From 4c66c514a326b98f0cd7c85555b1987d84ff810b Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Tue, 10 Feb 2026 01:04:47 +0100 Subject: [PATCH] runs on prod now :) --- machines/solis/modules.nix | 13 +++- modules/containers/default.nix | 20 +++-- modules/containers/forgejo.nix | 12 +-- modules/containers/nginx.nix | 117 ++++++++++++----------------- modules/containers/vaultwarden.nix | 8 +- 5 files changed, 83 insertions(+), 87 deletions(-) diff --git a/machines/solis/modules.nix b/machines/solis/modules.nix index 0c9e32e..2eef00c 100644 --- a/machines/solis/modules.nix +++ b/machines/solis/modules.nix @@ -1,4 +1,6 @@ -{...}: { +{config, ...}: let + username = config.horseman.username; +in { imports = [ ../../modules ]; @@ -6,6 +8,15 @@ config.horseman = { users.default.enable = true; + containers = { + enable = true; + backupDir = "/home/${username}/backups"; + + nginx.enable = true; + vaultwarden.enable = true; + forgejo.enable = true; + }; + base = { nix.enable = true; locale.enable = true; diff --git a/modules/containers/default.nix b/modules/containers/default.nix index 841dcdb..4bc2f02 100644 --- a/modules/containers/default.nix +++ b/modules/containers/default.nix @@ -1,5 +1,10 @@ -{lib, ...}: let - inherit (lib) mkOption types; +{ + config, + lib, + ... +}: let + inherit (lib) mkIf mkEnableOption mkOption types; + cfg = config.horseman.containers; in { imports = [ ./nginx.nix @@ -8,17 +13,20 @@ in { ]; options = { - backupDir = mkOption { - type = types.str; + horseman.containers = { + enable = mkEnableOption "Containers"; + backupDir = mkOption { + type = types.str; + }; }; }; - config = { + config = mkIf cfg.enable { networking.nat = { enable = true; # Use "ve-*" when using nftables instead of iptables internalInterfaces = ["ve-+"]; - externalInterface = "eno1"; + externalInterface = "enp2s0"; # Lazy IPv6 connectivity for the container enableIPv6 = true; }; 
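Review bot: `backupDir = "/home/${username}/backups";` puts the container backups inside an interactive user's home directory, whose mode this module does not control; if those backups hold the Vaultwarden or Forgejo state (not visible from this hunk), the directory should be created with a restrictive mode rather than whatever the home directory inherits, e.g. `systemd.tmpfiles.rules = [ "d /home/${username}/backups 0700 ${username} - -" ];`. A short comment above the `containers` block naming which unit writes into backupDir would also help the next reader, since nothing in this file shows the consumer. The enclosing `config.horseman = {` set closes outside the hunk.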
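Review bot: `externalInterface = "enp2s0";` hard-codes a machine-specific NIC name in a shared module (this commit already had to change it from `eno1`), so the NAT setup silently stops forwarding on any host whose interface is named differently; it fits better as an option beside `backupDir`, e.g. `externalInterface = mkOption { type = types.str; description = "Host interface that NATs container traffic"; };` with `externalInterface = cfg.externalInterface;` in the config. `backupDir` is declared without a `description`; a one-line description stating what is stored there and who creates the path would make the option self-explanatory. The `config = mkIf cfg.enable {` block continues outside the hunk.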
diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix index f8e7a8e..20801d9 100644 --- a/modules/containers/forgejo.nix +++ b/modules/containers/forgejo.nix @@ -57,8 +57,8 @@ in { containers.forgejoRunner = { autoStart = true; privateNetwork = true; - hostAddress = "172.16.0.2"; - localAddress = "192.168.100.2"; + hostAddress = "172.168.100.2"; + localAddress = "192.168.100.102"; bindMounts = { "/var/lib/secrets" = { @@ -91,7 +91,7 @@ in { systemd.services.startup = { script = '' cd ${config.users.users.runner.home} - ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner + ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance ${cfg.url} --secret $(cat /var/lib/secrets/secret) --name runner sleep 10 ${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile} ''; @@ -106,8 +106,8 @@ in { containers.forgejo = { autoStart = true; privateNetwork = true; - hostAddress = "172.16.0.3"; - localAddress = "192.168.100.3"; + hostAddress = "192.168.100.3"; + localAddress = "192.168.100.103"; bindMounts = { "/var/lib/forgejo" = { @@ -139,7 +139,7 @@ in { ROOT_URL = cfg.url; }; session = { - COOKIE_SECURE = false; # TODO Set to true + COOKIE_SECURE = true; }; service = { DISABLE_REGISTRATION = true; diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index 4687eb8..6b0cc6d 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -8,7 +8,6 @@ }: let inherit (lib) mkEnableOption mkIf mkOption types; cfg = config.horseman.containers.nginx; - osConfig = config; in { options = { horseman.containers.nginx = { 
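Review bot: `hostAddress = "172.168.100.2";` looks like a typo for `192.168.100.2`: the forgejo container (third hunk of this file) and the vaultwarden container (vaultwarden.nix) both moved their host-side addresses to `192.168.100.N`, and 172.168.0.0/16 is not RFC 1918 space, so the host would configure a publicly routable address on the runner's veth. Suggested change: `hostAddress = "192.168.100.2";`. The `containers.forgejoRunner` set continues outside the hunk.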
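Review bot: the rewritten `create-runner-file` line still passes the registration secret as `--secret $(cat /var/lib/secrets/secret)`, which exposes it in the process's command line for the duration of the call; if forgejo-runner can take the secret from a file or an environment variable (check its documentation for the installed version), prefer that over an argument. The fixed `sleep 10` between registration and `daemon` is a timing guess rather than a readiness check; a comment such as `# give the instance at ${cfg.url} time to accept the runner before starting the daemon` would at least record the intent. `systemd.services.startup` continues outside the hunk.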
@@ -22,80 +21,58 @@ in { }; config = mkIf cfg.enable { - containers.nginx = { - autoStart = true; - privateNetwork = true; - hostAddress = "172.16.0.1"; - localAddress = "192.168.100.1"; + security.acme = { + acceptTerms = true; + defaults.email = "koen.de.ruiter@hotmail.com"; + }; - bindMounts = { - "/var/www/portfolio" = { - hostPath = "/var/www/portfolio"; - isReadOnly = true; + services.fail2ban.enable = true; + services.nginx = { + enable = true; + + virtualHosts = { + "${cfg.domain}" = { + forceSSL = true; + enableACME = true; + + root = "/var/www/portfolio"; + default = true; + extraConfig = '' + error_page 404 /404.html; + ''; }; - "/var/www/public" = { - hostPath = "/var/www/public"; - isReadOnly = true; + + "public.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + + root = "/var/www/public"; + }; + + "git.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://${config.containers.forgejo.localAddress}:${toString config.horseman.containers.forgejo.port}"; + }; + }; + + "vault.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://${config.containers.vaultwarden.localAddress}:${toString config.horseman.containers.vaultwarden.port}"; + }; }; }; + }; - config = { - config, - pkgs, - lib, - ... 
- }: { - services.nginx = { - enable = true; - - virtualHosts = { - "${cfg.domain}" = { - forceSSL = true; - enableACME = true; - - root = "/var/www/portfolio"; - default = true; - extraConfig = '' - error_page 404 /404.html; - ''; - }; - - "public.${cfg.domain}" = { - forceSSL = true; - enableACME = true; - - root = "/var/www/public"; - }; - - "git.${cfg.domain}" = { - forceSSL = true; - enableACME = true; - - locations."/" = { - proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}"; - }; - }; - - "vault.${cfg.domain}" = { - forceSSL = true; - enableACME = true; - - locations."/" = { - proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}"; - }; - }; - }; - }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [80 443]; - }; - useHostResolvConf = lib.mkForce false; - }; - services.resolved.enable = true; - system.stateVersion = "23.11"; + networking = { + firewall = { + enable = true; + allowedTCPPorts = [80 443]; }; }; }; diff --git a/modules/containers/vaultwarden.nix b/modules/containers/vaultwarden.nix index 6d748dc..02707c3 100644 --- a/modules/containers/vaultwarden.nix +++ b/modules/containers/vaultwarden.nix @@ -52,14 +52,14 @@ in { containers.vaultwarden = { autoStart = true; privateNetwork = true; - hostAddress = "172.16.0.4"; - localAddress = "192.168.100.4"; + hostAddress = "192.168.100.4"; + localAddress = "192.168.100.104"; bindMounts = { - "/var/lib/vaultwarden" = { + "/var/lib/bitwarden_rs" = { hostPath = DATA_DIR; isReadOnly = false; - }; # TODO set correct + }; }; config = {