From 2de1a62d2f8a63ad15c69e34613b5823950dea6f Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Tue, 23 Dec 2025 19:46:22 +0100 Subject: [PATCH 01/12] init --- machines/terra/modules.nix | 5 ++ modules/containers/default.nix | 17 ++++ modules/containers/forgejo.nix | 153 +++++++++++++++++++++++++++++++++ modules/containers/nginx.nix | 70 +++++++++++++++ modules/default.nix | 1 + 5 files changed, 246 insertions(+) create mode 100644 modules/containers/default.nix create mode 100644 modules/containers/forgejo.nix create mode 100644 modules/containers/nginx.nix diff --git a/machines/terra/modules.nix b/machines/terra/modules.nix index 52cae86..5746d0b 100644 --- a/machines/terra/modules.nix +++ b/machines/terra/modules.nix @@ -8,6 +8,11 @@ users.default.enable = true; + containers = { + nginx.enable = true; + forgejo.enable = true; + }; + base = { nix.enable = true; locale.enable = true; diff --git a/modules/containers/default.nix b/modules/containers/default.nix new file mode 100644 index 0000000..9e61d5b --- /dev/null +++ b/modules/containers/default.nix @@ -0,0 +1,17 @@ +{...}: { + imports = [ + ./nginx.nix + ./forgejo.nix + ]; + + config = { + networking.nat = { + enable = true; + # Use "ve-*" when using nftables instead of iptables + internalInterfaces = ["ve-+"]; + externalInterface = "eno1"; + # Lazy IPv6 connectivity for the container + enableIPv6 = true; + }; + }; +} diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix new file mode 100644 index 0000000..a54522f --- /dev/null +++ b/modules/containers/forgejo.nix 
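Review bot: `externalInterface = "eno1";` in the new `modules/containers/default.nix` hard-codes one machine's NIC name into a module that is imported by every host (terra here, artemis and solis later in the series), so the NAT silently masquerades nothing on any machine whose uplink has a different name. Declare it as a module option, e.g. `externalInterface = mkOption { type = types.str; };` under `horseman.containers`, and set it from each `machines/*/modules.nix`. The `# Lazy IPv6 connectivity for the container` comment does not say what "lazy" means; a sentence on whether the containers actually need IPv6 NAT, or whether `enableIPv6` can stay off, would make the intent reviewable.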
@@ -0,0 +1,153 @@ +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: let + inherit (lib) mkEnableOption mkIf; + cfg = config.horseman.containers.forgejo; + username = config.horseman.username; + + HTTP_PORT = 3000; + SSH_PORT = 34916; + INSTANCE_URL = "http://local.git.server:3000"; + SECRET = "7c31591e8b67225a116d4a4519ea8e507e08f71f"; # TODO REMOVE + DATA_DIR = "/home/${username}/backups/volumes/forgejo"; + BACKUP_FILE = "/home/${username}/backups/forgejo.tar"; + +in { + options = { + horseman.containers.forgejo = { + enable = mkEnableOption "forgejo containers"; + }; + }; + + config = mkIf cfg.enable { + networking.extraHosts = "192.168.100.3 local.git.server"; + + + systemd.timers."backup-forgejo" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; + }; + + environment.systemPackages = [ pkgs.gnutar ]; + systemd.services."backup-forgejo" = { + script = '' + ${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR} + ''; + serviceConfig = { + User = "root"; + }; + }; + + containers.forgejoRunner = { + autoStart = true; + privateNetwork = true; + hostAddress = "172.16.0.2"; + localAddress = "192.168.100.2"; + + config = { + config, + pkgs, + ... 
+ }: let + configFile = pkgs.writeText "runner.yml" '' + runner: + labels: + - "self-hosted:host" + ''; + in { + environment.systemPackages = with pkgs; [ + forgejo-runner + ]; + + users.groups.runner = {}; + users.users.runner = { + isNormalUser = true; + group = "runner"; + }; + + systemd.services.startup = { + script = '' + cd ${config.users.users.runner.home} + ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret ${SECRET} --name runner + sleep 10 + ${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile} + ''; + serviceConfig.User = "runner"; + wantedBy = ["multi-user.target"]; + }; + + system.stateVersion = "23.11"; + }; + }; + + containers.forgejo = { + autoStart = true; + privateNetwork = true; + hostAddress = "172.16.0.3"; + localAddress = "192.168.100.3"; + + bindMounts = { + "/var/lib/forgejo" = { + hostPath = DATA_DIR; + isReadOnly = false; + }; + }; + + config = { + config, + pkgs, + ... + }: { + environment.systemPackages = [pkgs.forgejo]; + services.forgejo = { + enable = true; + + stateDir = "/var/lib/forgejo"; + + settings = { + server = { + HTTP_PORT = HTTP_PORT; + SSH_PORT = SSH_PORT; + ROOT_URL = INSTANCE_URL; + }; + session = { + COOKIE_SECURE = false; # TODO Set to true + }; + service = { + DISABLE_REGISTRATION = true; + }; + }; + }; + + systemd.services.startup = { + script = '' + cd ${config.users.users.forgejo.home} + ${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret ${SECRET} --config ${config.services.forgejo.stateDir}/custom/conf/app.ini + ''; + serviceConfig.User = "forgejo"; + wantedBy = ["multi-user.target"]; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [HTTP_PORT SSH_PORT]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + + system.stateVersion = "23.11"; + }; + }; + }; +} 
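Review bot: The literal `SECRET = "…"; # TODO REMOVE` near the top of `modules/containers/forgejo.nix` is a runner registration token committed to git, and because it is interpolated into both `systemd.services.startup` scripts it is also written into the world-readable Nix store of every system built from this commit; deleting the line later does not undo either, so that token should be regenerated rather than just moved. Passing it as `--secret …` on the command line additionally exposes it to any process in the container via `/proc/*/cmdline`, so when it is moved out of the file prefer a path the tool reads itself (config file or environment) over argv substitution. Separately, `${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR}` in `backup-forgejo` expands to the package directory, not an executable; it needs `${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR}`. `COOKIE_SECURE = false; # TODO Set to true` is fine for a plain-http local instance but should be tied to whether `INSTANCE_URL` is https rather than left as a TODO.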
diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix new file mode 100644 index 0000000..87be28c --- /dev/null +++ b/modules/containers/nginx.nix @@ -0,0 +1,70 @@ +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: let + inherit (lib) mkEnableOption mkIf mkOption types; + cfg = config.horseman.containers.nginx; +in { + options = { + horseman.containers.nginx = { + enable = mkEnableOption "nginx container"; + }; + }; + + config = mkIf cfg.enable { + networking.extraHosts = "192.168.100.1 koendev.nl *.koendev.nl"; + + containers.nginx = { + autoStart = true; + privateNetwork = true; + hostAddress = "172.16.0.1"; + localAddress = "192.168.100.1"; + + bindMounts = { + "/var/www/portfolio" = { + hostPath = "/home/horseman/Programming/portfolio/_site"; + isReadOnly = true; + }; + }; + + config = { + config, + pkgs, + lib, + ... + }: { + services.nginx = { + enable = true; + + virtualHosts = { + "koendev.nl" = { + # addSSL = false; + # enableACME = false; + root = "/var/www/portfolio"; + }; + + "vault.koendev.nl" = { + locations."/" = { + proxyPass = "http://172.16.0.2"; + }; + }; + }; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [80]; + }; + useHostResolvConf = lib.mkForce false; + }; + services.resolved.enable = true; + system.stateVersion = "23.11"; + }; + }; + }; +} diff --git a/modules/default.nix b/modules/default.nix index 7b85bd5..2c57013 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -12,6 +12,7 @@ in { ./base ./boot ./catppuccin + ./containers ./hardware ./network ./timers From f1b3559434215deb96b867217933769c1defc833 Mon Sep 17 00:00:00 2001 
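Review bot: `networking.extraHosts = "192.168.100.1 koendev.nl *.koendev.nl";` will not do what the glob suggests: `/etc/hosts` has no wildcard support, so `vault.koendev.nl` only resolves if listed explicitly, e.g. `192.168.100.1 koendev.nl vault.koendev.nl`. In the same file the `vault.koendev.nl` vhost proxies to `http://172.16.0.2`, which in this commit is the `hostAddress` of `containers.forgejoRunner`, not a vault service; nothing listens there, so the vhost returns 502 until a real upstream exists. Both hosts are served over plain HTTP on port 80 only, which is acceptable for a LAN-only test but not for a vault endpoint once it is exposed.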
From: KoenDR06
Date: Thu, 25 Dec 2025 13:11:54 +0100
Subject: [PATCH 02/12] Foregejo containers fully operational

---
 modules/base/secrets.nix | 31 ++++++++++++++++-----------
 modules/containers/forgejo.nix | 23 ++++++++++++++------
 secrets.nix | 1 +
 secrets/containers/forgejo-secret.age | 19 ++++++++++++++++
 4 files changed, 55 insertions(+), 19 deletions(-)
 create mode 100644 secrets/containers/forgejo-secret.age

diff --git a/modules/base/secrets.nix b/modules/base/secrets.nix
index 6699d79..429d96e 100644
--- a/modules/base/secrets.nix
+++ b/modules/base/secrets.nix
@@ -6,7 +6,7 @@
 }: let
 inherit (lib) mkEnableOption mkIf;
 cfg = config.horseman.base.secrets;
- secretFile = path: ../../secrets/${path};
+ secretFile = path: ../../secrets/${path}.age;
 username = config.horseman.username;
 in {
 options = {
@@ -19,38 +19,45 @@ in { environment.systemPackages = [pkgs.ragenix]; age.secrets = { - wifi.file = secretFile "wifi.age"; + wifi.file = secretFile "wifi"; personalSSHpub = { - file = secretFile "ssh/id_personal.pub.age"; + file = secretFile "ssh/id_personal.pub"; owner = username; group = "users"; - path = "/home/horseman/.ssh/id_ed25519.pub"; + path = "/home/${username}/.ssh/id_ed25519.pub"; }; personalSSH = { - file = secretFile "ssh/id_personal.age"; + file = secretFile "ssh/id_personal"; owner = username; group = "users"; - path = "/home/horseman/.ssh/id_ed25519"; + path = "/home/${username}/.ssh/id_ed25519"; }; githubSSHpub = { - file = secretFile "ssh/id_github.pub.age"; + file = secretFile "ssh/id_github.pub"; owner = username; group = "users"; - path = "/home/horseman/.ssh/id_github.pub"; + path = "/home/${username}/.ssh/id_github.pub"; }; githubSSH = { - file = secretFile "ssh/id_github.age"; + file = secretFile "ssh/id_github"; owner = username; group = "users"; - path = "/home/horseman/.ssh/id_github"; + path = "/home/${username}/.ssh/id_github"; }; sshConfig = { - file = secretFile "ssh/config.age"; + file = secretFile "ssh/config"; owner = username; group = "users"; - path = "/home/horseman/.ssh/config"; + path = "/home/${username}/.ssh/config"; + }; + + forgejo-secret = { + file = secretFile "containers/forgejo-secret"; + path = "/run/forgejo-secrets/secret"; + symlink = false; + mode = "444"; }; }; }; diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix index a54522f..bc7333b 100644 --- a/modules/containers/forgejo.nix +++ b/modules/containers/forgejo.nix 
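Review bot: `mode = "444";` on the new `forgejo-secret` entry makes the runner registration token at `/run/forgejo-secrets/secret` readable by every local user on the host, not only by the two containers that bind-mount it. If the `runner` and `forgejo` users inside the containers can be given fixed uids (or a shared gid) that match an `owner`/`group` on the host entry, a `440` mode would restrict it to them; if that is not practical, a one-line comment explaining why world-readable is accepted here would stop the next reader from "fixing" it blindly. The entry also has no `owner`, so it defaults to root; that is fine only in combination with the deliberate mode.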
@@ -13,10 +13,8 @@ HTTP_PORT = 3000; SSH_PORT = 34916; INSTANCE_URL = "http://local.git.server:3000"; - SECRET = "7c31591e8b67225a116d4a4519ea8e507e08f71f"; # TODO REMOVE - DATA_DIR = "/home/${username}/backups/volumes/forgejo"; + DATA_DIR = "/home/${username}/backups/volumes/forgejo"; BACKUP_FILE = "/home/${username}/backups/forgejo.tar"; - in { options = { horseman.containers.forgejo = { @@ -27,7 +25,6 @@ in { config = mkIf cfg.enable { networking.extraHosts = "192.168.100.3 local.git.server"; - systemd.timers."backup-forgejo" = { wantedBy = ["timers.target"]; timerConfig = { @@ -36,7 +33,7 @@ in { }; }; - environment.systemPackages = [ pkgs.gnutar ]; + environment.systemPackages = [pkgs.gnutar]; systemd.services."backup-forgejo" = { script = '' ${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR} @@ -52,6 +49,13 @@ in { hostAddress = "172.16.0.2"; localAddress = "192.168.100.2"; + bindMounts = { + "/var/lib/secrets" = { + hostPath = "/run/forgejo-secrets"; + isReadOnly = true; + }; + }; + config = { config, pkgs, @@ -76,7 +80,7 @@ in { systemd.services.startup = { script = '' cd ${config.users.users.runner.home} - ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret ${SECRET} --name runner + ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner sleep 10 ${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile} ''; @@ -99,6 +103,11 @@ in { hostPath = DATA_DIR; isReadOnly = false; }; + + "/var/lib/secrets" = { + hostPath = "/run/forgejo-secrets"; + isReadOnly = true; + }; }; config = { 
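Review bot: `--secret $(cat /var/lib/secrets/secret)` in the runner `startup` script (and the same pattern in the forgejo container's `startup` script in the following hunk) still places the token in the process argv, where any process in that container can read it from `/proc/<pid>/cmdline`; moving it from the Nix store to an age file fixes the at-rest exposure but not this one, so check whether `forgejo-runner` and `forgejo-cli` can take the secret from a file or environment variable instead. The literal token removed in this hunk remains in git history and in any Nix store paths built from the previous commit, so the value in the new `.age` file should be a freshly generated one, not the same string re-encrypted. Both `startup` units are `wantedBy = ["multi-user.target"]` with no condition, so registration is re-attempted on every boot; a `ConditionPathExists` on a marker file written after a successful run would make that idempotent.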
@@ -130,7 +139,7 @@ in { systemd.services.startup = { script = '' cd ${config.users.users.forgejo.home} - ${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret ${SECRET} --config ${config.services.forgejo.stateDir}/custom/conf/app.ini + ${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret $(cat /var/lib/secrets/secret) --config ${config.services.forgejo.stateDir}/custom/conf/app.ini ''; serviceConfig.User = "forgejo"; wantedBy = ["multi-user.target"]; diff --git a/secrets.nix b/secrets.nix index 52a7f5c..edb111b 100644 --- a/secrets.nix +++ b/secrets.nix @@ -17,6 +17,7 @@ let "ssh/id_github" "ssh/id_github.pub" "ssh/config" + "containers/forgejo-secret" ]; attrs = map (secret: {"secrets/${secret}.age".publicKeys = all;}) secrets; in diff --git a/secrets/containers/forgejo-secret.age b/secrets/containers/forgejo-secret.age new file mode 100644 index 0000000..ce8bab1 --- /dev/null +++ b/secrets/containers/forgejo-secret.age 
@@ -0,0 +1,19 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9tczZkdyAvNG9K +UEttaC8zNHlPVDJFT1NoOHBBKzduaThIcFR3TkdvZVF3UVFBSFhvClpLZGw0RmVp +cm1JRkNwL2RKN0lKRlEyb25YeUpjSWx0WXorNWZIa2ZHMzgKLT4gc3NoLWVkMjU1 +MTkgZ1BJZFpBIEUyeGlybExFS3dPWXZOdk41TG9GYWQzajFPeVh3MjBlcjQ2b3Bn +NkRiRXcKSzdORWN3NC9IQ2JCRTF3UVRRc1k4eW5uQ2tMZXo0UEczWk1IS3BDbEV4 +UQotPiBzc2gtZWQyNTUxOSBXeUlGekEgR0hhQitRZ2haZExXeVNlV0pBY0JkWTY0 +S05PMnNmdVh5QUUyVmhjK1psNApMVWtDR0ZUNjBHNHdUbDVEdFI3SkU3TnhtbHN4 +L3hiYnlYdmx5L2VmU3NBCi0+IHNzaC1lZDI1NTE5IGRiT2VoQSBpK2h2YlFCTk9a +Z21YZS9tQk9iUDdCQmpYNE9RK0k1SGtCbzhDdG9wVUFrCmlrNjBRQk9lWHVRRHVJ +dnFsSmJsTmNnaFA3MUorYkFGTklkWk94TUk3dHMKLT4gc3NoLWVkMjU1MTkgdHYv +Q3pnIGRUb21iKzlKY3hzcUhqaEZlK2EraEFQTmN0Nm5SZ05jdG1ia0xlN2NoelkK +d0R5Z0sxa0VDMy9aUTFJSS9jRmdDOGk5ZWVVVjIwdzJ4MUI3clR2bVE5SQotPiBi +NlJDOTpCWS1ncmVhc2UKR25PbzYrN2JsTXZwbXV5Z0NuUTZ0b2dTdU11Rlh6cmFL +cDlVOUUxNFd3VWg2V1ltU1N5dXZBWVM5UGI4d3cKLS0tIC9qQ0ZZUnVQRkc5dHRX +L0xpOTFxRk4xdTRCdUEwclU1dzB5RkVZbFRVZlUKhXXapogUWYhZ+Baie7Alcv7Z +hnMTGD+Wti8VhvHOmwS+z66mpbidJdNwcoiGOpeCfIJyKbQehQrzsI0wWbqjyA50 +PKWqT6dq3w== +-----END AGE ENCRYPTED FILE----- From 02eb92a4438ec1b1e695e8e9a33c925d54f89a16 Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Mon, 29 Dec 2025 01:45:04 +0100 Subject: [PATCH 03/12] forgejo works now but vaultwarden is fucky --- machines/artemis/modules.nix | 6 ++ modules/containers/default.nix | 1 + modules/containers/forgejo.nix | 32 ++++++--- modules/containers/nginx.nix | 13 ++-- modules/containers/vaultwarden.nix | 103 +++++++++++++++++++++++++++++ 5 files changed, 140 insertions(+), 15 deletions(-) create mode 100644 modules/containers/vaultwarden.nix diff --git a/machines/artemis/modules.nix b/machines/artemis/modules.nix index 843dc8b..8fa0ec1 100644 --- a/machines/artemis/modules.nix +++ b/machines/artemis/modules.nix 
@@ -10,6 +10,12 @@ users.default.enable = true; + containers = { + forgejo.enable = true; + nginx.enable = true; + vaultwarden.enable = true; + }; + base = { nix.enable = true; locale.enable = true; diff --git a/modules/containers/default.nix b/modules/containers/default.nix index 9e61d5b..e3c6178 100644 --- a/modules/containers/default.nix +++ b/modules/containers/default.nix @@ -2,6 +2,7 @@ imports = [ ./nginx.nix ./forgejo.nix + ./vaultwarden.nix ]; config = { diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix index bc7333b..38bfcec 100644 --- a/modules/containers/forgejo.nix +++ b/modules/containers/forgejo.nix @@ -6,25 +6,35 @@ pkgs, ... }: let - inherit (lib) mkEnableOption mkIf; + inherit (lib) types mkOption mkEnableOption mkIf; cfg = config.horseman.containers.forgejo; username = config.horseman.username; - HTTP_PORT = 3000; - SSH_PORT = 34916; - INSTANCE_URL = "http://local.git.server:3000"; DATA_DIR = "/home/${username}/backups/volumes/forgejo"; BACKUP_FILE = "/home/${username}/backups/forgejo.tar"; in { options = { horseman.containers.forgejo = { enable = mkEnableOption "forgejo containers"; + + port = mkOption { + default = 3000; + type = types.int; + }; + + sshPort = mkOption { + default = 34916; + type = types.int; + }; + + url = mkOption { + default = "https://git.koendev.nl"; + type = types.str; + }; }; }; config = mkIf cfg.enable { - networking.extraHosts = "192.168.100.3 local.git.server"; - systemd.timers."backup-forgejo" = { wantedBy = ["timers.target"]; timerConfig = { @@ -36,7 +46,7 @@ in { environment.systemPackages = [pkgs.gnutar]; systemd.services."backup-forgejo" = { script = '' - ${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR} + ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR} ''; serviceConfig = { User = "root"; 
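Review bot: The new `port` and `sshPort` options use `type = types.int;`, which accepts negative and out-of-range values; `types.port` exists for exactly this and also documents the intent. None of the three new options carries a `description`, so `nixos-option` and generated docs show nothing for them; e.g. `url = mkOption { type = types.str; default = "https://git.koendev.nl"; description = "Public ROOT_URL of the Forgejo instance."; };`. The same applies to the `port`/`url` options added for vaultwarden in this series and the nginx `domain` option later on. Note also that the `url` default is https while the instance itself is still served over http in this commit, so the TODO on `COOKIE_SECURE` becomes more pressing once this default is used.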
@@ -123,9 +133,9 @@ in { settings = { server = { - HTTP_PORT = HTTP_PORT; - SSH_PORT = SSH_PORT; - ROOT_URL = INSTANCE_URL; + HTTP_PORT = cfg.port; + SSH_PORT = cfg.sshPort; + ROOT_URL = cfg.url; }; session = { COOKIE_SECURE = false; # TODO Set to true @@ -148,7 +158,7 @@ in { networking = { firewall = { enable = true; - allowedTCPPorts = [HTTP_PORT SSH_PORT]; + allowedTCPPorts = [cfg.port cfg.sshPort]; }; # Use systemd-resolved inside the container # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index 87be28c..5b24f35 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -8,6 +8,7 @@ }: let inherit (lib) mkEnableOption mkIf mkOption types; cfg = config.horseman.containers.nginx; + osConfig = config; in { options = { horseman.containers.nginx = { @@ -16,7 +17,7 @@ in { }; config = mkIf cfg.enable { - networking.extraHosts = "192.168.100.1 koendev.nl *.koendev.nl"; + networking.extraHosts = "192.168.100.1 koendevLocal.nl git.koendevLocal.nl vault.koendevLocal.nl"; containers.nginx = { autoStart = true; @@ -41,15 +42,19 @@ in { enable = true; virtualHosts = { - "koendev.nl" = { + "koendevLocal.nl" = { # addSSL = false; # enableACME = false; root = "/var/www/portfolio"; + default = true; + extraConfig = '' + error_page 404 /404.html; + ''; }; - "vault.koendev.nl" = { + "git.koendevLocal.nl" = { locations."/" = { - proxyPass = "http://172.16.0.2"; + proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}"; }; }; }; diff --git a/modules/containers/vaultwarden.nix b/modules/containers/vaultwarden.nix new file mode 100644 index 0000000..5d05a9f --- /dev/null +++ b/modules/containers/vaultwarden.nix 
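Review bot: The `git.koendevLocal.nl` vhost proxies to Forgejo with a bare `proxyPass` and the container's `services.nginx` does not set `recommendedProxySettings = true;`, so Forgejo receives no `X-Forwarded-For`/`X-Forwarded-Proto`/`Host` headers, sees every client as 192.168.100.1, and cannot tell whether the outer connection was TLS. Forgejo builds absolute links from `ROOT_URL = cfg.url;` (default `https://git.koendev.nl`) while this vhost answers on `git.koendevLocal.nl` over http, so redirects and clone URLs will point at a different host than the one the user typed; either the option default or the vhost name should agree. If the function `config = { config, pkgs, ... }:` for the nginx container starts outside this hunk, the `recommendedProxySettings` line belongs next to `enable = true;` there.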
@@ -0,0 +1,103 @@ +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: let + inherit (lib) types mkOption mkEnableOption mkIf; + cfg = config.horseman.containers.vaultwarden; + username = config.horseman.username; + + DATA_DIR = "/home/${username}/backups/volumes/vaultwarden"; + BACKUP_FILE = "/home/${username}/backups/vaultwarden.tar"; +in { + options = { + horseman.containers.vaultwarden = { + enable = mkEnableOption "forgejo containers"; + + port = mkOption { + default = 3000; + type = types.int; + }; + + url = mkOption { + default = "https://vault.koendev.nl"; + type = types.str; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.timers."backup-vaultwarden" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; + }; + + environment.systemPackages = [pkgs.gnutar]; + systemd.services."backup-vaultwarden" = { + script = '' + ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR} + ''; + serviceConfig = { + User = "root"; + }; + }; + + containers.vaultwarden = { + autoStart = true; + privateNetwork = true; + hostAddress = "172.16.0.4"; + localAddress = "192.168.100.4"; + + bindMounts = { + "/var/lib/vaultwarden" = { + hostPath = DATA_DIR; + isReadOnly = false; + }; # TODO set correct + }; + + config = { + config, + pkgs, + ... 
+ }: { + environment.variables = { + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = toString cfg.port; + WEB_VAULT_ENABLED = "false"; + }; + + services.vaultwarden = { + enable = true; + backupDir = "/var/local/vaultwarden/backup"; + # in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file + # be aware that this file must be created by hand (or via secrets management like sops) + environmentFile = "/var/lib/vaultwarden/vaultwarden.env"; + config = { + DOMAIN = cfg.url; + SIGNUPS_ALLOWED = false; + + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = cfg.port; + ROCKET_LOG = "critical"; + }; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [cfg.port]; + }; + useHostResolvConf = lib.mkForce false; + }; + + system.stateVersion = "23.11"; + }; + }; + }; +} From 423bfff09d88b616b091d891941a3a46812b6696 Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Fri, 2 Jan 2026 23:09:16 +0100 Subject: [PATCH 04/12] idk --- machines/terra/modules.nix | 1 + modules/containers/nginx.nix | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/machines/terra/modules.nix b/machines/terra/modules.nix index 5746d0b..e1e69f7 100644 --- a/machines/terra/modules.nix +++ b/machines/terra/modules.nix @@ -11,6 +11,7 @@ containers = { nginx.enable = true; forgejo.enable = true; + vaultwarden.enable = true; }; base = { diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index 5b24f35..ad209dc 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -57,6 +57,12 @@ in { proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}"; }; }; + + "vault.koendevLocal.nl" = { + locations."/" = { + proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}"; + }; + }; }; }; From 7019a808835a07cd38e810dbeb3d0c0e51528bd5 Mon Sep 17 00:00:00 2001 
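Review bot: `ROCKET_ADDRESS = "127.0.0.1";` inside the vaultwarden container binds the service to the container's loopback, but the nginx container (patch 04 hunk in the same file section) proxies to `osConfig.containers.vaultwarden.localAddress`, so every request to `vault.koendevLocal.nl` is refused; it has to listen on the veth address or `0.0.0.0` for the proxy to reach it. `environmentFile = "/var/lib/vaultwarden/vaultwarden.env"` lives on the bind mount that `backup-vaultwarden` tars daily, so if that file holds `ADMIN_TOKEN` (as the comment above it suggests) the token is copied into every backup archive; keep it outside `DATA_DIR` or on the age-managed path already used for the forgejo secret. The `environment.variables` block duplicates the `services.vaultwarden.config` values and, being a system-wide profile setting, most likely has no effect on the systemd unit at all; dropping it removes the risk of the two drifting apart.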
From: KoenDR06 Date: Mon, 9 Feb 2026 13:09:23 +0100 Subject: [PATCH 05/12] finally works --- modules/containers/nginx.nix | 18 +++++++++++++++++- modules/containers/vaultwarden.nix | 21 ++++++--------------- 2 files changed, 23 insertions(+), 16 deletions(-) diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index ad209dc..6fb29c6 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -50,18 +50,34 @@ in { extraConfig = '' error_page 404 /404.html; ''; + + addSSL = true; + sslCertificate = "/var/www/portfolio/cert.pem"; + sslCertificateKey = "/var/www/portfolio/key.pem"; }; "git.koendevLocal.nl" = { + # addSSL = false; + # enableACME = false; locations."/" = { proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}"; }; + + addSSL = true; + sslCertificate = "/var/www/portfolio/cert.pem"; + sslCertificateKey = "/var/www/portfolio/key.pem"; }; "vault.koendevLocal.nl" = { + # addSSL = false; + # enableACME = false; locations."/" = { proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}"; }; + + forceSSL = true; + sslCertificate = "/var/www/portfolio/cert.pem"; + sslCertificateKey = "/var/www/portfolio/key.pem"; }; }; }; @@ -69,7 +85,7 @@ in { networking = { firewall = { enable = true; - allowedTCPPorts = [80]; + allowedTCPPorts = [80 443]; }; useHostResolvConf = lib.mkForce false; }; diff --git a/modules/containers/vaultwarden.nix b/modules/containers/vaultwarden.nix index 5d05a9f..2d5963b 100644 --- a/modules/containers/vaultwarden.nix +++ b/modules/containers/vaultwarden.nix @@ -15,7 +15,7 @@ in { options = { horseman.containers.vaultwarden = { - enable = mkEnableOption "forgejo containers"; + enable = mkEnableOption "Password manager"; port = mkOption { default = 3000; 
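Review bot: `sslCertificateKey = "/var/www/portfolio/key.pem";` places the TLS private key inside the directory that the `koendevLocal.nl` vhost serves as `root = "/var/www/portfolio";`, so the key (and `cert.pem`) is downloadable as `https://koendevLocal.nl/key.pem`; the `default = true` on that vhost means any hostname reaching the container gets it too. Move both files out of every web root, e.g. a dedicated read-only bind mount such as `/var/lib/nginx-tls` with the key `0400` root-owned, and point all three vhosts at that path. The `public.koendevLocal.nl` vhost added in the next commit reuses the same two paths and has the same problem. A key that has been exposed under a web root should be treated as compromised and re-issued, even though patch 07 later switches to ACME.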
@@ -66,25 +66,16 @@ in { pkgs, ... }: { - environment.variables = { - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = toString cfg.port; - WEB_VAULT_ENABLED = "false"; - }; + environment.systemPackages = with pkgs; [ + vaultwarden.webvault + ]; services.vaultwarden = { enable = true; - backupDir = "/var/local/vaultwarden/backup"; - # in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file - # be aware that this file must be created by hand (or via secrets management like sops) - environmentFile = "/var/lib/vaultwarden/vaultwarden.env"; config = { - DOMAIN = cfg.url; - SIGNUPS_ALLOWED = false; - - ROCKET_ADDRESS = "127.0.0.1"; ROCKET_PORT = cfg.port; - ROCKET_LOG = "critical"; + ROCKET_ADDRESS = "0.0.0.0"; + WEB_VAULT_FOLDER = "${pkgs.vaultwarden.webvault}/share/vaultwarden/vault"; }; }; From c340cf4ff3f84672aaba615c9a9fa102d9e395af Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Mon, 9 Feb 2026 13:19:41 +0100 Subject: [PATCH 06/12] add public server --- modules/containers/nginx.nix | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index 6fb29c6..e101640 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -17,7 +17,7 @@ in { }; config = mkIf cfg.enable { - networking.extraHosts = "192.168.100.1 koendevLocal.nl git.koendevLocal.nl vault.koendevLocal.nl"; + networking.extraHosts = "192.168.100.1 koendevLocal.nl public.koendevLocal.nl git.koendevLocal.nl vault.koendevLocal.nl"; containers.nginx = { autoStart = true; @@ -30,6 +30,10 @@ in { hostPath = "/home/horseman/Programming/portfolio/_site"; isReadOnly = true; }; + "/var/www/public" = { + hostPath = "/home/horseman/Public"; + isReadOnly = true; + }; }; config = { 
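Review bot: Removing `SIGNUPS_ALLOWED = false;` from `services.vaultwarden.config` reverts to Vaultwarden's default of open registration, so once this vault is reachable through the `vault.*` vhost anyone can create an account on it; that line should come back, with `SIGNUPS_ALLOWED = false;` next to `ROCKET_PORT`. `DOMAIN = cfg.url;` is also dropped, leaving the `url` option unused and Vaultwarden without the origin it needs for WebAuthn and for links it generates. `ROCKET_ADDRESS = "0.0.0.0"` is the right fix for the proxy, but combined with `allowedTCPPorts = [cfg.port]` it now answers plain HTTP on the veth to anything on the host; that is acceptable only because the container network is private, which deserves a comment.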
@@ -56,6 +60,14 @@ in { sslCertificateKey = "/var/www/portfolio/key.pem"; }; + "public.koendevLocal.nl" = { + root = "/var/www/public"; + + addSSL = true; + sslCertificate = "/var/www/portfolio/cert.pem"; + sslCertificateKey = "/var/www/portfolio/key.pem"; + }; + "git.koendevLocal.nl" = { # addSSL = false; # enableACME = false; From a6bff8a4676d9c4bd0be5c18aa8e1106daa7d9d1 Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Mon, 9 Feb 2026 13:45:20 +0100 Subject: [PATCH 07/12] gonna deploy now --- modules/containers/default.nix | 10 ++++- modules/containers/forgejo.nix | 5 ++- modules/containers/nginx.nix | 53 ++++++++++++--------------- modules/containers/vaultwarden.nix | 5 ++- secrets/containers/forgejo-secret.age | 33 ++++++++--------- 5 files changed, 54 insertions(+), 52 deletions(-) diff --git a/modules/containers/default.nix b/modules/containers/default.nix index e3c6178..841dcdb 100644 --- a/modules/containers/default.nix +++ b/modules/containers/default.nix @@ -1,10 +1,18 @@ -{...}: { +{lib, ...}: let + inherit (lib) mkOption types; +in { imports = [ ./nginx.nix ./forgejo.nix ./vaultwarden.nix ]; + options = { + backupDir = mkOption { + type = types.str; + }; + }; + config = { networking.nat = { enable = true; diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix index 38bfcec..f8e7a8e 100644 --- a/modules/containers/forgejo.nix +++ b/modules/containers/forgejo.nix @@ -10,8 +10,8 @@ cfg = config.horseman.containers.forgejo; username = config.horseman.username; + BACKUP_DIR = config.horseman.containers.backupDir; DATA_DIR = "/home/${username}/backups/volumes/forgejo"; - BACKUP_FILE = "/home/${username}/backups/forgejo.tar"; in { options = { horseman.containers.forgejo = { 
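Review bot: `modules/containers/default.nix` declares the new option as top-level `backupDir`, but the forgejo hunk in this commit reads `BACKUP_DIR = config.horseman.containers.backupDir;` (and the vaultwarden hunk does the same), so evaluation fails on the missing `horseman.containers.backupDir` attribute and, once fixed, a bare top-level `backupDir` would still pollute the global option namespace. Declare it under the module's own prefix, `options.horseman.containers.backupDir = mkOption { type = types.str; description = "Host directory that receives the daily container backup archives."; };`. A `types.path` or at least a `description` would also tell users that this must be an absolute host path, since the backup scripts `cd` into it as root.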
@@ -46,7 +46,8 @@ in { environment.systemPackages = [pkgs.gnutar]; systemd.services."backup-forgejo" = { script = '' - ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR} + cd ${BACKUP_DIR} + ${pkgs.gnutar}/bin/tar -cf forgejo-$(date +'%Y-%m-%d').tar ${DATA_DIR} ''; serviceConfig = { User = "root"; diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index e101640..4687eb8 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -13,12 +13,15 @@ in { options = { horseman.containers.nginx = { enable = mkEnableOption "nginx container"; + + domain = mkOption { + type = types.str; + default = "koendev.nl"; + }; }; }; config = mkIf cfg.enable { - networking.extraHosts = "192.168.100.1 koendevLocal.nl public.koendevLocal.nl git.koendevLocal.nl vault.koendevLocal.nl"; - containers.nginx = { autoStart = true; privateNetwork = true; @@ -27,11 +30,11 @@ in { bindMounts = { "/var/www/portfolio" = { - hostPath = "/home/horseman/Programming/portfolio/_site"; + hostPath = "/var/www/portfolio"; isReadOnly = true; }; "/var/www/public" = { - hostPath = "/home/horseman/Public"; + hostPath = "/var/www/public"; isReadOnly = true; }; }; 
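Review bot: The rewritten `backup-forgejo` script writes a new `forgejo-<date>.tar` every day and never removes old ones, so `${BACKUP_DIR}` grows without bound; the vaultwarden script in the same commit has the same shape. The unit runs as `User = "root"` and `cd`s into a directory under the user's home (`/home/<user>/backups` on solis), so root creates files in a location the unprivileged user controls; at minimum the archive should be created with a restrictive umask (`umask 077` before the `tar` line) because the forgejo data tree contains `app.ini` with Forgejo's own internal tokens, and a short retention step (for example deleting archives older than N days) belongs in the same script. Since `tar` here never verifies success, consider `--warning=no-file-changed` plus a check of its exit status so a partial archive is not mistaken for a good backup.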
@@ -46,50 +49,40 @@ in { enable = true; virtualHosts = { - "koendevLocal.nl" = { - # addSSL = false; - # enableACME = false; + "${cfg.domain}" = { + forceSSL = true; + enableACME = true; + root = "/var/www/portfolio"; default = true; extraConfig = '' error_page 404 /404.html; ''; - - addSSL = true; - sslCertificate = "/var/www/portfolio/cert.pem"; - sslCertificateKey = "/var/www/portfolio/key.pem"; }; - "public.koendevLocal.nl" = { + "public.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + root = "/var/www/public"; - - addSSL = true; - sslCertificate = "/var/www/portfolio/cert.pem"; - sslCertificateKey = "/var/www/portfolio/key.pem"; }; - "git.koendevLocal.nl" = { - # addSSL = false; - # enableACME = false; + "git.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}"; }; - - addSSL = true; - sslCertificate = "/var/www/portfolio/cert.pem"; - sslCertificateKey = "/var/www/portfolio/key.pem"; }; - "vault.koendevLocal.nl" = { - # addSSL = false; - # enableACME = false; + "vault.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}"; }; - - forceSSL = true; - sslCertificate = "/var/www/portfolio/cert.pem"; - sslCertificateKey = "/var/www/portfolio/key.pem"; }; }; }; diff --git a/modules/containers/vaultwarden.nix b/modules/containers/vaultwarden.nix index 2d5963b..6d748dc 100644 --- a/modules/containers/vaultwarden.nix +++ b/modules/containers/vaultwarden.nix 
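Review bot: Every vhost now sets `enableACME = true;`, but `containers.nginx` has `privateNetwork = true;` and this diff adds no `forwardPorts`, while `networking.nat` in `default.nix` only masquerades outbound traffic; unless port forwarding and host firewall rules exist in a part of the configuration not shown here, inbound 80/443 never reaches the container and the HTTP-01 challenge cannot succeed. The usual fix is on the container definition: `forwardPorts = [ { hostPort = 80; containerPort = 80; } { hostPort = 443; containerPort = 443; } ];` together with opening the same ports in the host firewall. With `forceSSL` now on all vhosts, `recommendedTlsSettings = true;` and `recommendedProxySettings = true;` on `services.nginx` would give the proxied apps the `X-Forwarded-Proto` they need to know the outer hop was TLS.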
@@ -10,8 +10,8 @@ cfg = config.horseman.containers.vaultwarden; username = config.horseman.username; + BACKUP_DIR = config.horseman.containers.backupDir; DATA_DIR = "/home/${username}/backups/volumes/vaultwarden"; - BACKUP_FILE = "/home/${username}/backups/vaultwarden.tar"; in { options = { horseman.containers.vaultwarden = { @@ -41,7 +41,8 @@ in { environment.systemPackages = [pkgs.gnutar]; systemd.services."backup-vaultwarden" = { script = '' - ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR} + cd ${BACKUP_DIR} + ${pkgs.gnutar}/bin/tar -cf vaultwarden-$(date +'%Y-%m-%d').tar ${DATA_DIR} ''; serviceConfig = { User = "root"; diff --git a/secrets/containers/forgejo-secret.age b/secrets/containers/forgejo-secret.age index ce8bab1..81b3f0a 100644 --- a/secrets/containers/forgejo-secret.age +++ b/secrets/containers/forgejo-secret.age 
@@ -1,19 +1,18 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9tczZkdyAvNG9K -UEttaC8zNHlPVDJFT1NoOHBBKzduaThIcFR3TkdvZVF3UVFBSFhvClpLZGw0RmVp -cm1JRkNwL2RKN0lKRlEyb25YeUpjSWx0WXorNWZIa2ZHMzgKLT4gc3NoLWVkMjU1 -MTkgZ1BJZFpBIEUyeGlybExFS3dPWXZOdk41TG9GYWQzajFPeVh3MjBlcjQ2b3Bn -NkRiRXcKSzdORWN3NC9IQ2JCRTF3UVRRc1k4eW5uQ2tMZXo0UEczWk1IS3BDbEV4 -UQotPiBzc2gtZWQyNTUxOSBXeUlGekEgR0hhQitRZ2haZExXeVNlV0pBY0JkWTY0 -S05PMnNmdVh5QUUyVmhjK1psNApMVWtDR0ZUNjBHNHdUbDVEdFI3SkU3TnhtbHN4 -L3hiYnlYdmx5L2VmU3NBCi0+IHNzaC1lZDI1NTE5IGRiT2VoQSBpK2h2YlFCTk9a -Z21YZS9tQk9iUDdCQmpYNE9RK0k1SGtCbzhDdG9wVUFrCmlrNjBRQk9lWHVRRHVJ -dnFsSmJsTmNnaFA3MUorYkFGTklkWk94TUk3dHMKLT4gc3NoLWVkMjU1MTkgdHYv -Q3pnIGRUb21iKzlKY3hzcUhqaEZlK2EraEFQTmN0Nm5SZ05jdG1ia0xlN2NoelkK -d0R5Z0sxa0VDMy9aUTFJSS9jRmdDOGk5ZWVVVjIwdzJ4MUI3clR2bVE5SQotPiBi -NlJDOTpCWS1ncmVhc2UKR25PbzYrN2JsTXZwbXV5Z0NuUTZ0b2dTdU11Rlh6cmFL -cDlVOUUxNFd3VWg2V1ltU1N5dXZBWVM5UGI4d3cKLS0tIC9qQ0ZZUnVQRkc5dHRX -L0xpOTFxRk4xdTRCdUEwclU1dzB5RkVZbFRVZlUKhXXapogUWYhZ+Baie7Alcv7Z -hnMTGD+Wti8VhvHOmwS+z66mpbidJdNwcoiGOpeCfIJyKbQehQrzsI0wWbqjyA50 -PKWqT6dq3w== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9tczZkdyAvWjRI +VkpQNWpZNHdiZm9jVlZvcTYxS04wUk1hTWtmdWRXL2dydGwxc3pVCklSOWZYNThu +aVBSeDBwRldwTjVzT0VOaG9kNnV5SWJnT2M1YXVRSjUwUFkKLT4gc3NoLWVkMjU1 +MTkgZ1BJZFpBIExmTUxudEFaR21CQzg5ejlUaXRoQW5ORmVqcUlRd1o2L0pZbTd5 +UVBIeWcKZWVSV3k4bHZqV3pDaDMxYzBnZW9FL085TG14bkl0UlZoQ25CbW9iVENv +RQotPiBzc2gtZWQyNTUxOSBXeUlGekEgY2Zkd0VaZmxRaVV4cXBlRnNHeDMyUFFV +YVVzZlF2SXFjak5LREZINFRTMAp6dmFKOTd5eUMrczZ0WUU2T3hER3lkSHlTTGZj +U1k4ZVV1THJMK0RSd21zCi0+IHNzaC1lZDI1NTE5IGRiT2VoQSB0WkJpSkZHZ1BM +QitLdG9SdDdjckxVa0dxQ2dmQlNGekVITlllN2R3OWxZCmt2Zk5VSjNTdnB4Z2ln +TnExNytuZ2FtVE83NWZWcm1Fd25MS1NEL3JsbzgKLT4gc3NoLWVkMjU1MTkgdHYv +Q3pnIFVDMU9Kbld0aHFia3FmTEs2aGF2THdaSk1Ec2h2WWlMVjZvUkNHTFpCR1EK +NkR6R2JaZkZtbitBMmk1UjRFS3FFZ293bFhDUWxmR2M0ZHFoSVRGV2E1ZwotPiAn +eCFtQ3htLWdyZWFzZQp4VFZWeTlDNWlsNDI5WWlPTzNGbQotLS0gRmZIdXk3UUVw 
+ZEJjOGdnVVdlWWN5Y0VxaUJORG0ycTBQdVFGVGw1RVpZdwqD8VD14PUaG2u0/h9o +6VeX+m3nJkJgsXUkGPskTHHEc+1NaZ9MQM5dXzrmjfVHBT7N27bDcYlGG2RIfehC +Xz5jRZwSTG58wzt9 -----END AGE ENCRYPTED FILE----- From fde1d41bb8b485c38ac395215ee89b37f82bc57f Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Mon, 9 Feb 2026 14:38:02 +0100 Subject: [PATCH 08/12] add acme shit --- modules/containers/nginx.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index 4687eb8..348447d 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -22,6 +22,11 @@ in { }; config = mkIf cfg.enable { + security.acme = { + acceptTerms = true; + defaults.email = "koen.de.ruiter@hotmail.com"; + }; + containers.nginx = { autoStart = true; privateNetwork = true; From 4c66c514a326b98f0cd7c85555b1987d84ff810b Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Tue, 10 Feb 2026 01:04:47 +0100 Subject: [PATCH 09/12] runs on prod now :) --- machines/solis/modules.nix | 13 +++- modules/containers/default.nix | 20 +++-- modules/containers/forgejo.nix | 12 +-- modules/containers/nginx.nix | 117 ++++++++++++----------------- modules/containers/vaultwarden.nix | 8 +- 5 files changed, 83 insertions(+), 87 deletions(-) diff --git a/machines/solis/modules.nix b/machines/solis/modules.nix index 0c9e32e..2eef00c 100644 --- a/machines/solis/modules.nix +++ b/machines/solis/modules.nix @@ -1,4 +1,6 @@ -{...}: { +{config, ...}: let + username = config.horseman.username; +in { imports = [ ../../modules ]; @@ -6,6 +8,15 @@ config.horseman = { users.default.enable = true; + containers = { + enable = true; + backupDir = "/home/${username}/backups"; + + nginx.enable = true; + vaultwarden.enable = true; + forgejo.enable = true; + }; + base = { nix.enable = true; locale.enable = true; diff --git a/modules/containers/default.nix b/modules/containers/default.nix index 841dcdb..4bc2f02 100644 --- a/modules/containers/default.nix +++ b/modules/containers/default.nix 
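Review bot: The new `security.acme = { acceptTerms = true; defaults.email = …; };` block sits under the host-level `config = mkIf cfg.enable {`, but the vhosts with `enableACME = true` are in `containers.nginx.config`, which is a separate NixOS evaluation; the `acceptTerms` assertion fires inside the container, so the container still fails to build and the host-side block is unused. Move the block inside the container's `config = { config, pkgs, lib, ... }: { … }` next to `services.nginx`. A contact address in a shared module is also a good candidate for an option on `horseman.containers.nginx` rather than a literal.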
@@ -1,5 +1,10 @@
-{lib, ...}: let
- inherit (lib) mkOption types;
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf mkEnableOption mkOption types;
+ cfg = config.horseman.containers;
 in {
 imports = [
 ./nginx.nix
@@ -8,17 +13,20 @@ in {
 ];
 options = {
- backupDir = mkOption {
- type = types.str;
+ horseman.containers = {
+ enable = mkEnableOption "Containers";
+ backupDir = mkOption {
+ type = types.str;
+ };
 };
 };
- config = {
+ config = mkIf cfg.enable {
 networking.nat = {
 enable = true;
 # Use "ve-*" when using nftables instead of iptables
 internalInterfaces = ["ve-+"];
- externalInterface = "eno1";
+ externalInterface = "enp2s0";
 # Lazy IPv6 connectivity for the container
 enableIPv6 = true;
 };
diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix
index f8e7a8e..20801d9 100644
--- a/modules/containers/forgejo.nix
+++ b/modules/containers/forgejo.nix
@@ -57,8 +57,8 @@ in {
 containers.forgejoRunner = {
 autoStart = true;
 privateNetwork = true;
- hostAddress = "172.16.0.2";
- localAddress = "192.168.100.2";
+ hostAddress = "172.168.100.2";
+ localAddress = "192.168.100.102";
 bindMounts = {
 "/var/lib/secrets" = {
@@ -91,7 +91,7 @@ in {
 systemd.services.startup = {
 script = ''
 cd ${config.users.users.runner.home}
- ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner
+ ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance ${cfg.url} --secret $(cat /var/lib/secrets/secret) --name runner
 sleep 10
 ${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile}
 '';
@@ -106,8 +106,8 @@ in {
 containers.forgejo = {
 autoStart = true;
 privateNetwork = true;
- hostAddress = "172.16.0.3";
- localAddress = "192.168.100.3";
+ hostAddress = "192.168.100.3";
+ localAddress = "192.168.100.103";
 bindMounts = {
 "/var/lib/forgejo" = {
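Review bot: `externalInterface = "enp2s0";` in the `networking.nat` block is still a hard-coded value in the shared module, even though this commit moves `enable` and `backupDir` into `horseman.containers` options precisely so the module can be enabled per machine; the interface name is just as machine-specific (the old value was `eno1`), and a wrong name on another host leaves the containers' NAT silently non-functional rather than failing evaluation. A sibling option next to `backupDir`, `externalInterface = mkOption { type = types.str; };`, used as `externalInterface = cfg.externalInterface;`, keeps the per-machine knowledge in `machines/*/modules.nix` where `backupDir` now lives. `backupDir` also has no `description`, so the generated option docs say nothing about what path is expected or which user must own it; a one-line description stating that the container data archives are written under this directory would cover it.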
@@ -139,7 +139,7 @@ in {
 ROOT_URL = cfg.url;
 };
 session = {
- COOKIE_SECURE = false; # TODO Set to true
+ COOKIE_SECURE = true;
 };
 service = {
 DISABLE_REGISTRATION = true;
diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix
index 4687eb8..6b0cc6d 100644
--- a/modules/containers/nginx.nix
+++ b/modules/containers/nginx.nix
@@ -8,7 +8,6 @@
 }: let
 inherit (lib) mkEnableOption mkIf mkOption types;
 cfg = config.horseman.containers.nginx;
- osConfig = config;
 in {
 options = {
 horseman.containers.nginx = {
@@ -22,80 +21,58 @@ in {
 };
 config = mkIf cfg.enable {
- containers.nginx = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = "172.16.0.1";
- localAddress = "192.168.100.1";
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "koen.de.ruiter@hotmail.com";
+ };
- bindMounts = {
- "/var/www/portfolio" = {
- hostPath = "/var/www/portfolio";
- isReadOnly = true;
+ services.fail2ban.enable = true;
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ root = "/var/www/portfolio";
+ default = true;
+ extraConfig = ''
+ error_page 404 /404.html;
+ '';
 };
- "/var/www/public" = {
- hostPath = "/var/www/public";
- isReadOnly = true;
+
+ "public.${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ root = "/var/www/public";
+ };
+
+ "git.${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://${config.containers.forgejo.localAddress}:${toString config.horseman.containers.forgejo.port}";
+ };
+ };
+
+ "vault.${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://${config.containers.vaultwarden.localAddress}:${toString config.horseman.containers.vaultwarden.port}";
+ };
+ };
 };
+ };
- config = {
- config,
- pkgs,
- lib,
- ...
- }: {
- services.nginx = {
- enable = true;
-
- virtualHosts = {
- "${cfg.domain}" = {
- forceSSL = true;
- enableACME = true;
-
- root = "/var/www/portfolio";
- default = true;
- extraConfig = ''
- error_page 404 /404.html;
- '';
- };
-
- "public.${cfg.domain}" = {
- forceSSL = true;
- enableACME = true;
-
- root = "/var/www/public";
- };
-
- "git.${cfg.domain}" = {
- forceSSL = true;
- enableACME = true;
-
- locations."/" = {
- proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}";
- };
- };
-
- "vault.${cfg.domain}" = {
- forceSSL = true;
- enableACME = true;
-
- locations."/" = {
- proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}";
- };
- };
- };
- };
-
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [80 443];
- };
- useHostResolvConf = lib.mkForce false;
- };
- services.resolved.enable = true;
- system.stateVersion = "23.11";
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443];
 };
 };
 };
diff --git a/modules/containers/vaultwarden.nix b/modules/containers/vaultwarden.nix
index 6d748dc..02707c3 100644
--- a/modules/containers/vaultwarden.nix
+++ b/modules/containers/vaultwarden.nix
@@ -52,14 +52,14 @@ in {
 containers.vaultwarden = {
 autoStart = true;
 privateNetwork = true;
- hostAddress = "172.16.0.4";
- localAddress = "192.168.100.4";
+ hostAddress = "192.168.100.4";
+ localAddress = "192.168.100.104";
 bindMounts = {
- "/var/lib/vaultwarden" = {
+ "/var/lib/bitwarden_rs" = {
 hostPath = DATA_DIR;
 isReadOnly = false;
- }; # TODO set correct
+ };
 };
 config = {
From 8aab959e42d80faea0aacb27d414673cef0548db Mon Sep 17 00:00:00 2001
From: KoenDR06
Date: Tue, 10 Feb 2026 15:17:32 +0100
Subject: [PATCH 10/12] idk I fixed some stuff
---
 modules/containers/forgejo.nix | 12 ++++++++++++
 modules/containers/nginx.nix | 9 ++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
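Review bot: The `proxyPass` locations for `git.${cfg.domain}` and `vault.${cfg.domain}` forward to the containers without `services.nginx.recommendedProxySettings = true;`, so as written Forgejo and Vaultwarden see every request as coming from the host's veth address and receive no `Host`/`X-Forwarded-*` headers. That undercuts the `services.fail2ban.enable = true;` added at the top of the same hunk: no jail for nginx or the proxied services is configured here, and even if one were, the backends' logs would carry the host's address rather than the client's, so nothing could be banned per source. Adding `recommendedProxySettings = true;` beside `enable = true;` in `services.nginx` restores the client address and scheme for both backends; the Vaultwarden location likely also wants `proxyWebsockets = true;` for its notification channel (verify against the Vaultwarden deployment notes). The `config = mkIf cfg.enable {` block opened in this hunk is closed by the trailing `};` lines, so the change is self-contained.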
diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix
index 20801d9..00984df 100644
--- a/modules/containers/forgejo.nix
+++ b/modules/containers/forgejo.nix
@@ -127,6 +127,18 @@ in {
 ...
 }: {
 environment.systemPackages = [pkgs.forgejo];
+
+ services.openssh = {
+ enable = true;
+ ports = [cfg.sshPort];
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ # AllowUsers = ["git"];
+ };
+ };
+
 services.forgejo = {
 enable = true;
diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix
index 6b0cc6d..6526eae 100644
--- a/modules/containers/nginx.nix
+++ b/modules/containers/nginx.nix
@@ -30,6 +30,13 @@ in {
 services.nginx = {
 enable = true;
+ streamConfig = ''
+ server {
+ listen ${toString config.horseman.containers.forgejo.sshPort};
+ proxy_pass ${config.containers.forgejo.localAddress}:${toString config.horseman.containers.forgejo.sshPort};
+ }
+ '';
+
 virtualHosts = {
 "${cfg.domain}" = {
 forceSSL = true;
@@ -72,7 +79,7 @@ in {
 networking = {
 firewall = {
 enable = true;
- allowedTCPPorts = [80 443];
+ allowedTCPPorts = [80 443 config.horseman.containers.forgejo.sshPort];
 };
 };
 };
From 7bf67683233514221add7285d5c17f5924eb4c4a Mon Sep 17 00:00:00 2001
From: KoenDR06
Date: Tue, 10 Feb 2026 15:20:30 +0100
Subject: [PATCH 11/12] merge
---
 modules/containers/forgejo.nix | 2 +-
 modules/containers/nginx.nix | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix
index 00984df..3401e38 100644
--- a/modules/containers/forgejo.nix
+++ b/modules/containers/forgejo.nix
@@ -57,7 +57,7 @@ in {
 containers.forgejoRunner = {
 autoStart = true;
 privateNetwork = true;
- hostAddress = "172.168.100.2";
+ hostAddress = "192.168.100.2";
 localAddress = "192.168.100.102";
 bindMounts = {
diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix
index 6526eae..4a2d81b 100644
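Review bot: `# AllowUsers = ["git"];` is left commented out in the new `services.openssh.settings`, so the container sshd now listening on `cfg.sshPort` accepts key logins for any account the container ends up with, not only the one Forgejo uses for git-over-SSH; `PasswordAuthentication = false` narrows this to accounts that have keys, but an explicit allow-list is what makes the intent checkable. The commented value `git` may not be the name the Forgejo module actually creates, so rather than hard-coding it, `settings.AllowUsers = [config.services.forgejo.user];` (the container-local `config` from the `{ config, pkgs, ... }:` header) would follow whatever the service resolves to — confirm that option name in the nixpkgs revision in use. A short comment above the block saying that this sshd exists only for git push/pull and is reachable through the host's proxy would also help the next reader. The container `config` function this block sits in starts before the hunk.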
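Review bot: The `streamConfig` server terminates the client's TCP connection on the host and opens a fresh one to the container, so the container's sshd (and any fail2ban jail or auth log there) sees every git client as the host's veth address and cannot distinguish or ban individual sources. For plain TCP to a single backend a NAT forward preserves the real source address: `containers.forgejo.forwardPorts = [{ hostPort = config.horseman.containers.forgejo.sshPort; containerPort = config.horseman.containers.forgejo.sshPort; protocol = "tcp"; }];` next to the container definition in forgejo.nix would replace the stream block entirely. The firewall hunk below, `allowedTCPPorts = [80 443 config.horseman.containers.forgejo.sshPort];`, is needed with either approach. The `services.nginx` attribute set continues past the end of this hunk.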
--- a/modules/containers/nginx.nix
+++ b/modules/containers/nginx.nix
@@ -1,9 +1,6 @@
 {
- inputs,
- outputs,
 lib,
 config,
- pkgs,
 ...
 }: let
 inherit (lib) mkEnableOption mkIf mkOption types;
From bdb287e492c33c85502a9766d6139737c1bfd7eb Mon Sep 17 00:00:00 2001
From: KoenDR06
Date: Tue, 10 Feb 2026 15:23:47 +0100
Subject: [PATCH 12/12] remove containers from other machines
---
 machines/artemis/modules.nix | 6 ------
 machines/terra/modules.nix | 6 ------
 2 files changed, 12 deletions(-)
diff --git a/machines/artemis/modules.nix b/machines/artemis/modules.nix
index 2513b45..40208c2 100644
--- a/machines/artemis/modules.nix
+++ b/machines/artemis/modules.nix
@@ -29,12 +29,6 @@
 users.default.enable = true;
- containers = {
- forgejo.enable = true;
- nginx.enable = true;
- vaultwarden.enable = true;
- };
-
 base = {
 nix.enable = true;
 locale.enable = true;
diff --git a/machines/terra/modules.nix b/machines/terra/modules.nix
index 145ba7e..c6db737 100644
--- a/machines/terra/modules.nix
+++ b/machines/terra/modules.nix
@@ -37,12 +37,6 @@
 users.default.enable = true;
- containers = {
- nginx.enable = true;
- forgejo.enable = true;
- vaultwarden.enable = true;
- };
-
 base = {
 nix.enable = true;
 locale.enable = true;