Koen/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

forgejo works now but vaultwarden is fucky

Browse source
This commit is contained in:
KoenDR06 2025-12-29 01:45:04 +01:00
parent f1b3559434
commit 02eb92a443
5 changed files with 140 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

6
machines/artemis/modules.nix
View file

@ -10,6 +10,12 @@
users.default.enable = true;
containers = {
forgejo.enable = true;
nginx.enable = true;
vaultwarden.enable = true;
};
base = {
nix.enable = true;
locale.enable = true;

1
modules/containers/default.nix
View file

@ -2,6 +2,7 @@
imports = [
./nginx.nix
./forgejo.nix
./vaultwarden.nix
];
config = {

32
modules/containers/forgejo.nix
View file

@ -6,25 +6,35 @@
pkgs,
...
}: let
inherit (lib) mkEnableOption mkIf;
inherit (lib) types mkOption mkEnableOption mkIf;
cfg = config.horseman.containers.forgejo;
username = config.horseman.username;
HTTP_PORT = 3000;
SSH_PORT = 34916;
INSTANCE_URL = "http://local.git.server:3000";
DATA_DIR = "/home/${username}/backups/volumes/forgejo";
BACKUP_FILE = "/home/${username}/backups/forgejo.tar";
in {
options = {
horseman.containers.forgejo = {
enable = mkEnableOption "forgejo containers";
port = mkOption {
default = 3000;
type = types.int;
};
sshPort = mkOption {
default = 34916;
type = types.int;
};
url = mkOption {
default = "https://git.koendev.nl";
type = types.str;
};
};
};
config = mkIf cfg.enable {
networking.extraHosts = "192.168.100.3 local.git.server";
systemd.timers."backup-forgejo" = {
wantedBy = ["timers.target"];
timerConfig = {
@ -36,7 +46,7 @@ in {
environment.systemPackages = [pkgs.gnutar];
systemd.services."backup-forgejo" = {
script = ''
${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR}
${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR}
'';
serviceConfig = {
User = "root";
@ -123,9 +133,9 @@ in {
settings = {
server = {
HTTP_PORT = HTTP_PORT;
SSH_PORT = SSH_PORT;
ROOT_URL = INSTANCE_URL;
HTTP_PORT = cfg.port;
SSH_PORT = cfg.sshPort;
ROOT_URL = cfg.url;
};
session = {
COOKIE_SECURE = false; # TODO Set to true
@ -148,7 +158,7 @@ in {
networking = {
firewall = {
enable = true;
allowedTCPPorts = [HTTP_PORT SSH_PORT];
allowedTCPPorts = [cfg.port cfg.sshPort];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686

13
modules/containers/nginx.nix
View file

@ -8,6 +8,7 @@
}: let
inherit (lib) mkEnableOption mkIf mkOption types;
cfg = config.horseman.containers.nginx;
osConfig = config;
in {
options = {
horseman.containers.nginx = {
@ -16,7 +17,7 @@ in {
};
config = mkIf cfg.enable {
networking.extraHosts = "192.168.100.1 koendev.nl *.koendev.nl";
networking.extraHosts = "192.168.100.1 koendevLocal.nl git.koendevLocal.nl vault.koendevLocal.nl";
containers.nginx = {
autoStart = true;
@ -41,15 +42,19 @@ in {
enable = true;
virtualHosts = {
"koendev.nl" = {
"koendevLocal.nl" = {
# addSSL = false;
# enableACME = false;
root = "/var/www/portfolio";
default = true;
extraConfig = ''
error_page 404 /404.html;
'';
};
"vault.koendev.nl" = {
"git.koendevLocal.nl" = {
locations."/" = {
proxyPass = "http://172.16.0.2";
proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}";
};
};
};

103
modules/containers/vaultwarden.nix Normal file
View file

@ -0,0 +1,103 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: let
inherit (lib) types mkOption mkEnableOption mkIf;
cfg = config.horseman.containers.vaultwarden;
username = config.horseman.username;
DATA_DIR = "/home/${username}/backups/volumes/vaultwarden";
BACKUP_FILE = "/home/${username}/backups/vaultwarden.tar";
in {
options = {
horseman.containers.vaultwarden = {
enable = mkEnableOption "forgejo containers";
port = mkOption {
default = 3000;
type = types.int;
};
url = mkOption {
default = "https://vault.koendev.nl";
type = types.str;
};
};
};
config = mkIf cfg.enable {
systemd.timers."backup-vaultwarden" = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
environment.systemPackages = [pkgs.gnutar];
systemd.services."backup-vaultwarden" = {
script = ''
${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR}
'';
serviceConfig = {
User = "root";
};
};
containers.vaultwarden = {
autoStart = true;
privateNetwork = true;
hostAddress = "172.16.0.4";
localAddress = "192.168.100.4";
bindMounts = {
"/var/lib/vaultwarden" = {
hostPath = DATA_DIR;
isReadOnly = false;
}; # TODO set correct
};
config = {
config,
pkgs,
...
}: {
environment.variables = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = toString cfg.port;
WEB_VAULT_ENABLED = "false";
};
services.vaultwarden = {
enable = true;
backupDir = "/var/local/vaultwarden/backup";
# in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
# be aware that this file must be created by hand (or via secrets management like sops)
environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
config = {
DOMAIN = cfg.url;
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = cfg.port;
ROCKET_LOG = "critical";
};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [cfg.port];
};
useHostResolvConf = lib.mkForce false;
};
system.stateVersion = "23.11";
};
};
};
}