From ee91f96f460cc70a362cc0d7a43389a85d03a447 Mon Sep 17 00:00:00 2001
From: System administrator
Date: Fri, 24 Jan 2025 16:54:04 +0000
Subject: [PATCH 1/6] add printing to sparky
---
 hosts/sparky/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix
index d0e8e57..b266f92 100644
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@@ -29,7 +29,7 @@ in {
 ../common/optional/openssh.nix
 ../common/optional/persistence.nix
 ../common/optional/fileserver/nfs-client/media.nix
- # ../common/optional/printing.nix
+ ../common/optional/printing.nix
 ../common/optional/distributed-builds/local-machine.nix
 outputs.nixosModules.nixosAutoUpgrade
 ];
From 93b808ed8f2a147df778955e1873491d6c9b716a Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 24 Jan 2025 17:41:20 +0000
Subject: [PATCH 2/6] update flake secrets
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 9786635..d4f1eac 100644
--- a/flake.lock
+++ b/flake.lock
@@ -539,11 +539,11 @@
 },
 "nix-secrets": {
 "locked": {
- "lastModified": 1737643624,
- "narHash": "sha256-RAnbZSi2yagPCpNcm3U3wA6FAzbhGUi9ifvnu6Du3Rs=",
+ "lastModified": 1737740428,
+ "narHash": "sha256-g6jR8HUlypeCbroKFSvzPOLj2GVnDbYDg8WtqUi/42w=",
 "ref": "refs/heads/master",
- "rev": "5260822187ce58af680e5aceba8fb01f10415def",
- "revCount": 248,
+ "rev": "04277bd2942365d518ac4233abf832badff32d23",
+ "revCount": 249,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
From f09f5b258805c459bce6dada34caae19efebbc26 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 24 Jan 2025 18:31:29 +0000
Subject: [PATCH 3/6] modify blackbox exporter metrics and import searx config
---
 .../optional/arion-containers/searxng.nix | 32 +++++++++++++++++++
 .../optional/nixos-containers/docker.nix | 4 +--
 .../nixos-containers/metrics-server.nix | 8 ++---
 3 files changed, 38 insertions(+), 6 deletions(-)
 create mode 100644 hosts/common/optional/arion-containers/searxng.nix
diff --git a/hosts/common/optional/arion-containers/searxng.nix b/hosts/common/optional/arion-containers/searxng.nix
new file mode 100644
index 0000000..373451f
--- /dev/null
+++ b/hosts/common/optional/arion-containers/searxng.nix
@@ -0,0 +1,32 @@
+{configVars, ...}:
+let
+ # configVars = import ../../../../vars {inherit inputs};
+ piholeIp = configVars.networking.addresses.pihole.ip;
+in
+{
+ virtualisation.arion = {
+ backend = "podman-socket";
+ projects.searxng = {
+ settings = {
+ services.redis.service = {
+ container_name = "redis";
+ image = "redis:alpine";
+ restart = "always";
+ command = [ "redis-server" "--save" "" "--appendonly" "no" ];
+ tmpfs = [ "/var/lib/redis" ];
+ capabilities = { ALL = false; SETGID = true; SETUID = true; DAC_OVERRIDE = true; };
+ };
+ services.searxng.service = {
+ container_name = "searxng";
+ image = "searxng/searxng:latest";
+ restart = "always";
+ ports = [ "8855:8080" ];
+ dns = [ piholeIp ];
+ volumes = [ "/srv/docker/searxng-docker/searxng:/etc/searxng:rw" ];
+ capabilities = { ALL = false; CHOWN = true; SETGID = true; SETUID = true; DAC_OVERRIDE = true; };
+ };
+ };
+ };
+ };
+}
+
diff --git a/hosts/common/optional/nixos-containers/docker.nix b/hosts/common/optional/nixos-containers/docker.nix
index b9df440..cc74b46 100644
--- a/hosts/common/optional/nixos-containers/docker.nix
+++ b/hosts/common/optional/nixos-containers/docker.nix
@@ -2,9 +2,9 @@
 pkgs,
 lib,
 inputs,
- configVars,
 config,
 outputs,
+ configVars,
 ...
 }: let
 containerName = "docker";
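Review bot: `image = "searxng/searxng:latest"` (and `redis:alpine`) are floating tags, so with `restart = "always"` whatever was last pulled is what runs and an upgrade leaves no trace in this repo; pin each to a version tag or a digest (`searxng/searxng@sha256:<digest>`, placeholder) and bump deliberately. `ports = [ "8855:8080" ]` publishes the service on every host interface, while the later patches in this series route users through the `searx.lan` reverse proxy; binding it to the host's address (`"<docker-host-ip>:8855:8080"`, placeholder) keeps the direct port off the LAN. The commented-out `# configVars = import ../../../../vars {inherit inputs};` is dead configuration now that `configVars` is a module argument and can be dropped.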
@@ -119,7 +119,6 @@ in {
 secretsDirectory = builtins.toString inputs.nix-secrets;
 secretsFile = "${secretsDirectory}/secrets.yaml";
 in {
-
 nixpkgs.overlays = [
 outputs.overlays.unstable-packages
 ];
@@ -179,6 +178,7 @@ in {
 ../arion-containers/jellyfin.nix
 ../arion-containers/photoprism.nix
 ../arion-containers/syncthing.nix
+ (import ../arion-containers/searxng.nix {configVars = configVars;})
 ];
 environment.systemPackages = [
diff --git a/hosts/common/optional/nixos-containers/metrics-server.nix b/hosts/common/optional/nixos-containers/metrics-server.nix
index 4b2ac05..50417f4 100644
--- a/hosts/common/optional/nixos-containers/metrics-server.nix
+++ b/hosts/common/optional/nixos-containers/metrics-server.nix
@@ -159,10 +159,10 @@ in {
 preferred_ip_protocol: ip4
 valid_http_versions: ["HTTP/1.1", "HTTP/2"]
 method: GET
- fail_if_ssl: false
- fail_if_not_ssl: true
- tls_config:
- insecure_skip_verify: true
+ # fail_if_ssl: false
+ # fail_if_not_ssl: true
+ # tls_config:
+ # insecure_skip_verify: true
 tcp_connect:
 prober: tcp
 tcp:
From 9fe0c08363bb7e83706769cb42a13d203078c758 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 24 Jan 2025 19:11:04 +0000
Subject: [PATCH 4/6] update flake secrets
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index d4f1eac..c2b0dd8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -539,11 +539,11 @@
 },
 "nix-secrets": {
 "locked": {
- "lastModified": 1737740428,
- "narHash": "sha256-g6jR8HUlypeCbroKFSvzPOLj2GVnDbYDg8WtqUi/42w=",
+ "lastModified": 1737745804,
+ "narHash": "sha256-ix/gu0HJmJISlZM2PjCssg+4fhD1g0CrrpLaKb84dRo=",
 "ref": "refs/heads/master",
- "rev": "04277bd2942365d518ac4233abf832badff32d23",
- "revCount": 249,
+ "rev": "3a049490d4853b61e9cf778347ff8fa175488ede",
+ "revCount": 251,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
From d189ffa38d03d9074a87e58c837129e919dd5397 Mon Sep 17 00:00:00 2001
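Review bot: `(import ../arion-containers/searxng.nix {configVars = configVars;})` spells out an attribute that `{inherit configVars;}` expresses idiomatically, and it is the only entry in this list that is not a bare path. If `configVars` is already made available to the container's modules (via `specialArgs` or `_module.args`, which would be configured outside this hunk), the new file could be listed as `../arion-containers/searxng.nix` like its siblings and keep one import style; otherwise a short comment on why this module needs explicit arguments would help the next reader.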
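Review bot: Commenting out `fail_if_not_ssl: true` and the `tls_config` block leaves dead YAML in the embedded blackbox configuration and, more importantly, removes the only check that an HTTPS target has not silently fallen back to plaintext. Since the `.lan` services in this series are plain HTTP, a cleaner split is two modules, this one without TLS assertions and a second (say `http_2xx_tls`) that keeps `fail_if_not_ssl: true`, so each target is probed with the expectation that actually applies to it. The commented lines should then be deleted rather than kept; the module definition they belong to starts above this hunk.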
From: Sam
Date: Fri, 24 Jan 2025 23:35:38 +0000
Subject: [PATCH 5/6] add reverse proxy and domain names to config
---
 .../optional/desktop/common/firefox.nix | 36 +++---
 .../nixos-containers/reverse-proxy.nix | 112 ++++++++++++++++++
 hosts/semita/default.nix | 1 +
 3 files changed, 135 insertions(+), 14 deletions(-)
 create mode 100644 hosts/common/optional/nixos-containers/reverse-proxy.nix
diff --git a/home/common/optional/desktop/common/firefox.nix b/home/common/optional/desktop/common/firefox.nix
index 3c17bd1..0b7a2df 100644
--- a/home/common/optional/desktop/common/firefox.nix
+++ b/home/common/optional/desktop/common/firefox.nix
@@ -5,7 +5,6 @@
 ...
 }: let
 user = config.home.username;
- bitcoinNodeIp = configVars.networking.addresses.bitcoin-node.ip;
 dockerContainerIp = configVars.networking.addresses.docker.ip;
 in {
 programs.firefox = {
@@ -22,14 +21,8 @@ in {
 {
 template = "https://search.nixos.org/packages";
 params = [
- {
- name = "type";
- value = "packages";
- }
- {
- name = "query";
- value = "{searchTerms}";
- }
+ { name = "type"; value = "packages"; }
+ { name = "query"; value = "{searchTerms}"; }
 ];
 }
 ];
@@ -43,7 +36,7 @@ in {
 definedAliases = ["@nw"];
 };
 "Searx" = {
- urls = [{template = "http://${dockerContainerIp}:8855/?q={searchTerms}";}];
+ urls = [{template = "http://searx.lan/?q={searchTerms}";}];
 iconUpdateURL = "https://docs.searxng.org/_static/searxng-wordmark.svg";
 updateInterval = 24 * 60 * 60 * 1000; # every day
 definedAliases = ["@searx"];
@@ -60,11 +53,27 @@ in {
 bookmarks = [
 {
 name = "Jellyfin";
- url = "http://${dockerContainerIp}:8096";
+ url = "http://jellyfin.lan";
+ }
+ {
+ name = "Pihole";
+ url = "http://dns.lan";
+ }
+ {
+ name = "Searx";
+ url = "http://searx.lan";
 }
 {
 name = "Mempool";
- url = "http://${bitcoinNodeIp}:4080";
+ url = "http://mempool.lan";
+ }
+ {
+ name = "Grafana";
+ url = "http://grafana.lan";
+ }
+ {
+ name = "Prometheus";
+ url = "http://prometheus.lan";
 }
 {
 name = "Nixos Package Search";
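Review bot: The new `Prometheus` bookmark points at `http://prometheus.lan`, but the reverse-proxy module added in this same patch defines the Prometheus vhost as `"metrics.lan"` (proxying `${metricsServer}:9001`) and has no `prometheus.lan` entry, so unless another vhost or DNS record exists outside this diff the bookmark will land on nginx's default server rather than Prometheus; align the two, e.g. `url = "http://metrics.lan";`. Separately, the first hunk removes `bitcoinNodeIp` but keeps `dockerContainerIp`, whose every visible use (the `Searx` template, the Jellyfin bookmark, and the homepage in the later hunk) is replaced by a `.lan` name in this patch; if no use remains elsewhere in the file, drop that binding too.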
@@ -80,7 +89,7 @@ in {
 "identity.fxaccounts.enabled" = false;
 "signon.rememberSignons" = false;
 "browser.compactmode.show" = true;
- "browser.startup.homepage" = "http://${dockerContainerIp}:8855";
+ "browser.startup.homepage" = "http://searx.lan";
 "browser.search.defaultenginename" = "Searx";
 "browser.search.order.1" = "Searx";
 };
@@ -91,7 +100,6 @@ in {
 bitwarden
 sponsorblock
 darkreader
- vimium
 privacy-badger
 zotero-connector
 ];
diff --git a/hosts/common/optional/nixos-containers/reverse-proxy.nix b/hosts/common/optional/nixos-containers/reverse-proxy.nix
new file mode 100644
index 0000000..b2abf5c
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/reverse-proxy.nix
@@ -0,0 +1,112 @@
+{
+ pkgs,
+ lib,
+ configVars,
+ ...
+}: let
+ containerName = "reverse-proxy";
+ containerIp = configVars.networking.addresses.reverse-proxy.ip;
+
+ gatewayIp = configVars.networking.addresses.gateway.ip;
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+
+ dockerContainerIp = configVars.networking.addresses.docker.ip;
+ bdWorker = configVars.networking.addresses.bd-worker.ip;
+ pihole = configVars.networking.addresses.pihole.ip;
+ bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
+ metricsServer = configVars.networking.addresses.metrics-server.ip;
+in {
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ containers."${containerName}" = {
+ enableTun = true;
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+
+ config = {
+ pkgs,
+ lib,
+ config,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "${gatewayIp}";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${containerIp}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ imports = [
+ ];
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ pkgs.nginx
+ ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "jellyfin.lan" = {
+ locations."/".proxyPass = "http://${dockerContainerIp}:8096";
+ };
+ "mempool.lan" = {
+ locations."/".proxyPass = "http://${bitcoinNode}:4080";
+ };
+ "grafana.lan" = {
+ locations."/".proxyPass = "http://${metricsServer}:2342";
+ };
+ "metrics.lan" = {
+ locations."/".proxyPass = "http://${metricsServer}:9001";
+ };
+ "searx.lan" = {
+ locations."/".proxyPass = "http://${dockerContainerIp}:8855";
+ };
+ "dns.lan" = {
+ locations."/".proxyPass = "http://${pihole}:80";
+ };
+ "prefect.lan" = {
+ locations."/".proxyPass = "http://${bdWorker}:4200";
+ };
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/hosts/semita/default.nix b/hosts/semita/default.nix
index aaa4a37..afcb549 100644
--- a/hosts/semita/default.nix
+++ b/hosts/semita/default.nix
@@ -60,6 +60,7 @@ in {
 ../common/optional/fileserver/nfs-client/personal.nix
 ../common/optional/distributed-builds/local-machine.nix
+ ../common/optional/nixos-containers/reverse-proxy.nix
 outputs.nixosModules.nixosAutoUpgrade
 ];
From 84f6501679881414370fd1b50fddd30b123d3b0f Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 24 Jan 2025 23:37:23 +0000
Subject: [PATCH 6/6] add oom killer to merlin
---
 hosts/merlin/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)
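Review bot: Every vhost is a bare `locations."/".proxyPass` with neither `recommendedProxySettings` nor `proxyWebsockets`, so nginx forwards its own upstream address as `Host`, sends no `X-Forwarded-*` headers, and does not pass websocket upgrades, which at least Jellyfin's web client relies on; add `recommendedProxySettings = true;` next to `enable = true;` and `locations."/".proxyWebsockets = true;` on the Jellyfin (and likely Grafana) hosts. The container also runs sshd with root's authorized keys, and since `services.openssh.openFirewall` defaults to true, port 22 is reachable despite `allowedTCPPorts = [ 80 ]`; for a proxy-only container, `nixos-container root-login` from the host avoids exposing an SSH service at all, or set `services.openssh.openFirewall = false;` if it must stay. Minor points: `defaultGateway = "${gatewayIp}"` is just `defaultGateway = gatewayIp;`, the empty `imports = [ ];` can go, `pkgs.nginx` in `systemPackages` is redundant with `services.nginx.enable`, and `enableTun = true` has no visible consumer here and deserves a comment saying why the proxy needs it.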
diff --git a/hosts/merlin/default.nix b/hosts/merlin/default.nix
index b8eb206..7844783 100644
--- a/hosts/merlin/default.nix
+++ b/hosts/merlin/default.nix
@@ -85,6 +85,13 @@ in {
 fsType = "btrfs";
 };
+ services = {
+ earlyoom = {
+ enable = true;
+ freeMemThreshold = 3;
+ };
+ };
+
 networking = {
 hostName = "merlin";
 nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
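Review bot: `freeMemThreshold = 3;` is a bare number with no indication of its unit or why it departs from the module's default of 10; a comment such as `# percent of total RAM below which earlyoom starts killing; default is 10, lowered so large builds are not killed early` (adjust the reason to the actual one) would save the next reader a lookup. Consider also whether `freeSwapThreshold` should be set alongside it so both thresholds are chosen together rather than one tuned and the other implicit.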