Add/remove server containers

This commit is contained in:
Faris 2026-04-28 01:07:26 +01:00
parent f2f93b554b
commit f0d548f84c
2 changed files with 315 additions and 153 deletions


@ -6,6 +6,30 @@
}:
{
systemd.user.services.podman-prune = {
Unit = {
Description = "Prune unused Podman resources for admin user";
};
Service = {
Type = "oneshot";
ExecStart = "${pkgs.podman}/bin/podman system prune -f --all";
};
};
systemd.user.timers.podman-prune = {
Unit = {
Description = "Weekly Podman prune timer";
};
Timer = {
OnCalendar = "weekly";
Persistent = true;
};
Install = {
WantedBy = [ "timers.target" ];
};
};
services.podman.networks = {
internal_net = {
driver = "bridge";
@ -57,6 +81,50 @@
};
};
# akaunting = {
# image = "docker.io/akaunting/akaunting:latest";
# autoStart = true;
# autoUpdate = "registry";
# network = "internal_net";
# environmentFile = [
# "/pool/services/secrets/default"
# "/pool/services/secrets/akaunting"
# ];
# volumes = [
# "/pool/services/podman/akaunting/data:/var/www/html/akaunting"
# ];
# ports = [
# "8003:80"
# ];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
# };
#
# akaunting-db = {
# image = "docker.io/mariadb:latest";
# autoStart = true;
# autoUpdate = "registry";
# network = "internal_net";
# environmentFile = [
# "/pool/services/secrets/default"
# "/pool/services/secrets/akaunting"
# ];
# volumes = [
# "/pool/services/podman/akaunting/db:/var/lib/mysql"
# ];
# ports = [
# "3307:3306"
# ];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
# };
archivebox = {
image = "docker.io/archivebox/archivebox:latest";
autoStart = true;
@ -94,75 +162,6 @@
};
};
};
authentik-server = {
image = "ghcr.io/goauthentik/server:2026.2.1";
autoStart = true;
autoUpdate = "registry";
network = "internal_net";
exec = "server";
environmentFile = [
"/pool/services/secrets/default"
"/pool/services/secrets/authentik"
];
volumes = [
"/pool/services/podman/authentik/data:/data"
"/pool/services/podman/authentik/certs:/certs"
"/pool/services/podman/authentik/templates:/templates"
];
extraPodmanArgs = [
"--shm-size=256m"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
};
};
};
authentik-postgresql = {
image = "docker.io/postgres:16-alpine";
autoStart = true;
autoUpdate = "registry";
network = "internal_net";
environmentFile = [
"/pool/services/secrets/default"
"/pool/services/secrets/authentik"
];
volumes = [
"/pool/services/podman/authentik/db:/var/lib/postgresql/data"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
};
};
};
authentik-worker = {
image = "ghcr.io/goauthentik/server:2026.2.1";
autoStart = true;
autoUpdate = "registry";
network = "internal_net";
exec = "worker";
environmentFile = [
"/pool/services/secrets/default"
"/pool/services/secrets/authentik"
];
volumes = [
"/pool/services/podman/authentik/data:/data"
"/pool/services/podman/authentik/certs:/certs"
"/pool/services/podman/authentik/templates:/templates"
];
extraPodmanArgs = [
"--shm-size=256m"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
};
};
};
caddy-local = {
image = "ghcr.io/caddybuilds/caddy-cloudflare:latest";
autoStart = true;
@ -188,6 +187,25 @@
};
};
cleanuparr = {
image = "ghcr.io/cleanuparr/cleanuparr:latest";
autoStart = true;
autoUpdate = "registry";
network = "internal_net";
environmentFile = [
"/pool/services/secrets/default"
];
volumes = [
"/pool/services/podman/cleanuparr:/config"
"/pool/media/torrents:/downloads"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
};
};
};
bazarr = {
image = "lscr.io/linuxserver/bazarr:latest";
autoStart = true;
@ -253,10 +271,14 @@
autoStart = true;
autoUpdate = "registry";
network = "internal_net";
environmentFile = [
"/pool/services/secrets/default"
"/pool/services/secrets/freshrss"
];
environment = {
OIDC_ENABLED="1";
OIDC_PROVIDER_METADATA_URL="https://authentik.mektem.com/application/o/fresh-rss/.well-known/openid-configuration";
OIDC_CLIENT_ID="PsqRnVLTezIKL7582E8pnKNFIF0W41kVyMhh4RoG";
OIDC_CLIENT_SECRET="h1XsvbUcRn33rq7qBBS0GUENEgn6zTJQeHpVPhzcqG4ekdwlCghIn1ALhydYXF1pfS8HaskM3KntHXDTC8a7athLxLzT95Gxr8OpvN9iOY75pUXrNnLJXUrY9o4qKM7m";
OIDC_X_FORWARDED_HEADERS="X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host";
OIDC_SCOPES="openid email profile";
};
volumes = [
"/pool/services/podman/freshrss:/config"
];
@ -403,6 +425,9 @@
volumes = [
"/pool/services/podman/immich/db:/var/lib/postgresql/data:z"
];
ports = [
"5433:5432"
];
userNS = "keep-id";
extraConfig = {
Service = {
@ -423,6 +448,9 @@
volumes = [
"/pool/services/podman/immich/cache:/cache"
];
ports = [
"3003:3003"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
@ -439,6 +467,9 @@
"/pool/services/secrets/default"
"/pool/services/secrets/immich"
];
ports = [
"6379:6379"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
@ -508,6 +539,47 @@
};
};
# joplin = {
# image = "docker.io/joplin/server:latest";
# autoStart = true;
# autoUpdate = "registry";
# network = "internal_net";
# environmentFile = [
# "/pool/services/secrets/default"
# "/pool/services/secrets/joplin"
# ];
# ports = [
# "22300:22300"
# ];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
# };
#
# joplin-db = {
# image = "docker.io/postgres:15";
# autoStart = true;
# autoUpdate = "registry";
# network = "internal_net";
# environmentFile = [
# "/pool/services/secrets/default"
# "/pool/services/secrets/joplin"
# ];
# volumes = [
# "/pool/services/podman/joplin-db:/var/lib/postgresql/data"
# ];
# ports = [
# "5432:5432"
# ];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
# };
kiwix = {
image = "ghcr.io/kiwix/kiwix-serve:latest";
autoStart = true;
@ -567,6 +639,71 @@
};
};
# mastodon = {
# image = "ghcr.io/linuxserver/mastodon:amd64-latest";
# autoStart = true;
# autoUpdate = "registry";
# network = "internal_net";
# environmentFile = [
# "/pool/services/secrets/default"
# "/pool/services/secrets/mastodon"
# ];
# volumes = [
# "/pool/services/podman/mastodon/config:/config"
# ];
# ports = [
# "808:80"
# "8449:443"
# "3009:3000"
# ];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
# };
#
# mastodon-db = {
# image = "docker.io/postgres:16-alpine";
# autoStart = true;
# autoUpdate = "registry";
# network = "internal_net";
# environmentFile = [
# "/pool/services/secrets/default"
# "/pool/services/secrets/mastodon-db"
# ];
# volumes = [
# "/pool/services/podman/mastodon/db:/var/lib/postgresql/data"
# ];
# ports = [
# "5435:5432"
# ];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
# };
#
# mastodon-redis = {
# image = "registry.hub.docker.com/library/redis:6.2-alpine";
# autoStart = true;
# autoUpdate = "registry";
# network = "internal_net";
# environmentFile = [
# "/pool/services/secrets/default"
# ];
# ports = [
# "6382:6379"
# ];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
# };
metube = {
image = "ghcr.io/alexta69/metube:latest";
autoStart = true;
@ -623,6 +760,88 @@
# };
# };
#nginx-proxy-manager = {
# image = "docker.io/jc21/nginx-proxy-manager:2.9.22";
# autoStart = true;
# autoUpdate = "registry";
# network = "internal_net";
# environmentFile = [
# "/pool/services/secrets/default"
# ];
# volumes = [
# "/pool/services/podman/nginx-proxy-manager:/data"
# "/pool/services/podman/letsencrypt:/etc/letsencrypt"
# ];
# ports = [
# "80:80"
# "443:443"
# "81:81"
# ];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
#};
nextcloud = {
image = "docker.io/nextcloud";
autoStart = true;
autoUpdate = "registry";
network = "internal_net";
environmentFile = [
"/pool/services/secrets/default"
"/pool/services/secrets/nextcloud"
];
volumes = [
"/pool/services/podman/nextcloud/app:/var/www/html"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
};
};
};
nextcloud-db = {
image = "docker.io/mariadb:10.6";
autoStart = true;
autoUpdate = "registry";
network = "internal_net";
exec = "--transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW";
environmentFile = [
"/pool/services/secrets/default"
"/pool/services/secrets/nextcloud"
];
volumes = [
"/pool/services/podman/nextcloud/db:/var/lib/mysql"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
};
};
};
ntfy = {
image = "docker.io/binwiederhier/ntfy";
autoStart = true;
autoUpdate = "registry";
network = "internal_net";
exec = "serve";
environmentFile = [
"/pool/services/secrets/default"
"/pool/services/secrets/ntfy"
];
volumes = [
"/pool/services/podman/ntfy:/var/lib/ntfy"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
};
};
};
ntp = {
image = "docker.io/cturra/ntp";
autoStart = true;
@ -631,6 +850,9 @@
environmentFile = [
"/pool/services/secrets/default"
];
ports = [
"123:123/udp"
];
extraConfig = {
Service = {
TimeoutStartSec = 900;
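Review bot: The FreshRSS hunk (`@ -253,10 +271,14 @@`) puts a live OIDC client secret into the Nix expression via `OIDC_CLIENT_ID` / `OIDC_CLIENT_SECRET`, which lands in the world-readable `/nix/store` (the generated quadlet unit) and in git history, unlike every other service here that keeps credentials in `environmentFile` under `/pool/services/secrets`. The same hunk already lists `"/pool/services/secrets/freshrss"`, so the fix is to drop the two `OIDC_CLIENT_*` lines from `environment`, put them in that file, and regenerate the client secret in authentik since the current one must be treated as leaked. Separately, the immich hunks publish `5433:5432`, `3003:3003` and `6379:6379` on the host even though the containers share `internal_net`; if these were added for a one-off migration they should be removed afterwards, and Redis in particular should not be reachable from the LAN without a password (whether `/pool/services/secrets/immich` sets one is not visible here). Finally, `nextcloud` and `ntfy` use untagged images (`docker.io/nextcloud`, `docker.io/binwiederhier/ntfy`) together with `autoUpdate = "registry"`, so an upstream major release is pulled unreviewed; pinning a tag like the `mariadb:10.6` line next to them does would keep updates deliberate.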


@ -59,6 +59,21 @@ systemd.services.podman-network-vlan50 = {
};
users.users.admin.linger = true;
#services.xserver.videoDrivers = [ "nvidia" ];
# hardware = {
# graphics.enable = true;
# nvidia = {
# modesetting.enable = true;
# powerManagement.enable = true;
# powerManagement.finegrained = false;
# open = false;
# nvidiaSettings = false;
# package = config.boot.kernelPackages.nvidiaPackages.stable;
# };
# nvidia-container-toolkit.enable = true;
# };
hardware.graphics = {
enable = true;
enable32Bit = true; # only needed if you run 32-bit apps
@ -138,6 +153,7 @@ systemd.services.podman-network-vlan50 = {
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
boot.zfs.extraPools = [ "pool" ];
#environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path;
services.zfs.autoScrub = {
enable = true;
@ -146,45 +162,15 @@ systemd.services.podman-network-vlan50 = {
services.smartd = {
enable = true;
notifications = {
mail.enable = true;
mail.recipient = "faris@mektem.com";
};
#devices = [ "DEVICESCAN -a" ]; # autodetect all drives
};
programs.msmtp = {
enable = true;
accounts.default = {
auth = true;
tls = true;
host = "smtp.protonmail.ch";
port = 587;
from = "faris@mektem.com";
user = "faris@mektem.com";
passwordeval = "cat /pool/services/secrets/mail.txt";
};
};
environment.etc."zfs/zed-notify.sh" = {
mode = "0755";
text = ''
#!/bin/sh
# ZED calls: ZED_EMAIL_PROG "subject" "recipient"
SUBJECT="$1"
TO="$2"
(echo "Subject: $SUBJECT"; echo "To: $TO"; echo ""; cat) | \
${pkgs.msmtp}/bin/msmtp "$TO"
'';
};
services.zfs.zed = {
enableMail = true;
settings = {
ZED_EMAIL_ADDR = [ "faris@mektem.com" ];
ZED_EMAIL_PROG = "/etc/zfs/zed-notify.sh"; # Or ssmtp
ZED_EMAIL_OPTS = "";
ZED_NOTIFY_INTERVAL_SECS = 3600;
ZED_NTFY_URL="https://ntfy.mektem.com";
ZED_NTFY_TOPIC="zfs";
ZED_NTFY_ACCESS_TOKEN="tk_gtjia7itxhg1qik7j58wkgey2parr";
ZED_NOTIFY_INTERVAL_SECS = 1;
ZED_NOTIFY_VERBOSE = true; # Set to false to only get alerts on degradation
};
};
@ -274,29 +260,6 @@ systemd.services.podman-network-vlan50 = {
# };
};
# headscale = {
# image = "docker.io/headscale/headscale:stable";
# autoStart = true;
# #utoUpdate = "registry";
# networks = [ "vlan50" ];
# cmd = [ "serve" ];
# environmentFiles = [
# "/pool/services/secrets/default"
# ];
# volumes = [
# "/pool/services/podman/headscale/config:/etc/headscale:ro"
# "/pool/services/podman/headscale/lib:/var/lib/headscale"
# ];
# extraOptions = [
# "--ip=192.168.50.38"
# ];
# #extraConfig = {
# # Service = {
# # TimeoutStartSec = 900;
# # };
# ##};
# };
matrix = {
image = "ghcr.io/element-hq/synapse";
autoStart = true;
@ -342,29 +305,6 @@ systemd.services.podman-network-vlan50 = {
# };
};
ntfy = {
image = "docker.io/binwiederhier/ntfy";
autoStart = true;
#autoUpdate = "registry";
networks = [ "vlan50" ];
cmd = [ "serve" ];
environmentFiles = [
"/pool/services/secrets/default"
"/pool/services/secrets/ntfy"
];
volumes = [
"/pool/services/podman/ntfy:/var/lib/ntfy"
];
extraOptions = [
"--ip=192.168.50.35"
];
# extraConfig = {
# Service = {
# TimeoutStartSec = 900;
# };
# };
};
privatebin = {
image = "docker.io/privatebin/nginx-fpm-alpine:latest";
autoStart = true;
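Review bot: The `services.zfs.zed` hunk (`@ -146,45 +162,15 @@`) hardcodes `ZED_NTFY_ACCESS_TOKEN="tk_..."` in the system configuration, so the token is written into the world-readable `/nix/store` copy of `zed.rc` and into this repository; anyone who can read it can publish to the `zfs` topic on `ntfy.mektem.com` and, depending on the token's ACL, other topics too. The msmtp setup this commit removes used `passwordeval = "cat /pool/services/secrets/mail.txt"` to keep its credential out of the store, and the ZED settings should do the same: revoke the pasted token and have the ntfy script read a replacement from a root-only file under `/pool/services/secrets`. The same hunk also replaces `ZED_NOTIFY_INTERVAL_SECS = 3600` with `ZED_NOTIFY_INTERVAL_SECS = 1` while keeping `ZED_NOTIFY_VERBOSE = true`, which effectively disables ZED's rate limiting and will flood the topic on a degraded pool. It additionally drops `smartd`'s `notifications.mail` block without a visible replacement, so SMART failures may now go unreported unless they are routed elsewhere outside this hunk.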