diff --git a/hosts/nixos/hs/system.nix b/hosts/nixos/hs/system.nix
index a97e47c..19fd371 100644
--- a/hosts/nixos/hs/system.nix
+++ b/hosts/nixos/hs/system.nix
@@ -4,6 +4,8 @@
 ./disk-config.nix
 home-manager.nixosModules.home-manager
 ../../../modules/tailscale.nix
+ ../../../modules/podman.nix
+ ../../../modules/traefik.nix
 ];
 
 # GRUB bootloader with ZFS support
@@ -63,8 +65,7 @@
 hostName = "hs";
 hostId = "8425e349"; # Required for ZFS, good practice for any system
 networkmanager.enable = true;
- firewall.enable = false;
- # firewall.allowedTCPPorts = [ 22 ]; # SSH
+ firewall = { enable = false; };
 };
 
 # Set your time zone
@@ -154,46 +155,6 @@
 };
 };
 
- # Container virtualization with Podman
- virtualisation = {
- podman = {
- enable = true;
- # Create a `docker` alias for podman, to use it as a drop-in replacement
- dockerCompat = true;
- # Required for containers under podman-compose to be able to talk to each other
- defaultNetwork.settings.dns_enabled = true;
- # Create macvlan network for Home Assistant
- extraPackages = [ pkgs.netavark pkgs.aardvark-dns ];
- };
- # Enable OCI container support
- oci-containers = {
- backend = "podman";
-
- containers.homeassistant = {
- image = "ghcr.io/home-assistant/home-assistant:stable";
-
- volumes = [
- "/home/yanlin/deploy/data/home/config:/config"
- "/etc/localtime:/etc/localtime:ro"
- "/run/dbus:/run/dbus:ro"
- ];
-
- environment = {
- TZ = "Europe/Copenhagen";
- };
-
- extraOptions = [
- "--privileged" # Required for USB device access
- "--network=host" # Use host networking
- "--device=/dev/ttyUSB0:/dev/ttyUSB0" # Sky Connect Zigbee dongle
- "--device=/dev/dri:/dev/dri" # Hardware acceleration
- ];
-
- autoStart = true;
- };
- };
- };
-
 # SnapRAID configuration for parity protection
 services.snapraid = {
 enable = true;
@@ -241,7 +202,6 @@
 ];
 };
 
- # Enable smartd for disk health monitoring
 services.smartd = {
 enable = true;
 
diff --git a/modules/podman.nix b/modules/podman.nix
new file mode 100644
index 0000000..6aeff9e
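Review bot: In the `@@ -63,8 +65,7 @@` hunk the host firewall stays off (`firewall = { enable = false; };`) while the same commit imports a Traefik module that listens on :80 and :443 and keeps Home Assistant on `--network=host`, so port 8123 remains directly reachable and the HTTPS redirect and any proxy-level controls can be bypassed. Since this line is being rewritten anyway, consider turning the firewall on and listing only what must be public, `firewall = { enable = true; allowedTCPPorts = [ 22 80 443 ]; };`, which leaves 8123 reachable only through Traefik's `http://localhost:8123` upstream. The removed `# firewall.allowedTCPPorts = [ 22 ]; # SSH` hint suggests SSH is expected, so 22 is kept in that example; drop it if SSH only arrives over the Tailscale interface configured by the neighbouring module.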
--- /dev/null
+++ b/modules/podman.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+
+{
+ # Container virtualization with Podman
+ virtualisation = {
+ podman = {
+ enable = true;
+ # Create a `docker` alias for podman, to use it as a drop-in replacement
+ dockerCompat = true;
+ # Required for containers under podman-compose to be able to talk to each other
+ defaultNetwork.settings.dns_enabled = true;
+ # Extra packages for networking
+ extraPackages = [ pkgs.netavark pkgs.aardvark-dns ];
+ };
+ # Enable OCI container support
+ oci-containers = {
+ backend = "podman";
+
+ containers.homeassistant = {
+ image = "ghcr.io/home-assistant/home-assistant:stable";
+
+ volumes = [
+ "/home/yanlin/deploy/data/home/config:/config"
+ "/etc/localtime:/etc/localtime:ro"
+ "/run/dbus:/run/dbus:ro"
+ ];
+
+ environment = {
+ TZ = "Europe/Copenhagen";
+ # Configure Home Assistant to trust reverse proxy
+ HASS_HTTP_TRUSTED_PROXY_1 = "127.0.0.1";
+ HASS_HTTP_TRUSTED_PROXY_2 = "::1";
+ HASS_HTTP_USE_X_FORWARDED_FOR = "true";
+ };
+
+ extraOptions = [
+ "--privileged" # Required for USB device access
+ "--network=host" # Use host networking
+ "--device=/dev/ttyUSB0:/dev/ttyUSB0" # Sky Connect Zigbee dongle
+ "--device=/dev/dri:/dev/dri" # Hardware acceleration
+ ];
+
+ autoStart = true;
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/traefik.nix b/modules/traefik.nix
new file mode 100644
index 0000000..b20296b
--- /dev/null
+++ b/modules/traefik.nix
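Review bot: The three new `HASS_HTTP_*` entries under `containers.homeassistant.environment` do not look like settings Home Assistant reads; as far as I know reverse-proxy trust is configured in the `http:` section of its configuration.yaml (`use_x_forwarded_for: true` plus a `trusted_proxies:` list), not through environment variables. If that is right, Home Assistant will keep attributing every request to the loopback address Traefik connects from, which blinds its IP-based login-ban and rate limiting and makes the comment `# Configure Home Assistant to trust reverse proxy` misleading. Please verify the variables against the image's documentation; otherwise move the setting into configuration.yaml under the mounted `/config` volume and drop the three lines here, trusting only the loopback addresses Traefik uses for its `http://localhost:8123` upstream.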
@@ -0,0 +1,109 @@
+{ config, pkgs, lib, ... }:
+
+{
+ # Traefik reverse proxy service
+ services.traefik = {
+ enable = true;
+
+ # Static configuration
+ staticConfigOptions = {
+ # Entry points for HTTP and HTTPS
+ entrypoints = {
+ web = {
+ address = ":80";
+ http.redirections.entrypoint = {
+ to = "websecure";
+ scheme = "https";
+ permanent = true;
+ };
+ };
+ websecure = {
+ address = ":443";
+ };
+ };
+
+ # Certificate resolver using Cloudflare DNS challenge
+ certificatesResolvers.cloudflare = {
+ acme = {
+ email = "cloudflare@yanlincs.com";
+ storage = "/var/lib/traefik/acme.json";
+ dnsChallenge = {
+ provider = "cloudflare";
+ delayBeforeCheck = 60;
+ resolvers = [
+ "1.1.1.1:53"
+ "8.8.8.8:53"
+ ];
+ };
+ };
+ };
+
+ # API and dashboard
+ api = {
+ dashboard = true;
+ debug = false;
+ };
+
+ # Logging
+ log = {
+ level = "INFO";
+ };
+ accessLog = {};
+
+ # Global settings
+ global = {
+ checkNewVersion = false;
+ sendAnonymousUsage = false;
+ };
+ };
+
+ # Dynamic configuration for services
+ dynamicConfigOptions = {
+ http = {
+ routers = {
+ homeassistant = {
+ rule = "Host(`home.hs.yanlincs.com`)";
+ service = "homeassistant";
+ tls = {
+ certResolver = "cloudflare";
+ domains = [{
+ main = "*.hs.yanlincs.com";
+ }];
+ };
+ };
+ };
+ services = {
+ homeassistant = {
+ loadBalancer = {
+ servers = [{
+ url = "http://localhost:8123";
+ }];
+ };
+ };
+ };
+ };
+ };
+
+ # Environment variables for Cloudflare
+ environmentFiles = [ "/run/secrets/traefik-env" ];
+ };
+
+ # Create environment file for Traefik Cloudflare credentials
+ systemd.services.traefik-env-setup = {
+ description = "Setup Traefik environment file";
+ before = [ "traefik.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ mkdir -p /run/secrets
+ cat > /run/secrets/traefik-env << 'EOF'
+ CF_API_EMAIL=cloudflare@yanlincs.com
+ CF_DNS_API_TOKEN=JtIInpXOB8NIDGuYvjyV6kLCysN0mb7MKvryuya-
+ EOF
+ chmod 600 /run/secrets/traefik-env
+ '';
+ };
+}
\ No newline at end of file
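Review bot: The `traefik-env-setup` script embeds the Cloudflare account email and a live `CF_DNS_API_TOKEN` as literals, so the token is now in git history and, because a unit's `script` text is built into a Nix store path, in the world-readable `/nix/store` of every machine that evaluates this configuration; the `chmod 600` on `/run/secrets/traefik-env` protects only the copy in `/run`. That token should be treated as exposed and rotated in Cloudflare, ideally reissued with the minimum scope the DNS-01 challenge needs. Provision the env file outside the store instead, for example with sops-nix or agenix or a hand-placed file that Nix never manages, keep `environmentFiles = [ "/run/secrets/traefik-env" ]` pointing at that path, and delete the `traefik-env-setup` unit and its heredoc entirely. A comment above `environmentFiles` such as `# Provisioned outside the Nix store; never inline credentials in this module` would keep the next editor from reintroducing the pattern.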