diff --git a/.github/workflows/apply-kubernetes.yml b/.github/workflows/apply-kubernetes.yml new file mode 100644 index 0000000..39ec4b1 --- /dev/null +++ b/.github/workflows/apply-kubernetes.yml @@ -0,0 +1,36 @@ +name: Apply Kuberentes Configs +on: [push, workflow_dispatch] +jobs: + update-repo: + runs-on: [home-server] + steps: + - name: checkout repo + working-directory: /home/github/infrastructure + run: | + if [ -d "infrastructure" ]; then + cd infrastructure + echo "Infrastructure folder exists. Resetting to the most recent commit." + git reset --hard HEAD + git pull https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} $(git rev-parse --abbrev-ref HEAD) + else + git clone https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git + fi + update-infrastructure: + runs-on: [home-server] + needs: update-repo + steps: + - name: update home server containers + env: + KUBECONFIG: /home/github/.kube/config + MY_GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }} + HOMEASSISTANT_TOKEN: ${{ secrets.HOMEASSISTANT_TOKEN }} + GRAFANA_PASSWORD: ${{ secrets.GRAFANA_PASSWORD }} + CLOUDFLARE_CONFIG: ${{ secrets.CLOUDFLARE_CONFIG }} + COPILOT_TOKEN: ${{ secrets.COPILOT_TOKEN }} + working-directory: /home/github/infrastructure/infrastructure + run: | + # kubectl apply -f kubernetes/ingress + kubectl apply -f kubernetes/proxy-ingress + + kubectl annotate ingressclass nginx \ + ingressclass.kubernetes.io/is-default-class="true" --overwrite diff --git a/.github/workflows/beets-sync.yml b/.github/workflows/beets-sync.yml index 7523cc5..c73fc2a 100644 --- a/.github/workflows/beets-sync.yml +++ b/.github/workflows/beets-sync.yml @@ -1,8 +1,8 @@ name: Beets on: - schedule: - # Run 4 times a day: 6am, 12pm, 6pm, 12am UTC - - cron: '0 6,12,18,0 * * *' + # schedule: + # # Run 4 times a day: 6am, 12pm, 6pm, 12am UTC + # - cron: '0 6,12,18,0 * * *' workflow_dispatch: # Allow manual trigger jobs: 
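Review bot: The `update-infrastructure` step exports MY_GITHUB_TOKEN, HOMEASSISTANT_TOKEN, GRAFANA_PASSWORD, CLOUDFLARE_CONFIG and COPILOT_TOKEN into its environment, but its `run` block only calls `kubectl apply` and `kubectl annotate` and references none of them, so five secrets are handed to the self-hosted `home-server` runner for nothing — keep only `KUBECONFIG` in `env:` and re-add each secret on the step that actually consumes it. The workflow also runs on `push` to any branch with no `permissions:` block, while the deploy always uses whatever branch the local checkout is on (`git rev-parse --abbrev-ref HEAD`), so a feature-branch push redeploys main with a default-scoped GITHUB_TOKEN; restrict it with `on: push: branches: [main]` and add `permissions: contents: read`. The `git clone https://x-access-token:${{ secrets.GITHUB_TOKEN }}@...` path writes that token into `.git/config` on the runner (the `git pull <url>` path does not); clone without credentials in the URL and pass the token per command as the pull already does, even though GITHUB_TOKEN expires with the job. Minor: `Kuberentes` in `name:` is a typo.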
diff --git a/README.md b/README.md index 9f75fd6..7f4ff69 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,10 @@ ![home server update](https://github.com/alexmickelson/infrastructure/actions/workflows/update-home-server.yml/badge.svg) + [![ZFS Backup](https://github.com/alexmickelson/infrastructure/actions/workflows/backup-zfs.yml/badge.svg)](https://github.com/alexmickelson/infrastructure/actions/workflows/backup-zfs.yml) + + + [![Manage Jellyfin Playlists](https://github.com/alexmickelson/infrastructure/actions/workflows/update-playlist.yml/badge.svg)](https://github.com/alexmickelson/infrastructure/actions/workflows/update-playlist.yml) diff --git a/home-server/docker-compose.yml b/home-server/docker-compose.yml index a137078..833b6ce 100644 --- a/home-server/docker-compose.yml +++ b/home-server/docker-compose.yml 
@@ -183,33 +183,33 @@ services: # - 0.0.0.0:9162:9162 # docker run -it --rm -p 9162:9162 --net=host sfudeus/apcupsd_exporter:master_1.19 - reverse-proxy: - image: ghcr.io/linuxserver/swag - container_name: reverse-proxy - restart: unless-stopped - cap_add: - - NET_ADMIN - environment: - - PUID=1000 - - PGID=1000 - - TZ=America/Denver - - URL=alexmickelson.guru - - SUBDOMAINS=wildcard - - VALIDATION=dns - - DNSPLUGIN=cloudflare - volumes: - - ./nginx.conf:/config/nginx/site-confs/default.conf - - /data/swag:/config - - /data/cloudflare/cloudflare.ini:/config/dns-conf/cloudflare.ini - ports: - - 0.0.0.0:80:80 - - 0.0.0.0:443:443 - # - 0.0.0.0:7080:80 - # - 0.0.0.0:7443:443 - extra_hosts: - - host.docker.internal:host-gateway - networks: - - proxy + # reverse-proxy: + # image: ghcr.io/linuxserver/swag + # container_name: reverse-proxy + # restart: unless-stopped + # cap_add: + # - NET_ADMIN + # environment: + # - PUID=1000 + # - PGID=1000 + # - TZ=America/Denver + # - URL=alexmickelson.guru + # - SUBDOMAINS=wildcard + # - VALIDATION=dns + # - DNSPLUGIN=cloudflare + # volumes: + # - ./nginx.conf:/config/nginx/site-confs/default.conf + # - /data/swag:/config + # - /data/cloudflare/cloudflare.ini:/config/dns-conf/cloudflare.ini + # ports: + # - 0.0.0.0:80:80 + # - 0.0.0.0:443:443 + # # - 0.0.0.0:7080:80 + # # - 0.0.0.0:7443:443 + # extra_hosts: + # - host.docker.internal:host-gateway + # networks: + # - proxy audiobookshelf: @@ -220,7 +220,6 @@ services: volumes: - /data/media/audiobooks:/audiobooks - /data/media/audiobooks-libation:/audiobooks-libation - # - :/podcasts - /data/audiobookshelf/config:/config - /data/audiobookshelf/metadata:/metadata networks: @@ -262,6 +261,7 @@ services: environment: - SEARXNG_BASE_URL=http://server.alexmickelson.guru:4446/ restart: unless-stopped + networks: proxy: name: proxy diff --git a/home-server/nginx.conf b/home-server/nginx.conf index f4cb29b..48d92bd 100644 --- a/home-server/nginx.conf +++ b/home-server/nginx.conf 
@@ -55,18 +55,6 @@ server { } } -server { - listen 443 ssl; - listen [::]:443 ssl; - server_name plex.alexmickelson.guru; - - location / { - proxy_pass http://host.docker.internal:32400; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } -} - server { listen 443 ssl; listen [::]:443 ssl; diff --git a/kubernetes/gitea/web.yml b/kubernetes/gitea/web.yml index 7801e95..aa894f8 100644 --- a/kubernetes/gitea/web.yml +++ b/kubernetes/gitea/web.yml @@ -15,7 +15,7 @@ spec: spec: containers: - name: gitea - image: docker.io/gitea/gitea:1.23 + image: docker.io/gitea/gitea:1.25 ports: - containerPort: 3000 - containerPort: 22 @@ -34,6 +34,8 @@ spec: value: "gitea" - name: GITEA__database__PASSWD value: wauiofnasufnweaiufbsdklfjb23456 + - name: GITEA__server__ROOT_URL + value: "https://gitea.alexmickelson.guru/" volumeMounts: - name: gitea-data mountPath: /data @@ -81,20 +83,21 @@ metadata: name: gitea namespace: projects annotations: - cert-manager.io/cluster-issuer: cloudflare-issuer # not really working with tailscale + cert-manager.io/cluster-issuer: cloudflare-issuer spec: - ingressClassName: tailscale + ingressClassName: nginx tls: - - hosts: - - gitea.alexmickelson.guru - secretName: gitea-tls-cert + - hosts: + - gitea.alexmickelson.guru + secretName: gitea-tls-cert2 rules: - - http: + - host: gitea.alexmickelson.guru + http: paths: - - path: / - pathType: Prefix - backend: - service: - name: gitea-web-svc - port: - number: 3000 \ No newline at end of file + - path: / + pathType: Prefix + backend: + service: + name: gitea-web-svc + port: + number: 3000 diff --git a/kubernetes/ingress/ingress-nginx.yml b/kubernetes/ingress/ingress-nginx.yml deleted file mode 100644 index 81dae7c..0000000 --- a/kubernetes/ingress/ingress-nginx.yml +++ /dev/null 
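Review bot: The new `GITEA__server__ROOT_URL` entry is added directly beneath `GITEA__database__PASSWD`, whose value is a plaintext password committed to the repository; since this env block is being edited anyway, move it to a Secret (`valueFrom: secretKeyRef: {name: gitea-db, key: password}`) and rotate the exposed value, because anyone who has read this repo already has it. The Deployment's `spec` continues outside the hunk.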
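Review bot: Changing `ingressClassName` from `tailscale` to `nginx` and requesting a certificate from `cloudflare-issuer` moves Gitea from tailnet-only reachability to whatever the nginx controller listens on, and nothing in the hunk records that this exposure change is intended; if Gitea should stay private, add `nginx.ingress.kubernetes.io/whitelist-source-range: "100.64.0.0/10"` (or the LAN range, assuming the controller sees real client IPs) to the annotations, otherwise document the decision in a comment above `ingressClassName: nginx`. The TLS secret is renamed to `gitea-tls-cert2`, which orphans the existing `gitea-tls-cert` Secret and its cert-manager Certificate — delete them or keep the original name. Only port 3000 is routed here; the Deployment's `containerPort: 22` (SSH) is not reachable through this Ingress, which may be fine but deserves a comment.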
@@ -1,782 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - name: ingress-nginx ---- -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - coordination.k8s.io - resourceNames: - - ingress-nginx-leader - resources: - - leases - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: 
- - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - 
app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - 
app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: v1 -data: - allow-snippet-annotations: "false" -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-controller - namespace: ingress-nginx -data: - allow-snippet-annotations: "true" -# http-snippet: | -# proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static-cache:2m max_size=100m inactive=7d use_temp_path=off; -# proxy_cache_key $scheme$proxy_host$request_uri; -# proxy_cache_lock on; -# proxy_cache_use_stale updating; ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: NodePort ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - ports: - - appProtocol: 
https - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: ClusterIP -# --- -# apiVersion: apps/v1 -# kind: Deployment -# metadata: -# labels: -# app.kubernetes.io/component: controller -# app.kubernetes.io/instance: ingress-nginx -# app.kubernetes.io/name: ingress-nginx -# app.kubernetes.io/part-of: ingress-nginx -# app.kubernetes.io/version: 1.10.0 -# name: ingress-nginx-controller -# namespace: ingress-nginx -# spec: -# minReadySeconds: 0 -# revisionHistoryLimit: 10 -# selector: -# matchLabels: -# app.kubernetes.io/component: controller -# app.kubernetes.io/instance: ingress-nginx -# app.kubernetes.io/name: ingress-nginx -# strategy: -# rollingUpdate: -# maxUnavailable: 1 -# type: RollingUpdate -# template: -# metadata: -# labels: -# app.kubernetes.io/component: controller -# app.kubernetes.io/instance: ingress-nginx -# app.kubernetes.io/name: ingress-nginx -# app.kubernetes.io/part-of: ingress-nginx -# app.kubernetes.io/version: 1.10.0 -# spec: -# hostNetwork: true -# containers: -# - args: -# - /nginx-ingress-controller -# - --election-id=ingress-nginx-leader -# - --controller-class=k8s.io/ingress-nginx -# - --ingress-class=nginx -# - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller -# - --validating-webhook=:8443 -# - --validating-webhook-certificate=/usr/local/certificates/cert -# - --validating-webhook-key=/usr/local/certificates/key -# - --enable-metrics=false -# env: -# - name: POD_NAME -# valueFrom: -# fieldRef: -# fieldPath: metadata.name -# - name: POD_NAMESPACE -# valueFrom: -# fieldRef: -# fieldPath: metadata.namespace -# - name: LD_PRELOAD -# value: /usr/local/lib/libmimalloc.so -# image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c -# imagePullPolicy: IfNotPresent -# lifecycle: -# preStop: -# exec: -# command: -# - 
/wait-shutdown -# livenessProbe: -# failureThreshold: 5 -# httpGet: -# path: /healthz -# port: 10254 -# scheme: HTTP -# initialDelaySeconds: 10 -# periodSeconds: 10 -# successThreshold: 1 -# timeoutSeconds: 1 -# name: controller -# ports: -# - containerPort: 80 -# name: http -# protocol: TCP -# - containerPort: 443 -# name: https -# protocol: TCP -# - containerPort: 8443 -# name: webhook -# protocol: TCP -# readinessProbe: -# failureThreshold: 3 -# httpGet: -# path: /healthz -# port: 10254 -# scheme: HTTP -# initialDelaySeconds: 10 -# periodSeconds: 10 -# successThreshold: 1 -# timeoutSeconds: 1 -# resources: -# requests: -# cpu: 100m -# memory: 90Mi -# securityContext: -# allowPrivilegeEscalation: false -# capabilities: -# add: -# - NET_BIND_SERVICE -# drop: -# - ALL -# readOnlyRootFilesystem: false -# runAsNonRoot: true -# runAsUser: 101 -# seccompProfile: -# type: RuntimeDefault -# volumeMounts: -# - mountPath: /usr/local/certificates/ -# name: webhook-cert -# readOnly: true -# dnsPolicy: ClusterFirst -# nodeSelector: -# kubernetes.io/os: linux -# serviceAccountName: ingress-nginx -# terminationGracePeriodSeconds: 300 -# volumes: -# - name: webhook-cert -# secret: -# secretName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission-create - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc 
- - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334 - imagePullPolicy: IfNotPresent - name: create - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - spec: - hostNetwork: true - containers: - - args: - - /nginx-ingress-controller - - --election-id=ingress-nginx-leader - - --controller-class=k8s.io/ingress-nginx - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - - --enable-metrics=false - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD 
- value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 80 - name: http - protocol: TCP - - containerPort: 443 - name: https - protocol: TCP - - containerPort: 8443 - name: webhook - protocol: TCP - readinessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 90Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 101 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true - dnsPolicy: ClusterFirst - nodeSelector: - # kubernetes.io/hostname: alex-office2 - kubernetes.io/os: linux - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission-patch - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission-patch - 
spec: - containers: - - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334 - imagePullPolicy: IfNotPresent - name: patch - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: nginx -spec: - controller: k8s.io/ingress-nginx ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.10.0 - name: ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: ingress-nginx-controller-admission - namespace: ingress-nginx - path: /networking/v1/ingresses - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None 
diff --git a/kubernetes/jellyfin/deployment.yml b/kubernetes/jellyfin/deployment.yml index a61dc76..fcdcbbe 100644 --- a/kubernetes/jellyfin/deployment.yml +++ b/kubernetes/jellyfin/deployment.yml @@ -13,13 +13,18 @@ spec: labels: app: jellyfin spec: + hostNetwork: true containers: - name: jellyfin image: jellyfin/jellyfin securityContext: runAsUser: 1000 runAsGroup: 1000 + supplementalGroups: + - 303 # render group for GPU access volumeMounts: + - name: dri-device + mountPath: /dev/dri/renderD128 - name: config-volume mountPath: /config - name: cache-volume @@ -52,4 +57,8 @@ spec: - name: tvshows-volume hostPath: path: /data/jellyfin/tvshows - restartPolicy: Always \ No newline at end of file + - name: dri-device + hostPath: + path: /dev/dri/renderD128 + type: CharDevice + restartPolicy: Always diff --git a/kubernetes/jellyfin/ingress.yml b/kubernetes/jellyfin/ingress.yml index 5416f72..b9c1b0c 100644 --- a/kubernetes/jellyfin/ingress.yml +++ b/kubernetes/jellyfin/ingress.yml @@ -1,14 +1,14 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: jellyfin-ingress - namespace: projects -spec: - rules: - - host: jellyfin.alexmickelson.guru - http: - paths: - - path: / - backend: - service: jellyfin - port: 8096 \ No newline at end of file +# apiVersion: networking.k8s.io/v1 +# kind: Ingress +# metadata: +# name: jellyfin-ingress +# namespace: projects +# spec: +# rules: +# - host: jellyfin.alexmickelson.guru +# http: +# paths: +# - path: / +# backend: +# service: jellyfin +# port: 8096 \ No newline at end of file diff --git a/kubernetes/jellyfin/service.yml b/kubernetes/jellyfin/service.yml index 5fbd4ca..7e753d3 100644 --- a/kubernetes/jellyfin/service.yml +++ b/kubernetes/jellyfin/service.yml 
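Review bot: `hostNetwork: true` places the Jellyfin pod in the node's network namespace — bypassing NetworkPolicy, allowing it to bind any host port and reach node-local services — and it is not required for the `/dev/dri/renderD128` passthrough the rest of this hunk adds; if it was introduced for DLNA/client discovery, prefer explicit `hostPort` entries for those UDP ports under `ports:` with a comment saying why, and set `automountServiceAccountToken: false` on the pod spec since a media server has no use for an API token. The `303 # render group for GPU access` GID is node-specific; extend the comment to say it must match `getent group render` on the node, because a mismatch silently denies device access rather than failing the pod. Whether a plain `hostPath` char device is usable from an unprivileged container depends on the runtime's device-cgroup policy, so confirm hardware transcoding actually engages instead of falling back to software. The container `image: jellyfin/jellyfin` has no tag or digest (pre-existing context, not introduced here).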
@@ -10,4 +10,18 @@ spec: - protocol: TCP port: 8096 targetPort: 8096 - type: ClusterIP \ No newline at end of file + nodePort: 30096 + type: NodePort +# apiVersion: v1 +# kind: Service +# metadata: +# name: jellyfin +# namespace: projects +# spec: +# selector: +# app: jellyfin +# ports: +# - protocol: TCP +# port: 8096 +# targetPort: 8096 +# type: ClusterIP \ No newline at end of file diff --git a/kubernetes/proxy-ingress/audiobook-proxy-ingress.yml b/kubernetes/proxy-ingress/audiobook-proxy-ingress.yml index ebd11fc..43b3958 100644 --- a/kubernetes/proxy-ingress/audiobook-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/audiobook-proxy-ingress.yml @@ -8,7 +8,7 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: + - hosts: - audiobook.alexmickelson.guru secretName: audiobookshelf-tls-cert rules: @@ -19,15 +19,35 @@ spec: pathType: Prefix backend: service: - name: audiobookshelf-service + name: audiobookshelf port: number: 13378 --- apiVersion: v1 kind: Service metadata: - name: audiobookshelf-service + name: audiobookshelf namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 + ports: + - port: 13378 + targetPort: 13378 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: audiobookshelf + namespace: projects + labels: + kubernetes.io/service-name: audiobookshelf +addressType: IPv4 +ports: +- name: http + port: 13378 + protocol: TCP +endpoints: +- addresses: + - 100.122.128.107 + conditions: + ready: true diff --git a/kubernetes/proxy-ingress/copilot-proxy-ingress.yml b/kubernetes/proxy-ingress/copilot-proxy-ingress.yml new file mode 100644 index 0000000..509d511 --- /dev/null +++ b/kubernetes/proxy-ingress/copilot-proxy-ingress.yml 
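Review bot: `type: NodePort` with `nodePort: 30096` exposes Jellyfin on port 30096 of every node interface, while the same commit's Deployment change (`hostNetwork: true`) already has the container listening on the host's 8096 and `kubernetes/proxy-ingress/jellyfin-proxy-ingress.yml` forwards to `100.122.128.107:8096` rather than to this Service — so the NodePort appears to be a third, undocumented path into the same server. If it is needed for LAN clients, add a comment above `nodePort: 30096` saying so; otherwise keep `type: ClusterIP`. The previous ClusterIP definition left commented out beneath the live one is dead text and should be removed rather than retained.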
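Review bot: The selector-less `Service` `audiobookshelf` declares an unnamed port while the hand-written `EndpointSlice` names its port `http`; as far as I can tell kube-proxy pairs slice ports with Service ports by name, so the ClusterIP would have no endpoints even though ingress-nginx, which appears to resolve by target port number, may still route — add `- name: http` above `port: 13378` on the Service so the two agree. Replacing `type: ExternalName` with a Service plus manual EndpointSlice also copies the backend address `100.122.128.107` into every proxy-ingress file; a one-line comment naming which host that tailnet address is would help whoever has to rotate it.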
@@ -0,0 +1,53 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: copilot-ingress + namespace: projects + annotations: + cert-manager.io/cluster-issuer: cloudflare-issuer +spec: + ingressClassName: nginx + tls: + - hosts: + - copilot.alexmickelson.guru + secretName: copilot-tls-cert + rules: + - host: copilot.alexmickelson.guru + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: copilot + port: + number: 4444 +--- +apiVersion: v1 +kind: Service +metadata: + name: copilot + namespace: projects +spec: + ports: + - port: 4444 + targetPort: 4444 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: copilot + namespace: projects + labels: + kubernetes.io/service-name: copilot +addressType: IPv4 +ports: +- name: http + port: 4444 + protocol: TCP +endpoints: +- addresses: + - 100.122.128.107 + conditions: + ready: true diff --git a/kubernetes/proxy-ingress/grafana-proxy-ingress.yml b/kubernetes/proxy-ingress/grafana-proxy-ingress.yml index 0127788..cc4af56 100644 --- a/kubernetes/proxy-ingress/grafana-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/grafana-proxy-ingress.yml @@ -8,7 +8,7 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: + - hosts: - grafana.alexmickelson.guru secretName: grafana-tls-cert rules: @@ -19,15 +19,35 @@ spec: pathType: Prefix backend: service: - name: grafana-service + name: grafana port: number: 3000 --- apiVersion: v1 kind: Service metadata: - name: grafana-service + name: grafana namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: grafana + namespace: projects + labels: + kubernetes.io/service-name: grafana +addressType: IPv4 +ports: +- name: http + port: 3000 + protocol: TCP +endpoints: +- addresses: + - 100.122.128.107 + conditions: + ready: true 
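Review bot: The new Ingress for `copilot.alexmickelson.guru` carries no `whitelist-source-range`, `auth-url` or basic-auth annotation, so the service on `100.122.128.107:4444` is published on the public nginx class with a cert-manager certificate and nothing in this file restricts who can call it; if that backend is an API shim that relies on the COPILOT_TOKEN held in the workflow rather than authenticating its own callers, anyone who resolves the name can use it and its quota. Add `nginx.ingress.kubernetes.io/whitelist-source-range` or an auth annotation, or keep it on a private ingress class, and state which in a comment above `ingressClassName: nginx`. As in the sibling files, the Service port is unnamed while the EndpointSlice port is `http`; name the Service port (`- name: http`) so kube-proxy can match them.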
diff --git a/kubernetes/proxy-ingress/ha-proxy-ingress.yml b/kubernetes/proxy-ingress/ha-proxy-ingress.yml index 2332c20..bb310d1 100644 --- a/kubernetes/proxy-ingress/ha-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/ha-proxy-ingress.yml @@ -8,7 +8,7 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: + - hosts: - ha.alexmickelson.guru secretName: ha-tls-cert rules: @@ -19,15 +19,35 @@ spec: pathType: Prefix backend: service: - name: home-assistant-service + name: home-assistant port: number: 8123 --- apiVersion: v1 kind: Service metadata: - name: home-assistant-service + name: home-assistant namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 + ports: + - port: 8123 + targetPort: 8123 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: home-assistant + namespace: projects + labels: + kubernetes.io/service-name: home-assistant +addressType: IPv4 +ports: +- name: http + port: 8123 + protocol: TCP +endpoints: +- addresses: + - 100.122.128.107 + conditions: + ready: true diff --git a/kubernetes/proxy-ingress/homepage-proxy-ingress.yml b/kubernetes/proxy-ingress/homepage-proxy-ingress.yml index 444ef0f..5bdcd10 100644 --- a/kubernetes/proxy-ingress/homepage-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/homepage-proxy-ingress.yml 
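Review bot: Home Assistant rejects proxied requests unless its `http:` configuration sets `use_x_forwarded_for: true` and lists the proxy in `trusted_proxies`; that file lives on the `100.122.128.107` host outside this repo's view, so confirm it includes the address the ingress-nginx pods connect from (the node IP, if the controller still runs with `hostNetwork` as the removed manifest did) — otherwise every request through `ha.alexmickelson.guru` gets a 400, and if `trusted_proxies` is made too broad HA's login-attempt IP bans will act on the wrong client address. A short comment above `host: ha.alexmickelson.guru` pointing at that prerequisite would save the next person the debugging. The Service port is unnamed while the EndpointSlice port is `http`; add `- name: http` on the Service so kube-proxy matches them as well.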
@@ -8,26 +8,46 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - home.alexmickelson.guru - secretName: home-tls-cert + - hosts: + - home.alexmickelson.guru + secretName: home-tls-cert rules: - - host: home.alexmickelson.guru - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: homepage-service - port: - number: 3001 + - host: home.alexmickelson.guru + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: homepage + port: + number: 3001 --- apiVersion: v1 kind: Service metadata: - name: homepage-service + name: homepage namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 + ports: + - port: 3001 + targetPort: 3001 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: homepage + namespace: projects + labels: + kubernetes.io/service-name: homepage +addressType: IPv4 +ports: + - name: http + port: 3001 + protocol: TCP +endpoints: + - addresses: + - 100.122.128.107 + conditions: + ready: true diff --git a/kubernetes/proxy-ingress/immich-proxy-ingress.yml b/kubernetes/proxy-ingress/immich-proxy-ingress.yml index 46d6a0e..f1f8dd6 100644 --- a/kubernetes/proxy-ingress/immich-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/immich-proxy-ingress.yml 
@@ -12,26 +12,46 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - photos.alexmickelson.guru - secretName: immich-tls-cert + - hosts: + - photos.alexmickelson.guru + secretName: immich-tls-cert rules: - - host: photos.alexmickelson.guru - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: immich-service - port: - number: 2283 + - host: photos.alexmickelson.guru + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: immich + port: + number: 2283 --- apiVersion: v1 kind: Service metadata: - name: immich-service + name: immich namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 + ports: + - port: 2283 + targetPort: 2283 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: immich + namespace: projects + labels: + kubernetes.io/service-name: immich +addressType: IPv4 +ports: + - name: http + port: 2283 + protocol: TCP +endpoints: + - addresses: + - 100.122.128.107 + conditions: + ready: true diff --git a/kubernetes/proxy-ingress/jellyfin-proxy-ingress.yml b/kubernetes/proxy-ingress/jellyfin-proxy-ingress.yml index a87f414..baa9178 100644 --- a/kubernetes/proxy-ingress/jellyfin-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/jellyfin-proxy-ingress.yml 
@@ -8,26 +8,46 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - jellyfin.alexmickelson.guru - secretName: jellyfin-tls-cert + - hosts: + - jellyfin.alexmickelson.guru + secretName: jellyfin-tls-cert rules: - - host: jellyfin.alexmickelson.guru - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: jellyfin-service - port: - number: 8096 + - host: jellyfin.alexmickelson.guru + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: jellyfin + port: + number: 8096 --- apiVersion: v1 kind: Service metadata: - name: jellyfin-service + name: jellyfin namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 \ No newline at end of file + ports: + - port: 8096 + targetPort: 8096 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: jellyfin + namespace: projects + labels: + kubernetes.io/service-name: jellyfin +addressType: IPv4 +ports: + - name: http + port: 8096 + protocol: TCP +endpoints: + - addresses: + - 100.122.128.107 + conditions: + ready: true diff --git a/kubernetes/proxy-ingress/musicassistant-proxy-ingress.yml b/kubernetes/proxy-ingress/musicassistant-proxy-ingress.yml index 94fb76d..b6efc73 100644 --- a/kubernetes/proxy-ingress/musicassistant-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/musicassistant-proxy-ingress.yml 
@@ -8,26 +8,46 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - sound.alexmickelson.guru - secretName: sound-tls-cert + - hosts: + - sound.alexmickelson.guru + secretName: sound-tls-cert rules: - - host: sound.alexmickelson.guru - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: musicassistant-service - port: - number: 8095 + - host: sound.alexmickelson.guru + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: musicassistant + port: + number: 8095 --- apiVersion: v1 kind: Service metadata: - name: musicassistant-service + name: musicassistant namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 + ports: + - port: 8095 + targetPort: 8095 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: musicassistant + namespace: projects + labels: + kubernetes.io/service-name: musicassistant +addressType: IPv4 +ports: + - name: http + port: 8095 + protocol: TCP +endpoints: + - addresses: + - 100.122.128.107 + conditions: + ready: true diff --git a/kubernetes/proxy-ingress/nextcloud-proxy-ingress.yml b/kubernetes/proxy-ingress/nextcloud-proxy-ingress.yml index 54e6131..d534bb0 100644 --- a/kubernetes/proxy-ingress/nextcloud-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/nextcloud-proxy-ingress.yml 
@@ -5,41 +5,61 @@ metadata: namespace: projects annotations: cert-manager.io/cluster-issuer: cloudflare-issuer - nginx.ingress.kubernetes.io/proxy-body-size: 51200m + nginx.ingress.kubernetes.io/proxy-body-size: 51200m nginx.ingress.kubernetes.io/server-snippet: |- - server_tokens off; - proxy_hide_header X-Powered-By; + server_tokens off; + proxy_hide_header X-Powered-By; nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For nginx.ingress.kubernetes.io/enable-cors: "true" nginx.ingress.kubernetes.io/proxy-buffer-size: 225m nginx.ingress.kubernetes.io/proxy-buffering: "on" - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" nginx.ingress.kubernetes.io/proxy-request-buffering: "on" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "60" + nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" spec: ingressClassName: nginx tls: - - hosts: - - next.alexmickelson.guru - secretName: nextcloud-tls-cert + - hosts: + - next.alexmickelson.guru + secretName: nextcloud-tls-cert rules: - - host: next.alexmickelson.guru - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: nextcloud-service - port: - number: 9001 + - host: next.alexmickelson.guru + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: nextcloud + port: + number: 9001 --- apiVersion: v1 kind: Service metadata: - name: nextcloud-service + name: nextcloud namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 + ports: + - port: 9001 + targetPort: 9001 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: nextcloud + namespace: projects + labels: + kubernetes.io/service-name: nextcloud +addressType: IPv4 +ports: + - name: http + port: 9001 + protocol: TCP +endpoints: + - addresses: + - 100.122.128.107 + conditions: + ready: true 
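Review bot: The `server-snippet` annotation re-indented in this hunk is a controller-wide trust decision rather than a per-Ingress one: snippet annotations only take effect when ingress-nginx runs with `controller.allowSnippetAnnotations=true` and `annotations-risk-level=Critical` (the flags the readme change further down this page sets), and that setting lets any Ingress in the cluster inject raw nginx configuration. A comment above the annotation — `# requires controller.allowSnippetAnnotations=true and annotations-risk-level=Critical (kubernetes/readme.md)` — would record that dependency next to the one object that needs it. The rewrite of `proxy-connect-timeout` from `60s` to `"60"` matches the bare-seconds form the sibling `proxy-read-timeout`/`proxy-send-timeout` already use; `51200m` and `225m` parse as plain strings and need no quoting. The metadata block starts before this hunk.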
diff --git a/kubernetes/proxy-ingress/prometheus-proxy-ingress.yml b/kubernetes/proxy-ingress/prometheus-proxy-ingress.yml index 0b040fe..3a031e1 100644 --- a/kubernetes/proxy-ingress/prometheus-proxy-ingress.yml +++ b/kubernetes/proxy-ingress/prometheus-proxy-ingress.yml @@ -8,26 +8,46 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - prometheus.alexmickelson.guru - secretName: prometheus-tls-cert + - hosts: + - prometheus.alexmickelson.guru + secretName: prometheus-tls-cert rules: - - host: prometheus.alexmickelson.guru - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: prometheus-service - port: - number: 9091 + - host: prometheus.alexmickelson.guru + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: prometheus + port: + number: 9091 --- apiVersion: v1 kind: Service metadata: - name: prometheus-service + name: prometheus namespace: projects spec: - type: ExternalName - externalName: 100.122.128.107 + ports: + - port: 9091 + targetPort: 9091 + protocol: TCP +--- +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + name: prometheus + namespace: projects + labels: + kubernetes.io/service-name: prometheus +addressType: IPv4 +ports: + - name: http + port: 9091 + protocol: TCP +endpoints: + - addresses: + - 100.122.128.107 + conditions: + ready: true diff --git a/kubernetes/readme.md b/kubernetes/readme.md index eaac337..151f30c 100644 --- a/kubernetes/readme.md +++ b/kubernetes/readme.md 
@@ -34,8 +34,33 @@ Currently clouflare domains cannot be CNAME'd to tailscale domains: ## Kubernetes ingress controller -I had to modify the base ingress to allow for use on 80 and 443. There should be a way to do this with helm, but I can never quite get it to work + + +ingress + +```bash +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm repo update + +helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \ + --namespace ingress-nginx \ + --create-namespace \ + --set controller.kind=DaemonSet \ + --set controller.hostPort.enabled=true \ + --set controller.hostPort.ports.http=80 \ + --set controller.hostPort.ports.https=443 \ + --set controller.service.type=NodePort \ + --set controller.allowSnippetAnnotations=true \ + --set controller.config.annotations-risk-level=Critical \ + --set controller.metrics.enabled=false \ + --set controller.ingressClassResource.default=true +``` + + + + diff --git a/nix/ai-server-1.nix b/nix/ai-server-1.nix index e8ca66c..e322a9d 100644 --- a/nix/ai-server-1.nix +++ b/nix/ai-server-1.nix @@ -122,7 +122,7 @@ dbus - + # protontricks stuff? freetype # freetype.bin fontconfig @@ -131,6 +131,8 @@ zlib quickemu + + git-lfs ]; programs.nix-ld.enable = true; diff --git a/nix/ai-vm.nix b/nix/ai-vm.nix index e37d143..64d6634 100644 --- a/nix/ai-vm.nix +++ b/nix/ai-vm.nix @@ -72,6 +72,7 @@ git tmux vscode + zip ]; }; home-manager.users.alex = { pgks, ...}: { diff --git a/nix/alex-desktop.nix b/nix/alex-desktop.nix index 6ac4671..2cafd6b 100644 --- a/nix/alex-desktop.nix +++ b/nix/alex-desktop.nix @@ -9,8 +9,7 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "alex-desktop"; # Define your hostname. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.hostName = "alex-desktop"; nix.settings.experimental-features = [ "nix-command" "flakes" ]; networking.networkmanager.enable = true; 
@@ -50,8 +49,21 @@ alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; + + wireplumber = { + enable = true; + + extraConfig = { + "disable-x11" = { + "wireplumber.settings" = { + "support.x11" = false; + }; + }; + }; + }; }; + users.users.alex = { isNormalUser = true; description = "alex"; @@ -73,6 +85,7 @@ services.fwupd.enable = true; hardware.enableAllFirmware = true; hardware.firmware = with pkgs; [ linux-firmware ]; + programs.nix-ld.enable = true; nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ @@ -91,7 +104,6 @@ mangohud mlocate - wineWowPackages.stable wine (wine.override { wineBuild = "wine64"; }) @@ -99,20 +111,13 @@ wineWowPackages.staging winetricks wineWowPackages.waylandFull - # woeusb ntfs3g - # (lutris.override { - # extraLibraries = pkgs: [ - # # List library dependencies here - # ]; - # extraPkgs = pkgs: [ - # # List package dependencies here - # ]; - # }) - mesa-gl-headers mesa driversi686Linux.mesa + mesa-demos + + android-tools ]; services.tailscale.enable = true; services.openssh.enable = true; @@ -122,20 +127,6 @@ programs.fish.enable = true; services.flatpak.enable = true; hardware.steam-hardware.enable = true; - programs.adb.enable = true; # graphene - - # programs.gamescope = { - # enable = true; - # capSysNice = true; - # }; - # programs.gamemode.enable = true; - # programs.steam = { - # enable = true; - # gamescopeSession.enable = true; - # remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play - # dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server - # localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers - # }; networking.firewall.enable = false; hardware.graphics = { @@ -143,7 +134,6 @@ enable = true; }; - fileSystems."/steam-data" = { device = "/dev/disk/by-uuid/437358fd-b9e4-46e2-bd45-f6b368acaac1"; 
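Review bot: `android-tools` is added to `environment.systemPackages` in the `@@ -99,20` hunk while `programs.adb.enable = true` is deleted in the hunk after it; the NixOS `programs.adb` module does more than install that package — it also ships the Android udev rules and the `adbusers` group — so after this change adb over USB may only work as root unless those rules come from somewhere else. Either keep `programs.adb.enable = true;` next to the package or add `services.udev.packages = [ pkgs.android-udev-rules ];` and check the user is still in `adbusers`. The `systemPackages` list begins before the hunk.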
@@ -155,6 +145,21 @@ boot.zfs.extraPools = [ "data" "data2" ]; + systemd.timers."nix-garbage-collect-weekly" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "weekly"; + Persistent = true; + }; + }; + + systemd.services."nix-garbage-collect-weekly" = { + serviceConfig = { + Type = "oneshot"; + ExecStart = "/run/current-system/sw/bin/nix-collect-garbage --delete-older-than 7d"; + }; + }; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nix/flakes/opencode/flake.lock b/nix/flakes/opencode/flake.lock index ad7d10e..c8fb9e9 100644 --- a/nix/flakes/opencode/flake.lock +++ b/nix/flakes/opencode/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759520764, - "narHash": "sha256-jERdfBm1rQc9qAdPi1lMEv9inEl7kvvnXCst//ZD2Yc=", + "lastModified": 1767726775, + "narHash": "sha256-mpA/pevxXJzu/5rbdb7u0BzgEJCDDQd1EZ3oyyOo8VI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bcbcd4e5a8cb24199859dd73e448494c8c7d55cb", + "rev": "f8ce89e3edbc488a5b17c559ad55f083282420e9", "type": "github" }, "original": { diff --git a/nix/flakes/opencode/flake.nix b/nix/flakes/opencode/flake.nix index f57834d..da0992b 100644 --- a/nix/flakes/opencode/flake.nix +++ b/nix/flakes/opencode/flake.nix @@ -19,6 +19,7 @@ }; models = { "gpt-oss-120b" = { }; + "devstral-123b" = { }; }; }; home = { diff --git a/nix/home-manager/alex.home.nix b/nix/home-manager/alex.home.nix index ba9488e..f21e53d 100644 --- a/nix/home-manager/alex.home.nix +++ b/nix/home-manager/alex.home.nix @@ -29,6 +29,10 @@ programs.direnv = { enable = true; }; + programs.ghostty = { + enable = true; + enableFishIntegration = true; + }; home.sessionVariables = { EDITOR = "vim"; }; 
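Review bot: The `nix-garbage-collect-weekly` timer and service added in the alex-desktop hunk re-implement what NixOS already exposes as `nix.gc`, and the identical pair exists in nix/home-server.nix (visible later on this page); `nix.gc.automatic = true;`, `nix.gc.dates = "weekly";` and `nix.gc.options = "--delete-older-than 7d";` express the same policy, with `nix.gc.persistent` covering the `Persistent = true` setting. If the hand-written unit is kept, `ExecStart` should point at `${pkgs.nix}/bin/nix-collect-garbage` (or `config.nix.package`, if `config` is in scope here) rather than `/run/current-system/sw/bin`, so the unit does not depend on the system profile symlink being present. A one-line comment noting that generations older than seven days are deleted, and so can no longer be rolled back to, would also help.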
@@ -58,6 +62,8 @@ export DOTNET_WATCH_RESTART_ON_RUDE_EDIT=1 export DOTNET_CLI_TELEMETRY_OPTOUT=1 set -x LIBVIRT_DEFAULT_URI qemu:///system +alias blue="bluetui" +alias jelly="jellyfin-tui" ''; }; home.file = { diff --git a/nix/home-manager/desktop.home.nix b/nix/home-manager/desktop.home.nix index dc8b5af..b75c917 100644 --- a/nix/home-manager/desktop.home.nix +++ b/nix/home-manager/desktop.home.nix @@ -20,11 +20,21 @@ ffmpeg gh bitwarden-desktop + jellyfin-tui + bluetui + nexusmods-app-unfree ]; programs.ghostty = { enable = true; enableFishIntegration = true; + settings = { + window-inherit-working-directory = "false"; + theme = "Atom"; + font-size = 14; + window-height = 30; + window-width = 100; + }; }; fonts.fontconfig.enable = true; diff --git a/nix/home-manager/server.home.nix b/nix/home-manager/server.home.nix index bbc9a06..b92931c 100644 --- a/nix/home-manager/server.home.nix +++ b/nix/home-manager/server.home.nix @@ -5,5 +5,6 @@ opencode quickemu tree + kubernetes-helm ]; } \ No newline at end of file diff --git a/nix/home-manager/work.home.nix b/nix/home-manager/work.home.nix index d0d1a96..655c0b6 100644 --- a/nix/home-manager/work.home.nix +++ b/nix/home-manager/work.home.nix @@ -2,6 +2,8 @@ let opencodeFlake = builtins.getFlake (toString ../flakes/opencode); + monitorTuiFlake = builtins.getFlake (toString ../../monitors/monitor-tui-rs); + zenBrowserFlake = builtins.getFlake "github:youwen5/zen-browser-flake"; nixgl = import (fetchTarball "https://github.com/nix-community/nixGL/archive/main.tar.gz") { }; 
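Review bot: `zenBrowserFlake = builtins.getFlake "github:youwen5/zen-browser-flake"` carries no revision, so each evaluation fetches whatever that repository's default branch points to at the time: the build is not reproducible, and the browser this configuration installs is trusted to whoever can push to that branch, with no lock file recording what was actually built. Pin it to a commit — `builtins.getFlake "github:youwen5/zen-browser-flake/<pinned-rev>"` — or declare it as a flake input so a `flake.lock` captures the hash, as the `opencode` flake on this page already has; the `fetchTarball` of nixGL's `main.tar.gz` on the following line has the same exposure and could take a `sha256` at the same time. `monitorTuiFlake` is a path inside the repository and is fine.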
@@ -50,10 +52,13 @@ in { firefoxpwa bluetui #nixfmt-classic - opencodeFlake.packages.${system}.opencode + opencodeFlake.packages.${pkgs.stdenv.hostPlatform.system}.opencode + monitorTuiFlake.packages.${pkgs.stdenv.hostPlatform.system}.default + (config.lib.nixGL.wrap zenBrowserFlake.packages.${pkgs.stdenv.hostPlatform.system}.default) bitwarden-desktop wiremix - moonlight-qt + (config.lib.nixGL.wrap moonlight-qt) + nvtopPackages.amd # jan # texlivePackages.jetbrainsmono-otf # nerd-fonts.fira-code @@ -69,7 +74,17 @@ in { }; programs.direnv = { enable = true; }; - programs.ghostty = { enable = true; }; + programs.ghostty = { + enable = true; + enableFishIntegration = true; + settings = { + window-inherit-working-directory = "false"; + theme = "Atom"; + font-size = "18"; + window-height = "30"; + window-width = "120"; + }; + }; programs.fish = { enable = true; shellInit = '' @@ -106,6 +121,8 @@ in { set -x LIBVIRT_DEFAULT_URI qemu:///system set -x TERM xterm-256color # ghostty + source "$HOME/.cargo/env.fish" + export SSH_AUTH_SOCK=/home/alexm/.bitwarden-ssh-agent.sock # ssh agent ''; }; @@ -193,6 +210,28 @@ in { Terminal=false Categories=Network;WebBrowser; ''; + ".local/share/applications/zen-browser.desktop".text = '' + [Desktop Entry] + Version=1.0 + Type=Application + Name=Zen Browser + Comment=A calmer Firefox-based browser + Exec=nixGLIntel zen + Icon=${zenBrowserFlake.packages.${pkgs.stdenv.hostPlatform.system}.default}/share/icons/hicolor/128x128/apps/zen.png + Terminal=false + Categories=Network;WebBrowser; + MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https; + StartupWMClass=zen + Actions=new-window;new-private-window; + + [Desktop Action new-window] + Name=Open a New Window + Exec=nixGLIntel zen --new-window + + [Desktop Action new-private-window] + Name=Open a New Private Window + Exec=nixGLIntel zen --private-window + ''; }; home.sessionVariables = { EDITOR = "vim"; }; 
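Review bot: `source "$HOME/.cargo/env.fish"` in the fish `shellInit` hunk (`@@ -106,6 +121,8`) is unguarded, so on any machine where rustup has not written that file every interactive shell opens with a sourcing error; `test -f "$HOME/.cargo/env.fish"; and source "$HOME/.cargo/env.fish"` keeps it silent. The `SSH_AUTH_SOCK` export on the next line hard-codes `/home/alexm` while the surrounding lines use `$HOME`; `$HOME/.bitwarden-ssh-agent.sock` keeps the file usable under another username. In the `@@ -69,7 +74,17` hunk the ghostty `font-size`, `window-height` and `window-width` values are strings where desktop.home.nix (earlier on this page) uses integers for the same keys; pick one so the two files stay comparable. The `shellInit` block starts and ends outside its hunk.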
@@ -222,6 +261,5 @@ in { package = pkgs.gnome-themes-extra; }; }; - # Let Home Manager install and manage itself. programs.home-manager.enable = true; } diff --git a/nix/home-server.nix b/nix/home-server.nix index a4e42f5..8e2546a 100644 --- a/nix/home-server.nix +++ b/nix/home-server.nix @@ -58,6 +58,9 @@ description = "github"; extraGroups = [ "docker" ]; shell = pkgs.fish; + packages = with pkgs; [ + kubernetes-helm + ]; }; users.users.alex = { isNormalUser = true; @@ -75,7 +78,7 @@ home-manager.useGlobalPkgs = true; services.fwupd.enable = true; - systemd.timers."nix-garbage-collect-weekly" = { + systemd.timers."nix-garbage-collect-weekly" = { wantedBy = [ "timers.target" ]; timerConfig = { OnCalendar = "weekly"; @@ -167,13 +170,6 @@ package = pkgs.qemu_kvm; runAsRoot = true; swtpm.enable = true; - ovmf = { - enable = true; - packages = [ pkgs.OVMFFull.fd ]; - # packages = [ - # (pkgs.OVMF.override { secureBoot = true; tpmSupport = true; }).fd - # ]; - }; }; }; networking.interfaces.enp5s0.useDHCP = true; 
@@ -183,19 +179,14 @@ interfaces = [ "enp5s0" ]; }; }; - - # not working yet, in theory simplifies xml for vm - # environment.etc."qemu/edk2-x86_64-secure-code.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_CODE.secboot.fd"; - # environment.etc."qemu/edk2-i386-vars.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_VARS.fd"; - - # environment.etc."qemu/edk2-x86_64-secure-code.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_CODE.secboot.fd"; - # environment.etc."qemu/edk2-x86_64-secure-vars.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_VARS.secboot.fd"; - + environment.etc = { "qemu/edk2-x86_64-secure-code.fd".source = - lib.mkForce "${pkgs.OVMF.fd}/FV/OVMF_CODE.ms.fd"; + lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_CODE.ms.fd"; "qemu/edk2-x86_64-secure-vars.fd".source = - lib.mkForce "${pkgs.OVMF.fd}/FV/OVMF_VARS.ms.fd"; + lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_VARS.ms.fd"; + "qemu/OVMF_VARS.fd".source = + lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_VARS.fd"; }; systemd.tmpfiles.rules = [ "d /var/lib/libvirt/qemu/nvram 0755 root root -" @@ -209,7 +200,7 @@ boot.supportedFilesystems = [ "zfs" ]; boot.zfs.forceImportRoot = false; networking.hostId = "eafe9551"; - boot.zfs.extraPools = [ "data-ssd" "backup" "vms" "vms-2" ]; + boot.zfs.extraPools = [ "data-ssd" "backup" "vms-2" "vms-3" ]; services.sanoid = { enable = true; templates.production = { @@ -266,7 +257,6 @@ tokenFile = "/data/runner/github-infrastructure-token.txt"; url = "https://github.com/alexmickelson/infrastructure"; extraLabels = [ "home-server" ]; - #workDir = "/data/runner/infrastructure/"; replace = true; serviceOverrides = { ReadWritePaths = [ @@ -281,12 +271,8 @@ ProtectSystem = false; PrivateMounts = false; PrivateUsers = false; - #DynamicUser = true; - #NoNewPrivileges = false; ProtectHome = false; - #RuntimeDirectoryPreserve = "yes"; Restart = lib.mkForce "always"; - #RuntimeMaxSec = "7d"; }; extraPackages = with pkgs; [ docker 
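Review bot: The three `environment.etc."qemu/..."` entries would read better with a comment saying which libvirt firmware descriptor each one serves — `# *.ms.fd: Secure Boot firmware/vars with vendor keys pre-enrolled (presumably the Microsoft set); OVMF_VARS.fd: non-Secure-Boot vars template` — especially now that the commented-out experiments explaining the history are deleted in this hunk. `lib.mkForce` on all three implies another module also defines these paths; naming it in the comment would spare the next reader a search. Switching from `pkgs.OVMF.fd` to `pkgs.OVMFFull.fd` lines these entries up with the `packages = [ pkgs.OVMFFull.fd ]` that the `ovmf` block deleted in the previous hunk used to name; confirm that the libvirtd module's default OVMF package, which that deletion now falls back to, is the same build.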
@@ -295,18 +281,13 @@ sanoid mbuffer lzop + kubectl + kubernetes-helm ]; }; }; - # services.cron = { - # enable = true; - # systemCronJobs = [ - # "*/5 * * * * root date >> /tmp/cron.log" - # ]; - # }; networking.firewall.enable = false; - # networking.firewall.trustedInterfaces = [ "docker0" ]; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/modules/k3s.nix b/nix/modules/k3s.nix index 4e9c4d4..b5d14d6 100644 --- a/nix/modules/k3s.nix +++ b/nix/modules/k3s.nix @@ -6,11 +6,17 @@ enable = true; role = "server"; extraFlags = toString [ - # "--debug" # Optionally add additional args to k3s "--disable=traefik" "--bind-address 100.122.128.107" "--node-external-ip 100.122.128.107" "--tls-san 100.122.128.107" + + + # Disable disk-based evictions + "--kubelet-arg=eviction-hard=" + "--kubelet-arg=eviction-soft=" + "--kubelet-arg=eviction-soft-grace-period=" + "--kubelet-arg=eviction-pressure-transition-period=0s" ]; serverAddr = "https://100.122.128.107:6443"; }; diff --git a/nix/tv-computer.nix b/nix/tv-computer.nix index 0b318a7..d094dd7 100644 --- a/nix/tv-computer.nix +++ b/nix/tv-computer.nix @@ -64,6 +64,7 @@ programs.firefox.enable = true; nixpkgs.config.allowUnfree = true; + services.fwupd.enable = true; environment.systemPackages = with pkgs; [ vim @@ -101,6 +102,6 @@ systemd.targets.hibernate.enable = false; systemd.targets.hybrid-sleep.enable = false; - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "25.11"; # Did you read the comment? } \ No newline at end of file
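Review bot: `kubectl` and `kubernetes-helm` in the runner's `extraPackages` make the GitHub runner service a management path into the k3s cluster, and the `serviceOverrides` in the preceding hunk (`ProtectSystem = false`, `ProtectHome = false`, `PrivateUsers = false`) give workflows the whole host filesystem, so the runner's effective privilege is whatever credential the kubeconfig it reaches holds. A comment here stating which kubeconfig and identity jobs are expected to use — `# kubectl/helm for workflows; they should use a kubeconfig scoped to the namespaces this repo manages, not the k3s admin config` — would make that boundary explicit, and if the admin config is what they use today, a dedicated ServiceAccount bound to a namespaced Role is the inexpensive fix. `kubernetes-helm` is also added to `users.users.github.packages` earlier in this file (the `@@ -58,6 +58,9` hunk); one of the two is redundant.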
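Review bot: The four `--kubelet-arg=eviction-*` flags clear both hard and soft eviction thresholds, so the kubelet will no longer evict pods under memory pressure either, not only under disk pressure as the comment says; on a single-node k3s server that leaves a leaking pod to exhaust the node instead of being restarted, which takes the whole cluster with it. If disk-based evictions are the target, keep the memory threshold — `"--kubelet-arg=eviction-hard=memory.available<100Mi"` — and widen the comment to record the trade-off: `# Disk pressure no longer evicts pods; disk usage must be watched outside k3s`. The two blank `+` lines above the comment can go. The `extraFlags` list closes inside the hunk; the enclosing `services.k3s` block starts before it.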