From 0dfc11363a166df5ac08b64f18a3fd67b9e72130 Mon Sep 17 00:00:00 2001
From: Christoph Urlacher
Date: Thu, 10 Jul 2025 00:41:05 +0200
Subject: [PATCH] System/Thinknix: Add thinknix config
---
 system/default.nix | 1 +
 system/services/nginx-proxy-manager.nix | 4 +-
 system/services/portainer-agent.nix | 38 +++++++++++
 system/services/portainer.nix | 37 ++---------
 system/services/wireguard.nix | 43 +++++++++++++
 system/thinknix/default.nix | 74 ++++++++++++++++++++++
 system/thinknix/hardware-configuration.nix | 65 +++++++++++++++++++
 7 files changed, 229 insertions(+), 33 deletions(-)
 create mode 100644 system/services/portainer-agent.nix
 create mode 100644 system/services/wireguard.nix
 create mode 100644 system/thinknix/default.nix
 create mode 100644 system/thinknix/hardware-configuration.nix
diff --git a/system/default.nix b/system/default.nix
index c937bf1d..ad887b1a 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -48,6 +48,7 @@ with mylib.networking; {
 # Use podman on the desktops, the servers are
 # already configured using docker though...
+ # TODO: Use podman on the servers
 podman = !headless;
 docker.rootless = true;
 };
diff --git a/system/services/nginx-proxy-manager.nix b/system/services/nginx-proxy-manager.nix
index 2b8a7e69..1e51fdf2 100644
--- a/system/services/nginx-proxy-manager.nix
+++ b/system/services/nginx-proxy-manager.nix
@@ -17,9 +17,7 @@
 passwordFile = "${config.sops.secrets.docker-password.path}";
 };
- dependsOn = [
- # "pihole"
- ];
+ dependsOn = [];
 ports = [
 "80:80"
diff --git a/system/services/portainer-agent.nix b/system/services/portainer-agent.nix
new file mode 100644
index 00000000..b90c34e9
--- /dev/null
+++ b/system/services/portainer-agent.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ virtualisation.oci-containers.containers.portainer-agent = {
+ image = "portainer/agent:latest";
+ autoStart = true;
+
+ login = {
+ # Uses DockerHub by default
+ # registry = "";
+
+ # DockerHub Credentials
+ username = "christoph.urlacher@protonmail.com";
+ passwordFile = "${config.sops.secrets.docker-password.path}";
+ };
+
+ dependsOn = [];
+
+ ports = [
+ "9001:9001"
+ ];
+
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ "/var/lib/docker/volumes:/var/lib/docker/volumes"
+ ];
+
+ environment = {};
+
+ extraOptions = [
+ # This container needs to be accessible from another machine inside the LAN
+ # "--net=behind-nginx"
+ ];
+ };
+}
diff --git a/system/services/portainer.nix b/system/services/portainer.nix
index 71ce3fd7..272ba112 100644
--- a/system/services/portainer.nix
+++ b/system/services/portainer.nix
@@ -4,32 +4,8 @@
 pkgs,
 ...
 }: {
- # virtualisation.oci-containers.containers.portainer = {
- # image = "portainer/portainer-ce:latest";
- # autoStart = true;
-
- # dependsOn = [];
-
- # ports = [
- # # "8000:8000"
- # # "9443:9443"
- # ];
-
- # volumes = [
- # "portainer_config:/data"
-
- # "/var/run/docker.sock:/var/run/docker.sock"
- # ];
-
- # environment = {};
-
- # extraOptions = [
- # "--net=behind-nginx"
- # ];
- # };
-
- virtualisation.oci-containers.containers.portainer-agent = {
- image = "portainer/agent:latest";
+ virtualisation.oci-containers.containers.portainer = {
+ image = "portainer/portainer-ce:latest";
 autoStart = true;
 login = {
@@ -44,19 +20,20 @@
 dependsOn = [];
 ports = [
- "9001:9001"
+ # "8000:8000"
+ # "9443:9443"
 ];
 volumes = [
+ "portainer_config:/data"
+
 "/var/run/docker.sock:/var/run/docker.sock"
- "/var/lib/docker/volumes:/var/lib/docker/volumes"
 ];
 environment = {};
 extraOptions = [
- # This container needs to be accessible from another machine inside the LAN
- # "--net=behind-nginx"
+ "--net=behind-nginx"
 ];
 };
 }
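Review bot: `"9001:9001"` publishes the agent on every host interface while the same file hands it `/var/run/docker.sock` and `/var/lib/docker/volumes`, so anyone who can reach TCP 9001 effectively has root on the host. The comment says only another LAN machine (presumably the Portainer server) needs it, so bind the port to that interface's address, e.g. `"<lan-ip>:9001:9001"`, and enrol the agent with a shared secret instead of relying on network position alone — Portainer's agent honours an `AGENT_SECRET` environment variable (confirm for the version you pull), which here belongs in a sops-managed `environmentFiles` entry rather than `environment` so it does not land in the world-readable Nix store. Pulling `portainer/agent:latest` into a container that holds the docker socket also turns any compromised upstream push into host root; pin a release tag or `@sha256:` digest and let whats-up-docker report when it is stale.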
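Review bot: The rebuilt `portainer` container mounts `/var/run/docker.sock` but keeps `image = "portainer/portainer-ce:latest"`; with the socket inside, the container's trust boundary is the host's, so a mutable upstream tag is a supply-chain risk — pin a release tag or `@sha256:` digest and bump it deliberately. Leaving both host ports commented out and reaching the container only over `--net=behind-nginx` is the right direction, but it means the admin UI is exactly as protected as the proxy in front of it; the proxy's published ports are outside this hunk, so confirm it terminates TLS before the login form is exposed. A one-line comment above the `volumes` block, `# docker.sock == root on the host: only pinned images belong here`, would record the reasoning for the next edit.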
diff --git a/system/services/wireguard.nix b/system/services/wireguard.nix
new file mode 100644
index 00000000..84d7a400
--- /dev/null
+++ b/system/services/wireguard.nix
@@ -0,0 +1,43 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ virtualisation.oci-containers.containers.wireguard = {
+ image = "linuxserver/wireguard:latest";
+ autoStart = true;
+
+ login = {
+ # Uses DockerHub by default
+ # registry = "";
+
+ # DockerHub Credentials
+ username = "christoph.urlacher@protonmail.com";
+ passwordFile = "${config.sops.secrets.docker-password.path}";
+ };
+
+ dependsOn = [];
+
+ ports = [
+ "51820:51820"
+ ];
+
+ volumes = [
+ "wireguard_vps_config:/config"
+ "wireguard_vps_modules:/lib/modules"
+ ];
+
+ environment = {
+ PUID = "1000";
+ PGID = "1000";
+ TZ = "Europe/Berlin";
+ };
+
+ extraOptions = [
+ "--cap-add=NET_ADMIN"
+ "--cap-add=SYS_MODULE"
+ # "--net=behind-nginx"
+ ];
+ };
+}
diff --git a/system/thinknix/default.nix b/system/thinknix/default.nix
new file mode 100644
index 00000000..957ca229
--- /dev/null
+++ b/system/thinknix/default.nix
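Review bot: `"51820:51820"` publishes a TCP port only — Docker assumes TCP when no protocol suffix is given — but WireGuard speaks UDP, so no peer will reach this container; it needs `"51820:51820/udp"`. `--cap-add=SYS_MODULE` together with the `wireguard_vps_modules:/lib/modules` mount lets the container load arbitrary kernel modules, which is equivalent to root on the host; on a NixOS kernel WireGuard is in-tree (since 5.6), so drop both and keep only `NET_ADMIN`, re-adding them only if the image logs that it cannot find the module. The volumes are named `wireguard_vps_*` although this service is imported on the LAN host thinknix in this same patch — worth renaming or commenting so the two deployments are not confused.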
@@ -0,0 +1,74 @@
+{
+ inputs,
+ hostname,
+ lib,
+ mylib,
+ config,
+ pkgs,
+ system,
+ username,
+ headless,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+
+ ../modules
+
+ # General services
+ ../services/adguard.nix
+ ../services/nginx-proxy-manager.nix
+ ../services/portainer.nix
+ ../services/whats-up-docker.nix
+ ../services/wireguard.nix
+ ];
+
+ modules = {
+ docker.networks."behind-nginx" = {
+ disable_masquerade = false;
+ ipv6.enable = false;
+ };
+
+ network = {
+ useNetworkManager = false;
+
+ networks = {
+ "10-ether-1G" = mylib.networking.mkStaticSystemdNetwork {
+ interface = "ens18";
+ ips = ["192.168.86.26/24"];
+ routers = ["192.168.86.5"];
+ nameservers = ["127.0.0.1"];
+ routable = true;
+ };
+ };
+
+ allowedTCPPorts = [
+ 53 # DNS
+ 80 # HTTP
+ ];
+ allowedUDPPorts = [
+ 53 # DNS
+ 67 # DHCP
+ ];
+ };
+ };
+
+ services = {
+ # Configure keymap in X11
+ xserver = {
+ layout = "us";
+ xkbVariant = "altgr-intl";
+ };
+
+ qemuGuest.enable = true;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+}
diff --git a/system/thinknix/hardware-configuration.nix b/system/thinknix/hardware-configuration.nix
new file mode 100644
index 00000000..dc305879
--- /dev/null
+++ b/system/thinknix/hardware-configuration.nix
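Review bot: `../services/wireguard.nix` is imported, but `allowedUDPPorts` lists only 53 and 67, so the WireGuard port that service publishes is absent from the firewall policy. Whether that actually blocks peers depends on how `modules.network` maps onto the NixOS firewall and on the container runtime: rootful Docker installs its own DNAT/FORWARD rules that bypass the host INPUT chain, whereas a rootless setup (`docker.rootless = true` is set in system/default.nix in this patch) forwards published ports from userspace and is subject to INPUT. Either way the list should state the intent explicitly — add `51820 # WireGuard` under `allowedUDPPorts`, or a comment noting that container-published ports are governed by Docker's own rules rather than this list — so a reader does not take 53/67/80 as the whole exposed surface of a host that also mounts the docker socket into two containers.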
@@ -0,0 +1,65 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot = {
+ initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
+ initrd.kernelModules = [];
+ kernelModules = ["kvm-intel"];
+ extraModulePackages = [];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/2d1b1f62-f008-4562-906e-5a63d854b18b";
+ fsType = "ext4";
+ options = ["defaults" "rw" "relatime"];
+ };
+
+ # Synology DS223j
+
+ "/media/synology-syncthing" = {
+ device = "192.168.86.15:/volume1/DockerVolumes";
+ fsType = "nfs";
+ options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"];
+ };
+
+ # SG Exos Mirror Shares
+
+ "/media/Movie" = {
+ device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Movie";
+ fsType = "nfs";
+ options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"];
+ };
+
+ "/media/Show" = {
+ device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Show";
+ fsType = "nfs";
+ options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"];
+ };
+
+ "/media/TV-Music" = {
+ device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Music";
+ fsType = "nfs";
+ options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"];
+ };
+ };
+
+ swapDevices = [];
+
+ hardware = {
+ enableAllFirmware = true;
+ enableRedistributableFirmware = true;
+ cpu.intel.updateMicrocode = true;
+ bluetooth.enable = false;
+ };
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
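Review bot: Every NFS share is mounted `rw` with `soft`, and nfs(5) warns that a soft mount returns I/O errors once the retry budget is spent rather than waiting, so writes to the Synology and Exos shares can be silently lost whenever the NAS or the link stalls; for writable data the option should be `hard`. If the aim is to keep boot from blocking, `bg` already backgrounds the initial mount, and `hard` combined with `x-systemd.automount` and `nofail`, e.g. `options = ["defaults" "rw" "relatime" "_netdev" "hard" "x-systemd.automount" "nofail"];`, keeps that property without the data-loss trade. No `sec=` is given, so these mounts use AUTH_SYS: the servers trust this client's uid/gid numbers and any host on 192.168.86.0/24 that can spoof the client address, which is worth a comment above `# Synology DS223j` stating that the exports are IP-restricted (or switching to `sec=krb5p` if the NAS supports it) so that trust is explicit rather than implied.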