From 7f72059966ebca21d9a10ec560ec331bf113fa75 Mon Sep 17 00:00:00 2001
From: Nathan
Date: Thu, 21 Nov 2024 20:32:36 -0600
Subject: [PATCH] back to compose

---
 flake.lock | 18 +-
 .../configuration/homebox/default.nix | 3 -
 .../containers/authentik-nix/default.nix | 33 +-
 .../authentik-nix/docker-compose.nix | 128 +++++-----
 .../services/containers/pihole/default.nix | 25 +-
 .../containers/pihole/docker-compose.nix | 228 +++++++++---------
 6 files changed, 217 insertions(+), 218 deletions(-)

diff --git a/flake.lock b/flake.lock
index d71ebbf..50036b6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1210,11 +1210,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-Hripi5dnBGegbRPwCt1+a3oH6b1AQxEoJXodiLE8KKw=",
- "path": "/nix/store/32h16ywb0xb37hvimz74apw471i7c7jq-source/home-manager",
+ "path": "/nix/store/c03d0p3h8ip9fsk8c48m8saawwyl9skk-source/home-manager",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/32h16ywb0xb37hvimz74apw471i7c7jq-source/home-manager",
+ "path": "/nix/store/c03d0p3h8ip9fsk8c48m8saawwyl9skk-source/home-manager",
 "type": "path"
 }
 },
@@ -1766,11 +1766,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-QahOuoQdXshu38W5uO7hLhG/yFkT7S2l8Dxicq0wdGk=",
- "path": "/nix/store/2k345pz1g04x3zhhqdh4pbn81zsaiijn-source/programs",
+ "path": "/nix/store/51g3y0jm8d2gb5v3qsx2qybyxfn2hgvm-source/programs",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/2k345pz1g04x3zhhqdh4pbn81zsaiijn-source/programs",
+ "path": "/nix/store/51g3y0jm8d2gb5v3qsx2qybyxfn2hgvm-source/programs",
 "type": "path"
 }
 },
@@ -1838,11 +1838,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=", - "path": "/nix/store/2k345pz1g04x3zhhqdh4pbn81zsaiijn-source/services/sddm", + "path": "/nix/store/51g3y0jm8d2gb5v3qsx2qybyxfn2hgvm-source/services/sddm", "type": "path" }, "original": { - "path": "/nix/store/2k345pz1g04x3zhhqdh4pbn81zsaiijn-source/services/sddm", + "path": "/nix/store/51g3y0jm8d2gb5v3qsx2qybyxfn2hgvm-source/services/sddm", "type": "path" } }, @@ -1873,12 +1873,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-VI/PphvaiElKATCFaBzInEqU7WnoCmItIy8wfzcD9U8=", - "path": "/nix/store/32h16ywb0xb37hvimz74apw471i7c7jq-source/system-config", + "narHash": "sha256-E9AQdp838eaLX++tzBDDN7d6nrfuLaasX03PtLUurN8=", + "path": "/nix/store/c03d0p3h8ip9fsk8c48m8saawwyl9skk-source/system-config", "type": "path" }, "original": { - "path": "/nix/store/32h16ywb0xb37hvimz74apw471i7c7jq-source/system-config", + "path": "/nix/store/c03d0p3h8ip9fsk8c48m8saawwyl9skk-source/system-config", "type": "path" } }, diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index 7743a7a..fb91f24 100644 --- a/system-config/configuration/homebox/default.nix +++ b/system-config/configuration/homebox/default.nix @@ -132,7 +132,6 @@ docker-compose ]; - #virtualisation.oci-containers.backend = "podman"; boot.initrd.postDeviceCommands = lib.mkAfter '' mkdir /btrfs_tmp @@ -194,8 +193,6 @@ "authentik/pass" = {}; "authentik/secret_key" = {}; - "pihole/pass" = {}; - "nextcloud/pass" = {}; }; }; diff --git a/system-config/services/containers/authentik-nix/default.nix b/system-config/services/containers/authentik-nix/default.nix index e5c5f43..ab1c227 100644 --- a/system-config/services/containers/authentik-nix/default.nix +++ b/system-config/services/containers/authentik-nix/default.nix 
@@ -5,20 +5,23 @@ default = false; }; - config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable (lib.mkMerge [ - - (import ./docker-compose.nix) - { - sops.templates."authentik.env" = { - content = '' - POSTGRES_DB=authentik-db - POSTGRES_USER=authentik-admin - POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"} - AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"} - ''; + imports = [ + ./docker-compose.nix + ]; - path = "/ssd1/Authentik/.env"; - }; - } - ]); + config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable { + sops.templates."authentik.env" = { + content = '' + POSTGRES_DB=authentik-db + POSTGRES_USER=authentik-admin + POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"} + AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"} + AUTHENTIK_POSTGRESQL__NAME=authentik-db + AUTHENTIK_POSTGRESQL__USER=authentik-admin + AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"} + ''; + + path = "/ssd1/Authentik/.env"; + }; + }; } diff --git a/system-config/services/containers/authentik-nix/docker-compose.nix b/system-config/services/containers/authentik-nix/docker-compose.nix index 242318e..a7fa514 100644 --- a/system-config/services/containers/authentik-nix/docker-compose.nix +++ b/system-config/services/containers/authentik-nix/docker-compose.nix 
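Review bot: `./docker-compose.nix` is now pulled in through `imports`, which is unconditional, whereas the previous `lib.mkMerge [ (import ./docker-compose.nix) … ]` kept it under `lib.mkIf config.sysconfig.opts.virtualization.authentik.enable`; the imported file (hunk `@@ -3,28 +3,17 @@` of authentik-nix/docker-compose.nix) sets `virtualisation.docker.enable = true` and `virtualisation.oci-containers.backend = "docker"` at top level with no `mkIf` of its own, so the enable option no longer gates the authentik containers or the Docker runtime. The pihole counterpart in this same patch wraps its compose body in `config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable { … }` and takes `config` as a module argument; doing the same in the authentik compose file restores the gate. As written, a host that also enables the pihole module would presumably hit conflicting definitions of `virtualisation.oci-containers.backend` (`"docker"` here, `"podman"` there). The single `/ssd1/Authentik/.env`, which now carries `AUTHENTIK_SECRET_KEY`, is also handed to the postgres container that only needs the `POSTGRES_*` keys; a second template scoped to the database would keep the application secret out of that container.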
@@ -3,28 +3,17 @@ { # Runtime - virtualisation.podman = { + virtualisation.docker = { enable = true; autoPrune.enable = true; - dockerCompat = true; - defaultNetwork.settings = { - # Required for container networking to be able to use names. - dns_enabled = true; - }; }; - - # Enable container name DNS for non-default Podman networks. - # https://github.com/NixOS/nixpkgs/issues/226365 - networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ]; - - virtualisation.oci-containers.backend = "podman"; + virtualisation.oci-containers.backend = "docker"; # Containers virtualisation.oci-containers.containers."authentik-postgresql" = { image = "docker.io/library/postgres:16-alpine"; - environmentFiles = [ - "/ssd1/Authentik/.env" - ]; + + environmentFiles = [ "/ssd1/Authentik/.env" ]; volumes = [ "authentik_database:/var/lib/postgresql/data:rw" ]; @@ -39,23 +28,26 @@ "--network=authentik_backend" ]; }; - systemd.services."podman-authentik-postgresql" = { + systemd.services."docker-authentik-postgresql" = { serviceConfig = { Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; }; after = [ - "podman-network-authentik_backend.service" - "podman-volume-authentik_database.service" + "docker-network-authentik_backend.service" + "docker-volume-authentik_database.service" ]; requires = [ - "podman-network-authentik_backend.service" - "podman-volume-authentik_database.service" + "docker-network-authentik_backend.service" + "docker-volume-authentik_database.service" ]; partOf = [ - "podman-compose-authentik-root.target" + "docker-compose-authentik-root.target" ]; wantedBy = [ - "podman-compose-authentik-root.target" + "docker-compose-authentik-root.target" ]; }; virtualisation.oci-containers.containers."authentik-redis" = { 
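Review bot: The four `Restart*` settings added to `systemd.services."docker-authentik-postgresql".serviceConfig` are repeated verbatim for the redis, server and worker services in the hunks that follow (`@@ -75,36`, `@@ -124,34`, `@@ -170,69`); one binding such as `restartPolicy = { Restart = lib.mkOverride 90 "always"; RestartSec = lib.mkOverride 90 "100ms"; RestartSteps = lib.mkOverride 90 9; RestartMaxDelaySec = lib.mkOverride 90 "1m"; };` used as `serviceConfig = restartPolicy;` keeps the four copies from drifting apart. `RestartSteps` and `RestartMaxDelaySec` are only understood by systemd 254 and later; an older systemd logs an unknown-key warning and ignores them, so the intended backoff would not apply there. A short comment on the block, e.g. `# exponential backoff: 100ms -> 1m over 9 steps (systemd >= 254)`, would make the chosen values self-explanatory.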
@@ -75,36 +67,35 @@ "--network=authentik_backend" ]; }; - systemd.services."podman-authentik-redis" = { + systemd.services."docker-authentik-redis" = { serviceConfig = { Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; }; after = [ - "podman-network-authentik_backend.service" - "podman-volume-authentik_redis.service" + "docker-network-authentik_backend.service" + "docker-volume-authentik_redis.service" ]; requires = [ - "podman-network-authentik_backend.service" - "podman-volume-authentik_redis.service" + "docker-network-authentik_backend.service" + "docker-volume-authentik_redis.service" ]; partOf = [ - "podman-compose-authentik-root.target" + "docker-compose-authentik-root.target" ]; wantedBy = [ - "podman-compose-authentik-root.target" + "docker-compose-authentik-root.target" ]; }; virtualisation.oci-containers.containers."authentik-server" = { - image = "ghcr.io/goauthentik/server:2024.10.2"; + image = "ghcr.io/goauthentik/server:2024.10.4"; environment = { "AUTHENTIK_ERROR_REPORTING__ENABLED" = "true"; - "AUTHENTIK_POSTGRESQL__HOST" = "postgresql"; - "AUTHENTIK_POSTGRESQL__NAME" = ""; - "AUTHENTIK_POSTGRESQL__PASSWORD" = ""; - "AUTHENTIK_POSTGRESQL__USER" = ""; "AUTHENTIK_REDIS__HOST" = "redis"; - "AUTHENTIK_SECRET_KEY" = ""; }; + environmentFiles = [ "/ssd1/Authentik/.env" ]; volumes = [ "/ssd1/Authentik/custom-templates:/templates:rw" "/ssd1/Authentik/media:/media:rw" 
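Review bot: The `authentik-server` environment loses `"AUTHENTIK_POSTGRESQL__HOST" = "postgresql";` together with the emptied credential keys, but the `authentik-worker` in the next hunk (`@@ -124,34`) keeps that line, and the `authentik.env` template in authentik-nix/default.nix supplies only `AUTHENTIK_POSTGRESQL__NAME`, `__USER` and `__PASSWORD`, not the host. Unless the host is provided somewhere not shown, the server will fall back to authentik's built-in default instead of the `postgresql` network alias and fail to reach the database while the worker still connects; restoring `"AUTHENTIK_POSTGRESQL__HOST" = "postgresql";` in the server's `environment` keeps the two containers consistent. Moving the credentials out of the Nix expression into the sops-rendered `environmentFiles` is the right direction, since the values in `environment` would otherwise land world-readable in the Nix store. The image bump to `2024.10.4` is applied to both server and worker, which keeps them on the same release.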
@@ -124,34 +115,34 @@ "--network=authentik_backend" ]; }; - systemd.services."podman-authentik-server" = { + systemd.services."docker-authentik-server" = { serviceConfig = { Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; }; after = [ - "podman-network-authentik_backend.service" + "docker-network-authentik_backend.service" ]; requires = [ - "podman-network-authentik_backend.service" + "docker-network-authentik_backend.service" ]; partOf = [ - "podman-compose-authentik-root.target" + "docker-compose-authentik-root.target" ]; wantedBy = [ - "podman-compose-authentik-root.target" + "docker-compose-authentik-root.target" ]; }; virtualisation.oci-containers.containers."authentik-worker" = { - image = "ghcr.io/goauthentik/server:2024.10.2"; + image = "ghcr.io/goauthentik/server:2024.10.4"; environment = { "AUTHENTIK_ERROR_REPORTING__ENABLED" = "true"; "AUTHENTIK_POSTGRESQL__HOST" = "postgresql"; - "AUTHENTIK_POSTGRESQL__NAME" = ""; - "AUTHENTIK_POSTGRESQL__PASSWORD" = ""; - "AUTHENTIK_POSTGRESQL__USER" = ""; "AUTHENTIK_REDIS__HOST" = "redis"; - "AUTHENTIK_SECRET_KEY" = ""; }; + environmentFiles = [ "/ssd1/Authentik/.env" ]; volumes = [ "/ssd1/Authentik/certs:/certs:rw" "/ssd1/Authentik/custom-templates:/templates:rw" 
@@ -170,69 +161,72 @@ "--network=authentik_backend" ]; }; - systemd.services."podman-authentik-worker" = { + systemd.services."docker-authentik-worker" = { serviceConfig = { Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; }; after = [ - "podman-network-authentik_backend.service" + "docker-network-authentik_backend.service" ]; requires = [ - "podman-network-authentik_backend.service" + "docker-network-authentik_backend.service" ]; partOf = [ - "podman-compose-authentik-root.target" + "docker-compose-authentik-root.target" ]; wantedBy = [ - "podman-compose-authentik-root.target" + "docker-compose-authentik-root.target" ]; }; # Networks - systemd.services."podman-network-authentik_backend" = { - path = [ pkgs.podman ]; + systemd.services."docker-network-authentik_backend" = { + path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStop = "podman network rm -f authentik_backend"; + ExecStop = "docker network rm -f authentik_backend"; }; script = '' - podman network inspect authentik_backend || podman network create authentik_backend + docker network inspect authentik_backend || docker network create authentik_backend ''; - partOf = [ "podman-compose-authentik-root.target" ]; - wantedBy = [ "podman-compose-authentik-root.target" ]; + partOf = [ "docker-compose-authentik-root.target" ]; + wantedBy = [ "docker-compose-authentik-root.target" ]; }; # Volumes - systemd.services."podman-volume-authentik_database" = { - path = [ pkgs.podman ]; + systemd.services."docker-volume-authentik_database" = { + path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' - podman volume inspect authentik_database || podman volume create authentik_database --driver=local + docker volume inspect authentik_database || docker volume create authentik_database --driver=local ''; - partOf = [ 
"podman-compose-authentik-root.target" ]; - wantedBy = [ "podman-compose-authentik-root.target" ]; + partOf = [ "docker-compose-authentik-root.target" ]; + wantedBy = [ "docker-compose-authentik-root.target" ]; }; - systemd.services."podman-volume-authentik_redis" = { - path = [ pkgs.podman ]; + systemd.services."docker-volume-authentik_redis" = { + path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' - podman volume inspect authentik_redis || podman volume create authentik_redis --driver=local + docker volume inspect authentik_redis || docker volume create authentik_redis --driver=local ''; - partOf = [ "podman-compose-authentik-root.target" ]; - wantedBy = [ "podman-compose-authentik-root.target" ]; + partOf = [ "docker-compose-authentik-root.target" ]; + wantedBy = [ "docker-compose-authentik-root.target" ]; }; # Root service # When started, this will automatically create all resources and start # the containers. When stopped, this will teardown all resources. - systemd.targets."podman-compose-authentik-root" = { + systemd.targets."docker-compose-authentik-root" = { unitConfig = { Description = "Root target generated by compose2nix."; }; diff --git a/system-config/services/containers/pihole/default.nix b/system-config/services/containers/pihole/default.nix index 8e11aa8..ba2b7c7 100644 --- a/system-config/services/containers/pihole/default.nix +++ b/system-config/services/containers/pihole/default.nix 
@@ -5,17 +5,20 @@ default = false; }; - config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable (lib.mkMerge [ + imports = [ + ./docker-compose.nix + ]; - (import ./docker-compose.nix) - { - sops.templates."pihole.env" = { - content = '' - WEBPASSWORD=${config.sops.placeholder."pihole/pass"} - ''; + config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable { + sops.secrets."pihole/pass" = {}; - path = "/ssd1/Pihole/.env"; - }; - } - ]); + sops.templates."pihole.env" = { + content = '' + WEBPASSWORD=${config.sops.placeholder."pihole/pass"} + ''; + + path = "/ssd1/Pihole/.env"; + }; + }; + } diff --git a/system-config/services/containers/pihole/docker-compose.nix b/system-config/services/containers/pihole/docker-compose.nix index c170bea..d06c6fd 100644 --- a/system-config/services/containers/pihole/docker-compose.nix +++ b/system-config/services/containers/pihole/docker-compose.nix 
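Review bot: `sops.secrets."pihole/pass" = {};` is now declared inside the pihole module, while the authentik secrets (`"authentik/pass"`, `"authentik/secret_key"`) remain declared in homebox/default.nix and the authentik module in this patch declares none of its own; settle on one placement, either each service module declaring the secrets it templates or the host declaring them all, so that enabling a service on another host does not fail on an undefined placeholder. The homebox hunk also drops `"nextcloud/pass" = {};` and nothing in this patch re-declares it, so if any module still references `config.sops.placeholder."nextcloud/pass"` that secret would no longer be rendered; worth confirming before merging. The rendered template at `/ssd1/Pihole/.env` holds `WEBPASSWORD`; a comment noting that sops-nix's default template owner and mode are relied on for keeping it root-only would help the next reader.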
@@ -1,123 +1,125 @@ # Auto-generated using compose2nix v0.3.2-pre. -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: { - # Runtime - virtualisation.podman = { - enable = true; - autoPrune.enable = true; - dockerCompat = true; - defaultNetwork.settings = { - # Required for container networking to be able to use names. - dns_enabled = true; - }; - }; + config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable { +# Runtime + virtualisation.podman = { + enable = true; + autoPrune.enable = true; + dockerCompat = true; + defaultNetwork.settings = { +# Required for container networking to be able to use names. + dns_enabled = true; + }; + }; - # Enable container name DNS for non-default Podman networks. - # https://github.com/NixOS/nixpkgs/issues/226365 - networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ]; +# Enable container name DNS for non-default Podman networks. +# https://github.com/NixOS/nixpkgs/issues/226365 + networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ]; - virtualisation.oci-containers.backend = "podman"; + virtualisation.oci-containers.backend = "podman"; - # Containers - virtualisation.oci-containers.containers."pihole" = { - image = "pihole/pihole:latest"; - environment = { - "PIHOLE_DNS" = "'192.168.101.2#5335'"; - "TZ" = "'America/Chicago'"; - }; - environmentFiles = [ - "/ssd1/Pihole/.env" - ]; - volumes = [ - "/ssd1/Pihole/etc-dnsmasq.d:/etc/dnsmasq.d:rw" - "/ssd1/Pihole/etc-pihole:/etc/pihole:rw" - ]; - ports = [ - "53:53/tcp" - "53:53/udp" - "8080:80/tcp" - ]; - log-driver = "journald"; - extraOptions = [ - "--ip=192.168.101.1" - "--network-alias=pihole" - "--network=pihole_dns_net" - ]; - }; - systemd.services."podman-pihole" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - }; - after = [ - "podman-network-pihole_dns_net.service" - ]; - requires = [ - "podman-network-pihole_dns_net.service" - ]; - partOf = [ - "podman-compose-pihole-root.target" - ]; - wantedBy = [ - 
"podman-compose-pihole-root.target" - ]; - }; - virtualisation.oci-containers.containers."unbound" = { - image = "mvance/unbound:latest"; - volumes = [ - "/ssd1/Pihole/unbound:/opt/unbound/etc/unbound:rw" - ]; - ports = [ - "5335:53/tcp" - "5335:53/udp" - ]; - log-driver = "journald"; - extraOptions = [ - "--ip=192.168.101.2" - "--network-alias=unbound" - "--network=pihole_dns_net" - ]; - }; - systemd.services."podman-unbound" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - }; - after = [ - "podman-network-pihole_dns_net.service" - ]; - requires = [ - "podman-network-pihole_dns_net.service" - ]; - partOf = [ - "podman-compose-pihole-root.target" - ]; - wantedBy = [ - "podman-compose-pihole-root.target" - ]; - }; +# Containers + virtualisation.oci-containers.containers."pihole" = { + image = "pihole/pihole:latest"; + environment = { + "PIHOLE_DNS" = "'192.169.101.2#5335'"; + "TZ" = "'America/Chicago'"; + }; + environmentFiles = [ + "/ssd1/Pihole/.env" + ]; + volumes = [ + "/ssd1/Pihole/etc-dnsmasq.d:/etc/dnsmasq.d:rw" + "/ssd1/Pihole/etc-pihole:/etc/pihole:rw" + ]; + ports = [ + "53:53/tcp" + "53:53/udp" + "8080:80/tcp" + ]; + log-driver = "journald"; + extraOptions = [ + "--ip=192.169.101.1" + "--network-alias=pihole" + "--network=pihole_dns_net" + ]; + }; + systemd.services."podman-pihole" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-pihole_dns_net.service" + ]; + requires = [ + "podman-network-pihole_dns_net.service" + ]; + partOf = [ + "podman-compose-pihole-root.target" + ]; + wantedBy = [ + "podman-compose-pihole-root.target" + ]; + }; + virtualisation.oci-containers.containers."unbound" = { + image = "mvance/unbound:latest"; + volumes = [ + "/ssd1/Pihole/unbound:/opt/unbound/etc/unbound:rw" + ]; + ports = [ + "5335:53/tcp" + "5335:53/udp" + ]; + log-driver = "journald"; + extraOptions = [ + "--ip=192.169.101.2" + "--network-alias=unbound" + "--network=pihole_dns_net" + ]; + }; + 
systemd.services."podman-unbound" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-pihole_dns_net.service" + ]; + requires = [ + "podman-network-pihole_dns_net.service" + ]; + partOf = [ + "podman-compose-pihole-root.target" + ]; + wantedBy = [ + "podman-compose-pihole-root.target" + ]; + }; - # Networks - systemd.services."podman-network-pihole_dns_net" = { - path = [ pkgs.podman ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "podman network rm -f pihole_dns_net"; - }; - script = '' - podman network inspect pihole_dns_net || podman network create pihole_dns_net --driver=bridge --subnet=192.168.0.0/16 - ''; - partOf = [ "podman-compose-pihole-root.target" ]; - wantedBy = [ "podman-compose-pihole-root.target" ]; - }; +# Networks + systemd.services."podman-network-pihole_dns_net" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "podman network rm -f pihole_dns_net"; + }; + script = '' + podman network inspect pihole_dns_net || podman network create pihole_dns_net --driver=bridge --subnet=192.169.0.0/16 + ''; + partOf = [ "podman-compose-pihole-root.target" ]; + wantedBy = [ "podman-compose-pihole-root.target" ]; + }; - # Root service - # When started, this will automatically create all resources and start - # the containers. When stopped, this will teardown all resources. - systemd.targets."podman-compose-pihole-root" = { - unitConfig = { - Description = "Root target generated by compose2nix."; +# Root service +# When started, this will automatically create all resources and start +# the containers. When stopped, this will teardown all resources. + systemd.targets."podman-compose-pihole-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = [ "multi-user.target" ]; + }; }; - wantedBy = [ "multi-user.target" ]; - }; }
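Review bot: The network changes to `--subnet=192.169.0.0/16` with `--ip=192.169.101.1` and `--ip=192.169.101.2` (and `PIHOLE_DNS` pointing at `192.169.101.2#5335`), but 192.169.0.0/16 is not an RFC 1918 private range; it is publicly routable address space, so the host will route that entire /16 into the container bridge and any real destination inside it becomes unreachable from the host and its containers. If the intent was to avoid a clash with an existing 192.168.0.0/16 LAN, a private range such as `--subnet=10.101.0.0/24` with matching `--ip` and `PIHOLE_DNS` values is the safe choice, and a /24 is plenty for two fixed addresses. Both images are pulled by floating tag (`pihole/pihole:latest`, `mvance/unbound:latest`) whereas the authentik images elsewhere in this patch are pinned, so a rebuild can silently change what the resolver runs; pinning a version tag or digest makes the deployment reproducible. The file keeps its `# Auto-generated using compose2nix` header, yet the `config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable { … }` wrapper and the added `config` module argument are hand edits that a regeneration would drop, and the comment lines were left at column 0 while the code under them was re-indented; a note in the header that the file is now hand-maintained, plus re-indenting the comments, would prevent that surprise.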