Merge branch 'container' into 'main'

Nixify and podmanify containers

See merge request https://git.cything.io/cy/infra/-/merge_requests/2

hosts/chunk/adguard.nix

@@ -11,6 +11,13 @@
           password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
         }
       ];
+      # do not listen eveywhere cause podman runs it's own DNS
+      dns.bind_hosts = [
+        "127.0.0.1"
+        "::1"
+        "31.59.129.225"
+        "2a0f:85c1:840:2bfb::1"
+      ];
     };
   };
 }

hosts/chunk/conduit.nix

@@ -0,0 +1,40 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  virtualisation.oci-containers.containers.conduit = {
+    image = "matrixconduit/matrix-conduit:latest";
+    autoStart = true;
+    ports = ["127.0.0.1:8448:8448"];
+    pull = "newer";
+    environment = {
+      CONDUIT_SERVER_NAME = "cything.io";
+      CONDUIT_DATABASE_PATH = "/var/lib/matrix-conduit/";
+      CONDUIT_DATABASE_BACKEND = "rocksdb";
+      CONDUIT_PORT = "8448";
+      CONDUIT_MAX_REQUEST_SIZE = "20000000"; # in bytes ~20MB
+      CONDUIT_ALLOW_REGISTRATION = "false";
+      CONDUIT_ALLOW_FEDERATION = "true";
+      CONDUIT_ALLOW_CHECK_FOR_UPDATES = "true";
+      CONDUIT_TRUSTED_SERVERS = ''["matrix.org"]'';
+      CONDUIT_ADDRESS = "0.0.0.0";
+      CONDUIT_CONFIG = "";
+    };
+    volumes = [
+      "/opt/conduit/db:/var/lib/matrix-conduit/"
+    ];
+    networks = ["conduit-net"];
+  };
+
+  systemd.services.create-conduit-net = {
+    serviceConfig.Type = "oneshot";
+    wantedBy = with config.virtualisation.oci-containers; [
+      "${backend}-conduit.service"
+    ];
+    script = ''
+      ${pkgs.podman}/bin/podman network exists conduit-net || \
+      ${pkgs.podman}/bin/podman network create conduit-net
+    '';
+  };
+}

hosts/chunk/default.nix

@@ -21,6 +21,9 @@
     ./wireguard.nix
     ./grafana.nix
     ./tor.nix
+    ./ghost.nix
+    ./conduit.nix
+    ./immich.nix
   ];
 
   sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@@ -126,7 +129,7 @@
 
   users.users.yt = {
     isNormalUser = true;
-    extraGroups = ["wheel" "networkmanager" "docker"];
+    extraGroups = ["wheel" "networkmanager" "podman"];
     openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"];
     shell = pkgs.zsh;
   };
@@ -170,5 +173,17 @@
     logFormat = lib.mkForce "level INFO";
   };
 
-  virtualisation.docker.enable = true;
+  # container stuff
+  virtualisation.containers.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    # create 'docker' alias for podman, to use as
+    # drop-in replacement
+    dockerCompat = true;
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      ipv6_enabled = true;
+    };
+  };
+  virtualisation.oci-containers.backend = "podman";
 }

hosts/chunk/ghost.nix

@@ -0,0 +1,51 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  virtualisation.oci-containers.containers.ghost = {
+    image = "ghost:5-alpine";
+    autoStart = true;
+    ports = ["127.0.0.1:8084:2368"];
+    pull = "newer";
+    environment = {
+      database__client = "mysql";
+      database__connection__host = "ghost-db";
+      database__connection__user = "root";
+      database__connection__password = "example";
+      database__connection__databse = "ghost";
+      url = "https://cything.io";
+      NODE_ENV = "production";
+    };
+    volumes = [
+      "/opt/ghost/data:/var/lib/ghost/content"
+    ];
+    networks = ["ghost-net"];
+    dependsOn = ["ghost-db"];
+  };
+
+  virtualisation.oci-containers.containers.ghost-db = {
+    image = "mysql:8.0";
+    autoStart = true;
+    pull = "newer";
+    environment = {
+      MYSQL_ROOT_PASSWORD = "example";
+    };
+    volumes = [
+      "/opt/ghost/db:/var/lib/mysql"
+    ];
+    networks = ["ghost-net"];
+  };
+
+  systemd.services.create-ghost-net = {
+    serviceConfig.Type = "oneshot";
+    wantedBy = with config.virtualisation.oci-containers; [
+      "${backend}-ghost.service"
+      "${backend}-ghost-db.service"
+    ];
+    script = ''
+      ${pkgs.podman}/bin/podman network exists ghost-net || \
+      ${pkgs.podman}/bin/podman network create ghost-net
+    '';
+  };
+}

hosts/chunk/immich.nix

@@ -0,0 +1,87 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  uploadLocation = "/mnt/photos/immich";
+  thumbsLocation = "/opt/immich/thumbs";
+  profileLocation = "/opt/immich/profile";
+  dbDataLocation = "/opt/immich/postgres";
+  modelCache = "/opt/immich-ml";
+in {
+  virtualisation.oci-containers.containers = {
+    immich-server = {
+      image = "ghcr.io/immich-app/immich-server:release";
+      autoStart = true;
+      ports = ["127.0.0.1:2283:2283"];
+      pull = "newer";
+      volumes = [
+        "${uploadLocation}:/usr/src/app/upload"
+        "${thumbsLocation}:/usr/src/app/upload/thumbs"
+        "${profileLocation}:/usr/src/app/upload/profile"
+      ];
+      environment = {
+        REDIS_HOSTNAME = "immich-redis";
+        DB_HOSTNAME = "immich-db";
+      };
+      networks = ["immich-net"];
+      dependsOn = ["immich-db" "immich-redis"];
+    };
+
+    immich-redis = {
+      image = "redis:6.2-alpine";
+      autoStart = true;
+      pull = "newer";
+      networks = ["immich-net"];
+    };
+
+    immich-db = {
+      image = "tensorchord/pgvecto-rs:pg14-v0.2.0";
+      autoStart = true;
+      pull = "newer";
+      environment = {
+        POSTGRES_PASSWORD = "postgres";
+        POSTGRES_USER = "postgres";
+        POSTGRES_DB = "immich";
+        POSTGRES_INITDB_ARGS = "--data-checksums";
+      };
+      volumes = ["${dbDataLocation}:/var/lib/postgresql/data"];
+      cmd = [
+        "postgres"
+        "-c" "shared_preload_libraries=vectors.so"
+        "-c" ''search_path="$$user", public, vectors''
+        "-c" "logging_collector=on"
+        "-c" "max_wal_size=2GB"
+        "-c" "shared_buffers=512MB"
+        "-c" "wal_compression=on"
+      ];
+      networks = ["immich-net"];
+    };
+
+    immich-ml = {
+      image = "ghcr.io/immich-app/immich-machine-learning:release";
+      autoStart = true;
+      pull = "newer";
+      environment = {
+        REDIS_HOSTNAME = "immich-redis";
+        DB_HOSTNAME = "immich-db";
+      };
+      volumes = ["${modelCache}:/cache"];
+      networks = ["immich-net"];
+    };
+  };
+
+  systemd.services.create-immich-net = {
+    serviceConfig.Type = "oneshot";
+    wantedBy = with config.virtualisation.oci-containers; [
+      "${backend}-immich.service"
+      "${backend}-immich-db.service"
+      "${backend}-immich-redis.service"
+      "${backend}-immich-ml.service"
+    ];
+    script = ''
+      ${pkgs.podman}/bin/podman network exists immich-net || \
+      ${pkgs.podman}/bin/podman network create immich-net
+    '';
+  };
+}