From f0d548f84ca0dd390924a7397ec639c8a6f7b4c0 Mon Sep 17 00:00:00 2001 From: Faris Date: Tue, 28 Apr 2026 01:07:26 +0100 Subject: [PATCH] Add/remove server containers --- home/podman.nix | 368 ++++++++++++++++++++++++++++++-------- hosts/server/settings.nix | 100 +++-------- 2 files changed, 315 insertions(+), 153 deletions(-) diff --git a/home/podman.nix b/home/podman.nix index 3ea7687..0e3415e 100644 --- a/home/podman.nix +++ b/home/podman.nix @@ -6,6 +6,30 @@ }: { + +systemd.user.services.podman-prune = { + Unit = { + Description = "Prune unused Podman resources for admin user"; + }; + Service = { + Type = "oneshot"; + ExecStart = "${pkgs.podman}/bin/podman system prune -f --all"; + }; +}; + +systemd.user.timers.podman-prune = { + Unit = { + Description = "Weekly Podman prune timer"; + }; + Timer = { + OnCalendar = "weekly"; + Persistent = true; + }; + Install = { + WantedBy = [ "timers.target" ]; + }; +}; + services.podman.networks = { internal_net = { driver = "bridge"; @@ -57,6 +81,50 @@ }; }; +# akaunting = { +# image = "docker.io/akaunting/akaunting:latest"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/akaunting" +# ]; +# volumes = [ +# "/pool/services/podman/akaunting/data:/var/www/html/akaunting" +# ]; +# ports = [ +# "8003:80" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; +# +# akaunting-db = { +# image = "docker.io/mariadb:latest"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/akaunting" +# ]; +# volumes = [ +# "/pool/services/podman/akaunting/db:/var/lib/mysql" +# ]; +# ports = [ +# "3307:3306" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; + archivebox = { image = "docker.io/archivebox/archivebox:latest"; autoStart = true; 
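Review bot: The weekly `podman system prune -f --all` added at the top of this hunk deletes stopped containers and every image not referenced by a running container, so any quadlet service that is stopped or failed at the moment the timer fires loses its image and only comes back after a successful re-pull (named volumes are untouched, since `--volumes` is not passed). That scope is worth recording above `ExecStart`, e.g. `# Weekly: drops stopped containers, unused networks and ALL unused images; keeps volumes (no --volumes)`, and `podman image prune --filter until=...` is the less aggressive alternative if images of temporarily stopped services should survive. The two new `systemd.user.*` attributes are written at column 0 while the surrounding attributes (`services.podman.networks`) are indented two spaces. The commented-out `akaunting`/`akaunting-db` definitions further down — like the `joplin`, `mastodon` and `nginx-proxy-manager` blocks in later hunks of this file and the nvidia block in hosts/server/settings.nix — are dead configuration kept as comments; git history already preserves them, and gating them with `lib.optionalAttrs` behind a flag is clearer if they are meant to be re-enabled.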
@@ -94,75 +162,6 @@ }; }; }; - - authentik-server = { - image = "ghcr.io/goauthentik/server:2026.2.1"; - autoStart = true; - autoUpdate = "registry"; - network = "internal_net"; - exec = "server"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/authentik" - ]; - volumes = [ - "/pool/services/podman/authentik/data:/data" - "/pool/services/podman/authentik/certs:/certs" - "/pool/services/podman/authentik/templates:/templates" - ]; - extraPodmanArgs = [ - "--shm-size=256m" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; - - authentik-postgresql = { - image = "docker.io/postgres:16-alpine"; - autoStart = true; - autoUpdate = "registry"; - network = "internal_net"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/authentik" - ]; - volumes = [ - "/pool/services/podman/authentik/db:/var/lib/postgresql/data" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; - - authentik-worker = { - image = "ghcr.io/goauthentik/server:2026.2.1"; - autoStart = true; - autoUpdate = "registry"; - network = "internal_net"; - exec = "worker"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/authentik" - ]; - volumes = [ - "/pool/services/podman/authentik/data:/data" - "/pool/services/podman/authentik/certs:/certs" - "/pool/services/podman/authentik/templates:/templates" - ]; - extraPodmanArgs = [ - "--shm-size=256m" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; caddy-local = { image = "ghcr.io/caddybuilds/caddy-cloudflare:latest"; autoStart = true; 
@@ -188,6 +187,25 @@ }; }; + cleanuparr = { + image = "ghcr.io/cleanuparr/cleanuparr:latest"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + environmentFile = [ + "/pool/services/secrets/default" + ]; + volumes = [ + "/pool/services/podman/cleanuparr:/config" + "/pool/media/torrents:/downloads" + ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + bazarr = { image = "lscr.io/linuxserver/bazarr:latest"; autoStart = true; @@ -253,10 +271,14 @@ autoStart = true; autoUpdate = "registry"; network = "internal_net"; - environmentFile = [ - "/pool/services/secrets/default" - "/pool/services/secrets/freshrss" - ]; + environment = { + OIDC_ENABLED="1"; + OIDC_PROVIDER_METADATA_URL="https://authentik.mektem.com/application/o/fresh-rss/.well-known/openid-configuration"; + OIDC_CLIENT_ID="PsqRnVLTezIKL7582E8pnKNFIF0W41kVyMhh4RoG"; + OIDC_CLIENT_SECRET="h1XsvbUcRn33rq7qBBS0GUENEgn6zTJQeHpVPhzcqG4ekdwlCghIn1ALhydYXF1pfS8HaskM3KntHXDTC8a7athLxLzT95Gxr8OpvN9iOY75pUXrNnLJXUrY9o4qKM7m"; + OIDC_X_FORWARDED_HEADERS="X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host"; + OIDC_SCOPES="openid email profile"; + }; volumes = [ "/pool/services/podman/freshrss:/config" ]; @@ -403,6 +425,9 @@ volumes = [ "/pool/services/podman/immich/db:/var/lib/postgresql/data:z" ]; + ports = [ + "5433:5432" + ]; userNS = "keep-id"; extraConfig = { Service = { @@ -423,6 +448,9 @@ volumes = [ "/pool/services/podman/immich/cache:/cache" ]; + ports = [ + "3003:3003" + ]; extraConfig = { Service = { TimeoutStartSec = 900; @@ -439,6 +467,9 @@ "/pool/services/secrets/default" "/pool/services/secrets/immich" ]; + ports = [ + "6379:6379" + ]; extraConfig = { Service = { TimeoutStartSec = 900; 
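Review bot: The `environment =` block that replaces `environmentFile` for freshrss puts the OIDC client id and client secret as literal strings in the Nix expression, so the secret is now in git history and, after evaluation, in the world-readable Nix store and the generated quadlet unit; the previous `/pool/services/secrets/freshrss` env file kept it out of both. Keep `OIDC_CLIENT_SECRET` (and preferably the client id) in that environment file, leave only the non-sensitive keys in `environment`, and treat the committed value as exposed — rotate it in the identity provider. This same commit removes the authentik containers from this file while `OIDC_PROVIDER_METADATA_URL` still points at authentik.mektem.com, so FreshRSS login now depends on an authentik instance not visible in this diff; a comment above the block saying where it runs would help. Style: the new keys are written `OIDC_ENABLED="1"` without the spaces around `=` used everywhere else in the file.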
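Review bot: The `ports` entries added in the three immich hunks — `5433:5432` on immich-db, `3003:3003` on the container with the `/cache` volume, and `6379:6379` on immich-redis — publish the database, ML and Redis endpoints on every host interface, although these containers already share `internal_net` and reach each other by container name without any published port. Unless the immich secrets file sets a Redis password (not visible here) Redis answers unauthenticated, and the Postgres volume holds all immich metadata, so these entries should be removed, or bound to loopback if host-side access is genuinely needed, e.g. `"127.0.0.1:5433:5432"`. If no host firewall rule covers these ports (also not visible in the diff), they are reachable from the LAN as soon as the containers start.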
@@ -508,6 +539,47 @@ }; }; +# joplin = { +# image = "docker.io/joplin/server:latest"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/joplin" +# ]; +# ports = [ +# "22300:22300" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; +# +# joplin-db = { +# image = "docker.io/postgres:15"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/joplin" +# ]; +# volumes = [ +# "/pool/services/podman/joplin-db:/var/lib/postgresql/data" +# ]; +# ports = [ +# "5432:5432" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; + kiwix = { image = "ghcr.io/kiwix/kiwix-serve:latest"; autoStart = true; 
@@ -567,6 +639,71 @@ }; }; +# mastodon = { +# image = "ghcr.io/linuxserver/mastodon:amd64-latest"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/mastodon" +# ]; +# volumes = [ +# "/pool/services/podman/mastodon/config:/config" +# ]; +# ports = [ +# "808:80" +# "8449:443" +# "3009:3000" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; +# +# mastodon-db = { +# image = "docker.io/postgres:16-alpine"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# "/pool/services/secrets/mastodon-db" +# ]; +# volumes = [ +# "/pool/services/podman/mastodon/db:/var/lib/postgresql/data" +# ]; +# ports = [ +# "5435:5432" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; +# +# mastodon-redis = { +# image = "registry.hub.docker.com/library/redis:6.2-alpine"; +# autoStart = true; +# autoUpdate = "registry"; +# network = "internal_net"; +# environmentFile = [ +# "/pool/services/secrets/default" +# ]; +# ports = [ +# "6382:6379" +# ]; +# extraConfig = { +# Service = { +# TimeoutStartSec = 900; +# }; +# }; +# }; + + metube = { image = "ghcr.io/alexta69/metube:latest"; autoStart = true; 
@@ -623,6 +760,88 @@ # }; # }; + #nginx-proxy-manager = { + # image = "docker.io/jc21/nginx-proxy-manager:2.9.22"; + # autoStart = true; + # autoUpdate = "registry"; + # network = "internal_net"; + # environmentFile = [ + # "/pool/services/secrets/default" + # ]; + # volumes = [ + # "/pool/services/podman/nginx-proxy-manager:/data" + # "/pool/services/podman/letsencrypt:/etc/letsencrypt" + # ]; + # ports = [ + # "80:80" + # "443:443" + # "81:81" + # ]; + # extraConfig = { + # Service = { + # TimeoutStartSec = 900; + # }; + # }; + #}; + + nextcloud = { + image = "docker.io/nextcloud"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/nextcloud" + ]; + volumes = [ + "/pool/services/podman/nextcloud/app:/var/www/html" + ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + + nextcloud-db = { + image = "docker.io/mariadb:10.6"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + exec = "--transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/nextcloud" + ]; + volumes = [ + "/pool/services/podman/nextcloud/db:/var/lib/mysql" + ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + + ntfy = { + image = "docker.io/binwiederhier/ntfy"; + autoStart = true; + autoUpdate = "registry"; + network = "internal_net"; + exec = "serve"; + environmentFile = [ + "/pool/services/secrets/default" + "/pool/services/secrets/ntfy" + ]; + volumes = [ + "/pool/services/podman/ntfy:/var/lib/ntfy" + ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; ntp = { image = "docker.io/cturra/ntp"; autoStart = true; @@ -631,6 +850,9 @@ environmentFile = [ "/pool/services/secrets/default" ]; + ports = [ + "123:123/udp" + ]; extraConfig = { Service = { TimeoutStartSec = 900; 
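Review bot: `nextcloud` and `ntfy` are added with untagged images (`docker.io/nextcloud`, `docker.io/binwiederhier/ntfy`) together with `autoUpdate = "registry"`, so both track `latest` and can change major version unattended; Nextcloud's updater only supports stepping one major version at a time, so a skipped major from an automatic pull can leave the instance unable to start. Pin them the way `nextcloud-db` pins `mariadb:10.6`, e.g. `image = "docker.io/nextcloud:<MAJOR>";` (placeholder), or drop `autoUpdate` for these two. ntfy also moves here from hosts/server/settings.nix, where it sat on `vlan50` with a fixed IP, to `internal_net` with no `ports`, so it is reachable only through whatever reverse proxy serves ntfy.mektem.com; since the ZED notifier in settings.nix now depends on that path, a comment above the block naming the proxy would save the next reader a search.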
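Review bot: Publishing `123:123/udp` from a rootless container (this file configures `systemd.user` units) requires the host to allow unprivileged binding below port 1024 (`net.ipv4.ip_unprivileged_port_start`), which nothing in this diff sets, so the ntp unit will most likely fail at start with a bind error; and if the host runs its own NTP daemon on 123/udp the two collide. Either lower that sysctl in hosts/server/settings.nix or publish a high port and redirect, and record the choice above `ports`, e.g. `# 123/udp is privileged: needs ip_unprivileged_port_start <= 123 on the host`.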
diff --git a/hosts/server/settings.nix b/hosts/server/settings.nix index adbc7f9..eaa5662 100644 --- a/hosts/server/settings.nix +++ b/hosts/server/settings.nix @@ -59,6 +59,21 @@ systemd.services.podman-network-vlan50 = { }; users.users.admin.linger = true; + #services.xserver.videoDrivers = [ "nvidia" ]; + + # hardware = { + # graphics.enable = true; + # nvidia = { + # modesetting.enable = true; + # powerManagement.enable = true; + # powerManagement.finegrained = false; + # open = false; + # nvidiaSettings = false; + # package = config.boot.kernelPackages.nvidiaPackages.stable; + # }; + # nvidia-container-toolkit.enable = true; + # }; + hardware.graphics = { enable = true; enable32Bit = true; # only needed if you run 32-bit apps @@ -138,6 +153,7 @@ systemd.services.podman-network-vlan50 = { boot.supportedFilesystems = [ "zfs" ]; boot.zfs.forceImportRoot = false; boot.zfs.extraPools = [ "pool" ]; + #environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path; services.zfs.autoScrub = { enable = true; 
@@ -146,45 +162,15 @@ systemd.services.podman-network-vlan50 = { services.smartd = { enable = true; - notifications = { - mail.enable = true; - mail.recipient = "faris@mektem.com"; - }; #devices = [ "DEVICESCAN -a" ]; # autodetect all drives }; - - programs.msmtp = { - enable = true; - accounts.default = { - auth = true; - tls = true; - host = "smtp.protonmail.ch"; - port = 587; - from = "faris@mektem.com"; - user = "faris@mektem.com"; - passwordeval = "cat /pool/services/secrets/mail.txt"; - }; - }; - environment.etc."zfs/zed-notify.sh" = { - mode = "0755"; - text = '' - #!/bin/sh - # ZED calls: ZED_EMAIL_PROG "subject" "recipient" - SUBJECT="$1" - TO="$2" - (echo "Subject: $SUBJECT"; echo "To: $TO"; echo ""; cat) | \ - ${pkgs.msmtp}/bin/msmtp "$TO" - ''; - }; - services.zfs.zed = { - enableMail = true; settings = { - ZED_EMAIL_ADDR = [ "faris@mektem.com" ]; - ZED_EMAIL_PROG = "/etc/zfs/zed-notify.sh"; # Or ssmtp - ZED_EMAIL_OPTS = ""; - ZED_NOTIFY_INTERVAL_SECS = 3600; + ZED_NTFY_URL="https://ntfy.mektem.com"; + ZED_NTFY_TOPIC="zfs"; + ZED_NTFY_ACCESS_TOKEN="tk_gtjia7itxhg1qik7j58wkgey2parr"; + ZED_NOTIFY_INTERVAL_SECS = 1; ZED_NOTIFY_VERBOSE = true; # Set to false to only get alerts on degradation }; }; @@ -274,29 +260,6 @@ systemd.services.podman-network-vlan50 = { # }; }; - # headscale = { - # image = "docker.io/headscale/headscale:stable"; - # autoStart = true; - # #utoUpdate = "registry"; - # networks = [ "vlan50" ]; - # cmd = [ "serve" ]; - # environmentFiles = [ - # "/pool/services/secrets/default" - # ]; - # volumes = [ - # "/pool/services/podman/headscale/config:/etc/headscale:ro" - # "/pool/services/podman/headscale/lib:/var/lib/headscale" - # ]; - # extraOptions = [ - # "--ip=192.168.50.38" - # ]; - # #extraConfig = { - # # Service = { - # # TimeoutStartSec = 900; - # # }; - # ##}; - # }; - matrix = { image = "ghcr.io/element-hq/synapse"; autoStart = true; 
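Review bot: `ZED_NTFY_ACCESS_TOKEN` is set to a literal token in settings.nix, which commits it to the repository and evaluates it into the Nix store and the generated zed.rc; the value is now in history and should be rotated, and kept in a secrets file (the commented `config.age.secrets` line in the previous hunk suggests such a mechanism exists) rather than in the expression. The same hunk removes the msmtp/smartd mail path without giving `services.smartd` a replacement notifier, so SMART failures no longer reach mail or ntfy, only whatever the module defaults to. `ZED_NOTIFY_INTERVAL_SECS = 1` (down from 3600) effectively disables ZED's throttling of repeated similar events, which turns a flapping device or a scrub with many errors into a burst of notifications; a comment explaining why 1 was chosen, or a value in minutes, would help. Minor: the three new `ZED_NTFY_*` keys omit the spaces around `=` used by the neighbouring keys.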
@@ -342,29 +305,6 @@ systemd.services.podman-network-vlan50 = { # }; }; - ntfy = { - image = "docker.io/binwiederhier/ntfy"; - autoStart = true; - #autoUpdate = "registry"; - networks = [ "vlan50" ]; - cmd = [ "serve" ]; - environmentFiles = [ - "/pool/services/secrets/default" - "/pool/services/secrets/ntfy" - ]; - volumes = [ - "/pool/services/podman/ntfy:/var/lib/ntfy" - ]; - extraOptions = [ - "--ip=192.168.50.35" - ]; - # extraConfig = { - # Service = { - # TimeoutStartSec = 900; - # }; - # }; - }; - privatebin = { image = "docker.io/privatebin/nginx-fpm-alpine:latest"; autoStart = true;