merged agenix

isengard: added mindwtr container
addend agenix
2026-02-27 22:39:49 +01:00 · 2026-02-27 22:22:58 +01:00 · 2026-02-19 17:10:05 +01:00
9 changed files with 227 additions and 7 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,50 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -21,6 +66,27 @@
      }
    },
    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -58,10 +124,26 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "disko": "disko",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs"
      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -7,9 +7,12 @@
        disko.inputs.nixpkgs.follows = "nixpkgs";
        home-manager.url = "github:nix-community/home-manager";
        home-manager.inputs.nixpkgs.follows = "nixpkgs";
+        agenix.url = "github:ryantm/agenix";
+        agenix.inputs.nixpkgs.follows = "nixpkgs";
+
    };

-    outputs = { self, nixpkgs, disko, home-manager }:
+    outputs = { self, nixpkgs, disko, home-manager, agenix }:
    let
        # options
        system = "x86_64-linux";
@ -22,7 +25,7 @@
        nixosConfigurations = {
            isengard = lib.nixosSystem {
                inherit system;
-                specialArgs = { inherit release myUser disko; };
+                specialArgs = { inherit release myUser disko agenix; };
                modules = [
                    ./modules/base.nix
                    ./hosts/isengard.nix
--- a/hosts/isengard.nix
+++ b/hosts/isengard.nix
@ -4,9 +4,13 @@
    # Imports
    imports = [
        disko.nixosModules.disko ../disko/isengard/btrfs-legacy.nix
+        
+        # Secrets
+        ../modules/agenix.nix

        # Containers
        ../modules/containers/ntfy.nix
+        ../modules/containers/mindwtr.nix

    ];
    # Disks
@ -38,4 +42,3 @@

    system.stateVersion = release;
 }
-
--- a/modules/agenix.nix
+++ b/modules/agenix.nix
@ -0,0 +1,21 @@
+{ config, pkgs, agenix, system, ... }:
+
+{
+
+    imports = [
+        agenix.nixosModules.default
+    ];
+    environment.systemPackages = [
+        agenix.packages.${system}.default
+    ];
+
+    # Secrets
+    age.secrets = {
+        mindwtr = {
+            file = ../secrets/mindwtr.age;
+            owner = "root";
+            group = "root";
+            mode = "0400";
+        };
+    };
+}
--- a/modules/containers/mindwtr.nix
+++ b/modules/containers/mindwtr.nix
@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+    workDir = "/srv/containers/mindwtr";
+in
+{
+    systemd.tmpfiles.rules = [
+        "d ${workDir} 2775 root admin"
+    ];
+
+    virtualisation.oci-containers.containers.mindwtr-app = {
+
+        autoStart = true;
+
+        image = "ghcr.io/dongdongbh/mindwtr-app:latest";
+
+        ports = [
+            "10001:5173/tcp"
+        ];
+    };
+
+    virtualisation.oci-containers.containers.mindwtr-cloud = {
+
+        autoStart = true;
+
+        image = "ghcr.io/dongdongbh/mindwtr-cloud:latest";
+
+        ports = [
+            "10002:8787/tcp"
+        ];
+
+        volumes = [
+            "${workDir}:/app/cloud_data"
+        ];
+
+        extraOptions = [
+            "--health-cmd=curl -f http://localhost:8787/health || echo 'Health check failed'"
+            "--health-interval=1m30s"
+            "--health-retries=3"
+            "--health-start-period=30s"
+            "--health-timeout=10s"
+        ];
+
+        environmentFiles = [
+            config.age.secrets.mindwtr.path
+        ];
+
+        # For directory permissions
+        environment = {
+            UID = "1000";
+            GID = "10000";
+        };
+    };
+}
--- a/modules/containers/ntfy.nix
+++ b/modules/containers/ntfy.nix
@ -1,11 +1,11 @@
 { config, ... }:

 let
-    ntfyDir = "/srv/containers/ntfy";
+    workDir = "/srv/containers/ntfy";
 in
 {
    systemd.tmpfiles.rules = [
-        "d ${ntfyDir} 2775 root admin"
+        "d ${workDir} 2775 root admin"
    ];

    virtualisation.oci-containers.containers.ntfy = {
@ -19,7 +19,7 @@ in
        ];

        volumes = [
-            "${ntfyDir}:/var/lib/ntfy"
+            "${workDir}:/var/lib/ntfy"
        ];

        cmd = [ "serve" ];
--- a/modules/containers/vaultwarden.nix
+++ b/modules/containers/vaultwarden.nix
@ -0,0 +1,34 @@
+{ config, ... }:
+
+let
+    workDir = "/srv/containers/vaultwarden";
+in
+{
+    systemd.tmpfiles.rules = [
+        "d ${workDir} 2775 root admin"
+    ];
+
+    virtualisation.oci-containers.containers.vaultwarden = {
+        autoStart = true;
+        image = "vaultwarden/server:latest";
+
+        ports = [
+            "0.0.0.0:10003:80"
+        ];
+
+        volumes = [
+            "${workDir}:/data"
+        ];
+        
+        environment = {
+            TZ = "Europe/Bucharest";
+            WEBSOCKET_ENABLED = "true";
+            SIGNUPS_ALLOWED = "false";
+            ROCKET_PORT = "80";
+            ROCKET_ADDRESS = "0.0.0.0";
+
+            UID = "1000";
+            GID = "10000";
+        };
+    };
+}
--- a/secrets/mindwtr.age
+++ b/secrets/mindwtr.age
@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFA5bEdnQSB1ajky
+R0RZREFKM3ZUaS9KdVN4cGJCbXhlQzBYbndyQ3NHNzlQTnBCM2dnCmpSS25CdzhR
+akxBa1hXbFAzSjNDY012cERlMHNSTlM0QlZROE9UZXFxdGMKLT4gc3NoLWVkMjU1
+MTkgS0tuNDVBIExqaWZHbDQ0Z25xYm9VK2VJYzVZZ0lQZUFqbzRQUDhlY1lnZ1Az
+VzY1aEEKR2dHZmdHeWpJR3hWbEpPckg4QzRiVDN4NG9mRURKYmxJNk54bmZlNzZ1
+MAotPiBxTiYtZ3JlYXNlIDNZISBBMnBmWFwhLSBGP2onfWsKTU5qekFBdkxnbkgw
+NzhjK2lvcnRvYUMwcGNUMStXL04yeDZyWGVnM1NCYVJhdE0KLS0tIExNbGthT1VR
+VDMxd3l1U0lIbGczaHlJQ0dxdFdBZDAzU1hPRFhxZk5jYUkK/PpI923pRhBaNIYC
+IZQJOp3ocz23sKh7Q5y+dFeVg5SVRLnPJbCvvbNdjgFIN+M/f4b/ch3T6gJVfVdM
+MlVhvJtvGRJi3HV7lV6JOa4K4XefKh4U9K6o2/Z3YEp1kAosfhGANDufyVxgnpNW
+qg==
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,10 @@
+let
+  victor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiNyGO4RAxSdxvn2ZIBZ2Ze4iVVMrBNmu/V9JO70PoT victor@battleship";
+  users = [ victor ];
+
+  isengard = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpsaUGNNrF8kHzmHAPOc4C15vF0SE9Nn6h+NC7nONX7 root@isengard";
+  systems = [ isengard ];
+in
+{
+  "mindwtr.age".publicKeys = [ victor isengard ];
+}
Author	SHA1	Message	Date
Victor Ișan	348f8b107d	merged agenix	2026-02-27 22:39:49 +01:00
Victor Ișan	658420779c	isengard: added mindwtr container	2026-02-27 22:22:58 +01:00
Victor Ișan	9ee7b77ca3	addend agenix	2026-02-19 17:10:05 +01:00