From 1bc21d0ca86f099c6d7c4947b47a5e03dae9ae19 Mon Sep 17 00:00:00 2001 From: Christoph Urlacher Date: Wed, 9 Jul 2025 00:10:50 +0200 Subject: [PATCH] System/Servenix: Add initial servenix system configuration --- system/servenix/default.nix | 113 ++++++++++++++++++ system/servenix/hardware-configuration.nix | 99 ++++++++++++++++ system/services/0_TEMPLATE.nix | 30 +++++ system/services/adguard.nix | 49 ++++++++ system/services/authelia.nix | 31 +++++ system/services/formula10.nix | 31 +++++ system/services/formula11.nix | 65 +++++++++++ system/services/gitea-runner.nix | 39 +++++++ system/services/gitea.nix | 79 +++++++++++++ system/services/heidi.nix | 31 +++++ system/services/immich.nix | 96 ++++++++++++++++ system/services/jellyfin.nix | 42 +++++++ system/services/kopia.nix | 81 +++++++++++++ system/services/nextcloud.nix | 126 +++++++++++++++++++++ system/services/nginx-proxy-manager.nix | 36 ++++++ system/services/paperless.nix | 87 ++++++++++++++ system/services/portainer.nix | 53 +++++++++ system/services/whats-up-docker.nix | 29 +++++ 18 files changed, 1117 insertions(+) create mode 100644 system/servenix/default.nix create mode 100644 system/servenix/hardware-configuration.nix create mode 100644 system/services/0_TEMPLATE.nix create mode 100644 system/services/adguard.nix create mode 100644 system/services/authelia.nix create mode 100644 system/services/formula10.nix create mode 100644 system/services/formula11.nix create mode 100644 system/services/gitea-runner.nix create mode 100644 system/services/gitea.nix create mode 100644 system/services/heidi.nix create mode 100644 system/services/immich.nix create mode 100644 system/services/jellyfin.nix create mode 100644 system/services/kopia.nix create mode 100644 system/services/nextcloud.nix create mode 100644 system/services/nginx-proxy-manager.nix create mode 100644 system/services/paperless.nix create mode 100644 system/services/portainer.nix create mode 100644 system/services/whats-up-docker.nix diff --git a/system/servenix/default.nix b/system/servenix/default.nix new file mode 100644 index 00000000..8314eb43 --- /dev/null +++ b/system/servenix/default.nix @@ -0,0 +1,113 @@ +{ + inputs, + hostname, + lib, + mylib, + config, + pkgs, + system, + username, + headless, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + + ../modules + + # My own services + ../services/heidi.nix + ../services/formula10.nix + ../services/formula11.nix + + # General services + ../services/authelia.nix + ../services/gitea.nix + ../services/gitea-runner.nix + ../services/immich.nix + ../services/jellyfin.nix + ../services/kopia.nix + ../services/nextcloud.nix + ../services/nginx-proxy-manager.nix + ../services/paperless.nix + ../services/portainer.nix + ../services/whats-up-docker.nix + ]; + + modules = { + network = { + useNetworkManager = false; + + networks = { + "10-ether-1G" = mylib.networking.mkStaticSystemdNetwork { + interface = "ens18"; + ips = ["192.168.86.25/24"]; + routers = ["192.168.86.5"]; + nameservers = ["192.168.86.26"]; + routable = true; + }; + }; + + allowedTCPPorts = [ + 53 # DNS + 80 # HTTP + 3000 # Gitea runner needs to reach local gitea instance + ]; + + allowedUDPPorts = [ + 53 # DNS + 67 # DHCP + 3000 # Gitea runner needs to reach local gitea instance + ]; + }; + }; + + networking.firewall.trustedInterfaces = ["docker0" "podman0"]; + + systemd.services.init-behind-nginx-docker-network = { + description = "Create a docker network bridge for all services behind nginx-proxy-manager."; + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + + serviceConfig.Type = "oneshot"; + script = let + cli = "${config.virtualisation.docker.package}/bin/docker"; + network = "behind-nginx"; + in '' + # Put a true at the end to prevent getting non-zero return code, which will + # crash the whole service. + check=$(${cli} network ls | grep ${network} || true) + if [ -z "$check" ]; then + # TODO: Disable IP masquerading to show individual containers in AdGuard/Pi-Hole + # - Disabling this prevents containers from having internet connection. DNS issue? + # ${cli} network create -o "com.docker.network.bridge.enable_ip_masquerade"="false" ${network} + + # ${cli} network create --ipv6 --gateway="2000::1" --subnet="2000::/80" ${network} + ${cli} network create ${network} + else + echo "${network} already exists in docker" + fi + ''; + }; + + # List services that you want to enable: + services = { + # Configure keymap in X11 + xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + videoDrivers = ["nvidia"]; + }; + + qemuGuest.enable = true; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/system/servenix/hardware-configuration.nix b/system/servenix/hardware-configuration.nix new file mode 100644 index 00000000..b659ad69 --- /dev/null +++ b/system/servenix/hardware-configuration.nix @@ -0,0 +1,99 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"]; + initrd.kernelModules = []; + kernelModules = ["kvm-intel"]; + extraModulePackages = []; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/2d1b1f62-f008-4562-906e-5a63d854b18b"; + fsType = "ext4"; + options = ["defaults" "rw" "relatime"]; + }; + + "/home/christoph/ssd" = { + device = "/dev/disk/by-uuid/ff42f57c-cd45-41ea-a0ee-640e638b38bc"; + fsType = "ext4"; + options = ["defaults" "rw" "relatime"]; + }; + + # Synology DS223j + + "/media/synology-syncthing" = { + device = "192.168.86.15:/volume1/DockerVolumes"; + fsType = "nfs"; + options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"]; + }; + + # SG Exos Mirror Shares + + "/media/Movie" = { + device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Movie"; + fsType = "nfs"; + options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"]; + }; + + "/media/Show" = { + device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Show"; + fsType = "nfs"; + options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"]; + }; + + "/media/TV-Music" = { + device = "192.168.86.20:/mnt/SG Exos Mirror 18TB/Music"; + fsType = "nfs"; + options = ["defaults" "rw" "relatime" "_netdev" "bg" "soft"]; + }; + }; + + swapDevices = []; + + hardware = { + enableAllFirmware = true; + enableRedistributableFirmware = true; + cpu.intel.updateMicrocode = true; + bluetooth.enable = false; + nvidia-container-toolkit.enable = true; + + nvidia = { + package = config.boot.kernelPackages.nvidiaPackages.stable; + + modesetting.enable = false; + open = true; + nvidiaSettings = false; + }; + + graphics = { + enable = true; + enable32Bit = true; + + extraPackages = with pkgs; [ + vaapiVdpau + libvdpau-va-gl + + nvidia-vaapi-driver + ]; + }; + }; + + environment.variables = { + GBM_BACKEND = "nvidia-drm"; + __GLX_VENDOR_LIBRARY_NAME = "nvidia"; + LIBVA_DRIVER_NAME = "nvidia"; + NVD_BACKEND = "direct"; # egl + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/system/services/0_TEMPLATE.nix b/system/services/0_TEMPLATE.nix new file mode 100644 index 00000000..4ee6da75 --- /dev/null +++ b/system/services/0_TEMPLATE.nix @@ -0,0 +1,30 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.TEMPLATE = { + image = "TEMPLATE"; + autoStart = true; + + dependsOn = []; + + ports = []; + + volumes = []; + + environment = { + PUID = "1000"; + PGID = "1000"; + TZ = "Europe/Berlin"; + # NVIDIA_VISIBLE_DEVICES = "all"; + # NVIDIA_DRIVER_CAPABILITIES = "all"; + }; + + extraOptions = [ + # "--gpus=all" + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/adguard.nix b/system/services/adguard.nix new file mode 100644 index 00000000..933896a4 --- /dev/null +++ b/system/services/adguard.nix @@ -0,0 +1,49 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.adguard = { + image = "adguard/adguardhome"; + autoStart = true; + + dependsOn = []; + + ports = [ + # DNS server + "53:53/tcp" + "53:53/udp" + # "853:853/tcp" # DNS over TLS + # "853:853/udp" # DNS over QUIC + + # DHCP server + # "67:67/udp" + # "68:68/tcp" + # "68:68/udp" + + # Admin panel + DNS over HTTPS + # "80:80/tcp" + # "443:443/tcp" + # "443:443/udp" + # "3100:3000/tcp" # Web interface + + # DNSCrypt + # "5443:5443/tcp" + # "5443:5443/udp" + + # "6060:6060/tcp" # Debugging + ]; + + volumes = [ + "adguard_config:/opt/adguardhome/conf" + "adguard_work:/opt/adguardhome/work" + ]; + + environment = {}; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/authelia.nix b/system/services/authelia.nix new file mode 100644 index 00000000..11f6e7b1 --- /dev/null +++ b/system/services/authelia.nix @@ -0,0 +1,31 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.authelia = { + image = "authelia/authelia:latest"; + autoStart = true; + + dependsOn = [ + # "pihole" + ]; + + ports = [ + # "9091:9091" + ]; + + volumes = [ + "authelia_config:/config" + ]; + + environment = { + TZ = "Europe/Berlin"; + }; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/formula10.nix b/system/services/formula10.nix new file mode 100644 index 00000000..e7117090 --- /dev/null +++ b/system/services/formula10.nix @@ -0,0 +1,31 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.formula10 = { + image = "gitea.vps.chriphost.de/christoph/formula10:latest"; + autoStart = true; + + dependsOn = []; + + ports = [ + "55555:5000" + ]; + + volumes = [ + "formula10_data:/app/instance" + "formula10_cache:/cache" + ]; + + environment = { + TZ = "Europe/Berlin"; + }; + + extraOptions = [ + "--init" # Make an init process take up PID 1, to make python receive the SIGTERM + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/formula11.nix b/system/services/formula11.nix new file mode 100644 index 00000000..24a3b0a3 --- /dev/null +++ b/system/services/formula11.nix @@ -0,0 +1,65 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.formula11_pocketbase = { + image = "gitea.vps.chriphost.de/christoph/pocketbase:0.25.0"; + autoStart = true; + + dependsOn = [ + # "pihole" + ]; + + ports = [ + "8090:8080" + ]; + + volumes = [ + "formula11_pb_data:/pb/pb_data" + ]; + + environment = {}; + + extraOptions = [ + # "--gpus=all" + "--net=behind-nginx" + ]; + }; + + virtualisation.oci-containers.containers.formula11 = { + image = "gitea.vps.chriphost.de/christoph/formula11:latest"; + autoStart = true; + + dependsOn = [ + "formula11_pocketbase" + ]; + + ports = [ + # "8080:8090" + "5173:3000" + ]; + + volumes = []; + + environment = { + # PB_PROTOCOL="http"; + # PB_HOST="formula11_pocketbase"; + # PB_PORT="8000"; + + # PB_PROTOCOL="https"; + # PB_URL="f11pb.vps.chriphost.de"; + + PUBLIC_PBURL="https://f11pb.vps.chriphost.de"; + + # Required by SvelteKit to prevent cross-site POST errors + ORIGIN="https://f11.vps.chriphost.de"; + }; + + extraOptions = [ + # "--gpus=all" + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/gitea-runner.nix b/system/services/gitea-runner.nix new file mode 100644 index 00000000..0611cff8 --- /dev/null +++ b/system/services/gitea-runner.nix @@ -0,0 +1,39 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.gitea-runner = { + image = "gitea/act_runner:latest"; # NOTE: vegardit has other runner images + autoStart = true; + + dependsOn = []; + + ports = []; + + volumes = [ + "gitea-runner_data:/data" + "gitea-runner_config:/config" # Managed by env variables for vegardit image + + "/var/run/docker.sock:/var/run/docker.sock" # Disable for dind + ]; + + environment = { + # NOTE: gitlab.local.chriphost.de doesn't work, because it gets resolved to 192.168.86.25:443, which is nginx + GITEA_INSTANCE_URL = "http://192.168.86.25:3000"; + GITEA_RUNNER_NAME = "servenix"; + + # Can be generated from inside the container using act_runner generate-config > /config/config.yaml + CONFIG_FILE = "/config/config.yaml"; + + # NOTE: This token is invalid, when re-registering is needed it has to be refreshed + GITEA_RUNNER_REGISTRATION_TOKEN = "Mq6wr0dPthqDij3iaryP8s5VYZA5kPfOQbHA6wm6"; + }; + + extraOptions = [ + # "--privileged" # Enable for dind + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/gitea.nix b/system/services/gitea.nix new file mode 100644 index 00000000..d66f2fb2 --- /dev/null +++ b/system/services/gitea.nix @@ -0,0 +1,79 @@ +{ + config, + lib, + pkgs, + ... +}: { + # Extra git user for Gitea + users.users.git = { + uid = 500; + group = "git"; + isNormalUser = false; + isSystemUser = true; + description = "Gitea User"; + extraGroups = ["docker" "podman"]; + shell = pkgs.fish; + }; + + virtualisation.oci-containers.containers.gitea-db = { + image = "postgres:14"; + autoStart = true; + + dependsOn = []; + + ports = []; + + volumes = [ + "gitea-db_data:/var/lib/postgresql/data" + ]; + + environment = { + POSTGRES_USER = "gitea"; + POSTGRES_PASSWORD = "gitea"; + POSTGRES_DB = "gitea"; + }; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; + + virtualisation.oci-containers.containers.gitea = { + image = "gitea/gitea:latest"; + autoStart = true; + + dependsOn = [ + "gitea-db" + ]; + + ports = [ + "3000:3000" + + # NOTE: Set .git/config url to ssh://christoph@gitea.local.chriphost.de:222/christoph/.git + "222:222" # Gitea SSH + ]; + + volumes = [ + "/etc/timezone:/etc/timezone:ro" + "/etc/localtime:/etc/localtime:ro" + + "gitea_data:/data" + ]; + + environment = { + USER = "git"; + USER_UID = "500"; + # USER_GID = "100"; + + GITEA__database__DB_TYPE = "postgres"; + GITEA__database__HOST = "gitea-db:5432"; + GITEA__database__NAME = "gitea"; + GITEA__database__USER = "gitea"; + GITEA__database__PASSWD = "gitea"; + }; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/heidi.nix b/system/services/heidi.nix new file mode 100644 index 00000000..35ade07e --- /dev/null +++ b/system/services/heidi.nix @@ -0,0 +1,31 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.heidi = { + image = "gitea.vps.chriphost.de/christoph/discord-heidi:latest"; + autoStart = true; + + dependsOn = []; + + ports = []; + + volumes = [ + "heidi_config:/config" + + "/home/christoph/heidi-sounds:/sounds:ro" + ]; + + environment = { + DISCORD_TOKEN = (builtins.readFile ./heidi.discord_token); + DOCKER = "True"; + }; + + extraOptions = [ + "--init" # Make an init process take up PID 1, to make python receive the SIGTERM + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/immich.nix b/system/services/immich.nix new file mode 100644 index 00000000..3c6a92b7 --- /dev/null +++ b/system/services/immich.nix @@ -0,0 +1,96 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.immich-database = { + image = "ghcr.io/immich-app/postgres:15-vectorchord0.3.0-pgvectors0.2.0"; + autoStart = true; + + dependsOn = []; + + ports = [ + # "5432:5432" + ]; + + volumes = [ + "immich-database_data:/var/lib/postgresql/data" + ]; + + environment = { + POSTGRES_USER = "immich"; + POSTGRES_PASSWORD = "immich"; + POSTGRES_DB = "immich"; + }; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; + + virtualisation.oci-containers.containers.immich-redis = { + image = "redis"; + autoStart = true; + + dependsOn = []; + + ports = [ + # "6379:6379" + ]; + + volumes = []; + + environment = {}; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; + + virtualisation.oci-containers.containers.immich = { + image = "ghcr.io/imagegenius/immich:latest"; + autoStart = true; + + dependsOn = [ + "immich-database" + "immich-redis" + ]; + + ports = [ + "2283:8080" + ]; + + volumes = [ + "immich_config:/config" + "immich_data:/photos" + "immich_machine-learning:/config/machine-learning" + # "immich_imports:/import:ro" + ]; + + environment = { + PUID = "1000"; + PGID = "1000"; + TZ = "Europe/Berlin"; + + DB_HOSTNAME = "immich-database"; + DB_USERNAME = "immich"; + DB_PASSWORD = "immich"; + # DB_PORT = "5432"; + DB_DATABASE_NAME = "immich"; + + REDIS_HOSTNAME = "immich-redis"; + # REDIS_PORT = "6379"; + # REDIS_PASSWORD = ""; + + MACHINE_LEARNING_WORKERS = "1"; + MACHINE_LEARNING_WORKER_TIMEOUT = "120"; + }; + + extraOptions = [ + "--privileged" + "--gpus=all" + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/jellyfin.nix b/system/services/jellyfin.nix new file mode 100644 index 00000000..be5458df --- /dev/null +++ b/system/services/jellyfin.nix @@ -0,0 +1,42 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.jellyfin = { + image = "linuxserver/jellyfin:latest"; + autoStart = true; + + dependsOn = [ + # "pihole" + ]; + + ports = [ + "8096:8096" + ]; + + volumes = [ + "/media/Show:/data/tvshows" + "/media/Movie:/data/movies" + "/media/TV-Music:/data/music" + + "jellyfin_config:/config" + ]; + + environment = { + PUID = "3000"; + PGID = "3000"; + TZ = "Europe/Berlin"; + + NVIDIA_VISIBLE_DEVICES = "all"; + NVIDIA_DRIVER_CAPABILITIES = "all"; + }; + + extraOptions = [ + "--privileged" + "--gpus=all" + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/kopia.nix b/system/services/kopia.nix new file mode 100644 index 00000000..04bd413f --- /dev/null +++ b/system/services/kopia.nix @@ -0,0 +1,81 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.kopia = { + image = "kopia/kopia:latest"; + autoStart = true; + + dependsOn = []; + + ports = [ + # "51515:51515" + ]; + + volumes = [ + "kopia_config:/app/config" + "kopia_cache:/app/cache" + "kopia_logs:/app/logs" + "kopia_temp:/tmp" + + # Repository, where snapshots are stored (incrementally) + "/media/synology-syncthing:/repository" + + # Folders that are backed up + # "adguard_config:/data/adguard_config:ro" # ThinkNix + # "adguard_work:/data/adguard_work:ro" # ThinkNix + "authelia_config:/data/authelia_config:ro" + "formula10_cache:/data/formula10_cache:ro" + "formula10_data:/data/formula10_data:ro" + "gitea-db_data:/data/gitea-db_data:ro" + "gitea-runner_config:/data/gitea-runner_config:ro" + "gitea-runner_data:/data/gitea-runner_data:ro" + "gitea_data:/data/gitea_data:ro" + "heidi_config:/data/heidi_config:ro" + # "homeassistant_config:/data/homeassistant_config:ro" # ThinkNix + # "homepage_config:/data/homepage_config:ro" + "immich-database_data:/data/immich-database_data:ro" + "immich_config:/data/immich_config:ro" + "immich_data:/data/immich_data:ro" + "immich_machine-learning:/data/immich_machine-learning:ro" + "jellyfin_config:/data/jellyfin_config:ro" + "nextcloud-db_data:/data/nextcloud-db_data:ro" + "nextcloud_data:/data/nextcloud_data:ro" + "nginx_config:/data/nginx_config:ro" + "nginx_letsencrypt:/data/nginx_letsencrypt:ro" + "nginx_snippets:/data/nginx_snippets:ro" + "paperless-postgres_data:/data/paperless-postgres_data:ro" + "paperless_data:/data/paperless_data:ro" + # "portainer_config:/data/portainer_config:ro" + # "uptime-kuma_config:/data/uptime-kuma_config:ro" # Disabled + # "wireguard_vps_config:/data/wireguard_vps_config:ro" + ]; + + environment = { + TZ = "Europe/Berlin"; + USER = "christoph"; + KOPIA_PASSWORD = (builtins.readFile ./kopia.password); + }; + + entrypoint = "/bin/kopia"; + + cmd = [ + "server" + "start" + "--disable-csrf-token-checks" + "--insecure" + "--address=0.0.0.0:51515" + "--server-username=christoph" + "--server-password=kopia" + ]; + + extraOptions = [ + "--privileged" + "--device=/dev/fuse:/dev/fuse:rwm" + "--cap-add=SYS_ADMIN" + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/nextcloud.nix b/system/services/nextcloud.nix new file mode 100644 index 00000000..9f405fe5 --- /dev/null +++ b/system/services/nextcloud.nix @@ -0,0 +1,126 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.nextcloud-db = { + image = "postgres:alpine"; + autoStart = true; + + dependsOn = []; + + ports = [ + # "5432:5432" + ]; + + volumes = [ + "nextcloud-db_data:/var/lib/postgresql/data" + ]; + + environment = { + POSTGRES_PASSWORD = "nextcloud"; + POSTGRES_DB = "nextcloud"; + POSTGRES_USER = "nextcloud"; + }; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; + + virtualisation.oci-containers.containers.nextcloud-memcache = { + image = "redis:alpine"; + autoStart = true; + + dependsOn = []; + + ports = [ + # "6379:6379" + ]; + + volumes = [ + "nextcloud-memcache_data:/data" + ]; + + environment = {}; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; + + virtualisation.oci-containers.containers.nextcloud = { + image = "nextcloud:apache"; + autoStart = true; + + dependsOn = [ + "nextcloud-db" + "nextcloud-memcache" + ]; + + ports = [ + "8080:80" + ]; + + volumes = [ + "nextcloud_data:/var/www/html" + + # Paperless media + # "/media/paperless-consume:/media/paperless-consume" + # "/media/paperless-export:/media/paperless-export" + # "/media/paperless-media:/media/paperless-media" + "/home/christoph/nextcloud:/flow-scripts" + + # "/var/run/docker.sock:/var/run/docker.sock:ro" # For AiO + ]; + + environment = { + # Don't add PUID/PGID/TZ or sth like that! + + # Allow uploads larger than 1GB + APACHE_BODY_LIMIT = "0"; + NEXTCLOUD_TRUSTED_DOMAINS = "https://nextcloud.local.chriphost.de https://local.chriphost.de https://nextcloud.vps.chriphost.de https://vps.chriphost.de"; + + # Proxy + APACHE_DISABLE_REWRITE_IP = "1"; + TRUSTED_PROXIES = "192.168.86.25 212.227.233.241 172.19.0.1"; + OVERWRITEPROTOCOL = "https"; + + # DB + POSTGRES_HOST = "nextcloud-db"; + POSTGRES_PASSWORD = "nextcloud"; + POSTGRES_DB = "nextcloud"; + POSTGRES_USER = "nextcloud"; + + # Memcache + Transactional Locking + REDIS_HOST = "nextcloud-memcache"; + }; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; + + systemd.services.nextcloud-cron = { + enable = true; + description = "Nextcloud Cron Job"; + + serviceConfig = { + ExecStart = "${pkgs.docker}/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php"; + }; + }; + + systemd.timers.nextcloud-cron = { + enable = true; + description = "Nextcloud Cron Job"; + + timerConfig = { + OnBootSec = "5min"; + OnUnitActiveSec = "5min"; + Unit = "nextcloud-cron.service"; + }; + + wantedBy = ["timers.target"]; + }; +} diff --git a/system/services/nginx-proxy-manager.nix b/system/services/nginx-proxy-manager.nix new file mode 100644 index 00000000..a088b6c3 --- /dev/null +++ b/system/services/nginx-proxy-manager.nix @@ -0,0 +1,36 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.nginx-proxy-manager = { + image = "jc21/nginx-proxy-manager:latest"; + autoStart = true; + + dependsOn = [ + # "pihole" + ]; + + ports = [ + "80:80" + # "81:81" # Web interface + "443:443" + ]; + + volumes = [ + "nginx_config:/data" + "nginx_snippets:/snippets" + "nginx_letsencrypt:/etc/letsencrypt" + ]; + + environment = { + DISABLE_IPV6 = "true"; + }; + + extraOptions = [ + # "--net=host" + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/paperless.nix b/system/services/paperless.nix new file mode 100644 index 00000000..951fc9ba --- /dev/null +++ b/system/services/paperless.nix @@ -0,0 +1,87 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.paperless-redis = { + image = "docker.io/library/redis:7"; + autoStart = true; + + dependsOn = []; + + ports = []; + + volumes = [ + "paperless-redis_data:/data" + ]; + + environment = {}; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; + + virtualisation.oci-containers.containers.paperless-postgres = { + image = "docker.io/library/postgres:15"; + autoStart = true; + + dependsOn = []; + + ports = []; + + volumes = [ + "paperless-postgres_data:/var/lib/postgresql/data" + ]; + + environment = { + POSTGRES_DB = "paperless"; + POSTGRES_USER = "paperless"; + POSTGRES_PASSWORD = "paperless"; + }; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; + + virtualisation.oci-containers.containers.paperless = { + image = "ghcr.io/paperless-ngx/paperless-ngx:latest"; + autoStart = true; + + dependsOn = [ + "paperless-redis" + "paperless-postgres" + ]; + + ports = [ + "8000:8000" + ]; + + volumes = [ + "paperless_data:/usr/src/paperless/data" + "/media/paperless-media:/usr/src/paperless/media" + "/media/paperless-export:/usr/src/paperless/export" + "/media/paperless-consume:/usr/src/paperless/consume" + ]; + + environment = { + PAPERLESS_REDIS = "redis://paperless-redis:6379"; + PAPERLESS_DBHOST = "paperless-postgres"; + + # PAPERLESS_ADMIN_USER = "root"; + # PAPERLESS_ADMIN_PASSWORD = "admin"; + + PAPERLESS_URL = "https://*.chriphost.de"; + # PAPERLESS_CSRF_TRUSTED_ORIGINS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]"; + # PAPERLESS_ALLOWED_HOSTS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]"; + # PAPERLESS_CORS_ALLOWED_HOSTS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]"; + }; + + extraOptions = [ + # "--gpus=all" + "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/portainer.nix b/system/services/portainer.nix new file mode 100644 index 00000000..7094ea94 --- /dev/null +++ b/system/services/portainer.nix @@ -0,0 +1,53 @@ +{ + config, + lib, + pkgs, + ... +}: { + # virtualisation.oci-containers.containers.portainer = { + # image = "portainer/portainer-ce:latest"; + # autoStart = true; + + # dependsOn = []; + + # ports = [ + # # "8000:8000" + # # "9443:9443" + # ]; + + # volumes = [ + # "portainer_config:/data" + + # "/var/run/docker.sock:/var/run/docker.sock" + # ]; + + # environment = {}; + + # extraOptions = [ + # "--net=behind-nginx" + # ]; + # }; + + virtualisation.oci-containers.containers.portainer-agent = { + image = "portainer/agent:latest"; + autoStart = true; + + dependsOn = []; + + ports = [ + "9001:9001" + ]; + + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + "/var/lib/docker/volumes:/var/lib/docker/volumes" + ]; + + environment = {}; + + extraOptions = [ + # This container needs to be accessible from another machine inside the LAN + # "--net=behind-nginx" + ]; + }; +} diff --git a/system/services/whats-up-docker.nix b/system/services/whats-up-docker.nix new file mode 100644 index 00000000..ec40357e --- /dev/null +++ b/system/services/whats-up-docker.nix @@ -0,0 +1,29 @@ +{ + config, + lib, + pkgs, + ... +}: { + virtualisation.oci-containers.containers.whats-up-docker = { + image = "getwud/wud:latest"; + autoStart = true; + + dependsOn = [ + # "pihole" + ]; + + ports = [ + # "3001:3000" + ]; + + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + ]; + + environment = {}; + + extraOptions = [ + "--net=behind-nginx" + ]; + }; +}