data:/var/lib/postgresql/data"
+
+ "${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password"
+ ];
+ environment = {
+ POSTGRES_DB = "paperless";
+ POSTGRES_USER = "paperless";
+ POSTGRES_PASSWORD_FILE = "/run/secrets/db-password";
+ };
+ extraConfig = {
+ Unit = {
+ After = [
+ "sops-nix.service"
+ ];
+ };
+ };
+ };
+
+ services.podman.containers.paperless-ngx-broker = {
+ image = "docker.io/library/redis:7";
+ network = "proxy";
+ volumes = [
+ "%h/containers/paperless-ngx/redis-data:/data"
+ ];
+ };
+
+ sops.secrets = {
+ "containers/paperless-ngx/db-password" = { };
+ "containers/paperless-ngx/secret" = { };
+ "containers/paperless-ngx/openid-providers" = { };
+ };
+ };
+}
diff --git a/modules/home/containers/pingvin-share.nix b/modules/home/containers/pingvin-share.nix
index d34e836..3a6c4f3 100644
--- a/modules/home/containers/pingvin-share.nix
+++ b/modules/home/containers/pingvin-share.nix
@@ -65,5 +65,9 @@ in {
 '';
 };
 };
+
+ sops.secrets = {
+ "containers/pingvin-share/oidc-secret" = { };
+ };
 };
 }
diff --git a/modules/home/containers/vaultwarden.nix b/modules/home/containers/vaultwarden.nix
index 8eeb548..a3d42cb 100644
--- a/modules/home/containers/vaultwarden.nix
+++ b/modules/home/containers/vaultwarden.nix
@@ -24,6 +24,7 @@ in {
 ];
 environment = {
 DOMAIN = "https://vault.local.tbmrs.nl";
+ SIGNUPS_ALLOWED = true;
 };
 };
 };
diff --git a/modules/home/default.nix b/modules/home/default.nix
index 4adb436..caf6c8a 100644
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@@ -34,5 +34,6 @@
 ./containers/uptime-kuma.nix
 ./containers/pingvin-share.nix
 ./containers/vaultwarden.nix
+ ./containers/paperless-ngx.nix
 ];
 }
diff --git a/modules/home/services/sops.nix b/modules/home/services/sops.nix
index 8060f37..2bc2ecd 100644
--- a/modules/home/services/sops.nix
+++ b/modules/home/services/sops.nix
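Review bot: `paperless-ngx-db` and `paperless-ngx-broker` are attached to the shared `network = "proxy"`, so every other container on that network (caddy, vaultwarden, pingvin-share, later beszel-agent) can reach the unauthenticated redis at `paperless-ngx-broker:6379` and the postgres at `paperless-ngx-db` directly. A dedicated network for the three paperless containers, with only `paperless-ngx` additionally on `proxy` if the option accepts a list, limits that blast radius to the application itself. `PAPERLESS_DISABLE_REGULAR_LOGIN = false;` and `PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS = true;` are Nix booleans inside an environment map; unless the home-manager option stringifies them the way paperless expects, `false` may be rendered as an empty string, so writing them as `"false"`/`"true"` removes the doubt. The three floating image tags (`paperless-ngx:latest`, `postgres:17`, `redis:7`) let unattended pulls change versions; `postgres` in particular wants a deliberate pin because its data directory does not carry across major versions.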
@@ -28,11 +28,7 @@ in { sops = { age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password! - defaultSopsFile = ../../../secrets/secrets.yaml; - - secrets = { - "containers/pingvin-share/oidc-secret" = { }; - }; + defaultSopsFile = ../../../secrets/deploy.yaml; }; }; } diff --git a/secrets/deploy.yaml b/secrets/deploy.yaml new file mode 100644 index 0000000..1096fe0 --- /dev/null +++ b/secrets/deploy.yaml 
@@ -0,0 +1,28 @@
+example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
+containers:
+ pingvin-share:
+ oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
+ paperless-ngx:
+ db-password: ENC[AES256_GCM,data:H21HVshmFuWJ5qNIrjm0VMGHEsT7cCvScgamU+CAaNZ6j5ux/r4xiF9zP7Qh40sKTOvyoWGTcHGPHE5ClpGuQA==,iv:tDIRfThBOfHr+gGRqywlHAk/x4MkhHRFsJEp5nnlGPA=,tag:XbYKD90l3u93Ur4VOqOn6w==,type:str]
+ secret: ENC[AES256_GCM,data:+1hriBiSbt+zUjEkBTEM90PFNlxfNwRAmz8wHyeyOnq6ThI+PtlDu83sunBFL2FUYJX0N4h3R4FvJBUkrPr0NQ==,iv:zzhFaoLnskspp1S291KABLZITgcof63cjShnsZrlAmw=,tag:+aafTLgZVBWeclQLQvVlQg==,type:str]
+ openid-providers: ENC[AES256_GCM,data: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,iv:ba2bri2F/B6Sp3HfpXVWZ/WMVFOPF4+DyAtdS56yNqQ=,tag:1uW6iDXiZm0vXUjmJPBchw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
+ aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
+ NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
+ bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
+ ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-30T09:15:42Z"
+ mac: ENC[AES256_GCM,data:Mxq3LnXRpnVv/U7QEGL5I3gF3y8W8IfsdTvinIsn5Qi6m04JinyJ0Vgr4JbMstB/8gh259MsAO2na7/vZ8brLuol0X8vZeIlgIoX8DazuI6dpNr284zPWsiRNr8gzBViYDRb4GVf+GF11iXcw3UlJE8uB+N4z4Y4sUbobOt402c=,iv:G86XwJp6ZRB8ioDbNDGKxLPNIcAmcusH/blT/8FKFlk=,tag:emMQZ7TAJGy7yqSpD7+1Cg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
deleted file mode 100644
index efde024..0000000
--- a/secrets/secrets.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
-containers:
- pingvin-share:
- oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
- aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
- NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
- bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
- ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-28T10:30:25Z"
- mac: ENC[AES256_GCM,data:+0xSa0mD9hLgJ1bihW1v/j6HyLgOWQFBcbuv74yORHoa7gNWNAA8JtlrpWAMfWJPP9zXgUicw3hj9Z9ZGDSbEIpaDRDxcrc8HNFQEq7iOhJJCoBmeXzB5XOkeh6Xf33rR713xjL+FssMhXxCKZfEKYrC/G23JdxlLoVoT/M7lH8=,iv:s7G5jB6dHJNsPiz9TVkjNLrnX4FbS+PbbQeNC3JBg2M=,tag:gSPq6099NJqf7TSPNUxPFg==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.9.4
From c4f86996d95b1947487f0b282915cd385ac6f81a Mon Sep 17 00:00:00 2001
From: Timo Boomers
Date: Wed, 30 Apr 2025 14:18:34 +0200
Subject: [PATCH 10/14] Changed hosts
---
hosts/ti-clt-dsk01/default.nix | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hosts/ti-clt-dsk01/default.nix b/hosts/ti-clt-dsk01/default.nix
index 8e113eb..3e8dce7 100644
--- a/hosts/ti-clt-dsk01/default.nix
+++ b/hosts/ti-clt-dsk01/default.nix
@@ -83,6 +83,10 @@ "git.tbmrs.nl" "photos.tbmrs.nl" "home.tbmrs.nl" + "uptime.tbmrs.nl" + "share.tbmrs.nl" + "vault.local.tbmrs.nl" + "paperless.local.tbmrs.nl" ]; }; From 1a6889d5618388242b3d9e77878fcede165664c0 Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Wed, 30 Apr 2025 15:00:05 +0200 Subject: [PATCH 11/14] added prototype of beszel container --- modules/home/containers/beszel.nix | 51 ++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 modules/home/containers/beszel.nix diff --git a/modules/home/containers/beszel.nix b/modules/home/containers/beszel.nix new file mode 100644 index 0000000..f0f47aa --- /dev/null +++ b/modules/home/containers/beszel.nix @@ -0,0 +1,51 @@ +{ config, lib, ... }: + +with lib; + +let + cfg = config.settings.containers.beszel; +in { + options = { + settings.containers.beszel.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable Beszel container + ''; + }; + }; + + config = mkIf cfg.enable { + settings.services.sops.enable = true; + + services.podman.containers.beszel = { + image = "henrygd/beszel:latest"; + network = "proxy"; + volumes = [ + "%h/containers/beszel/data:/beszel_data" + "%h/containers/beszel/socket:/beszel_socket" + ]; + environment = { + DISABLE_PASSWORD_AUTH = false; + USER_CREATION = true; + }; + }; + + services.podman.containers.beszel-agent = { + image = "henrygd/beszel-agent:latest"; + network = "proxy"; + volumes = [ + "%h/containers/beszel/beszel_socket:/beszel_socket" + "/run/user/1000/podman/podman.sock:/var/run/podman.sock:ro" + ]; + environment = { + LISTEN = "/beszel_socket/beszel.sock"; + KEY_FILE = "/run/secrets/key"; + }; + }; + + sops.secrets = { + "containers/beszel/key" = { }; + }; + }; +} From 5f0eb272815704546a94eadaf3e92f75ba258d14 Mon Sep 17 00:00:00 2001 
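Review bot: `beszel-agent` bind-mounts `/run/user/1000/podman/podman.sock` into the container, and the `:ro` flag only affects the bind mount, not the API behind the socket, so the agent (pulled as the unpinned `henrygd/beszel-agent:latest`) holds a full control channel over every container of this user, including the ones that hold the vaultwarden and paperless data. Pin the agent image by tag or digest and, since it only needs container statistics, put a filtering socket proxy between it and podman rather than handing it the raw socket. The hard-coded `1000` in that path also silently breaks if the deploy user ever gets another uid; quadlet's `%t` runtime-directory specifier resolves the same way `%h` already does in these volumes. `KEY_FILE = "/run/secrets/key"` is referenced but nothing in this hunk mounts the secret there, and the hub exports `beszel/socket` while the agent mounts `beszel/beszel_socket`; PATCH 12 corrects both, but as committed here the agent cannot pair with the hub.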
From: Timo Boomers Date: Wed, 30 Apr 2025 15:24:02 +0200 Subject: [PATCH 12/14] Added beszel monitoring --- .sops.yaml | 2 +- hosts/v-th-ctr-01/home.nix | 1 + modules/home/containers/beszel.nix | 4 +++- modules/home/containers/caddy.nix | 5 +++++ modules/home/default.nix | 1 + secrets/deploy.yaml | 6 ++++-- 6 files changed, 15 insertions(+), 4 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index fb3acc6..f108aec 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,7 +1,7 @@ keys: - &v-th-ctr-01 age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg creation_rules: - - path_regex: secrets/secrets.yaml$ + - path_regex: secrets/deploy.yaml$ key_groups: - age: - *v-th-ctr-01 diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index fb88fe8..c0639a8 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -49,6 +49,7 @@ pingvin-share.enable = true; vaultwarden.enable = true; paperless-ngx.enable = true; + beszel.enable = true; }; }; diff --git a/modules/home/containers/beszel.nix b/modules/home/containers/beszel.nix index f0f47aa..e98b035 100644 --- a/modules/home/containers/beszel.nix +++ b/modules/home/containers/beszel.nix @@ -35,8 +35,10 @@ in { image = "henrygd/beszel-agent:latest"; network = "proxy"; volumes = [ - "%h/containers/beszel/beszel_socket:/beszel_socket" + "%h/containers/beszel/socket:/beszel_socket" "/run/user/1000/podman/podman.sock:/var/run/podman.sock:ro" + + "${config.sops.secrets."containers/beszel/key".path}:/run/secrets/key" ]; environment = { LISTEN = "/beszel_socket/beszel.sock"; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index c08041b..1964b15 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -88,6 +88,11 @@ in { handle @paperless-ngx { reverse_proxy paperless-ngx:8000 } + + @beszel host monitor.local.tbmrs.nl + handle @beszel { + reverse_proxy beszel:8090 + } } ''; }; 
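Review bot: The `creation_rules` entry for `secrets/deploy.yaml` still encrypts to a single recipient, the host key `&v-th-ctr-01`, so every edit of the secrets file requires the host's private age key to be present wherever the edit is made, and losing that key loses every secret in the file. Adding an operator key as a second recipient in `key_groups` and re-running `sops updatekeys` keeps the host identity on the host only and makes rotating either key possible without re-creating the file.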
diff --git a/modules/home/default.nix b/modules/home/default.nix index caf6c8a..cdb3b4b 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -35,5 +35,6 @@ ./containers/pingvin-share.nix ./containers/vaultwarden.nix ./containers/paperless-ngx.nix + ./containers/beszel.nix ]; } diff --git a/secrets/deploy.yaml b/secrets/deploy.yaml index 1096fe0..fc70749 100644 --- a/secrets/deploy.yaml +++ b/secrets/deploy.yaml @@ -2,6 +2,8 @@ example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4 containers: pingvin-share: oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str] + beszel: + key: ENC[AES256_GCM,data:rRtx8Jx/aHOqeRa9dlyc42/62UwwqhkiLDLnZCM65rpW5nL5cQG2dS81YOMVPrE7Sa/cHlE3bvxqETaxMmsJGYukjmZph8skpF0qukCDe4Q=,iv:OS/+jF4MtwPdijXPpG2pgpJQTYyer9bms97B+kO8XhI=,tag:va7jCSGrXp2YKBlYzLI39g==,type:str] paperless-ngx: db-password: ENC[AES256_GCM,data:H21HVshmFuWJ5qNIrjm0VMGHEsT7cCvScgamU+CAaNZ6j5ux/r4xiF9zP7Qh40sKTOvyoWGTcHGPHE5ClpGuQA==,iv:tDIRfThBOfHr+gGRqywlHAk/x4MkhHRFsJEp5nnlGPA=,tag:XbYKD90l3u93Ur4VOqOn6w==,type:str] secret: ENC[AES256_GCM,data:+1hriBiSbt+zUjEkBTEM90PFNlxfNwRAmz8wHyeyOnq6ThI+PtlDu83sunBFL2FUYJX0N4h3R4FvJBUkrPr0NQ==,iv:zzhFaoLnskspp1S291KABLZITgcof63cjShnsZrlAmw=,tag:+aafTLgZVBWeclQLQvVlQg==,type:str] 
@@ -21,8 +23,8 @@ sops: bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-30T09:15:42Z" - mac: ENC[AES256_GCM,data:Mxq3LnXRpnVv/U7QEGL5I3gF3y8W8IfsdTvinIsn5Qi6m04JinyJ0Vgr4JbMstB/8gh259MsAO2na7/vZ8brLuol0X8vZeIlgIoX8DazuI6dpNr284zPWsiRNr8gzBViYDRb4GVf+GF11iXcw3UlJE8uB+N4z4Y4sUbobOt402c=,iv:G86XwJp6ZRB8ioDbNDGKxLPNIcAmcusH/blT/8FKFlk=,tag:emMQZ7TAJGy7yqSpD7+1Cg==,type:str] + lastmodified: "2025-04-30T13:11:24Z" + mac: ENC[AES256_GCM,data:JA1T9q0otjshJWyb8fingvD0CmYyTKdhvNMI3RVoZaMEAwBV4AwMCftG9zWMOgof4NcG4EhdOI7KG7qhctpo25K9j5IhaY8GA/p7BStBopuowTTUZecWHxXy4OFEtuW1PXBGrkgfkupV+RZfeisoa1gGFhQ2tW+fOqtoTFFCLHA=,iv:CM5zgvA2krzLHGiVeiSTVzcswwk9+QJmNCr+3hqw+To=,tag:H0x1UasoXNb38+Cq0CP0YA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 From 4ab5ad76cf3058e76b31dd17b637befb369f1c04 Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Wed, 30 Apr 2025 15:56:19 +0200 Subject: [PATCH 13/14] Added beszel to homepage --- modules/home/containers/beszel.nix | 3 +++ modules/home/containers/homepage.nix | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/modules/home/containers/beszel.nix b/modules/home/containers/beszel.nix index e98b035..1b4b0a8 100644 --- a/modules/home/containers/beszel.nix +++ b/modules/home/containers/beszel.nix @@ -40,9 +40,12 @@ in { "${config.sops.secrets."containers/beszel/key".path}:/run/secrets/key" ]; + user = 1000; + userNS = "keep-id"; environment = { LISTEN = "/beszel_socket/beszel.sock"; KEY_FILE = "/run/secrets/key"; + DOCKER_HOST = "unix:///var/run/podman.sock"; }; }; diff --git a/modules/home/containers/homepage.nix b/modules/home/containers/homepage.nix index bfb2d65..b553725 100644 --- a/modules/home/containers/homepage.nix +++ b/modules/home/containers/homepage.nix 
@@ -59,6 +59,15 @@ in { container = "uptime-kuma"; }; } + { + "Beszel" = { + href = "https://monitor.local.tbmrs.nl"; + description = "Server monitoring"; + icon = "beszel"; + server = "podman"; + container = "beszel"; + }; + } ]; } { From 9147a68f0b5e35c2072c3ee3dfc405c5af949634 Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Thu, 1 May 2025 18:50:16 +0200 Subject: [PATCH 14/14] Reconfigured zellij configuration --- hosts/ti-clt-dsk01/default.nix | 1 + modules/home/applications/zellij.nix | 41 +++++++++++++++++++++++++- modules/system/applications/common.nix | 1 + 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/hosts/ti-clt-dsk01/default.nix b/hosts/ti-clt-dsk01/default.nix index 3e8dce7..90b4e20 100644 --- a/hosts/ti-clt-dsk01/default.nix +++ b/hosts/ti-clt-dsk01/default.nix @@ -87,6 +87,7 @@ "share.tbmrs.nl" "vault.local.tbmrs.nl" "paperless.local.tbmrs.nl" + "monitor.local.tbmrs.nl" ]; }; diff --git a/modules/home/applications/zellij.nix b/modules/home/applications/zellij.nix index 00449b0..e541510 100644 --- a/modules/home/applications/zellij.nix +++ b/modules/home/applications/zellij.nix 
@@ -1,9 +1,38 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; let cfg = config.settings.applications.zellij; + sesh = pkgs.writeScriptBin "sesh" '' + #! /usr/bin/env sh + + # Taken from https://github.com/zellij-org/zellij/issues/884#issuecomment-1851136980 + # select a directory using zoxide + ZOXIDE_RESULT=$(${pkgs.zoxide}/bin/zoxide query --interactive) + + # checks whether a directory has been selected + if [[ -z "$ZOXIDE_RESULT" ]]; then + # if there was no directory, select returns without executing + exit 0 + fi + # extracts the directory name from the absolute path + SESSION_TITLE=$(echo "$ZOXIDE_RESULT" | sed 's#.*/##') + + # get the list of sessions + SESSION_LIST=$(zellij list-sessions -n | awk '{print $1}') + + # checks if SESSION_TITLE is in the session list + if echo "$SESSION_LIST" | grep -q "^$SESSION_TITLE$"; then + # if so, attach to existing session + zellij attach "$SESSION_TITLE" + else + # if not, create a new session + echo "Creating new session $SESSION_TITLE and CD $ZOXIDE_RESULT" + cd $ZOXIDE_RESULT + zellij attach -c "$SESSION_TITLE" + fi + ''; in { options = { settings.applications.zellij.enable = lib.mkOption { @@ -19,6 +48,15 @@ in { enable = true; }; + programs.zoxide = { + enable = true; + enableZshIntegration = true; + }; + + home.packages = [ + sesh + ]; + home.file.zellij = { target = ".config/zellij/config.kdl"; text = '' @@ -26,6 +64,7 @@ in { keybinds { normal { bind "Ctrl e" { ToggleFloatingPanes; SwitchToMode "normal"; } + bind "Ctrl d" { Detach; } bind "Alt 1" { GoToTab 1; } bind "Alt 2" { GoToTab 2; } bind "Alt 3" { GoToTab 3; } diff --git a/modules/system/applications/common.nix b/modules/system/applications/common.nix index 512e7eb..4f4b777 100644 --- a/modules/system/applications/common.nix +++ b/modules/system/applications/common.nix @@ -22,6 +22,7 @@ in { btop git yazi + zoxide just ];
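Review bot: The `sesh` script declares `#! /usr/bin/env sh` but uses `[[ -z "$ZOXIDE_RESULT" ]]`, a bash-only test, and later runs `cd $ZOXIDE_RESULT` unquoted, so a directory path containing spaces splits and the following `zellij attach -c` starts in the wrong place. `grep -q "^$SESSION_TITLE$"` also treats the directory name as a regular expression, so a name with `.` or `+` can match a different session. Suggested lines: `if [ -z "$ZOXIDE_RESULT" ]; then`, `if echo "$SESSION_LIST" | grep -qxF -- "$SESSION_TITLE"; then` and `cd "$ZOXIDE_RESULT" || exit 1`. `zellij`, `awk`, `sed` and `grep` are resolved from `$PATH` while `zoxide` is referenced as `${pkgs.zoxide}/bin/zoxide`; `pkgs.writeShellScriptBin` with explicit store paths for the other tools would make the script self-contained. The `options` attrset continues outside the hunk.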