Merge branch 'container' into 'main'

Nixify and podmanify containers

See merge request https://git.cything.io/cy/infra/-/merge_requests/2
This commit is contained in:
cy 2024-12-17 09:07:47 +00:00
commit 92a1ebf711
5 changed files with 202 additions and 2 deletions


@ -11,6 +11,13 @@
password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
}
];
# do not listen eveywhere cause podman runs it's own DNS
dns.bind_hosts = [
"127.0.0.1"
"::1"
"31.59.129.225"
"2a0f:85c1:840:2bfb::1"
];
};
};
}

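--- a/hosts/chunk/conduit.nix
+++ b/hosts/chunk/conduit.nix
@@ -0,0 +1,40 @@
+{
+pkgs,
+config,
+...
+}: {
+virtualisation.oci-containers.containers.conduit = {
+image = "matrixconduit/matrix-conduit:latest";
+autoStart = true;
+ports = ["127.0.0.1:8448:8448"];
+pull = "newer";
+environment = {
+CONDUIT_SERVER_NAME = "cything.io";
+CONDUIT_DATABASE_PATH = "/var/lib/matrix-conduit/";
+CONDUIT_DATABASE_BACKEND = "rocksdb";
+CONDUIT_PORT = "8448";
+CONDUIT_MAX_REQUEST_SIZE = "20000000"; # in bytes ~20MB
+CONDUIT_ALLOW_REGISTRATION = "false";
+CONDUIT_ALLOW_FEDERATION = "true";
+CONDUIT_ALLOW_CHECK_FOR_UPDATES = "true";
+CONDUIT_TRUSTED_SERVERS = ''["matrix.org"]'';
+CONDUIT_ADDRESS = "0.0.0.0";
+CONDUIT_CONFIG = "";
+};
+volumes = [
+"/opt/conduit/db:/var/lib/matrix-conduit/"
+];
+networks = ["conduit-net"];
+};
+systemd.services.create-conduit-net = {
+serviceConfig.Type = "oneshot";
+wantedBy = with config.virtualisation.oci-containers; [
+"${backend}-conduit.service"
+];
+script = ''
+${pkgs.podman}/bin/podman network exists conduit-net || \
+${pkgs.podman}/bin/podman network create conduit-net
+'';
+};
+}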
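Review bot: `create-conduit-net` is only `wantedBy` the container unit, and a Wants dependency carries no ordering, so `podman-conduit.service` can be started before the network exists and fail its first start until systemd retries; add `before = with config.virtualisation.oci-containers; [ "${backend}-conduit.service" ];` next to `wantedBy` in the `systemd.services.create-conduit-net` block. The same gap is in `create-ghost-net` (ghost.nix) and `create-immich-net` (immich.nix). Separately, `image = "matrixconduit/matrix-conduit:latest"` together with `pull = "newer"` re-pulls whatever upstream last published on every start, so a broken or compromised tag reaches production without review; pinning a digest, `image = "matrixconduit/matrix-conduit@sha256:<digest>";`, or at least a version tag keeps the upgrade under your control.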


@ -21,6 +21,9 @@
./wireguard.nix
./grafana.nix
./tor.nix
./ghost.nix
./conduit.nix
./immich.nix
];
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@ -126,7 +129,7 @@
users.users.yt = {
isNormalUser = true;
extraGroups = ["wheel" "networkmanager" "docker"];
extraGroups = ["wheel" "networkmanager" "podman"];
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"];
shell = pkgs.zsh;
};
@ -170,5 +173,17 @@
logFormat = lib.mkForce "level INFO";
};
virtualisation.docker.enable = true;
# container stuff
virtualisation.containers.enable = true;
virtualisation.podman = {
enable = true;
# create 'docker' alias for podman, to use as
# drop-in replacement
dockerCompat = true;
defaultNetwork.settings = {
dns_enabled = true;
ipv6_enabled = true;
};
};
virtualisation.oci-containers.backend = "podman";
}
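Review bot: The `users.users.yt` hunk replaces the `docker` group with `podman`; rootless podman needs no group at all, and as I read the NixOS module that group only becomes meaningful when `virtualisation.podman.dockerSocket.enable` exposes the rootful socket, where membership is effectively root-equivalent — please confirm against the option docs. If the goal is only `docker` CLI compatibility for the user, `dockerCompat = true` in the last hunk already provides the alias and the group entry can be dropped; if the rootful socket is intended later, treat that membership with the same care as `wheel`.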

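--- a/hosts/chunk/ghost.nix
+++ b/hosts/chunk/ghost.nix
@@ -0,0 +1,51 @@
+{
+pkgs,
+config,
+...
+}: {
+virtualisation.oci-containers.containers.ghost = {
+image = "ghost:5-alpine";
+autoStart = true;
+ports = ["127.0.0.1:8084:2368"];
+pull = "newer";
+environment = {
+database__client = "mysql";
+database__connection__host = "ghost-db";
+database__connection__user = "root";
+database__connection__password = "example";
+database__connection__databse = "ghost";
+url = "https://cything.io";
+NODE_ENV = "production";
+};
+volumes = [
+"/opt/ghost/data:/var/lib/ghost/content"
+];
+networks = ["ghost-net"];
+dependsOn = ["ghost-db"];
+};
+virtualisation.oci-containers.containers.ghost-db = {
+image = "mysql:8.0";
+autoStart = true;
+pull = "newer";
+environment = {
+MYSQL_ROOT_PASSWORD = "example";
+};
+volumes = [
+"/opt/ghost/db:/var/lib/mysql"
+];
+networks = ["ghost-net"];
+};
+systemd.services.create-ghost-net = {
+serviceConfig.Type = "oneshot";
+wantedBy = with config.virtualisation.oci-containers; [
+"${backend}-ghost.service"
+"${backend}-ghost-db.service"
+];
+script = ''
+${pkgs.podman}/bin/podman network exists ghost-net || \
+${pkgs.podman}/bin/podman network create ghost-net
+'';
+};
+}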
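Review bot: The MySQL root password is the literal `"example"` in both `database__connection__password` and `MYSQL_ROOT_PASSWORD`, committed to a repo whose host config already references a sops key file, and the app connects as `root`; the database is only reachable on `ghost-net`, but anyone with repo access learns the superuser credential and any container on that network can use it. Both values can be supplied from an env-format sops secret with `environmentFiles = [ config.sops.secrets.<secret-name>.path ];` on each container, and a dedicated account via the image's `MYSQL_USER`/`MYSQL_PASSWORD` keeps the app off the root login. Also `database__connection__databse` is misspelled, so Ghost never reads that key and the database name falls back to whatever the image defaults to; it should be `database__connection__database = "ghost";`.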

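--- a/hosts/chunk/immich.nix
+++ b/hosts/chunk/immich.nix
@@ -0,0 +1,87 @@
+{
+pkgs,
+config,
+...
+}: let
+uploadLocation = "/mnt/photos/immich";
+thumbsLocation = "/opt/immich/thumbs";
+profileLocation = "/opt/immich/profile";
+dbDataLocation = "/opt/immich/postgres";
+modelCache = "/opt/immich-ml";
+in {
+virtualisation.oci-containers.containers = {
+immich-server = {
+image = "ghcr.io/immich-app/immich-server:release";
+autoStart = true;
+ports = ["127.0.0.1:2283:2283"];
+pull = "newer";
+volumes = [
+"${uploadLocation}:/usr/src/app/upload"
+"${thumbsLocation}:/usr/src/app/upload/thumbs"
+"${profileLocation}:/usr/src/app/upload/profile"
+];
+environment = {
+REDIS_HOSTNAME = "immich-redis";
+DB_HOSTNAME = "immich-db";
+};
+networks = ["immich-net"];
+dependsOn = ["immich-db" "immich-redis"];
+};
+immich-redis = {
+image = "redis:6.2-alpine";
+autoStart = true;
+pull = "newer";
+networks = ["immich-net"];
+};
+immich-db = {
+image = "tensorchord/pgvecto-rs:pg14-v0.2.0";
+autoStart = true;
+pull = "newer";
+environment = {
+POSTGRES_PASSWORD = "postgres";
+POSTGRES_USER = "postgres";
+POSTGRES_DB = "immich";
+POSTGRES_INITDB_ARGS = "--data-checksums";
+};
+volumes = ["${dbDataLocation}:/var/lib/postgresql/data"];
+cmd = [
+"postgres"
+"-c" "shared_preload_libraries=vectors.so"
+"-c" ''search_path="$$user", public, vectors''
+"-c" "logging_collector=on"
+"-c" "max_wal_size=2GB"
+"-c" "shared_buffers=512MB"
+"-c" "wal_compression=on"
+];
+networks = ["immich-net"];
+};
+immich-ml = {
+image = "ghcr.io/immich-app/immich-machine-learning:release";
+autoStart = true;
+pull = "newer";
+environment = {
+REDIS_HOSTNAME = "immich-redis";
+DB_HOSTNAME = "immich-db";
+};
+volumes = ["${modelCache}:/cache"];
+networks = ["immich-net"];
+};
+};
+systemd.services.create-immich-net = {
+serviceConfig.Type = "oneshot";
+wantedBy = with config.virtualisation.oci-containers; [
+"${backend}-immich.service"
+"${backend}-immich-db.service"
+"${backend}-immich-redis.service"
+"${backend}-immich-ml.service"
+];
+script = ''
+${pkgs.podman}/bin/podman network exists immich-net || \
+${pkgs.podman}/bin/podman network create immich-net
+'';
+};
+}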
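Review bot: `create-immich-net` lists `"${backend}-immich.service"` in `wantedBy`, but no container named `immich` is defined in this file — the server is `immich-server` — so that entry names a unit that does not exist and the server unit itself never wants the network service; it should read `"${backend}-immich-server.service"`. The Postgres superuser password is the hard-coded `"postgres"` (and the same default user), which ends up world-readable in the Nix store; an env-format sops secret via `environmentFiles` on `immich-db` and `immich-server` keeps it out of the repo, and the `:release` tags with `pull = "newer"` mean each restart deploys whatever upstream last published, unreviewed. The `search_path` argument keeps the compose-file `$$user` escape, but in a Nix `''…''` string a `$` not followed by `{` is already literal, so unless I am misreading it Postgres receives `"$$user"` instead of `"$user"` and the per-user schema is silently absent from the path; worth checking with `SHOW search_path;` in the running container and using `''search_path="$user", public, vectors''` if so.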