System/Servenix: Add initial servenix system configuration

system/services/0_TEMPLATE.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.TEMPLATE = {
+    image = "TEMPLATE";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [];
+
+    environment = {
+      PUID = "1000";
+      PGID = "1000";
+      TZ = "Europe/Berlin";
+      # NVIDIA_VISIBLE_DEVICES = "all";
+      # NVIDIA_DRIVER_CAPABILITIES = "all";
+    };
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/adguard.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.adguard = {
+    image = "adguard/adguardhome";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # DNS server
+      "53:53/tcp"
+      "53:53/udp"
+      # "853:853/tcp" # DNS over TLS
+      # "853:853/udp" # DNS over QUIC
+
+      # DHCP server
+      # "67:67/udp"
+      # "68:68/tcp"
+      # "68:68/udp"
+
+      # Admin panel + DNS over HTTPS
+      # "80:80/tcp"
+      # "443:443/tcp"
+      # "443:443/udp"
+      # "3100:3000/tcp" # Web interface
+
+      # DNSCrypt
+      # "5443:5443/tcp"
+      # "5443:5443/udp"
+
+      # "6060:6060/tcp" # Debugging
+    ];
+
+    volumes = [
+      "adguard_config:/opt/adguardhome/conf"
+      "adguard_work:/opt/adguardhome/work"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/authelia.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.authelia = {
+    image = "authelia/authelia:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      # "9091:9091"
+    ];
+
+    volumes = [
+      "authelia_config:/config"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/formula10.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.formula10 = {
+    image = "gitea.vps.chriphost.de/christoph/formula10:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      "55555:5000"
+    ];
+
+    volumes = [
+      "formula10_data:/app/instance"
+      "formula10_cache:/cache"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+    };
+
+    extraOptions = [
+      "--init" # Make an init process take up PID 1, to make python receive the SIGTERM
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/formula11.nix

@@ -0,0 +1,65 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.formula11_pocketbase = {
+    image = "gitea.vps.chriphost.de/christoph/pocketbase:0.25.0";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      "8090:8080"
+    ];
+
+    volumes = [
+      "formula11_pb_data:/pb/pb_data"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.formula11 = {
+    image = "gitea.vps.chriphost.de/christoph/formula11:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "formula11_pocketbase"
+    ];
+
+    ports = [
+      # "8080:8090"
+      "5173:3000"
+    ];
+
+    volumes = [];
+
+    environment = {
+      # PB_PROTOCOL="http";
+      # PB_HOST="formula11_pocketbase";
+      # PB_PORT="8000";
+
+      # PB_PROTOCOL="https";
+      # PB_URL="f11pb.vps.chriphost.de";
+
+      PUBLIC_PBURL="https://f11pb.vps.chriphost.de";
+
+      # Required by SvelteKit to prevent cross-site POST errors
+      ORIGIN="https://f11.vps.chriphost.de";
+    };
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/gitea-runner.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.gitea-runner = {
+    image = "gitea/act_runner:latest"; # NOTE: vegardit has other runner images
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "gitea-runner_data:/data"
+      "gitea-runner_config:/config" # Managed by env variables for vegardit image
+    
+      "/var/run/docker.sock:/var/run/docker.sock" # Disable for dind
+    ];
+
+    environment = {
+      # NOTE: gitlab.local.chriphost.de doesn't work, because it gets resolved to 192.168.86.25:443, which is nginx
+      GITEA_INSTANCE_URL = "http://192.168.86.25:3000";
+      GITEA_RUNNER_NAME = "servenix";
+
+      # Can be generated from inside the container using act_runner generate-config > /config/config.yaml
+      CONFIG_FILE = "/config/config.yaml";
+
+      # NOTE: This token is invalid, when re-registering is needed it has to be refreshed
+      GITEA_RUNNER_REGISTRATION_TOKEN = "Mq6wr0dPthqDij3iaryP8s5VYZA5kPfOQbHA6wm6";
+    };
+
+    extraOptions = [
+      # "--privileged" # Enable for dind
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/gitea.nix

@@ -0,0 +1,79 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # Extra git user for Gitea
+  users.users.git = {
+    uid = 500;
+    group = "git";
+    isNormalUser = false;
+    isSystemUser = true;
+    description = "Gitea User";
+    extraGroups = ["docker" "podman"];
+    shell = pkgs.fish;
+  };
+
+  virtualisation.oci-containers.containers.gitea-db = {
+    image = "postgres:14";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "gitea-db_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_USER = "gitea";
+      POSTGRES_PASSWORD = "gitea";
+      POSTGRES_DB = "gitea";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.gitea = {
+    image = "gitea/gitea:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "gitea-db"
+    ];
+
+    ports = [
+      "3000:3000"
+
+      # NOTE: Set .git/config url to ssh://christoph@gitea.local.chriphost.de:222/christoph/<repo>.git
+      "222:222" # Gitea SSH
+    ];
+
+    volumes = [
+      "/etc/timezone:/etc/timezone:ro"
+      "/etc/localtime:/etc/localtime:ro"
+
+      "gitea_data:/data"
+    ];
+
+    environment = {
+      USER = "git";
+      USER_UID = "500";
+      # USER_GID = "100";
+
+      GITEA__database__DB_TYPE = "postgres";
+      GITEA__database__HOST = "gitea-db:5432";
+      GITEA__database__NAME = "gitea";
+      GITEA__database__USER = "gitea";
+      GITEA__database__PASSWD = "gitea";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/heidi.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.heidi = {
+    image = "gitea.vps.chriphost.de/christoph/discord-heidi:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "heidi_config:/config"
+
+      "/home/christoph/heidi-sounds:/sounds:ro"
+    ];
+
+    environment = {
+      DISCORD_TOKEN = (builtins.readFile ./heidi.discord_token);
+      DOCKER = "True";
+    };
+
+    extraOptions = [
+      "--init" # Make an init process take up PID 1, to make python receive the SIGTERM
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/immich.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.immich-database = {
+    image = "ghcr.io/immich-app/postgres:15-vectorchord0.3.0-pgvectors0.2.0";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "5432:5432"
+    ];
+
+    volumes = [
+      "immich-database_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_USER = "immich";
+      POSTGRES_PASSWORD = "immich";
+      POSTGRES_DB = "immich";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.immich-redis = {
+    image = "redis";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "6379:6379"
+    ];
+
+    volumes = [];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.immich = {
+    image = "ghcr.io/imagegenius/immich:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "immich-database"
+      "immich-redis"
+    ];
+
+    ports = [
+      "2283:8080"
+    ];
+
+    volumes = [
+      "immich_config:/config"
+      "immich_data:/photos"
+      "immich_machine-learning:/config/machine-learning"
+      # "immich_imports:/import:ro"
+    ];
+
+    environment = {
+      PUID = "1000";
+      PGID = "1000";
+      TZ = "Europe/Berlin";
+
+      DB_HOSTNAME = "immich-database";
+      DB_USERNAME = "immich";
+      DB_PASSWORD = "immich";
+      # DB_PORT = "5432";
+      DB_DATABASE_NAME = "immich";
+
+      REDIS_HOSTNAME = "immich-redis";
+      # REDIS_PORT = "6379";
+      # REDIS_PASSWORD = "";
+
+      MACHINE_LEARNING_WORKERS = "1";
+      MACHINE_LEARNING_WORKER_TIMEOUT = "120";
+    };
+
+    extraOptions = [
+      "--privileged"
+      "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/jellyfin.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.jellyfin = {
+    image = "linuxserver/jellyfin:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      "8096:8096"
+    ];
+
+    volumes = [
+      "/media/Show:/data/tvshows"
+      "/media/Movie:/data/movies"
+      "/media/TV-Music:/data/music"
+
+      "jellyfin_config:/config"
+    ];
+
+    environment = {
+      PUID = "3000";
+      PGID = "3000";
+      TZ = "Europe/Berlin";
+
+      NVIDIA_VISIBLE_DEVICES = "all";
+      NVIDIA_DRIVER_CAPABILITIES = "all";
+    };
+
+    extraOptions = [
+      "--privileged"
+      "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/kopia.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.kopia = {
+    image = "kopia/kopia:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "51515:51515"
+    ];
+
+    volumes = [
+      "kopia_config:/app/config"
+      "kopia_cache:/app/cache"
+      "kopia_logs:/app/logs"
+      "kopia_temp:/tmp"
+
+      # Repository, where snapshots are stored (incrementally)
+      "/media/synology-syncthing:/repository"
+
+      # Folders that are backed up
+      # "adguard_config:/data/adguard_config:ro" # ThinkNix
+      # "adguard_work:/data/adguard_work:ro" # ThinkNix
+      "authelia_config:/data/authelia_config:ro"
+      "formula10_cache:/data/formula10_cache:ro"
+      "formula10_data:/data/formula10_data:ro"
+      "gitea-db_data:/data/gitea-db_data:ro"
+      "gitea-runner_config:/data/gitea-runner_config:ro"
+      "gitea-runner_data:/data/gitea-runner_data:ro"
+      "gitea_data:/data/gitea_data:ro"
+      "heidi_config:/data/heidi_config:ro"
+      # "homeassistant_config:/data/homeassistant_config:ro" # ThinkNix
+      # "homepage_config:/data/homepage_config:ro"
+      "immich-database_data:/data/immich-database_data:ro"
+      "immich_config:/data/immich_config:ro"
+      "immich_data:/data/immich_data:ro"
+      "immich_machine-learning:/data/immich_machine-learning:ro"
+      "jellyfin_config:/data/jellyfin_config:ro"
+      "nextcloud-db_data:/data/nextcloud-db_data:ro"
+      "nextcloud_data:/data/nextcloud_data:ro"
+      "nginx_config:/data/nginx_config:ro"
+      "nginx_letsencrypt:/data/nginx_letsencrypt:ro"
+      "nginx_snippets:/data/nginx_snippets:ro"
+      "paperless-postgres_data:/data/paperless-postgres_data:ro"
+      "paperless_data:/data/paperless_data:ro"
+      # "portainer_config:/data/portainer_config:ro"
+      # "uptime-kuma_config:/data/uptime-kuma_config:ro" # Disabled
+      # "wireguard_vps_config:/data/wireguard_vps_config:ro"
+    ];
+
+    environment = {
+      TZ = "Europe/Berlin";
+      USER = "christoph";
+      KOPIA_PASSWORD = (builtins.readFile ./kopia.password);
+    };
+
+    entrypoint = "/bin/kopia";
+
+    cmd = [
+      "server"
+      "start"
+      "--disable-csrf-token-checks"
+      "--insecure"
+      "--address=0.0.0.0:51515"
+      "--server-username=christoph"
+      "--server-password=kopia"
+    ];
+
+    extraOptions = [
+      "--privileged"
+      "--device=/dev/fuse:/dev/fuse:rwm"
+      "--cap-add=SYS_ADMIN"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/nextcloud.nix

@@ -0,0 +1,126 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.nextcloud-db = {
+    image = "postgres:alpine";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "5432:5432"
+    ];
+
+    volumes = [
+      "nextcloud-db_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_PASSWORD = "nextcloud";
+      POSTGRES_DB = "nextcloud";
+      POSTGRES_USER = "nextcloud";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.nextcloud-memcache = {
+    image = "redis:alpine";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      # "6379:6379"
+    ];
+
+    volumes = [
+      "nextcloud-memcache_data:/data"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.nextcloud = {
+    image = "nextcloud:apache";
+    autoStart = true;
+
+    dependsOn = [
+      "nextcloud-db"
+      "nextcloud-memcache"
+    ];
+
+    ports = [
+      "8080:80"
+    ];
+
+    volumes = [
+      "nextcloud_data:/var/www/html"
+
+      # Paperless media
+      # "/media/paperless-consume:/media/paperless-consume"
+      # "/media/paperless-export:/media/paperless-export"
+      # "/media/paperless-media:/media/paperless-media"
+      "/home/christoph/nextcloud:/flow-scripts"
+
+      # "/var/run/docker.sock:/var/run/docker.sock:ro" # For AiO
+    ];
+
+    environment = {
+      # Don't add PUID/PGID/TZ or sth like that!
+
+      # Allow uploads larger than 1GB
+      APACHE_BODY_LIMIT = "0";
+      NEXTCLOUD_TRUSTED_DOMAINS = "https://nextcloud.local.chriphost.de https://local.chriphost.de https://nextcloud.vps.chriphost.de https://vps.chriphost.de";
+
+      # Proxy
+      APACHE_DISABLE_REWRITE_IP = "1";
+      TRUSTED_PROXIES = "192.168.86.25 212.227.233.241 172.19.0.1";
+      OVERWRITEPROTOCOL = "https";
+      
+      # DB
+      POSTGRES_HOST = "nextcloud-db";
+      POSTGRES_PASSWORD = "nextcloud";
+      POSTGRES_DB = "nextcloud";
+      POSTGRES_USER = "nextcloud";
+
+      # Memcache + Transactional Locking
+      REDIS_HOST = "nextcloud-memcache";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  systemd.services.nextcloud-cron = {
+    enable = true;
+    description = "Nextcloud Cron Job";
+    
+    serviceConfig = {
+      ExecStart = "${pkgs.docker}/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php";
+    };
+  };
+
+  systemd.timers.nextcloud-cron = {
+    enable = true;
+    description = "Nextcloud Cron Job";
+
+    timerConfig = {
+      OnBootSec = "5min";
+      OnUnitActiveSec = "5min";
+      Unit = "nextcloud-cron.service";
+    };
+
+    wantedBy = ["timers.target"];
+  };
+}

system/services/nginx-proxy-manager.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.nginx-proxy-manager = {
+    image = "jc21/nginx-proxy-manager:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      "80:80"
+      # "81:81" # Web interface
+      "443:443"
+    ];
+
+    volumes = [
+      "nginx_config:/data"
+      "nginx_snippets:/snippets"
+      "nginx_letsencrypt:/etc/letsencrypt"
+    ];
+
+    environment = {
+      DISABLE_IPV6 = "true";
+    };
+
+    extraOptions = [
+      # "--net=host"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/paperless.nix

@@ -0,0 +1,87 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.paperless-redis = {
+    image = "docker.io/library/redis:7";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "paperless-redis_data:/data"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.paperless-postgres = {
+    image = "docker.io/library/postgres:15";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [];
+
+    volumes = [
+      "paperless-postgres_data:/var/lib/postgresql/data"
+    ];
+
+    environment = {
+      POSTGRES_DB = "paperless";
+      POSTGRES_USER = "paperless";
+      POSTGRES_PASSWORD = "paperless";
+    };
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+
+  virtualisation.oci-containers.containers.paperless = {
+    image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
+    autoStart = true;
+
+    dependsOn = [
+      "paperless-redis"
+      "paperless-postgres"
+    ];
+
+    ports = [
+      "8000:8000"
+    ];
+
+    volumes = [
+      "paperless_data:/usr/src/paperless/data"
+      "/media/paperless-media:/usr/src/paperless/media"
+      "/media/paperless-export:/usr/src/paperless/export"
+      "/media/paperless-consume:/usr/src/paperless/consume"
+    ];
+
+    environment = {
+      PAPERLESS_REDIS = "redis://paperless-redis:6379";
+      PAPERLESS_DBHOST = "paperless-postgres";
+
+      # PAPERLESS_ADMIN_USER = "root";
+      # PAPERLESS_ADMIN_PASSWORD = "admin";
+
+      PAPERLESS_URL = "https://*.chriphost.de";
+      # PAPERLESS_CSRF_TRUSTED_ORIGINS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+      # PAPERLESS_ALLOWED_HOSTS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+      # PAPERLESS_CORS_ALLOWED_HOSTS = "[https://paperless.local.chriphost.de,https://paperless.vps.chriphost.de]";
+    };
+
+    extraOptions = [
+      # "--gpus=all"
+      "--net=behind-nginx"
+    ];
+  };
+}

system/services/portainer.nix

@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # virtualisation.oci-containers.containers.portainer = {
+  #   image = "portainer/portainer-ce:latest";
+  #   autoStart = true;
+
+  #   dependsOn = [];
+
+  #   ports = [
+  #     # "8000:8000"
+  #     # "9443:9443"
+  #   ];
+
+  #   volumes = [
+  #     "portainer_config:/data"
+
+  #     "/var/run/docker.sock:/var/run/docker.sock"
+  #   ];
+
+  #   environment = {};
+
+  #   extraOptions = [
+  #     "--net=behind-nginx"
+  #   ];
+  # };
+
+  virtualisation.oci-containers.containers.portainer-agent = {
+    image = "portainer/agent:latest";
+    autoStart = true;
+
+    dependsOn = [];
+
+    ports = [
+      "9001:9001"
+    ];
+
+    volumes = [
+      "/var/run/docker.sock:/var/run/docker.sock"
+      "/var/lib/docker/volumes:/var/lib/docker/volumes"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      # This container needs to be accessible from another machine inside the LAN
+      # "--net=behind-nginx"
+    ];
+  };
+}

system/services/whats-up-docker.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  virtualisation.oci-containers.containers.whats-up-docker = {
+    image = "getwud/wud:latest";
+    autoStart = true;
+
+    dependsOn = [
+      # "pihole"
+    ];
+
+    ports = [
+      # "3001:3000"
+    ];
+
+    volumes = [
+      "/var/run/docker.sock:/var/run/docker.sock"
+    ];
+
+    environment = {};
+
+    extraOptions = [
+      "--net=behind-nginx"
+    ];
+  };
+}