From 261e1b53642e01304b39750d6e4de83a9cb3fc8b Mon Sep 17 00:00:00 2001 From: Kalle Struik Date: Fri, 11 Apr 2025 12:20:01 +0200 Subject: [PATCH] Add proxy and git hosts and a bunch of extra documentation work --- README.md | 50 ++++++++++++++++++++++++++++++++++++++++++++- config.nix | 2 +- hosts/adguard.nix | 8 ++++++++ hosts/git.nix | 19 +++++++++++++++++ hosts/portainer.nix | 17 +++++++++++++++ hosts/proxy.nix | 21 +++++++++++++++++++ roles/traefik.nix | 1 + secrets/git.yaml | 47 ++++++++++++++++++++++++++++++++++++++++++ secrets/proxy.yaml | 42 +++++++++++++++++++++++++++++++++++++ 9 files changed, 205 insertions(+), 2 deletions(-) create mode 100644 hosts/adguard.nix create mode 100644 hosts/git.nix create mode 100644 hosts/portainer.nix create mode 100644 hosts/proxy.nix create mode 100644 secrets/git.yaml create mode 100644 secrets/proxy.yaml diff --git a/README.md b/README.md index 55d13c8..8e1d471 100644 --- a/README.md +++ b/README.md 
@@ -29,6 +29,54 @@ The nix based configuration for my home lab.
 - confgi.nix # Global configuration options
 ```
+
+## IP ranges
+```
+192.168.10.1 -> Main router
+192.168.10.2 -> Openwrt accesspoint
+192.168.10.3 -> Proxmox 1
+192.168.10.4 -> Media share (Deprecated)
+192.168.10.5 -> Mini 1 (Proxmox)
+192.168.10.6 -> Mini 2 (Proxmox) (To be deployed)
+192.168.10.[10-50] -> VM hosts
+ 10 -> Proxy
+ 11 -> Git
+ 99 -> Nix test host
+192.168.10.[100-200] -> DHCP range
+ 174 -> Bluesky PDS
+ 188 -> Portainer (Deprecated)
+ 189 -> Bastion
+ 190 -> Wings 1
+ 191 -> Adguard (Deprecated)
+ 192 -> Home assistant
+```
+
+## Data storage guidance
+There are three categories of data used by applications, each should be
+stored in their own specific way to ensure minimal possibility of data loss.
+**Nothing should be deployed if it doesn't follow these guidelines!**
+
+**Runtime state:** Data that has to be persisted to disk, but is not required
+to be present after a restart of the application. Things such as encoding caches
+fall in this category. **This data should be stored on the ephemeral file system
+only**.
+
+**Long term state:** Data that is generated by the application that has uses
+between restarts, but can be easily replaced if it is lost. This is things such
+as SSL certificates for traefik, as re-requesting these might cause
+rate-limiting related issues. **This data should be persisted to the
+`/persistent` directory. Use nix-impermanence for this.**.
+
+**Application/user data:** This is most data managed by the system. This is data
+that can not easily be replaced, such as pictures, videos, and other user
+uploaded files, but also databases which are not purely generated, such as
+Immich's database. **This data should be persisted to the Ceph cluster.
+Preferably in real-time, but if this is infeasible, for example, running
+databases on top of ceph incurs a large performance hit, the data should be
+persisted in an automated fashion, such as through a cron job making a backup
+every x hours.
+
+
 ## TODO:
 ### Services
@@ -36,7 +84,7 @@ The nix based configuration for my home lab.
 - FreshRSS: RSS server/reader
 - Gramps: Family tree
 - hoarder: Bookmark manager
-- immich: Fotos
+- immich: Photos
 - Jellyfin: Watching media files
 - Nextcloud: Files, contacts, calendar, etc
 - Pterodactyl panel: Game servers
diff --git a/config.nix b/config.nix
index 9949d67..c82902d 100644
--- a/config.nix
+++ b/config.nix
@@ -1,5 +1,5 @@
 {
- domain = "staging.kallestruik.nl";
+ domain = "kallestruik.nl";
 shortDomain = "khs.li";
 # Networking
 defaultDNS = [ "192.168.10.1" ];
diff --git a/hosts/adguard.nix b/hosts/adguard.nix
new file mode 100644
index 0000000..d042d75
--- /dev/null
+++ b/hosts/adguard.nix
@@ -0,0 +1,8 @@
+{
+ ...
+}:
+{
+ hostname = "adguard";
+ managed = false;
+ ip = "192.168.10.191";
+}
diff --git a/hosts/git.nix b/hosts/git.nix
new file mode 100644
index 0000000..bc9c8b4
--- /dev/null
+++ b/hosts/git.nix
@@ -0,0 +1,19 @@
+{
+ roles,
+ hlConfig,
+}:
+{
+ hostname = "git";
+ managed = true;
+ ip = "192.168.10.11";
+
+ roles = with roles; [
+ postgres
+
+ forgejo
+ ];
+ config = {
+ forgejo.domain = "git.${hlConfig.domain}";
+ };
+ stateVersion = "24.05";
+}
diff --git a/hosts/portainer.nix b/hosts/portainer.nix
new file mode 100644
index 0000000..6571c4c
--- /dev/null
+++ b/hosts/portainer.nix
@@ -0,0 +1,17 @@
+{
+ ...
+}:
+rec {
+ hostname = "portainer";
+ managed = false;
+ ip = "192.168.10.188";
+
+ traefikRoutes = [
+ {
+ name = "${hostname}-traefik-fallback";
+ rule = "HostRegexp(`.*`)";
+ target = "http://${ip}:80";
+ priority = 1;
+ }
+ ];
+}
diff --git a/hosts/proxy.nix b/hosts/proxy.nix
new file mode 100644
index 0000000..9ed1e76
--- /dev/null
+++ b/hosts/proxy.nix
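Review bot: The `HostRegexp` catch-all rule with `priority = 1` in `hosts/portainer.nix` makes the Portainer box, which this same commit's README marks as deprecated and which is `managed = false`, the backend for every hostname that no other router claims, including any name under the wildcard certificates `hosts/proxy.nix` requests, with the last hop over plain `http://${ip}:80`. A default route that lands on a deprecated, unmanaged host exposes more than a fallback usually should; if the goal is only to keep existing Portainer URLs working, a `Host(...)` rule for those names is narrower, and if a genuine fallback is wanted, a router that answers 404 is the safer default. Whichever is intended, the entry deserves a comment stating why it exists and when it goes away, e.g. `# Temporary catch-all so legacy Portainer-hosted names keep resolving; remove once every service has an explicit route.`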
@@ -0,0 +1,21 @@
+{
+ roles,
+ hlConfig,
+}:
+{
+ hostname = "proxy";
+ managed = true;
+ ip = "192.168.10.10";
+
+ roles = with roles; [
+ traefik
+ ];
+ config = {
+ traefik.wildcardDomains = [
+ hlConfig.domain
+ hlConfig.shortDomain
+ "pds.${hlConfig.domain}"
+ ];
+ };
+ stateVersion = "24.05";
+}
diff --git a/roles/traefik.nix b/roles/traefik.nix
index b4fe736..c802be4 100644
--- a/roles/traefik.nix
+++ b/roles/traefik.nix
@@ -129,6 +129,7 @@ entrypoints = [ "websecure" ];
 service = route.name;
 rule = route.rule;
+ priority = route.priority or "0";
 };
 }) routes );
diff --git a/secrets/git.yaml b/secrets/git.yaml
new file mode 100644
index 0000000..65592cf
--- /dev/null
+++ b/secrets/git.yaml
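Review bot: `priority = route.priority or "0";` in `roles/traefik.nix` defaults to the string `"0"` while the only route in this commit that sets the field (`hosts/portainer.nix`) passes the integer `1`, so the generated router config carries a number for some routers and a string for others. Traefik's priority is numeric, and whether its config loader coerces the quoted form is not something this hunk shows; since 0 already means "use the rule-length default", `priority = route.priority or 0;` keeps a single type with the same default. The `map` over `routes` that this line sits in starts and ends outside the hunk.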
@@ -0,0 +1,47 @@ +forgejo: + db_pass: ENC[AES256_GCM,data:Kbsfciqm7InemdMohjVU90P03N+AyG5xK3DC8Ali+86Sk1iuOqGvZrxeWQFC+C33LYBSQObcauK6zhd6mtniSg==,iv:JyktRVc9D0Bx5AAv21AzoZp0h/aFLPt6qjXQDodyND0=,tag:xunAgH+zAdecQNMtMGqyvA==,type:str] + email_host: ENC[AES256_GCM,data:xmQQelGSqEwWhuiUYgvYlxP5LTkiuw==,iv:t0H4OA4kgOFXhL2bkgGTGl+fuaHwkxwzFSwQXqZbnGA=,tag:PZhGpttL5lxMN+ar/Vdqyg==,type:str] + email_port: ENC[AES256_GCM,data:ERRb,iv:5Cs7ryQTXbIJMExHOXeCFBvHPqjaO1t7TA8VrhtiTbM=,tag:vXZnUQQ6gT/SiuGzK/+Q/g==,type:str] + email_from: ENC[AES256_GCM,data:xFFAgVmf0boB0mOcQKKhiiRQ,iv:P8jW12RYOp4zwnRKGxjFPpTU6vS6LYozTXGPoGqXv3Q=,tag:MnIKOW3NQUumWDNLZogSzw==,type:str] + email_username: ENC[AES256_GCM,data:iJ70yLlPzsmCkuq6XvsKpujx,iv:XlA7n1GIVhgWuGWoD3io0jSPy5pdlmwzyMdqztQqyGo=,tag:5YsLkLD0SOn0YJhKEKvJ8Q==,type:str] + email_password: ENC[AES256_GCM,data:Wx1y1hyIeT+D0k5kXflo86cYl3Q=,iv:uTTIsEK0y1pCIsophxBNwEKoYBBNDa8qv4arjj9c4Mw=,tag:obv6lL2btVLf9365vyb+Pg==,type:str] +postgres: + forgejo: ENC[AES256_GCM,data:jG1RpH+5t9Q2aBiB0s/euEj5xLd7+7ZY7wQ9klskjFIDbjfDT8A+Llm2VlVbQDgXlhvfGjLIA2OiR4vaEH9U4g==,iv:POoGsB0P8VmuAM16IoQinGpnkpxQxb3rNDo88THfOwQ=,tag:FazT+fvxjh0AfLsoVHD+qw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQzFEVXA0OUZMQUJtZm9o + eGFOdDVwQUNJdlRob2xwQ21lcmNvRHdtTEd3ClVyVDlWZllTcWF1SVFkMUhQR0dR + U2c3N25LRlRPYU5uTUFiTnh6M3BGRjgKLS0tIGZ5TzZCZmRDVjVhVUI4c2Q1SXRJ + OXdlazF0a2V0eWcxNitlZ2FvRjNGZXMKUYa0smUtciuNPlltmygDNe5KVBLXxLru + JeiHzNy5hEtG+3nStBR8m1A7gMJGuKEn2cvDedOOhlATKWHpb39/2A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1htf3j7d0me9f24fadwth7avs40qm8yzhczljfgh0wjepdr8utfvqd369xp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOXdQMy90QS9Uckk4SlFH + TzJlUWsrRGNFdE1yc2FZWnhsZ3hub3ZPdkVnCkY4OFhIY0tzajBkYy92K0RBejZS + 
MmtqbElJdEVhdXk2QlFzOStYRFB4YTgKLS0tIElrOUw2NGx3NGxFS211VlNBYWw2 + N0dOcEM5aTdFd0tnV0NJOWI1eUpMY00K0ZHvxPjaVJm7HdaX0HUdx7CuzMEFoSAW + razcSD3PSvF/hBAyWSE4gjWpiKX65t/P+HVmLvE8wCY0ou88H53UVA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwL1NHV1Rjd2dOamVhZUVR + RldsWko3ZkF5cGM3c241Q3MzbHRqQ2NqM2pBClpHN0RaQnZOcEVqTDVjYTNackE2 + Vzd2YXRndHBSY04xVTdvdnJBL2xoNFkKLS0tIFloYVlXSHhyU1pWRW5SVXM1UFlN + TWZsbWF0U3pCZmJKRjQwRGhKNmN6d2sKgwe0htUOOw4FEC5Xvg7FAnnb8jpt+pRP + x7OUZZG/Jeb99at9YqjJDJp2hB6SsnZsHgqrrHupqGoAYZncAF4Ngg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-08T10:49:24Z" + mac: ENC[AES256_GCM,data:DczVEHMow0k66KVcfU9tlsg131VUZhwUMSiDLBTb22KtHJs/eSrjqQ+P+naTX8a4lOAn4KzQiRugl1AieBmPhB77RyFjM2WRDLYZlbxv9d8StjNlgAdpOok4aGhxf8fncI+op+Gk5HOSoVsT7IVnofK+0V+14XhmgfQJpHuP2yE=,iv:Z4yfkbrvhlubP8DNhGkfwzvOI1CRJBgo7MolxGV3/EU=,tag:ptATWw7zn0UP/GFBRSy/bg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/secrets/proxy.yaml b/secrets/proxy.yaml new file mode 100644 index 0000000..4abafd3 --- /dev/null +++ b/secrets/proxy.yaml 
@@ -0,0 +1,42 @@ +traefik: + acmeEmail: ENC[AES256_GCM,data:2NIn1rMLFehqkAO3tjFDn9UF7BMBKhD9aGU=,iv:WoFtJFykx8IEXxThJSVmNlOm0zfI0WP9Y3Ew8Eqg8aQ=,tag:r2LMLztbW0MBXwBPwoZJ5w==,type:str] + CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:IyhExThwo41VOdWBO55KsDZfaEnTuBXkdA==,iv:amtywKJXT87IuqeKqhX7Jx8VeWtZ4KaVyc5CRoRg7SM=,tag:2EZTdhdXrG7JC0NDfjd3Dg==,type:str] + CLOUDFLARE_DNS_API_TOKEN: ENC[AES256_GCM,data:WaHJsdz9/SLNeKvxm54uXnZs7+e7phSbtWaccQPbX4Qv4aDF9CSVog==,iv:1bJen5qfY/bLd87LUTdbioMQPT1iH/91YhJm3Syf8yw=,tag:vdt5cPk3Zb/6ka9AJ5uk0w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeGxXdll5TkxVWHJBSVVr + WVF4VTlRWUErdUJqTGl5V24zV0hRYmd1N3hJCjVOMXZVVVpTREtUdzhranJiWSs5 + cUd2N0VWa2gxUXhkQjlGV05EclRWOHMKLS0tIHFsMloxZ2d1UzU5eDVGT3dXWTNq + c3dpUlNCVjJzcE5aeS9xTFkrRXowVmcK799dYn13LAhigtQxD+uO8hcjddkdK0QG + F5txOFUUozgf7bgiTDhLlNQk2IV8cxk5TlNUKwr32C/bLsxyTvcTHg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1htf3j7d0me9f24fadwth7avs40qm8yzhczljfgh0wjepdr8utfvqd369xp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaRjlkcXNyMitndy8zNnpP + ZnU3dnNzWEdvKzNBRVk2UVdaRVYrZVlDNVg0CnQ3MlpWTVBheUhsZ0RmZGJnL2VK + ZlZ0clFZRmtma0xZU1hYaGVUSXcvSEUKLS0tIFd4NmhPNUdCalpDVmQ3SHB1QWlV + UWo5dWdTelJvdzVqU1l4cU8zZlcvWFkK6/4uT9YwqyVBkT3z9w+SuLHttVTRZw4s + ztujbvxEgxfG/57PdbBXjPKyke/GZIJbUSFrWMNId5Ni5PsOJrMK+Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycm5IOGM2VDRwejRiS1Y1 + dUZ2Zyt6c3RLaVFwYkJmaTFCeVk5UU1ZdzFVCklMRjRoZFgrL2oweko4eC9XenFy + OStrSzFOQnlSbllKYWpLMEs4QllNUDgKLS0tIFI0YmptcDlGM0tjdkNtdW9OdU84 + SkJER2I3bDRGcjA5TFkwWDlwcFd0bUkKqsnJjdyDhA6d4aux89pI6uqxh1tAvfop + 
QE7Y7p7C8mRizec9HSjbSzHXvqic4shhxRzgk6jQy07nvIe+1CW7pQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-08T10:49:42Z" + mac: ENC[AES256_GCM,data:ClOIl+pDrTl1+ppHnCm//C5jPzAwQeaPck7Utr9KxKBfJzVfSQIvZdokXSCrOKm9vFrg4SODpGsYF2sUD3H0W9otys1FyDghoX1yZhWLkeBBcxzfb35hALZQFt+wUm0n0QGkNjAq/YtT0431Y8tr42h4MeSGv6JgyZEBkLf8D4o=,iv:k1B92QH6RkdcHyJC/z9fkg/OWkln4wdGQCBwuCYTo04=,tag:KWk6hRf/IqeGaUO+2hKIOA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1
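Review bot: `secrets/proxy.yaml` introduces `CLOUDFLARE_DNS_API_TOKEN` and `CLOUDFLARE_EMAIL` for the proxy host, but nothing in the tree records what that token is scoped to, and the ciphertext cannot show it. As far as I know the token-based Cloudflare flow does not need the e-mail at all, which is the variable usually paired with an account-wide API key, so it is worth confirming this is a scoped token and documenting in the README's secrets or proxy section which zones and permissions it carries (DNS edit on the zones behind `traefik.wildcardDomains` is all the ACME DNS challenge needs). The same documentation gap applies to the Forgejo `email_*` credentials added in `secrets/git.yaml`.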