diff --git a/system/hosts/mcp/configuration.nix b/system/hosts/mcp/configuration.nix
index aa9d920..66c5d59 100644
--- a/system/hosts/mcp/configuration.nix
+++ b/system/hosts/mcp/configuration.nix
@@ -62,6 +62,7 @@
 "networkmanager"
 "wheel"
 "docker-registry"
+ "docker"
 ];
 shell = pkgs.zsh;
 # Enable linger so that systemd services run for this user are started and
diff --git a/system/hosts/mcp/containers.nix b/system/hosts/mcp/containers.nix
index 4bc595d..b4d709a 100644
--- a/system/hosts/mcp/containers.nix
+++ b/system/hosts/mcp/containers.nix
@@ -1,5 +1,9 @@
-# Started from https://nixos.wiki/wiki/Podman
-{ config, pkgs, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 {
 # Additional configuration
 imports = [
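Review bot: Membership in the `docker` group, which the new `"docker"` entry grants this user, is documented by Docker itself as root-equivalent on the host, and the entry is unconditional even though containers.nix only enables Docker when `config.local.container-backend == "docker"` and currently sets it to podman, so the group may not even exist on the built system. Because the Docker branch also sets `rootless.enable = true` with `setSocketVariable = true`, this user already gets a per-user daemon without belonging to the group, so the line looks unnecessary; if it is kept, gate it on the backend, e.g. `++ lib.optional (config.local.container-backend == "docker") "docker"` (assuming `lib` is among this module's arguments), and add a comment recording that the group is root-equivalent. The enclosing user definition starts outside the hunk.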
@@ -30,102 +34,130 @@ ./static-site-hooks.nix ]; - # Enable common container config files in /etc/containers - virtualisation.containers.enable = true; - virtualisation = { - # docker = { - # enable = true; - # # Enable rootless so that I can run containers as other users for security. - # rootless = { - # enable = true; - # }; - # }; - podman = { - enable = true; - - # Create a `docker` alias for podman, to use it as a drop-in replacement - dockerCompat = true; - - # Required for containers under podman-compose to be able to talk to each other. - defaultNetwork.settings.dns_enabled = true; - - extraPackages = [ pkgs.zfs ]; + options.local = with lib; { + container-backend = mkOption { + type = with types; uniq str; + default = "docker"; + example = "docker"; + description = "Which backend to use for containers: docker or podman"; + }; + container-socket = mkOption { + type = with types; uniq str; + default = "/var/run/docker.sock"; + example = "/var/run/docker.sock"; + description = "Path to the container management deamon's socket."; }; }; - virtualisation.oci-containers.backend = "podman"; - # Useful other development tools - environment.systemPackages = with pkgs; [ - dive # look into docker image layers - podman-tui # status of containers in the terminal - docker-compose # start group of containers for dev - #podman-compose # start group of containers for dev - ]; + config = { + # local = { + # container-backend = "docker"; + # container-socket = "/var/run/docker.sock"; + # }; + local = { + container-backend = "podman"; + container-socket = "/var/run/podman/podman.sock"; + }; - virtualisation.oci-containers.containers = - let - inherit (import ./containers/lib.nix config) - localHostRuleHavenisms - havenisms - ; - in - { - homepage = { - image = "ghcr.io/gethomepage/homepage:latest"; - autoStart = true; - extraOptions = [ - "-l=traefik.enable=true" - "-l=traefik.http.routers.homepage.rule=${localHostRuleHavenisms "start"}" - 
"-l=traefik.http.services.homepage.loadbalancer.server.port=3000" - ]; - volumes = [ - "/tank/config/homepage:/app/config" - "/tank/secrets/deluge.pass:/app/config/secrets/deluge.pass" - "/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key" - "/tank/secrets/radarr.key:/app/config/secrets/radarr.key" - "/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key" - "/var/run/podman/podman.sock:/var/run/docker.sock:ro" - ]; - environment = { - HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key"; - HOMEPAGE_FILE_RADARR_KEY = "/app/config/secrets/radarr.key"; - HOMEPAGE_FILE_SONARR_KEY = "/app/config/secrets/sonarr.key"; - HOMEPAGE_FILE_READARR_KEY = "/app/config/secrets/readarr.key"; - HOMEPAGE_FILE_DELUGE_PASSWORD = "/app/config/secrets/deluge.pass"; + # Enable common container config files in /etc/containers + + virtualisation = { + containers.enable = true; + oci-containers.backend = config.local.container-backend; + + docker = lib.mkIf (config.local.container-backend == "docker") { + enable = true; + # Enable rootless so that I can run containers as other users for security. + rootless = { + enable = true; + # Set this to make the default DOCKER_HOST be the rootless version for normal users. + setSocketVariable = true; }; }; - scrutiny = { - image = "ghcr.io/analogj/scrutiny:master-omnibus"; - autoStart = true; - extraOptions = [ - "-l=traefik.enable=true" - "-l=traefik.http.routers.scrutiny.rule=${localHostRuleHavenisms "scrutiny"}" - "-l=traefik.http.services.scrutiny.loadbalancer.server.port=8080" - "-l=homepage.group=Infra" - "-l=homepage.name=Scrutiny" - "-l=homepage.icon=scrutiny-light.png" - "-l=homepage.href=https://scrutiny.${havenisms}" - "-l=homepage.description=S.M.A.R.T. 
monitoring" - "-l=homepage.widget.type=scrutiny" - "-l=homepage.widget.url=http://scrutiny:8080" - "--cap-add=SYS_RAWIO" - "--device=/dev/sda:/dev/sda" - "--device=/dev/sdb:/dev/sdb" - "--device=/dev/sdc:/dev/sdc" - "--device=/dev/sdd:/dev/sdd" - ]; - volumes = [ - "/run/udev:/run/udev:ro" - "/tank/config/scrutiny/config:/opt/scrutiny/config" - "/tank/config/scrutiny/influxdb:/opt/scrutiny/influxdb" - ]; - }; - valkey = { - image = "docker.io/valkey/valkey:7-alpine"; - autoStart = true; - volumes = [ - "/tank/config/valkey:/usr/local/etc/valkey" - ]; + podman = lib.mkIf (config.local.container-backend == "podman") { + enable = true; + + # Create a `docker` alias for podman, to use it as a drop-in replacement + dockerCompat = true; + + # Required for containers under podman-compose to be able to talk to each other. + defaultNetwork.settings.dns_enabled = true; + + extraPackages = [ pkgs.zfs ]; }; }; + + # Useful other development tools + environment.systemPackages = with pkgs; [ + dive # look into docker image layers + docker-compose # start group of containers for dev + ]; + + virtualisation.oci-containers.containers = + let + inherit (import ./containers/lib.nix config) + localHostRuleHavenisms + havenisms + ; + in + { + homepage = { + image = "ghcr.io/gethomepage/homepage:latest"; + autoStart = true; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.homepage.rule=${localHostRuleHavenisms "start"}" + "-l=traefik.http.services.homepage.loadbalancer.server.port=3000" + ]; + volumes = [ + "/tank/config/homepage:/app/config" + "/tank/secrets/deluge.pass:/app/config/secrets/deluge.pass" + "/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key" + "/tank/secrets/radarr.key:/app/config/secrets/radarr.key" + "/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key" + "${config.local.container-socket}:/var/run/docker.sock:ro" + ]; + environment = { + HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key"; + HOMEPAGE_FILE_RADARR_KEY = 
"/app/config/secrets/radarr.key"; + HOMEPAGE_FILE_SONARR_KEY = "/app/config/secrets/sonarr.key"; + HOMEPAGE_FILE_READARR_KEY = "/app/config/secrets/readarr.key"; + HOMEPAGE_FILE_DELUGE_PASSWORD = "/app/config/secrets/deluge.pass"; + }; + }; + scrutiny = { + image = "ghcr.io/analogj/scrutiny:master-omnibus"; + autoStart = true; + extraOptions = [ + "-l=traefik.enable=true" + "-l=traefik.http.routers.scrutiny.rule=${localHostRuleHavenisms "scrutiny"}" + "-l=traefik.http.services.scrutiny.loadbalancer.server.port=8080" + "-l=homepage.group=Infra" + "-l=homepage.name=Scrutiny" + "-l=homepage.icon=scrutiny-light.png" + "-l=homepage.href=https://scrutiny.${havenisms}" + "-l=homepage.description=S.M.A.R.T. monitoring" + "-l=homepage.widget.type=scrutiny" + "-l=homepage.widget.url=http://scrutiny:8080" + "--cap-add=SYS_RAWIO" + "--device=/dev/sda:/dev/sda" + "--device=/dev/sdb:/dev/sdb" + "--device=/dev/sdc:/dev/sdc" + "--device=/dev/sdd:/dev/sdd" + ]; + volumes = [ + "/run/udev:/run/udev:ro" + "/tank/config/scrutiny/config:/opt/scrutiny/config" + "/tank/config/scrutiny/influxdb:/opt/scrutiny/influxdb" + ]; + }; + valkey = { + image = "docker.io/valkey/valkey:7-alpine"; + autoStart = true; + volumes = [ + "/tank/config/valkey:/usr/local/etc/valkey" + ]; + }; + }; + }; } diff --git a/system/hosts/mcp/containers/bookstack.nix b/system/hosts/mcp/containers/bookstack.nix index 6fde8db..0a76df0 100644 --- a/system/hosts/mcp/containers/bookstack.nix +++ b/system/hosts/mcp/containers/bookstack.nix @@ -1,7 +1,8 @@ { config, ... }: -let +let inherit (import ./lib.nix config) mkContainer mkMariaDbContainer havenisms; -in { +in +{ imports = [ (mkMariaDbContainer { name = "bookstack"; 
@@ -14,12 +15,12 @@ in {
 sops.secrets = {
 bookstack_app_key = {
- restartUnits = [ "podman-bookstack.service" ];
+ restartUnits = [ "${config.local.container-backend}-bookstack.service" ];
 mode = "0400";
 owner = config.users.users.bookstack.name;
 };
 bookstack_db = {
- restartUnits = [ "podman-bookstack-mariadb.service" ];
+ restartUnits = [ "${config.local.container-backend}-bookstack-mariadb.service" ];
 mode = "0400";
 owner = config.users.users.bookstack.name;
 };
diff --git a/system/hosts/mcp/containers/focalboard.nix b/system/hosts/mcp/containers/focalboard.nix
index e653a64..40a360c 100644
--- a/system/hosts/mcp/containers/focalboard.nix
+++ b/system/hosts/mcp/containers/focalboard.nix
@@ -1,7 +1,8 @@
 { config, ... }:
 let
 inherit (import ./lib.nix config) mkContainer mkPostgresContainer terakoda;
-in {
+in
+{
 imports = [
 (mkPostgresContainer {
 name = "focalboard";
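Review bot: The unit name `"${config.local.container-backend}-bookstack.service"` on both `restartUnits` lines hand-encodes the `<backend>-<container>.service` scheme that the NixOS oci-containers module uses for its generated services, and the same string is repeated in focalboard.nix, gitea.nix, chat.nix, mariadb.nix, oauth2proxy.nix, openproject.nix and traefik.nix. A single helper in the already-shared lib.nix, which is imported with `config` and can therefore read the option, e.g. `containerUnit = name: "${config.local.container-backend}-${name}.service";`, would keep the scheme in one place so a renamed prefix or a third backend is fixed once. A short comment on that helper noting that the prefix must match `virtualisation.oci-containers.backend` would make the coupling explicit.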
@@ -14,21 +15,26 @@ in { sops.secrets = { "focalboard/database" = { - restartUnits = [ "podman-focalboard.service" "podman-focalboard-postgres.service" ]; + restartUnits = [ + "${config.local.container-backend}-focalboard.service" + "${config.local.container-backend}-focalboard-postgres.service" + ]; mode = "0400"; owner = config.users.users.focalboard.name; }; }; sops.templates."focalboard-config.json" = { - restartUnits = [ "podman-focalboard.service" ]; + restartUnits = [ "${config.local.container-backend}-focalboard.service" ]; owner = config.users.users.focalboard.name; content = builtins.toJSON { # Defaults from https://github.com/mattermost-community/focalboard/blob/main/config.json "serverRoot" = "https://focalboard.terakoda.com"; "port" = 8000; "dbtype" = "postgres"; - "dbconfig" = "postgres://focalboard:${config.sops.placeholder."focalboard/database"}@focalboard-postgres/focalboard?sslmode=disable&connect_timeout=10"; + "dbconfig" = "postgres://focalboard:${ + config.sops.placeholder."focalboard/database" + }@focalboard-postgres/focalboard?sslmode=disable&connect_timeout=10"; "useSSL" = true; "prometheus_address" = ":9092"; "session_expire_time" = 2592000; diff --git a/system/hosts/mcp/containers/gitea.nix b/system/hosts/mcp/containers/gitea.nix index 6503414..0caecfa 100644 --- a/system/hosts/mcp/containers/gitea.nix +++ b/system/hosts/mcp/containers/gitea.nix @@ -1,14 +1,14 @@ { config, ... }: -let +let inherit (import ./lib.nix config) mkContainer blazestar; in { sops.secrets = { "gitea/db_password" = { - restartUnits = [ "podman-gitea.service" ]; + restartUnits = [ "${config.local.container-backend}-gitea.service" ]; }; "gitea/registration_token" = { - restartUnits = [ "podman-gitea-runner.service" ]; + restartUnits = [ "${config.local.container-backend}-gitea-runner.service" ]; }; }; 
@@ -66,7 +66,7 @@ in ]; volumes = [ # The runner will spawn new containers to run the actions - "/var/run/podman/podman.sock:/var/run/docker.sock:ro" + "${config.local.container-socket}:/var/run/docker.sock:ro" ]; }; } diff --git a/system/hosts/mcp/containers/havenisms.com/chat.nix b/system/hosts/mcp/containers/havenisms.com/chat.nix index ba5d8a2..bc44bdd 100644 --- a/system/hosts/mcp/containers/havenisms.com/chat.nix +++ b/system/hosts/mcp/containers/havenisms.com/chat.nix @@ -8,10 +8,10 @@ in sops.secrets = { "matrix/syncv3/db-password" = { - restartUnits = [ "podman-matrix-sliding-sync.service" ]; + restartUnits = [ "${config.local.container-backend}-matrix-sliding-sync.service" ]; }; "matrix/syncv3/secret" = { - restartUnits = [ "podman-matrix-sliding-sync.service" ]; + restartUnits = [ "${config.local.container-backend}-matrix-sliding-sync.service" ]; }; }; diff --git a/system/hosts/mcp/containers/mariadb.nix b/system/hosts/mcp/containers/mariadb.nix index 7fe0af4..8d0f148 100644 --- a/system/hosts/mcp/containers/mariadb.nix +++ b/system/hosts/mcp/containers/mariadb.nix @@ -1,8 +1,8 @@ # Common config for all mariadb containers -{ ... }: +{ config, ... }: { sops.secrets."mariadb_root_password" = { - restartUnits = [ "podman-mariadb.service" ]; + restartUnits = [ "${config.local.container-backend}-mariadb.service" ]; mode = "0440"; group = "mariadb"; }; diff --git a/system/hosts/mcp/containers/oauth2proxy.nix b/system/hosts/mcp/containers/oauth2proxy.nix index 32b31c0..b36ae50 100644 --- a/system/hosts/mcp/containers/oauth2proxy.nix +++ b/system/hosts/mcp/containers/oauth2proxy.nix 
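Review bot: The socket handed to the gitea runner on the new line is, under the docker backend's default `/var/run/docker.sock`, the rootful daemon's socket (the rootless daemon enabled alongside it uses a per-user socket, if I read the NixOS module correctly), so every workflow this runner executes gets root-equivalent control of the host, and that trust boundary now depends on an option set in another file. If that is intended, record it next to the existing `# The runner will spawn new containers to run the actions` comment, e.g. `# NOTE: this socket gives any job the runner executes full control of the daemon and host; only trusted repositories should target this runner.`; otherwise consider giving the runner a dedicated, restricted endpoint rather than the system socket. The enclosing container definition starts outside the hunk.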
@@ -5,11 +5,11 @@ in { sops.secrets = { "oauth2-proxy/cookie-secret" = { - restartUnits = [ "podman-oauth2-proxy.service" ]; + restartUnits = [ "${config.local.container-backend}-oauth2-proxy.service" ]; mode = "0400"; }; "oauth2-proxy/client-secret" = { - restartUnits = [ "podman-oauth2-proxy.service" ]; + restartUnits = [ "${config.local.container-backend}-oauth2-proxy.service" ]; mode = "0400"; }; }; diff --git a/system/hosts/mcp/containers/openproject.nix b/system/hosts/mcp/containers/openproject.nix index 4623dcd..a71e330 100644 --- a/system/hosts/mcp/containers/openproject.nix +++ b/system/hosts/mcp/containers/openproject.nix @@ -1,19 +1,20 @@ { config, ... }: -let +let inherit (import ./lib.nix config) mkContainer havenisms; hostName = "projects"; -in { +in +{ sops.secrets = { "openproject/secret-key-base" = { - restartUnits = [ "podman-openproject.service" ]; + restartUnits = [ "${config.local.container-backend}-openproject.service" ]; mode = "0400"; owner = config.users.users.bookstack.name; }; }; sops.templates."openproject.env" = { - restartUnits = [ "podman-openproject.service" ]; + restartUnits = [ "${config.local.container-backend}-openproject.service" ]; content = '' OPENPROJECT_SECRET_KEY_BASE=${config.sops.placeholder."openproject/secret-key-base"} OPENPROJECT_HOST__NAME=${hostName}.${havenisms} diff --git a/system/hosts/mcp/containers/traefik.nix b/system/hosts/mcp/containers/traefik.nix index 4a34638..2939254 100644 --- a/system/hosts/mcp/containers/traefik.nix +++ b/system/hosts/mcp/containers/traefik.nix @@ -10,11 +10,11 @@ in sops.secrets = { "traefik/oauth2-client-secret" = { - restartUnits = [ "podman-traefik.service" ]; + restartUnits = [ "${config.local.container-backend}-traefik.service" ]; mode = "0400"; }; "traefik/oauth2-plugin-secret" = { - restartUnits = [ "podman-traefik.service" ]; + restartUnits = [ "${config.local.container-backend}-traefik.service" ]; mode = "0400"; }; }; 
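Review bot: In openproject.nix the secret `openproject/secret-key-base` is declared with `owner = config.users.users.bookstack.name;` and `mode = "0400"`, so only the bookstack user can read it; this looks like a copy-paste from bookstack.nix, and the commit edits the adjacent `restartUnits` line without noticing it. Unless the openproject container genuinely runs as the bookstack user, the owner should be the account that container runs under, and it is worth confirming who actually needs read access, since the value appears to be consumed through `sops.templates."openproject.env"` via `config.sops.placeholder` and that template sets neither `owner` nor `mode`. The `let` bindings of openproject.nix start outside the hunk.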
@@ -47,7 +47,7 @@ in
 "8448:8448"
 ];
 volumes = [
- "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+ "${config.local.container-socket}:/var/run/docker.sock:ro"
 # All the configs from the config directory
 "${traefikConfigDir}:/etc/traefik"
 # Oauth2 config containing secrets