diff --git a/flake.nix b/flake.nix index 2eff20f..7f4b95a 100644 --- a/flake.nix +++ b/flake.nix @@ -27,20 +27,27 @@ }; }; - outputs = { self, nixpkgs, ... }@inputs: { - nixosConfigurations = { - drew-desktop = (import ./system/hosts/drew-desktop) { - inherit inputs; - inherit self; - inherit nixpkgs; + outputs = + { self, nixpkgs, ... }@inputs: + { + nixosConfigurations = { + drew-desktop = (import ./system/hosts/drew-desktop) { + inherit inputs; + inherit self; + inherit nixpkgs; + }; + mcp = (import ./system/hosts/mcp) { + inherit inputs; + inherit self; + inherit nixpkgs; + }; + }; + darwinConfigurations = { + DGVGYQLQP5 = (import ./system/hosts/tarro-mbp) { + inherit inputs; + inherit self; + inherit nixpkgs; + }; }; }; - darwinConfigurations = { - DGVGYQLQP5 = (import ./system/hosts/tarro-mbp) { - inherit inputs; - inherit self; - inherit nixpkgs; - }; - }; - }; } diff --git a/home-manager/features/development/development.nix b/home-manager/features/development/development.nix index 420fce2..96e7303 100644 --- a/home-manager/features/development/development.nix +++ b/home-manager/features/development/development.nix @@ -4,7 +4,6 @@ # Dev apps ../git.nix ../shell.nix - ../terminal.nix ../neovim ../ssh.nix diff --git a/home-manager/features/linux-desktop.nix b/home-manager/features/linux-desktop.nix index 66ecabb..8059ae6 100644 --- a/home-manager/features/linux-desktop.nix +++ b/home-manager/features/linux-desktop.nix @@ -7,6 +7,7 @@ ./nix.nix ../apps/element.nix ../apps/eww + ./terminal.nix ]; home.packages = with pkgs; [ diff --git a/system/hosts/mcp/LICENSE b/system/hosts/mcp/LICENSE new file mode 100644 index 0000000..558f5bd --- /dev/null +++ b/system/hosts/mcp/LICENSE @@ -0,0 +1,9 @@ +MIT License + +Copyright (c) 2024 Havenisms + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/system/hosts/mcp/README.md b/system/hosts/mcp/README.md new file mode 100644 index 0000000..a459e8b --- /dev/null +++ b/system/hosts/mcp/README.md @@ -0,0 +1,3 @@ +# mcp + +Configuration for the MCP server \ No newline at end of file diff --git a/system/hosts/mcp/configuration.nix b/system/hosts/mcp/configuration.nix new file mode 100644 index 0000000..53177c2 --- /dev/null +++ b/system/hosts/mcp/configuration.nix @@ -0,0 +1,119 @@ +{ config, pkgs, ... }: +{ + imports = [ + ./vars.nix + ./zfs.nix + ./containers.nix + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # Set the kernel to be compatible with ZFS + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + + networking.hostName = "mcp"; # Define your hostname. + networking.hostId = "5e292f2d"; # Define a host ID for ZFS with `head -c 8 /etc/machine-id` + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Enable networking + networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "America/Los_Angeles"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + }; + + # Configure keymap in X11 + services.xserver.xkb = { + layout = "us"; + variant = ""; + }; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.drew = { + isNormalUser = true; + description = "Drew Haven"; + extraGroups = [ + "networkmanager" + "wheel" + "docker-registry" + ]; + shell = pkgs.zsh; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + # wget + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + programs.zsh.enable = true; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + services.dockerRegistry = { + enable = true; + port = 5000; + openFirewall = true; + # Bind to the podman network so Traefik can route to it. + # Note that it may fail to start if this network has not been created yet. + listenAddress = "10.88.0.1"; + }; + + services.prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; + }; + }; + }; + + ### Firewall + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + ### State version + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/system/hosts/mcp/containers.nix b/system/hosts/mcp/containers.nix new file mode 100644 index 0000000..a6d4208 --- /dev/null +++ b/system/hosts/mcp/containers.nix @@ -0,0 +1,441 @@ +# Started from https://nixos.wiki/wiki/Podman +{ config, pkgs, ... }: +{ + # Additional configuration + imports = + [ + ./containers/nextcloud.nix + ./containers/prometheus.nix + ./containers/searxng.nix + ./containers/synapse.nix + ]; + + # Enable common container config files in /etc/containers + virtualisation.containers.enable = true; + virtualisation = { + podman = { + enable = true; + + # Create a `docker` alias for podman, to use it as a drop-in replacement + dockerCompat = true; + + # Required for containers under podman-compose to be able to talk to each other. + defaultNetwork.settings.dns_enabled = true; + + extraPackages = [ pkgs.zfs ]; + }; + }; + + # Useful other development tools + environment.systemPackages = with pkgs; [ + dive # look into docker image layers + podman-tui # status of containers in the terminal + docker-compose # start group of containers for dev + #podman-compose # start group of containers for dev + ]; + + users.groups = { + git = {}; + timetagger = {}; + }; + users.users = { + gitea = { + uid = 2001; + isSystemUser = true; + description = "System User for Gitea"; + extraGroups = [ "git" ]; + group = "git"; + }; + timetagger = { + uid = 2002; + isSystemUser = true; + description = "System User for TimeTagger"; + group = "timetagger"; + }; + }; + + virtualisation.oci-containers.backend = "podman"; + virtualisation.oci-containers.containers = let + domain = "havenisms.com"; + hostRule = host: "Host(`${host}.${domain}`)"; + localNet = "192.168.0.0/16"; + localNetRule = "ClientIP(`${localNet}`)"; + localHostRule = host: "${localNetRule} && ${hostRule host}"; + in { + traefik = { + image = "traefik"; + autoStart = true; + cmd = []; + extraOptions = [ + # Proxying Traefik itself + "-l=traefik.enable=true" + "-l=traefik.http.routers.traefik.rule=${localHostRule "proxy"}" + "-l=traefik.http.services.traefik.loadbalancer.server.port=8080" + "-l=homepage.group=Infra" + "-l=homepage.name=Traefik" + "-l=homepage.icon=traefik.svg" + "-l=homepage.href=https://proxy.${domain}" + "-l=homepage.description=Reverse proxy" + "-l=homepage.widget.type=traefik" + "-l=homepage.widget.url=http://traefik:8080" + ]; + ports = [ + "443:443" + "80:80" + ]; + environmentFiles = [ + ]; + volumes = [ + "/var/run/podman/podman.sock:/var/run/docker.sock:ro" + "/tank/config/traefik:/etc/traefik" + ]; + }; + jellyfin = { + image = "lscr.io/linuxserver/jellyfin"; + autoStart = true; + extraOptions = [ + "--device=/dev/dri:/dev/dri" + "-l=traefik.enable=true" + "-l=traefik.http.routers.jellyfin.rule=${hostRule "jellyfin"}" + "-l=traefik.http.services.jellyfin.loadbalancer.server.port=8096" + "-l=homepage.group=Apps" + "-l=homepage.name=Jellyfin" + "-l=homepage.icon=jellyfin.svg" + "-l=homepage.href=https://jellyfin.${domain}" + "-l=homepage.description=Media player" + "-l=homepage.widget.type=jellyfin" + "-l=homepage.widget.key={{HOMEPAGE_FILE_JELLYFIN_KEY}}" + "-l=homepage.widget.url=http://jellyfin:8096" + "-l=homepage.widget.enableBlocks=true" + ]; + volumes = [ + "/tank/media/collection:/data" + "/tank/config/jellyfin:/config" + ]; + # environment = { + # TZ = vars.timeZone; + # PUID = "994"; + # UMASK = "002"; + # GUID = "993"; + # }; + }; + # Shared Postgres Database + db = { + image = "docker.io/postgres:16-alpine"; + autoStart = true; + volumes = [ + # TODO: move to faster storage? + "/tank/db:/var/lib/postgresql/data" + ]; + environment = {}; + extraOptions = [ + "-l=traefik.enable=false" + ]; + }; + deluge = { + image = "linuxserver/deluge:latest"; + autoStart = true; + dependsOn = [ + "gluetun" + ]; + extraOptions = [ + "--network=container:gluetun" + "-l=homepage.group=Arr" + "-l=homepage.name=Deluge" + "-l=homepage.icon=deluge.svg" + "-l=homepage.href=https://deluge.${domain}" + "-l=homepage.description=Torrent client" + "-l=homepage.widget.type=deluge" + "-l=homepage.widget.password={{HOMEPAGE_FILE_DELUGE_PASSWORD}}" + "-l=homepage.widget.url=http://gluetun:8112" + ]; + volumes = [ + "/tank/media:/data" + "/tank/config/deluge:/config" + ]; + }; + qbittorrent = { + image = "linuxserver/qbittorrent:latest"; + autoStart = true; + dependsOn = [ + "gluetun" + ]; + extraOptions = [ + "--network=container:gluetun" + "-l=homepage.group=Arr" + "-l=homepage.name=qBitTorrent" + "-l=homepage.icon=qbittorrent.svg" + "-l=homepage.href=https://torrents.${domain}" + "-l=homepage.description=Torrent client" + "-l=homepage.widget.type=qbittorrent" + "-l=homepage.widget.url=http://torrents.${domain}" + ]; + volumes = [ + "/tank/media/Downloads:/downloads" + "/tank/config/qbittorrent:/config" + ]; + environment = { + PUID = "911"; + PGID = "911"; + UMASK = "002"; + }; + }; + gluetun = { + image = "qmcgaw/gluetun:latest"; + autoStart = true; + extraOptions = [ + # add network admin capability. + "--cap-add=NET_ADMIN" + "--device=/dev/net/tun:/dev/net/tun" + "-l=traefik.enable=true" + "-l=traefik.http.routers.torrents.rule=${localHostRule "torrents"}" + "-l=traefik.http.routers.torrents.service=torrents" + "-l=traefik.http.services.torrents.loadbalancer.server.port=8080" + "-l=homepage.group=Infra" + "-l=homepage.name=GlueTun" + "-l=homepage.icon=gluetun.svg" + "-l=homepage.href=https://torrents.${domain}" + "-l=homepage.description=VPN killswitch" + "-l=homepage.widget.type=gluetun" + "-l=homepage.widget.url=http://gluetun:8000" + ]; + ports = [ + "127.0.0.1:8083:8000" + ]; + environmentFiles = [ + "/tank/config/gluetun/vpn.env" + ]; + environment = { + VPN_SERVICE_PROVIDER = "protonvpn"; + UMASK = "002"; + }; + }; + prowlarr = { + image = "lscr.io/linuxserver/prowlarr"; + autoStart = true; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.prowlarr.rule=${localHostRule "prowlarr"}" + "-l=traefik.http.services.prowlarr.loadbalancer.server.port=9696" + "-l=homepage.group=Arr" + "-l=homepage.name=Prowlarr" + "-l=homepage.icon=prowlarr.svg" + "-l=homepage.href=https://prowlarr.${domain}" + "-l=homepage.description=Torrent indexer" + ]; + volumes = [ + "/tank/config/prowlarr:/config" + ]; + environment = { + UMASK = "002"; + }; + }; + # Currently broken and doesn't work. :( + # flaresolverr = { + # image = "ghcr.io/flaresolverr/flaresolverr:latest"; + # autoStart = true; + # extraOptions = [ + # "-l=homepage.group=Infra" + # "-l=homepage.name=FlareSolverr" + # "-l=homepage.icon=flaresolverr.svg" + # "-l=homepage.href=https://flaresolverr.${domain}" + # "-l=homepage.description=Cloudflare bypass" + # ]; + # volumes = [ + # "/tank/config/flaresolverr:/config" + # ]; + # environment = { + # UMASK = "002"; + # }; + # }; + radarr = { + image = "lscr.io/linuxserver/radarr"; + autoStart = true; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.radarr.rule=${localHostRule "radarr"}" + "-l=traefik.http.services.radarr.loadbalancer.server.port=7878" + "-l=homepage.group=Arr" + "-l=homepage.name=Radarr" + "-l=homepage.icon=radarr.svg" + "-l=homepage.href=https://radarr.${domain}" + "-l=homepage.description=Movie acquisition" + "-l=homepage.widget.type=radarr" + "-l=homepage.widget.url=http://radarr:7878" + "-l=homepage.widget.key={{HOMEPAGE_FILE_RADARR_KEY}}" + ]; + volumes = [ + "/tank/media:/data" + "/tank/config/radarr:/config" + ]; + environment = { + UMASK = "002"; + }; + }; + sonarr = { + image = "lscr.io/linuxserver/sonarr"; + autoStart = true; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.sonarr.rule=${localHostRule "sonarr"}" + "-l=traefik.http.services.sonarr.loadbalancer.server.port=8989" + "-l=homepage.group=Arr" + "-l=homepage.name=Sonarr" + "-l=homepage.icon=sonarr.svg" + "-l=homepage.href=https://sonarr.${domain}" + "-l=homepage.description=Show acquisition" + "-l=homepage.widget.type=sonarr" + "-l=homepage.widget.url=http://sonarr:8989" + "-l=homepage.widget.key={{HOMEPAGE_FILE_SONARR_KEY}}" + ]; + volumes = [ + "/tank/media:/data" + "/tank/config/sonarr:/config" + ]; + environment = { + UMASK = "002"; + }; + }; + readarr = { + # The Linuxserver version of this image doesn't have a latest tag. Odd. + image = "lscr.io/linuxserver/readarr:develop"; + autoStart = true; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.readarr.rule=${localHostRule "readarr"}" + "-l=traefik.http.services.readarr.loadbalancer.server.port=8787" + "-l=homepage.group=Arr" + "-l=homepage.name=Readarr" + "-l=homepage.icon=readarr.svg" + "-l=homepage.href=https://readarr.${domain}" + "-l=homepage.description=E-book acquisition" + "-l=homepage.widget.type=readarr" + "-l=homepage.widget.url=http://readarr:8787" + "-l=homepage.widget.key={{HOMEPAGE_FILE_READARR_KEY}}" + ]; + volumes = [ + "/tank/media:/data" + "/tank/config/readarr:/config" + ]; + environment = { + UMASK = "002"; + }; + }; + homepage = { + image = "ghcr.io/gethomepage/homepage:latest"; + autoStart = true; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.homepage.rule=${localHostRule "start"}" + "-l=traefik.http.services.homepage.loadbalancer.server.port=3000" + ]; + volumes = [ + "/tank/config/homepage:/app/config" + "/tank/secrets/deluge.pass:/app/config/secrets/deluge.pass" + "/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key" + "/tank/secrets/radarr.key:/app/config/secrets/radarr.key" + "/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key" + "/var/run/podman/podman.sock:/var/run/docker.sock:ro" + ]; + environment = { + HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key"; + HOMEPAGE_FILE_RADARR_KEY = "/app/config/secrets/radarr.key"; + HOMEPAGE_FILE_SONARR_KEY = "/app/config/secrets/sonarr.key"; + HOMEPAGE_FILE_READARR_KEY = "/app/config/secrets/readarr.key"; + HOMEPAGE_FILE_DELUGE_PASSWORD = "/app/config/secrets/deluge.pass"; + }; + }; + scrutiny = { + image = "ghcr.io/analogj/scrutiny:master-omnibus"; + autoStart = true; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.scrutiny.rule=${localHostRule "scrutiny"}" + "-l=traefik.http.services.scrutiny.loadbalancer.server.port=8080" + "-l=homepage.group=Infra" + "-l=homepage.name=Scrutiny" + "-l=homepage.icon=scrutiny-light.png" + "-l=homepage.href=https://scrutiny.${domain}" + "-l=homepage.description=S.M.A.R.T. monitoring" + "-l=homepage.widget.type=scrutiny" + "-l=homepage.widget.url=http://scrutiny:8080" + "--cap-add=SYS_RAWIO" + "--device=/dev/sda:/dev/sda" + "--device=/dev/sdb:/dev/sdb" + "--device=/dev/sdc:/dev/sdc" + "--device=/dev/sdd:/dev/sdd" + ]; + volumes = [ + "/run/udev:/run/udev:ro" + "/tank/config/scrutiny/config:/opt/scrutiny/config" + "/tank/config/scrutiny/influxdb:/opt/scrutiny/influxdb" + ]; + }; + valkey = { + image = "docker.io/valkey/valkey:7-alpine"; + autoStart = true; + volumes = [ + "/tank/config/valkey:/usr/local/etc/valkey" + ]; + }; + grafana = { + image = "grafana/grafana-enterprise"; + autoStart = true; + dependsOn = [ + "db" + ]; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.grafana.rule=${localHostRule "grafana"}" + "-l=traefik.http.services.grafana.loadbalancer.server.port=3000" + "-l=homepage.group=Infra" + "-l=homepage.name=Grafana" + "-l=homepage.icon=grafana.png" + "-l=homepage.href=https://grafana.${domain}" + "-l=homepage.description=Database visualization" + "-l=homepage.widget.type=grafana" + "-l=homepage.widget.url=http://grafana:3000" + ]; + volumes = [ + "grafana-storage:/var/lib/grafana" + ]; + environment = { + GF_SERVER_ROOT_URL = "https://grafna.havenisms.com"; + }; + }; + gitea = { + image = "gitea/gitea:latest-rootless"; + autoStart = true; + dependsOn = [ + "db" + ]; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.gitea.rule=${localHostRule "git"}" + "-l=traefik.http.services.gitea.loadbalancer.server.port=3000" + "-l=homepage.group=Apps" + "-l=homepage.name=Gitea" + "-l=homepage.icon=gitea.png" + "-l=homepage.href=https://git.${domain}" + "-l=homepage.description=Git Server" + ]; + ports = [ + "2222:2222" + ]; + volumes = [ + "/tank/git:/var/lib/gitea" + "/tank/config/gitea:/etc/gitea" + ]; + user = toString config.users.users.gitea.uid; + environment = { + USER_UID = toString config.users.users.gitea.uid; + USER_GID = toString config.users.groups.git.gid; + GITEA__database__DB_TYPE = "postgres"; + GITEA__database__HOST= "db"; + GITEA__database__NAME="gitea"; + GITEA__database__USER="gitea"; + GITEA__database__PASSWD="gitea123"; + }; + }; + }; +} diff --git a/system/hosts/mcp/containers/appflowy.nix b/system/hosts/mcp/containers/appflowy.nix new file mode 100644 index 0000000..32c23c6 --- /dev/null +++ b/system/hosts/mcp/containers/appflowy.nix @@ -0,0 +1,89 @@ +# Status: Far too complicated to set up right now. There's a lot of built-in +# assumptions about the database and a lot of services to connect to. I think +# they tried to open-source their production code, but it's not particularly +# generic right now. +# +# See https://github.com/AppFlowy-IO/AppFlowy-Cloud/blob/main/doc/DEPLOYMENT.md +{ config, pkgs, ... }: +let + inherit (import ./lib.nix config) mkContainer; + inherit (import ./secrets.nix) appflowy; +in +{ + virtualisation.oci-containers.containers = { + appflowy = mkContainer { + image = "appflowyinc/appflowy_cloud:latest"; + hostName = "appflowy"; + dependsOn = [ + "appflowy-gotrue" + "appflowy-db" + ]; + port = 80; + volumes = []; + environment = { + RUST_LOG = "info"; + APPFLOWY_ENVIRONMENT = "production"; + APPFLOWY_DATABASE_URL = "postgres://${appflowy.db.username}:${appflowy.db.password}@appflowy-db:5432/${appflowy.db.database}"; + APPFLOWY_REDIS_URI = redis://valkey:6379; + APPFLOWY_GOTRUE_JWT_SECRET=appflowy.gotrue.jwt.secret; + APPFLOWY_GOTRUE_JWT_EXP = toString appflowy.gotrue.jwt.expiration; + APPFLOWY_GOTRUE_BASE_URL= "http://appflowy-gotrue:9999"; + APPFLOWY_GOTRUE_EXT_URL = "http://appflowy-gotrue.havenisms.com"; + APPFLOWY_GOTRUE_ADMIN_EMAIL = appflowy.gotrue.admin.email; + APPFLOWY_GOTRUE_ADMIN_PASSWORD = appflowy.gotrue.admin.password; + APPFLOWY_S3_USE_MINIO = "true"; + APPFLOWY_S3_MINIO_URL= "https://minio.${config.domainName}"; + APPFLOWY_S3_ACCESS_KEY = appflowy.s3.accessKey; + APPFLOWY_S3_SECRET_KEY = appflowy.s3.secretKey; + APPFLOWY_S3_BUCKET = appflowy.s3.bucket; + APPFLOWY_S3_REGION="us-east-1"; + # APPFLOWY_MAILER_SMTP_HOST=${APPFLOWY_MAILER_SMTP_HOST} + # APPFLOWY_MAILER_SMTP_PORT=${APPFLOWY_MAILER_SMTP_PORT} + # APPFLOWY_MAILER_SMTP_USERNAME=${APPFLOWY_MAILER_SMTP_USERNAME} + # APPFLOWY_MAILER_SMTP_PASSWORD=${APPFLOWY_MAILER_SMTP_PASSWORD} + # APPFLOWY_ACCESS_CONTROL=${APPFLOWY_ACCESS_CONTROL} + # APPFLOWY_DATABASE_MAX_CONNECTIONS=${APPFLOWY_DATABASE_MAX_CONNECTIONS} + # APPFLOWY_AI_SERVER_HOST=${APPFLOWY_AI_SERVER_HOST} + # APPFLOWY_AI_SERVER_PORT=${APPFLOWY_AI_SERVER_PORT} + # APPFLOWY_OPENAI_API_KEY=${APPFLOWY_OPENAI_API_KEY} + }; + homepageOpts = { + group = "Apps "; + name = "Appflowy"; + icon = "appflowy.svg"; + description = "Knowledge Base"; + }; + }; + appflowy-db = { + image = "docker.io/postgres:16-alpine"; + autoStart = true; + volumes = [ + # TODO: move to faster storage? + "/tank/appflowy/db:/var/lib/postgresql/data" + "/tank/appflowy/migrations/before:/docker-entrypoint-initdb.d" + ]; + environment = { + POSTGRES_USER = appflowy.db.username; + POSTGRES_PASSWORD = appflowy.db.password; + POSTGRES_DB = appflowy.db.database; + }; + extraOptions = []; + }; + appflowy-gotrue = { + image = "appflowyinc/gotrue:latest"; + autoStart = true; + dependsOn = []; + extraOptions = []; + volumes = []; + environment = { + GOTRUE_SITE_URL = "https://appflowy.havenisms.com"; + GOTRUE_JWT_SECRET = appflowy.gotrue.jwt.secret; + GOTRUE_JWT_EXP = toString appflowy.gotrue.jwt.expiration; + GOTRUE_DB_DRIVER = "postgres"; + API_EXTERNAL_URL = "http://appflowy-gotrue.havenisms.com"; + DATABASE_URL = "postgres://supabase_auth_admin:root@appflowy-db:5432/${appflowy.db.database}"; + PORT = "9999"; + }; + }; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/atomicserver.nix b/system/hosts/mcp/containers/atomicserver.nix new file mode 100644 index 0000000..d88c6d4 --- /dev/null +++ b/system/hosts/mcp/containers/atomicserver.nix @@ -0,0 +1,25 @@ +{ config, pkgs, ... }: +let + inherit (import ./lib.nix config) mkContainer; +in { + virtualisation.oci-containers.containers.atomicserver = mkContainer { + image = "joepmeneer/atomic-server"; + hostName = "atomic"; + port = 80; + volumes = [ + "/tank/atomicserver:/atomic-storage" + ]; + environment = { + ATOMIC_INITIALIZE = "true"; + ATOMIC_SERVER_URL = "https://atomic.havenisms.com"; + ATOMIC_DOMAIN = "atomic.havenisms.com"; + ATOMIC_HTTPS = "false"; + }; + homepageOpts = { + group = "Apps"; + name = "Atomic Server"; + icon = "atomicserver.svg"; + description = "Atomic Knowledge Management System"; + }; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/baserow.nix b/system/hosts/mcp/containers/baserow.nix new file mode 100644 index 0000000..753c676 --- /dev/null +++ b/system/hosts/mcp/containers/baserow.nix @@ -0,0 +1,22 @@ +# Not in use, just reference. +{ config, pkgs, ... }: +let inherit (import ./lib.nix config) mkContainer; in +{ + virtualisation.oci-containers.containers.baserow = mkContainer { + image = "baserow/baserow"; + hostName = "baserow"; + port = 80; + volumes = [ + "/tank/baserow:/baserow/data" + ]; + environment = { + BASEROW_PUBLIC_URL = "https://baserow.havenisms.com"; + }; + homepageOpts = { + group = "Apps"; + name = "Baserow"; + icon = "baserow.svg"; + description = "No-Code Databases"; + }; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/collabora.nix b/system/hosts/mcp/containers/collabora.nix new file mode 100644 index 0000000..75b4c06 --- /dev/null +++ b/system/hosts/mcp/containers/collabora.nix @@ -0,0 +1,14 @@ +{ config, pkgs, ... }: +let inherit (import ./lib.nix config) mkContainer; in +{ + virtualisation.oci-containers.containers.collabora = { + image = "collabora/code"; + volumes = [ + "/tank/config/collabora:/etc/coolwsd" + ]; + environment = { + DONT_GEN_SSL_CERT = "true"; + }; + autoStart = true; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/lib.nix b/system/hosts/mcp/containers/lib.nix new file mode 100644 index 0000000..2ee2e55 --- /dev/null +++ b/system/hosts/mcp/containers/lib.nix @@ -0,0 +1,30 @@ +config: +let + hostRule = host: "Host(`${host}.${config.domainName}`)"; + localNetRule = "ClientIP(`${config.localNet}`)"; + localHostRule = host: "${localNetRule} && ${hostRule host}"; +in +{ + inherit hostRule localNetRule localHostRule; + + mkContainer = { image, dependsOn ? [], hostName, port, volumes ? [], environment ? [], homepageOpts, public ? false}: + let routerRule = if public then hostRule hostName else localHostRule hostName; + in + { + image = image; + autoStart = true; + dependsOn = dependsOn; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.${hostName}.rule=${routerRule}" + "-l=traefik.http.services.${hostName}.loadbalancer.server.port=${toString port}" + "-l=homepage.group=${homepageOpts.group}" + "-l=homepage.name=${homepageOpts.name}" + "-l=homepage.icon=${homepageOpts.icon}" + "-l=homepage.href=https://${hostName}.${config.domainName}" + "-l=homepage.description=${homepageOpts.description}" + ]; + volumes = volumes; + environment = environment; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/mariadb.nix b/system/hosts/mcp/containers/mariadb.nix new file mode 100644 index 0000000..10e4911 --- /dev/null +++ b/system/hosts/mcp/containers/mariadb.nix @@ -0,0 +1,26 @@ +{ config, pkgs, ... }: +let inherit (import ./lib.nix config) mkContainer; in +{ + virtualisation.oci-containers.containers.mariadb = { + image = "mariadb:11"; + autoStart = true; + extraOptions = [ + ]; + volumes = [ + "/tank/mariadb:/var/lib/mysql" + ]; + cmd = [ + "--innodb-buffer-pool-size=512M" + "--transaction-isolation=READ-COMMITTED" + "--character-set-server=utf8mb4" + "--collation-server=utf8mb4_unicode_ci" + "--max-connections=512" + "--innodb-rollback-on-timeout=OFF" + "--innodb-lock-wait-timeout=120" + ]; + environment = { + MARIADB_DATABASE = "mariadb"; + MARIADB_ROOT_PASSWORD = "root123"; + }; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/minio.nix b/system/hosts/mcp/containers/minio.nix new file mode 100644 index 0000000..6112721 --- /dev/null +++ b/system/hosts/mcp/containers/minio.nix @@ -0,0 +1,34 @@ +{ config, pkgs, ... }: +let + inherit (import ./lib.nix config) localHostRule; + inherit (import ./secrets.nix) minioAdminPassword; +in +{ + virtualisation.oci-containers.containers.minio = { + image = "minio/minio"; + autoStart = true; + volumes = [ + "/tank/minio:/data" + ]; + cmd = [ "server" "/data" "--console-address" ":9001" ]; + environment = { + MINIO_BROWSER_REDIRECT_URL = "https://console.minio.havenisms.com/"; + MINIO_ROOT_USER = "minioadmin"; + MINIO_ROOT_PASSWORD = minioAdminPassword; + }; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.minio.rule=${localHostRule "minio"}" + "-l=traefik.http.routers.minio.service=minio" + "-l=traefik.http.services.minio.loadbalancer.server.port=9000" + "-l=traefik.http.routers.minio-console.rule=${localHostRule "console.minio"}" + "-l=traefik.http.routers.minio-console.service=minio-console" + "-l=traefik.http.services.minio-console.loadbalancer.server.port=9001" + "-l=homepage.group=Infra" + "-l=homepage.name=Minio" + "-l=homepage.icon=mino.svg" + "-l=homepage.href=https://minio-admin.${config.domainName}" + "-l=homepage.description=Reverse proxy" + ]; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/nextcloud.nix b/system/hosts/mcp/containers/nextcloud.nix new file mode 100644 index 0000000..9fa8b15 --- /dev/null +++ b/system/hosts/mcp/containers/nextcloud.nix @@ -0,0 +1,29 @@ + +{ config, pkgs, ... }: +let inherit (import ./lib.nix config) hostRule; in +{ + virtualisation.oci-containers.containers.nextcloud = { + image = "docker.io/library/nextcloud:latest"; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.nextcloud.rule=${hostRule "cloud"}" + "-l=traefik.http.services.nextcloud.loadbalancer.server.port=80" + "-l=homepage.group=Apps" + "-l=homepage.name=NextCloud" + "-l=homepage.icon=nextcloud.png" + "-l=homepage.href=https://cloud.${config.domainName}" + "-l=homepage.description=Productivity suite" + "-l=homepage.widget.type=nextcloud" + "-l=homepage.widget.url=http://nextcloud:8080" + ]; + volumes = [ + "/tank/nextcloud:/var/www/html" + ]; + environment = { + POSTGRES_HOST = "db"; + POSTGRES_DB = "nextcloud"; + POSTGRES_USER = "nextcloud"; + POSTGRES_PASSWORD = "nextcloud123"; + }; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/prometheus.nix b/system/hosts/mcp/containers/prometheus.nix new file mode 100644 index 0000000..700e0a1 --- /dev/null +++ b/system/hosts/mcp/containers/prometheus.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: +let inherit (import ./lib.nix config) mkContainer; in +{ + virtualisation.oci-containers.containers.prometheus = mkContainer { + image = "prom/prometheus"; + hostName = "prometheus"; + port = 9090; + volumes = [ + "/tank/config/prometheus:/etc/prometheus" + ]; + environment = { + }; + homepageOpts = { + group = "Infra"; + name = "Prometheus"; + icon = "prometheus.svg"; + description = "Prometheus monitoring"; + }; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/searxng.nix b/system/hosts/mcp/containers/searxng.nix new file mode 100644 index 0000000..a8a7292 --- /dev/null +++ b/system/hosts/mcp/containers/searxng.nix @@ -0,0 +1,27 @@ + +{ config, pkgs, ... }: +let inherit (import ./lib.nix config) mkContainer; in +{ + virtualisation.oci-containers.containers.searxng = mkContainer { + hostName = "search"; + image = "docker.io/searxng/searxng:latest"; + port = 8080; + public = true; + dependsOn = [ + "valkey" + ]; + homepageOpts = { + group = "Apps"; + name = "SearXNG"; + icon = "searxng.svg"; + description = "Web search proxy"; + }; + volumes = [ + "/tank/config/searxng:/etc/searxng" + ]; + environment = { + SEARXNG_BASE_URL = "https://search.${config.domainName}"; + SEARXNG_REDIS_URL = "redis://valkey:6379/0"; + }; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/containers/synapse.nix b/system/hosts/mcp/containers/synapse.nix new file mode 100644 index 0000000..902e87b --- /dev/null +++ b/system/hosts/mcp/containers/synapse.nix @@ -0,0 +1,60 @@ +{ config, pkgs, ... }: +let inherit (import ./lib.nix config) hostRule; + syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))"; + wellKnownRule = "PathPrefix(`/.well-known`)"; +in +{ + virtualisation.oci-containers.containers = { + synapse = { + image = "docker.io/matrixdotorg/synapse:latest"; + autoStart = true; + dependsOn = [ + "db" + ]; + volumes = [ + "/tank/config/synapse/data:/data" + ]; + ports = [ + "8008:8008/tcp" + ]; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.synapse.rule=${hostRule "chat"} && !(${syncRule} || ${wellKnownRule})" + "-l=traefik.http.services.synapse.loadbalancer.server.port=8008" + ]; + }; + matrix_sliding_sync = { + image = "ghcr.io/matrix-org/sliding-sync:latest"; + dependsOn = ["db"]; + ports = [ + "8009:8009" + ]; + environment = { + SYNCV3_SERVER = "http://synapse:8008"; + # TODO: Store password securely + SYNCV3_DB = "postgres://syncv3:TZKr3RNmVx@db:5432/syncv3?sslmode=disable"; + # TODO: Store secret securely + SYNCV3_SECRET = "4917590296b90910ec31ba355af6c7731409fd5f284d24912b852c3f928fa162"; + SYNCV3_BINDADDR = ":8009"; + }; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.syncv3.rule=${hostRule "chat"} && ${syncRule}" + "-l=traefik.http.services.syncv3.loadbalancer.server.port=8009" + ]; + }; + # This server helps to serve the .well-known files that are required by clients to find the sync server. + matrix_well_known = { + image = "nginx"; + ports = [ "80" ]; + volumes = [ + "/tank/config/synapse/static-files:/usr/share/nginx/html:ro" + ]; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.matrix-static.rule=${hostRule "chat"} && ${wellKnownRule}" + "-l=traefik.http.services.matrix-static.loadbalancer.server.port=80" + ]; + }; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/default.nix b/system/hosts/mcp/default.nix new file mode 100644 index 0000000..b13bca1 --- /dev/null +++ b/system/hosts/mcp/default.nix @@ -0,0 +1,27 @@ +{ nixpkgs, inputs, ... }: +nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./configuration.nix + ./hardware-configuration.nix + inputs.home-manager.nixosModules.home-manager + { + nixpkgs.config.allowUnfree = true; + home-manager.users.drew = + { ... }: + { + imports = [ + ./drew.nix + ]; + }; + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = { + inherit inputs; + }; + } + ]; + specialArgs = { + inherit inputs; + }; +} diff --git a/system/hosts/mcp/drew.nix b/system/hosts/mcp/drew.nix new file mode 100644 index 0000000..5e655c7 --- /dev/null +++ b/system/hosts/mcp/drew.nix @@ -0,0 +1,24 @@ +{ pkgs, ... }: +{ + imports = map (x: ../../../home-manager + x) [ + "/features/development/development.nix" + ]; + + home.stateVersion = "24.11"; + + home.username = "drew"; + home.homeDirectory = "/home/drew"; + + programs.git = { + userName = "Drew Haven"; + userEmail = "drew.haven@gmail.com"; + }; + + home.packages = with pkgs; [ + # Applications + discord + signal-desktop + obsidian + firefox + ]; +} diff --git a/system/hosts/mcp/pull-and-switch.sh b/system/hosts/mcp/pull-and-switch.sh new file mode 100755 index 0000000..dc4c8d2 --- /dev/null +++ b/system/hosts/mcp/pull-and-switch.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# Fail on errors +set -e + +# Validate the sudo access +sudo -v + +# Switch to the Nixos configuration directory +cd /etc/nixos + +# Pull the latest changes from the remote repository +sudo git fetch origin main +sudo git reset --hard origin/main + +# Switch to the latest configuration +sudo nixos-rebuild switch \ No newline at end of file diff --git a/system/hosts/mcp/vars.nix b/system/hosts/mcp/vars.nix new file mode 100644 index 0000000..362f888 --- /dev/null +++ b/system/hosts/mcp/vars.nix @@ -0,0 +1,12 @@ +{ config, lib, ...}: +{ + options = with lib; with types; { + domainName = mkOption { type = str; }; + localNet = mkOption { type = str; }; + }; + + config = { + domainName = "havenisms.com"; + localNet = "192.168.0.0/16"; + }; +} \ No newline at end of file diff --git a/system/hosts/mcp/zfs.nix b/system/hosts/mcp/zfs.nix new file mode 100644 index 0000000..ed172ce --- /dev/null +++ b/system/hosts/mcp/zfs.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: + +{ + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.forceImportRoot = false; + # Set up the pool to be imported on boot. + # Note that mountpoints are managed by ZFS on this system. + boot.zfs.extraPools = [ "tank" ]; +} diff --git a/system/hosts/tarro-mbp/drew.nix b/system/hosts/tarro-mbp/drew.nix index e53a9fa..753ee6f 100644 --- a/system/hosts/tarro-mbp/drew.nix +++ b/system/hosts/tarro-mbp/drew.nix @@ -1,9 +1,11 @@ -{ pkgs, self, ... }: +{ pkgs, ... }: { imports = [ ../../../home-manager/features/kubernetes.nix ../../../home-manager/features/macos ../../../home-manager/features/nix.nix + ../../../home-manager/features/terminal.nix + ../../../home-manager/features/development/development.nix ../../../home-manager/features/development/macos.nix ../../../home-manager/features/development/rust.nix ];