Add proxy and git hosts and a bunch of extra documentation work

This commit is contained in:
kalle 2025-04-11 12:20:01 +02:00
parent 756b3dd576
commit 261e1b5364
9 changed files with 205 additions and 2 deletions


@ -29,6 +29,54 @@ The nix based configuration for my home lab.
- confgi.nix # Global configuration options - confgi.nix # Global configuration options
``` ```
## IP ranges
```
192.168.10.1 -> Main router
192.168.10.2 -> Openwrt accesspoint
192.168.10.3 -> Proxmox 1
192.168.10.4 -> Media share (Deprecated)
192.168.10.5 -> Mini 1 (Proxmox)
192.168.10.6 -> Mini 2 (Proxmox) (To be deployed)
192.168.10.[10-50] -> VM hosts
10 -> Proxy
11 -> Git
99 -> Nix test host
192.168.10.[100-200] -> DHCP range
174 -> Bluesky PDS
188 -> Portainer (Deprecated)
189 -> Bastion
190 -> Wings 1
191 -> Adguard (Deprecated)
192 -> Home assistant
```
## Data storage guidance
There are three categories of data used by applications, each should be
stored in their own specific way to ensure minimal possibility of data loss.
**Nothing should be deployed if it doesn't follow these guidelines!**
**Runtime state:** Data that has to be persisted to disk, but is not required
to be present after a restart of the application. Things such as encoding caches
fall in this category. **This data should be stored on the ephemeral file system
only**.
**Long term state:** Data that is generated by the application that has uses
between restarts, but can be easily replaced if it is lost. This is things such
as SSL certificates for traefik, as re-requesting these might cause
rate-limiting related issues. **This data should be persisted to the
`/persistent` directory. Use nix-impermanence for this.**.
**Application/user data:** This is most data managed by the system. This is data
that can not easily be replaced, such as pictures, videos, and other user
uploaded files, but also databases which are not purely generated, such as
Immich's database. **This data should be persisted to the Ceph cluster.
Preferably in real-time, but if this is infeasible, for example, running
databases on top of ceph incurs a large performance hit, the data should be
persisted in an automated fashion, such as through a cron job making a backup
every x hours.
## TODO: ## TODO:
### Services ### Services
@ -36,7 +84,7 @@ The nix based configuration for my home lab.
- FreshRSS: RSS server/reader - FreshRSS: RSS server/reader
- Gramps: Family tree - Gramps: Family tree
- hoarder: Bookmark manager - hoarder: Bookmark manager
- immich: Fotos - immich: Photos
- Jellyfin: Watching media files - Jellyfin: Watching media files
- Nextcloud: Files, contacts, calendar, etc - Nextcloud: Files, contacts, calendar, etc
- Pterodactyl panel: Game servers - Pterodactyl panel: Game servers


@ -1,5 +1,5 @@
{ {
domain = "staging.kallestruik.nl"; domain = "kallestruik.nl";
shortDomain = "khs.li"; shortDomain = "khs.li";
# Networking # Networking
defaultDNS = [ "192.168.10.1" ]; defaultDNS = [ "192.168.10.1" ];

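--- /dev/null
+++ b/hosts/adguard.nix
@@ -0,0 +1,8 @@
+{
+...
+}:
+{
+hostname = "adguard";
+managed = false;
+ip = "192.168.10.191";
+}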

hosts/git.nix Normal file

@ -0,0 +1,19 @@
{
roles,
hlConfig,
}:
{
hostname = "git";
managed = true;
ip = "192.168.10.11";
roles = with roles; [
postgres
forgejo
];
config = {
forgejo.domain = "git.${hlConfig.domain}";
};
stateVersion = "24.05";
}

hosts/portainer.nix Normal file

@ -0,0 +1,17 @@
{
...
}:
rec {
hostname = "portainer";
managed = false;
ip = "192.168.10.188";
traefikRoutes = [
{
name = "${hostname}-traefik-fallback";
rule = "HostRegexp(`.*`)";
target = "http://${ip}:80";
priority = 1;
}
];
}
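Review bot: The fallback route on the rule line matches every hostname (`HostRegexp(`.*`)`) on the websecure entrypoint and forwards it over plain HTTP to the Portainer host, which the README in this same commit marks as deprecated, so any name that resolves to the proxy and matches no other router lands on a container-management UI served under the wildcard certificates. If Portainer is being retired, drop this route or point the fallback at a service that answers 404 rather than a management interface. If it is kept on purpose, a comment stating why a deprecated host is the catch-all target would help the next maintainer: `# Catch-all for unmatched hosts; TODO retire together with Portainer`.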

hosts/proxy.nix Normal file

@ -0,0 +1,21 @@
{
roles,
hlConfig,
}:
{
hostname = "proxy";
managed = true;
ip = "192.168.10.10";
roles = with roles; [
traefik
];
config = {
traefik.wildcardDomains = [
hlConfig.domain
hlConfig.shortDomain
"pds.${hlConfig.domain}"
];
};
stateVersion = "24.05";
}


@ -129,6 +129,7 @@
entrypoints = [ "websecure" ]; entrypoints = [ "websecure" ];
service = route.name; service = route.name;
rule = route.rule; rule = route.rule;
priority = route.priority or "0";
}; };
}) routes }) routes
); );
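Review bot: The default on the added priority line is the string `"0"`, while hosts/portainer.nix in this same commit sets `priority = 1;` as an integer, so the generated router config will carry mixed types for a field Traefik documents as an integer; `priority = route.priority or 0;` keeps every route emitting a number. Whether the string form is tolerated depends on how the attribute set is serialized, which is outside this hunk, but the inconsistency is visible in the commit itself. The expression that builds the router entries starts before and ends after the hunk.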

secrets/git.yaml Normal file

@ -0,0 +1,47 @@
forgejo:
db_pass: ENC[AES256_GCM,data:Kbsfciqm7InemdMohjVU90P03N+AyG5xK3DC8Ali+86Sk1iuOqGvZrxeWQFC+C33LYBSQObcauK6zhd6mtniSg==,iv:JyktRVc9D0Bx5AAv21AzoZp0h/aFLPt6qjXQDodyND0=,tag:xunAgH+zAdecQNMtMGqyvA==,type:str]
email_host: ENC[AES256_GCM,data:xmQQelGSqEwWhuiUYgvYlxP5LTkiuw==,iv:t0H4OA4kgOFXhL2bkgGTGl+fuaHwkxwzFSwQXqZbnGA=,tag:PZhGpttL5lxMN+ar/Vdqyg==,type:str]
email_port: ENC[AES256_GCM,data:ERRb,iv:5Cs7ryQTXbIJMExHOXeCFBvHPqjaO1t7TA8VrhtiTbM=,tag:vXZnUQQ6gT/SiuGzK/+Q/g==,type:str]
email_from: ENC[AES256_GCM,data:xFFAgVmf0boB0mOcQKKhiiRQ,iv:P8jW12RYOp4zwnRKGxjFPpTU6vS6LYozTXGPoGqXv3Q=,tag:MnIKOW3NQUumWDNLZogSzw==,type:str]
email_username: ENC[AES256_GCM,data:iJ70yLlPzsmCkuq6XvsKpujx,iv:XlA7n1GIVhgWuGWoD3io0jSPy5pdlmwzyMdqztQqyGo=,tag:5YsLkLD0SOn0YJhKEKvJ8Q==,type:str]
email_password: ENC[AES256_GCM,data:Wx1y1hyIeT+D0k5kXflo86cYl3Q=,iv:uTTIsEK0y1pCIsophxBNwEKoYBBNDa8qv4arjj9c4Mw=,tag:obv6lL2btVLf9365vyb+Pg==,type:str]
postgres:
forgejo: ENC[AES256_GCM,data:jG1RpH+5t9Q2aBiB0s/euEj5xLd7+7ZY7wQ9klskjFIDbjfDT8A+Llm2VlVbQDgXlhvfGjLIA2OiR4vaEH9U4g==,iv:POoGsB0P8VmuAM16IoQinGpnkpxQxb3rNDo88THfOwQ=,tag:FazT+fvxjh0AfLsoVHD+qw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQzFEVXA0OUZMQUJtZm9o
eGFOdDVwQUNJdlRob2xwQ21lcmNvRHdtTEd3ClVyVDlWZllTcWF1SVFkMUhQR0dR
U2c3N25LRlRPYU5uTUFiTnh6M3BGRjgKLS0tIGZ5TzZCZmRDVjVhVUI4c2Q1SXRJ
OXdlazF0a2V0eWcxNitlZ2FvRjNGZXMKUYa0smUtciuNPlltmygDNe5KVBLXxLru
JeiHzNy5hEtG+3nStBR8m1A7gMJGuKEn2cvDedOOhlATKWHpb39/2A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1htf3j7d0me9f24fadwth7avs40qm8yzhczljfgh0wjepdr8utfvqd369xp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOXdQMy90QS9Uckk4SlFH
TzJlUWsrRGNFdE1yc2FZWnhsZ3hub3ZPdkVnCkY4OFhIY0tzajBkYy92K0RBejZS
MmtqbElJdEVhdXk2QlFzOStYRFB4YTgKLS0tIElrOUw2NGx3NGxFS211VlNBYWw2
N0dOcEM5aTdFd0tnV0NJOWI1eUpMY00K0ZHvxPjaVJm7HdaX0HUdx7CuzMEFoSAW
razcSD3PSvF/hBAyWSE4gjWpiKX65t/P+HVmLvE8wCY0ou88H53UVA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwL1NHV1Rjd2dOamVhZUVR
RldsWko3ZkF5cGM3c241Q3MzbHRqQ2NqM2pBClpHN0RaQnZOcEVqTDVjYTNackE2
Vzd2YXRndHBSY04xVTdvdnJBL2xoNFkKLS0tIFloYVlXSHhyU1pWRW5SVXM1UFlN
TWZsbWF0U3pCZmJKRjQwRGhKNmN6d2sKgwe0htUOOw4FEC5Xvg7FAnnb8jpt+pRP
x7OUZZG/Jeb99at9YqjJDJp2hB6SsnZsHgqrrHupqGoAYZncAF4Ngg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-08T10:49:24Z"
mac: ENC[AES256_GCM,data:DczVEHMow0k66KVcfU9tlsg131VUZhwUMSiDLBTb22KtHJs/eSrjqQ+P+naTX8a4lOAn4KzQiRugl1AieBmPhB77RyFjM2WRDLYZlbxv9d8StjNlgAdpOok4aGhxf8fncI+op+Gk5HOSoVsT7IVnofK+0V+14XhmgfQJpHuP2yE=,iv:Z4yfkbrvhlubP8DNhGkfwzvOI1CRJBgo7MolxGV3/EU=,tag:ptATWw7zn0UP/GFBRSy/bg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1
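Review bot: The file holds two database credentials, `forgejo.db_pass` and `postgres.forgejo`, and nothing records whether they must hold the same value; since the ciphertexts cannot be compared here, a maintainer rotating one will not know to rotate the other. If the two keys are the same password consumed by the forgejo and postgres roles respectively, a plain comment above the postgres block, which sops keeps in clear, would prevent drift: `# Must match forgejo.db_pass above; rotate both together`. If they are intentionally distinct, say so instead.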

secrets/proxy.yaml Normal file

@ -0,0 +1,42 @@
traefik:
acmeEmail: ENC[AES256_GCM,data:2NIn1rMLFehqkAO3tjFDn9UF7BMBKhD9aGU=,iv:WoFtJFykx8IEXxThJSVmNlOm0zfI0WP9Y3Ew8Eqg8aQ=,tag:r2LMLztbW0MBXwBPwoZJ5w==,type:str]
CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:IyhExThwo41VOdWBO55KsDZfaEnTuBXkdA==,iv:amtywKJXT87IuqeKqhX7Jx8VeWtZ4KaVyc5CRoRg7SM=,tag:2EZTdhdXrG7JC0NDfjd3Dg==,type:str]
CLOUDFLARE_DNS_API_TOKEN: ENC[AES256_GCM,data:WaHJsdz9/SLNeKvxm54uXnZs7+e7phSbtWaccQPbX4Qv4aDF9CSVog==,iv:1bJen5qfY/bLd87LUTdbioMQPT1iH/91YhJm3Syf8yw=,tag:vdt5cPk3Zb/6ka9AJ5uk0w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeGxXdll5TkxVWHJBSVVr
WVF4VTlRWUErdUJqTGl5V24zV0hRYmd1N3hJCjVOMXZVVVpTREtUdzhranJiWSs5
cUd2N0VWa2gxUXhkQjlGV05EclRWOHMKLS0tIHFsMloxZ2d1UzU5eDVGT3dXWTNq
c3dpUlNCVjJzcE5aeS9xTFkrRXowVmcK799dYn13LAhigtQxD+uO8hcjddkdK0QG
F5txOFUUozgf7bgiTDhLlNQk2IV8cxk5TlNUKwr32C/bLsxyTvcTHg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1htf3j7d0me9f24fadwth7avs40qm8yzhczljfgh0wjepdr8utfvqd369xp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaRjlkcXNyMitndy8zNnpP
ZnU3dnNzWEdvKzNBRVk2UVdaRVYrZVlDNVg0CnQ3MlpWTVBheUhsZ0RmZGJnL2VK
ZlZ0clFZRmtma0xZU1hYaGVUSXcvSEUKLS0tIFd4NmhPNUdCalpDVmQ3SHB1QWlV
UWo5dWdTelJvdzVqU1l4cU8zZlcvWFkK6/4uT9YwqyVBkT3z9w+SuLHttVTRZw4s
ztujbvxEgxfG/57PdbBXjPKyke/GZIJbUSFrWMNId5Ni5PsOJrMK+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycm5IOGM2VDRwejRiS1Y1
dUZ2Zyt6c3RLaVFwYkJmaTFCeVk5UU1ZdzFVCklMRjRoZFgrL2oweko4eC9XenFy
OStrSzFOQnlSbllKYWpLMEs4QllNUDgKLS0tIFI0YmptcDlGM0tjdkNtdW9OdU84
SkJER2I3bDRGcjA5TFkwWDlwcFd0bUkKqsnJjdyDhA6d4aux89pI6uqxh1tAvfop
QE7Y7p7C8mRizec9HSjbSzHXvqic4shhxRzgk6jQy07nvIe+1CW7pQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-08T10:49:42Z"
mac: ENC[AES256_GCM,data:ClOIl+pDrTl1+ppHnCm//C5jPzAwQeaPck7Utr9KxKBfJzVfSQIvZdokXSCrOKm9vFrg4SODpGsYF2sUD3H0W9otys1FyDghoX1yZhWLkeBBcxzfb35hALZQFt+wUm0n0QGkNjAq/YtT0431Y8tr42h4MeSGv6JgyZEBkLf8D4o=,iv:k1B92QH6RkdcHyJC/z9fkg/OWkln4wdGQCBwuCYTo04=,tag:KWk6hRf/IqeGaUO+2hKIOA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1
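Review bot: Nothing on the CLOUDFLARE_DNS_API_TOKEN line records the scope of the token; it presumably backs DNS-01 challenges for the wildcard domains listed in hosts/proxy.nix, and a token with DNS edit rights on every zone of the account would let a compromise of the proxy host rewrite records well beyond those zones. A comment in this file, which sops keeps in clear, lets the next maintainer check least privilege without decrypting: `# Cloudflare API token: Zone:DNS:Edit, restricted to the zones in hosts/proxy.nix wildcardDomains`. The secret is encrypted to three age recipients; which of them is the proxy host's key is not visible here.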