numbus/Numbus
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Update systemd services.

Browse Source
This commit is contained in:
Raphaël Numbus
2026-02-01 17:26:24 +01:00
parent 23aef89e2b
commit 1ef5a922ec
14 changed files with 241 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy.sh
-4
View File
@@ -420,11 +420,7 @@ services_generation() {
export HOME_ASSISTANT_MQTT_USER="$(xkcdpass -d "-" -n 2)"
export HOME_ASSISTANT_MQTT_PASSWORD="$(xkcdpass -d "-")"
mkdir -p final-nix-config/mnt/config/mqtt/
mkdir -p final-nix-config/mnt/config/home-assistant/
mkdir -p final-nix-config/mnt/config/frigate/
envsubst < templates/podman-config/home-assistant/mosquitto.conf > final-nix-config/mnt/config/mqtt/mosquitto.conf
envsubst < templates/podman-config/home-assistant/configuration.yaml > final-nix-config/mnt/config/home-assistant/configuration.yaml
envsubst < templates/podman-config/frigate/config.yaml > final-nix-config/mnt/config/frigate/config.yaml
touch final-nix-config/mnt/config/mqtt/password.txt
chmod 0700 final-nix-config/mnt/config/mqtt/password.txt
mosquitto_passwd -b final-nix-config/mnt/config/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD"
templates/nix-config/configuration.nix
+1 -2
View File
@@ -6,7 +6,6 @@
(modulesPath + "/profiles/qemu-guest.nix")
inputs.sops-nix.nixosModules.sops
./disks/disko.nix
./misc/activation.nix
./misc/mail.nix
./misc/networking.nix
./misc/smart.nix
@@ -27,9 +26,9 @@
sops.defaultSopsFile = ./secrets/secrets.yaml;
sops.age.sshKeyPaths = [ "/home/numbus-admin/.ssh/id_ed25519" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
sops.secrets."ssh_public_keys" = { owner = "numbus-admin"; path = "/etc/ssh/authorized_keys.d/numbus-admin"; };
sops.secrets."sender_email_address_password" = {};
sops.secrets."domain_name" = {};
sops.secrets."podman/frigate" = { owner = "numbus-admin"; path = "/etc/podman/frigate/.env"; };
sops.secrets."podman/gitea" = { owner = "numbus-admin"; path = "/etc/podman/gitea/.env"; };
sops.secrets."podman/home_assistant" = { owner = "numbus-admin"; path = "/etc/podman/home-assistant/.env"; };
templates/nix-config/misc/activation.nix
+74 -2
View File
@@ -23,8 +23,6 @@
chown -R numbus-admin:users /mnt/data/
chown -R 100032:users /mnt/data/nextcloud/
chown -R numbus-admin:users /home/numbus-admin/.numbus-server/
chown -R numbus-admin:users /mnt/config/frigate/config.yaml
chmod 644 /mnt/config/frigate/config.yaml
touch /home/numbus-admin/.numbus-server/chowned.true
'';
@@ -52,4 +50,78 @@ PODMAN_NETWORKS
touch /home/numbus-admin/.numbus-server/networked.true
'';
};
systemd.services.numbus-quirks = {
description = "Numbus-Server services : Apply quirks";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"local-fs.target"
"numbus-activation-chowned.service"
"numbus-activation-networked.service"
"pi-hole.service"
"home-assistant.service"
];
path = [ pkgs.curl pkgs.coreutils pkgs.systemd ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
#!/usr/bin/env bash
if [[ -e /home/numbus-admin/.numbus-server/quirked.true ]]; then
exit 0
fi
DOMAIN_NAME="$(cat /run/secrets/domain_name)"
if [[ ! -e /etc/nixos/podman/pi-hole.nix ]]; then
until curl -s "https://pi-hole.$DOMAIN_NAME/admin/login" | grep -q "Pi-hole"; do
echo "Waiting for Pi-hole to be ready..."
sleep 15
done
systemctl restart pi-hole.service
echo "Pi-Hole quirk applied and service ready !"
fi
if [[ ! -e /etc/nixos/podman/home-assistant.nix ]]; then
until [[ -e /mnt/config/home-assistant/configuration.yaml ]]; do
echo "Waiting for Home Assistant to be ready..."
sleep 15
done
sleep 180
systemctl stop frigate.service
cat << 'EOF' >> /mnt/config/home-assistant/configuration.yaml
http:
use_x_forwarded_for: true
trusted_proxies: 172.16.20.253
zha:
EOF
systemctl start home-assistant.service
echo "Home Assistant quirk applied and service ready !"
fi
if [[ ! -e /etc/nixos/podman/frigate.nix ]]; then
until [[ -e /mnt/config/frigate/config.yaml ]]; do
echo "Waiting for Frigate to be ready..."
sleep 15
done
sleep 180
systemctl stop frigate.service
cat << 'EOF' >> /mnt/config/frigate/config.yaml
tls:
enabled: false
EOF
systemctl start frigate.service
echo "Frigate quirk applied and service ready !"
fi
mkdir -p /home/numbus-admin/.numbus-server/
touch /home/numbus-admin/.numbus-server/quirked.true
'';
};
}
templates/nix-config/podman/frigate.nix
+2 -1
View File
@@ -64,8 +64,9 @@ in
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
TimeoutStartSec = "600";
ExecStartPre = [
"${pkgs.coreutils}/bin/sleep 180"
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
templates/nix-config/podman/gitea.nix
+25 -6
View File
@@ -35,6 +35,7 @@ in
- GITEA__server__ROOT_URL=gitea.$DOMAIN_NAME
labels:
- traefik.enable=true
- traefik.docker.network=gitea_frontend
- traefik.http.services.gitea.loadbalancer.server.port=3000
- traefik.http.services.gitea.loadbalancer.server.scheme=http
- traefik.http.routers.gitea-https.entrypoints=websecure
@@ -65,27 +66,45 @@ in
external: true
'';
systemd.services.${container_name} = {
systemd.services."${container_name}" = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
TimeoutStartSec = "900";
ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 400))'"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
systemd.services."update-${container_name}" = {
description = "Update ${container_name} container";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
};
};
systemd.timers."update-${container_name}" = {
timerConfig = {
OnCalendar = "02:00";
RandomizedDelaySec = "60m";
Unit = "update-${container_name}.service";
};
wantedBy = [ "timers.target" ];
};
};
}
templates/nix-config/podman/home-assistant.nix
+7 -2
View File
@@ -28,6 +28,7 @@ in
# --- home-assistant devices --- #
labels:
- traefik.enable=true
- traefik.docker.network=home-assistant_frontend
- traefik.http.services.home-assistant.loadbalancer.server.port=8123
- traefik.http.services.home-assistant.loadbalancer.server.scheme=http
- traefik.http.routers.home-assistant-https.entrypoints=websecure
@@ -57,14 +58,18 @@ in
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
TimeoutStartSec = "600";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
ExecStartPre = [
"${pkgs.coreutils}/bin/sleep 180"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
templates/nix-config/podman/immich.nix
+25 -6
View File
@@ -27,6 +27,7 @@ in
# --- immich devices --- #
labels:
- traefik.enable=true
- traefik.docker.network=immich_frontend
- traefik.http.services.immich.loadbalancer.server.port=2283
- traefik.http.services.immich.loadbalancer.server.scheme=http
- traefik.http.routers.immich-https.entrypoints=websecure
@@ -89,27 +90,45 @@ in
external: true
'';
systemd.services.${container_name} = {
systemd.services."${container_name}" = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
TimeoutStartSec = "900";
ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 400))'"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
systemd.services."update-${container_name}" = {
description = "Update ${container_name} container";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
};
};
systemd.timers."update-${container_name}" = {
timerConfig = {
OnCalendar = "02:00";
RandomizedDelaySec = "60m";
Unit = "update-${container_name}.service";
};
wantedBy = [ "timers.target" ];
};
};
}
templates/nix-config/podman/it-tools.nix
+26 -7
View File
@@ -20,6 +20,7 @@ in
it-tools_frontend:
labels:
- traefik.enable=true
- traefik.docker.network=it-tools_frontend
- traefik.http.services.it-tools.loadbalancer.server.port=80
- traefik.http.services.it-tools.loadbalancer.server.scheme=http
- traefik.http.routers.it-tools-https.entrypoints=websecure
@@ -32,27 +33,45 @@ in
external: true
'';
systemd.services.${container_name} = {
systemd.services."${container_name}" = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "sleep 90 && ${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
TimeoutStartSec = "600";
ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
systemd.services."update-${container_name}" = {
description = "Update ${container_name} container";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
};
};
systemd.timers."update-${container_name}" = {
timerConfig = {
OnCalendar = "02:00";
RandomizedDelaySec = "60m";
Unit = "update-${container_name}.service";
};
wantedBy = [ "timers.target" ];
};
};
}
templates/nix-config/podman/nextcloud.nix
+26 -7
View File
@@ -37,6 +37,7 @@ in
WATCHTOWER_DOCKER_SOCKET_PATH: /run/user/1000/podman/podman.sock
labels:
- traefik.enable=true
- traefik.docker.network=nextcloud-aio
- traefik.http.services.nextcloud-aio.loadbalancer.server.port=8080
- traefik.http.services.nextcloud-aio.loadbalancer.server.scheme=https
- traefik.http.routers.nextcloud-aio-https.entrypoints=websecure
@@ -55,27 +56,45 @@ in
name: nextcloud_aio_mastercontainer
'';
systemd.services.${container_name} = {
systemd.services."${container_name}" = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "sleep 100 && ${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
TimeoutStartSec = "600";
ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
systemd.services."update-${container_name}" = {
description = "Update ${container_name} container";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
};
};
systemd.timers."update-${container_name}" = {
timerConfig = {
OnCalendar = "02:00";
RandomizedDelaySec = "60m";
Unit = "update-${container_name}.service";
};
wantedBy = [ "timers.target" ];
};
};
}
templates/nix-config/podman/passbolt.nix
+26 -7
View File
@@ -39,6 +39,7 @@ in
PASSBOLT_SSL_FORCE: true
labels:
- traefik.enable=true
- traefik.docker.network=passbolt_frontend
- traefik.http.services.passbolt.loadbalancer.server.port=4433
- traefik.http.services.passbolt.loadbalancer.server.scheme=https
- traefik.http.routers.passbolt-https.entrypoints=websecure
@@ -84,27 +85,45 @@ in
passbolt-jwt:
'';
systemd.services.${container_name} = {
systemd.services."${container_name}" = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "sleep 110 && ${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
TimeoutStartSec = "600";
ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
systemd.services."update-${container_name}" = {
description = "Update ${container_name} container";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
};
};
systemd.timers."update-${container_name}" = {
timerConfig = {
OnCalendar = "02:00";
RandomizedDelaySec = "60m";
Unit = "update-${container_name}.service";
};
wantedBy = [ "timers.target" ];
};
};
}
templates/nix-config/podman/pi-hole.nix
+26 -12
View File
@@ -26,10 +26,6 @@ in
environment:
TZ: $TZ
FTLCONF_webserver_api_password: $FTLCONF_webserver_api_password
FTLCONF_dns_listeningMode: "all"
FTLCONF_dns_revServers: true,$HOME_ROUTER_SUBNET,$HOME_ROUTER_IP,home
FTLCONF_dns_domain_name: "home"
FTLCONF_dns_domain_local: "true"
FTLCONF_dns_hosts: |
$HOME_SERVER_IP frigate.$DOMAIN_NAME
$HOME_SERVER_IP gitea.$DOMAIN_NAME
@@ -52,6 +48,7 @@ in
- SYS_NICE
labels:
- traefik.enable=true
- traefik.docker.network=pi-hole_frontend
- traefik.http.services.pihole.loadbalancer.server.port=80
- traefik.http.services.pihole.loadbalancer.server.scheme=http
- traefik.http.routers.pihole-https.entrypoints=websecure
@@ -64,29 +61,46 @@ in
pi-hole_frontend:
external: true
'';
systemd.services.${container_name} = {
systemd.services."${container_name}" = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
AmbientCapabilities = "CAP_SYS_NICE";
LimitNICE = -20;
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
TimeoutStartSec = "600";
ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'sleep 20'"
"-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
systemd.services."update-${container_name}" = {
description = "Update ${container_name} container";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
};
};
systemd.timers."update-${container_name}" = {
timerConfig = {
OnCalendar = "02:00";
RandomizedDelaySec = "60m";
Unit = "update-${container_name}.service";
};
wantedBy = [ "timers.target" ];
};
};
}
templates/nix-config/podman/traefik.nix
+2 -4
View File
@@ -31,6 +31,7 @@ TRAEFIK_NETWORKS
- CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
labels:
- traefik.enable=true
- traefik.docker.network=home-assistant_frontend
- traefik.http.services.traefik.loadbalancer.server.port=8080
- traefik.http.services.traefik.loadbalancer.server.scheme=http
- traefik.http.routers.traefik-https.entrypoints=websecure
@@ -46,17 +47,14 @@ TRAEFIK_REF_NETWORKS
description = "Podman container : ${container_name}";
after = [ "numbus-activation-networked.service" "numbus-activation-chowned.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
path = [ pkgs.podman pkgs.coreutils ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
templates/nix-config/sops-nix/secrets.yaml
+1
View File
@@ -1,5 +1,6 @@
ssh_public_keys: "$SSH_PUBLIC_KEY"
sender_email_address_password: "$SENDER_EMAIL_ADDRESS_PASSWORD"
domain_name: "$DOMAIN_NAME"
podman:
frigate: |
templates/podman-config/home-assistant/configuration.yaml
-17
View File
@@ -1,17 +0,0 @@
# Loads default set of integrations. Do not remove.
default_config:
# Load frontend themes from the themes folder
frontend:
themes: !include_dir_merge_named themes
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
http:
use_x_forwarded_for: true
trusted_proxies: 172.16.20.253
zha: