AZ-Intec-GmbH/AZ-NIX
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

draft AZ-PRM-1 config

Browse Source
This commit is contained in:
sascha.koenig
2025-08-12 14:38:09 +02:00
parent 74a2a10393
commit 76750c062a
25 changed files with 1199 additions and 475 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
hosts/AZ-PRM-1/services/containers/baserow.nix Normal file
View File

@@ -0,0 +1,26 @@
{config, ...}: {
virtualisation.oci-containers.containers."baserow" = {
image = "docker.io/baserow/baserow:1.34.2";
environmentFiles = [config.age.secrets.baserow-env.path];
ports = ["127.0.0.1:3032:80"];
volumes = ["baserow_data:/baserow/data"];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.11" "--network=web"];
};
# Traefik configuration specific to baserow
services.traefik.dynamicConfigOptions.http = {
services.baserow.loadBalancer.servers = [
{
url = "http://localhost:3032/";
}
];
routers.baserow = {
rule = "Host(`db.i.az-intec.com`)";
tls = {
certResolver = "ionos";
};
service = "baserow";
entrypoints = "websecure";
};
};
}

6
hosts/AZ-PRM-1/services/containers/default.nix Normal file
View File

@@ -0,0 +1,6 @@
{
imports = [
#./baserow.nix
#./kestra.nix
];
}

34
hosts/AZ-PRM-1/services/containers/kestra.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, ... }: {
virtualisation.oci-containers.containers."kestra" = {
image = "docker.io/kestra/kestra:latest";
environmentFiles = [ config.age.secrets.kestra-env.path ];
cmd = [ "server" "standalone" "--config" "/etc/config/application.yaml"];
ports = [ "127.0.0.1:3031:8080" ];
user = "root";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"${config.age.secrets.kestra-config.path}:/etc/config/application.yaml"
"kestra_data:/app/storage"
"/tmp/kestra-wd:/tmp/kestra-wd"
];
extraOptions =
[ "--add-host=postgres:10.89.0.1" "--ip=10.89.0.12" "--network=web" ];
};
systemd.tmpfiles.rules = [
"d /tmp/kestra-wd 0750 1000 1000 - -"
];
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.kestra.loadBalancer.servers =
[{ url = "http://localhost:3031/"; }];
routers.kestra = {
rule = "Host(`k.i.az-intec.com`)";
tls = { certResolver = "ionos"; };
service = "kestra";
entrypoints = "websecure";
};
};
}

8
hosts/AZ-PRM-1/services/default.nix Normal file
View File

@@ -0,0 +1,8 @@
{
imports = [
./n8n.nix
./postgres.nix
./traefik.nix
./vaultwarden.nix
];
}

26
hosts/AZ-PRM-1/services/n8n.nix Normal file
View File

@@ -0,0 +1,26 @@
{config, ...}: {
services.n8n = {
enable = true;
webhookUrl = "https://wf.az-group.com";
};
systemd.services.n8n.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];
};
# Traefik configuration specific to n8n
services.traefik.dynamicConfigOptions.http = {
services.n8n.loadBalancer.servers = [
{
url = "http://localhost:5678/";
}
];
routers.n8n = {
rule = "Host(`wf.i.az-intec.com`)";
tls = {
certResolver = "ionos";
};
service = "n8n";
entrypoints = "websecure";
};
};
}

68
hosts/AZ-PRM-1/services/postgres.nix Normal file
View File

@@ -0,0 +1,68 @@
{config, pkgs, ...}: {
services.postgresql = {
enable = true;
enableTCPIP = true;
package = pkgs.postgresql_17;
settings = {
ssl = true;
ssl_cert_file = config.age.secrets.pg-cert.path;
ssl_key_file = config.age.secrets.pg-key.path;
};
extensions = with pkgs.postgresql17Packages; [
pgvector
];
initialScript = pkgs.writeText "backend-initScript" ''
CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
CREATE DATABASE baserow;
ALTER DATABASE baserow OWNER to baserow;
CREATE USER kestra WITH ENCRYPTED PASSWORD 'kestra';
CREATE DATABASE kestra;
ALTER DATABASE kestra OWNER to kestra;
CREATE USER n8n WITH ENCRYPTED PASSWORD 'n8n';
CREATE DATABASE n8n;
ALTER DATABASE n8n OWNER to n8n;
CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'n8n';
CREATE DATABASE vaultwarden;
ALTER DATABASE vaultwarden OWNER to vaultwarden;
'';
authentication = pkgs.lib.mkOverride 10 ''
# Local connections (Unix socket)
local all postgres peer
local n8n n8n scram-sha-256
local vaultwarden vaultwarden scram-sha-256
# Localhost connections (IPv4 and IPv6)
host all postgres 127.0.0.1/32 scram-sha-256
host all postgres ::1/128 scram-sha-256
host n8n n8n 127.0.0.1/32 scram-sha-256
host n8n n8n ::1/128 scram-sha-256
host vaultwarden vaultwarden 127.0.0.1/32 scram-sha-256
host vaultwarden vaultwarden ::1/128 scram-sha-256
# Podman network connections
host baserow baserow 10.89.0.0/24 scram-sha-256
host kestra kestra 10.89.0.0/24 scram-sha-256
# Deny all other connections
local all all reject
host all all 0.0.0.0/0 reject
host all all ::/0 reject
'';
};
services.postgresqlBackup = {
enable = true;
startAt = "03:10:00";
databases = ["baserow" "kestra" "n8n" "vaultwarden"];
};
networking.firewall = {
extraCommands = ''
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 5432 -j ACCEPT
'';
};
}

74
hosts/AZ-PRM-1/services/traefik.nix Normal file
View File

@@ -0,0 +1,74 @@
{config, ...}: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = {level = "WARN";};
certificatesResolvers = {
ionos = {
acme = {
email = "sascha.koenig@azintec.com";
storage = "/var/lib/traefik/acme.json";
caserver = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "ionos";
resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
propagation = {
delayBeforeChecks = 60;
disableChecks = true;
};
};
};
};
};
api = {};
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
};
};
};
dynamicConfigOptions = {
http = {
services = {
dummy = {
loadBalancer.servers = [
{url = "http://192.168.0.1";} # Diese URL wird nie verwendet
];
};
};
middlewares = {
auth = {
basicAuth = {
users = ["sascha.koenig:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
};
};
};
routers = {
api = {
rule = "Host(`r.az-gruppe.com`)";
service = "api@internal";
middlewares = ["auth"];
entrypoints = ["websecure"];
tls = {
certResolver = "ionos";
};
};
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.traefik-env.path}"];
};
networking.firewall.allowedTCPPorts = [80 443];
}

30
hosts/AZ-PRM-1/services/vaultwarden.nix Normal file
View File

@@ -0,0 +1,30 @@
{config, ...}: {
services.vaultwarden = {
enable = true;
backupDir = "/var/backup/vaultwarden";
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 3030;
};
environmentFile = "${config.age.secrets.vaultwarden-env.path}";
};
# Traefik configuration for headscale
services.traefik.dynamicConfigOptions.http = {
services.vaultwarden.loadBalancer.servers = [
{
url = "http://localhost:3030/";
}
];
routers.vaultwarden = {
rule = "Host(`pw.i.az-intec.com`)";
tls = {
certResolver = "ionos";
};
service = "vaultwarden";
entrypoints = "websecure";
};
};
}