migrate blarm to x86, enable firewall

2025-05-08 09:59:28 +02:00 · 2025-05-08 09:59:28 +02:00 · 7d8e0da9ec
commit 7d8e0da9ec
parent dc33352e5f
3 changed files with 86 additions and 8 deletions
--- a/modules/nixos/services/caddy/default.nix
+++ b/modules/nixos/services/caddy/default.nix
@ -15,6 +15,11 @@ in
  };

  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      1338
+      8686
+    ];
+
    services.caddy = {
      enable = true;
      virtualHosts = {
@ -24,11 +29,6 @@ in
            file_server
          '';
        };
-        ":1339" = {
-          extraConfig = ''
-            reverse_proxy 192.168.1.241:3080
-          '';
-        };
        ":8686" = {
          extraConfig = ''
            root * /var/lib/caddy/cinny
--- a/modules/nixos/virtualisation/podman/invidious/default.nix
+++ b/modules/nixos/virtualisation/podman/invidious/default.nix
@ -15,6 +15,10 @@ in
  };

  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      3000
+    ];
+
    sops.secrets.invidious-db = {
      format = "dotenv";
      sopsFile = ../../../../../secrets/invidious-db.env;
@ -46,12 +50,12 @@ in

    virtualisation.oci-containers.containers = {
      invidious = {
-        image = "quay.io/invidious/invidious:latest-arm64";
+        image = "quay.io/invidious/invidious:latest";
        hostname = "invidious";
        volumes = [ "/run/secrets/invidious-config:/invidious/config/config.yml" ];
        ports = [
-          "192.168.1.202:3000:3000"
-          "[fd00:192:168:1::202]:3000:3000"
+          "192.168.10.3:3000:3000"
+          "[fd00:192:168:10::3]:3000:3000"
        ];
        dependsOn = [ "invidious-db" ];
      };
--- a/systems/x86_64-linux/blarm/default.nix
+++ b/systems/x86_64-linux/blarm/default.nix
@ -0,0 +1,74 @@
+{
+  lib,
+  pkgs,
+  namespace,
+  modulesPath,
+  ...
+}:
+with lib.${namespace};
+{
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+  ];
+
+  nix.settings = {
+    trusted-users = [ "philipp" ];
+    experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+  };
+
+  networking.hostName = "blarm";
+
+  # Disable documentation
+  documentation = {
+    nixos.enable = false;
+    man.generateCaches = false;
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  users.users.philipp = {
+    isNormalUser = true;
+    description = "Philipp Böhm";
+    extraGroups = [
+      "wheel"
+      "caddy"
+    ];
+  };
+
+  snowfallorg.users.philipp = {
+    create = true;
+    admin = true;
+    home = {
+      enable = true;
+    };
+  };
+
+  awesome-flake = {
+    services = {
+      ssh = enabled;
+      caddy = enabled;
+      restic = enabled;
+    };
+
+    container = {
+      invidious = enabled;
+    };
+
+    system.sops = enabled;
+    cli.neovim = enabled;
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+  ];
+
+  system.stateVersion = "24.11";
+
+}