Initial Setups for Nix, Komodo and Cloud LXC, not yet tested to work.

This commit is contained in:
Chris Toph 2025-03-31 12:22:05 -04:00
parent 771336eb74
commit 1e8cef208e
12 changed files with 910 additions and 0 deletions


@ -0,0 +1,24 @@
{
pkgs,
...
}:
{
imports = [
## Required Configs ##
../common/core # required
## Host-specific Optional Configs ##
];
# Useful for this host
home.file = {
Pool.source = config.lib.file.mkOutOfStoreSymlink "/pool";
DockerStorage.source = config.lib.file.mkOutOfStoreSymlink "/mnt/DockerStorage";
};
## Packages with no needed configs ##
# home.packages = builtins.attrValues {
# inherit (pkgs)
# ;
# };
}
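Review bot: `config.lib.file.mkOutOfStoreSymlink` on the `Pool.source` and `DockerStorage.source` lines reads `config`, but the module's argument set on the first line is only `{ pkgs, ... }`, so evaluation stops with an undefined-variable error before home-manager builds anything from this file; change the header to `{ config, pkgs, ... }:`. The `# Useful for this host` comment does not say what the two symlinks assume, and `/pool` and `/mnt/DockerStorage` presumably exist only on hosts whose hardware module mounts them; a comment such as `# Out-of-store symlinks to the host's /pool and /mnt/DockerStorage mounts; only valid where those mounts exist` would make that dependency explicit.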

23
home/toph/nix/default.nix Normal file

@ -0,0 +1,23 @@
{
pkgs,
...
}:
{
imports = [
## Required Configs ##
../common/core # required
## Host-specific Optional Configs ##
../common/optional/vscode-server.nix
];
## Packages with no needed configs ##
home.packages = builtins.attrValues {
inherit (pkgs)
chafa
nodejs
pnpm
# x2goserver
;
};
}


@ -0,0 +1,83 @@
name: authentik
services:
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- ./database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${PG_PASS}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
env_file:
- .env
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- ./redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ./media:/media
- ./custom-templates:/templates
env_file:
- .env
ports:
- "${COMPOSE_PORT_HTTP:-9000}:9000"
- "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./templates:/templates
env_file:
- .env
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
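Review bot: The `worker` service keeps the upstream `user: root` together with the `/var/run/docker.sock` bind mount, which gives that container full control of the host's Docker daemon; the inline comment already states both are optional, so unless the Docker outpost integration is actually planned for this host, drop `user: root` and the socket line and give the bind-mounted folders the 1000:1000 ownership the comment describes. Separately, `server` mounts `./custom-templates:/templates` while `worker` mounts `./templates:/templates`, so the two halves of authentik read different template directories; pick one host directory for both (the compose2nix output in the authentik default.nix inherits the same mismatch).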


@ -0,0 +1,210 @@
# Auto-generated using compose2nix v0.3.1.
{ pkgs, lib, ... }:
let
# Only available in the Komodo LXC
DockerStorage = "/mnt/DockerStorage/komodo/stacks/authentik";
in
{
# Containers
virtualisation.oci-containers.containers."authentik-postgresql" = {
image = "docker.io/library/postgres:16-alpine";
environmentFiles = [
./authentik.env
];
volumes = [
"${DockerStorage}/database:/var/lib/postgresql/data:rw"
];
log-driver = "journald";
extraOptions = [
"--health-cmd=pg_isready -d \${POSTGRES_DB} -U \${POSTGRES_USER}"
"--health-interval=30s"
"--health-retries=5"
"--health-start-period=20s"
"--health-timeout=5s"
"--network-alias=postgresql"
"--network=authentik_default"
];
};
systemd.services."docker-authentik-postgresql" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-authentik_default.service"
];
requires = [
"docker-network-authentik_default.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
virtualisation.oci-containers.containers."authentik-redis" = {
image = "docker.io/library/redis:alpine";
environmentFiles = [
./authentik.env
];
volumes = [
"${DockerStorage}/redis:/data:rw"
];
cmd = [
"--save"
"60"
"1"
"--loglevel"
"warning"
];
log-driver = "journald";
extraOptions = [
"--health-cmd=redis-cli ping | grep PONG"
"--health-interval=30s"
"--health-retries=5"
"--health-start-period=20s"
"--health-timeout=3s"
"--network-alias=redis"
"--network=authentik_default"
];
};
systemd.services."docker-authentik-redis" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-authentik_default.service"
];
requires = [
"docker-network-authentik_default.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
virtualisation.oci-containers.containers."authentik-server" = {
image = "ghcr.io/goauthentik/server:2024.12.2";
environmentFiles = [
./authentik.env
];
volumes = [
"${DockerStorage}/custom-templates:/templates:rw"
"${DockerStorage}/media:/media:rw"
];
ports = [
"9000:9000/tcp"
"9443:9443/tcp"
];
cmd = [ "server" ];
dependsOn = [
"authentik-postgresql"
"authentik-redis"
];
log-driver = "journald";
extraOptions = [
"--network-alias=server"
"--network=authentik_default"
];
};
systemd.services."docker-authentik-server" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-authentik_default.service"
];
requires = [
"docker-network-authentik_default.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
];
};
virtualisation.oci-containers.containers."authentik-worker" = {
image = "ghcr.io/goauthentik/server:2024.12.2";
environmentFiles = [
./authentik.env
];
volumes = [
"${DockerStorage}/certs:/certs:rw"
"${DockerStorage}/media:/media:rw"
"${DockerStorage}/templates:/templates:rw"
"/var/run/docker.sock:/var/run/docker.sock:rw"
];
cmd = [ "worker" ];
dependsOn = [
"authentik-postgresql"
"authentik-redis"
];
user = "root";
log-driver = "journald";
extraOptions = [
"--network-alias=worker"
"--network=authentik_default"
];
};
systemd.services."docker-authentik-worker" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-authentik_default.service"
];
requires = [
"docker-network-authentik_default.service"
];
partOf = [
"docker-compose-authentik-root.target"
];
wantedBy = [
"docker-compose-authentik-root.target"
"docker-compose-komodo-root.target"
];
};
# Networks
systemd.services."docker-network-authentik_default" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "docker network rm -f authentik_default";
};
script = ''
docker network inspect authentik_default || docker network create authentik_default
'';
partOf = [ "docker-compose-authentik-root.target" ];
wantedBy = [ "docker-compose-authentik-root.target" ];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."docker-compose-authentik-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [
"multi-user.target"
];
};
}
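Review bot: Every container here takes `environmentFiles = [ ./authentik.env ];`, and a relative path literal in Nix is copied into `/nix/store`, which is world-readable, so whatever that file holds (the compose version sources `PG_PASS` from it, and the `environment` blocks were dropped here, so the database credentials presumably moved into it) becomes readable by every local user and is carried into any store paths pushed to a cache. Reference the file by an absolute string outside the store instead, e.g. `"${DockerStorage}/authentik.env"`, or deliver it through a secrets module; the komodo default.nix has the same `./komodo.env` pattern. The `# Auto-generated using compose2nix v0.3.1.` header is no longer accurate either: the `DockerStorage` let-binding, the worker's extra `docker-compose-komodo-root.target` entry and the removed `environment` blocks are hand edits, so either say so at the top or regenerate with those settings. As far as I can tell `dependsOn` only orders unit start and does not reproduce compose's `condition: service_healthy`, so server and worker will be launched before postgres reports healthy and rely on the restart policy to recover; worth a comment next to `dependsOn`.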


@ -0,0 +1,102 @@
################################
# 🦎 KOMODO COMPOSE - MONGO 🦎 #
################################
## This compose file will deploy:
## 1. MongoDB
## 2. Komodo Core
## 3. Komodo Periphery
name: komodo
services:
mongo:
image: mongo
labels:
komodo.skip: # Prevent Komodo from stopping with StopAllContainers
command: --quiet --wiredTigerCacheSizeGB 0.25
restart: unless-stopped
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- default
# ports:
# - 27017:27017
volumes:
- /mnt/DockerStorage/komodo/mongo/data:/data/db:rw
- /mnt/DockerStorage/komodo/mongo/config:/data/configdb:rw
environment:
MONGO_INITDB_ROOT_USERNAME: ${DB_USERNAME}
MONGO_INITDB_ROOT_PASSWORD: ${DB_PASSWORD}
core:
image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
labels:
komodo.skip: # Prevent Komodo from stopping with StopAllContainers
restart: unless-stopped
depends_on:
- mongo
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- default
ports:
- 9120:9120
env_file: ./komodo.env
environment:
KOMODO_DATABASE_ADDRESS: mongo:27017
KOMODO_DATABASE_USERNAME: ${DB_USERNAME}
KOMODO_DATABASE_PASSWORD: ${DB_PASSWORD}
volumes:
## Core cache for repos for latest commit hash / contents
- /mnt/DockerStorage/komodo/cache:/repo-cache:rw
## Store sync files on server
- /mnt/DockerStorage/komodo/syncs:/syncs
## Optionally mount a custom core.config.toml
- /mnt/DockerStorage/komodo/core.config.toml:/config/config.toml
## Allows for systemd Periphery connection at
## "http://host.docker.internal:8120"
# extra_hosts:
# - host.docker.internal:host-gateway
## Deploy Periphery container using this block,
## or deploy the Periphery binary with systemd using
## https://github.com/mbecker20/komodo/tree/main/scripts
periphery:
image: ghcr.io/mbecker20/periphery:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
labels:
komodo.skip: # Prevent Komodo from stopping with StopAllContainers
restart: unless-stopped
logging:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- default
env_file: ./komodo.env
volumes:
## Mount external docker socket
- /var/run/docker.sock:/var/run/docker.sock
## Allow Periphery to see processes outside of container
- /proc:/proc
## use self signed certs in docker volume,
## or mount your own signed certs.
- /mnt/DockerStorage/komodo/ssl:/etc/komodo/ssl:rw
## manage repos in a docker volume,
## or change it to an accessible host directory.
- /mnt/DockerStorage/komodo/repos:/etc/komodo/repos:rw
## manage stack files in a docker volume,
## or change it to an accessible host directory.
- /mnt/DockerStorage/komodo/stacks:/etc/komodo/stacks:rw
## Optionally mount a path to store compose files
# - /path/to/compose:/host/compose
volumes:
# Mongo
mongo-data:
mongo-config:
# Core
repo-cache:
# Periphery
ssl-certs:
repos:
stacks:
networks:
default: {}
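Review bot: The top-level `volumes:` block (`mongo-data`, `mongo-config`, `repo-cache`, `ssl-certs`, `repos`, `stacks`) declares named volumes that no service references any more, since every mount above was switched to a `/mnt/DockerStorage/komodo/...` bind mount; it is dead configuration and should go, along with the "in a docker volume" comments that no longer apply. The `mongo` image is unpinned and the Komodo images default to `latest`, so the stack changes under you on every pull; pin tags (the generated nix module also uses `latest` with `--pull=always`). The `core.config.toml` bind mount also appears to require that file to exist on the host first, because Docker creates a missing host path as a directory, after which core cannot read its config; a comment on that line saying the file must be created beforehand would help.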


@ -0,0 +1,191 @@
# Auto-generated using compose2nix v0.3.1.
{
pkgs,
lib,
admin,
...
}:
let
# Only available in the Komodo LXC
DockerStorage = "/mnt/DockerStorage/komodo";
in
{
# Containers
virtualisation.oci-containers.containers."komodo-core" = {
image = "ghcr.io/moghtech/komodo-core:latest";
environmentFiles = [
./komodo.env
];
volumes = [
"${DockerStorage}/cache:/repo-cache:rw"
];
ports = [
"9120:9120/tcp"
];
labels = {
"komodo.skip" = "";
};
dependsOn = [
"komodo-mongo"
];
log-driver = "local";
extraOptions = [
"--network-alias=core"
"--network=komodo_default"
"--pull=always"
];
};
systemd.services."docker-komodo-core" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-komodo_default.service"
# "docker-volume-komodo_repo-cache.service"
];
requires = [
"docker-network-komodo_default.service"
# "docker-volume-komodo_repo-cache.service"
];
partOf = [
"docker-compose-komodo-root.target"
];
wantedBy = [
"docker-compose-komodo-root.target"
];
};
virtualisation.oci-containers.containers."komodo-mongo" = {
image = "mongo";
environmentFiles = [
./komodo.env
];
volumes = [
"${DockerStorage}/mongo/config:/data/configdb:rw"
"${DockerStorage}/mongo/data:/data/db:rw"
];
cmd = [
"--quiet"
"--wiredTigerCacheSizeGB"
"0.25"
];
labels = {
"komodo.skip" = "";
};
log-driver = "local";
extraOptions = [
"--network-alias=mongo"
"--network=komodo_default"
];
};
systemd.services."docker-komodo-mongo" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-komodo_default.service"
# "docker-volume-komodo_mongo-config.service"
# "docker-volume-komodo_mongo-data.service"
];
requires = [
"docker-network-komodo_default.service"
# "docker-volume-komodo_mongo-config.service"
# "docker-volume-komodo_mongo-data.service"
];
partOf = [
"docker-compose-komodo-root.target"
];
wantedBy = [
"docker-compose-komodo-root.target"
];
};
virtualisation.oci-containers.containers."komodo-periphery" = {
image = "ghcr.io/moghtech/komodo-periphery:latest";
environmentFiles = [
./komodo.env
];
volumes = [
"/proc:/proc:rw"
"/var/run/docker.sock:/var/run/docker.sock:rw"
"${DockerStorage}/repos:/etc/komodo/repos:rw"
"${DockerStorage}/ssl:/etc/komodo/ssl:rw"
"${DockerStorage}/stacks:${DockerStorage}/stacks:rw"
];
labels = {
"komodo.skip" = "";
};
log-driver = "local";
extraOptions = [
"--network-alias=periphery"
"--network=komodo_default"
"--pull=always"
];
};
systemd.services."docker-komodo-periphery" = {
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
RestartSec = lib.mkOverride 90 "100ms";
RestartSteps = lib.mkOverride 90 9;
};
after = [
"docker-network-komodo_default.service"
# "docker-volume-komodo_repos.service"
# "docker-volume-komodo_ssl-certs.service"
# "docker-volume-komodo_stacks.service"
];
requires = [
"docker-network-komodo_default.service"
# "docker-volume-komodo_repos.service"
# "docker-volume-komodo_ssl-certs.service"
# "docker-volume-komodo_stacks.service"
];
partOf = [
"docker-compose-komodo-root.target"
];
wantedBy = [
"docker-compose-komodo-root.target"
];
};
# Networks
systemd.services."docker-network-komodo_default" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "docker network rm -f komodo_default";
};
script = ''
docker network inspect komodo_default || docker network create komodo_default
'';
partOf = [ "docker-compose-komodo-root.target" ];
wantedBy = [ "docker-compose-komodo-root.target" ];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."docker-compose-komodo-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
after = [
"docker-authentik-worker.service"
];
requires = [
"docker-authentik-worker.service"
];
wantedBy = [ "multi-user.target" ];
};
}
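Review bot: `admin` in the argument set `{ pkgs, lib, admin, ... }:` is never used in this module and, unless it is supplied as a specialArg, evaluation aborts with a missing-argument error; drop it or add a comment saying where it comes from. The core and periphery containers combine `:latest` with `--pull=always`, so each unit restart may silently pull a different build of a service that has root-equivalent reach into the host through `/var/run/docker.sock` and `/proc`; pin a tag and bump it deliberately. The root target also hard-requires `docker-authentik-worker.service`, so importing this module without the authentik module, or starting it before that unit exists, fails the whole target; if the intent is only that Komodo comes up after authentik, `after` without `requires` is the softer coupling.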


@ -0,0 +1,74 @@
###############################################################
#
# Prozy - LXC Container
# NixOS container, Ryzen 5 5600G (3 Cores), 2GB/2GB RAM/SWAP
#
###############################################################
{
inputs,
lib,
config,
pkgs,
...
}:
let
username = "toph";
in
{
imports = lib.flatten [
## Hardware ##
./hardware.nix
(map lib.custom.relativeToRoot [
## Required Configs ##
"hosts/common/core"
## Optional Configs ##
"hosts/common/optional/acme"
"hosts/common/optional/caddy"
"hosts/common/optional/docker.nix"
"hosts/common/optional/containers/cloudflared.nix"
## Cloud Specific ##
"hosts/users/${username}" # # Not the best solution but I always have one user so ¯\_(ツ)_/¯
])
];
## Host Specifications ##
hostSpec = {
hostName = "cloud";
username = username;
handle = "tophC7";
password = "[REDACTED]";
[REDACTED];
email = "[REDACTED]";
userFullName = "[REDACTED]";
isARM = false;
};
networking = {
enableIPv6 = false;
# Container Ports
[REDACTED]
80 # Caddy
443 # Caddy
[REDACTED]
];
};
## System-wide packages ##
programs.nix-ld.enable = true;
environment.systemPackages = with pkgs; [
lazydocker
];
environment.etc = {
"cloudflared/.keep" = {
text = "This directory is used to store cloudflared configuration files.";
};
};
# https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11";
}
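Review bot: The banner comment calls this host `Prozy` while `hostSpec.hostName` is `"cloud"`, so the header is either a typo or left over from another host; rename it to match, e.g. `# Cloud - LXC Container`. `inputs` and `config` are listed in the argument set but unused in this file, which is harmless if they are always provided, but trimming them keeps the header consistent with the hardware.nix files that only take what they need.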


@ -0,0 +1,12 @@
{
lib,
...
}:
{
imports = lib.flatten [
(map lib.custom.relativeToRoot [
"hosts/common/optional/system/lxc.nix"
"hosts/common/optional/system/pool.nix"
])
];
}
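Review bot: This hardware.nix is byte-identical to the ones added for the komodo and nix hosts, all three importing only `lxc.nix` and `pool.nix`; a single shared module under the common tree (placeholder: `hosts/common/optional/system/<lxc-base>.nix`) that each host's `./hardware.nix` imports would keep the LXC base definition in one place. Not blocking, but three copies will drift the first time one of them gains a host-specific mount.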


@ -0,0 +1,102 @@
###############################################################
#
# Komodo - LXC Container
# NixOS container, Ryzen 5 5600G (12 Cores), 30GB/2GB RAM/SWAP
#
###############################################################
{
inputs,
lib,
config,
pkgs,
...
}:
let
username = "toph";
in
{
imports = lib.flatten [
## Hardware ##
./hardware.nix
(map lib.custom.relativeToRoot [
## Required Configs ##
"hosts/common/core"
## Optional Configs ##
"hosts/common/optional/acme"
"hosts/common/optional/caddy"
"hosts/common/optional/docker.nix"
"hosts/common/containers/authentik"
"hosts/common/containers/komodo"
## Komodo Specific ##
"hosts/users/${username}" # # Not the best solution but I always have one user so ¯\_(ツ)_/¯
])
];
## Host Specifications ##
hostSpec = {
hostName = "komodo";
username = username;
handle = "tophC7";
password = "[REDACTED]";
[REDACTED];
email = "[REDACTED]";
userFullName = "[REDACTED]";
isARM = false;
};
networking = {
enableIPv6 = false;
# Container Ports
firewall = {
allowedTCPPorts = [
[REDACTED]
[REDACTED]
[REDACTED]
222 # Forgejo SSH
[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]
8080 # File Browser
[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]
];
# Game Server Ports
allowedTCPPortRanges = [
{
[REDACTED]
[REDACTED]
}
];
allowedUDPPorts = [
8089 # Grafana
];
};
};
## System-wide packages ##
programs.nix-ld.enable = true;
environment.systemPackages = with pkgs; [
lazydocker
compose2nix
];
# environment.etc = {
# "cloudflared/.keep" = {
# text = "This directory is used to store cloudflared configuration files.";
# };
# };
# https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11";
}
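Review bot: The commented-out `environment.etc` cloudflared block near the bottom is dead text carried over from the cloud host (the nix host's default.nix carries the same block), and this host does not import the cloudflared module; delete it rather than ship it commented out. `allowedUDPPorts = [ 8089 # Grafana ];` also deserves a more precise comment: Grafana itself serves over TCP, so if this UDP port is for a metrics agent or collector, name it so the open port stays explainable later.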


@ -0,0 +1,12 @@
{
lib,
...
}:
{
imports = lib.flatten [
(map lib.custom.relativeToRoot [
"hosts/common/optional/system/lxc.nix"
"hosts/common/optional/system/pool.nix"
])
];
}


@ -0,0 +1,65 @@
###############################################################
#
# Nix - LXC Container
# NixOS container, Ryzen 5 5600G (10 Cores), 12GB/6GB RAM/SWAP
#
###############################################################
# TODO: x2go server for remote access
{
inputs,
lib,
config,
pkgs,
...
}:
let
username = "toph";
in
{
imports = lib.flatten [
## Hardware ##
./hardware.nix
(map lib.custom.relativeToRoot [
## Required Configs ##
"hosts/common/core"
## Optional Configs ##
## Nix Specific ##
"hosts/users/${username}" # # Not the best solution but I always have one user so ¯\_(ツ)_/¯
])
];
## Host Specifications ##
hostSpec = {
hostName = "nix";
username = username;
handle = "tophC7";
password = "[REDACTED]";
[REDACTED];
email = "[REDACTED]";
userFullName = "[REDACTED]";
isARM = false;
};
networking = {
enableIPv6 = false;
};
## System-wide packages ##
programs.nix-ld.enable = true;
# environment.systemPackages = with pkgs; [
# ];
# environment.etc = {
# "cloudflared/.keep" = {
# text = "This directory is used to store cloudflared configuration files.";
# };
# };
# https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11";
}


@ -0,0 +1,12 @@
{
lib,
...
}:
{
imports = lib.flatten [
(map lib.custom.relativeToRoot [
"hosts/common/optional/system/lxc.nix"
"hosts/common/optional/system/pool.nix"
])
];
}