feat: add shodan! (#119)
* feat: warning for adguard schema mismatch * Auto lint/format * fix: fix filtering * chore: tweak automerge * fix: whoogle * hack * hax * hack * feat: clean tmp on boot * M E G A H A C K * derp lel * chore: name * feat: add shodan! --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com> Co-authored-by: truxnell <truxnell@users.noreply.github.com>
This commit is contained in:
parent
b8a523d13c
commit
b6e2ee3155
27 changed files with 395 additions and 151 deletions
|
@ -7,21 +7,20 @@ and copy into networking.hostId to ensure ZFS doesnt get borked on reboot
|
||||||
|
|
||||||
# Partitioning
|
# Partitioning
|
||||||
|
|
||||||
parted /dev/nvme0n1 -- mklabel gpt
|
parted /dev/sda -- mklabel gpt
|
||||||
parted /dev/nvme0n1 -- mkpart root ext4 512MB -8GB
|
parted /dev/sda -- mkpart root ext4 512MB -8GB
|
||||||
parted /dev/nvme0n1 -- mkpart swap linux-swap -8GB 100%
|
parted /dev/sda -- mkpart ESP fat32 1MB 512MB
|
||||||
parted /dev/nvme0n1 -- mkpart ESP fat32 1MB 512MB
|
parted /dev/sda -- set 2 esp on
|
||||||
parted /dev/nvme0n1 -- set 3 esp on
|
|
||||||
|
|
||||||
# Formatting
|
# Formatting
|
||||||
|
|
||||||
mkswap -L swap /dev/nvme0n1p2
|
mkswap -L swap /dev/sdap2
|
||||||
swapon /dev/nvme0n1p2
|
swapon /dev/sdap2
|
||||||
mkfs.fat -F 32 -n boot /dev/nvme0n1p3
|
mkfs.fat -F 32 -n boot /dev/sdap3
|
||||||
|
|
||||||
# ZFS on root partition
|
# ZFS on root partition
|
||||||
|
|
||||||
zpool create -O mountpoint=none rpool /dev/nvme0n1p1
|
zpool create -O mountpoint=none rpool /dev/sdap1
|
||||||
|
|
||||||
zfs create -p -o mountpoint=legacy rpool/local/root
|
zfs create -p -o mountpoint=legacy rpool/local/root
|
||||||
|
|
||||||
|
@ -33,7 +32,7 @@ mount -t zfs rpool/local/root /mnt
|
||||||
# Boot partition
|
# Boot partition
|
||||||
|
|
||||||
mkdir /mnt/boot
|
mkdir /mnt/boot
|
||||||
mount /dev/nvme0n1p3 /mnt/boot
|
mount /dev/sdap3 /mnt/boot
|
||||||
|
|
||||||
#mk nix
|
#mk nix
|
||||||
zfs create -p -o mountpoint=legacy rpool/local/nix
|
zfs create -p -o mountpoint=legacy rpool/local/nix
|
||||||
|
|
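Review bot: The new formatting commands no longer match the new partition layout: with the swap `mkpart` line dropped, `/dev/sda` ends up with only root (1) and the ESP (2), yet `mkswap -L swap /dev/sdap2` would format the ESP as swap and `mkfs.fat -F 32 -n boot /dev/sdap3` / `mount /dev/sdap3 /mnt/boot` target a third partition that is never created. The device names are also wrong for a SATA disk — the `p` separator is only used by NVMe/MMC devices, so these should read `/dev/sda1`, `/dev/sda2`, and so on. Either restore `parted /dev/sda -- mkpart swap linux-swap -8GB 100%` (and then `set 3 esp on`, swap on `sda2`, ESP on `sda3`) or renumber the format/mount steps to the two-partition layout; as written, following this runbook would wipe the boot partition.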
29
flake.nix
29
flake.nix
|
@ -61,16 +61,23 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
rec {
|
||||||
# Use nixpkgs-fmt for 'nix fmt'
|
# Use nixpkgs-fmt for 'nix fmt'
|
||||||
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
|
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
|
||||||
|
|
||||||
# setup devshells against shell.nix
|
# setup devshells against shell.nix
|
||||||
devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
|
devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
|
||||||
|
|
||||||
|
# extend lib with my custom functions
|
||||||
|
lib = nixpkgs.lib.extend (
|
||||||
|
final: prev: {
|
||||||
|
inherit inputs;
|
||||||
|
myLib = import ./nixos/lib { inherit inputs; lib = final; };
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
nixosConfigurations =
|
nixosConfigurations =
|
||||||
# with self.lib;
|
with self.lib;
|
||||||
let
|
let
|
||||||
specialArgs = {
|
specialArgs = {
|
||||||
inherit inputs outputs;
|
inherit inputs outputs;
|
||||||
|
@ -107,7 +114,7 @@
|
||||||
, profileModules ? [ ]
|
, profileModules ? [ ]
|
||||||
}:
|
}:
|
||||||
nixpkgs.lib.nixosSystem {
|
nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system lib;
|
||||||
modules = baseModules ++ hardwareModules ++ profileModules;
|
modules = baseModules ++ hardwareModules ++ profileModules;
|
||||||
specialArgs = { inherit self inputs nixpkgs; };
|
specialArgs = { inherit self inputs nixpkgs; };
|
||||||
# Add our overlays
|
# Add our overlays
|
||||||
|
@ -217,6 +224,22 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"shodan" = mkNixosConfig {
|
||||||
|
# lenovo tiny NAS
|
||||||
|
|
||||||
|
hostname = "shodan";
|
||||||
|
system = "x86_64-linux";
|
||||||
|
hardwareModules = [
|
||||||
|
./nixos/profiles/hw-generic-x86.nix
|
||||||
|
];
|
||||||
|
profileModules = [
|
||||||
|
./nixos/profiles/role-server.nix
|
||||||
|
./nixos/profiles/impermanence.nix
|
||||||
|
{ home-manager.users.truxnell = ./nixos/home/truxnell/server.nix; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
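Review bot: `with self.lib;` is now live over the whole `nixosConfigurations` let-block, but nothing in the visible hunks uses an unqualified name from it, and the same extended `lib` is already handed to `nixpkgs.lib.nixosSystem` via `inherit system lib;`. A `with` over all of lib hides where an identifier comes from and can change meaning when nixpkgs grows an attribute, so prefer `inherit (self.lib) mkNixosConfig;` (or whichever helpers are needed) or drop it. The `inherit inputs;` inside the lib extension also duplicates `specialArgs = { inherit inputs outputs; }`; a comment such as `# inputs is also reachable as lib.inputs for code that only receives lib` would keep the two paths from drifting. `mkNixosConfig`'s body starts and ends outside the visible hunks.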
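--- a/nixos/hosts/bootstrap.nix
+++ b/nixos/hosts/bootstrap.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+{
+imports =
+[
+# Include the results of the hardware scan.
+./hardware-configuration.nix
+];
+
+# Use the systemd-boot EFI boot loader.
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+services.openssh.enable = true;
+
+users.users.truxnell = {
+isNormalUser = true;
+extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+packages = with pkgs; [
+];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
+];
+};
+networking.hostId = "0a90730f";
+system.stateVersion = "23.11";
+}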
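Review bot: `services.openssh.enable = true;` brings sshd up with NixOS defaults, which (on 23.11, to be confirmed against the pinned nixpkgs) still permit password and keyboard-interactive logins; since this bootstrap host is reachable over the network before any hardened profile is applied, add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to it so only the listed ed25519 key is accepted. The `truxnell` account is in `wheel` but has no password set, so `sudo` will prompt for a password that does not exist unless `security.sudo.wheelNeedsPassword = false;` is intended for the bootstrap phase — worth a comment either way. `networking.hostId = "0a90730f"` is also the exact value used in `nixos/hosts/shodan/default.nix` in this same commit, while the install doc says to derive it per machine for ZFS.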
@ -20,9 +20,11 @@
|
||||||
tautulli.enable = true;
|
tautulli.enable = true;
|
||||||
syncthing.enable = true;
|
syncthing.enable = true;
|
||||||
searxng.enable = true;
|
searxng.enable = true;
|
||||||
factorio.freight-forwarding.enable = true;
|
factorio.freight-forwarding.enable = true; # the factory must grow
|
||||||
whoogle.enable = true;
|
whoogle.enable = true;
|
||||||
|
|
||||||
|
redlib.enable = true;
|
||||||
|
|
||||||
|
|
||||||
};
|
};
|
||||||
mySystem.system.systemd.pushover-alerts.enable = false;
|
mySystem.system.systemd.pushover-alerts.enable = false;
|
||||||
|
@ -32,11 +34,11 @@
|
||||||
mySystem.system.motd.networkInterfaces = [ "eno1" ];
|
mySystem.system.motd.networkInterfaces = [ "eno1" ];
|
||||||
|
|
||||||
# Dev machine
|
# Dev machine
|
||||||
# mySystem.system.resticBackup =
|
mySystem.system.resticBackup =
|
||||||
# {
|
{
|
||||||
# local.enable = false;
|
local.enable = false;
|
||||||
# remote.enable = false;
|
remote.enable = false;
|
||||||
# };
|
};
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
|
|
||||||
|
|
74
nixos/hosts/shodan/default.nix
Normal file
74
nixos/hosts/shodan/default.nix
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
# Edit this configuration file to define what should be installed on
|
||||||
|
# your system. Help is available in the configuration.nix(5) man page, on
|
||||||
|
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
|
||||||
|
{ config
|
||||||
|
, lib
|
||||||
|
, pkgs
|
||||||
|
, ...
|
||||||
|
}: {
|
||||||
|
mySystem.purpose = "Homelab";
|
||||||
|
mySystem.services = {
|
||||||
|
openssh.enable = true;
|
||||||
|
podman.enable = true;
|
||||||
|
traefik.enable = true;
|
||||||
|
|
||||||
|
gatus.enable = true;
|
||||||
|
homepage.enable = true;
|
||||||
|
# backrest.enable = true;
|
||||||
|
|
||||||
|
plex.enable = true;
|
||||||
|
tautulli.enable = true;
|
||||||
|
syncthing.enable = true;
|
||||||
|
searxng.enable = true;
|
||||||
|
factorio.freight-forwarding.enable = true; # the factory must grow
|
||||||
|
whoogle.enable = true;
|
||||||
|
|
||||||
|
redlib.enable = true;
|
||||||
|
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
mySystem.nfs.nas.enable = true;
|
||||||
|
mySystem.persistentFolder = "/persistent";
|
||||||
|
mySystem.system.motd.networkInterfaces = [ "enp1s0" ];
|
||||||
|
|
||||||
|
boot = {
|
||||||
|
|
||||||
|
initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
|
initrd.kernelModules = [ ];
|
||||||
|
kernelModules = [ "kvm-intel" ];
|
||||||
|
extraModulePackages = [ ];
|
||||||
|
|
||||||
|
# for managing/mounting ntfs
|
||||||
|
supportedFilesystems = [ "ntfs" ];
|
||||||
|
|
||||||
|
loader = {
|
||||||
|
systemd-boot.enable = true;
|
||||||
|
efi.canTouchEfiVariables = true;
|
||||||
|
# why not ensure we can memtest workstatons easily?
|
||||||
|
# TODO check whether this is actually working, cant see it in grub?
|
||||||
|
grub.memtest86.enable = true;
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "durandal"; # Define your hostname.
|
||||||
|
networking.hostId = "0a90730f";
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-uuid/2e843998-f409-4ccc-bc7c-07099ee0e936";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-uuid/12CE-A600";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices =
|
||||||
|
[{ device = "/dev/disk/by-uuid/0ae2765b-f3f4-4b1a-8ea6-599f37504d70"; }];
|
||||||
|
|
||||||
|
}
|
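Review bot: `networking.hostName = "durandal";` in the new `shodan` host file contradicts the `hostname = "shodan"` passed to `mkNixosConfig` in `flake.nix`; depending on how the helper sets the option this either fails with a conflicting-definition error or brings the box up as `durandal`, so it should read `networking.hostName = "shodan";`. The `hostId`, the `/`, `/boot` and swap `by-uuid` values look copied from another host (the `hostId` string is identical to `bootstrap.nix`), and a duplicated ZFS `hostId` across machines defeats its purpose as a pool-ownership check — regenerate them from the actual disk. `grub.memtest86.enable = true` with the `# TODO check whether this is actually working` comment is a no-op while systemd-boot is the loader; the systemd-boot equivalent is `boot.loader.systemd-boot.memtest86.enable` (if the pinned nixpkgs has it).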
111
nixos/lib/default.nix
Normal file
111
nixos/lib/default.nix
Normal file
|
@ -0,0 +1,111 @@
|
||||||
|
{ inputs, lib, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
rec {
|
||||||
|
|
||||||
|
firstOrDefault = first: default: if !isNull first then first else default;
|
||||||
|
|
||||||
|
existsOrDefault = x: set: default: if builtins.hasAttr x set then builtins.getAttr x set else default;
|
||||||
|
|
||||||
|
# Will be v. useful when i grok
|
||||||
|
# https://github.com/ahbk/my-nixos/blob/5fe1521b11422c66fd823b442393b3b044a5a5b8/nix#L5
|
||||||
|
# pick a list of attributes from an attrSet
|
||||||
|
# mySystem.pick = attrNames: attrSet: filterAttrs (name: value: elem name attrNames) attrSet;
|
||||||
|
|
||||||
|
# create an env-file (package) that can be sourced to set environment variables
|
||||||
|
# mySystem.mkEnv = name: value: pkgs.writeText "${name}-env" (concatStringsSep "\n" (mapAttrsToList (n: v: "${n}=${v}") value));
|
||||||
|
|
||||||
|
# loop over an attrSet and merge the attrSets returned from f into one (latter override the former in case of conflict)
|
||||||
|
# mySystem.mergeAttrs = f: attrs: builtins.foldlAttrs (acc: name: value: (recursiveUpdate acc (f name value))) { } attrs;
|
||||||
|
|
||||||
|
# main service builder
|
||||||
|
mkService = options: (
|
||||||
|
let
|
||||||
|
user = existsOrDefault "user" options "568";
|
||||||
|
group = existsOrDefault "group" options "568";
|
||||||
|
envFiles = existsOrDefault "envFiles" options [ ];
|
||||||
|
addTraefikLabels = if (builtins.hasAttr "container" options) && (builtins.hasAttr "addTraefikLabels" options.container) then options.container.addTraefikLabels else false;
|
||||||
|
homepageIcon = if (builtins.hasAttr "homepage" options) && (builtins.hasAttr "icon" options.homepage) then options.homepage.icon else "${options.app}.svg";
|
||||||
|
|
||||||
|
host = existsOrDefault "host" options "${options.app}.${options.domain}";
|
||||||
|
|
||||||
|
# nix doesnt have an exhausive list of options for oci
|
||||||
|
# so here i try to get a robust list of security options for containers
|
||||||
|
# because everyone needs more tinfoild hat right? RIGHT?
|
||||||
|
|
||||||
|
containerExtraOptions = [ ]
|
||||||
|
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ]
|
||||||
|
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ]
|
||||||
|
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs ${folders}") tmpfsFolders) ]
|
||||||
|
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt no-new-privileges" ]
|
||||||
|
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop ALL" ]
|
||||||
|
|
||||||
|
;
|
||||||
|
|
||||||
|
in
|
||||||
|
{
|
||||||
|
virtualisation.oci-containers.containers.${options.app} = {
|
||||||
|
image = "${options.image}";
|
||||||
|
user = "${user}:${group}";
|
||||||
|
environment = {
|
||||||
|
TZ = options.timeZone;
|
||||||
|
} // options.container.env;
|
||||||
|
environmentFiles = [ ] ++ envFiles;
|
||||||
|
volumes = [
|
||||||
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
|
];
|
||||||
|
|
||||||
|
labels = mkIf addTraefikLabels (mkTraefikLabels {
|
||||||
|
name = options.app;
|
||||||
|
port = options.port;
|
||||||
|
domain = options.domain;
|
||||||
|
url = host;
|
||||||
|
});
|
||||||
|
|
||||||
|
extraOptions = containerExtraOptions;
|
||||||
|
};
|
||||||
|
|
||||||
|
mySystem.services.homepage.media-services = mkIf options.addToHomepage [
|
||||||
|
{
|
||||||
|
${options.app} = {
|
||||||
|
icon = homepageIcon;
|
||||||
|
href = host;
|
||||||
|
host = host;
|
||||||
|
description = options.description;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
);
|
||||||
|
|
||||||
|
# build up traefik docker labels
|
||||||
|
mkTraefikLabels = options: (
|
||||||
|
let
|
||||||
|
inherit (options) name;
|
||||||
|
subdomain = if builtins.hasAttr "subdomain" options then options.subdomain else options.name;
|
||||||
|
host = existsOrDefault "host" options "${options.name}.${options.domain}";
|
||||||
|
|
||||||
|
# created if port is specified
|
||||||
|
service = if builtins.hasAttr "service" options then options.service else options.name;
|
||||||
|
middleware = if builtins.hasAttr "middleware" options then options.middleware else "local-ip-only@file";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"traefik.enable" = "true";
|
||||||
|
"traefik.http.routers.${name}.rule" = "Host(`${host}`)";
|
||||||
|
"traefik.http.routers.${name}.entrypoints" = "websecure";
|
||||||
|
"traefik.http.routers.${name}.middlewares" = "${middleware}";
|
||||||
|
} // attrsets.optionalAttrs (builtins.hasAttr "port" options) {
|
||||||
|
"traefik.http.routers.${name}.service" = service;
|
||||||
|
"traefik.http.services.${service}.loadbalancer.server.port" = "${builtins.toString options.port}";
|
||||||
|
} // attrsets.optionalAttrs (builtins.hasAttr "scheme" options) {
|
||||||
|
"traefik.http.routers.${name}.service" = service;
|
||||||
|
"traefik.http.services.${service}.loadbalancer.server.scheme" = "${options.scheme}";
|
||||||
|
} // attrsets.optionalAttrs (builtins.hasAttr "service" options) {
|
||||||
|
"traefik.http.routers.${name}.service" = service;
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
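Review bot: The hardening flags in `containerExtraOptions` are built as single strings containing a space (`"--security-opt no-new-privileges"`, `"--cap-drop ALL"`, `"--tmpfs ${folders}"`); as far as I recall the oci-containers module shell-escapes each `extraOptions` element as one argument, so podman receives `'--security-opt no-new-privileges'` as an unknown flag and the container fails to start rather than starting hardened — use the `--flag=value` form. The tmpfs branch also references `tmpfsFolders`, which is not defined anywhere in this file, and wraps the `map` result in an extra list, so enabling `caps.tmpfs` fails at evaluation. `environment = { TZ = ...; } // options.container.env` is evaluated unguarded even though `addTraefikLabels` checks for a missing `container` attribute; `existsOrDefault "env" (options.container or { }) { }` would keep the two consistent. The rewrite below makes `caps.tmpfs` a list of mount points, which is the only shape the original could ever have meant.
```nix
containerExtraOptions = [ ]
  ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ]
  ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ]
  # one argv element per flag; podman gets each list element as a single shell-escaped argument
  ++ map (folder: "--tmpfs=${folder}") (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] [ ] options)
  ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ]
  ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ];
# … unchanged: rest of the let-bindings and the returned attrset …
```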
@ -53,8 +53,10 @@ in
|
||||||
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
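Review bot: The new `domain = config.networking.domain;` argument chooses a different source of truth than the rest of these modules, which still build their URLs from `config.mySystem.domain` (see the searxng `SEARXNG_BASE_URL` and homepage `href` lines elsewhere in this commit), and the removed `lib.mySystem.mkTraefikLabels` used `config.mySystem.domain` as well. `networking.domain` defaults to `null` in NixOS and `mkTraefikLabels` interpolates it straight into the Traefik `Host` rule, so on any host where it is unset evaluation fails with a string-coercion error, and where the two values differ the route and the app's own base URL disagree. Consider `domain = config.mySystem.domain;` here, or assert the two are equal in one place. The container definition this label block belongs to starts before the hunk.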
@ -51,8 +51,10 @@ in
|
||||||
"${persistentFolder}:/config:rw"
|
"${persistentFolder}:/config:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -53,8 +53,10 @@ in
|
||||||
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -52,8 +52,10 @@ in
|
||||||
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -55,8 +55,10 @@ in
|
||||||
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -45,8 +45,10 @@ in
|
||||||
"${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
|
"${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -11,5 +11,6 @@
|
||||||
./searxng
|
./searxng
|
||||||
./factorio
|
./factorio
|
||||||
./whoogle
|
./whoogle
|
||||||
|
./redlib
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -41,8 +41,10 @@ in
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
ports = [ (builtins.toString port) ]; # expose port
|
ports = [ (builtins.toString port) ]; # expose port
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -129,8 +129,10 @@ in
|
||||||
"${configFile}:/config/config.yaml:ro"
|
"${configFile}:/config/config.yaml:ro"
|
||||||
];
|
];
|
||||||
|
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -282,8 +282,10 @@ in
|
||||||
# "traefik.http.routers.${app}.middlewares" = "local-ip-only@file";
|
# "traefik.http.routers.${app}.middlewares" = "local-ip-only@file";
|
||||||
# "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
|
# "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
|
||||||
# };
|
# };
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
# not using docker socket for discovery, just
|
# not using docker socket for discovery, just
|
||||||
|
|
|
@ -40,8 +40,10 @@ in
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
ports = [ (builtins.toString port) ]; # expose port
|
ports = [ (builtins.toString port) ]; # expose port
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -44,8 +44,10 @@ in
|
||||||
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
65
nixos/modules/nixos/containers/redlib/default.nix
Normal file
65
nixos/modules/nixos/containers/redlib/default.nix
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
{ lib
|
||||||
|
, config
|
||||||
|
, pkgs
|
||||||
|
, ...
|
||||||
|
}:
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.mySystem.services.redlib;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.mySystem.services.redlib.enable = mkEnableOption "redlib";
|
||||||
|
|
||||||
|
# fuck /u/spez
|
||||||
|
config =
|
||||||
|
myLib.mkService
|
||||||
|
{
|
||||||
|
app = "Redlib";
|
||||||
|
description = "Reddit alternate frontend";
|
||||||
|
image = "quay.io/redlib/redlib@sha256:7fa92bb9b5a281123ee86a0b77a443939c2ccdabba1c12595dcd671a84cd5a64";
|
||||||
|
port = 8080;
|
||||||
|
user = "nobody";
|
||||||
|
group = "nobody";
|
||||||
|
timeZone = config.time.timeZone;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
addToHomepage = true;
|
||||||
|
homepage.icon = "libreddit.svg";
|
||||||
|
container = {
|
||||||
|
env = {
|
||||||
|
REDLIB_DEFAULT_SHOW_NSFW = "on";
|
||||||
|
REDLIB_DEFAULT_USE_HLS = "on";
|
||||||
|
REDLIB_DEFAULT_HIDE_HLS_NOTIFICATION = "on";
|
||||||
|
};
|
||||||
|
addTraefikLabels = true;
|
||||||
|
caps = {
|
||||||
|
readOnly = true;
|
||||||
|
noNewPrivileges = true;
|
||||||
|
dropAll = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
# mkService
|
||||||
|
# app: App Name, string, required
|
||||||
|
# appUrl: App url, string, default "https://APP.DOMAIN"
|
||||||
|
# description: App Description, string, required
|
||||||
|
# image: Container IMage, string, required
|
||||||
|
# port: port, int
|
||||||
|
# timeZone: timezone, required
|
||||||
|
# domain: domain of app, required
|
||||||
|
# addToHomepage: Flag to add to homepage, bool, default false
|
||||||
|
## HOMEPAGE
|
||||||
|
# homepage.icon: Icon for homepage listing, string, default "app.svg"
|
||||||
|
|
||||||
|
# user: user to run as, string, default 568
|
||||||
|
# group: group to run as, string, default 568
|
||||||
|
# envFiles, files to add as env, list of string, default [ TZ = timeZone ]
|
||||||
|
|
||||||
|
## CONTAINER
|
||||||
|
# container.env, env vars for container, attrset, default { }
|
||||||
|
# container.addTraefikLabels, flag for adding traefik exposing labels, default true
|
||||||
|
# caps.privileged: privileged pod, grant pod high privs, defualt SUPER false. SUPER DOOPER FALSE
|
||||||
|
# caps.readOnly: readonly pod (outside mounted paths etc). default false
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
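Review bot: `config = myLib.mkService { ... }` is not wrapped in `mkIf cfg.enable`, so the `enable` option declared just above is never consulted and every host importing this module (it is added to the container module list in this commit) gets the Redlib container whether or not it opted in; change it to `config = mkIf cfg.enable (myLib.mkService { ... });`. Running as `user = "nobody"` shares that uid with everything else on the host that also runs as nobody, which undercuts the isolation the `readOnly`/`noNewPrivileges`/`dropAll` caps are buying — a dedicated id like the `568`/`927` used by the other containers would be consistent. The trailing option reference says `container.addTraefikLabels ... default true`, but `mkService` defaults it to `false`, and `envFiles ... default [ TZ = timeZone ]` does not match the `[ ]` default either; fix the comments so the next caller does not rely on them.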
@ -38,8 +38,10 @@ in
|
||||||
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
"${config.mySystem.nasFolder}/natflix:/media:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -37,8 +37,10 @@ in
|
||||||
SEARXNG_BASE_URL = "https://searxng.${config.mySystem.domain}/";
|
SEARXNG_BASE_URL = "https://searxng.${config.mySystem.domain}/";
|
||||||
SEARXNG_URL = "https://searxng.${config.mySystem.domain}";
|
SEARXNG_URL = "https://searxng.${config.mySystem.domain}";
|
||||||
};
|
};
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
extraOptions = [
|
extraOptions = [
|
||||||
|
@ -54,7 +56,7 @@ in
|
||||||
|
|
||||||
mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
|
mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
|
||||||
{
|
{
|
||||||
Tautulli = {
|
Searxng = {
|
||||||
icon = "${app}.png";
|
icon = "${app}.png";
|
||||||
href = "https://${app}.${config.mySystem.domain}";
|
href = "https://${app}.${config.mySystem.domain}";
|
||||||
ping = "https://${app}.${config.mySystem.domain}";
|
ping = "https://${app}.${config.mySystem.domain}";
|
||||||
|
|
|
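Review bot: `SEARXNG_BASE_URL` and `SEARXNG_URL` still derive from `config.mySystem.domain` while the Traefik labels a few lines below now use `config.networking.domain`; if those two ever differ, the instance advertises one base URL and is routed on another, which breaks absolute links and the `searxng.<domain>` homepage `ping`. Pick one domain source for both within this module. The `Tautulli` → `Searxng` homepage key fix is correct. The container definition these lines sit in starts before the first hunk.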
@ -1,70 +0,0 @@
|
||||||
{ lib
|
|
||||||
, config
|
|
||||||
, pkgs
|
|
||||||
, ...
|
|
||||||
}:
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
app = "searxng";
|
|
||||||
image = "docker.io/searxng/searxng:2023.11.1-b5a8ddfec";
|
|
||||||
user = "568"; #string
|
|
||||||
group = "568"; #string
|
|
||||||
port = 8080; #int
|
|
||||||
cfg = config.mySystem.services.${app};
|
|
||||||
appFolder = "containers/${app}";
|
|
||||||
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
|
|
||||||
config = { use_default_settings = { engines = { keep_only = [ "arch linux wiki" "google" "google images" "google news" "google videos" "google scholar" "google play apps" "duckduckgo" "brave" "startpage" "gitlab" "github" "codeberg" "sourcehut" "bitbucket" "apple app store" "wikipedia" "currency" "docker hub" "ddg definitions" "duckduckgo images" "bandcamp" "deviantart" "tineye" "apple maps" "fdroid" "flickr" "free software directory" "z-library" "lobste.rs" "azlyrics" "openstreetmap" "npm" "pypi" "lib.rs" "nyaa" "reddit" "sepiasearch" "soundcloud" "stackoverflow" "askubuntu" "superuser" "searchcode code" "unsplash" "youtube" "wolframalpha" "mojeek" ]; }; }; engines = [{ name = "brave"; disabled = false; } { name = "startpage"; disabled = false; } { name = "apple app store"; disabled = false; } { name = "ddg definitions"; disabled = false; } { name = "tineye"; disabled = false; } { name = "apple maps"; disabled = false; } { name = "duckduckgo images"; disabled = false; } { name = "fdroid"; disabled = false; } { name = "free software directory"; disabled = false; } { name = "bitbucket"; disabled = false; } { name = "gitlab"; disabled = false; } { name = "codeberg"; disabled = false; } { name = "google play apps"; disabled = false; } { name = "lobste.rs"; disabled = false; } { name = "azlyrics"; disabled = false; } { name = "npm"; disabled = false; } { name = "nyaa"; disabled = false; categories = "videos"; } { name = "searchcode code"; disabled = false; } { name = "mojeek"; disabled = false; } { name = "lib.rs"; disabled = false; } { name = "sourcehut"; disabled = false; }]; general = { instance_name = "NatFlix Search"; enable_metrics = false; }; brand = { new_issue_url = ""; docs_url = ""; public_instances = ""; wiki_url = ""; issue_url = ""; }; search = { safe_search = 0; autocomplete = "duckduckgo"; autocomplete_min = 2; default_lang = "en"; max_page = 0; }; server = { base_url = "https://searxng.\${EXTERNAL_DOMAIN}/"; image_proxy = true; http_protocol_version = 
"1.1"; method = "GET"; }; ui = { static_use_hash = true; infinite_scroll = true; default_theme = "simple"; theme_args = { simple_style = "dark"; }; }; enabled_plugins = [ "Hash plugin" "Search on category select" "Self Information" "Tracker URL remover" "Open Access DOI rewrite" "Vim-like hotkeys" ]; };
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.mySystem.services.${app} =
|
|
||||||
{
|
|
||||||
enable = mkEnableOption "${app}";
|
|
||||||
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
|
|
||||||
virtualisation.oci-containers.containers.${app} = {
|
|
||||||
image = "${image}";
|
|
||||||
user = "${user}:${group}";
|
|
||||||
volumes = [
|
|
||||||
"${configFile}:/etc/searxng/settings.yml:ro"
|
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
TZ = "${config.time.timeZone}";
|
|
||||||
SEARXNG_BASE_URL = "https://searxng.${config.mySystem.domain}/";
|
|
||||||
SEARXNG_URL = "https://searxng.${config.mySystem.domain}";
|
|
||||||
};
|
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
|
||||||
name = app;
|
|
||||||
inherit port;
|
|
||||||
};
|
|
||||||
extraOptions = [
|
|
||||||
"--read-only"
|
|
||||||
"--tmpfs=/etc/searxng/"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
|
|
||||||
{
|
|
||||||
Searxng = {
|
|
||||||
icon = "${app}.svg";
|
|
||||||
href = "https://${app}.${config.mySystem.domain}";
|
|
||||||
ping = "https://${app}.${config.mySystem.domain}";
|
|
||||||
description = "Private Search Engine";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
|
|
||||||
|
|
||||||
name = app;
|
|
||||||
group = "services";
|
|
||||||
url = "https://${app}.${config.mySystem.domain}";
|
|
||||||
interval = "1m";
|
|
||||||
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
|
|
||||||
}];
|
|
||||||
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -36,8 +36,10 @@ in
|
||||||
"${config.mySystem.nasFolder}/backup/kubernetes/apps/tautulli:/config/backup:rw"
|
"${config.mySystem.nasFolder}/backup/kubernetes/apps/tautulli:/config/backup:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -7,8 +7,8 @@ with lib;
|
||||||
let
|
let
|
||||||
app = "whoogle";
|
app = "whoogle";
|
||||||
image = "ghcr.io/benbusby/whoogle-search:0.8.4@sha256:93977c3aec8a039df94745a6e960d1b590a897e451b874c90ce484fbdbc3630f";
|
image = "ghcr.io/benbusby/whoogle-search:0.8.4@sha256:93977c3aec8a039df94745a6e960d1b590a897e451b874c90ce484fbdbc3630f";
|
||||||
user = "568"; #string
|
user = "927"; #string
|
||||||
group = "568"; #string
|
group = "927"; #string
|
||||||
port = 5000; #int
|
port = 5000; #int
|
||||||
cfg = config.mySystem.services.${app};
|
cfg = config.mySystem.services.${app};
|
||||||
appFolder = "containers/${app}";
|
appFolder = "containers/${app}";
|
||||||
|
@ -27,8 +27,31 @@ in
|
||||||
image = "${image}";
|
image = "${image}";
|
||||||
user = "${user}:${group}";
|
user = "${user}:${group}";
|
||||||
ports = [ (builtins.toString port) ]; # expose port
|
ports = [ (builtins.toString port) ]; # expose port
|
||||||
labels = config.lib.mySystem.mkTraefikLabels {
|
environment = {
|
||||||
|
TZ = "${config.time.timeZone}";
|
||||||
|
WHOOGLE_ALT_TW = "nitter.${config.networking.domain}";
|
||||||
|
WHOOGLE_ALT_YT = "invidious.${config.networking.domain}";
|
||||||
|
WHOOGLE_ALT_IG = "imginn.com";
|
||||||
|
WHOOGLE_ALT_RD = "redlib.${config.networking.domain}";
|
||||||
|
WHOOGLE_ALT_MD = "scribe.${config.networking.domain}";
|
||||||
|
WHOOGLE_ALT_TL = "";
|
||||||
|
WHOOGLE_ALT_IMG = "bibliogram.art";
|
||||||
|
WHOOGLE_ALT_IMDB = "";
|
||||||
|
WHOOGLE_ALT_WIKI = "";
|
||||||
|
WHOOGLE_ALT_QUORA = "";
|
||||||
|
WHOOGLE_CONFIG_ALTS = "1";
|
||||||
|
WHOOGLE_CONFIG_THEME = "system";
|
||||||
|
WHOOGLE_CONFIG_URL = "https://search.${config.networking.domain}";
|
||||||
|
WHOOGLE_CONFIG_GET_ONLY = "1";
|
||||||
|
WHOOGLE_CONFIG_COUNTRY = "AU";
|
||||||
|
WHOOGLE_CONFIG_VIEW_IMAGE = "1";
|
||||||
|
WHOOGLE_CONFIG_DISABLE = "1";
|
||||||
|
};
|
||||||
|
|
||||||
|
labels = lib.myLib.mkTraefikLabels {
|
||||||
name = app;
|
name = app;
|
||||||
|
domain = config.networking.domain;
|
||||||
|
|
||||||
inherit port;
|
inherit port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
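Review bot: `WHOOGLE_CONFIG_URL = "https://search.${config.networking.domain}"` does not match the route this container is actually published on, which `mkTraefikLabels { name = app; ... }` makes `whoogle.<domain>`, so Whoogle will emit absolute links and redirects to a hostname Traefik has no router for (unless `search.` is wired up elsewhere); use `"https://${app}.${config.networking.domain}"` or pass a matching `host` into the labels. The uid/gid change from `568` to `927` carries no explanation — a comment such as `# 927: dedicated uid for whoogle, see <where it is allocated>` would help the next reader. `WHOOGLE_ALT_IG = "imginn.com"` and `WHOOGLE_ALT_IMG = "bibliogram.art"` redirect users to third-party hosts; bibliogram has, as far as I know, been shut down for some time, so that entry should probably be empty like the others.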
@ -2,31 +2,6 @@
|
||||||
with lib;
|
with lib;
|
||||||
{
|
{
|
||||||
|
|
||||||
# build up traefik docker labesl
|
|
||||||
lib.mySystem.mkTraefikLabels = options: (
|
|
||||||
let
|
|
||||||
inherit (options) name;
|
|
||||||
subdomain = if builtins.hasAttr "subdomain" options then options.subdomain else options.name;
|
|
||||||
|
|
||||||
# created if port is specified
|
|
||||||
service = if builtins.hasAttr "service" options then options.service else options.name;
|
|
||||||
middleware = if builtins.hasAttr "middleware" options then options.middleware else "local-ip-only@file";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"traefik.enable" = "true";
|
|
||||||
"traefik.http.routers.${name}.rule" = "Host(`${options.name}.${config.mySystem.domain}`)";
|
|
||||||
"traefik.http.routers.${name}.entrypoints" = "websecure";
|
|
||||||
"traefik.http.routers.${name}.middlewares" = "${middleware}";
|
|
||||||
} // lib.attrsets.optionalAttrs (builtins.hasAttr "port" options) {
|
|
||||||
"traefik.http.routers.${name}.service" = service;
|
|
||||||
"traefik.http.services.${service}.loadbalancer.server.port" = "${builtins.toString options.port}";
|
|
||||||
} // lib.attrsets.optionalAttrs (builtins.hasAttr "scheme" options) {
|
|
||||||
"traefik.http.routers.${name}.service" = service;
|
|
||||||
"traefik.http.services.${service}.loadbalancer.server.scheme" = "${options.scheme}";
|
|
||||||
} // lib.attrsets.optionalAttrs (builtins.hasAttr "service" options) {
|
|
||||||
"traefik.http.routers.${name}.service" = service;
|
|
||||||
}
|
|
||||||
);
|
|
||||||
|
|
||||||
# build a restic restore set for both local and remote
|
# build a restic restore set for both local and remote
|
||||||
lib.mySystem.mkRestic = options: (
|
lib.mySystem.mkRestic = options: (
|
||||||
|
@ -76,25 +51,7 @@ with lib;
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
# Will be v. useful when i grok
|
|
||||||
# https://github.com/ahbk/my-nixos/blob/5fe1521b11422c66fd823b442393b3b044a5a5b8/lib.nix#L5
|
|
||||||
# pick a list of attributes from an attrSet
|
|
||||||
lib.mySystem.pick = attrNames: attrSet: lib.filterAttrs (name: value: lib.elem name attrNames) attrSet;
|
|
||||||
|
|
||||||
# create an env-file (package) that can be sourced to set environment variables
|
|
||||||
lib.mySystem.mkEnv = name: value: pkgs.writeText "${name}-env" (concatStringsSep "\n" (mapAttrsToList (n: v: "${n}=${v}") value));
|
|
||||||
|
|
||||||
# loop over an attrSet and merge the attrSets returned from f into one (latter override the former in case of conflict)
|
|
||||||
lib.mySystem.mergeAttrs = f: attrs: foldlAttrs (acc: name: value: (recursiveUpdate acc (f name value))) { } attrs;
|
|
||||||
|
|
||||||
# Iterate all attrs in base and return
|
|
||||||
# the merged set from all iterated keys in base from
|
|
||||||
# return path
|
|
||||||
# lib.mySystem.mkMergeMap = base: return: builtins.concatMap (cfg: (cfg.return)) (builtins.attrValues base);
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# # useful?
|
|
||||||
# foldlAttrs
|
|
||||||
# # attrbypath?
|
|
||||||
# let
|
|
||||||
|
|
|
@ -179,7 +179,7 @@ in
|
||||||
|
|
||||||
mySystem.services.homepage.infrastructure-services = [
|
mySystem.services.homepage.infrastructure-services = [
|
||||||
{
|
{
|
||||||
Traefik = {
|
"Traefik ${config.networking.hostName}" = {
|
||||||
icon = "traefik.png";
|
icon = "traefik.png";
|
||||||
href = "https://traefik-${config.networking.hostName}.${config.mySystem.domain}/dashboard/";
|
href = "https://traefik-${config.networking.hostName}.${config.mySystem.domain}/dashboard/";
|
||||||
|
|
||||||
|
|
|
@ -25,7 +25,11 @@ with lib;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
|
||||||
|
boot.tmp.cleanOnBoot = true;
|
||||||
|
|
||||||
mySystem = {
|
mySystem = {
|
||||||
|
|
||||||
# basics for all devices
|
# basics for all devices
|
||||||
|
|
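Review bot: `boot.tmp.cleanOnBoot = true;` is set unconditionally in the shared `config` block with no note of intent; it only purges `/tmp` at boot, so long-running hosts still accumulate world-writable state in `/tmp` between reboots, and on hosts that set `boot.tmp.useTmpfs` the `/tmp` contents are already volatile. A comment such as `# wipe /tmp on every boot so leftovers from a previous run cannot be reused` would document the purpose, and `boot.tmp.useTmpfs = true;` is worth considering where memory allows. The enclosing `config = { ... }` block continues outside the hunk.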