From 1b40ddcb978dec8cf52a82319f1f8b4e4eedd3f8 Mon Sep 17 00:00:00 2001 From: tdback Date: Sun, 26 Jan 2025 11:31:39 -0500 Subject: containers: reworked each container to be a standalone module --- modules/containers/freshrss/default.nix | 88 +++++++++++++++++++------ modules/containers/jellyfin/default.nix | 96 ++++++++++++++++++++++----- modules/containers/lubelogger/default.nix | 102 +++++++++++++++++++++-------- modules/containers/pinchflat/default.nix | 66 +++++++++++++++---- modules/containers/vaultwarden/default.nix | 93 +++++++++++++++++++------- modules/containers/watchtower/default.nix | 37 +++++++---- 6 files changed, 376 insertions(+), 106 deletions(-) (limited to 'modules') diff --git a/modules/containers/freshrss/default.nix b/modules/containers/freshrss/default.nix index 7cbe944..7d2e5eb 100644 --- a/modules/containers/freshrss/default.nix +++ b/modules/containers/freshrss/default.nix 
@@ -1,27 +1,77 @@ -{ ... }: +{ + config, + lib, + ... +}: +with lib; let - directory = "/opt/freshrss"; - port = "8888"; + service = "freshrss"; + cfg = config.modules.containers.${service}; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; + options.modules.containers.${service} = { + enable = mkEnableOption service; + user = mkOption { + default = "share"; + type = types.str; + }; + group = mkOption { + default = "share"; + type = types.str; + }; + port = mkOption { + default = 8888; + type = types.int; + }; + url = mkOption { + default = null; + type = types.str; + }; + configDir = mkOption { + default = "/opt/${service}"; + type = types.str; + }; + }; + + config = mkIf cfg.enable { + users.users.${cfg.user} = { + isSystemUser = true; + group = cfg.group; + }; + + users.groups.${cfg.group} = { }; - virtualisation.oci-containers.containers.freshrss = { - image = "freshrss/freshrss:latest"; - autoStart = true; - ports = [ "${port}:80" ]; - volumes = [ - "${directory}/data:/var/www/FreshRSS/data" - "${directory}/extensions:/var/www/FreshRSS/extensions" + networking.firewall.allowedTCPPorts = [ + 80 + 443 ]; - environment = { - TZ = "America/Detroit"; - CRON_MIN = "*/20"; + + services.caddy = { + enable = true; + virtualHosts = { + ${cfg.url}.extraConfig = '' + encode zstd gzip + reverse_proxy http://localhost:${builtins.toString cfg.port} + ''; + }; }; - }; - services.caddy.virtualHosts."fresh.brownbread.net".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:${port} - ''; + systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [ + cfg.configDir + ]; + + virtualisation.oci-containers.containers.${service} = { + image = "${service}/${service}:latest"; + autoStart = true; + ports = [ "${builtins.toString cfg.port}:80" ]; + volumes = [ + "${cfg.configDir}/data:/var/www/FreshRSS/data" + "${cfg.configDir}/extensions:/var/www/FreshRSS/extensions" + ]; + environment = { + TZ = 
"America/Detroit"; + CRON_MIN = "*/20"; + }; + }; + }; } diff --git a/modules/containers/jellyfin/default.nix b/modules/containers/jellyfin/default.nix index a7b9557..aa0d4b1 100644 --- a/modules/containers/jellyfin/default.nix +++ b/modules/containers/jellyfin/default.nix 
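Review bot: The `url` option is declared as `type = types.str` with `default = null`, so a host that enables the module without setting it fails at evaluation: the null default does not satisfy `types.str`, and `${cfg.url}.extraConfig` cannot use null as an attribute name. Either drop the default so the option is required, or declare `type = types.nullOr types.str;` and wrap the Caddy block in `mkIf (cfg.url != null)`. The same declaration appears in the jellyfin, lubelogger, pinchflat and vaultwarden hunks. Separately, `ports = [ "${builtins.toString cfg.port}:80" ]` publishes the plain-HTTP app port on every interface while Caddy only proxies to localhost; binding it as `ports = [ "127.0.0.1:${builtins.toString cfg.port}:80" ]` keeps it off the network, which matters because OCI backends may manage their own iptables rules independently of `networking.firewall` — this also applies to the jellyfin, lubelogger, pinchflat and vaultwarden port mappings.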
@@ -1,24 +1,86 @@ -{ ... }: +{ + config, + lib, + ... +}: +with lib; let - directory = "/opt/jellyfin"; + service = "jellyfin"; + cfg = config.modules.containers.${service}; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; + options.modules.containers.${service} = { + enable = mkEnableOption service; + user = mkOption { + default = "share"; + type = types.str; + }; + group = mkOption { + default = "share"; + type = types.str; + }; + port = mkOption { + default = 8096; + type = types.int; + }; + url = mkOption { + default = null; + type = types.str; + }; + mediaDir = mkOption { + type = types.str; + }; + configDir = mkOption { + default = "/opt/${service}"; + type = types.str; + }; + }; + + config = mkIf cfg.enable { + users.users.${cfg.user} = { + isSystemUser = true; + group = cfg.group; + }; - virtualisation.oci-containers.containers.jellyfin = { - image = "jellyfin/jellyfin:latest"; - autoStart = true; - user = "994:994"; - ports = [ "8096:8096/tcp" ]; - volumes = [ - "${directory}/config:/config" - "${directory}/cache:/cache" - "/tank/media:/media" + users.groups.${cfg.group} = { }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 ]; - }; - services.caddy.virtualHosts."buttered.brownbread.net".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:8096 - ''; + services.caddy = { + enable = true; + virtualHosts = { + ${cfg.url}.extraConfig = '' + encode zstd gzip + reverse_proxy http://localhost:${builtins.toString cfg.port} + ''; + }; + }; + + systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [ + cfg.configDir + ]; + + virtualisation.oci-containers.containers.${service} = + with config.users; + with builtins; + let + uid = toString users.${cfg.user}.uid; + gid = toString groups.${cfg.group}.gid; + port = toString cfg.port; + in + { + image = "${service}/${service}:latest"; + autoStart = true; + user = "${uid}:${gid}"; + ports = [ "${port}:${port}/tcp" ]; + 
volumes = [ + "${cfg.configDir}/config:/config" + "${cfg.configDir}/cache:/cache" + "${cfg.mediaDir}:/media" + ]; + }; + }; } diff --git a/modules/containers/lubelogger/default.nix b/modules/containers/lubelogger/default.nix index 6ff2b0d..c7ca98f 100644 --- a/modules/containers/lubelogger/default.nix +++ b/modules/containers/lubelogger/default.nix 
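Review bot: `uid = toString users.${cfg.user}.uid` reads `config.users.users.<name>.uid`, but the user declared above with `isSystemUser = true` sets no `uid`, and NixOS leaves that attribute `null` for dynamically allocated system users; `toString null` is `""`, so the container would be started with `user = ":"` instead of the `994:994` mapping the old code hard-coded. Add explicit `uid`/`gid` options, pin them on the user and group declared in this module, and derive the mapping from those, as sketched below. The nested `with config.users; with builtins;` also shadows `users`, `groups` and `toString` in a way that is hard to read; a plain `let` with fully qualified names is clearer.
```nix
    uid = mkOption {
      default = 994;
      type = types.int;
    };
    gid = mkOption {
      default = 994;
      type = types.int;
    };
    # … unchanged: user, group, port, url, mediaDir, configDir options …
  };

  config = mkIf cfg.enable {
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      uid = cfg.uid;
    };

    users.groups.${cfg.group}.gid = cfg.gid;
    # … unchanged: firewall, caddy, tmpfiles …

    virtualisation.oci-containers.containers.${service} =
      let
        uid = builtins.toString cfg.uid;
        gid = builtins.toString cfg.gid;
        port = builtins.toString cfg.port;
      in
      {
        # … unchanged: image, autoStart, user, ports, volumes …
      };
```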
@@ -1,34 +1,84 @@ -{ ... }: +{ + config, + lib, + ... +}: +with lib; let - directory = "/opt/lubelogger"; - port = "8889"; + service = "lubelogger"; + cfg = config.modules.containers.${service}; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; + options.modules.containers.${service} = { + enable = mkEnableOption service; + user = mkOption { + default = "share"; + type = types.str; + }; + group = mkOption { + default = "share"; + type = types.str; + }; + port = mkOption { + default = 8889; + type = types.int; + }; + url = mkOption { + default = null; + type = types.str; + }; + configDir = mkOption { + default = "/opt/${service}"; + type = types.str; + }; + }; + + config = mkIf cfg.enable { + users.users.${cfg.user} = { + isSystemUser = true; + group = cfg.group; + }; + + users.groups.${cfg.group} = { }; - virtualisation.oci-containers.containers.lubelogger = { - image = "ghcr.io/hargata/lubelogger:latest"; - autoStart = true; - ports = [ "${port}:8080" ]; - volumes = [ - "${directory}/config:/App/config" - "${directory}/data:/App/data" - "${directory}/translations:/App/wwwroot/translations" - "${directory}/documents:/App/wwwroot/documents" - "${directory}/images:/App/wwwroot/images" - "${directory}/temp:/App/wwwroot/temp" - "${directory}/log:/App/log" - "${directory}/keys:/root/.aspnet/DataProtection-Keys" + networking.firewall.allowedTCPPorts = [ + 80 + 443 ]; - environment = { - LC_ALL = "en_US.UTF-8"; - LANG = "en_US.UTF-8"; - LUBELOGGER_ALLOWED_FILE_EXTENSIONS = "*"; + + services.caddy = { + enable = true; + virtualHosts = { + ${cfg.url}.extraConfig = '' + encode zstd gzip + reverse_proxy http://localhost:${builtins.toString cfg.port} + ''; + }; }; - }; - services.caddy.virtualHosts."garage.brownbread.net".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:${port} - ''; + systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [ + cfg.configDir + ]; + + 
virtualisation.oci-containers.containers.${service} = { + image = "ghcr.io/hargata/lubelogger:latest"; + autoStart = true; + ports = [ "${builtins.toString cfg.port}:8080" ]; + volumes = [ + "${cfg.configDir}/config:/App/config" + "${cfg.configDir}/data:/App/data" + "${cfg.configDir}/translations:/App/wwwroot/translations" + "${cfg.configDir}/documents:/App/wwwroot/documents" + "${cfg.configDir}/images:/App/wwwroot/images" + "${cfg.configDir}/temp:/App/wwwroot/temp" + "${cfg.configDir}/log:/App/log" + "${cfg.configDir}/keys:/root/.aspnet/DataProtection-Keys" + ]; + environment = { + LC_ALL = "en_US.UTF-8"; + LANG = "en_US.UTF-8"; + LUBELOGGER_ALLOWED_FILE_EXTENSIONS = "*"; + }; + }; + }; } diff --git a/modules/containers/pinchflat/default.nix b/modules/containers/pinchflat/default.nix index 6f9c825..6b5df23 100644 --- a/modules/containers/pinchflat/default.nix +++ b/modules/containers/pinchflat/default.nix 
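Review bot: `LUBELOGGER_ALLOWED_FILE_EXTENSIONS = "*"` stays hard-coded while the container's other knobs (user, group, port, configDir) became options; a wildcard upload allowlist is the one setting a deployment is most likely to want tightened, so expose it as `allowedFileExtensions = mkOption { default = "*"; type = types.str; };` and pass `LUBELOGGER_ALLOWED_FILE_EXTENSIONS = cfg.allowedFileExtensions;`. Keeping `"*"` as the default preserves current behaviour. The `${cfg.configDir}/keys:/root/.aspnet/DataProtection-Keys` volume persists the application's key ring on the host, so a comment such as `# keys/ holds ASP.NET data-protection keys; treat configDir as sensitive` above the volume list would help the next maintainer, since the tmpfiles rule here only creates the top-level directory as `0755`.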
@@ -1,18 +1,62 @@ -{ ... }: +{ + config, + lib, + ... +}: +with lib; let - directory = "/opt/pinchflat"; + service = "pinchflat"; + cfg = config.modules.containers.${service}; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; + options.modules.containers.${service} = { + enable = mkEnableOption service; + user = mkOption { + default = "share"; + type = types.str; + }; + group = mkOption { + default = "share"; + type = types.str; + }; + port = mkOption { + default = 8945; + type = types.int; + }; + url = mkOption { + default = null; + type = types.str; + }; + mediaDir = mkOption { + type = types.str; + }; + configDir = mkOption { + default = "/opt/${service}"; + type = types.str; + }; + }; + + config = mkIf cfg.enable { + users.users.${cfg.user} = { + isSystemUser = true; + group = cfg.group; + }; - virtualisation.oci-containers.containers.pinchflat = { - image = "keglin/pinchflat:latest"; - autoStart = true; - ports = [ "8945:8945" ]; - volumes = [ - "${directory}:/config" - "/tank/media/yt:/downloads" + users.groups.${cfg.group} = { }; + + systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [ + cfg.configDir ]; - environment.TZ = "America/Detroit"; + + virtualisation.oci-containers.containers.${service} = { + image = "keglin/pinchflat:latest"; + autoStart = true; + ports = [ "${builtins.toString cfg.port}:${builtins.toString cfg.port}" ]; + volumes = [ + "${cfg.configDir}:/config" + "${cfg.mediaDir}:/downloads" + ]; + environment.TZ = "America/Detroit"; + }; }; } diff --git a/modules/containers/vaultwarden/default.nix b/modules/containers/vaultwarden/default.nix index 7fb4ae0..c04d679 100644 --- a/modules/containers/vaultwarden/default.nix +++ b/modules/containers/vaultwarden/default.nix 
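Review bot: The `url` option is declared but nothing in the `config` block reads it — this module gained no `services.caddy` virtual host or `networking.firewall` entry, unlike its siblings — so it is dead code; either remove it or add the reverse-proxy block the other modules received. Without a proxy the application is reachable only through `ports = [ "${builtins.toString cfg.port}:${builtins.toString cfg.port}" ]`, which publishes it on all interfaces; if LAN-only access is intended, say so in a comment above the `ports` line, otherwise bind to `127.0.0.1:` as suggested for the other containers. The `mediaDir` option has no default and is therefore required, which is correct, but a one-line `description` saying it is mounted at `/downloads` would make that visible.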
@@ -1,29 +1,78 @@ -{ ... }: +{ + config, + lib, + ... +}: +with lib; let - directory = "/opt/vaultwarden"; - domain = "steel-mountain.brownbread.net"; - port = "11001"; + service = "vaultwarden"; + cfg = config.modules.containers.${service}; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; - - virtualisation.oci-containers.containers.vaultwarden = { - image = "vaultwarden/server:latest"; - autoStart = true; - ports = [ "${port}:80" ]; - volumes = [ "${directory}/data:/data" ]; - environment = { - DOMAIN = domain; - WEBSOCKET_ENABLED = "true"; - SIGNUPS_ALLOWED = "false"; - SHOW_PASSWORD_HINT = "false"; + options.modules.containers.${service} = { + enable = mkEnableOption service; + user = mkOption { + default = "share"; + type = types.str; + }; + group = mkOption { + default = "share"; + type = types.str; + }; + port = mkOption { + default = 11001; + type = types.int; + }; + url = mkOption { + default = null; + type = types.str; + }; + configDir = mkOption { + default = "/opt/${service}"; + type = types.str; }; }; - services.caddy.virtualHosts.${domain}.extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:${port} { - header_up X-Real-IP {remote_host} - } - ''; + config = mkIf cfg.enable { + users.users.${cfg.user} = { + isSystemUser = true; + group = cfg.group; + }; + + users.groups.${cfg.group} = { }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + services.caddy = { + enable = true; + virtualHosts = { + ${cfg.url}.extraConfig = '' + encode zstd gzip + reverse_proxy http://localhost:${builtins.toString cfg.port} { + header_up X-Real-IP {remote_host} + } + ''; + }; + }; + + systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [ + cfg.configDir + ]; + + virtualisation.oci-containers.containers.${service} = { + image = "vaultwarden/server:latest"; + autoStart = true; + ports = [ "${builtins.toString cfg.port}:80" ]; + volumes = [ 
"${cfg.configDir}/data:/data" ]; + environment = { + DOMAIN = cfg.url; + WEBSOCKET_ENABLED = "true"; + SIGNUPS_ALLOWED = "false"; + SHOW_PASSWORD_HINT = "false"; + }; + }; + }; } diff --git a/modules/containers/watchtower/default.nix b/modules/containers/watchtower/default.nix index bc819cd..b7644ec 100644 --- a/modules/containers/watchtower/default.nix +++ b/modules/containers/watchtower/default.nix @@ -1,15 +1,30 @@ -{ ... }: { - virtualisation.oci-containers.containers.watchtower = { - image = "containrrr/watchtower:latest"; - autoStart = true; - volumes = [ - "/var/run/podman/podman.sock:/var/run/docker.sock:ro" - "/etc/localtime:/etc/localtime:ro" - ]; - environment = { - WATCHTOWER_CLEANUP = "true"; - WATCHTOWER_SCHEDULE = "0 0 5 * * *"; + config, + lib, + ... +}: +with lib; +let + service = "watchtower"; + cfg = config.modules.containers.${service}; +in +{ + options.modules.containers.${service} = { + enable = mkEnableOption service; + }; + + config = mkIf cfg.enable { + virtualisation.oci-containers.containers.${service} = { + image = "containrrr/watchtower:latest"; + autoStart = true; + volumes = [ + "/var/run/podman/podman.sock:/var/run/docker.sock:ro" + "/etc/localtime:/etc/localtime:ro" + ]; + environment = { + WATCHTOWER_CLEANUP = "true"; + WATCHTOWER_SCHEDULE = "0 0 5 * * *"; + }; }; }; } -- cgit v1.2.3
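Review bot: `cfg.url` now feeds both the Caddy site address and `DOMAIN = cfg.url;`, but the two consumers want different shapes: Vaultwarden's configuration documents `DOMAIN` as the full public URL including the `https://` scheme (it is used to build login links and the WebAuthn origin), while the old code passed a bare hostname. Add a `description` to the `url` option stating which form is expected — Caddy accepts `https://host` as a site address, so a scheme-prefixed value can satisfy both — and consider `assertions = [ { assertion = cfg.url != null; message = "modules.containers.vaultwarden.url must be set"; } ];` since a null `DOMAIN` fails evaluation. Keeping `SIGNUPS_ALLOWED = "false"` and `SHOW_PASSWORD_HINT = "false"` hard-coded is a reasonable safe default and worth a short comment saying so.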
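Review bot: The module now gates the container behind `enable` but documents nothing about what enabling it means: `"/var/run/podman/podman.sock:/var/run/docker.sock:ro"` hands the container the host's container-runtime socket, which is control over every other container on the host, and `WATCHTOWER_SCHEDULE = "0 0 5 * * *"` then pulls each sibling module's `:latest` image unattended. Give the option a description such as `enable = mkEnableOption "watchtower (mounts the host Podman socket; auto-updates all :latest containers nightly)";` so the trade-off is visible at the call site. Consider exposing the schedule as an option instead of the hard-coded cron string, mirroring how the other modules were parameterised in this commit.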