From 4bbd62a93efaad0124ed2700eb387a6b1375bd59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Numbus?= Date: Mon, 23 Feb 2026 23:05:54 +0100 Subject: [PATCH] Services are ready --- modules/global.nix | 12 ++ modules/networking/networking.nix | 6 + modules/secrets.nix | 0 modules/services/default.nix | 2 +- modules/services/gitea.nix | 7 +- modules/services/home-assistant.nix | 92 ++++++++-------- modules/services/immich.nix | 5 +- modules/services/nextcloud.nix | 164 +++++++++++++++++++++++----- modules/services/passbolt.nix | 51 +++++---- modules/services/pi-hole.nix | 22 ++-- modules/services/traefik.nix | 48 +++++--- 11 files changed, 276 insertions(+), 133 deletions(-) delete mode 100644 modules/secrets.nix diff --git a/modules/global.nix b/modules/global.nix index 1b856f5..b41f16c 100644 --- a/modules/global.nix +++ b/modules/global.nix @@ -10,6 +10,18 @@ with lib; default = "Numbus"; description = "The name of the person who owns this server"; }; + language = { + type = type.str; + example = "FR"; + default = "FR"; + description = "The language for this server"; + }; + locale = { + type = type.str; + example = "fr_FR"; + default = "fr_FR"; + description = "The default locale for this server"; + }; services = { domain = mkOption { diff --git a/modules/networking/networking.nix b/modules/networking/networking.nix index cc4cef6..3424d48 100644 --- a/modules/networking/networking.nix +++ b/modules/networking/networking.nix @@ -23,6 +23,12 @@ in type = types.str; example = "192.168.1.1"; }; + networkSubnet = mkOption { + description = "The subnet of your network"; + type = types.str; + default = ""; + example = "192.168.1.0/24"; + }; dnsServers = mkOption { description = "The list of DNS servers that this server will use"; type = types.listOf types.str; diff --git a/modules/secrets.nix b/modules/secrets.nix deleted file mode 100644 index e69de29..0000000 diff --git a/modules/services/default.nix b/modules/services/default.nix index 6ce174d..7aca70e 100644 
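Review bot: `language` and `locale` are added as plain attribute sets, not options: unlike the `domain = mkOption {` line that follows them they lack the `mkOption` wrapper, and `type = type.str;` names `type` where the rest of the file (and the networking hunk in this patch) uses `types.str`. As written, `config.numbus.language`, which the nextcloud hunk reads for `NC_default_language`, will not evaluate to the string the author expects. Suggested shape for both: `language = mkOption { type = types.str; example = "FR"; default = "FR"; description = "The language for this server"; };`.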
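Review bot: `networkSubnet` defaults to `""`, so a consumer cannot distinguish "not configured" from a value without a string comparison, and nothing in this patch reads the option yet (the pi-hole hunk removes the `revServers` TODO that looks like its intended consumer). `type = types.nullOr types.str; default = null;` makes the unset case explicit; the `example = "192.168.1.0/24"` line can stay.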
--- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -2,7 +2,7 @@ { imports = [ - ./adguard.nix +# ./adguard.nix ./frigate.nix ./gitea.nix ./home-assistant.nix diff --git a/modules/services/gitea.nix b/modules/services/gitea.nix index 22b07a4..c1e42d4 100644 --- a/modules/services/gitea.nix +++ b/modules/services/gitea.nix @@ -22,11 +22,6 @@ helper.mkPodmanService { DB_USERNAME = "xkcdpass -n 2 -d -"; DB_PASSWORD = "xkcdpass -n 8 -d -"; }; - importedSecrets = { - DOMAIN_NAME = "${config.numbus.services.domain}"; - POSTGRES_HOST="gitea-database"; - POSTGRES_PORT=5432; - }; dirPermissions = [ "100999:users ${cfg.configDir}" ]; @@ -48,7 +43,7 @@ helper.mkPodmanService { - /etc/localtime:/etc/localtime:ro environment: - GITEA__database__DB_TYPE=postgres - - GITEA__database__HOST=$POSTGRES_HOST:$POSTGRES_PORT + - GITEA__database__HOST=gitea-database:5432 - GITEA__database__NAME=$DB_NAME - GITEA__database__USER=$DB_USERNAME - GITEA__database__PASSWD=$DB_PASSWORD diff --git a/modules/services/home-assistant.nix b/modules/services/home-assistant.nix index 2e0a7ba..d432ebb 100644 --- a/modules/services/home-assistant.nix +++ b/modules/services/home-assistant.nix 
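Review bot: Dropping `importedSecrets` removes `DOMAIN_NAME` from gitea's generated .env, but the hunk at -48 only rewrites `$POSTGRES_HOST:$POSTGRES_PORT`; any `$DOMAIN_NAME` reference elsewhere in the compose text (the rest of `composeText` lies outside these hunks) would now expand to an empty string. Worth a quick grep of gitea.nix, since immich.nix removes the same key in its hunk.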
@@ -24,6 +24,50 @@ helper.mkPodmanService { "100999:users ${cfg.configDir}/mqtt" ]; +# Compose file good + composeText = '' + services: + home-assistant: + image: ghcr.io/home-assistant/home-assistant:${homeAssistantVersion} + container_name: home-assistant + hostname: home-assistant + networks: + home-assistant: + ports: + - "${cfg.port}:8123/tcp" + volumes: + - ${cfg.configDir}/home-assistant:/config + - /etc/localtime:/etc/localtime:ro + - /run/dbus:/run/dbus:ro +${lib.optionalString (cfg.devices != []) '' + devices: +${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)} +''} + security_opt: + - no-new-privileges:true + cap_drop: + - NET_RAW + restart: unless-stopped + home-assistant-mqtt: + image: docker.io/library/eclipse-mosquitto:${mqttVersion} + container_name: home-assistant-mqtt + hostname: home-assistant-mqtt + user: '1000:1000' + networks: + home-assistant: + volumes: + - ${cfg.configDir}/mqtt:/mosquitto + security_opt: + - no-new-privileges:true + cap_drop: + - NET_RAW + restart: unless-stopped + networks: + home-assistant: + name: home-assistant + driver: bridge + ''; + extraOptions = { devices = mkOption { type = types.listOf types.str; @@ -83,7 +127,7 @@ EOF }; script = '' mkdir -p /var/lib/numbus-server/${name} - if [[ -e /var/lib/numbus-server/${name}/quirk.true ]]; then + if [[ -e /var/lib/numbus-server/${name}/quirk-2.true ]]; then exit 0 fi cat << EOF >> ${cfg.configDir}/mqtt/mosquitto.conf 
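Review bot: Renaming the sentinel to `quirk-2.true` (here and in the hunk at -98) re-runs the quirk script on hosts that already carry `quirk.true`, and that script appends to `${cfg.configDir}/mqtt/mosquitto.conf` with `cat << EOF >>` and calls `mosquitto_passwd -b` again, so the listener block gets duplicated on the second run. If the re-run is intended, make the write idempotent, e.g. `cat << EOF > ${cfg.configDir}/mqtt/mosquitto.conf` (the heredoc body and its `EOF` terminator are outside this hunk, so confirm nothing else appends first), or remove the old marker in the same step.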
@@ -98,51 +142,7 @@ EOF source /var/lib/numbus-server/${name}/.env mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD" chmod 600 ${cfg.configDir}/mqtt/password.txt - touch /var/lib/numbus-server/${name}/quirk.true + touch /var/lib/numbus-server/${name}/quirk-2.true ''; }; - -# Compose file good - composeText = '' - services: - home-assistant: - image: ghcr.io/home-assistant/home-assistant:${homeAssistantVersion} - container_name: home-assistant - hostname: home-assistant - networks: - home-assistant: - ports: - - "${cfg.port}:8123/tcp" - volumes: - - ${cfg.configDir}/home-assistant:/config - - /etc/localtime:/etc/localtime:ro - - /run/dbus:/run/dbus:ro -${lib.optionalString (cfg.devices != []) '' - devices: -${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)} -''} - security_opt: - - no-new-privileges:true - cap_drop: - - NET_RAW - restart: unless-stopped - home-assistant-mqtt: - image: docker.io/library/eclipse-mosquitto:${mqttVersion} - container_name: home-assistant-mqtt - hostname: home-assistant-mqtt - user: '1000:1000' - networks: - home-assistant: - volumes: - - ${cfg.configDir}/mqtt:/mosquitto - security_opt: - - no-new-privileges:true - cap_drop: - - NET_RAW - restart: unless-stopped - networks: - home-assistant: - name: home-assistant - driver: bridge - ''; } diff --git a/modules/services/immich.nix b/modules/services/immich.nix index 631dd3b..973fc4c 100644 --- a/modules/services/immich.nix +++ b/modules/services/immich.nix @@ -25,7 +25,6 @@ helper.mkPodmanService { DB_PASSWORD = "xkcdpass -n 8 -d -"; }; importedSecrets = { - DOMAIN_NAME = "${config.numbus.services.domain}"; REDIS_HOSTNAME = "immich-redis"; DB_HOSTNAME = "immich-database"; UPLOAD_LOCATION = "${cfg.dataDir}"; @@ -50,7 +49,7 @@ helper.mkPodmanService { ports: - "${cfg.port}:2283/tcp" volumes: - - ${cfg.dataDir}:/data + - $UPLOAD_LOCATION:/data - /etc/localtime:/etc/localtime:ro env_file: - .env 
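Review bot: `- $UPLOAD_LOCATION:/data` (and `$DB_DATA_LOCATION:/var/lib/postgresql/data` in the hunk at -107) relies on variable substitution when the compose file is parsed; `env_file: - .env` only populates the container environment and does not feed that substitution. Unless the helper exports the generated .env into the compose process (not visible here), the bind source becomes an empty string and the mount fails or a named volume is created instead. Keeping `${cfg.dataDir}:/data` and `${cfg.configDir}/database:/var/lib/postgresql/data` resolves the paths at Nix evaluation time and avoids the dependency.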
@@ -107,7 +106,7 @@ helper.mkPodmanService {
 POSTGRES_DB: $DB_NAME
 POSTGRES_INITDB_ARGS: '--data-checksums'
 volumes:
- - ${cfg.configDir}/database:/var/lib/postgresql/data
+ - $DB_DATA_LOCATION:/var/lib/postgresql/data
 shm_size: 128mb
 healthcheck:
 disable: false
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index 1995b2a..25ce1fb 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -3,39 +3,37 @@ with lib; let + # Version tagging nextcloudVersion = "32.0.6"; redisVersion = "8.6-alpine"; - databaseVersion = "11.4"; + databaseVersion = "11.8"; onlyofficeVersion = "9.2"; whiteboardVersion = "v1.5.6"; + # Helper helper = import ./lib.nix { inherit config pkgs lib; }; cfg = config.numbus.services.nextcloud; - cfg2 = config.numbus.services.onlyoffice; - cfg3 = config.numbus.services.whiteboard; in helper.mkPodmanService { description = "Nextcloud, your own online office suite"; name = "nextcloud"; pod = "nextcloud"; - defaultPort = "11000"; + defaultPort = "1100"; generatedSecrets = { DB_NAME = "xkcdpass -n 2 -d -"; DB_USERNAME = "xkcdpass -n 2 -d -"; - DB_PASSWORD = "xkcdpass -n 8 -d -"; - REDIS_PASSWORD = "xkcdpass -n 8 -d -"; - }; - importedSecrets = { - DOMAIN_NAME = "${config.numbus.services.domain}"; - REDIS_HOSTNAME = "immich-redis"; - DB_HOSTNAME = "immich-database"; - UPLOAD_LOCATION = "${cfg.dataDir}"; - DB_DATA_LOCATION = "${cfg.configDir}/database"; - TZ = "${time.timeZone}"; + DB_PASSWORD = "xkcdpass -n 10 -d -"; + REDIS_PASSWORD = "xkcdpass -n 10 -d -"; + ONLYOFFICE_PASSWORD = "xkcdpass -n 10 -d -"; + WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -"; + SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}"; }; dirPermissions = [ - "100999:users ${cfg.dataDir}" - "100999:users ${cfg.configDir}" + "100032:users ${cfg.configDir}/web" + "100999:users ${cfg.configDir}/redis" + "100999:users ${cfg.configDir}/database" + "100999:users ${cfg.configDir}/onlyoffice" + "100032:users ${cfg.dataDir}" ]; # Compose file good 
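Review bot: `defaultPort = "1100";` replaces `"11000"`, which looks like a dropped digit rather than a deliberate move; if it is intentional it deserves a comment since the traefik route for the main container (outside this patch) must follow. Removing `cfg2`/`cfg3` also hard-codes the OnlyOffice and whiteboard ports in the hunk at -111, so those can no longer be changed per host. `SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}"` copies the shared mail credential into this service's generated .env; a one-line comment such as `# SMTP password is read from the shared mail secret, not generated` would make that visible to the next reader.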
@@ -61,16 +59,21 @@ helper.mkPodmanService { REDIS_HOST_PASSWORD: $REDIS_PASSWORD NEXTCLOUD_TRUSTED_DOMAINS: ${cfg.subdomain}.${config.numbus.services.domain} NEXTCLOUD_DATA_DIR: /mnt/ncdata - SMTP_HOST: $SMTP_HOST SMTP_SECURE: tls - SMTP_PORT: $SMTP_PORT - SMTP_NAME: $SMTP_NAME + SMTP_HOST: ${config.numbus.mail.smtpServer} + SMTP_PORT: ${config.numbus.mail.smtpPort} + SMTP_NAME: ${config.numbus.mail.smtpUsername} SMTP_PASSWORD: $SMTP_PASSWORD MAIL_FROM_ADDRESS: nextcloud-noreply MAIL_DOMAIN: ${config.numbus.services.domain} APACHE_DISABLE_REWRITE_IP: 1 - TRUSTED_PROXIES: 192.168.11.5 + TRUSTED_PROXIES: ${config.numbus.networking.ipAddress} OVERWRITEPROTOCOL: https + NC_default_phone_region: "${config.numbus.language}" + NC_default_language: "${config.numbus.language}" + NC_default_locale: "${config.numbus.locale}" + NC_default_timezone: "${time.timeZone}" + NC_maintenance_window_start: "1" depends_on: - nextcloud-database security_opt: @@ -87,7 +90,7 @@ helper.mkPodmanService { nextcloud: volumes: - ${cfg.configDir}/redis:/data - command: redis-server --requirepass $REDIS_HOST_PASSWORD --save 60 1 --loglevel warning + command: redis-server --requirepass $REDIS_PASSWORD --save 60 1 --loglevel warning security_opt: - no-new-privileges:true cap_drop: 
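Review bot: `NC_default_timezone: "${time.timeZone}"` interpolates a bare `time` binding; with only `with lib;` in scope that name is undefined unless the module's argument list binds it (not visible here), whereas NixOS exposes the setting as `config.time.timeZone`. The same reference is added in passbolt.nix (`APP_DEFAULT_TIMEZONE`) and pi-hole.nix (`TZ`). Separately, `SMTP_PORT: ${config.numbus.mail.smtpPort}` fails to evaluate if that option is an integer; `${toString config.numbus.mail.smtpPort}` is safe for both types.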
@@ -111,19 +114,20 @@ helper.mkPodmanService { - no-new-privileges:true cap_drop: - NET_RAW + command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW restart: unless-stopped nextcloud-onlyoffice: container_name: nextcloud-onlyoffice hostname: nextcloud-onlyoffice image: docker.io/onlyoffice/documentserver:${onlyofficeVersion} environment: - - JWT_SECRET=$JWT_SECRET + - JWT_SECRET=$ONLYOFFICE_PASSWORD ports: - - "${cfg2.port}:80/tcp" + - "9980:80/tcp" volumes: - - ${cfg2.configDir}/log:/var/log/onlyoffice - - ${cfg2.configDir}/cache:/var/lib/onlyoffice - - ${cfg2.configDir}/database:/var/lib/postgresql + - ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice + - ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice + - ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql security_opt: - no-new-privileges:true cap_drop: @@ -135,10 +139,10 @@ helper.mkPodmanService { hostname: nextcloud-whiteboard user: '1000:1000' ports: - - "${cfg3.port}:3002/tcp" + - "3002:3002/tcp" environment: NEXTCLOUD_URL: https://${cfg.subdomain}.${config.numbus.services.domain} - JWT_SECRET_KEY: $JWT_SECRET + JWT_SECRET_KEY: $WHITEBOARD_PASSWORD security_opt: - no-new-privileges:true cap_drop: 
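Review bot: `- "9980:80/tcp"` and `- "3002:3002/tcp"` publish the OnlyOffice and whiteboard backends on every host interface, while the traefik routes added in the hunk at -150 reach them through `host.containers.internal`; the plain-HTTP backends are therefore also reachable from the LAN, bypassing the `secureHeaders` middleware and TLS. Restricting the publish address to the one `host.containers.internal` resolves to (or to `${config.numbus.networking.ipAddress}` if that is it) keeps them off other interfaces, and a configurable option in place of the dropped `cfg2.port`/`cfg3.port` avoids the magic numbers. The JWT secrets limit what an unauthenticated client can do, but the exposure is wider than the traefik path needs.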
@@ -150,4 +154,108 @@ helper.mkPodmanService { driver: bridge ''; + extraConfig = { + environment.etc."${config.numbus.traefikDynamicConfigDir}/nextcloud-onlyoffice.yaml".text = '' + http: + routers: + nextcloud-onlyoffice: + rule: "Host(`onlyoffice.${config.numbus.services.domain}`)" + entrypoints: + - "websecure" + service: nextcloud-onlyoffice + middlewares: + - "secureHeaders" + tls: + certresolver: "cloudflare" + options: "secureTLS" + services: + nextcloud-onlyoffice: + loadBalancer: + servers: + - url: "http://host.containers.internal:9980" + ''; + + environment.etc."${config.numbus.traefikDynamicConfigDir}/nextcloud-whiteboard.yaml".text = '' + http: + routers: + nextcloud-whiteboard: + rule: "Host(`whiteboard.${config.numbus.services.domain}`)" + entrypoints: + - "websecure" + service: nextcloud-whiteboard + middlewares: + - "secureHeaders" + tls: + certresolver: "cloudflare" + options: "secureTLS" + services: + nextcloud-whiteboard: + loadBalancer: + servers: + - url: "http://host.containers.internal:3002" + ''; + + systemd.services."${name}-quirk" = { + description = "Podman container quirk : ${name}"; + wantedBy = [ "multi-user.target" ]; + after = [ "${name}.service" "${name}-secrets.service" ]; + onFailure = [ "service-failure-notify@%n.service" ]; + startLimitBurst = 5; + startLimitIntervalSec = 600; + path = [ pkgs.coreutils pkgs.sudo pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + mkdir -p /var/lib/numbus-server/${name} + if [[ -e /var/lib/numbus-server/${name}/quirk.true ]]; then + exit 0 + fi + source /var/lib/numbus-server/${name}/.env + sleep 300 + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ background:cron + sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ db:add-missing-indices + sudo -u numbus-admin podman exec --user www-data 
nextcloud-server php occ maintenance:repair --include-expensive + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:scan --all + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:repair-tree + for app in calendar contacts mail note onlyoffice cookbook whiteboard; do + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:install $app + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:enable $app + done + for app in activity app_api federatedfilesharing federation webhook_listeners photos recommendations sharebymail teams support richdocumentscode; do + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:disable $app + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:remove $app + done + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.${config.numbus.services.domain}/" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerUrl --value="https://onlyoffice.${config.numbus.services.domain}/" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard collabBackendUrl --value="https://whiteboard.${config.numbus.services.domain}" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD" + touch /var/lib/numbus-server/${name}/quirk.true + ''; + }; + + systemd.services."${name}-cron" = { + description = "Podman container crontab : ${name}"; + after = [ "${name}.service" "${name}-quirk.service" ]; + onFailure = [ "service-failure-notify@%n.service" ]; + path = [ 
pkgs.coreutils pkgs.sudo pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php"; + }; + }; + + systemd.timers."${name}-cron" = { + description = "Timer for Nextcloud cron"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "5m"; + OnUnitActiveSec = "5m"; + Unit = "${name}-cron.service"; + }; + }; + }; } \ No newline at end of file diff --git a/modules/services/passbolt.nix b/modules/services/passbolt.nix index df5ae9c..2d31ae6 100644 --- a/modules/services/passbolt.nix +++ b/modules/services/passbolt.nix @@ -3,8 +3,10 @@ with lib; let + # Version tagging passboltVersion = "5.9.0-1-ce-non-root"; databaseVersion = "12.2"; + # Helper helper = import ./lib.nix { inherit config pkgs lib; }; cfg = config.numbus.services.passbolt; in @@ -15,8 +17,18 @@ helper.mkPodmanService { pod = "passbolt"; defaultPort = "4433"; scheme = "https"; - configDir = false; - dataDir = false; + dataDirEnabled = false; + generatedSecrets = { + DB_NAME = "xkcdpass -n 2 -d -"; + DB_USERNAME = "xkcdpass -n 2 -d -"; + DB_PASSWORD = "xkcdpass -n 10 -d -"; + SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}"; + }; + dirPermissions = [ + "100032:users ${cfg.configDir}/gpg" + "100032:users ${cfg.configDir}/jwt" + "100999:users ${cfg.configDir}/database" + ]; # Compose file good composeText = '' 
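Review bot: The quirk script waits a fixed `sleep 300` and, because NixOS runs `script` with `set -e`, any failing step aborts before `touch .../quirk.true`, so every restart repeats the five-minute wait plus `files:scan --all` and `maintenance:repair --include-expensive` until `startLimitBurst` is exhausted; the `for app in calendar contacts mail note ...` loop is one likely trigger, since the Notes app is published under the id `notes` (verify `note` resolves). Replace the sleep with a readiness poll, e.g. `until sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ status | grep -q 'installed: true'; do sleep 10; done`. Also the `config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD"` and `config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD"` lines place the secrets on the `podman exec` command line, visible to any host user via the process list while the call runs; at minimum note it with `# NOTE: secret values appear in the host process list during these calls` so it is a known trade-off rather than an accident.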
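Review bot: `dataDirEnabled = false;` replaces `configDir = false; dataDir = false;`, but pi-hole.nix (hunk at -16) and traefik.nix (hunk at -13) in this same patch disable the data directory with `dataDir = false;`; only one of the two spellings can match what `mkPodmanService` in lib.nix reads, so whichever service uses the other silently keeps its data directory. Pick one attribute name and use it in all three files. Note also that `configDir` is no longer disabled here, which the new `dirPermissions` entries under `${cfg.configDir}` appear to rely on.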
@@ -25,24 +37,25 @@ helper.mkPodmanService {
 image: docker.io/passbolt/passbolt:${passboltVersion}
 container_name: passbolt-server
 hostname: passbolt-server
+ user: '33:33'
 networks:
 passbolt:
 ports:
 - "${cfg.port}:4433/tcp"
 volumes:
- - passbolt-gpg:/etc/passbolt/gpg
- - passbolt-jwt:/etc/passbolt/jwt
+ - ${cfg.configDir}/gpg:/etc/passbolt/gpg
+ - ${cfg.configDir}/jwt:/etc/passbolt/jwt
 environment:
- APP_DEFAULT_TIMEZONE: $TZ
+ APP_DEFAULT_TIMEZONE: ${time.timeZone}
 APP_FULL_BASE_URL: https://${cfg.subdomain}.${config.numbus.services.domain}
 DATASOURCES_DEFAULT_HOST: "passbolt-database"
- DATASOURCES_DEFAULT_USERNAME: $PASSBOLT_MYSQL_USER
- DATASOURCES_DEFAULT_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
- DATASOURCES_DEFAULT_DATABASE: $PASSBOLT_MYSQL_DATABASE
+ DATASOURCES_DEFAULT_USERNAME: $DB_USERNAME
+ DATASOURCES_DEFAULT_PASSWORD: $DB_PASSWORD
+ DATASOURCES_DEFAULT_DATABASE: $DB_NAME
 EMAIL_DEFAULT_FROM_NAME: "Passbolt"
- EMAIL_TRANSPORT_DEFAULT_HOST: $EMAIL_TRANSPORT_DEFAULT_HOST
- EMAIL_TRANSPORT_DEFAULT_PORT: $EMAIL_TRANSPORT_DEFAULT_PORT
- EMAIL_TRANSPORT_DEFAULT_USERNAME: $EMAIL_TRANSPORT_DEFAULT_USERNAME
+ EMAIL_TRANSPORT_DEFAULT_HOST: ${config.numbus.mail.smtpServer}
+ EMAIL_TRANSPORT_DEFAULT_PORT: ${config.numbus.mail.smtpPort}
+ EMAIL_TRANSPORT_DEFAULT_USERNAME: ${config.numbus.mail.smtpUsername}
 EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_TRANSPORT_DEFAULT_PASSWORD
 EMAIL_TRANSPORT_DEFAULT_TLS: true
 EMAIL_DEFAULT_FROM: passbolt-noreply@${config.numbus.services.domain}
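Review bot: `EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_TRANSPORT_DEFAULT_PASSWORD` is left untouched while the value it came from was replaced by `SMTP_PASSWORD` in `generatedSecrets` (hunk at -15), so the variable is now undefined and Passbolt will authenticate to SMTP with an empty password. Change it to `EMAIL_TRANSPORT_DEFAULT_PASSWORD: $SMTP_PASSWORD`, matching the other DATASOURCES/EMAIL lines renamed in this hunk. `${config.numbus.mail.smtpPort}` needs `toString` if that option is an integer, as in the nextcloud hunk.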
@@ -67,27 +80,21 @@ helper.mkPodmanService { image: docker.io/library/mariadb:${databaseVersion} container_name: passbolt-database hostname: passbolt-database + user: '1000:1000' networks: passbolt: volumes: - - passbolt-database:/var/lib/mysql + - ${cfg.configDir}/database:/var/lib/mysql environment: MYSQL_RANDOM_ROOT_PASSWORD: "true" - MYSQL_DATABASE: $PASSBOLT_MYSQL_DATABASE - MYSQL_USER: $PASSBOLT_MYSQL_USER - MYSQL_PASSWORD: $PASSBOLT_MYSQL_PASSWORD + MYSQL_DATABASE: $DB_NAME + MYSQL_USER: $DB_USERNAME + MYSQL_PASSWORD: $DB_PASSWORD security_opt: - no-new-privileges:true cap_drop: - NET_RAW restart: unless-stopped - volumes: - passbolt-database: - name: passbolt-database - passbolt-gpg: - name: passbolt-gpg - passbolt-jwt: - name: passbolt-jwt networks: passbolt: name: passbolt diff --git a/modules/services/pi-hole.nix b/modules/services/pi-hole.nix index 83e8416..2f2f749 100644 --- a/modules/services/pi-hole.nix +++ b/modules/services/pi-hole.nix @@ -3,7 +3,9 @@ with lib; let + # Version tagging piholeVersion = "2026.02.0"; + # Helper helper = import ./lib.nix { inherit config pkgs lib; }; cfg = config.numbus.services.pi-hole; in @@ -16,6 +18,12 @@ helper.mkPodmanService { dependencies = [ "network.target" "multi-user.target" ]; dataDir = false; delaySec = 10; + generatedSecrets = { + PIHOLE_PASSWORD = "xkcdpass -n 10 -d -"; + }; + dirPermissions = [ + "numbus-admin:users ${cfg.configDir}" + ]; # Compose file good composeText = '' 
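Review bot: `dirPermissions = [ "numbus-admin:users ${cfg.configDir}" ]` in the pi-hole hunk hands the bind-mounted `/etc/pihole` to the host user, while the container runs Pi-hole as `PIHOLE_UID: '1000'`; every other service in this patch maps container uid 1000 to host `100999` (the passbolt database above pairs `user: '1000:1000'` with `100999:users ${cfg.configDir}/database`). If the helper runs podman rootless as numbus-admin, that user is uid 0 inside the container, so uid 1000 there cannot write the directory unless Pi-hole's entrypoint chowns it as root first. `"100999:users ${cfg.configDir}"` would be consistent with the other modules; confirm against how the volume behaves on first start.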
@@ -29,24 +37,22 @@ helper.mkPodmanService { - "${cfg.port}:443/tcp" - "53:53/tcp" - "53:53/udp" + volumes: + - ${cfg.configDir}:/etc/pihole environment: PIHOLE_UID: '1000' PIHOLE_GID: '1000' - TZ: $TZ - FTLCONF_webserver_api_password: $FTLCONF_webserver_api_password + TZ: ${time.timeZone} + FTLCONF_webserver_api_password: $PIHOLE_PASSWORD FTLCONF_webserver_domain: ${cfg.subdomain}.${config.numbus.services.domain} FTLCONF_dns_upstreams: 9.9.9.9;149.112.112.112 FTLCONF_dns_hosts: | ${lib.concatStringsSep "" (lib.mapAttrsToList (name: service: if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then - " $HOME_SERVER_IP ${service.subdomain}.${config.numbus.services.domain}\n" + " ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n" else "" ) config.numbus.services)} - # TODO : get revServers to work - # FTLCONF_dns_revServers: | - # true,$HOME_ROUTER_SUBNET,$HOME_ROUTER_IP,${config.numbus.services.domain} - # true,$HOME_VPN_SUBNET,$HOME_VPN_IP,${config.numbus.services.domain} FTLCONF_dns_listeningMode: "BIND" FTLCONF_dns_domain_name: "${config.numbus.services.domain}" FTLCONF_dns_domain_local: "true" @@ -54,8 +60,6 @@ ${lib.concatStringsSep "" (lib.mapAttrsToList (name: service: FTLCONF_ntp_ipv4_active: "false" FTLCONF_ntp_ipv6_active: "false" FTLCONF_ntp_sync_active: "false" - volumes: - - ${cfg.configDir}:/etc/pihole cap_add: - SYS_NICE restart: unless-stopped diff --git a/modules/services/traefik.nix b/modules/services/traefik.nix index 6b91905..704598e 100644 --- a/modules/services/traefik.nix +++ b/modules/services/traefik.nix @@ -3,7 +3,9 @@ with lib; let + # Version tagging traefikVersion = "v3.6.8"; + # Helper helper = import ./lib.nix { inherit config pkgs lib; }; cfg = config.numbus.services.traefik; in 
@@ -13,23 +15,16 @@ helper.mkPodmanService { name = "traefik"; reverseProxied = false; dependencies = [ "network.target" "multi-user.target" ]; - configDir = false; + dataDir = false; delaySec = 10; - - extraOptions = { - enable.default = true; - staticConfigFile = mkOption { - type = types.str; - default = "traefik/config.yaml"; - description = "The path for Traefik's static configuration file, relative to /etc/"; - }; - logLevel = mkOption { - type = types.enum [ "TRACE" "DEBUG" "INFO" "WARN" "ERROR" "FATAL" ]; - default = "ERROR"; - description = "The level of detail Traefik should print in the logs."; - }; - # traefikDynamicConfigDir defined at global.nix + generatedSecrets = { + CLOUDFLARE_DNS_API_TOKEN = "cat ${config.numbus.mail.smtpPasswordPath}"; }; + dirPermissions = [ + "100999:users ${cfg.configDir}" + "100999:users /etc/${cfg.staticConfigFile}" + "100999:users ${config.numbus.traefikDynamicConfigDir}" + ]; # Compose file good composeText = '' @@ -38,17 +33,19 @@ helper.mkPodmanService { image: docker.io/library/traefik:${traefikVersion} container_name: traefik hostname: traefik + user: '1000:1000' network_mode: pasta ports: - "80:80/tcp" - "443:443/tcp" volumes: - - /run/user/1000/podman/podman.sock:/run/docker.sock:ro - /etc/${cfg.staticConfigFile}:/etc/traefik/traefik.yaml:ro - ${config.numbus.traefikDynamicConfigDir}:/etc/traefik/conf:ro - - ${cfg.dataDir}:/var/traefik/certs:rw + - ${cfg.configDir}:/var/traefik/certs:rw environment: - - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN + - CF_DNS_API_TOKEN=$CLOUDFLARE_DNS_API_TOKEN + cap_add: + - NET_BIND_SERVICE security_opt: - no-new-privileges:true restart: unless-stopped 
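Review bot: `CLOUDFLARE_DNS_API_TOKEN = "cat ${config.numbus.mail.smtpPasswordPath}";` reads the SMTP password file, not a Cloudflare token, so the `CF_DNS_API_TOKEN` the compose passes to the `cloudflare` certresolver is wrong and DNS-01 issuance will fail; it also copies the mail credential into traefik's .env where it has no business being. Point it at a dedicated token path (the option for it is not in this patch; `config.numbus.<cloudflare-token-path-option>` is a placeholder). Separately, `dirPermissions` chowns `/etc/${cfg.staticConfigFile}` and `${config.numbus.traefikDynamicConfigDir}` to 100999, but nextcloud.nix writes into that directory through `environment.etc`, i.e. NixOS-managed symlinks into the store, where a chown does not survive activation; both are mounted `:ro` and traefik runs as `user: '1000:1000'`, so readability rather than ownership is what matters here.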
@@ -138,4 +135,19 @@ helper.mkPodmanService {
 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 '';
 };
+
+ extraOptions = {
+ enable.default = true;
+ staticConfigFile = mkOption {
+ type = types.str;
+ default = "traefik/config.yaml";
+ description = "The path for Traefik's static configuration file, relative to /etc/";
+ };
+ logLevel = mkOption {
+ type = types.enum [ "TRACE" "DEBUG" "INFO" "WARN" "ERROR" "FATAL" ];
+ default = "ERROR";
+ description = "The level of detail Traefik should print in the logs.";
+ };
+ # traefikDynamicConfigDir defined at global.nix
+ };
 }
\ No newline at end of file