James/eve-psr-nix0
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove Docker and replace Swarm orchestration with Podman systemd units

Browse Source
This commit is contained in:
James Eversole
2023-06-25 13:27:19 -05:00
parent 1fa1f4e9d3
commit 5ba19a0cea
3 changed files with 128 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
containers.nix Normal file
View File

@ -0,0 +1,94 @@
{
containers = {
bind = {
image = "sameersbn/bind:latest";
ports =
[ "0.0.0.0:53:53/tcp" "0.0.0.0:53:53/udp" "0.0.0.0:5053:10000/tcp" ];
volumes = [ "/home/sezycei/srv/containerdata/bind/bind:/data" ];
environmentFiles = [ /home/sezycei/srv/containerdata/bind/.env ];
};
jellyfin = {
image = "linuxserver/jellyfin";
ports = [ "0.0.0.0:8096:8096" "0.0.0.0:8920:8920" ];
volumes = [
"/home/sezycei/srv/containerdata/jellyfin/config:/config"
"/home/torrent/data/completed:/data/unsorted"
"/home/torrent/data/TV:/data/tvshows"
"/home/torrent/data/Movies:/data/movies"
"/home/torrent/data/transcode:/data/transcode"
"/home/torrent/data/Music:/data/music"
];
environment = {
PGID = "1000";
PUID = "1000";
TZ = "America/Chicago";
UMASK_SET = "022";
};
};
legit = {
image = "docker.matri.cx/legit";
ports = [ "0.0.0.0:5121:8080" ];
volumes = [
"/home/sezycei/srv/swarmconfig/legit/static:/static"
"/home/sezycei/srv/swarmconfig/legit/templates:/templates"
"/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml"
"/home/sezycei/srv/containerdata/legit/repos:/var/www/git"
];
environment = { };
};
murmur = {
image = "goofball222/murmur";
ports = [ "0.0.0.0:64738:64738" "0.0.0.0:64738:64738/udp" ];
volumes = [
"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
"/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
];
environment = { };
};
nginx = {
image = "nginx:alpine";
ports = [ "0.0.0.0:80:80" "0.0.0.0:443:443" "0.0.0.0:20222:20222" ];
volumes = [
"/home/sezycei/srv/web/www:/var/www/"
"/home/sezycei/srv/web/configuration/nginx.conf:/etc/nginx/nginx.conf"
"/home/sezycei/srv/web/configuration/htpasswd:/etc/nginx/htpasswd"
"/home/sezycei/srv/web/configuration/htpasswd-dock:/etc/nginx/htpasswd-dock"
"/home/sezycei/srv/web/configuration/sites-available:/etc/nginx/sites-enabled"
"/home/sezycei/srv/web/ssl/letsencrypt:/etc/letsencrypt"
"/home/sezycei/srv/web/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem"
];
environment = { };
};
purr = {
image = "docker.matri.cx/purr";
ports = [ "0.0.0.0:5195:3000" ];
volumes = [
"/home/sezycei/dev/purr/data/Purr.sqlite:/app/data/Purr.sqlite"
"/home/sezycei/dev/purr/config.dhall:/app/config.dhall"
];
environment = { };
};
registry = {
image = "registry:2";
ports = [ "0.0.0.0:3001:5000" ];
volumes = [
"/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
"/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
"/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
];
environment = { };
};
transmission = {
image = "haugene/transmission-openvpn";
ports = [ "0.0.0.0:9091:9091" ];
volumes = [
"/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
"/etc/localtime:/etc/localtime:ro"
"/home/torrent/data:/data"
];
environmentFiles = [ /home/sezycei/srv/containerdata/transmission/.env ];
extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];
};
};
}

52
flake.nix
View File

@ -9,26 +9,30 @@
outputs = { self, nixpkgs, sops, ... }@attrs: outputs = { self, nixpkgs, sops, ... }@attrs:
let let
containerDef = import ./containers.nix;
serviceContainers = containerDef.containers;
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs { inherit system; };
system = "x86_64-linux"; system = "x86_64-linux";
in { in {
devShell.x86_64-linux = pkgs.mkShell { devShell.x86_64-linux = pkgs.mkShell {
buildInputs = buildInputs =
[ (pkgs.nixos { }).nixos-rebuild pkgs.terraform pkgs.sops ]; [ (pkgs.nixos { }).nixos-rebuild pkgs.terraform pkgs.sops ];
shellHook = shellHook = ''
" alias deploy=\"nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0\"\n"; alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0"
'';
}; };
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
nixosConfigurations = { nixosConfigurations = {
eve-psr-nix0 = nixpkgs.lib.nixosSystem { eve-psr-nix0 = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = attrs; specialArgs = attrs;
modules = [ modules = [
({ modulesPath, ... }: { ({ modulesPath, ... }: {
imports = [ sops.nixosModules.sops ./hardware-configuration.nix ]; imports = [ sops.nixosModules.sops ./hardware-configuration.nix ];
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
nix = { nix = {
buildMachines = [ ]; buildMachines = [ ];
@ -36,6 +40,12 @@
settings.experimental-features = [ "nix-command" "flakes" ]; settings.experimental-features = [ "nix-command" "flakes" ];
}; };
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
time.timeZone = "America/Chicago";
networking = { networking = {
hostName = "eve-psr-nix0"; hostName = "eve-psr-nix0";
firewall = { firewall = {
@ -44,9 +54,13 @@
}; };
}; };
time.timeZone = "America/Chicago"; environment.systemPackages = with pkgs; [ git pciutils vim wget ];
services = { services = {
openssh = {
enable = true;
};
hydra = { hydra = {
enable = true; enable = true;
hydraURL = "https://hydra.matri.cx"; hydraURL = "https://hydra.matri.cx";
@ -61,26 +75,24 @@
useSubstitutes = true; useSubstitutes = true;
notificationSender = "hydra@matri.cx"; notificationSender = "hydra@matri.cx";
buildMachinesFiles = []; buildMachinesFiles = [ ];
}; };
openssh.enable = true;
}; };
virtualisation.docker = { virtualisation = {
enable = true; oci-containers = {
liveRestore = false; backend = "podman";
containers = serviceContainers;
};
}; };
environment.systemPackages = with pkgs; [ git pciutils vim wget ]; security.sudo.wheelNeedsPassword = false;
programs.zsh.enable = true;
users = { users = {
defaultUserShell = pkgs.zsh;
users = { users = {
sezycei = { sezycei = {
isNormalUser = true; isNormalUser = true;
initialPassword = "bootMaster"; initialPassword = "bootMaster";
extraGroups = [ "wheel" "docker" ]; extraGroups = [ "wheel" ];
packages = with pkgs; [ byobu tmux stack ]; packages = with pkgs; [ byobu tmux stack ];
}; };
torrent = { torrent = {
@ -91,12 +103,12 @@
}; };
security.sudo.wheelNeedsPassword = false;
sops = { sops = {
age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; }; age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
defaultSopsFile = ./secrets/keys.yaml; defaultSopsFile = ./secrets/keys.yaml;
secrets = { hostname = { }; }; secrets = {
hostname = { };
};
}; };
system.stateVersion = "22.11"; system.stateVersion = "22.11";

4
secrets/keys.yaml
View File

@ -23,8 +23,8 @@ sops:
S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU
dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g== dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-09T19:16:10Z" lastmodified: "2023-06-25T18:25:59Z"
mac: ENC[AES256_GCM,data:ayliPO8bDg0yTC1u5K1ZARdBPCOpb3g2UfEorak/RNq1KeTK4zTaWwvwr8xNIuqTFLxqAHJvMFVmEbUGgkH7wCE+5hYsun59dChnSASayEhxMdyPUnOauzaGVMuRm0q2D4UKfmtkTBEtnTM9yvDeBqd9LD0vqUpeltXggesdKCA=,iv:oq8GQPNjFaj6x28qtwcUakmbt4urZxDOls2Lw3Z4Rns=,tag:WK89gCSh0HT3Az5cMSpuRg==,type:str] mac: ENC[AES256_GCM,data:MCvfrJ+xA5SyY+PJBFN1SxbAhKYxk18wMUIb1Kg48rUzIyAlN+/TF24msjgae64xvYiKEIIWGtv4kbocghHVM/2JkLa3ddhv73XpoQtn/iswS5a3Bw1eg4uwzDRwX8WQAQN0/JJHIJYbHI5tL+zDwg2R9gi+upadOPq6h540b90=,iv:WaHzOtRRaqBvWd8LyBinpiXQkHxEUES+BCtR75uYCy8=,tag:P8t5LDwMBvurBM3Ktt/M2A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3