From e127cd0c0a9f39b5d7981238fee47d40d74f77ac Mon Sep 17 00:00:00 2001 From: Nathan Date: Thu, 21 Nov 2024 13:21:31 -0600 Subject: [PATCH] compose2nix --- .../configuration/homebox/default.nix | 2 +- .../containers/authentik-nix/default.nix | 58 ++--- .../authentik-nix/docker-compose.nix | 241 ++++++++++++++++++ .../services/containers/pihole/default.nix | 32 +-- .../containers/pihole/docker-compose.nix | 123 +++++++++ 5 files changed, 392 insertions(+), 64 deletions(-) create mode 100644 system-config/services/containers/authentik-nix/docker-compose.nix create mode 100644 system-config/services/containers/pihole/docker-compose.nix diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index 46a1909..7743a7a 100644 --- a/system-config/configuration/homebox/default.nix +++ b/system-config/configuration/homebox/default.nix @@ -111,7 +111,7 @@ #hashedPasswordFile = config.sops.secrets."nathan/pass".path; extraGroups = [ "wheel" - "docker" + "podman" ]; # Enable ‘sudo’ for the user. openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop" diff --git a/system-config/services/containers/authentik-nix/default.nix b/system-config/services/containers/authentik-nix/default.nix index 9010bf4..e5c5f43 100644 --- a/system-config/services/containers/authentik-nix/default.nix +++ b/system-config/services/containers/authentik-nix/default.nix 
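Review bot: The `podman` group added at `+ "podman"` becomes root-equivalent for this user as soon as the rootful Podman socket is opened to that group, which on NixOS happens when `virtualisation.podman.dockerSocket.enable` is set; the generated modules in this commit do not set it, so the membership appears inert today but will silently become privileged if that option is turned on elsewhere. A comment at the group line would make that visible: `# podman group: owns the rootful podman socket once dockerSocket.enable is on (root-equivalent)`. If the user does not need socket access at all, dropping the group is the least-privilege choice. The enclosing `users.users` block starts outside the hunk.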
@@ -1,52 +1,24 @@ -{ config, lib, inputs, ... }: { +{ config, lib, ... }: { options.sysconfig.opts.virtualization.authentik.enable = lib.options.mkOption { type = lib.types.bool; default = false; }; - config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable { + config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable (lib.mkMerge [ + + (import ./docker-compose.nix) + { + sops.templates."authentik.env" = { + content = '' + POSTGRES_DB=authentik-db + POSTGRES_USER=authentik-admin + POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"} + AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"} + ''; - sops.templates."authentik.env" = { - content = '' - AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder."authentik/pass"} - AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"} - ''; - - path = "/ssd1/Authentik/data/authentik.env"; - }; - - containers.authentik = { - - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.12"; - bindMounts = { - "/root/data" = { - hostPath = "/ssd1/Authentik/data"; - isReadOnly = false; - }; + path = "/ssd1/Authentik/.env"; }; - config = { - - imports = [ - inputs.authentik-nix.nixosModules.default - ]; - - services.authentik = { - - enable = true; - environmentFile = "/root/data/authentik.env"; - settings = { - disable_startup_analytics = false; - avatars = "initials"; - }; - }; - - networking.firewall.enable = false; - }; - }; - - }; + } + ]); } diff --git a/system-config/services/containers/authentik-nix/docker-compose.nix b/system-config/services/containers/authentik-nix/docker-compose.nix new file mode 100644 index 0000000..242318e --- /dev/null +++ b/system-config/services/containers/authentik-nix/docker-compose.nix 
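Review bot: The rewritten `authentik.env` template only carries the `POSTGRES_*` names that the postgres container reads, while the `authentik-server` and `authentik-worker` containers in the new docker-compose.nix have `AUTHENTIK_POSTGRESQL__NAME`, `AUTHENTIK_POSTGRESQL__USER`, `AUTHENTIK_POSTGRESQL__PASSWORD` and `AUTHENTIK_SECRET_KEY` hard-set to `""` and no `environmentFiles`, so as committed authentik starts with an empty secret key and no database credentials (compose2nix appears to have resolved the compose `${...}` references against an absent .env). The template should also provide the authentik-side names, e.g. `AUTHENTIK_POSTGRESQL__NAME=authentik-db`, `AUTHENTIK_POSTGRESQL__USER=authentik-admin`, `AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"}` plus the secret key, and the server/worker containers should get `environmentFiles = [ "/ssd1/Authentik/.env" ];` with the empty `environment` entries removed, since an explicit `-e KEY=` would presumably shadow the file value. Separately, `authentik/pass` was the SMTP password in the removed lines and is now the database password; if the same secret value serves both roles, a dedicated sops key for the database keeps a leak of one from exposing the other.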
@@ -0,0 +1,241 @@ +# Auto-generated using compose2nix v0.3.2-pre. +{ pkgs, lib, ... }: + +{ + # Runtime + virtualisation.podman = { + enable = true; + autoPrune.enable = true; + dockerCompat = true; + defaultNetwork.settings = { + # Required for container networking to be able to use names. + dns_enabled = true; + }; + }; + + # Enable container name DNS for non-default Podman networks. + # https://github.com/NixOS/nixpkgs/issues/226365 + networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ]; + + virtualisation.oci-containers.backend = "podman"; + + # Containers + virtualisation.oci-containers.containers."authentik-postgresql" = { + image = "docker.io/library/postgres:16-alpine"; + environmentFiles = [ + "/ssd1/Authentik/.env" + ]; + volumes = [ + "authentik_database:/var/lib/postgresql/data:rw" + ]; + log-driver = "journald"; + extraOptions = [ + "--health-cmd=pg_isready -d \${POSTGRES_DB} -U \${POSTGRES_USER}" + "--health-interval=30s" + "--health-retries=5" + "--health-start-period=20s" + "--health-timeout=5s" + "--network-alias=postgresql" + "--network=authentik_backend" + ]; + }; + systemd.services."podman-authentik-postgresql" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-authentik_backend.service" + "podman-volume-authentik_database.service" + ]; + requires = [ + "podman-network-authentik_backend.service" + "podman-volume-authentik_database.service" + ]; + partOf = [ + "podman-compose-authentik-root.target" + ]; + wantedBy = [ + "podman-compose-authentik-root.target" + ]; + }; + virtualisation.oci-containers.containers."authentik-redis" = { + image = "docker.io/library/redis:alpine"; + volumes = [ + "authentik_redis:/data:rw" + ]; + cmd = [ "--save" "60" "1" "--loglevel" "warning" ]; + log-driver = "journald"; + extraOptions = [ + "--health-cmd=redis-cli ping | grep PONG" + "--health-interval=30s" + "--health-retries=5" + "--health-start-period=20s" + "--health-timeout=3s" + 
"--network-alias=redis" + "--network=authentik_backend" + ]; + }; + systemd.services."podman-authentik-redis" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-authentik_backend.service" + "podman-volume-authentik_redis.service" + ]; + requires = [ + "podman-network-authentik_backend.service" + "podman-volume-authentik_redis.service" + ]; + partOf = [ + "podman-compose-authentik-root.target" + ]; + wantedBy = [ + "podman-compose-authentik-root.target" + ]; + }; + virtualisation.oci-containers.containers."authentik-server" = { + image = "ghcr.io/goauthentik/server:2024.10.2"; + environment = { + "AUTHENTIK_ERROR_REPORTING__ENABLED" = "true"; + "AUTHENTIK_POSTGRESQL__HOST" = "postgresql"; + "AUTHENTIK_POSTGRESQL__NAME" = ""; + "AUTHENTIK_POSTGRESQL__PASSWORD" = ""; + "AUTHENTIK_POSTGRESQL__USER" = ""; + "AUTHENTIK_REDIS__HOST" = "redis"; + "AUTHENTIK_SECRET_KEY" = ""; + }; + volumes = [ + "/ssd1/Authentik/custom-templates:/templates:rw" + "/ssd1/Authentik/media:/media:rw" + ]; + ports = [ + "9000:9000/tcp" + "9443:9443/tcp" + ]; + cmd = [ "server" ]; + dependsOn = [ + "authentik-postgresql" + "authentik-redis" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=server" + "--network=authentik_backend" + ]; + }; + systemd.services."podman-authentik-server" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-authentik_backend.service" + ]; + requires = [ + "podman-network-authentik_backend.service" + ]; + partOf = [ + "podman-compose-authentik-root.target" + ]; + wantedBy = [ + "podman-compose-authentik-root.target" + ]; + }; + virtualisation.oci-containers.containers."authentik-worker" = { + image = "ghcr.io/goauthentik/server:2024.10.2"; + environment = { + "AUTHENTIK_ERROR_REPORTING__ENABLED" = "true"; + "AUTHENTIK_POSTGRESQL__HOST" = "postgresql"; + "AUTHENTIK_POSTGRESQL__NAME" = ""; + "AUTHENTIK_POSTGRESQL__PASSWORD" = ""; + "AUTHENTIK_POSTGRESQL__USER" 
= ""; + "AUTHENTIK_REDIS__HOST" = "redis"; + "AUTHENTIK_SECRET_KEY" = ""; + }; + volumes = [ + "/ssd1/Authentik/certs:/certs:rw" + "/ssd1/Authentik/custom-templates:/templates:rw" + "/ssd1/Authentik/media:/media:rw" + "/var/run/podman/podman.sock:/var/run/docker.sock:rw" + ]; + cmd = [ "worker" ]; + dependsOn = [ + "authentik-postgresql" + "authentik-redis" + ]; + user = "root"; + log-driver = "journald"; + extraOptions = [ + "--network-alias=worker" + "--network=authentik_backend" + ]; + }; + systemd.services."podman-authentik-worker" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-authentik_backend.service" + ]; + requires = [ + "podman-network-authentik_backend.service" + ]; + partOf = [ + "podman-compose-authentik-root.target" + ]; + wantedBy = [ + "podman-compose-authentik-root.target" + ]; + }; + + # Networks + systemd.services."podman-network-authentik_backend" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "podman network rm -f authentik_backend"; + }; + script = '' + podman network inspect authentik_backend || podman network create authentik_backend + ''; + partOf = [ "podman-compose-authentik-root.target" ]; + wantedBy = [ "podman-compose-authentik-root.target" ]; + }; + + # Volumes + systemd.services."podman-volume-authentik_database" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + podman volume inspect authentik_database || podman volume create authentik_database --driver=local + ''; + partOf = [ "podman-compose-authentik-root.target" ]; + wantedBy = [ "podman-compose-authentik-root.target" ]; + }; + systemd.services."podman-volume-authentik_redis" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + podman volume inspect authentik_redis || podman volume create authentik_redis --driver=local + ''; + partOf = [ 
"podman-compose-authentik-root.target" ]; + wantedBy = [ "podman-compose-authentik-root.target" ]; + }; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. + systemd.targets."podman-compose-authentik-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = [ "multi-user.target" ]; + }; +} diff --git a/system-config/services/containers/pihole/default.nix b/system-config/services/containers/pihole/default.nix index 2431b21..8e11aa8 100644 --- a/system-config/services/containers/pihole/default.nix +++ b/system-config/services/containers/pihole/default.nix @@ -1,29 +1,21 @@ -{ config, lib, pkgs, ... }: { +{ config, lib, ... }: { options.sysconfig.opts.virtualization.pihole.enable = lib.options.mkOption { type = lib.types.bool; default = false; }; - config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable { - - sops.templates."pihole.env" = { - content = '' - WEBPASSWORD=${config.sops.placeholder."pihole/pass"} - ''; + config = lib.mkIf config.sysconfig.opts.virtualization.pihole.enable (lib.mkMerge [ - path = "/ssd1/Pihole/.env"; - }; - systemd.services.launchPihole = { + (import ./docker-compose.nix) + { + sops.templates."pihole.env" = { + content = '' + WEBPASSWORD=${config.sops.placeholder."pihole/pass"} + ''; - enable = false; - - wantedBy = [ "multi-user.target" ]; - - script = '' - cd /ssd1/Pihole - ${pkgs.docker-compose}/bin/docker-compose up - ''; - }; - }; + path = "/ssd1/Pihole/.env"; + }; + } + ]); } diff --git a/system-config/services/containers/pihole/docker-compose.nix b/system-config/services/containers/pihole/docker-compose.nix new file mode 100644 index 0000000..c170bea --- /dev/null +++ b/system-config/services/containers/pihole/docker-compose.nix 
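Review bot: `authentik-worker` bind-mounts `/var/run/podman/podman.sock` into the container as `/var/run/docker.sock:rw` and runs with `user = "root"`, which hands the worker full control of the rootful Podman API and therefore of the host; upstream authentik only needs this for managing Docker-deployed outposts, so unless that feature is used the volume line and `user = "root"` should go from the compose source and the file be regenerated, and if they stay a comment should record why: `# podman socket mount: host-root-equivalent, needed only for docker outpost integration`. The image tags are also mixed: `ghcr.io/goauthentik/server:2024.10.2` is version-pinned but `docker.io/library/redis:alpine` floats, as do `pihole/pihole:latest` and `mvance/unbound:latest` in the pihole docker-compose.nix hunk; pinning by digest (`image@sha256:<DIGEST>`) makes rebuilds reproducible and keeps a registry-side tag move from silently changing what runs. This file is generated by compose2nix, so any edit belongs in the compose source rather than here.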
@@ -0,0 +1,123 @@ +# Auto-generated using compose2nix v0.3.2-pre. +{ pkgs, lib, ... }: + +{ + # Runtime + virtualisation.podman = { + enable = true; + autoPrune.enable = true; + dockerCompat = true; + defaultNetwork.settings = { + # Required for container networking to be able to use names. + dns_enabled = true; + }; + }; + + # Enable container name DNS for non-default Podman networks. + # https://github.com/NixOS/nixpkgs/issues/226365 + networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ]; + + virtualisation.oci-containers.backend = "podman"; + + # Containers + virtualisation.oci-containers.containers."pihole" = { + image = "pihole/pihole:latest"; + environment = { + "PIHOLE_DNS" = "'192.168.101.2#5335'"; + "TZ" = "'America/Chicago'"; + }; + environmentFiles = [ + "/ssd1/Pihole/.env" + ]; + volumes = [ + "/ssd1/Pihole/etc-dnsmasq.d:/etc/dnsmasq.d:rw" + "/ssd1/Pihole/etc-pihole:/etc/pihole:rw" + ]; + ports = [ + "53:53/tcp" + "53:53/udp" + "8080:80/tcp" + ]; + log-driver = "journald"; + extraOptions = [ + "--ip=192.168.101.1" + "--network-alias=pihole" + "--network=pihole_dns_net" + ]; + }; + systemd.services."podman-pihole" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-pihole_dns_net.service" + ]; + requires = [ + "podman-network-pihole_dns_net.service" + ]; + partOf = [ + "podman-compose-pihole-root.target" + ]; + wantedBy = [ + "podman-compose-pihole-root.target" + ]; + }; + virtualisation.oci-containers.containers."unbound" = { + image = "mvance/unbound:latest"; + volumes = [ + "/ssd1/Pihole/unbound:/opt/unbound/etc/unbound:rw" + ]; + ports = [ + "5335:53/tcp" + "5335:53/udp" + ]; + log-driver = "journald"; + extraOptions = [ + "--ip=192.168.101.2" + "--network-alias=unbound" + "--network=pihole_dns_net" + ]; + }; + systemd.services."podman-unbound" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-pihole_dns_net.service" + ]; + requires = [ + 
"podman-network-pihole_dns_net.service" + ]; + partOf = [ + "podman-compose-pihole-root.target" + ]; + wantedBy = [ + "podman-compose-pihole-root.target" + ]; + }; + + # Networks + systemd.services."podman-network-pihole_dns_net" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "podman network rm -f pihole_dns_net"; + }; + script = '' + podman network inspect pihole_dns_net || podman network create pihole_dns_net --driver=bridge --subnet=192.168.0.0/16 + ''; + partOf = [ "podman-compose-pihole-root.target" ]; + wantedBy = [ "podman-compose-pihole-root.target" ]; + }; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. + systemd.targets."podman-compose-pihole-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = [ "multi-user.target" ]; + }; +}
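Review bot: The `PIHOLE_DNS` and `TZ` values carry literal single quotes (`"'192.168.101.2#5335'"`, `"'America/Chicago'"`); Nix passes the string verbatim to `podman -e`, so the container most likely receives the quotes as part of the value and neither the upstream-resolver nor the timezone setting will parse, and they should read `"PIHOLE_DNS" = "192.168.101.2#5335";` and `"TZ" = "America/Chicago";` — presumably by fixing the compose source and regenerating. The port in that value also looks suspect: `5335:53` is a host-side publish, while container-to-container traffic to `192.168.101.2` reaches unbound's real listening port (53 unless the mounted unbound config changes it), so `192.168.101.2#53` or `unbound#53` may be what is intended. The network is created with `--subnet=192.168.0.0/16`, which claims the whole 192.168/16 range for one bridge; the two static IPs only need something like `192.168.101.0/24`, and the /16 risks overlapping the host LAN or the other Podman networks so that routes to real hosts are captured by the bridge. Lastly, `8080:80/tcp` publishes the admin UI on every host interface over plain HTTP; if it is only used locally, binding it to a specific address (e.g. `127.0.0.1:8080:80/tcp`) narrows the exposure.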