diff --git a/config/common.nix b/config/common.nix index 7f7d83f..1e01f7f 100644 --- a/config/common.nix +++ b/config/common.nix @@ -102,4 +102,5 @@ tree ]; + powerManagement.powertop.enable = true; } diff --git a/home/podman.nix b/home/podman.nix index 9fca9a2..e29d829 100644 --- a/home/podman.nix +++ b/home/podman.nix @@ -7,12 +7,9 @@ { services.podman.networks = { - vlan50 = { - driver = "macvlan"; - gateway = "192.168.50.1"; - subnet = "192.168.50.0/24"; - extraPodmanArgs= [ "--opt parent=ens18" ]; - }; + internal_net = { + driver = "bridge"; + }; }; services.podman.enable = true; services.podman.autoUpdate.enable = true; @@ -23,7 +20,7 @@ # image = "docker.io/thijsvanloef/palworld-server-docker:latest"; # autoStart = true; # autoUpdate = "registry"; -# network = "bridge"; +# network = "internal_net"; # environmentFile = [ # "/pool/services/secrets/default" # "/pool/services/secrets/palworld" @@ -46,16 +43,13 @@ image = "docker.io/actualbudget/actual-server:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; volumes = [ "/pool/services/podman/actual:/data" ]; - ports = [ - "5006:5006" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
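Review bot: The new `internal_net` is a single flat bridge that every container in this file is moved onto, so each service — databases and redis instances included, now with no published ports — is reachable from every other container on the segment, and a compromise of any one web app gives direct access to `authentik-postgresql`, `romm-db` and friends. Consider one network per application stack, marking backend-only ones non-routable with `extraPodmanArgs = [ "--internal" ];`, or at least a comment on `internal_net` stating that flat east-west reachability is accepted. The `vlan50` macvlan removed here still appears to be referenced elsewhere in this commit: hosts/server/settings.nix keeps `vlans.vlan50` (interface moved to `enp7s0`) and its hunk headers show a `systemd.services.podman-network-vlan50` unit; if that unit still targets the deleted podman network it will fail on activation, so it is probably dead config to remove, though its body is not in this diff.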
@@ -63,55 +57,55 @@ }; }; - akaunting = { - image = "docker.io/akaunting/akaunting:latest"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/akaunting" - ]; - volumes = [ - "/pool/services/podman/akaunting/data:/var/www/html/akaunting" - ]; - ports = [ - "8003:80" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; - - akaunting-db = { - image = "docker.io/mariadb:latest"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/akaunting" - ]; - volumes = [ - "/pool/services/podman/akaunting/db:/var/lib/mysql" - ]; - ports = [ - "3307:3306" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; +# akaunting = { +# image = "docker.io/akaunting/akaunting:latest"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/akaunting" +# ]; +# volumes = [ +# "/pool/services/podman/akaunting/data:/var/www/html/akaunting" +# ]; +# ports = [ +# "8003:80" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; +# +# akaunting-db = { +# image = "docker.io/mariadb:latest"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/akaunting" +# ]; +# volumes = [ +# "/pool/services/podman/akaunting/db:/var/lib/mysql" +# ]; +# ports = [ +# "3307:3306" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; archivebox = { image = "docker.io/archivebox/archivebox:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/archivebox" 
@@ -119,8 +113,117 @@ volumes = [ "/pool/services/podman/archivebox:/data" ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + + authelia = { + image = "docker.io/authelia/authelia:latest"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/authelia" + ]; + volumes = [ + "/pool/services/podman/authelia/config:/config" + ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + + authentik-server = { + image = "ghcr.io/goauthentik/server:2026.2.1"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + exec = "server"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/authentik" + ]; + volumes = [ + "/pool/services/podman/authentik/data:/data" + "/pool/services/podman/authentik/certs:/certs" + "/pool/services/podman/authentik/templates:/templates" + ]; + extraPodmanArgs = [ + "--shm-size=256m" + ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + + authentik-postgresql = { + image = "docker.io/postgres:16-alpine"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/authentik" + ]; + volumes = [ + "/pool/services/podman/authentik/db:/var/lib/postgresql/data" + ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + + authentik-worker = { + image = "ghcr.io/goauthentik/server:2026.2.1"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + exec = "worker"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/authentik" + ]; + volumes = [ + "/pool/services/podman/authentik/data:/data" + "/pool/services/podman/authentik/certs:/certs" + "/pool/services/podman/authentik/templates:/templates" + ]; + extraPodmanArgs = [ + "--shm-size=256m" + ]; + extraConfig = { + 
Service = { + TimeoutStartSec = 900; + }; + }; + }; + caddy-local = { + image = "ghcr.io/caddybuilds/caddy-cloudflare:latest"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + environmentFile = [ + "/pool/services/secrets/default" + ]; + volumes = [ + "/pool/services/podman/caddy-local/conf:/etc/caddy" + "/pool/services/podman/caddy-local/site:/srv" + "/pool/services/podman/caddy-local/data:/data" + "/pool/services/podman/caddy-local/config:/config" + ]; ports = [ - "8002:8000" + "80:80" + "443:443" ]; extraConfig = { Service = { @@ -133,7 +236,7 @@ image = "lscr.io/linuxserver/bazarr:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -142,9 +245,6 @@ "/pool/media/video/movies:/movies" "/pool/media/video/tv:/tv" ]; - ports = [ - "6767:6767" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -156,7 +256,7 @@ image = "lscr.io/linuxserver/ddclient:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -174,7 +274,7 @@ image = "docker.io/eclipse-mosquitto:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; 
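Review bot: `authentik-server` and `authentik-worker` both pin `ghcr.io/goauthentik/server:2026.2.1` while also setting `autoUpdate = "registry"`; with a fixed tag the auto-update only ever re-pulls the same tag, and the duplicated literal lets the two halves drift if one is bumped without the other. Bind the image once in a `let` (`authentikImage = "ghcr.io/goauthentik/server:2026.2.1";`) and use it in both, then either drop `autoUpdate` to make the pin explicit or track a channel tag if unattended upgrades are wanted. `caddy-local` is now the only ingress (`80:80`, `443:443`) in front of both identity providers yet runs `:latest` with auto-update, so an upstream regression lands on the edge without review; a pinned tag there is the safer default. The enclosing container attrset starts and ends outside this hunk.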
@@ -196,16 +296,18 @@ image = "lscr.io/linuxserver/freshrss:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/pool/services/secrets/default" - ]; + network = "internal_net"; + environment = { + OIDC_ENABLED="1"; + OIDC_PROVIDER_METADATA_URL="https://authentik.mektem.com/application/o/fresh-rss/.well-known/openid-configuration"; + OIDC_CLIENT_ID="PsqRnVLTezIKL7582E8pnKNFIF0W41kVyMhh4RoG"; + OIDC_CLIENT_SECRET="h1XsvbUcRn33rq7qBBS0GUENEgn6zTJQeHpVPhzcqG4ekdwlCghIn1ALhydYXF1pfS8HaskM3KntHXDTC8a7athLxLzT95Gxr8OpvN9iOY75pUXrNnLJXUrY9o4qKM7m"; + OIDC_X_FORWARDED_HEADERS="X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host"; + OIDC_SCOPES="openid email profile"; + }; volumes = [ "/pool/services/podman/freshrss:/config" ]; - ports = [ - "8555:80" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -217,7 +319,8 @@ image = "ghcr.io/blakeblackshear/frigate:0.17.0"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; + devices = [ "/dev/dri/renderD128:/dev/dri/renderD128" ]; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/frigate" @@ -228,8 +331,6 @@ "/pool/services/cctv:/media/frigate" ]; ports = [ - "5005:5000" - "5001:8971" "1935:1935" "8554:8554" ]; 
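Review bot: `OIDC_CLIENT_SECRET` (and `OIDC_CLIENT_ID`) are written as literal strings in `environment`, which commits the secret to git history and bakes it into the generated quadlet unit in the world-readable Nix store, while every other container in this file keeps credentials in `environmentFile`. Move those two into a `/pool/services/secrets/freshrss` file, keep the non-secret `OIDC_*` settings in `environment`, and rotate the client secret in authentik since this commit has already exposed it. The hunk also drops `environmentFile = [ "/pool/services/secrets/default" ];` for freshrss only, which looks accidental — restoring it as `environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/freshrss" ];` keeps it consistent with the siblings.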
@@ -243,46 +344,46 @@ }; }; - gitea-anubis = { - image = "ghcr.io/techarohq/anubis:latest"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/anubis-default" #WHY DOES THIS NOT WORK???? - "/pool/services/secrets/anubis-nginx" - ]; - environment = { - DIFFICULTY = "4"; - SERVE_ROBOTS_TXT = "true"; - POLICY_FNAME = "/data/cfg/botPolicy.json"; - OG_PASSTHROUGH = "true"; - OG_EXPIRY_TIME = "24h"; - BIND = ":3002"; - METRICS_BIND = ":9090"; - TARGET = "http://192.168.0.30:3001"; - }; - - volumes = [ - "/pool/services/podman/anubis/botPolicy.json:/data/cfg/botPolicy.json:ro" - ]; - ports = [ - "3002:3002" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; +# gitea-anubis = { +# image = "ghcr.io/techarohq/anubis:latest"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/anubis-default" #WHY DOES THIS NOT WORK???? +# "/pool/services/secrets/anubis-nginx" +# ]; +# environment = { +# DIFFICULTY = "4"; +# SERVE_ROBOTS_TXT = "true"; +# POLICY_FNAME = "/data/cfg/botPolicy.json"; +# OG_PASSTHROUGH = "true"; +# OG_EXPIRY_TIME = "24h"; +# BIND = ":3002"; +# METRICS_BIND = ":9090"; +# TARGET = "http://192.168.0.30:3001"; +# }; +# +# volumes = [ +# "/pool/services/podman/anubis/botPolicy.json:/data/cfg/botPolicy.json:ro" +# ]; +# ports = [ +# "3002:3002" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; home-assistant = { image = "ghcr.io/home-assistant/home-assistant:stable"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -290,9 +391,6 @@ "/etc/localtime:/etc/localtime:ro" "/pool/services/podman/homeassistant:/config" ]; - ports = [ - "8123:8123" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
@@ -304,16 +402,13 @@ image = "docker.io/b4bz/homer"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; volumes = [ "/pool/services/podman/homer:/www/assets" ]; - ports = [ - "1000:8080" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -326,7 +421,7 @@ autoStart = true; autoUpdate = "registry"; exec = "server -s /src/mektem.com -D"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -348,7 +443,7 @@ image = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/immich" @@ -368,10 +463,10 @@ }; immich-machine-learning = { - image = "ghcr.io/immich-app/immich-machine-learning:release-cuda"; + image = "ghcr.io/immich-app/immich-machine-learning:release"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/immich" @@ -393,7 +488,7 @@ image = "registry.hub.docker.com/library/redis:6.2-alpine"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/immich" @@ -412,7 +507,7 @@ image = "ghcr.io/immich-app/immich-server:release"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/immich" @@ -421,9 +516,6 @@ "/pool/services/immich:/usr/src/app/upload" "/etc/localtime:/etc/localtime:ro" ]; - ports = [ - "2283:2283" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
@@ -435,7 +527,8 @@ image = "docker.io/jellyfin/jellyfin:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; + devices = [ "/dev/dri/renderD128:/dev/dri/renderD128" ]; environmentFile = [ "/pool/services/secrets/default" ]; @@ -447,9 +540,6 @@ "/pool/media/video/family:/family" "/pool/media/video/livetv:/livetv" ]; - ports = [ - "8096:8096" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -461,16 +551,13 @@ image = "ghcr.io/fallenbagel/jellyseerr"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; volumes = [ "/pool/services/podman/jellyseerr:/app/config" ]; - ports = [ - "5055:5055" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
@@ -478,52 +565,52 @@ }; }; - joplin = { - image = "docker.io/joplin/server:latest"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/joplin" - ]; - ports = [ - "22300:22300" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; - - joplin-db = { - image = "docker.io/postgres:15"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/joplin" - ]; - volumes = [ - "/pool/services/podman/joplin-db:/var/lib/postgresql/data" - ]; - ports = [ - "5432:5432" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; +# joplin = { +# image = "docker.io/joplin/server:latest"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/joplin" +# ]; +# ports = [ +# "22300:22300" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; +# +# joplin-db = { +# image = "docker.io/postgres:15"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/joplin" +# ]; +# volumes = [ +# "/pool/services/podman/joplin-db:/var/lib/postgresql/data" +# ]; +# ports = [ +# "5432:5432" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; kiwix = { image = "ghcr.io/kiwix/kiwix-serve:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; exec = "*.zim"; environmentFile = [ "/pool/services/secrets/default" @@ -531,9 +618,6 @@ volumes = [ "/pool/media/kiwix:/data" ]; - ports = [ - "8088:8080" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
@@ -545,7 +629,7 @@ image = "lscr.io/linuxserver/lazylibrarian:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -554,9 +638,6 @@ "/pool/media/torrents:/downloads" "/pool/media/books:/books" ]; - ports = [ - "5299:5299" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -568,7 +649,7 @@ image = "lscr.io/linuxserver/lidarr:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -577,9 +658,6 @@ "/pool/media/audio/music/flac:/music" "/pool/media/torrents:/downloads" ]; - ports = [ - "8686:8686" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -591,7 +669,7 @@ # image = "ghcr.io/linuxserver/mastodon:amd64-latest"; # autoStart = true; # autoUpdate = "registry"; -# network = "bridge"; +# network = "internal_net"; # environmentFile = [ # "/pool/services/secrets/default" # "/pool/services/secrets/mastodon" @@ -615,7 +693,7 @@ # image = "docker.io/postgres:16-alpine"; # autoStart = true; # autoUpdate = "registry"; -# network = "bridge"; +# network = "internal_net"; # environmentFile = [ # "/pool/services/secrets/default" # "/pool/services/secrets/mastodon-db" @@ -637,7 +715,7 @@ # image = "registry.hub.docker.com/library/redis:6.2-alpine"; # autoStart = true; # autoUpdate = "registry"; -# network = "bridge"; +# network = "internal_net"; # environmentFile = [ # "/pool/services/secrets/default" # ]; @@ -656,7 +734,7 @@ image = "ghcr.io/alexta69/metube:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -712,7 +790,7 @@ # image = "docker.io/jc21/nginx-proxy-manager:2.9.22"; # autoStart = true; # autoUpdate = "registry"; - # network = "bridge"; + # network = "internal_net"; # environmentFile = [ # "/pool/services/secrets/default" # ]; 
@@ -736,7 +814,7 @@ image = "docker.io/cturra/ntp"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -754,7 +832,7 @@ image = "docker.io/oleduc/docker-obsidian-livesync-couchdb"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/obsidian-livesync" @@ -776,7 +854,7 @@ image = "docker.io/ollama/ollama:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/ollama" @@ -784,9 +862,6 @@ volumes = [ "/pool/services/podman/ollama:/root/.ollama" ]; - ports = [ - "11434:11434" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -798,7 +873,7 @@ image = "ghcr.io/open-webui/open-webui:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/open-webui" @@ -806,9 +881,6 @@ volumes = [ "/pool/services/podman/open-webui:/app/backend/data" ]; - ports = [ - "3000:8080" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -820,7 +892,7 @@ image = "ghcr.io/paperless-ngx/paperless-ngx:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/paperless-ngx" @@ -831,9 +903,6 @@ "/pool/services/podman/paperless-ngx/export:/usr/src/paperless/export" "/pool/data/scans:/usr/src/paperless/consume" ]; - ports = [ - "8010:8000" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
@@ -845,13 +914,10 @@ image = "registry.hub.docker.com/library/redis:6.2-alpine"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; - ports = [ - "6380:6379" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -863,16 +929,13 @@ image = "lscr.io/linuxserver/prowlarr:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; volumes = [ "/pool/services/podman/prowlarr:/config" ]; - ports = [ - "9696:9696" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -884,7 +947,7 @@ image = "lscr.io/linuxserver/radarr:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -893,9 +956,6 @@ "/pool/media/video/movies:/movies" "/pool/media/torrents:/downloads" ]; - ports = [ - "7878:7878" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -907,7 +967,7 @@ image = "docker.io/rommapp/romm:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/romm" @@ -919,9 +979,6 @@ "/pool/services/podman/romm/config:/romm/config" "/pool/media/romm:/romm/library" ]; - ports = [ - "8011:8080" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -933,7 +990,7 @@ image = "docker.io/mariadb:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/romm" @@ -941,9 +998,6 @@ volumes = [ "/pool/services/podman/romm/db:/var/lib/mysql" ]; - ports = [ - "3306:3306" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
@@ -954,7 +1008,7 @@ # image = "docker.io/itzg/minecraft-server:java8"; # autoStart = true; # autoUpdate = "registry"; -# network = "bridge"; +# network = "internal_net"; # environmentFile = [ # "/pool/services/secrets/default" # "/pool/services/secrets/rlcraft" @@ -976,7 +1030,7 @@ image = "docker.io/crazymax/rtorrent-rutorrent:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -986,8 +1040,6 @@ "/pool/media/torrents:/downloads" ]; ports = [ - "8888:8080" - "5000:8000" "50000:50000" ]; extraConfig = { @@ -1001,16 +1053,13 @@ image = "docker.io/searxng/searxng:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; volumes = [ "/pool/services/podman/searxng:/etc/searxng" ]; - ports = [ - "8880:8080" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -1022,7 +1071,7 @@ image = "lscr.io/linuxserver/sonarr:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; @@ -1031,9 +1080,6 @@ "/pool/media/video/tv:/tv" "/pool/media/torrents:/downloads" ]; - ports = [ - "8989:8989" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
@@ -1042,64 +1088,81 @@ }; - tandoor = { - image = "docker.io/vabene1111/recipes"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/tandoor" - ]; - volumes = [ - "/pool/services/podman/tandoor/staticfiles:/opt/recipes/staticfiles" - "/pool/services/podman/tandoor/mediafiles:/opt/recipes/mediafiles" - ]; - ports = [ - "9092:80" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; +# tandoor = { +# image = "docker.io/vabene1111/recipes"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/tandoor" +# ]; +# volumes = [ +# "/pool/services/podman/tandoor/staticfiles:/opt/recipes/staticfiles" +# "/pool/services/podman/tandoor/mediafiles:/opt/recipes/mediafiles" +# ]; +# ports = [ +# "9092:80" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; +# +# tandoor-db = { +# image = "docker.io/postgres:16-alpine"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/tandoor" +# ]; +# volumes = [ +# "/pool/services/podman/tandoor/db:/var/lib/postgresql/data" +# ]; +# ports = [ +# "5434:5432" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; - tandoor-db = { - image = "docker.io/postgres:16-alpine"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/tandoor" - ]; - volumes = [ - "/pool/services/podman/tandoor/db:/var/lib/postgresql/data" - ]; - ports = [ - "5434:5432" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; thelounge = { image = "lscr.io/linuxserver/thelounge:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + 
network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; volumes = [ "/pool/services/podman/thelounge:/config" ]; - ports = [ - "9000:9000" + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + + tinyauth = { + image = "ghcr.io/steveiliop56/tinyauth:v5"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/tinyauth" + ]; + volumes = [ + "/pool/services/podman/tinyauth/:/data" ]; extraConfig = { Service = { @@ -1112,7 +1175,7 @@ image = "docker.io/bbilly1/tubearchivist"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/tubearchivist" @@ -1121,9 +1184,6 @@ "/pool/media/video/youtube:/youtube" "/pool/services/podman/tubearchivist/cache:/cache" ]; - ports = [ - "8005:8000" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -1135,16 +1195,13 @@ image = "docker.io/redis"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; volumes = [ "/pool/services/podman/tubearchivist/redis:/data" ]; - ports = [ - "6381:6379" - ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -1156,7 +1213,7 @@ image = "docker.io/bbilly1/tubearchivist-es"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/tubearchivist-es" @@ -1164,9 +1221,6 @@ volumes = [ "/pool/services/podman/tubearchivist/es:/usr/share/elasticsearch/data" ]; - ports = [ - "9200:9200" - ]; extraConfig = { Service = { TimeoutStartSec = 900; 
@@ -1178,15 +1232,31 @@ image = "docker.io/louislam/uptime-kuma"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" ]; volumes = [ "/pool/services/podman/uptime-kuma:/app/data" ]; - ports = [ - "3005:3001" + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + + vaultwarden = { + image = "docker.io/vaultwarden/server:latest"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/vaultwarden" + ]; + volumes = [ + "/pool/services/podman/vaultwarden:/data" ]; extraConfig = { Service = { @@ -1199,7 +1269,7 @@ image = "docker.io/bytemark/webdav:latest"; autoStart = true; autoUpdate = "registry"; - network = "bridge"; + network = "internal_net"; environmentFile = [ "/pool/services/secrets/default" "/pool/services/secrets/webdav" @@ -1218,27 +1288,27 @@ }; - zigbee2mqtt = { - image = "docker.io/koenkk/zigbee2mqtt"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - devices = [ "/dev/ttyACM0:/dev/ttyACM0" ]; - environmentFile = [ - "/pool/services/secrets/default" - ]; - volumes = [ - "/pool/services/podman/zigbee2mqtt:/app/data" - ]; - ports = [ - "8808:8080" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; +# zigbee2mqtt = { +# image = "docker.io/koenkk/zigbee2mqtt"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# devices = [ "/dev/ttyACM0:/dev/ttyACM0" ]; +# environmentFile = [ +# "/pool/services/secrets/default" +# ]; +# volumes = [ +# "/pool/services/podman/zigbee2mqtt:/app/data" +# ]; +# ports = [ +# "8808:8080" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; }; diff --git a/hosts/server/hardware.nix b/hosts/server/hardware.nix index 59c716a..b4858ac 100644 --- a/hosts/server/hardware.nix +++ b/hosts/server/hardware.nix 
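Review bot: `vaultwarden` is re-added with `autoUpdate = "registry"` on `docker.io/vaultwarden/server:latest`, whereas the definition this commit removes from hosts/server/settings.nix had `#autoUpdate = "registry";` commented out; unattended `latest` pulls on the password vault can apply schema migrations with no rollback path. Pin a release tag (`image = "docker.io/vaultwarden/server:<pinned-tag>";`) or keep auto-update off as before, and note that the restic job elsewhere in this commit is the only rollback for `/pool/services/podman/vaultwarden`. The old definition's fixed `--ip=192.168.50.37` is gone, so any DNS record or firewall rule pointing at that address (not visible here) must now target `caddy-local`.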
@@ -5,21 +5,27 @@ { imports = - [ (modulesPath + "/profiles/qemu-guest.nix") + [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "mpt3sas" "xhci_pci" "sd_mod" "sr_mod" "virtio_blk" ]; + boot.initrd.availableKernelModules = [ "mpt3sas" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; + boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/54d867b3-a9cf-42cd-bc1a-56fbd758ecc4"; + { device = "/dev/disk/by-uuid/b9cc7972-36ae-4cb4-a6f4-e342eaca679e"; fsType = "ext4"; }; + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/542D-865C"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + swapDevices = - [ { device = "/dev/disk/by-uuid/b5e77330-ad8c-4c5b-99fc-aedfb6e0b145"; } + [ { device = "/dev/disk/by-uuid/1032bbd9-0124-419f-a696-a977755aaf17"; } ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking @@ -27,7 +33,8 @@ # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true; + # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/server/settings.nix b/hosts/server/settings.nix index dc8f5d6..a61c0fb 100644 --- a/hosts/server/settings.nix +++ b/hosts/server/settings.nix 
@@ -11,10 +11,8 @@ age.identityPaths = [ "${config.users.users.admin.home}/.ssh/id_ed25519" ]; - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/vda"; - boot.loader.grub.useOSProber = true; - + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; #boot.loader.limine.biosDevice = "/dev/vda"; #boot.loader.efi.efiSysMountPoint = "/boot"; @@ -43,7 +41,7 @@ systemd.services.podman-network-vlan50 = { vlans = { vlan50 = { id = 50; - interface = "ens18"; + interface = "enp7s0"; }; }; hostName = "nixos-server"; @@ -57,7 +55,7 @@ systemd.services.podman-network-vlan50 = { } ]; }; - interfaces.ens18 = { + interfaces.enp7s0 = { ipv4.addresses = [ { address = "192.168.0.30"; @@ -85,6 +83,16 @@ systemd.services.podman-network-vlan50 = { # nvidia-container-toolkit.enable = true; # }; + hardware.graphics = { + enable = true; + enable32Bit = true; # only needed if you run 32-bit apps + extraPackages = with pkgs; [ + mesa.drivers + libva + libva-utils # provides vainfo + ]; + }; + boot.kernel.sysctl = { "net.ipv4.ip_unprivileged_port_start" = 0; "net.ipv4.conf.all.src_valid_mark" = 1; 
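Review bot: `hardware.graphics.extraPackages` lists `mesa.drivers`, an attribute that appears to have been removed in recent nixpkgs channels because `hardware.graphics.enable = true` already installs Mesa; depending on the channel this host follows (stateVersion 24.11 is visible) the line is either redundant or an evaluation error, so verify and likely drop it, leaving `extraPackages = with pkgs; [ libva libva-utils ];`. The bootloader hunk above keeps the stale `#boot.loader.limine.biosDevice = "/dev/vda";` comments from the VM era even though the disk is no longer `/dev/vda`; removing them avoids confusing the next reader.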
@@ -105,28 +113,28 @@ systemd.services.podman-network-vlan50 = { }; }; - # services.restic.backups.backup = { - # initialize = true; - # environmentFile = config.age.secrets."restic/environmentFile".path; - # repositoryFile = config.age.secrets."restic/repositoryFile".path; - # passwordFile = config.age.secrets."restic/passwordFile".path; -# - # paths = [ - # "/pool/services" - # "/pool/data" - # ]; -# - # exclude = [ - # "/pool/services/cctv" - # ]; -# - # pruneOpts = [ - # "--keep-daily 7" - # "--keep-weekly 5" - # "--keep-monthly 12" - # ]; -# - # }; + services.restic.backups.backup = { + initialize = true; + environmentFile = "/pool/services/secrets/restic/environmentFile"; + repositoryFile = "/pool/services/secrets/restic/repositoryFile"; + passwordFile = "/pool/services/secrets/restic/passwordFile"; + + paths = [ + "/pool/services" + "/pool/data" + ]; + + exclude = [ + "/pool/services/cctv" + ]; + + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + ]; + + }; # systemd.timers."prune-podman" = { # wantedBy = [ "timers.target" ]; @@ -158,10 +166,8 @@ systemd.services.podman-network-vlan50 = { services.zfs.autoScrub = { enable = true; - interval = "weekly"; }; services.zfs.autoSnapshot.enable = true; - services.zfs.trim.enable = true; services.smartd = { enable = true; 
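Review bot: `paths` backs up `/pool/services`, which per this same diff contains `/pool/services/secrets` — every container's credential file and the restic `passwordFile`/`environmentFile` themselves — so the repository holds the credentials that unlock it and anyone with read access to the repo gets every service secret. If that is not intended, add `"/pool/services/secrets"` to `exclude`; if it is, a comment saying so helps the next reader. The three `*File` options also switch from agenix (`config.age.secrets.…path`) to plain files while `age.identityPaths` at the top of the hunk still configures agenix, so the restic credentials lose encryption at rest; plausible for a bootstrap host, but worth a comment.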
@@ -172,16 +178,53 @@ systemd.services.podman-network-vlan50 = { #devices = [ "DEVICESCAN -a" ]; # autodetect all drives }; + + programs.msmtp = { + enable = true; + accounts.default = { + auth = true; + tls = true; + host = "smtp.protonmail.ch"; + port = 587; + from = "faris@mektem.com"; + user = "faris@mektem.com"; + passwordeval = "cat /pool/services/secrets/mail.txt"; + }; + }; + environment.etc."zfs/zed-notify.sh" = { + mode = "0755"; + text = '' + #!/bin/sh + # ZED calls: ZED_EMAIL_PROG "subject" "recipient" + SUBJECT="$1" + TO="$2" + (echo "Subject: $SUBJECT"; echo "To: $TO"; echo ""; cat) | \ + ${pkgs.msmtp}/bin/msmtp "$TO" + ''; + }; + + services.zfs.zed = { + enableMail = true; + settings = { + ZED_EMAIL_ADDR = [ "faris@mektem.com" ]; + ZED_EMAIL_PROG = "/etc/zfs/zed-notify.sh"; # Or ssmtp + ZED_EMAIL_OPTS = ""; + ZED_NOTIFY_INTERVAL_SECS = 3600; + ZED_NOTIFY_VERBOSE = true; # Set to false to only get alerts on degradation + }; + }; + services.samba = { enable = true; openFirewall = true; settings = { global = { + "server min protocol" = "SMB2_10"; "workgroup" = "WORKGROUP"; "server string" = "smbnix"; "netbios name" = "smbnix"; "security" = "user"; - "hosts allow" = "192.168.0. 127.0.0.1 localhost"; + "hosts allow" = "192.168.0. 192.168.30. 192.168.40.10 127.0.0.1 localhost"; "hosts deny" = "0.0.0.0/0"; "guest account" = "nobody"; "map to guest" = "never"; @@ -368,28 +411,6 @@ systemd.services.podman-network-vlan50 = { # }; }; - vaultwarden = { - image = "docker.io/vaultwarden/server:latest"; - autoStart = true; - #autoUpdate = "registry"; - networks = [ "vlan50" ]; - environmentFiles = [ - "/pool/services/secrets/default" - "/pool/services/secrets/vaultwarden" - ]; - volumes = [ - "/pool/services/podman/vaultwarden:/data/" - ]; - extraOptions = [ - "--ip=192.168.50.37" - ]; - # extraConfig = { - # Service = { - # TimeoutStartSec = 900; - # }; - # }; - }; - }; system.stateVersion = "24.11";
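Review bot: `passwordeval = "cat /pool/services/secrets/mail.txt"` reads the SMTP password from a plain file whose owner and mode this commit never declares, so the credential is protected only by whatever permissions happen to exist on the pool. Declare them, e.g. a `systemd.tmpfiles.rules` entry `"z /pool/services/secrets/mail.txt 0600 root root -"`, or keep it under agenix, which `age.identityPaths` in this file already sets up. The `zed-notify.sh` script quotes `$SUBJECT` and `$TO` and passes the recipient as an argument to `msmtp`, which is correct; the `# Or ssmtp` remark on `ZED_EMAIL_PROG` is stale now that the script is fixed and can go. Samba `hosts allow` gains `192.168.30.` and `192.168.40.10` alongside the new `server min protocol = SMB2_10`; a short comment naming which VLAN and host those are would make the next audit easier.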