system-config/system/hosts/mcp/containers.nix


{
config,
pkgs,
lib,
...
}:
{
# Additional configuration
imports = [
./containers/havenisms.com
./containers/blazestar.net
# Docker containers
./containers/dm-companion.nix
./containers/freshrss.nix
./containers/gitea.nix
./containers/goatcounter.nix
./containers/grafana.nix
./containers/jobhunt.nix
./containers/mariadb.nix
./containers/media-system.nix
./containers/nextcloud.nix
./containers/offen.nix
./containers/pocket-id.nix
./containers/prometheus.nix
./containers/public-homepage.nix
./containers/searxng.nix
./containers/shared-postgres.nix
./containers/timetagger.nix
./containers/traefik.nix
./containers/users.nix
# NixOS Containers
./static-site-hooks.nix
];
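# Host-local knobs shared by the container modules imported above.
options.local = {
  # Which OCI runtime backs virtualisation.oci-containers on this host.
  # The type is restricted to the two values the description names, so a
  # mistyped backend fails at evaluation with a clear message instead of
  # leaving both the docker and the podman `mkIf` blocks disabled.
  container-backend = lib.mkOption {
    type = lib.types.uniq (lib.types.enum [ "docker" "podman" ]);
    default = "docker";
    example = "docker";
    description = "Which backend to use for containers: docker or podman";
  };
  # Filesystem path of the runtime's API socket. Containers that need to talk
  # to the runtime bind-mount this path.
  # NOTE(review): the default, /var/run/docker.sock, is the system daemon's
  # socket rather than a rootless one; confirm that is the intended default.
  container-socket = lib.mkOption {
    type = lib.types.uniq lib.types.str;
    default = "/var/run/docker.sock";
    example = "/var/run/docker.sock";
    description = "Path to the container management daemon's socket.";
  };
};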
config = {
# Backend selection for this host. The docker equivalent would be:
#   local.container-backend = "docker";
#   local.container-socket = "/var/run/docker.sock";
# The socket path set here is the one bind-mounted into the homepage container
# below, so it decides which runtime API that container can reach.
# NOTE(review): /var/run/podman/podman.sock looks like the system-wide podman
# socket, not a per-user one; confirm.
local.container-backend = "podman";
local.container-socket = "/var/run/podman/podman.sock";
# Enable common container config files in /etc/containers
virtualisation.containers.enable = true;

# oci-containers follows whichever backend local.container-backend selects.
virtualisation.oci-containers.backend = config.local.container-backend;

# Docker is only configured when it is the selected backend.
virtualisation.docker = lib.mkIf (config.local.container-backend == "docker") {
  enable = true;
  # Enable rootless so that containers can be run as other users for security.
  rootless.enable = true;
  # Makes the rootless daemon the default DOCKER_HOST for normal users.
  # NOTE(review): `enable = true` above presumably still starts the system-wide
  # daemon as well; confirm which of the two the oci-containers units talk to.
  rootless.setSocketVariable = true;
};

# Podman is only configured when it is the selected backend.
virtualisation.podman = lib.mkIf (config.local.container-backend == "podman") {
  enable = true;
  # Create a `docker` alias for podman, to use it as a drop-in replacement
  dockerCompat = true;
  # Required for containers under podman-compose to be able to talk to each other.
  defaultNetwork.settings.dns_enabled = true;
  # Puts the zfs tools on podman's path.
  # NOTE(review): presumably for a ZFS-backed storage driver; confirm.
  extraPackages = [ pkgs.zfs ];
};
# Useful other development tools, installed system-wide.
environment.systemPackages = [
  # look into docker image layers
  pkgs.dive
  # start group of containers for dev
  pkgs.docker-compose
];
virtualisation.oci-containers.containers =
let
inherit (import ./containers/lib.nix config)
localHostRuleHavenisms
havenisms
;
in
{
# Homepage dashboard, routed by Traefik to container port 3000.
homepage =
  let
    # Traefik discovery labels; the router rule is built by the helper
    # inherited from ./containers/lib.nix.
    routingLabels = [
      "-l=traefik.enable=true"
      "-l=traefik.http.routers.homepage.rule=${localHostRuleHavenisms "start"}"
      "-l=traefik.http.services.homepage.loadbalancer.server.port=3000"
    ];

    # One host file per credential, overlaid onto /app/config/secrets.
    # NOTE(review): these mounts carry no `:ro`, so the container can modify
    # the host secret files; if the app only reads them, `:ro` would narrow
    # that. Verify the image's entrypoint tolerates read-only files first.
    secretMounts = [
      "/tank/secrets/deluge.pass:/app/config/secrets/deluge.pass"
      "/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key"
      "/tank/secrets/radarr.key:/app/config/secrets/radarr.key"
      "/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key"
    ];

    # Container runtime API socket, exposed at the docker path.
    # `:ro` makes the bind mount read-only at the filesystem level only; it does
    # not restrict which API requests can be sent over the socket.
    # NOTE(review): this container therefore holds whatever API access the
    # socket grants. Confirm that is accepted, or put a filtering socket proxy
    # in front of it.
    runtimeSocketMount = "${config.local.container-socket}:/var/run/docker.sock:ro";
  in
  {
    autoStart = true;
    # `latest` is a mutable tag: the image that runs can change on any re-pull.
    # NOTE(review): consider pinning a release tag or digest.
    image = "ghcr.io/gethomepage/homepage:latest";
    extraOptions = routingLabels;
    volumes = [ "/tank/config/homepage:/app/config" ] ++ secretMounts ++ [ runtimeSocketMount ];
    # Each value is a path inside the container, not the secret itself.
    # NOTE(review): readarr.key has no matching bind mount above, unlike the
    # other four; confirm it is provided through /tank/config/homepage or add
    # the mount.
    environment = {
      HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key";
      HOMEPAGE_FILE_RADARR_KEY = "/app/config/secrets/radarr.key";
      HOMEPAGE_FILE_SONARR_KEY = "/app/config/secrets/sonarr.key";
      HOMEPAGE_FILE_READARR_KEY = "/app/config/secrets/readarr.key";
      HOMEPAGE_FILE_DELUGE_PASSWORD = "/app/config/secrets/deluge.pass";
    };
  };
# Scrutiny (S.M.A.R.T. monitoring), routed by Traefik to container port 8080
# and listed on the homepage dashboard under "Infra".
scrutiny =
  let
    # Traefik routing labels plus homepage dashboard discovery labels.
    serviceLabels = [
      "-l=traefik.enable=true"
      "-l=traefik.http.routers.scrutiny.rule=${localHostRuleHavenisms "scrutiny"}"
      "-l=traefik.http.services.scrutiny.loadbalancer.server.port=8080"
      "-l=homepage.group=Infra"
      "-l=homepage.name=Scrutiny"
      "-l=homepage.icon=scrutiny-light.png"
      "-l=homepage.href=https://scrutiny.${havenisms}"
      "-l=homepage.description=S.M.A.R.T. monitoring"
      "-l=homepage.widget.type=scrutiny"
      "-l=homepage.widget.url=http://scrutiny:8080"
    ];

    # Extra privilege: the SYS_RAWIO capability and four host block devices.
    # No permission suffix is given on the --device flags, so the runtime's
    # default device permissions apply.
    # NOTE(review): that default is presumably read/write/mknod, which gives
    # the container raw access to these disks. Confirm whether a narrower
    # permission suffix still lets the collector work, and that sda-sdd is the
    # complete and stable set of disks to monitor.
    diskAccessFlags = [
      "--cap-add=SYS_RAWIO"
      "--device=/dev/sda:/dev/sda"
      "--device=/dev/sdb:/dev/sdb"
      "--device=/dev/sdc:/dev/sdc"
      "--device=/dev/sdd:/dev/sdd"
    ];
  in
  {
    autoStart = true;
    # NOTE(review): `master-omnibus` looks like a branch-tracking tag, so the
    # image can change between pulls; consider a release tag or digest.
    image = "ghcr.io/analogj/scrutiny:master-omnibus";
    extraOptions = serviceLabels ++ diskAccessFlags;
    volumes = [
      # Host udev data, read-only.
      "/run/udev:/run/udev:ro"
      # Persistent application config and the bundled InfluxDB data.
      "/tank/config/scrutiny/config:/opt/scrutiny/config"
      "/tank/config/scrutiny/influxdb:/opt/scrutiny/influxdb"
    ];
  };
# Valkey key-value store. No ports, labels or command override are set here.
# NOTE(review): nothing in this block sets authentication or points the server
# at a config file in the mounted directory; confirm how it is configured and
# which containers can reach it over the container network.
valkey = {
  autoStart = true;
  image = "docker.io/valkey/valkey:7-alpine";
  # Host config directory made available at /usr/local/etc/valkey.
  volumes = [ "/tank/config/valkey:/usr/local/etc/valkey" ];
};
};
};
}