small changes

lol
2024-08-07 15:16:45 +02:00 · 2024-08-07 15:16:45 +02:00 · e011751f61
commit e011751f61
parent ae1594d006
10 changed files with 328 additions and 305 deletions
--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@ -0,0 +1,128 @@
+{ config, pkgs, lib, ... }:
+let
+  postgres-multi-db = pkgs.writeText "postgres-multiple-db.sh" ''
+    #!/usr/bin/env bash
+    set -eu
+
+    if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
+      echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
+      (
+        for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
+          echo "CREATE DATABASE $db;"
+        done
+        for user in $(echo $POSTGRES_MULTIPLE_DATABASES_USERS | tr ',' ' '); do
+          while IFS=":" read -r usr pw
+          do
+          echo "CREATE USER $usr PASSWORD '$pw';"
+          echo "GRANT ALL PRIVILEGES ON DATABASE \"$usr\" TO $usr;"
+          done <(echo $user)
+        done
+      ) | psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER"
+    fi
+  '';
+in
+{
+  networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
+  networking.firewall.interfaces."podman+".allowedTCPPorts = [ 12300 3001 ];
+  fileSystems."/var/lib/containers" = {
+    device = "spool/safe/containers";
+    fsType = "zfs";
+  };
+  # plex
+  networking.firewall = {
+    allowedTCPPorts = [ 32400 3005 8324 32469 ];
+    allowedUDPPorts = [ 1900 5353 32410 32412 32413 32414 ];
+  };
+  virtualisation.oci-containers.containers.plex = {
+    image = "docker.io/plexinc/pms-docker";
+    extraOptions = [ "--network=host" ];
+    environment = {
+      TZ = "Europe/Berlin";
+      PLEX_UID = "1000";
+      PLEX_GID = "100";
+    };
+
+    volumes = [
+      "/data/media:/data/media"
+      "plex-transcode:/transcode"
+      "plex-db:/config"
+    ];
+  };
+  # postgres
+  ragon.agenix.secrets.ds9PostgresEnv = { };
+  systemd.services."podman-db-network" = {
+    script = ''
+      ${pkgs.podman}/bin/podman network exists db-net || ${pkgs.podman}/bin/podman network create db-net --internal --ipv6
+    '';
+  };
+  virtualisation.oci-containers.containers.postgres = {
+    image = "docker.io/tensorchord/pgvecto-rs:pg16-v0.2.1";
+    extraOptions = [ "--network=db-net" "--health-cmd" "pg_isready -U postgres" ];
+    dependsOn = [ "db-network" ];
+    environment = {
+      POSTGRES_INITDB_ARGS = "--data-checksums";
+    };
+    environmentFiles = [
+      config.age.secrets.ds9PostgresEnv.path
+    ];
+    volumes = [
+      "${postgres-multi-db}:/docker-entrypoint-initdb.d/create-multiple-postgresql-databases.sh"
+      "postgres:/var/lib/postgresql/data"
+    ];
+  };
+  # immich
+  ragon.agenix.secrets.ds9ImmichEnv = { };
+  systemd.services."podman-immich-network" = {
+    script = ''
+      echo "Creating immich network"
+      ${pkgs.podman}/bin/podman network exists immich-net || ${pkgs.podman}/bin/podman network create immich-net --internal --ipv6
+      echo "Created immich network"
+    '';
+  };
+  virtualisation.oci-containers.containers.immich-redis = {
+    image = "docker.io/valkey/valkey:7.2.6-alpine";
+    environment.TZ = "Europe/Berlin";
+    extraOptions = [ "--health-cmd" "valkey-cli ping || exit 1" "--network=immich-net" ];
+    environmentFiles = [
+      config.age.secrets.ds9ImmichEnv.path
+    ];
+    dependsOn = [ "immich-network" ];
+  };
+  virtualisation.oci-containers.containers.immich-server = {
+    user = "1000:100";
+    image = "ghcr.io/immich-app/immich-server:release";
+    extraOptions = [ "--network=immich-net" "--network=db-net" ];
+    dependsOn = [ "immich-network" "immich-redis" "postgres" ];
+    ports = [ "8765:3001" ];
+    volumes = [
+      "/data/immich:/usr/src/app/upload"
+    ];
+    environment = {
+      IMICH_HOST = "0.0.0.0";
+      DB_HOSTNAME = "postgres";
+      REDIS_HOSTNAME = "immich-redis";
+      TZ = "Europe/Berlin";
+    };
+    environmentFiles = [
+      config.age.secrets.ds9ImmichEnv.path
+    ];
+  };
+  virtualisation.oci-containers.containers.immich-machine-learning = {
+    user = "1000:100";
+    image = "ghcr.io/immich-app/immich-machine-learning:release";
+    extraOptions = [ "--network=immich-net" "--network=db-net" "--network=podman" ];
+    dependsOn = [ "immich-network" "immich-redis" "postgres" ];
+    volumes = [
+      "immich-model-cache:/cache"
+    ];
+    environment = {
+      DB_HOSTNAME = "postgres";
+      REDIS_HOSTNAME = "immich-redis";
+      TZ = "Europe/Berlin";
+    };
+    environmentFiles = [
+      config.age.secrets.ds9ImmichEnv.path
+    ];
+  };
+
+}
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -8,16 +8,17 @@ in
    [
      ./hardware-configuration.nix

+      ./containers.nix
      ./backup.nix
-      ./plex.nix
+      # ./plex.nix
      ./samba.nix

      ../../nixos-modules/networking/tailscale.nix
      ../../nixos-modules/services/docker.nix
      ../../nixos-modules/services/libvirt.nix
      ../../nixos-modules/services/msmtp.nix
-      ../../nixos-modules/services/paperless.nix
-      ../../nixos-modules/services/photoprism.nix
+      # ../../nixos-modules/services/paperless.nix
+      # ../../nixos-modules/services/photoprism.nix
      ../../nixos-modules/services/samba.nix
      ../../nixos-modules/services/ssh.nix
      ../../nixos-modules/services/caddy
@ -137,13 +138,13 @@ in
      }
    '';
    virtualHosts."*.hailsatan.eu".extraConfig = ''
-      @paperless host paperless.hailsatan.eu
-      handle @paperless {
-        reverse_proxy ${config.ragon.services.paperless.location}
-      }
-      @photos host photos.hailsatan.eu
-      handle @photos {
-        reverse_proxy ${config.ragon.services.photoprism.location}
+      @immich host immich.hailsatan.eu
+      handle @immich {
+        reverse_proxy http://immich-server:3001 {
+          transport http {
+            resolvers 10.89.0.1 # podman dns
+          }
+        }
      }
      @bzzt-api host bzzt-api.hailsatan.eu
      handle @bzzt-api {
@ -165,44 +166,45 @@ in

  home-manager.users.ragon = { pkgs, lib, inputs, config, ... }: {
    imports = [
-      ../../hm-modules/nvim
-      ../../hm-modules/zsh
+      # ../../hm-modules/nvim
+      ../../hm-modules/helix
+      # ../../hm-modules/zsh
      ../../hm-modules/tmux
-      ../../hm-modules/xonsh
+      # ../../hm-modules/xonsh
      ../../hm-modules/cli.nix
      ../../hm-modules/files.nix
    ];
-    ragon.xonsh.enable = true;
+    # ragon.xonsh.enable = true;

    programs.home-manager.enable = true;
    home.stateVersion = "23.11";
  };

  # begin kube
-  services.k3s = {
-    enable = true;
-    extraFlags = "--disable=traefik --cluster-cidr 10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112 --vpn-auth-file=/persistent/tailscale-auth-file";
-  };
-  systemd.services.k3s.path =  [pkgs.tailscale pkgs.coreutils pkgs.bash];
+  # services.k3s = {
+  #   enable = true;
+  #   extraFlags = "--disable=traefik --cluster-cidr 10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112 --vpn-auth-file=/persistent/tailscale-auth-file";
+  #};
+  # systemd.services.k3s.path =  [pkgs.tailscale pkgs.coreutils pkgs.bash];
  # end kube

  ragon = {
    agenix.secrets."ionos" = { };
    user.enable = true;
    persist.enable = true;
-    persist.extraDirectories = [ "/var/lib/syncthing" config.services.plex.dataDir "/var/lib/minecraft" "/var/lib/bzzt" "/var/lib/rancher" "/etc/rancher" ];
+    persist.extraDirectories = [ "/var/lib/syncthing" "/var/lib/minecraft" "/var/lib/bzzt" "/var/lib/rancher" "/etc/rancher" "/root/.cache" ];

    services = {
      caddy.enable = true;
      docker.enable = true;
      ssh.enable = true;
      msmtp.enable = true;
-      photoprism.enable = true;
+      # photoprism.enable = true;
      tailscale.enable = true;
      tailscale.exitNode = true;
      tailscale.extraUpCommands = "--advertise-routes=10.0.0.0/16";
      libvirt.enable = true;
-      paperless.enable = true;
+      # paperless.enable = true;
    };

  };