Merge branch 'main' of ssh://gitea.xeovalyte.dev:2222/xeovalyte/nix

Merge

homelab/.gitignore

@@ -0,0 +1,2 @@
+secrets/
+.env

homelab/README.md

@@ -0,0 +1,5 @@
+# Create proxy network
+`docker network create proxy`
+
+# Configure caddy cloudflare
+Find instructions on [caddy-dns cloudflare](https://github.com/caddy-dns/cloudflare)

homelab/adguard/docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  adguardhome:
+    image: adguard/adguardhome:latest
+    container_name: adguardhome
+    restart: unless-stopped
+    ports:
+      - 53:53/tcp
+      - 53:53/udp
+#      - 80:3000 # Only use during setup
+    volumes:
+      - work:/opt/adguardhome/work
+      - conf:/opt/adguardhome/conf
+
+volumes:
+  work:
+  conf:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/authelia/config/.gitignore

@@ -0,0 +1,2 @@
+db.sqlite3
+notifications.txt

homelab/authelia/docker-compose.yml

@@ -0,0 +1,35 @@
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    restart: unless-stopped
+    volumes:
+      - ./config:/config
+    depends_on:
+      - lldap
+    environment:
+      JWT_SECRET: ${AUTHELIA_JWT_SECRET}
+      SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
+      STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD}
+
+  lldap:
+    image: lldap/lldap:latest
+    container_name: lldap
+    restart: unless-stopped
+    volumes:
+      - data_lldap:/data
+    environment:
+      LLDAP_JWT_SECRET: ${LLDAP_JWT_SECRET}
+      LLDAP_KEY_SEED: ${LLDAP_KEY_SEED}
+      LLDAP_LDAP_BASE_DN: dc=bmrs,dc=nl
+      LLDAP_LDAP_USER_PASS: ${LLDAP_ADMIN_PASSWORD}
+
+volumes:
+  data_lldap:
+
+networks:
+  default:
+    name: proxy
+    external: true
+

homelab/caddy/Dockerfile

@@ -0,0 +1,8 @@
+FROM caddy:2.8-builder AS builder
+
+RUN xcaddy build \
+  --with github.com/caddy-dns/cloudflare
+
+FROM caddy:2.8
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy

homelab/caddy/README.md

@@ -0,0 +1,2 @@
+# Caddy reverse proxy
+Follow [this](https://github.com/caddy-dns/cloudflare) to obtain secrets

homelab/caddy/caddyfiles/Caddyfile

@@ -0,0 +1,16 @@
+localhost {
+	respond "Hello world!"
+}
+
+
+*.timo.bmrs.nl timo.bmrs.nl {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_TOKEN}
+			api_token {env.CF_API_TOKEN}
+		}
+		resolvers 1.1.1.1
+	}
+
+	import routes/*
+}

homelab/caddy/caddyfiles/routes/adguard

@@ -0,0 +1,9 @@
+@adguard host adguard.timo.bmrs.nl
+handle @adguard {
+	forward_auth authelia:9091 {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name		
+	}
+
+	reverse_proxy adguardhome:3000
+}

homelab/caddy/caddyfiles/routes/authelia

@@ -0,0 +1,9 @@
+@ldap host ldap.timo.bmrs.nl
+handle @ldap {
+	reverse_proxy lldap:17170
+}
+
+@authelia host auth.timo.bmrs.nl
+handle @authelia {
+	reverse_proxy authelia:9091
+}

homelab/caddy/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   caddy:
-    image: caddy:2.8
+    build: .
     container_name: caddy
     restart: unless-stopped
     cap_add:
@@ -10,10 +10,18 @@ services:
       - 443:443
       - 443:443/udp
     volumes:
-      - caddy_data:/data
+      - data:/data
-      - caddy_config:/config
+      - config:/config
       - ./caddyfiles:/etc/caddy/
+    environment:
+      CF_ZONE_TOKEN: ${CF_ZONE_TOKEN}
+      CF_API_TOKEN: ${CF_API_TOKEN}
 
 volumes:
-  caddy_data:
+  data:
-  caddy_config:
+  config:
+
+networks:
+  default:
+    name: proxy
+    external: true

hosts/pm01vm01/default.nix

@@ -37,7 +37,11 @@
   # Enable ssh
   services.openssh.enable = true;
 
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  # Forward ports
+  networking.firewall = {
+    allowedTCPPorts = [ 80 443 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
 
   system.stateVersion = "24.05";
 

hosts/pm01vm01/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ohci_pci" "ehci_pci" "virtio_pci" "ahci" "usbhid" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/649666ff-db85-4666-86d0-c088732505d6";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/A157-F96E";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f8c0a59c-7e1a-4eb7-960e-20ba65fec156"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s8.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

modules/system/cli/docker.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
   virtualisation.docker = {
@@ -10,4 +10,13 @@
   };
 
   users.users.xeovalyte.extraGroups = [ "docker" ];
+
+  security.wrappers = {
+    docker-rootlesskit = {
+      owner = "root";
+      group = "root";
+      capabilities = "cap_net_bind_service+ep";
+      source = "${pkgs.rootlesskit}/bin/rootlesskit";
+    };
+  };
 }

modules/system/hardware/firewall.nix

@@ -3,7 +3,7 @@
 {
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 53317 3000 24800 ];
+    allowedTCPPorts = [ ];
-    allowedUDPPorts = [ 53317 24800 ];
+    allowedUDPPorts = [ ];
   };
 }