~

2025-03-13 16:03:25 +00:00 · 2025-03-07 22:21:40 -05:00 · 2025-03-07 22:21:40 -05:00 · fe52c9c97c
commit fe52c9c97c
parent 9e407cd78f
6 changed files with 170 additions and 2 deletions
--- a/nixos/docker/default.nix
+++ b/nixos/docker/default.nix
@ -1,5 +1,6 @@
 { ... }: {
 	imports = [
 		./pihole
 		./raspap
 	];
 }
--- a/nixos/docker/pihole/default.nix
+++ b/nixos/docker/pihole/default.nix
@ -7,6 +7,14 @@ in with lib; {
 			type = types.bool;
 			default = false;
 		};
 		listenPortHTTP = mkOption {
 			type = types.int;
 			default = 80;
 		};
 		listenPortHTTPS = mkOption {
 			type = types.int;
 			default = 443;
 		};
 		api-password = mkOption {
 			type = types.str;
 			default = "";
@ -21,10 +29,14 @@ in with lib; {
 					TZ = config.time.timeZone;
 					FTLCONF_webserver_api_password = mkIf (cfg.api-password != "") cfg.api-password;
 				};
 				ports = [
 					(builtins.toString cfg.listenPortHTTP + ":80")
 					(builtins.toString cfg.listenPortHTTPS + ":443")
 				];
 			};
 			networking.firewall = mkIf cfg.openFirewall {
-				allowedTCPPorts = [ 53 80 443 ];
+				allowedTCPPorts = [ 53 cfg.listenPortHTTP cfg.listenPortHTTPS ];
 			};
 		}
 	]);
--- a/nixos/docker/raspap/default.nix
+++ b/nixos/docker/raspap/default.nix
@ -0,0 +1,57 @@
 { pkgs, lib, config, ... }: let
 	cfg = config.r5e.containers.raspap;
 in with lib; {
 	options.r5e.containers.pihole = {
 		enable = mkEnableOption "raspap";
 		ssid = mkOption {
 			type = types.str;
 			default = "raspap-webgui";
 		};
 		password = mkOption {
 			type = types.str;
 			default = "ChangeMe";
 		};
 		country = mkOption {
 			type = types.str;
 			default = "US";
 		};
 		webgui = {
 			username = mkOption {
 				type = types.str;
 				default = "admin";
 			};
 			password = mkOption {
 				type = types.str;
 				default = "secret";
 			};
 			listenPort = mkOption {
 				type = types.int;
 				default = 80;
 			};
 			openFirewall = mkOption {
 				type = types.bool;
 				default = false;
 			};
 		};
 	};
 	config = mkIf cfg.enable (mkMerge [
 		(import ./docker-compose.nix { inherit pkgs lib; })
 		{
 			virtualisation.oci-containers.containers.pihole = {
 				environment = {
 					RASPAP_SSID = cfg.ssid;
 					RASPAP_SSID_PASS = cfg.password;
 					RASPAP_COUNTRY = cfg.country;
 					RASPAP_WEBGUI_USER = cfg.webgui.username;
 					RASPAP_WEBGUI_PASS = cfg.webgui.password;
 					RASPAP_WEBGUI_PORT = cfg.webgui.listenPort;
 				};
 			};
 			networking.firewall = mkIf cfg.webgui.openFirewall {
 				allowedTCPPorts = [ cfg.webgui.listenPort ];
 			};
 		}
 	]);
 }
--- a/nixos/docker/raspap/docker-compose.nix
+++ b/nixos/docker/raspap/docker-compose.nix
@ -0,0 +1,60 @@
 # Auto-generated using compose2nix v0.3.1.
 { pkgs, lib, ... }:
 {
  # Runtime
  virtualisation.docker = {
    enable = true;
    autoPrune.enable = true;
  };
  virtualisation.oci-containers.backend = "docker";
  # Containers
  virtualisation.oci-containers.containers."raspap" = {
    image = "ghcr.io/raspap/raspap-docker:latest";
    environment = {
      "RASPAP_COUNTRY" = "GB";
      "RASPAP_SSID" = "raspap-webgui";
      "RASPAP_SSID_PASS" = "ChangeMe";
      "RASPAP_WEBGUI_PASS" = "secret";
      "RASPAP_WEBGUI_PORT" = "80";
      "RASPAP_WEBGUI_USER" = "admin";
    };
    volumes = [
      "/sys/fs/cgroup:/sys/fs/cgroup:rw"
    ];
    ports = [
      "8081:8081/tcp"
    ];
    log-driver = "journald";
    extraOptions = [
      "--cap-add=SYS_ADMIN"
      "--network=host"
      "--privileged"
    ];
  };
  systemd.services."docker-raspap" = {
    serviceConfig = {
      Restart = lib.mkOverride 90 "always";
      RestartMaxDelaySec = lib.mkOverride 90 "1m";
      RestartSec = lib.mkOverride 90 "100ms";
      RestartSteps = lib.mkOverride 90 9;
    };
    partOf = [
      "docker-compose-raspap-root.target"
    ];
    wantedBy = [
      "docker-compose-raspap-root.target"
    ];
  };
  # Root service
  # When started, this will automatically create all resources and start
  # the containers. When stopped, this will teardown all resources.
  systemd.targets."docker-compose-raspap-root" = {
    unitConfig = {
      Description = "Root target generated by compose2nix.";
    };
    wantedBy = [ "multi-user.target" ];
  };
 }
--- a/nixos/docker/raspap/docker-compose.yml
+++ b/nixos/docker/raspap/docker-compose.yml
@ -0,0 +1,24 @@
 name: raspap
 version: "3.8"
 services:
  raspap:
    container_name: raspap
    image: ghcr.io/raspap/raspap-docker:latest
    #build: .
    ports:
      - "8081:8081"
    privileged: true
    network_mode: host
    cgroup: host # uncomment when using an ARM device
    environment:
      - RASPAP_SSID=raspap-webgui
      - RASPAP_SSID_PASS=ChangeMe
      - RASPAP_COUNTRY=GB
      - RASPAP_WEBGUI_USER=admin
      - RASPAP_WEBGUI_PASS=secret
      - RASPAP_WEBGUI_PORT=80
    cap_add:
      - SYS_ADMIN
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    restart: unless-stopped
--- a/nixos/hosts/near/configuration.nix
+++ b/nixos/hosts/near/configuration.nix
@ -16,6 +16,20 @@
 	r5e.containers = {
 		pihole = {
 			enable = true;
 			openFirewall = true;
 			listenPortHTTP = 8081;
 			listenPortHTTPS = 8443;
 		};
 		raspap = {
 			enable = true;
 			ssid = "near";
 			password = "RjkVTYUZE08HN"; #! world readable
 			webgui = {
 				username = "rae";
 				password = "EBjrJutn06C"; #! world readable
 				listenPort = 8080;
 				openFirewall = true;
 			};
 		};
 	};
@ -24,7 +38,7 @@
 		firewall.allowedTCPPorts = [ 22 ];
 	};
-	environment.systemPackages = with pkgs; [ git linux-wifi-hotspot ];
+	environment.systemPackages = with pkgs; [ git ];
 	time.timeZone = "America/New_York";