Periodic/system-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[nix] Modularized the container backend so I can easily switch it with an option

Browse Source
This commit is contained in:
Drew Haven
2025-06-24 17:31:30 -07:00
parent c74e40e69e
commit f4dd4583db
10 changed files with 158 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

216
system/hosts/mcp/containers.nix
View File

@@ -1,5 +1,9 @@
# Started from https://nixos.wiki/wiki/Podman
{ config, pkgs, ... }:
{
config,
pkgs,
lib,
...
}:
{
# Additional configuration
imports = [
@@ -30,102 +34,130 @@
./static-site-hooks.nix
];
# Enable common container config files in /etc/containers
virtualisation.containers.enable = true;
virtualisation = {
# docker = {
# enable = true;
# # Enable rootless so that I can run containers as other users for security.
# rootless = {
# enable = true;
# };
# };
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
extraPackages = [ pkgs.zfs ];
options.local = with lib; {
container-backend = mkOption {
type = with types; uniq str;
default = "docker";
example = "docker";
description = "Which backend to use for containers: docker or podman";
};
container-socket = mkOption {
type = with types; uniq str;
default = "/var/run/docker.sock";
example = "/var/run/docker.sock";
description = "Path to the container management deamon's socket.";
};
};
virtualisation.oci-containers.backend = "podman";
# Useful other development tools
environment.systemPackages = with pkgs; [
dive # look into docker image layers
podman-tui # status of containers in the terminal
docker-compose # start group of containers for dev
#podman-compose # start group of containers for dev
];
config = {
# local = {
# container-backend = "docker";
# container-socket = "/var/run/docker.sock";
# };
local = {
container-backend = "podman";
container-socket = "/var/run/podman/podman.sock";
};
virtualisation.oci-containers.containers =
let
inherit (import ./containers/lib.nix config)
localHostRuleHavenisms
havenisms
;
in
{
homepage = {
image = "ghcr.io/gethomepage/homepage:latest";
autoStart = true;
extraOptions = [
"-l=traefik.enable=true"
"-l=traefik.http.routers.homepage.rule=${localHostRuleHavenisms "start"}"
"-l=traefik.http.services.homepage.loadbalancer.server.port=3000"
];
volumes = [
"/tank/config/homepage:/app/config"
"/tank/secrets/deluge.pass:/app/config/secrets/deluge.pass"
"/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key"
"/tank/secrets/radarr.key:/app/config/secrets/radarr.key"
"/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key"
"/var/run/podman/podman.sock:/var/run/docker.sock:ro"
];
environment = {
HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key";
HOMEPAGE_FILE_RADARR_KEY = "/app/config/secrets/radarr.key";
HOMEPAGE_FILE_SONARR_KEY = "/app/config/secrets/sonarr.key";
HOMEPAGE_FILE_READARR_KEY = "/app/config/secrets/readarr.key";
HOMEPAGE_FILE_DELUGE_PASSWORD = "/app/config/secrets/deluge.pass";
# Enable common container config files in /etc/containers
virtualisation = {
containers.enable = true;
oci-containers.backend = config.local.container-backend;
docker = lib.mkIf (config.local.container-backend == "docker") {
enable = true;
# Enable rootless so that I can run containers as other users for security.
rootless = {
enable = true;
# Set this to make the default DOCKER_HOST be the rootless version for normal users.
setSocketVariable = true;
};
};
scrutiny = {
image = "ghcr.io/analogj/scrutiny:master-omnibus";
autoStart = true;
extraOptions = [
"-l=traefik.enable=true"
"-l=traefik.http.routers.scrutiny.rule=${localHostRuleHavenisms "scrutiny"}"
"-l=traefik.http.services.scrutiny.loadbalancer.server.port=8080"
"-l=homepage.group=Infra"
"-l=homepage.name=Scrutiny"
"-l=homepage.icon=scrutiny-light.png"
"-l=homepage.href=https://scrutiny.${havenisms}"
"-l=homepage.description=S.M.A.R.T. monitoring"
"-l=homepage.widget.type=scrutiny"
"-l=homepage.widget.url=http://scrutiny:8080"
"--cap-add=SYS_RAWIO"
"--device=/dev/sda:/dev/sda"
"--device=/dev/sdb:/dev/sdb"
"--device=/dev/sdc:/dev/sdc"
"--device=/dev/sdd:/dev/sdd"
];
volumes = [
"/run/udev:/run/udev:ro"
"/tank/config/scrutiny/config:/opt/scrutiny/config"
"/tank/config/scrutiny/influxdb:/opt/scrutiny/influxdb"
];
};
valkey = {
image = "docker.io/valkey/valkey:7-alpine";
autoStart = true;
volumes = [
"/tank/config/valkey:/usr/local/etc/valkey"
];
podman = lib.mkIf (config.local.container-backend == "podman") {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
extraPackages = [ pkgs.zfs ];
};
};
# Useful other development tools
environment.systemPackages = with pkgs; [
dive # look into docker image layers
docker-compose # start group of containers for dev
];
virtualisation.oci-containers.containers =
let
inherit (import ./containers/lib.nix config)
localHostRuleHavenisms
havenisms
;
in
{
homepage = {
image = "ghcr.io/gethomepage/homepage:latest";
autoStart = true;
extraOptions = [
"-l=traefik.enable=true"
"-l=traefik.http.routers.homepage.rule=${localHostRuleHavenisms "start"}"
"-l=traefik.http.services.homepage.loadbalancer.server.port=3000"
];
volumes = [
"/tank/config/homepage:/app/config"
"/tank/secrets/deluge.pass:/app/config/secrets/deluge.pass"
"/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key"
"/tank/secrets/radarr.key:/app/config/secrets/radarr.key"
"/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key"
"${config.local.container-socket}:/var/run/docker.sock:ro"
];
environment = {
HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key";
HOMEPAGE_FILE_RADARR_KEY = "/app/config/secrets/radarr.key";
HOMEPAGE_FILE_SONARR_KEY = "/app/config/secrets/sonarr.key";
HOMEPAGE_FILE_READARR_KEY = "/app/config/secrets/readarr.key";
HOMEPAGE_FILE_DELUGE_PASSWORD = "/app/config/secrets/deluge.pass";
};
};
scrutiny = {
image = "ghcr.io/analogj/scrutiny:master-omnibus";
autoStart = true;
extraOptions = [
"-l=traefik.enable=true"
"-l=traefik.http.routers.scrutiny.rule=${localHostRuleHavenisms "scrutiny"}"
"-l=traefik.http.services.scrutiny.loadbalancer.server.port=8080"
"-l=homepage.group=Infra"
"-l=homepage.name=Scrutiny"
"-l=homepage.icon=scrutiny-light.png"
"-l=homepage.href=https://scrutiny.${havenisms}"
"-l=homepage.description=S.M.A.R.T. monitoring"
"-l=homepage.widget.type=scrutiny"
"-l=homepage.widget.url=http://scrutiny:8080"
"--cap-add=SYS_RAWIO"
"--device=/dev/sda:/dev/sda"
"--device=/dev/sdb:/dev/sdb"
"--device=/dev/sdc:/dev/sdc"
"--device=/dev/sdd:/dev/sdd"
];
volumes = [
"/run/udev:/run/udev:ro"
"/tank/config/scrutiny/config:/opt/scrutiny/config"
"/tank/config/scrutiny/influxdb:/opt/scrutiny/influxdb"
];
};
valkey = {
image = "docker.io/valkey/valkey:7-alpine";
autoStart = true;
volumes = [
"/tank/config/valkey:/usr/local/etc/valkey"
];
};
};
};
}