Periodic/system-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Periodic:c74e40e69e3505152c8bb1030b1b8a606eb0f182
Branches Tags
Periodic:main
..
compare: Periodic:b1510c3670fe830356799ace6e324924c4af7c32
Branches Tags
Periodic:main

2 Commits
c74e40e69e ... b1510c3670

Author SHA1 Message Date
Drew Haven
b1510c3670 [containers] Disables some containers, adds some docker config. 2025-06-24 18:32:15 -07:00
Drew Haven
f4dd4583db [nix] Modularized the container backend so I can easily switch it with an option 2025-06-24 17:31:30 -07:00
10 changed files with 181 additions and 120 deletions
Expand all files Collapse all files

1
system/hosts/mcp/configuration.nix
View File

@@ -62,6 +62,7 @@
"networkmanager" "networkmanager"
"wheel" "wheel"
"docker-registry" "docker-registry"
"docker"
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
# Enable linger so that systemd services run for this user are started and # Enable linger so that systemd services run for this user are started and

88
system/hosts/mcp/containers.nix
View File

@@ -1,5 +1,9 @@
# Started from https://nixos.wiki/wiki/Podman {
{ config, pkgs, ... }: config,
pkgs,
lib,
...
}:
{ {
# Additional configuration # Additional configuration
imports = [ imports = [
@@ -12,17 +16,17 @@
./containers/gitea.nix ./containers/gitea.nix
./containers/goatcounter.nix ./containers/goatcounter.nix
./containers/grafana.nix ./containers/grafana.nix
./containers/jobhunt.nix # ./containers/jobhunt.nix
./containers/mariadb.nix ./containers/mariadb.nix
./containers/media-system.nix ./containers/media-system.nix
./containers/nextcloud.nix ./containers/nextcloud.nix
./containers/offen.nix # ./containers/offen.nix
./containers/pocket-id.nix ./containers/pocket-id.nix
./containers/prometheus.nix ./containers/prometheus.nix
./containers/public-homepage.nix ./containers/public-homepage.nix
./containers/searxng.nix ./containers/searxng.nix
./containers/shared-postgres.nix ./containers/shared-postgres.nix
./containers/timetagger.nix # ./containers/timetagger.nix
./containers/traefik.nix ./containers/traefik.nix
./containers/users.nix ./containers/users.nix
@@ -30,17 +34,67 @@
./static-site-hooks.nix ./static-site-hooks.nix
]; ];
options.local = with lib; {
container-backend = mkOption {
type = with types; uniq str;
default = "docker";
example = "docker";
description = "Which backend to use for containers: docker or podman";
};
container-socket = mkOption {
type = with types; uniq str;
default = "/var/run/docker.sock";
example = "/var/run/docker.sock";
description = "Path to the container management deamon's socket.";
};
};
config = {
# local = {
# container-backend = "docker";
# container-socket = "/var/run/docker.sock";
# };
local = {
container-backend = "podman";
container-socket = "/var/run/podman/podman.sock";
};
# Enable common container config files in /etc/containers # Enable common container config files in /etc/containers
virtualisation.containers.enable = true;
virtualisation = { virtualisation = {
# docker = { containers.enable = true;
# enable = true; oci-containers.backend = config.local.container-backend;
# # Enable rootless so that I can run containers as other users for security.
# rootless = { docker = lib.mkIf (config.local.container-backend == "docker") {
# enable = true; enable = true;
# }; # Enable rootless so that I can run containers as other users for security.
# }; rootless = {
podman = { enable = true;
# Set this to make the default DOCKER_HOST be the rootless version for normal users.
setSocketVariable = true;
daemon = {
settings = {
default-address-pools = [
{
base = "10.88.0.0/16";
size = 24;
}
];
};
};
};
daemon = {
settings = {
default-address-pools = [
{
base = "10.88.0.0/16";
size = 24;
}
];
};
};
};
podman = lib.mkIf (config.local.container-backend == "podman") {
enable = true; enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement # Create a `docker` alias for podman, to use it as a drop-in replacement
@@ -52,14 +106,11 @@
extraPackages = [ pkgs.zfs ]; extraPackages = [ pkgs.zfs ];
}; };
}; };
virtualisation.oci-containers.backend = "podman";
# Useful other development tools # Useful other development tools
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
dive # look into docker image layers dive # look into docker image layers
podman-tui # status of containers in the terminal
docker-compose # start group of containers for dev docker-compose # start group of containers for dev
#podman-compose # start group of containers for dev
]; ];
virtualisation.oci-containers.containers = virtualisation.oci-containers.containers =
@@ -84,7 +135,7 @@
"/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key" "/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key"
"/tank/secrets/radarr.key:/app/config/secrets/radarr.key" "/tank/secrets/radarr.key:/app/config/secrets/radarr.key"
"/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key" "/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key"
"/var/run/podman/podman.sock:/var/run/docker.sock:ro" "${config.local.container-socket}:/var/run/docker.sock:ro"
]; ];
environment = { environment = {
HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key"; HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key";
@@ -128,4 +179,5 @@
]; ];
}; };
}; };
};
} }

7
system/hosts/mcp/containers/bookstack.nix
View File

@@ -1,7 +1,8 @@
{ config, ... }: { config, ... }:
let let
inherit (import ./lib.nix config) mkContainer mkMariaDbContainer havenisms; inherit (import ./lib.nix config) mkContainer mkMariaDbContainer havenisms;
in { in
{
imports = [ imports = [
(mkMariaDbContainer { (mkMariaDbContainer {
name = "bookstack"; name = "bookstack";
@@ -14,12 +15,12 @@ in {
sops.secrets = { sops.secrets = {
bookstack_app_key = { bookstack_app_key = {
restartUnits = [ "podman-bookstack.service" ]; restartUnits = [ "${config.local.container-backend}-bookstack.service" ];
mode = "0400"; mode = "0400";
owner = config.users.users.bookstack.name; owner = config.users.users.bookstack.name;
}; };
bookstack_db = { bookstack_db = {
restartUnits = [ "podman-bookstack-mariadb.service" ]; restartUnits = [ "${config.local.container-backend}-bookstack-mariadb.service" ];
mode = "0400"; mode = "0400";
owner = config.users.users.bookstack.name; owner = config.users.users.bookstack.name;
}; };

14
system/hosts/mcp/containers/focalboard.nix
View File

@@ -1,7 +1,8 @@
{ config, ... }: { config, ... }:
let let
inherit (import ./lib.nix config) mkContainer mkPostgresContainer terakoda; inherit (import ./lib.nix config) mkContainer mkPostgresContainer terakoda;
in { in
{
imports = [ imports = [
(mkPostgresContainer { (mkPostgresContainer {
name = "focalboard"; name = "focalboard";
@@ -14,21 +15,26 @@ in {
sops.secrets = { sops.secrets = {
"focalboard/database" = { "focalboard/database" = {
restartUnits = [ "podman-focalboard.service" "podman-focalboard-postgres.service" ]; restartUnits = [
"${config.local.container-backend}-focalboard.service"
"${config.local.container-backend}-focalboard-postgres.service"
];
mode = "0400"; mode = "0400";
owner = config.users.users.focalboard.name; owner = config.users.users.focalboard.name;
}; };
}; };
sops.templates."focalboard-config.json" = { sops.templates."focalboard-config.json" = {
restartUnits = [ "podman-focalboard.service" ]; restartUnits = [ "${config.local.container-backend}-focalboard.service" ];
owner = config.users.users.focalboard.name; owner = config.users.users.focalboard.name;
content = builtins.toJSON { content = builtins.toJSON {
# Defaults from https://github.com/mattermost-community/focalboard/blob/main/config.json # Defaults from https://github.com/mattermost-community/focalboard/blob/main/config.json
"serverRoot" = "https://focalboard.terakoda.com"; "serverRoot" = "https://focalboard.terakoda.com";
"port" = 8000; "port" = 8000;
"dbtype" = "postgres"; "dbtype" = "postgres";
"dbconfig" = "postgres://focalboard:${config.sops.placeholder."focalboard/database"}@focalboard-postgres/focalboard?sslmode=disable&connect_timeout=10"; "dbconfig" = "postgres://focalboard:${
config.sops.placeholder."focalboard/database"
}@focalboard-postgres/focalboard?sslmode=disable&connect_timeout=10";
"useSSL" = true; "useSSL" = true;
"prometheus_address" = ":9092"; "prometheus_address" = ":9092";
"session_expire_time" = 2592000; "session_expire_time" = 2592000;

6
system/hosts/mcp/containers/gitea.nix
View File

@@ -5,10 +5,10 @@ in
{ {
sops.secrets = { sops.secrets = {
"gitea/db_password" = { "gitea/db_password" = {
restartUnits = [ "podman-gitea.service" ]; restartUnits = [ "${config.local.container-backend}-gitea.service" ];
}; };
"gitea/registration_token" = { "gitea/registration_token" = {
restartUnits = [ "podman-gitea-runner.service" ]; restartUnits = [ "${config.local.container-backend}-gitea-runner.service" ];
}; };
}; };
@@ -66,7 +66,7 @@ in
]; ];
volumes = [ volumes = [
# The runner will spawn new containers to run the actions # The runner will spawn new containers to run the actions
"/var/run/podman/podman.sock:/var/run/docker.sock:ro" "${config.local.container-socket}:/var/run/docker.sock:ro"
]; ];
}; };
} }

4
system/hosts/mcp/containers/havenisms.com/chat.nix
View File

@@ -8,10 +8,10 @@ in
sops.secrets = { sops.secrets = {
"matrix/syncv3/db-password" = { "matrix/syncv3/db-password" = {
restartUnits = [ "podman-matrix-sliding-sync.service" ]; restartUnits = [ "${config.local.container-backend}-matrix-sliding-sync.service" ];
}; };
"matrix/syncv3/secret" = { "matrix/syncv3/secret" = {
restartUnits = [ "podman-matrix-sliding-sync.service" ]; restartUnits = [ "${config.local.container-backend}-matrix-sliding-sync.service" ];
}; };
}; };

4
system/hosts/mcp/containers/mariadb.nix
View File

@@ -1,8 +1,8 @@
# Common config for all mariadb containers # Common config for all mariadb containers
{ ... }: { config, ... }:
{ {
sops.secrets."mariadb_root_password" = { sops.secrets."mariadb_root_password" = {
restartUnits = [ "podman-mariadb.service" ]; restartUnits = [ "${config.local.container-backend}-mariadb.service" ];
mode = "0440"; mode = "0440";
group = "mariadb"; group = "mariadb";
}; };

4
system/hosts/mcp/containers/oauth2proxy.nix
View File

@@ -5,11 +5,11 @@ in
{ {
sops.secrets = { sops.secrets = {
"oauth2-proxy/cookie-secret" = { "oauth2-proxy/cookie-secret" = {
restartUnits = [ "podman-oauth2-proxy.service" ]; restartUnits = [ "${config.local.container-backend}-oauth2-proxy.service" ];
mode = "0400"; mode = "0400";
}; };
"oauth2-proxy/client-secret" = { "oauth2-proxy/client-secret" = {
restartUnits = [ "podman-oauth2-proxy.service" ]; restartUnits = [ "${config.local.container-backend}-oauth2-proxy.service" ];
mode = "0400"; mode = "0400";
}; };
}; };

7
system/hosts/mcp/containers/openproject.nix
View File

@@ -2,18 +2,19 @@
let let
inherit (import ./lib.nix config) mkContainer havenisms; inherit (import ./lib.nix config) mkContainer havenisms;
hostName = "projects"; hostName = "projects";
in { in
{
sops.secrets = { sops.secrets = {
"openproject/secret-key-base" = { "openproject/secret-key-base" = {
restartUnits = [ "podman-openproject.service" ]; restartUnits = [ "${config.local.container-backend}-openproject.service" ];
mode = "0400"; mode = "0400";
owner = config.users.users.bookstack.name; owner = config.users.users.bookstack.name;
}; };
}; };
sops.templates."openproject.env" = { sops.templates."openproject.env" = {
restartUnits = [ "podman-openproject.service" ]; restartUnits = [ "${config.local.container-backend}-openproject.service" ];
content = '' content = ''
OPENPROJECT_SECRET_KEY_BASE=${config.sops.placeholder."openproject/secret-key-base"} OPENPROJECT_SECRET_KEY_BASE=${config.sops.placeholder."openproject/secret-key-base"}
OPENPROJECT_HOST__NAME=${hostName}.${havenisms} OPENPROJECT_HOST__NAME=${hostName}.${havenisms}

6
system/hosts/mcp/containers/traefik.nix
View File

@@ -10,11 +10,11 @@ in
sops.secrets = { sops.secrets = {
"traefik/oauth2-client-secret" = { "traefik/oauth2-client-secret" = {
restartUnits = [ "podman-traefik.service" ]; restartUnits = [ "${config.local.container-backend}-traefik.service" ];
mode = "0400"; mode = "0400";
}; };
"traefik/oauth2-plugin-secret" = { "traefik/oauth2-plugin-secret" = {
restartUnits = [ "podman-traefik.service" ]; restartUnits = [ "${config.local.container-backend}-traefik.service" ];
mode = "0400"; mode = "0400";
}; };
}; };
@@ -47,7 +47,7 @@ in
"8448:8448" "8448:8448"
]; ];
volumes = [ volumes = [
"/var/run/podman/podman.sock:/var/run/docker.sock:ro" "${config.local.container-socket}:/var/run/docker.sock:ro"
# All the configs from the config directory # All the configs from the config directory
"${traefikConfigDir}:/etc/traefik" "${traefikConfigDir}:/etc/traefik"
# Oauth2 config containing secrets # Oauth2 config containing secrets