From 5ba19a0cead3c489666c6c04fe6c69a95271dc31 Mon Sep 17 00:00:00 2001
From: James Eversole
Date: Sun, 25 Jun 2023 13:27:19 -0500
Subject: [PATCH] Remove Docker and replace Swarm orchestration with Podman systemd units
---
 containers.nix | 94 +++++++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 52 ++++++++++++++++----------
 secrets/keys.yaml | 4 +-
 3 files changed, 128 insertions(+), 22 deletions(-)
 create mode 100644 containers.nix
diff --git a/containers.nix b/containers.nix
new file mode 100644
index 0000000..c51d725
--- /dev/null
+++ b/containers.nix
@@ -0,0 +1,94 @@
+{
+ containers = {
+ bind = {
+ image = "sameersbn/bind:latest";
+ ports =
+ [ "0.0.0.0:53:53/tcp" "0.0.0.0:53:53/udp" "0.0.0.0:5053:10000/tcp" ];
+ volumes = [ "/home/sezycei/srv/containerdata/bind/bind:/data" ];
+ environmentFiles = [ /home/sezycei/srv/containerdata/bind/.env ];
+ };
+ jellyfin = {
+ image = "linuxserver/jellyfin";
+ ports = [ "0.0.0.0:8096:8096" "0.0.0.0:8920:8920" ];
+ volumes = [
+ "/home/sezycei/srv/containerdata/jellyfin/config:/config"
+ "/home/torrent/data/completed:/data/unsorted"
+ "/home/torrent/data/TV:/data/tvshows"
+ "/home/torrent/data/Movies:/data/movies"
+ "/home/torrent/data/transcode:/data/transcode"
+ "/home/torrent/data/Music:/data/music"
+ ];
+ environment = {
+ PGID = "1000";
+ PUID = "1000";
+ TZ = "America/Chicago";
+ UMASK_SET = "022";
+ };
+ };
+ legit = {
+ image = "docker.matri.cx/legit";
+ ports = [ "0.0.0.0:5121:8080" ];
+ volumes = [
+ "/home/sezycei/srv/swarmconfig/legit/static:/static"
+ "/home/sezycei/srv/swarmconfig/legit/templates:/templates"
+ "/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml"
+ "/home/sezycei/srv/containerdata/legit/repos:/var/www/git"
+ ];
+ environment = { };
+ };
+ murmur = {
+ image = "goofball222/murmur";
+ ports = [ "0.0.0.0:64738:64738" "0.0.0.0:64738:64738/udp" ];
+ volumes = [
+ "/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
+ "/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
+ "/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
+ ];
+ environment = { };
+ };
+ nginx = {
+ image = "nginx:alpine";
+ ports = [ "0.0.0.0:80:80" "0.0.0.0:443:443" "0.0.0.0:20222:20222" ];
+ volumes = [
+ "/home/sezycei/srv/web/www:/var/www/"
+ "/home/sezycei/srv/web/configuration/nginx.conf:/etc/nginx/nginx.conf"
+ "/home/sezycei/srv/web/configuration/htpasswd:/etc/nginx/htpasswd"
+ "/home/sezycei/srv/web/configuration/htpasswd-dock:/etc/nginx/htpasswd-dock"
+ "/home/sezycei/srv/web/configuration/sites-available:/etc/nginx/sites-enabled"
+ "/home/sezycei/srv/web/ssl/letsencrypt:/etc/letsencrypt"
+ "/home/sezycei/srv/web/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem"
+ ];
+ environment = { };
+ };
+ purr = {
+ image = "docker.matri.cx/purr";
+ ports = [ "0.0.0.0:5195:3000" ];
+ volumes = [
+ "/home/sezycei/dev/purr/data/Purr.sqlite:/app/data/Purr.sqlite"
+ "/home/sezycei/dev/purr/config.dhall:/app/config.dhall"
+ ];
+ environment = { };
+ };
+ registry = {
+ image = "registry:2";
+ ports = [ "0.0.0.0:3001:5000" ];
+ volumes = [
+ "/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
+ "/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
+ "/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
+ ];
+ environment = { };
+ };
+ transmission = {
+ image = "haugene/transmission-openvpn";
+ ports = [ "0.0.0.0:9091:9091" ];
+ volumes = [
+ "/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
+ "/etc/localtime:/etc/localtime:ro"
+ "/home/torrent/data:/data"
+ ];
+ environmentFiles = [ /home/sezycei/srv/containerdata/transmission/.env ];
+ extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index cb217c2..b3a85e3 100644
--- a/flake.nix
+++ b/flake.nix
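Review bot: The `murmur` entry mounts the registry's `data`, `certs` and `auth` directories under `/home/sezycei/srv/containerdata/registry/registry/` into the Mumble container — the same three lines as the `registry` entry further down — which reads as a copy-paste slip that hands the registry's TLS key material and htpasswd to an unrelated service; it should point at murmur's own state directory or be `volumes = [ ];` until one exists. In `transmission`, `--cap-add=NET_ADMIN` is combined with `--privileged`; the latter already grants every capability and host device access, so the narrower form is to drop `--privileged` and add only the device the VPN needs, e.g. `--device=/dev/net/tun` (confirm against the image's documented requirements). The two `environmentFiles` entries are unquoted Nix path literals (`/home/sezycei/srv/containerdata/bind/.env`, `/home/sezycei/srv/containerdata/transmission/.env`); as far as I can tell a path literal interpolated into the generated service script is copied into the world-readable Nix store, whereas the string form `"/home/sezycei/srv/containerdata/bind/.env"` satisfies the option's path type and leaves the credentials on disk only — worth checking the built unit's store references after switching.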
@@ -9,26 +9,30 @@ outputs = { self, nixpkgs, sops, ... }@attrs: let + containerDef = import ./containers.nix; + serviceContainers = containerDef.containers; + pkgs = import nixpkgs { inherit system; }; system = "x86_64-linux"; in { devShell.x86_64-linux = pkgs.mkShell { buildInputs = [ (pkgs.nixos { }).nixos-rebuild pkgs.terraform pkgs.sops ]; - shellHook = - " alias deploy=\"nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0\"\n"; + shellHook = '' + alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0" + ''; }; + + formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt; + nixosConfigurations = { eve-psr-nix0 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = attrs; modules = [ ({ modulesPath, ... }: { + imports = [ sops.nixosModules.sops ./hardware-configuration.nix ]; - boot = { - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = true; - }; nix = { buildMachines = [ ]; @@ -36,6 +40,12 @@ settings.experimental-features = [ "nix-command" "flakes" ]; }; + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + }; + + time.timeZone = "America/Chicago"; networking = { hostName = "eve-psr-nix0"; firewall = { @@ -44,9 +54,13 @@ }; }; - time.timeZone = "America/Chicago"; + environment.systemPackages = with pkgs; [ git pciutils vim wget ]; services = { + openssh = { + enable = true; + }; + hydra = { enable = true; hydraURL = "https://hydra.matri.cx"; 
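Review bot: The new `openssh = { enable = true; };` block in the third hunk enables sshd with default settings, while the same module keeps `initialPassword = "bootMaster"` for the wheel user `sezycei` (context lines in the next hunk) and retains `security.sudo.wheelNeedsPassword = false`; with password authentication left at its default, a known initial password is a remote path to root on a host that also exposes ports on `0.0.0.0`. Consider `openssh = { enable = true; settings.PasswordAuthentication = false; };` (or the older `passwordAuthentication = false` option, depending on which nixpkgs the flake input resolves to), and confirm the `deploy` alias targeting `root@matri.cx` still works with key-based auth before applying. The enclosing module function starts before the first hunk and ends after the last one.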
@@ -61,26 +75,24 @@ useSubstitutes = true; notificationSender = "hydra@matri.cx"; - buildMachinesFiles = []; + buildMachinesFiles = [ ]; }; - openssh.enable = true; }; - virtualisation.docker = { - enable = true; - liveRestore = false; + virtualisation = { + oci-containers = { + backend = "podman"; + containers = serviceContainers; + }; }; - environment.systemPackages = with pkgs; [ git pciutils vim wget ]; - - programs.zsh.enable = true; + security.sudo.wheelNeedsPassword = false; users = { - defaultUserShell = pkgs.zsh; users = { sezycei = { isNormalUser = true; initialPassword = "bootMaster"; - extraGroups = [ "wheel" "docker" ]; + extraGroups = [ "wheel" ]; packages = with pkgs; [ byobu tmux stack ]; }; torrent = { @@ -91,12 +103,12 @@ }; - security.sudo.wheelNeedsPassword = false; - sops = { age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; }; defaultSopsFile = ./secrets/keys.yaml; - secrets = { hostname = { }; }; + secrets = { + hostname = { }; + }; }; system.stateVersion = "22.11"; diff --git a/secrets/keys.yaml b/secrets/keys.yaml index 71fb23f..e1e6a8a 100644 --- a/secrets/keys.yaml +++ b/secrets/keys.yaml 
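Review bot: `containers = serviceContainers;` wires in a set of images that are referenced by mutable tags or no tag at all (`sameersbn/bind:latest`, `linuxserver/jellyfin`, `goofball222/murmur`, `nginx:alpine`), so every restart of the generated `podman-<name>` units may pull different content than was reviewed; pinning by digest (`image = "nginx@sha256:<digest>";`, digest being whatever `podman inspect` reports for the version you vetted) makes the deploy reproducible and turns an upstream image change into an explicit commit. Since the `oci-containers` module runs these units as root, that matters most for the `transmission` entry, which additionally asks for `--privileged`. The `extraGroups = [ "wheel" ];` change correctly drops the now-unused `docker` group.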
@@ -23,8 +23,8 @@ sops:
 S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU
 dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-06-09T19:16:10Z"
- mac: ENC[AES256_GCM,data:ayliPO8bDg0yTC1u5K1ZARdBPCOpb3g2UfEorak/RNq1KeTK4zTaWwvwr8xNIuqTFLxqAHJvMFVmEbUGgkH7wCE+5hYsun59dChnSASayEhxMdyPUnOauzaGVMuRm0q2D4UKfmtkTBEtnTM9yvDeBqd9LD0vqUpeltXggesdKCA=,iv:oq8GQPNjFaj6x28qtwcUakmbt4urZxDOls2Lw3Z4Rns=,tag:WK89gCSh0HT3Az5cMSpuRg==,type:str]
+ lastmodified: "2023-06-25T18:25:59Z"
+ mac: ENC[AES256_GCM,data:MCvfrJ+xA5SyY+PJBFN1SxbAhKYxk18wMUIb1Kg48rUzIyAlN+/TF24msjgae64xvYiKEIIWGtv4kbocghHVM/2JkLa3ddhv73XpoQtn/iswS5a3Bw1eg4uwzDRwX8WQAQN0/JJHIJYbHI5tL+zDwg2R9gi+upadOPq6h540b90=,iv:WaHzOtRRaqBvWd8LyBinpiXQkHxEUES+BCtR75uYCy8=,tag:P8t5LDwMBvurBM3Ktt/M2A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3