Add/remove server containers

home/podman.nix

@@ -6,6 +6,30 @@
 }:
 
 {
+
+systemd.user.services.podman-prune = {
+  Unit = {
+    Description = "Prune unused Podman resources for admin user";
+  };
+  Service = {
+    Type = "oneshot";
+    ExecStart = "${pkgs.podman}/bin/podman system prune -f --all";
+  };
+};
+
+systemd.user.timers.podman-prune = {
+  Unit = {
+    Description = "Weekly Podman prune timer";
+  };
+  Timer = {
+    OnCalendar = "weekly";
+    Persistent = true;
+  };
+  Install = {
+    WantedBy = [ "timers.target" ];
+  };
+};
+
   services.podman.networks = {
     internal_net = {
       driver = "bridge";
@@ -57,6 +81,50 @@
       };
     };
 
+#    akaunting = {
+#      image = "docker.io/akaunting/akaunting:latest";
+#      autoStart = true;
+#      autoUpdate = "registry";
+#      network = "internal_net";
+#      environmentFile = [
+#        "/pool/services/secrets/default"
+#        "/pool/services/secrets/akaunting"
+#      ];
+#      volumes = [
+#        "/pool/services/podman/akaunting/data:/var/www/html/akaunting"
+#      ];
+#      ports = [
+#        "8003:80"
+#      ];
+#      extraConfig = {
+#        Service = {
+#          TimeoutStartSec = 900;
+#        };
+#      };
+#    };
+#
+#    akaunting-db = {
+#      image = "docker.io/mariadb:latest";
+#      autoStart = true;
+#      autoUpdate = "registry";
+#      network = "internal_net";
+#      environmentFile = [
+#        "/pool/services/secrets/default"
+#        "/pool/services/secrets/akaunting"
+#      ];
+#      volumes = [
+#        "/pool/services/podman/akaunting/db:/var/lib/mysql"
+#      ];
+#      ports = [
+#        "3307:3306"
+#      ];
+#      extraConfig = {
+#        Service = {
+#          TimeoutStartSec = 900;
+#        };
+#      };
+#    };
+
     archivebox = {
       image = "docker.io/archivebox/archivebox:latest";
       autoStart = true;
@@ -94,75 +162,6 @@
         };
       };
     };
-
-    authentik-server = {
-      image = "ghcr.io/goauthentik/server:2026.2.1";
-      autoStart = true;
-      autoUpdate = "registry";
-      network = "internal_net";
-      exec = "server";
-      environmentFile = [
-        "/pool/services/secrets/default"
-        "/pool/services/secrets/authentik"
-      ];
-      volumes = [
-        "/pool/services/podman/authentik/data:/data"
-        "/pool/services/podman/authentik/certs:/certs"
-        "/pool/services/podman/authentik/templates:/templates"
-      ];
-      extraPodmanArgs = [
-        "--shm-size=256m"
-      ];
-      extraConfig = {
-        Service = {
-          TimeoutStartSec = 900;
-        };
-      };
-    };
-
-    authentik-postgresql = {
-      image = "docker.io/postgres:16-alpine";
-      autoStart = true;
-      autoUpdate = "registry";
-      network = "internal_net";
-      environmentFile = [
-        "/pool/services/secrets/default"
-        "/pool/services/secrets/authentik"
-      ];
-      volumes = [
-        "/pool/services/podman/authentik/db:/var/lib/postgresql/data"
-      ];
-      extraConfig = {
-        Service = {
-          TimeoutStartSec = 900;
-        };
-      };
-    };
-
-    authentik-worker = {
-      image = "ghcr.io/goauthentik/server:2026.2.1";
-      autoStart = true;
-      autoUpdate = "registry";
-      network = "internal_net";
-      exec = "worker";
-      environmentFile = [
-        "/pool/services/secrets/default"
-        "/pool/services/secrets/authentik"
-      ];
-      volumes = [
-        "/pool/services/podman/authentik/data:/data"
-        "/pool/services/podman/authentik/certs:/certs"
-        "/pool/services/podman/authentik/templates:/templates"
-      ];
-      extraPodmanArgs = [
-        "--shm-size=256m"
-      ];
-      extraConfig = {
-        Service = {
-          TimeoutStartSec = 900;
-        };
-      };
-    };
     caddy-local = {
       image = "ghcr.io/caddybuilds/caddy-cloudflare:latest";
       autoStart = true;
@@ -188,6 +187,25 @@
       };
     };
 
+    cleanuparr = {
+      image = "ghcr.io/cleanuparr/cleanuparr:latest";
+      autoStart = true;
+      autoUpdate = "registry";
+      network = "internal_net";
+      environmentFile = [
+        "/pool/services/secrets/default"
+      ];
+      volumes = [
+        "/pool/services/podman/cleanuparr:/config"
+        "/pool/media/torrents:/downloads"
+      ];
+      extraConfig = {
+        Service = {
+          TimeoutStartSec = 900;
+        };
+      };
+    };
+
     bazarr = {
       image = "lscr.io/linuxserver/bazarr:latest";
       autoStart = true;
@@ -253,10 +271,14 @@
       autoStart = true;
       autoUpdate = "registry";
       network = "internal_net";
-      environmentFile = [
+      environment = {
-        "/pool/services/secrets/default"
+        OIDC_ENABLED="1";
-        "/pool/services/secrets/freshrss"
+        OIDC_PROVIDER_METADATA_URL="https://authentik.mektem.com/application/o/fresh-rss/.well-known/openid-configuration";
-      ];
+        OIDC_CLIENT_ID="PsqRnVLTezIKL7582E8pnKNFIF0W41kVyMhh4RoG";
+        OIDC_CLIENT_SECRET="h1XsvbUcRn33rq7qBBS0GUENEgn6zTJQeHpVPhzcqG4ekdwlCghIn1ALhydYXF1pfS8HaskM3KntHXDTC8a7athLxLzT95Gxr8OpvN9iOY75pUXrNnLJXUrY9o4qKM7m";
+        OIDC_X_FORWARDED_HEADERS="X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host";
+        OIDC_SCOPES="openid email profile";
+      };
       volumes = [
         "/pool/services/podman/freshrss:/config"
       ];
@@ -403,6 +425,9 @@
       volumes = [
         "/pool/services/podman/immich/db:/var/lib/postgresql/data:z"
       ];
+      ports = [
+        "5433:5432"
+      ];
       userNS = "keep-id";
       extraConfig = {
         Service = {
@@ -423,6 +448,9 @@
       volumes = [
         "/pool/services/podman/immich/cache:/cache"
       ];
+      ports = [
+        "3003:3003"
+      ];
       extraConfig = {
         Service = {
           TimeoutStartSec = 900;
@@ -439,6 +467,9 @@
         "/pool/services/secrets/default"
         "/pool/services/secrets/immich"
       ];
+      ports = [
+        "6379:6379"
+      ];
       extraConfig = {
         Service = {
           TimeoutStartSec = 900;
@@ -508,6 +539,47 @@
       };
     };
 
+#    joplin = {
+#      image = "docker.io/joplin/server:latest";
+#      autoStart = true;
+#      autoUpdate = "registry";
+#      network = "internal_net";
+#      environmentFile = [
+#        "/pool/services/secrets/default"
+#        "/pool/services/secrets/joplin"
+#      ];
+#      ports = [
+#        "22300:22300"
+#      ];
+#      extraConfig = {
+#        Service = {
+#          TimeoutStartSec = 900;
+#        };
+#      };
+#    };
+#
+#    joplin-db = {
+#      image = "docker.io/postgres:15";
+#      autoStart = true;
+#      autoUpdate = "registry";
+#      network = "internal_net";
+#      environmentFile = [
+#        "/pool/services/secrets/default"
+#        "/pool/services/secrets/joplin"
+#      ];
+#      volumes = [
+#        "/pool/services/podman/joplin-db:/var/lib/postgresql/data"
+#      ];
+#      ports = [
+#        "5432:5432"
+#      ];
+#      extraConfig = {
+#        Service = {
+#          TimeoutStartSec = 900;
+#        };
+#      };
+#    };
+
     kiwix = {
       image = "ghcr.io/kiwix/kiwix-serve:latest";
       autoStart = true;
@@ -567,6 +639,71 @@
       };
     };
 
+#    mastodon = {
+#      image = "ghcr.io/linuxserver/mastodon:amd64-latest";
+#      autoStart = true;
+#      autoUpdate = "registry";
+#      network = "internal_net";
+#      environmentFile = [
+#        "/pool/services/secrets/default"
+#        "/pool/services/secrets/mastodon"
+#      ];
+#      volumes = [
+#        "/pool/services/podman/mastodon/config:/config"
+#      ];
+#      ports = [
+#        "808:80"
+#        "8449:443"
+#        "3009:3000"
+#      ];
+#      extraConfig = {
+#        Service = {
+#          TimeoutStartSec = 900;
+#        };
+#      };
+#    };
+#
+#    mastodon-db = {
+#      image = "docker.io/postgres:16-alpine";
+#      autoStart = true;
+#      autoUpdate = "registry";
+#      network = "internal_net";
+#      environmentFile = [
+#        "/pool/services/secrets/default"
+#        "/pool/services/secrets/mastodon-db"
+#      ];
+#      volumes = [
+#        "/pool/services/podman/mastodon/db:/var/lib/postgresql/data"
+#      ];
+#      ports = [
+#        "5435:5432"
+#      ];
+#      extraConfig = {
+#        Service = {
+#          TimeoutStartSec = 900;
+#        };
+#      };
+#    };
+#
+#    mastodon-redis = {
+#      image = "registry.hub.docker.com/library/redis:6.2-alpine";
+#      autoStart = true;
+#      autoUpdate = "registry";
+#      network = "internal_net";
+#      environmentFile = [
+#        "/pool/services/secrets/default"
+#      ];
+#      ports = [
+#        "6382:6379"
+#      ];
+#      extraConfig = {
+#        Service = {
+#          TimeoutStartSec = 900;
+#        };
+#      };
+#    };
+
+
     metube = {
       image = "ghcr.io/alexta69/metube:latest";
       autoStart = true;
@@ -623,6 +760,88 @@
     #   };
     # };
 
+    #nginx-proxy-manager = {
+    #  image = "docker.io/jc21/nginx-proxy-manager:2.9.22";
+    #  autoStart = true;
+    #  autoUpdate = "registry";
+    #  network = "internal_net";
+    #  environmentFile = [
+    #    "/pool/services/secrets/default"
+    #  ];
+    #  volumes = [
+    #    "/pool/services/podman/nginx-proxy-manager:/data"
+    #    "/pool/services/podman/letsencrypt:/etc/letsencrypt"
+    #  ];
+    #  ports = [
+    #    "80:80"
+    #    "443:443"
+    #    "81:81"
+    #  ];
+    #  extraConfig = {
+    #    Service = {
+    #      TimeoutStartSec = 900;
+    #    };
+    #  };
+    #};
+
+    nextcloud = {
+      image = "docker.io/nextcloud";
+      autoStart = true;
+      autoUpdate = "registry";
+      network = "internal_net";
+      environmentFile = [
+        "/pool/services/secrets/default"
+        "/pool/services/secrets/nextcloud"
+      ];
+      volumes = [
+        "/pool/services/podman/nextcloud/app:/var/www/html"
+      ];
+      extraConfig = {
+        Service = {
+          TimeoutStartSec = 900;
+        };
+      };
+    };
+
+    nextcloud-db = {
+      image = "docker.io/mariadb:10.6";
+      autoStart = true;
+      autoUpdate = "registry";
+      network = "internal_net";
+      exec = "--transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW";
+      environmentFile = [
+        "/pool/services/secrets/default"
+        "/pool/services/secrets/nextcloud"
+      ];
+      volumes = [
+        "/pool/services/podman/nextcloud/db:/var/lib/mysql"
+      ];
+      extraConfig = {
+        Service = {
+          TimeoutStartSec = 900;
+        };
+      };
+    };
+
+    ntfy = {
+      image = "docker.io/binwiederhier/ntfy";
+      autoStart = true;
+      autoUpdate = "registry";
+      network = "internal_net";
+      exec = "serve";
+      environmentFile = [
+        "/pool/services/secrets/default"
+        "/pool/services/secrets/ntfy"
+      ];
+      volumes = [
+        "/pool/services/podman/ntfy:/var/lib/ntfy"
+      ];
+      extraConfig = {
+        Service = {
+          TimeoutStartSec = 900;
+        };
+      };
+    };
     ntp = {
       image = "docker.io/cturra/ntp";
       autoStart = true;
@@ -631,6 +850,9 @@
       environmentFile = [
         "/pool/services/secrets/default"
       ];
+      ports = [
+        "123:123/udp"
+      ];
       extraConfig = {
         Service = {
           TimeoutStartSec = 900;

hosts/server/settings.nix

@@ -59,6 +59,21 @@ systemd.services.podman-network-vlan50 = {
   };
   users.users.admin.linger = true;
 
+  #services.xserver.videoDrivers = [ "nvidia" ];
+
+  # hardware = {
+  #   graphics.enable = true;
+  #   nvidia = {
+  #     modesetting.enable = true;
+  #     powerManagement.enable = true;
+  #     powerManagement.finegrained = false;
+  #     open = false;
+  #     nvidiaSettings = false;
+  #     package = config.boot.kernelPackages.nvidiaPackages.stable;
+  #   };
+  #   nvidia-container-toolkit.enable = true;
+  # };
+
   hardware.graphics = {
     enable = true;
     enable32Bit = true;  # only needed if you run 32-bit apps
@@ -138,6 +153,7 @@ systemd.services.podman-network-vlan50 = {
   boot.supportedFilesystems = [ "zfs" ];
   boot.zfs.forceImportRoot = false;
   boot.zfs.extraPools = [ "pool" ];
+  #environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path;
   
   services.zfs.autoScrub = {
     enable = true;
@@ -146,45 +162,15 @@ systemd.services.podman-network-vlan50 = {
 
   services.smartd = {
     enable = true;
-    notifications = {
-      mail.enable = true;
-      mail.recipient = "faris@mektem.com";
-    };
     #devices = [ "DEVICESCAN -a" ]; # autodetect all drives
   };
 
-
-  programs.msmtp = {
-    enable = true;
-    accounts.default = {
-      auth = true;
-      tls = true;
-      host = "smtp.protonmail.ch";
-      port = 587;
-      from = "faris@mektem.com";
-      user = "faris@mektem.com";
-      passwordeval = "cat /pool/services/secrets/mail.txt";
-    };
-  };
-  environment.etc."zfs/zed-notify.sh" = {
-    mode = "0755";
-    text = ''
-      #!/bin/sh
-      # ZED calls: ZED_EMAIL_PROG "subject" "recipient"
-      SUBJECT="$1"
-      TO="$2"
-      (echo "Subject: $SUBJECT"; echo "To: $TO"; echo ""; cat) | \
-        ${pkgs.msmtp}/bin/msmtp "$TO"
-    '';
-  };
-
   services.zfs.zed = {
-    enableMail = true;
     settings = {
-      ZED_EMAIL_ADDR = [ "faris@mektem.com" ];
+      ZED_NTFY_URL="https://ntfy.mektem.com";
-      ZED_EMAIL_PROG = "/etc/zfs/zed-notify.sh"; # Or ssmtp
+      ZED_NTFY_TOPIC="zfs";
-	  ZED_EMAIL_OPTS = "";
+      ZED_NTFY_ACCESS_TOKEN="tk_gtjia7itxhg1qik7j58wkgey2parr";
-      ZED_NOTIFY_INTERVAL_SECS = 3600;
+      ZED_NOTIFY_INTERVAL_SECS = 1;
       ZED_NOTIFY_VERBOSE = true; # Set to false to only get alerts on degradation
     };
   };
@@ -274,29 +260,6 @@ systemd.services.podman-network-vlan50 = {
       # };
     };
 
-    # headscale = {
-    #   image = "docker.io/headscale/headscale:stable";
-    #   autoStart = true;
-    #   #utoUpdate = "registry";
-    #   networks = [ "vlan50" ];
-    #   cmd = [ "serve" ];
-    #   environmentFiles = [
-    #     "/pool/services/secrets/default"
-    #   ];
-    #   volumes = [
-    #     "/pool/services/podman/headscale/config:/etc/headscale:ro"
-    #     "/pool/services/podman/headscale/lib:/var/lib/headscale"
-    #   ];
-    #   extraOptions = [
-    #     "--ip=192.168.50.38"
-    #   ];
-    #   #extraConfig = {
-    #    # Service = {
-    #     #  TimeoutStartSec = 900;
-    #    # };
-    #   ##};
-    # };
-
     matrix = {
       image = "ghcr.io/element-hq/synapse";
       autoStart = true;
@@ -342,29 +305,6 @@ systemd.services.podman-network-vlan50 = {
       # };
     };
 
-    ntfy = {
-      image = "docker.io/binwiederhier/ntfy";
-      autoStart = true;
-      #autoUpdate = "registry";
-      networks = [ "vlan50" ];
-      cmd = [ "serve" ];
-      environmentFiles = [
-        "/pool/services/secrets/default"
-        "/pool/services/secrets/ntfy"
-      ];
-      volumes = [
-        "/pool/services/podman/ntfy:/var/lib/ntfy"
-      ];
-      extraOptions = [
-        "--ip=192.168.50.35"
-      ];
-      # extraConfig = {
-      #   Service = {
-      #     TimeoutStartSec = 900;
-      #   };
-      # };
-    };
-
     privatebin = {
       image = "docker.io/privatebin/nginx-fpm-alpine:latest";
       autoStart = true;