Merge branch 'main' of github.com:alexmickelson/infrastructure

This commit is contained in:
2026-01-22 14:10:58 -07:00
33 changed files with 624 additions and 1042 deletions

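--- /dev/null
+++ b/.github/workflows/apply-kubernetes.yml
@@ -0,0 +1,36 @@
+name: Apply Kuberentes Configs
+on: [push, workflow_dispatch]
+jobs:
+update-repo:
+runs-on: [home-server]
+steps:
+- name: checkout repo
+working-directory: /home/github/infrastructure
+run: |
+if [ -d "infrastructure" ]; then
+cd infrastructure
+echo "Infrastructure folder exists. Resetting to the most recent commit."
+git reset --hard HEAD
+git pull https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} $(git rev-parse --abbrev-ref HEAD)
+else
+git clone https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
+fi
+update-infrastructure:
+runs-on: [home-server]
+needs: update-repo
+steps:
+- name: update home server containers
+env:
+KUBECONFIG: /home/github/.kube/config
+MY_GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+HOMEASSISTANT_TOKEN: ${{ secrets.HOMEASSISTANT_TOKEN }}
+GRAFANA_PASSWORD: ${{ secrets.GRAFANA_PASSWORD }}
+CLOUDFLARE_CONFIG: ${{ secrets.CLOUDFLARE_CONFIG }}
+COPILOT_TOKEN: ${{ secrets.COPILOT_TOKEN }}
+working-directory: /home/github/infrastructure/infrastructure
+run: |
+# kubectl apply -f kubernetes/ingress
+kubectl apply -f kubernetes/proxy-ingress
+kubectl annotate ingressclass nginx \
+ingressclass.kubernetes.io/is-default-class="true" --overwrite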
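Review bot: The `on: [push, workflow_dispatch]` trigger applies manifests to the cluster on a push to any branch, yet the checkout step pulls whatever branch the persistent clone happens to be on (`$(git rev-parse --abbrev-ref HEAD)`) rather than the pushed ref, so a feature-branch push re-applies the runner's local branch and a push to `main` may apply something else entirely. Restrict the trigger with `on: push: branches: [main]` and pull that ref explicitly, e.g. `git pull https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} ${{ github.ref_name }}`. The `env:` block on `update-infrastructure` exports MY_GITHUB_TOKEN, HOMEASSISTANT_TOKEN, GRAFANA_PASSWORD, CLOUDFLARE_CONFIG and COPILOT_TOKEN, but the `run:` script only invokes kubectl, so those secrets land in a process environment on a self-hosted runner for no purpose — drop the ones nothing reads. The `git clone` on the else branch also writes the token into the remote URL in `.git/config` of a checkout that persists between jobs; GITHUB_TOKEN expires with the job, but following the clone with `git remote set-url origin https://github.com/${{ github.repository }}.git` avoids leaving any token on disk.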


@@ -1,8 +1,8 @@
name: Beets name: Beets
on: on:
schedule: # schedule:
# Run 4 times a day: 6am, 12pm, 6pm, 12am UTC # # Run 4 times a day: 6am, 12pm, 6pm, 12am UTC
- cron: '0 6,12,18,0 * * *' # - cron: '0 6,12,18,0 * * *'
workflow_dispatch: # Allow manual trigger workflow_dispatch: # Allow manual trigger
jobs: jobs:


@@ -1,6 +1,10 @@
![home server update](https://github.com/alexmickelson/infrastructure/actions/workflows/update-home-server.yml/badge.svg) ![home server update](https://github.com/alexmickelson/infrastructure/actions/workflows/update-home-server.yml/badge.svg)
[![ZFS Backup](https://github.com/alexmickelson/infrastructure/actions/workflows/backup-zfs.yml/badge.svg)](https://github.com/alexmickelson/infrastructure/actions/workflows/backup-zfs.yml) [![ZFS Backup](https://github.com/alexmickelson/infrastructure/actions/workflows/backup-zfs.yml/badge.svg)](https://github.com/alexmickelson/infrastructure/actions/workflows/backup-zfs.yml)
[![Manage Jellyfin Playlists](https://github.com/alexmickelson/infrastructure/actions/workflows/update-playlist.yml/badge.svg)](https://github.com/alexmickelson/infrastructure/actions/workflows/update-playlist.yml) [![Manage Jellyfin Playlists](https://github.com/alexmickelson/infrastructure/actions/workflows/update-playlist.yml/badge.svg)](https://github.com/alexmickelson/infrastructure/actions/workflows/update-playlist.yml)


@@ -183,33 +183,33 @@ services:
# - 0.0.0.0:9162:9162 # - 0.0.0.0:9162:9162
# docker run -it --rm -p 9162:9162 --net=host sfudeus/apcupsd_exporter:master_1.19 # docker run -it --rm -p 9162:9162 --net=host sfudeus/apcupsd_exporter:master_1.19
reverse-proxy: # reverse-proxy:
image: ghcr.io/linuxserver/swag # image: ghcr.io/linuxserver/swag
container_name: reverse-proxy # container_name: reverse-proxy
restart: unless-stopped # restart: unless-stopped
cap_add: # cap_add:
- NET_ADMIN # - NET_ADMIN
environment: # environment:
- PUID=1000 # - PUID=1000
- PGID=1000 # - PGID=1000
- TZ=America/Denver # - TZ=America/Denver
- URL=alexmickelson.guru # - URL=alexmickelson.guru
- SUBDOMAINS=wildcard # - SUBDOMAINS=wildcard
- VALIDATION=dns # - VALIDATION=dns
- DNSPLUGIN=cloudflare # - DNSPLUGIN=cloudflare
volumes: # volumes:
- ./nginx.conf:/config/nginx/site-confs/default.conf # - ./nginx.conf:/config/nginx/site-confs/default.conf
- /data/swag:/config # - /data/swag:/config
- /data/cloudflare/cloudflare.ini:/config/dns-conf/cloudflare.ini # - /data/cloudflare/cloudflare.ini:/config/dns-conf/cloudflare.ini
ports: # ports:
- 0.0.0.0:80:80 # - 0.0.0.0:80:80
- 0.0.0.0:443:443 # - 0.0.0.0:443:443
# - 0.0.0.0:7080:80 # # - 0.0.0.0:7080:80
# - 0.0.0.0:7443:443 # # - 0.0.0.0:7443:443
extra_hosts: # extra_hosts:
- host.docker.internal:host-gateway # - host.docker.internal:host-gateway
networks: # networks:
- proxy # - proxy
audiobookshelf: audiobookshelf:
@@ -220,7 +220,6 @@ services:
volumes: volumes:
- /data/media/audiobooks:/audiobooks - /data/media/audiobooks:/audiobooks
- /data/media/audiobooks-libation:/audiobooks-libation - /data/media/audiobooks-libation:/audiobooks-libation
# - </path/to/podcasts>:/podcasts
- /data/audiobookshelf/config:/config - /data/audiobookshelf/config:/config
- /data/audiobookshelf/metadata:/metadata - /data/audiobookshelf/metadata:/metadata
networks: networks:
@@ -262,6 +261,7 @@ services:
environment: environment:
- SEARXNG_BASE_URL=http://server.alexmickelson.guru:4446/ - SEARXNG_BASE_URL=http://server.alexmickelson.guru:4446/
restart: unless-stopped restart: unless-stopped
networks: networks:
proxy: proxy:
name: proxy name: proxy
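Review bot: Commenting out the `reverse-proxy` service rather than deleting it leaves the whole SWAG block, including the `/data/cloudflare/cloudflare.ini` DNS-credential mount and the `NET_ADMIN` capability, as dead text that is one uncomment away from rebinding 80/443. If SWAG is retired in favor of the in-cluster ingress, delete the block outright and revoke or remove the Cloudflare API token in that file if nothing else consumes it. The removal frees host ports 80/443, which presumably the hostNetwork ingress-nginx controller now binds; a one-line comment such as `# 80/443 on the host are now served by ingress-nginx (hostNetwork DaemonSet)` would tell the next reader where TLS termination moved. The unchanged `SEARXNG_BASE_URL=http://server.alexmickelson.guru:4446/` still advertises plain HTTP on a non-standard port and is worth revisiting once the new ingress fronts it.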


@@ -55,18 +55,6 @@ server {
} }
} }
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name plex.alexmickelson.guru;
location / {
proxy_pass http://host.docker.internal:32400;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
server { server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;


@@ -15,7 +15,7 @@ spec:
spec: spec:
containers: containers:
- name: gitea - name: gitea
image: docker.io/gitea/gitea:1.23 image: docker.io/gitea/gitea:1.25
ports: ports:
- containerPort: 3000 - containerPort: 3000
- containerPort: 22 - containerPort: 22
@@ -34,6 +34,8 @@ spec:
value: "gitea" value: "gitea"
- name: GITEA__database__PASSWD - name: GITEA__database__PASSWD
value: wauiofnasufnweaiufbsdklfjb23456 value: wauiofnasufnweaiufbsdklfjb23456
- name: GITEA__server__ROOT_URL
value: "https://gitea.alexmickelson.guru/"
volumeMounts: volumeMounts:
- name: gitea-data - name: gitea-data
mountPath: /data mountPath: /data
@@ -81,20 +83,21 @@ metadata:
name: gitea name: gitea
namespace: projects namespace: projects
annotations: annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer # not really working with tailscale cert-manager.io/cluster-issuer: cloudflare-issuer
spec: spec:
ingressClassName: tailscale ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- gitea.alexmickelson.guru - gitea.alexmickelson.guru
secretName: gitea-tls-cert secretName: gitea-tls-cert2
rules: rules:
- http: - host: gitea.alexmickelson.guru
http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: gitea-web-svc name: gitea-web-svc
port: port:
number: 3000 number: 3000
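Review bot: Switching `ingressClassName` from `tailscale` to `nginx` and adding a `host:` rule moves Gitea off the Tailscale overlay onto the nginx ingress; if that controller is the internet-facing entrypoint (the SWAG proxy is retired elsewhere in this commit), Gitea and its admin UI are now publicly reachable, which deserves either an explicit comment on the Ingress (`# intentionally public — Gitea enforces its own login`) or a `nginx.ingress.kubernetes.io/whitelist-source-range` annotation if it should stay private. The same manifest still carries the database password inline (`GITEA__database__PASSWD` with a literal value in the container env); a now-exposed service is the wrong place for that, so move it to a Secret referenced via `valueFrom: secretKeyRef:` and rotate the committed value. Renaming the TLS secret to `gitea-tls-cert2` orphans the old `gitea-tls-cert` Secret and its cert-manager Certificate — delete them once the new cert is issued. The 1.23→1.25 image bump likely runs schema migrations on first start; confirm `/data` was backed up before rollout, since the Deployment offers no rollback past a migration.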


@@ -1,782 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-nginx-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "false"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-controller
namespace: ingress-nginx
data:
allow-snippet-annotations: "true"
# http-snippet: |
# proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static-cache:2m max_size=100m inactive=7d use_temp_path=off;
# proxy_cache_key $scheme$proxy_host$request_uri;
# proxy_cache_lock on;
# proxy_cache_use_stale updating;
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# labels:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# app.kubernetes.io/part-of: ingress-nginx
# app.kubernetes.io/version: 1.10.0
# name: ingress-nginx-controller
# namespace: ingress-nginx
# spec:
# minReadySeconds: 0
# revisionHistoryLimit: 10
# selector:
# matchLabels:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# strategy:
# rollingUpdate:
# maxUnavailable: 1
# type: RollingUpdate
# template:
# metadata:
# labels:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# app.kubernetes.io/part-of: ingress-nginx
# app.kubernetes.io/version: 1.10.0
# spec:
# hostNetwork: true
# containers:
# - args:
# - /nginx-ingress-controller
# - --election-id=ingress-nginx-leader
# - --controller-class=k8s.io/ingress-nginx
# - --ingress-class=nginx
# - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
# - --validating-webhook=:8443
# - --validating-webhook-certificate=/usr/local/certificates/cert
# - --validating-webhook-key=/usr/local/certificates/key
# - --enable-metrics=false
# env:
# - name: POD_NAME
# valueFrom:
# fieldRef:
# fieldPath: metadata.name
# - name: POD_NAMESPACE
# valueFrom:
# fieldRef:
# fieldPath: metadata.namespace
# - name: LD_PRELOAD
# value: /usr/local/lib/libmimalloc.so
# image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
# imagePullPolicy: IfNotPresent
# lifecycle:
# preStop:
# exec:
# command:
# - /wait-shutdown
# livenessProbe:
# failureThreshold: 5
# httpGet:
# path: /healthz
# port: 10254
# scheme: HTTP
# initialDelaySeconds: 10
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1
# name: controller
# ports:
# - containerPort: 80
# name: http
# protocol: TCP
# - containerPort: 443
# name: https
# protocol: TCP
# - containerPort: 8443
# name: webhook
# protocol: TCP
# readinessProbe:
# failureThreshold: 3
# httpGet:
# path: /healthz
# port: 10254
# scheme: HTTP
# initialDelaySeconds: 10
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1
# resources:
# requests:
# cpu: 100m
# memory: 90Mi
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# add:
# - NET_BIND_SERVICE
# drop:
# - ALL
# readOnlyRootFilesystem: false
# runAsNonRoot: true
# runAsUser: 101
# seccompProfile:
# type: RuntimeDefault
# volumeMounts:
# - mountPath: /usr/local/certificates/
# name: webhook-cert
# readOnly: true
# dnsPolicy: ClusterFirst
# nodeSelector:
# kubernetes.io/os: linux
# serviceAccountName: ingress-nginx
# terminationGracePeriodSeconds: 300
# volumes:
# - name: webhook-cert
# secret:
# secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
spec:
hostNetwork: true
containers:
- args:
- /nginx-ingress-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-metrics=false
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
# kubernetes.io/hostname: alex-office2
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.10.0
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None


@@ -13,13 +13,18 @@ spec:
labels: labels:
app: jellyfin app: jellyfin
spec: spec:
hostNetwork: true
containers: containers:
- name: jellyfin - name: jellyfin
image: jellyfin/jellyfin image: jellyfin/jellyfin
securityContext: securityContext:
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
supplementalGroups:
- 303 # render group for GPU access
volumeMounts: volumeMounts:
- name: dri-device
mountPath: /dev/dri/renderD128
- name: config-volume - name: config-volume
mountPath: /config mountPath: /config
- name: cache-volume - name: cache-volume
@@ -52,4 +57,8 @@ spec:
- name: tvshows-volume - name: tvshows-volume
hostPath: hostPath:
path: /data/jellyfin/tvshows path: /data/jellyfin/tvshows
- name: dri-device
hostPath:
path: /dev/dri/renderD128
type: CharDevice
restartPolicy: Always restartPolicy: Always
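Review bot: `hostNetwork: true` is added without a comment saying why; it places the pod in the node's network namespace, so Jellyfin's 8096 listens on every node interface regardless of any Service or NetworkPolicy, and combined with the `/dev/dri/renderD128` hostPath mount the pod sits close to node-level access. If the intent is GPU transcoding, the device mount plus `supplementalGroups: [303]` already covers that and hostNetwork can be dropped; if it is for DLNA/SSDP discovery, say so on the line: `hostNetwork: true  # required for DLNA/SSDP multicast discovery — TODO confirm`. The render GID 303 is host-specific (distros assign it differently), so a comment naming the node it was read from, plus a `nodeSelector` pinning the pod to the node that actually has `/dev/dri/renderD128`, avoids a silent GID mismatch or a container-create failure if the pod is scheduled elsewhere.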


@@ -1,14 +1,14 @@
apiVersion: networking.k8s.io/v1 # apiVersion: networking.k8s.io/v1
kind: Ingress # kind: Ingress
metadata: # metadata:
name: jellyfin-ingress # name: jellyfin-ingress
namespace: projects # namespace: projects
spec: # spec:
rules: # rules:
- host: jellyfin.alexmickelson.guru # - host: jellyfin.alexmickelson.guru
http: # http:
paths: # paths:
- path: / # - path: /
backend: # backend:
service: jellyfin # service: jellyfin
port: 8096 # port: 8096


@@ -10,4 +10,18 @@ spec:
- protocol: TCP - protocol: TCP
port: 8096 port: 8096
targetPort: 8096 targetPort: 8096
type: ClusterIP nodePort: 30096
type: NodePort
# apiVersion: v1
# kind: Service
# metadata:
# name: jellyfin
# namespace: projects
# spec:
# selector:
# app: jellyfin
# ports:
# - protocol: TCP
# port: 8096
# targetPort: 8096
# type: ClusterIP
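Review bot: Changing the Service to `type: NodePort` with `nodePort: 30096` exposes Jellyfin on every node's interfaces, while the Deployment changed in this same commit runs with `hostNetwork: true`, so the pod already answers on the node's 8096 directly and the NodePort is a second, unauthenticated path to the same listener. If an ingress fronts it (the `proxy-ingress` Jellyfin rule elsewhere in this commit), keep the Service as `ClusterIP` and let the ingress reach it; if the NodePort exists for LAN clients, record that with a comment such as `nodePort: 30096  # LAN/TV clients that bypass the ingress`. The commented-out duplicate Service below the live one should be deleted rather than kept — two definitions of the same object in one file invite a stale copy being uncommented later.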


@@ -19,15 +19,35 @@ spec:
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: audiobookshelf-service name: audiobookshelf
port: port:
number: 13378 number: 13378
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: audiobookshelf-service name: audiobookshelf
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 13378
targetPort: 13378
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: audiobookshelf
namespace: projects
labels:
kubernetes.io/service-name: audiobookshelf
addressType: IPv4
ports:
- name: http
port: 13378
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true
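Review bot: The new Service declares its port without a `name`, while the EndpointSlice names its port `http`; as far as I recall kube-proxy matches EndpointSlice ports to Service ports by name (verify against your version), so anything resolving `audiobookshelf.projects.svc` through the ClusterIP may see no endpoints even though ingress-nginx, which reads slices directly and tolerates a single unnamed port, works — add `name: http` to the Service port so the two agree. A hand-written EndpointSlice is also static: `conditions.ready: true` is never updated by any controller, so a dead backend at 100.122.128.107 keeps receiving traffic until nginx's upstream errors surface. Since the same address is repeated in every file under proxy-ingress, a comment on the Service such as `# backend runs on the docker host (100.x looks like a Tailscale IP — confirm); not a cluster workload` would stop the next reader hunting for a matching Deployment.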


@@ -0,0 +1,53 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: copilot-ingress
namespace: projects
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
spec:
ingressClassName: nginx
tls:
- hosts:
- copilot.alexmickelson.guru
secretName: copilot-tls-cert
rules:
- host: copilot.alexmickelson.guru
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: copilot
port:
number: 4444
---
apiVersion: v1
kind: Service
metadata:
name: copilot
namespace: projects
spec:
ports:
- port: 4444
targetPort: 4444
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: copilot
namespace: projects
labels:
kubernetes.io/service-name: copilot
addressType: IPv4
ports:
- name: http
port: 4444
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true
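Review bot: `copilot-ingress` publishes a backend on port 4444 at `copilot.alexmickelson.guru` with nothing but TLS in front of it — no `auth-url`/`auth-signin` and no `whitelist-source-range` — and the workflow in this commit exports a `COPILOT_TOKEN` secret, which suggests the service holds a credential worth protecting. Unless the application enforces its own login, gate it at the ingress with `nginx.ingress.kubernetes.io/whitelist-source-range: "<your CIDRs>"` or an `auth-url` annotation pointing at an existing SSO, and record the decision in a comment on the Ingress. The Service port is unnamed while the EndpointSlice port is `http`; add `name: http` to the Service port so the two match by name rather than relying on ingress-nginx's single-port leniency.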


@@ -19,15 +19,35 @@ spec:
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: grafana-service name: grafana
port: port:
number: 3000 number: 3000
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: grafana-service name: grafana
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 3000
targetPort: 3000
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: grafana
namespace: projects
labels:
kubernetes.io/service-name: grafana
addressType: IPv4
ports:
- name: http
port: 3000
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true


@@ -19,15 +19,35 @@ spec:
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: home-assistant-service name: home-assistant
port: port:
number: 8123 number: 8123
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: home-assistant-service name: home-assistant
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 8123
targetPort: 8123
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: home-assistant
namespace: projects
labels:
kubernetes.io/service-name: home-assistant
addressType: IPv4
ports:
- name: http
port: 8123
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true


@@ -8,26 +8,46 @@ metadata:
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- home.alexmickelson.guru - home.alexmickelson.guru
secretName: home-tls-cert secretName: home-tls-cert
rules: rules:
- host: home.alexmickelson.guru - host: home.alexmickelson.guru
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: homepage-service name: homepage
port: port:
number: 3001 number: 3001
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: homepage-service name: homepage
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 3001
targetPort: 3001
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: homepage
namespace: projects
labels:
kubernetes.io/service-name: homepage
addressType: IPv4
ports:
- name: http
port: 3001
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true


@@ -12,26 +12,46 @@ metadata:
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- photos.alexmickelson.guru - photos.alexmickelson.guru
secretName: immich-tls-cert secretName: immich-tls-cert
rules: rules:
- host: photos.alexmickelson.guru - host: photos.alexmickelson.guru
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: immich-service name: immich
port: port:
number: 2283 number: 2283
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: immich-service name: immich
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 2283
targetPort: 2283
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: immich
namespace: projects
labels:
kubernetes.io/service-name: immich
addressType: IPv4
ports:
- name: http
port: 2283
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true


@@ -8,26 +8,46 @@ metadata:
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- jellyfin.alexmickelson.guru - jellyfin.alexmickelson.guru
secretName: jellyfin-tls-cert secretName: jellyfin-tls-cert
rules: rules:
- host: jellyfin.alexmickelson.guru - host: jellyfin.alexmickelson.guru
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: jellyfin-service name: jellyfin
port: port:
number: 8096 number: 8096
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: jellyfin-service name: jellyfin
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 8096
targetPort: 8096
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: jellyfin
namespace: projects
labels:
kubernetes.io/service-name: jellyfin
addressType: IPv4
ports:
- name: http
port: 8096
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true


@@ -8,26 +8,46 @@ metadata:
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- sound.alexmickelson.guru - sound.alexmickelson.guru
secretName: sound-tls-cert secretName: sound-tls-cert
rules: rules:
- host: sound.alexmickelson.guru - host: sound.alexmickelson.guru
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: musicassistant-service name: musicassistant
port: port:
number: 8095 number: 8095
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: musicassistant-service name: musicassistant
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 8095
targetPort: 8095
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: musicassistant
namespace: projects
labels:
kubernetes.io/service-name: musicassistant
addressType: IPv4
ports:
- name: http
port: 8095
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true


@@ -7,39 +7,59 @@ metadata:
cert-manager.io/cluster-issuer: cloudflare-issuer cert-manager.io/cluster-issuer: cloudflare-issuer
nginx.ingress.kubernetes.io/proxy-body-size: 51200m nginx.ingress.kubernetes.io/proxy-body-size: 51200m
nginx.ingress.kubernetes.io/server-snippet: |- nginx.ingress.kubernetes.io/server-snippet: |-
server_tokens off; server_tokens off;
proxy_hide_header X-Powered-By; proxy_hide_header X-Powered-By;
nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For
nginx.ingress.kubernetes.io/enable-cors: "true" nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-buffer-size: 225m nginx.ingress.kubernetes.io/proxy-buffer-size: 225m
nginx.ingress.kubernetes.io/proxy-buffering: "on" nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-request-buffering: "on" nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- next.alexmickelson.guru - next.alexmickelson.guru
secretName: nextcloud-tls-cert secretName: nextcloud-tls-cert
rules: rules:
- host: next.alexmickelson.guru - host: next.alexmickelson.guru
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: nextcloud-service name: nextcloud
port: port:
number: 9001 number: 9001
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: nextcloud-service name: nextcloud
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 9001
targetPort: 9001
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: nextcloud
namespace: projects
labels:
kubernetes.io/service-name: nextcloud
addressType: IPv4
ports:
- name: http
port: 9001
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true
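Review bot: The `server-snippet` annotation kept in this hunk only works because the controller is installed with `allowSnippetAnnotations=true` and `annotations-risk-level=Critical` (see the README hunk in this commit), which lets anyone able to create an Ingress inject raw nginx configuration into the shared controller. Both directives in the snippet have controller ConfigMap equivalents — `server-tokens: "false"` and `hide-headers: X-Powered-By` — so the snippet could be dropped and snippet annotations left at their default, narrowing what an Ingress author can do. If the snippet stays, a comment naming the controller settings it depends on would make the coupling visible.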


@@ -8,26 +8,46 @@ metadata:
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- prometheus.alexmickelson.guru - prometheus.alexmickelson.guru
secretName: prometheus-tls-cert secretName: prometheus-tls-cert
rules: rules:
- host: prometheus.alexmickelson.guru - host: prometheus.alexmickelson.guru
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: prometheus-service name: prometheus
port: port:
number: 9091 number: 9091
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: prometheus-service name: prometheus
namespace: projects namespace: projects
spec: spec:
type: ExternalName ports:
externalName: 100.122.128.107 - port: 9091
targetPort: 9091
protocol: TCP
---
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: prometheus
namespace: projects
labels:
kubernetes.io/service-name: prometheus
addressType: IPv4
ports:
- name: http
port: 9091
protocol: TCP
endpoints:
- addresses:
- 100.122.128.107
conditions:
ready: true


@@ -34,8 +34,33 @@ Currently clouflare domains cannot be CNAME'd to tailscale domains:
## Kubernetes ingress controller ## Kubernetes ingress controller
I had to modify the base ingress to allow for use on 80 and 443. There should be a way to do this with helm, but I can never quite get it to work <!-- I had to modify the base ingress to allow for use on 80 and 443. There should be a way to do this with helm, but I can never quite get it to work
this is the original: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/baremetal/deploy.yaml this is the original: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/baremetal/deploy.yaml
the `ingress-nginx-controller` was changed to a daemonset rather than an deployment the `ingress-nginx-controller` was changed to a daemonset rather than an deployment
-->
ingress
```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
--set controller.kind=DaemonSet \
--set controller.hostPort.enabled=true \
--set controller.hostPort.ports.http=80 \
--set controller.hostPort.ports.https=443 \
--set controller.service.type=NodePort \
--set controller.allowSnippetAnnotations=true \
--set controller.config.annotations-risk-level=Critical \
--set controller.metrics.enabled=false \
--set controller.ingressClassResource.default=true
```
<!-- https://github.com/kubernetes/ingress-nginx/issues/12618 for why anotation risk needs to be critical-->
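Review bot: `helm upgrade --install` in the new fenced block has no `--version`, so each time these commands are run they install whatever chart version the repo serves that day; pinning it (`--version <chart-version>`, placeholder) keeps the controller reproducible and turns upgrades into a deliberate change. `--set controller.allowSnippetAnnotations=true` together with `--set controller.config.annotations-risk-level=Critical` is the notable security trade-off in this block and deserves a sentence next to the linked issue stating which Ingress annotations in this repo require it and that it is acceptable only because Ingress objects are authored by a single admin. The HTML comment's `anotation` is a typo.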


@@ -122,7 +122,7 @@
dbus dbus
# protontricks stuff?
freetype freetype
# freetype.bin # freetype.bin
fontconfig fontconfig
@@ -131,6 +131,8 @@
zlib zlib
quickemu quickemu
git-lfs
]; ];
programs.nix-ld.enable = true; programs.nix-ld.enable = true;


@@ -72,6 +72,7 @@
git git
tmux tmux
vscode vscode
zip
]; ];
}; };
home-manager.users.alex = { pgks, ...}: { home-manager.users.alex = { pgks, ...}: {


@@ -9,8 +9,7 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "alex-desktop"; # Define your hostname. networking.hostName = "alex-desktop";
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
@@ -50,8 +49,21 @@
alsa.enable = true; alsa.enable = true;
alsa.support32Bit = true; alsa.support32Bit = true;
pulse.enable = true; pulse.enable = true;
wireplumber = {
enable = true;
extraConfig = {
"disable-x11" = {
"wireplumber.settings" = {
"support.x11" = false;
};
};
};
};
}; };
users.users.alex = { users.users.alex = {
isNormalUser = true; isNormalUser = true;
description = "alex"; description = "alex";
@@ -73,6 +85,7 @@
services.fwupd.enable = true; services.fwupd.enable = true;
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
hardware.firmware = with pkgs; [ linux-firmware ]; hardware.firmware = with pkgs; [ linux-firmware ];
programs.nix-ld.enable = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@@ -91,7 +104,6 @@
mangohud mangohud
mlocate mlocate
wineWowPackages.stable wineWowPackages.stable
wine wine
(wine.override { wineBuild = "wine64"; }) (wine.override { wineBuild = "wine64"; })
@@ -99,20 +111,13 @@
wineWowPackages.staging wineWowPackages.staging
winetricks winetricks
wineWowPackages.waylandFull wineWowPackages.waylandFull
# woeusb ntfs3g
# (lutris.override {
# extraLibraries = pkgs: [
# # List library dependencies here
# ];
# extraPkgs = pkgs: [
# # List package dependencies here
# ];
# })
mesa-gl-headers mesa-gl-headers
mesa mesa
driversi686Linux.mesa driversi686Linux.mesa
mesa-demos
android-tools
]; ];
services.tailscale.enable = true; services.tailscale.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
@@ -122,20 +127,6 @@
programs.fish.enable = true; programs.fish.enable = true;
services.flatpak.enable = true; services.flatpak.enable = true;
hardware.steam-hardware.enable = true; hardware.steam-hardware.enable = true;
programs.adb.enable = true; # graphene
# programs.gamescope = {
# enable = true;
# capSysNice = true;
# };
# programs.gamemode.enable = true;
# programs.steam = {
# enable = true;
# gamescopeSession.enable = true;
# remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
# dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
# localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
# };
networking.firewall.enable = false; networking.firewall.enable = false;
hardware.graphics = { hardware.graphics = {
@@ -143,7 +134,6 @@
enable = true; enable = true;
}; };
fileSystems."/steam-data" = fileSystems."/steam-data" =
{ {
device = "/dev/disk/by-uuid/437358fd-b9e4-46e2-bd45-f6b368acaac1"; device = "/dev/disk/by-uuid/437358fd-b9e4-46e2-bd45-f6b368acaac1";
@@ -155,6 +145,21 @@
boot.zfs.extraPools = [ "data" "data2" ]; boot.zfs.extraPools = [ "data" "data2" ];
systemd.timers."nix-garbage-collect-weekly" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "weekly";
Persistent = true;
};
};
systemd.services."nix-garbage-collect-weekly" = {
serviceConfig = {
Type = "oneshot";
ExecStart = "/run/current-system/sw/bin/nix-collect-garbage --delete-older-than 7d";
};
};
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave # on your system were taken. Its perfectly fine and recommended to leave
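Review bot: `ExecStart` in the new `nix-garbage-collect-weekly` service points at `/run/current-system/sw/bin/nix-collect-garbage`, which relies on the binary being present in the system profile when the timer fires; `ExecStart = "${config.nix.package}/bin/nix-collect-garbage --delete-older-than 7d";` (or `${pkgs.nix}` if `config` is not in scope here) resolves it at build time instead. The same timer/service pair already exists in the home-server configuration section further down this commit, so a small shared module imported by both hosts would stop the two copies drifting. `programs.nix-ld.enable = true;` is added without a comment; a line naming the non-Nix binary that needs it would help the next reader.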


@@ -20,11 +20,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1759520764, "lastModified": 1767726775,
"narHash": "sha256-jERdfBm1rQc9qAdPi1lMEv9inEl7kvvnXCst//ZD2Yc=", "narHash": "sha256-mpA/pevxXJzu/5rbdb7u0BzgEJCDDQd1EZ3oyyOo8VI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bcbcd4e5a8cb24199859dd73e448494c8c7d55cb", "rev": "f8ce89e3edbc488a5b17c559ad55f083282420e9",
"type": "github" "type": "github"
}, },
"original": { "original": {


@@ -19,6 +19,7 @@
}; };
models = { models = {
"gpt-oss-120b" = { }; "gpt-oss-120b" = { };
"devstral-123b" = { };
}; };
}; };
home = { home = {


@@ -29,6 +29,10 @@
programs.direnv = { programs.direnv = {
enable = true; enable = true;
}; };
programs.ghostty = {
enable = true;
enableFishIntegration = true;
};
home.sessionVariables = { home.sessionVariables = {
EDITOR = "vim"; EDITOR = "vim";
}; };
@@ -58,6 +62,8 @@ export DOTNET_WATCH_RESTART_ON_RUDE_EDIT=1
export DOTNET_CLI_TELEMETRY_OPTOUT=1 export DOTNET_CLI_TELEMETRY_OPTOUT=1
set -x LIBVIRT_DEFAULT_URI qemu:///system set -x LIBVIRT_DEFAULT_URI qemu:///system
alias blue="bluetui"
alias jelly="jellyfin-tui"
''; '';
}; };
home.file = { home.file = {


@@ -20,11 +20,21 @@
ffmpeg ffmpeg
gh gh
bitwarden-desktop bitwarden-desktop
jellyfin-tui
bluetui
nexusmods-app-unfree
]; ];
programs.ghostty = { programs.ghostty = {
enable = true; enable = true;
enableFishIntegration = true; enableFishIntegration = true;
settings = {
window-inherit-working-directory = "false";
theme = "Atom";
font-size = 14;
window-height = 30;
window-width = 100;
};
}; };
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
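Review bot: The new `programs.ghostty.settings` uses integers for `font-size`, `window-height` and `window-width`, while the same keys in the other home-manager section of this commit are strings (`"18"`, `"30"`, `"120"`); both presumably serialize the same, but picking one form — and factoring the ghostty stanza into one shared module now that three files in this commit each define it — would keep the configs from drifting. `window-inherit-working-directory = "false"` is a string that reads like a boolean; if the settings type accepts a real `false`, that is clearer.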


@@ -5,5 +5,6 @@
opencode opencode
quickemu quickemu
tree tree
kubernetes-helm
]; ];
} }


@@ -2,6 +2,8 @@
let let
opencodeFlake = builtins.getFlake (toString ../flakes/opencode); opencodeFlake = builtins.getFlake (toString ../flakes/opencode);
monitorTuiFlake = builtins.getFlake (toString ../../monitors/monitor-tui-rs);
zenBrowserFlake = builtins.getFlake "github:youwen5/zen-browser-flake";
nixgl = import nixgl = import
(fetchTarball "https://github.com/nix-community/nixGL/archive/main.tar.gz") (fetchTarball "https://github.com/nix-community/nixGL/archive/main.tar.gz")
{ }; { };
@@ -50,10 +52,13 @@ in {
firefoxpwa firefoxpwa
bluetui bluetui
#nixfmt-classic #nixfmt-classic
opencodeFlake.packages.${system}.opencode opencodeFlake.packages.${pkgs.stdenv.hostPlatform.system}.opencode
monitorTuiFlake.packages.${pkgs.stdenv.hostPlatform.system}.default
(config.lib.nixGL.wrap zenBrowserFlake.packages.${pkgs.stdenv.hostPlatform.system}.default)
bitwarden-desktop bitwarden-desktop
wiremix wiremix
moonlight-qt (config.lib.nixGL.wrap moonlight-qt)
nvtopPackages.amd
# jan # jan
# texlivePackages.jetbrainsmono-otf # texlivePackages.jetbrainsmono-otf
# nerd-fonts.fira-code # nerd-fonts.fira-code
@@ -69,7 +74,17 @@ in {
}; };
programs.direnv = { enable = true; }; programs.direnv = { enable = true; };
programs.ghostty = { enable = true; }; programs.ghostty = {
enable = true;
enableFishIntegration = true;
settings = {
window-inherit-working-directory = "false";
theme = "Atom";
font-size = "18";
window-height = "30";
window-width = "120";
};
};
programs.fish = { programs.fish = {
enable = true; enable = true;
shellInit = '' shellInit = ''
@@ -106,6 +121,8 @@ in {
set -x LIBVIRT_DEFAULT_URI qemu:///system set -x LIBVIRT_DEFAULT_URI qemu:///system
set -x TERM xterm-256color # ghostty set -x TERM xterm-256color # ghostty
source "$HOME/.cargo/env.fish"
export SSH_AUTH_SOCK=/home/alexm/.bitwarden-ssh-agent.sock # ssh agent export SSH_AUTH_SOCK=/home/alexm/.bitwarden-ssh-agent.sock # ssh agent
''; '';
}; };
@@ -193,6 +210,28 @@ in {
Terminal=false Terminal=false
Categories=Network;WebBrowser; Categories=Network;WebBrowser;
''; '';
".local/share/applications/zen-browser.desktop".text = ''
[Desktop Entry]
Version=1.0
Type=Application
Name=Zen Browser
Comment=A calmer Firefox-based browser
Exec=nixGLIntel zen
Icon=${zenBrowserFlake.packages.${pkgs.stdenv.hostPlatform.system}.default}/share/icons/hicolor/128x128/apps/zen.png
Terminal=false
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;
StartupWMClass=zen
Actions=new-window;new-private-window;
[Desktop Action new-window]
Name=Open a New Window
Exec=nixGLIntel zen --new-window
[Desktop Action new-private-window]
Name=Open a New Private Window
Exec=nixGLIntel zen --private-window
'';
}; };
home.sessionVariables = { EDITOR = "vim"; }; home.sessionVariables = { EDITOR = "vim"; };
@@ -222,6 +261,5 @@ in {
package = pkgs.gnome-themes-extra; package = pkgs.gnome-themes-extra;
}; };
}; };
# Let Home Manager install and manage itself.
programs.home-manager.enable = true; programs.home-manager.enable = true;
} }
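Review bot: `zenBrowserFlake = builtins.getFlake "github:youwen5/zen-browser-flake";` carries no revision, so unless evaluation is pinned elsewhere every rebuild fetches the branch head of a third-party repository and builds whatever it contains, with no lock-file entry because `getFlake` bypasses the enclosing flake's inputs. Pinning it (`"github:youwen5/zen-browser-flake/<commit-sha>"`, placeholder) or adding it as a proper flake input makes the dependency reviewable and reproducible; the `fetchTarball` of nixGL's `main` branch on the context line above has the same shape. The `source "$HOME/.cargo/env.fish"` line that appears to be new in shellInit will print an error on every shell start on a machine without rustup; `if test -f "$HOME/.cargo/env.fish"; source "$HOME/.cargo/env.fish"; end` keeps it harmless.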


@@ -58,6 +58,9 @@
description = "github"; description = "github";
extraGroups = [ "docker" ]; extraGroups = [ "docker" ];
shell = pkgs.fish; shell = pkgs.fish;
packages = with pkgs; [
kubernetes-helm
];
}; };
users.users.alex = { users.users.alex = {
isNormalUser = true; isNormalUser = true;
@@ -75,7 +78,7 @@
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
services.fwupd.enable = true; services.fwupd.enable = true;
systemd.timers."nix-garbage-collect-weekly" = { systemd.timers."nix-garbage-collect-weekly" = {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnCalendar = "weekly"; OnCalendar = "weekly";
@@ -167,13 +170,6 @@
package = pkgs.qemu_kvm; package = pkgs.qemu_kvm;
runAsRoot = true; runAsRoot = true;
swtpm.enable = true; swtpm.enable = true;
ovmf = {
enable = true;
packages = [ pkgs.OVMFFull.fd ];
# packages = [
# (pkgs.OVMF.override { secureBoot = true; tpmSupport = true; }).fd
# ];
};
}; };
}; };
networking.interfaces.enp5s0.useDHCP = true; networking.interfaces.enp5s0.useDHCP = true;
@@ -184,18 +180,13 @@
}; };
}; };
# not working yet, in theory simplifies xml for vm
# environment.etc."qemu/edk2-x86_64-secure-code.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_CODE.secboot.fd";
# environment.etc."qemu/edk2-i386-vars.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_VARS.fd";
# environment.etc."qemu/edk2-x86_64-secure-code.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_CODE.secboot.fd";
# environment.etc."qemu/edk2-x86_64-secure-vars.fd".source = "${pkgs.OVMF.fd}/FV/OVMF_VARS.secboot.fd";
environment.etc = { environment.etc = {
"qemu/edk2-x86_64-secure-code.fd".source = "qemu/edk2-x86_64-secure-code.fd".source =
lib.mkForce "${pkgs.OVMF.fd}/FV/OVMF_CODE.ms.fd"; lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_CODE.ms.fd";
"qemu/edk2-x86_64-secure-vars.fd".source = "qemu/edk2-x86_64-secure-vars.fd".source =
lib.mkForce "${pkgs.OVMF.fd}/FV/OVMF_VARS.ms.fd"; lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_VARS.ms.fd";
"qemu/OVMF_VARS.fd".source =
lib.mkForce "${pkgs.OVMFFull.fd}/FV/OVMF_VARS.fd";
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/libvirt/qemu/nvram 0755 root root -" "d /var/lib/libvirt/qemu/nvram 0755 root root -"
@@ -209,7 +200,7 @@
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false; boot.zfs.forceImportRoot = false;
networking.hostId = "eafe9551"; networking.hostId = "eafe9551";
boot.zfs.extraPools = [ "data-ssd" "backup" "vms" "vms-2" ]; boot.zfs.extraPools = [ "data-ssd" "backup" "vms-2" "vms-3" ];
services.sanoid = { services.sanoid = {
enable = true; enable = true;
templates.production = { templates.production = {
@@ -266,7 +257,6 @@
tokenFile = "/data/runner/github-infrastructure-token.txt"; tokenFile = "/data/runner/github-infrastructure-token.txt";
url = "https://github.com/alexmickelson/infrastructure"; url = "https://github.com/alexmickelson/infrastructure";
extraLabels = [ "home-server" ]; extraLabels = [ "home-server" ];
#workDir = "/data/runner/infrastructure/";
replace = true; replace = true;
serviceOverrides = { serviceOverrides = {
ReadWritePaths = [ ReadWritePaths = [
@@ -281,12 +271,8 @@
ProtectSystem = false; ProtectSystem = false;
PrivateMounts = false; PrivateMounts = false;
PrivateUsers = false; PrivateUsers = false;
#DynamicUser = true;
#NoNewPrivileges = false;
ProtectHome = false; ProtectHome = false;
#RuntimeDirectoryPreserve = "yes";
Restart = lib.mkForce "always"; Restart = lib.mkForce "always";
#RuntimeMaxSec = "7d";
}; };
extraPackages = with pkgs; [ extraPackages = with pkgs; [
docker docker
@@ -295,18 +281,13 @@
sanoid sanoid
mbuffer mbuffer
lzop lzop
kubectl
kubernetes-helm
]; ];
}; };
}; };
# services.cron = {
# enable = true;
# systemCronJobs = [
# "*/5 * * * * root date >> /tmp/cron.log"
# ];
# };
networking.firewall.enable = false; networking.firewall.enable = false;
# networking.firewall.trustedInterfaces = [ "docker0" ];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
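Review bot: `kubernetes-helm` is now declared twice in this file — in `users.users.github.packages` and in the runner's `extraPackages` — and only the latter lands on the PATH of the `github-runner` service, so the user-level entry looks redundant unless the runner is configured to run as that user with its profile on PATH; a comment on whichever one stays would settle it. Removing `"vms"` from `boot.zfs.extraPools` means that pool is no longer imported at boot; if anything under libvirt still references datasets on it, that is worth a line in the commit message. The firmware switch to `pkgs.OVMFFull.fd` alongside the new `"qemu/OVMF_VARS.fd"` entry would also benefit from a comment stating that the `.ms.fd` files are the Microsoft-key-enrolled secure-boot variant, since the dropped `ovmf` block used to carry that intent.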


@@ -6,11 +6,17 @@
enable = true; enable = true;
role = "server"; role = "server";
extraFlags = toString [ extraFlags = toString [
# "--debug" # Optionally add additional args to k3s
"--disable=traefik" "--disable=traefik"
"--bind-address 100.122.128.107" "--bind-address 100.122.128.107"
"--node-external-ip 100.122.128.107" "--node-external-ip 100.122.128.107"
"--tls-san 100.122.128.107" "--tls-san 100.122.128.107"
# Disable disk-based evictions
"--kubelet-arg=eviction-hard="
"--kubelet-arg=eviction-soft="
"--kubelet-arg=eviction-soft-grace-period="
"--kubelet-arg=eviction-pressure-transition-period=0s"
]; ];
serverAddr = "https://100.122.128.107:6443"; serverAddr = "https://100.122.128.107:6443";
}; };
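Review bot: The four `--kubelet-arg=eviction-*` flags clear both disk and memory pressure eviction, so a full disk or memory exhaustion on this single server node no longer causes the kubelet to reclaim pods; the failure mode shifts to containerd and the k3s datastore hitting ENOSPC or the OOM killer, which is harder to recover from than an evicted pod. If the intent is only what the comment says, `"--kubelet-arg=eviction-hard=memory.available<100Mi"` keeps the memory guard while dropping the disk signals, and leaving image garbage-collection thresholds (`--kubelet-arg=image-gc-high-threshold=...`) in place bounds image disk use either way. A comment on why the default thresholds are unsuitable for this host would help the next reader.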


@@ -64,6 +64,7 @@
programs.firefox.enable = true; programs.firefox.enable = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
services.fwupd.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
@@ -101,6 +102,6 @@
systemd.targets.hibernate.enable = false; systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false; systemd.targets.hybrid-sleep.enable = false;
system.stateVersion = "24.05"; # Did you read the comment? system.stateVersion = "25.11"; # Did you read the comment?
} }
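Review bot: `system.stateVersion` is changed from `"24.05"` to `"25.11"` on what looks like an existing install; this option is meant to keep the value from first installation because it selects stateful defaults (data-layout and database versions of services), and bumping it can silently switch those on the next rebuild. If the machine was reinstalled the change is fine and worth stating in the commit message; otherwise the old value should be restored and the channel upgraded independently. The new `services.fwupd.enable = true;` is uncontroversial.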