diff --git a/flake.lock b/flake.lock index e7ad6de..3486c25 100644 --- a/flake.lock +++ b/flake.lock @@ -50,11 +50,11 @@ ] }, "locked": { - "lastModified": 1776613567, - "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=", + "lastModified": 1777713215, + "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=", "owner": "nix-community", "repo": "disko", - "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d", + "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267", "type": "github" }, "original": { @@ -144,11 +144,11 @@ ] }, "locked": { - "lastModified": 1775425411, - "narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=", + "lastModified": 1777771528, + "narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=", "owner": "nix-community", "repo": "home-manager", - "rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe", + "rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51", "type": "github" }, "original": { @@ -181,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1776983936, - "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=", + "lastModified": 1777796046, + "narHash": "sha256-bEJp/zaQApzynGRaAO62BZSz9tFikKtIHCn2yIA/s7Q=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", + "rev": "eeb02f6e29fc8139c0b15af5ff0fdfdc6d0d3d90", "type": "github" }, "original": { @@ -197,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1776734388, - "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=", + "lastModified": 1777673416, + "narHash": "sha256-5c2POKPOjU40Kh0MirOdScBLG0bu9TAuPYAtPRNZMBs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac", + "rev": "26ef669cffa904b6f6832ab57b77892a37c1a671", "type": "github" }, "original": { 
@@ -261,11 +261,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1776877367,
- "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
+ "lastModified": 1777578337,
+ "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
+ "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
 "type": "github"
 },
 "original": {
@@ -307,11 +307,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1775228763,
- "narHash": "sha256-8fKOEOouCaPZLBTdWPS+uU0bxsPp1OmfloDNoNSiu8w=",
+ "lastModified": 1777731636,
+ "narHash": "sha256-OkFcWIKnrl0n5ULcFnzmLjdfD7Z8IHtYLge3e7EuARs=",
 "owner": "SaumonNet",
 "repo": "proxmox-nixos",
- "rev": "e803cb839e5e5207fa37d92bc6ac7290f4dba633",
+ "rev": "22b690085bfb2b82cbbc8e9d637a67c9c704b6db",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index d3bb15e..0937102 100644
--- a/flake.nix
+++ b/flake.nix
@@ -143,6 +143,9 @@
 specialArgs = {
 inherit inputs outputs;
+ pkgs-unstable = import nixpkgs-unstable {
+ inherit system;
+ };
 };
 modules = [
@@ -177,7 +180,6 @@
 inherit inputs outputs;
 pkgs-unstable = import nixpkgs-unstable {
 inherit system;
- config.allowUnfree = true;
 };
 };
diff --git a/hosts/busch-main-docker/default.nix b/hosts/busch-main-docker/default.nix
index 42b93a4..21d1cc9 100644
--- a/hosts/busch-main-docker/default.nix
+++ b/hosts/busch-main-docker/default.nix
@@ -1,4 +1,4 @@
-{ inputs, outputs, config, lib, pkgs, ... }:
+{ inputs, outputs, config, lib, pkgs, pkgs-unstable, ... }:
 {
 imports =
@@ -12,6 +12,7 @@
 ../../modules/server-cli.nix
 ../../modules/sshd.nix
 ../../modules/docker.nix
+ ../../modules/netbird-client.nix
 "${inputs.secrets}/modules/opkssh.nix"
 # Include the results of the hardware scan.
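Review bot: The `pkgs-unstable = import nixpkgs-unstable { inherit system; };` added to this `specialArgs` block in flake.nix duplicates the one the -177 hunk edits a few lines further down, and the two had already diverged once (that copy carried `config.allowUnfree = true;`, which the -177 hunk now drops). Hoisting the import into one `let` binding above both configurations, e.g. `pkgsUnstableFor = system: import nixpkgs-unstable { inherit system; };` and then `pkgs-unstable = pkgsUnstableFor system;` in each block, keeps the two from drifting again and gives any future `config` setting a single home. If unfree packages are still expected from `pkgs-unstable` on the second host, the dropped `allowUnfree` needs to land in that shared helper rather than silently disappear. Both enclosing attribute sets begin and end outside the hunk.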
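Review bot: `pkgs-unstable` is added to this file's argument pattern in hosts/busch-main-docker/default.nix but, as far as the hunk shows, nothing in the file reads it; the only consumer in this commit is modules/netbird-client.nix, which receives it from `specialArgs` whether or not the host file names it. The -1 hunk of hosts/srv03/default.nix makes the same change. Unless a later part of either file uses the value, the parameter can be dropped from both patterns, or a short comment such as `# pkgs-unstable is consumed by modules/netbird-client.nix` can explain why it is threaded through.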
@@ -26,6 +27,13 @@
 };
 networking.hostName = "docker-main"; # Define your hostname.
+ services.netbird-client = {
+ enable = true;
+ managementUrl = "https://netbird.jfreudenberger.de";
+ host.setupKey = "DB64713B-FB23-49F1-A4A7-9B9E37B585D4";
+ docker.setupKey = "B9ECD884-B445-4156-8643-D0F34D64C200";
+ };
+
 # This option defines the first version of NixOS you have installed on this particular machine,
 # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
 # Most users should NEVER change this value after the initial install, for any reason,
diff --git a/hosts/srv03/default.nix b/hosts/srv03/default.nix
index 1cc29bf..78f2cfc 100644
--- a/hosts/srv03/default.nix
+++ b/hosts/srv03/default.nix
@@ -1,4 +1,4 @@
-{ inputs, outputs, config, lib, pkgs, ... }:
+{ inputs, outputs, config, lib, pkgs, pkgs-unstable, ... }:
 {
 imports =
@@ -17,6 +17,8 @@
 ../../modules/traefik.nix
 ../../modules/pocket-id.nix
 ../../modules/netbird-docker.nix
+ ../../modules/netbird-client.nix
+ ../../modules/dockhand.nix
 ../../modules/auto-upgrade.nix
 "${inputs.secrets}/modules/opkssh.nix"
 # Include the results of the hardware scan.
@@ -44,6 +46,11 @@
 environmentFile = config.age.secrets.pocket-id.path;
 };
+ dockhand = {
+ enable = true;
+ appUrl = "dockhand.jfreudenberger.de";
+ };
+
 netbird-docker = {
 enable = true;
 secrets = config.age.secrets.netbird-server;
@@ -59,10 +66,16 @@
 management.domain = domain;
 dashboard.domain = domain;
 signal.domain = domain;
- management.oidcConfigEndpoint = "https://login.jfreudenberger.de/.well-known/openid-configuration";
 };
 };
+ services.netbird-client = {
+ enable = true;
+ managementUrl = "https://netbird.jfreudenberger.de";
+ host.setupKey = "B57B7B1D-AFBF-4D73-91F5-014A0D8645A4";
+ docker.setupKey = "F49C8243-DB76-4C8C-9136-25498D72B494";
+ };
+
 systemd.network = {
 enable = true;
 networks."10-wan" = {
diff --git a/modules/dockhand.nix b/modules/dockhand.nix
index 5f43cda..ad30426 100644
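Review bot: `host.setupKey` and `docker.setupKey` are NetBird setup keys committed as plaintext literals in this host's configuration, and the -59 hunk of hosts/srv03/default.nix does the same with two more; everywhere else this repository keeps such material out of the tree via agenix (`config.age.secrets.pocket-id.path`, `config.age.secrets.netbird-server` in the srv03 hunks). A setup key is an enrollment credential for the mesh, so anyone with read access to this repository, or to the Nix store of the built system, can enroll peers as these hosts until the keys are revoked. Both values should be passed as paths to secrets provisioned at activation time, e.g. `host.setupKeyFile = config.age.secrets.netbird-host-key.path;` (name is an example), with modules/netbird-client.nix accepting a file instead of a string, and the four keys in this commit should be treated as exposed: revoke them in the management dashboard and issue replacements, preferably single-use or expiring ones. Whether the management side already restricts these keys is not visible here.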
--- a/modules/dockhand.nix
+++ b/modules/dockhand.nix
@@ -17,7 +17,7 @@ in {
 config = lib.mkIf cfg.enable {
 virtualisation.oci-containers.containers = {
 dockhand = {
- image = "fnsys/dockhand:v1.0.12";
+ image = "fnsys/dockhand:v1.0.27";
 volumes = [
 "/var/run/docker.sock:/var/run/docker.sock"
 ];
@@ -26,16 +26,8 @@ in {
 PGID = "1000";
 };
 networks = [
- "pangolin"
+ "webproxy"
 ];
- labels = {
- "pangolin.public-resources.dockhand.name" = "dockhand";
- "pangolin.public-resources.dockhand.full-domain" = cfg.appUrl;
- "pangolin.public-resources.dockhand.protocol" = "http";
- "pangolin.public-resources.dockhand.auth.sso-enabled" = "true";
- "pangolin.public-resources.dockhand.auth.auto-login-idp" = "1";
- "pangolin.public-resources.dockhand.targets[0].method" = "http";
- };
 extraOptions = [
 ''--mount=type=volume,source=dockhand-data,target=/app/data,volume-driver=local''
 ''--group-add=${toString config.ids.gids.docker}''
diff --git a/modules/gui-coding.nix b/modules/gui-coding.nix
index 223f2b6..225d602 100644
--- a/modules/gui-coding.nix
+++ b/modules/gui-coding.nix
@@ -11,6 +11,21 @@
 zed-editor.fhs
 k6
+
+ (pkgs.lazy-app.override {
+ pkg = pkgs.dbeaver-bin;
+ desktopItem = pkgs.makeDesktopItem {
+ name = "DBeaver";
+ exec = "env NO_AT_BRIDGE=1 dbeaver %U";
+ icon = "dbeaver";
+ desktopName = "DBeaver";
+ comment = "SQL Integrated Development Environment";
+ categories = [ "IDE" "Development" ];
+ mimeTypes = [
+ "application/sql"
+ ];
+ };
+ })
 ];
 }
diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix
new file mode 100644
index 0000000..e2b04db
--- /dev/null
+++ b/modules/netbird-client.nix
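Review bot: With the `labels` block gone, `cfg.appUrl` is no longer referenced anywhere in the visible part of modules/dockhand.nix, yet the -44 hunk of hosts/srv03/default.nix still sets `appUrl = "dockhand.jfreudenberger.de"`; either the option is now dead and should be removed, or it has to be consumed by whatever fronts the container on `webproxy`. The removed labels were also what put SSO (`auth.sso-enabled = "true"`) in front of a container that mounts `/var/run/docker.sock`, so the new exposure path over the `webproxy` network should provide equivalent authentication, and a comment on `networks` stating what reaches the container there would help the next reader. In this commit the `webproxy` network is created by the `docker-network-webproxy` oneshot in modules/netbird-client.nix; the systemd `after`/`requires` for the dockhand unit are outside this hunk, so confirm they now reference that unit rather than the old pangolin network. `image = "fnsys/dockhand:v1.0.27"` is a mutable tag; pinning as `fnsys/dockhand:v1.0.27@sha256:<DIGEST>` would make the upgrade reproducible.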
@@ -0,0 +1,99 @@
+{
+ pkgs,
+ pkgs-unstable,
+ utils,
+ config,
+ lib,
+ ...
+}:
+let
+
+ cfg = config.services.netbird-client;
+
+ clientVersion = "0.69.0";
+
+ clientConfiguration = lib.types.submodule {
+ options = {
+ setupKey = lib.mkOption {
+ description = "Setup Key for this client";
+ type = lib.types.str;
+ };
+ };
+ };
+
+in {
+
+ options.services.netbird-client = {
+ enable = lib.mkEnableOption "Netbird client, with possiblities for host connection and for docker based connection.";
+ managementUrl = lib.mkOption {
+ description = "Management URL of netbird server.";
+ type = lib.types.str;
+ };
+ host = lib.mkOption {
+ description = "Configuration for host connection";
+ type = clientConfiguration;
+ };
+ docker = lib.mkOption {
+ description = "Configuration for docker connection";
+ type = clientConfiguration;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.netbird = {
+ package = pkgs-unstable.netbird;
+ useRoutingFeatures = "both";
+ clients.wt0 = {
+ hardened = false;
+ login = {
+ enable = true;
+ setupKeyFile = (pkgs.writeText "setupKey" cfg.host.setupKey).outPath;
+ };
+ port = 51820;
+ environment = {
+ NB_MANAGEMENT_URL = cfg.managementUrl;
+ };
+ };
+ };
+ systemd.services.${config.services.netbird.clients.wt0.service.name}.path = [ pkgs.shadow ];
+
+ virtualisation.oci-containers.containers = {
+ netbird = {
+ image = "netbirdio/netbird:${clientVersion}-rootless";
+ autoStart = true;
+ hostname = "${config.networking.hostName}-docker";
+ networks = [
+ "webproxy"
+ ];
+ environment = {
+ NB_MANAGEMENT_URL = cfg.managementUrl;
+ PEER_NAME = "${config.networking.hostName}-docker";
+ NB_SETUP_KEY = cfg.docker.setupKey;
+ };
+ extraOptions = [
+ ''--mount=type=volume,source=netbird_client_data,target=/var/lib/netbird,volume-driver=local''
+ ];
+ };
+ };
+
+ systemd.services."docker-netbird" = {
+ after = [
+ "docker-network-webproxy.service"
+ ];
+ requires = [
+ "docker-network-webproxy.service"
+ ];
+ };
+
+
+ systemd.services."docker-network-webproxy" = {
+ path = [ pkgs.docker ];
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ script = ''
+ docker network inspect webproxy || docker network create webproxy --ipv4 --ipv6 --subnet=172.20.0.0/16 --gateway=172.20.0.1
+ '';
+ };
+ };
+}
diff --git a/modules/netbird-docker.nix b/modules/netbird-docker.nix
index 076fdaf..a71f2ed 100644
--- a/modules/netbird-docker.nix
+++ b/modules/netbird-docker.nix
@@ -54,7 +54,7 @@ in {
 image = "netbirdio/dashboard:v${dashboardVersion}";
 autoStart = true;
 networks = [
- "webproxy"
+ "traefik"
 ];
 environment = {
 NETBIRD_MGMT_API_ENDPOINT = "https://${netbirdCfg.server.management.domain}";
@@ -88,7 +88,7 @@ in {
 image = "netbirdio/netbird-server:${serverVersion}";
 autoStart = true;
 networks = [
- "webproxy"
+ "traefik"
 ];
 entrypoint = "/bin/sh";
 cmd = [
@@ -169,7 +169,7 @@ in {
 "51820:51820/udp"
 ];
 networks = [
- "webproxy"
+ "traefik"
 ];
 dependsOn = [
 "netbird-server"
diff --git a/modules/pocket-id.nix b/modules/pocket-id.nix
index 48ac9cb..ff62097 100644
--- a/modules/pocket-id.nix
+++ b/modules/pocket-id.nix
@@ -21,12 +21,13 @@ in {
 image = "ghcr.io/pocket-id/pocket-id:v${version}";
 autoStart = true;
 networks = [
- "webproxy"
+ "traefik"
 ];
 environment = {
 APP_URL = pocketidCfg.settings.APP_URL;
 TRUST_PROXY = lib.boolToString pocketidCfg.settings.TRUST_PROXY;
 ANALYTICS_DISABLED = lib.boolToString pocketidCfg.settings.ANALYTICS_DISABLED;
+ GEOLITE_DB_URL = "https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City/download?suffix=tar.gz";
 };
 environmentFiles = [ pocketidCfg.environmentFile ];
 extraOptions = [
diff --git a/modules/traefik.nix b/modules/traefik.nix
index 8888dac..7f4ef6b 100644
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
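Review bot: `setupKeyFile = (pkgs.writeText "setupKey" cfg.host.setupKey).outPath` writes the host setup key into /nix/store, which is world-readable on the machine and travels with the closure to any binary cache or remote builder, and `NB_SETUP_KEY = cfg.docker.setupKey` places the second key in the container's environment, where it shows up in the generated unit file and in `docker inspect` output. Both `setupKey` options should instead be paths to secrets provisioned at activation time (the repository already uses agenix paths, e.g. `config.age.secrets.netbird-server`), with the host client pointed at that file directly and the container given its key through `environmentFiles` rather than `environment`, as sketched below. Two smaller points in the same file: `hardened = false` turns off the hardening the netbird module applies to the client unit, so a comment saying why (routing features?) would spare the next reader the question, and `clientVersion = "0.69.0"` pins the container independently of `pkgs-unstable.netbird` used for the host, so the two peers will drift unless one is derived from the other. The `docker network create webproxy ... --subnet=172.20.0.0/16` oneshot is a near copy of the one in modules/traefik.nix; a shared helper taking the network name and subnet would remove the duplication.
```nix
  clientConfiguration = lib.types.submodule {
    options = {
      setupKeyFile = lib.mkOption {
        # Host client: file holds the bare key. Docker client: file holds a
        # single `NB_SETUP_KEY=<value>` line (it is passed as an env file).
        description = "Path to a file containing the setup key for this client, provisioned outside the Nix store (e.g. via agenix).";
        type = lib.types.path;
      };
    };
  };
  # … unchanged: option declarations, services.netbird package/routing settings …
        login = {
          enable = true;
          setupKeyFile = cfg.host.setupKeyFile;
        };
  # … unchanged: port, host environment, systemd path, container image/hostname/networks …
        environment = {
          NB_MANAGEMENT_URL = cfg.managementUrl;
          PEER_NAME = "${config.networking.hostName}-docker";
        };
        # Keeps the setup key out of the unit file and `docker inspect`.
        environmentFiles = [ cfg.docker.setupKeyFile ];
  # … unchanged: extraOptions, docker-netbird ordering, docker-network-webproxy oneshot …
```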
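Review bot: `GEOLITE_DB_URL` makes the pocket-id container fetch a GeoLite2 city database from pkgs.netbird.io at runtime, which adds an outbound dependency on a third-party host and an unverified download into the identity provider's startup path; it is also a hard-coded literal where every neighbouring value in this block comes from `pocketidCfg.settings.*`. If the default is intended, lift it to a `settings.GEOLITE_DB_URL` option with this value as the default and a description noting that it is fetched on start, and consider mirroring the archive on infrastructure you control. Whether pocket-id checks the integrity of what it downloads is not visible here.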
@@ -35,7 +35,7 @@ in {
 "--providers.docker=true"
 "--providers.docker.endpoint=http://docker-socket-proxy:2375"
 "--providers.docker.exposedByDefault=false"
- "--providers.docker.network=webproxy"
+ "--providers.docker.network=traefik"
 "--providers.file.directory=/dynamic-config"
 "--log.level=INFO"
 "--api=true"
@@ -62,7 +62,7 @@ in {
 "443:443"
 ];
 networks = [
- "webproxy"
+ "traefik"
 "docker-socket"
 ];
 environmentFiles = lib.forEach cfg.dnsSecrets (secret: secret.path);
@@ -102,22 +102,22 @@ in {
 systemd.services."docker-traefik" = {
 after = [
- "docker-network-webproxy.service"
+ "docker-network-traefik.service"
 "docker-network-docker-socket.service"
 ];
 requires = [
- "docker-network-webproxy.service"
+ "docker-network-traefik.service"
 "docker-network-docker-socket.service"
 ];
 };
- systemd.services."docker-network-webproxy" = {
+ systemd.services."docker-network-traefik" = {
 path = [ pkgs.docker ];
 serviceConfig = {
 Type = "oneshot";
 };
 script = ''
- docker network inspect webproxy || docker network create webproxy --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
+ docker network inspect traefik || docker network create traefik --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
 '';
 };