numbus/numbus-server-module
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Services are ready

Browse Source
This commit is contained in:
Raphaël Numbus
2026-02-23 23:05:54 +01:00
parent 944ffcea85
commit 4bbd62a93e
11 changed files with 276 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/global.nix
+12
View File
@@ -10,6 +10,18 @@ with lib;
default = "Numbus"; default = "Numbus";
description = "The name of the person who owns this server"; description = "The name of the person who owns this server";
}; };
language = {
type = type.str;
example = "FR";
default = "FR";
description = "The language for this server";
};
locale = {
type = type.str;
example = "fr_FR";
default = "fr_FR";
description = "The default locale for this server";
};
services = { services = {
domain = mkOption { domain = mkOption {
modules/networking/networking.nix
+6
View File
@@ -23,6 +23,12 @@ in
type = types.str; type = types.str;
example = "192.168.1.1"; example = "192.168.1.1";
}; };
networkSubnet = mkOption {
description = "The subnet of your network";
type = types.str;
default = "";
example = "192.168.1.0/24";
};
dnsServers = mkOption { dnsServers = mkOption {
description = "The list of DNS servers that this server will use"; description = "The list of DNS servers that this server will use";
type = types.listOf types.str; type = types.listOf types.str;
modules/secrets.nix
View File
modules/services/default.nix
+1 -1
View File
@@ -2,7 +2,7 @@
{ {
imports = [ imports = [
./adguard.nix # ./adguard.nix
./frigate.nix ./frigate.nix
./gitea.nix ./gitea.nix
./home-assistant.nix ./home-assistant.nix
modules/services/gitea.nix
+1 -6
View File
@@ -22,11 +22,6 @@ helper.mkPodmanService {
DB_USERNAME = "xkcdpass -n 2 -d -"; DB_USERNAME = "xkcdpass -n 2 -d -";
DB_PASSWORD = "xkcdpass -n 8 -d -"; DB_PASSWORD = "xkcdpass -n 8 -d -";
}; };
importedSecrets = {
DOMAIN_NAME = "${config.numbus.services.domain}";
POSTGRES_HOST="gitea-database";
POSTGRES_PORT=5432;
};
dirPermissions = [ dirPermissions = [
"100999:users ${cfg.configDir}" "100999:users ${cfg.configDir}"
]; ];
@@ -48,7 +43,7 @@ helper.mkPodmanService {
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
environment: environment:
- GITEA__database__DB_TYPE=postgres - GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=$POSTGRES_HOST:$POSTGRES_PORT - GITEA__database__HOST=gitea-database:5432
- GITEA__database__NAME=$DB_NAME - GITEA__database__NAME=$DB_NAME
- GITEA__database__USER=$DB_USERNAME - GITEA__database__USER=$DB_USERNAME
- GITEA__database__PASSWD=$DB_PASSWORD - GITEA__database__PASSWD=$DB_PASSWORD
modules/services/home-assistant.nix
+46 -46
View File
@@ -24,6 +24,50 @@ helper.mkPodmanService {
"100999:users ${cfg.configDir}/mqtt" "100999:users ${cfg.configDir}/mqtt"
]; ];
# Compose file good
composeText = ''
services:
home-assistant:
image: ghcr.io/home-assistant/home-assistant:${homeAssistantVersion}
container_name: home-assistant
hostname: home-assistant
networks:
home-assistant:
ports:
- "${cfg.port}:8123/tcp"
volumes:
- ${cfg.configDir}/home-assistant:/config
- /etc/localtime:/etc/localtime:ro
- /run/dbus:/run/dbus:ro
${lib.optionalString (cfg.devices != []) ''
devices:
${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
''}
security_opt:
- no-new-privileges:true
cap_drop:
- NET_RAW
restart: unless-stopped
home-assistant-mqtt:
image: docker.io/library/eclipse-mosquitto:${mqttVersion}
container_name: home-assistant-mqtt
hostname: home-assistant-mqtt
user: '1000:1000'
networks:
home-assistant:
volumes:
- ${cfg.configDir}/mqtt:/mosquitto
security_opt:
- no-new-privileges:true
cap_drop:
- NET_RAW
restart: unless-stopped
networks:
home-assistant:
name: home-assistant
driver: bridge
'';
extraOptions = { extraOptions = {
devices = mkOption { devices = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
@@ -83,7 +127,7 @@ EOF
}; };
script = '' script = ''
mkdir -p /var/lib/numbus-server/${name} mkdir -p /var/lib/numbus-server/${name}
if [[ -e /var/lib/numbus-server/${name}/quirk.true ]]; then if [[ -e /var/lib/numbus-server/${name}/quirk-2.true ]]; then
exit 0 exit 0
fi fi
cat << EOF >> ${cfg.configDir}/mqtt/mosquitto.conf cat << EOF >> ${cfg.configDir}/mqtt/mosquitto.conf
@@ -98,51 +142,7 @@ EOF
source /var/lib/numbus-server/${name}/.env source /var/lib/numbus-server/${name}/.env
mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD" mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD"
chmod 600 ${cfg.configDir}/mqtt/password.txt chmod 600 ${cfg.configDir}/mqtt/password.txt
touch /var/lib/numbus-server/${name}/quirk.true touch /var/lib/numbus-server/${name}/quirk-2.true
''; '';
}; };
# Compose file good
composeText = ''
services:
home-assistant:
image: ghcr.io/home-assistant/home-assistant:${homeAssistantVersion}
container_name: home-assistant
hostname: home-assistant
networks:
home-assistant:
ports:
- "${cfg.port}:8123/tcp"
volumes:
- ${cfg.configDir}/home-assistant:/config
- /etc/localtime:/etc/localtime:ro
- /run/dbus:/run/dbus:ro
${lib.optionalString (cfg.devices != []) ''
devices:
${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
''}
security_opt:
- no-new-privileges:true
cap_drop:
- NET_RAW
restart: unless-stopped
home-assistant-mqtt:
image: docker.io/library/eclipse-mosquitto:${mqttVersion}
container_name: home-assistant-mqtt
hostname: home-assistant-mqtt
user: '1000:1000'
networks:
home-assistant:
volumes:
- ${cfg.configDir}/mqtt:/mosquitto
security_opt:
- no-new-privileges:true
cap_drop:
- NET_RAW
restart: unless-stopped
networks:
home-assistant:
name: home-assistant
driver: bridge
'';
} }
modules/services/immich.nix
+2 -3
View File
@@ -25,7 +25,6 @@ helper.mkPodmanService {
DB_PASSWORD = "xkcdpass -n 8 -d -"; DB_PASSWORD = "xkcdpass -n 8 -d -";
}; };
importedSecrets = { importedSecrets = {
DOMAIN_NAME = "${config.numbus.services.domain}";
REDIS_HOSTNAME = "immich-redis"; REDIS_HOSTNAME = "immich-redis";
DB_HOSTNAME = "immich-database"; DB_HOSTNAME = "immich-database";
UPLOAD_LOCATION = "${cfg.dataDir}"; UPLOAD_LOCATION = "${cfg.dataDir}";
@@ -50,7 +49,7 @@ helper.mkPodmanService {
ports: ports:
- "${cfg.port}:2283/tcp" - "${cfg.port}:2283/tcp"
volumes: volumes:
- ${cfg.dataDir}:/data - $UPLOAD_LOCATION:/data
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
env_file: env_file:
- .env - .env
@@ -107,7 +106,7 @@ helper.mkPodmanService {
POSTGRES_DB: $DB_NAME POSTGRES_DB: $DB_NAME
POSTGRES_INITDB_ARGS: '--data-checksums' POSTGRES_INITDB_ARGS: '--data-checksums'
volumes: volumes:
- ${cfg.configDir}/database:/var/lib/postgresql/data - $DB_DATA_LOCATION:/var/lib/postgresql/data
shm_size: 128mb shm_size: 128mb
healthcheck: healthcheck:
disable: false disable: false
modules/services/nextcloud.nix
+136 -28
View File
@@ -3,39 +3,37 @@
with lib; with lib;
let let
# Version tagging
nextcloudVersion = "32.0.6"; nextcloudVersion = "32.0.6";
redisVersion = "8.6-alpine"; redisVersion = "8.6-alpine";
databaseVersion = "11.4"; databaseVersion = "11.8";
onlyofficeVersion = "9.2"; onlyofficeVersion = "9.2";
whiteboardVersion = "v1.5.6"; whiteboardVersion = "v1.5.6";
# Helper
helper = import ./lib.nix { inherit config pkgs lib; }; helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.nextcloud; cfg = config.numbus.services.nextcloud;
cfg2 = config.numbus.services.onlyoffice;
cfg3 = config.numbus.services.whiteboard;
in in
helper.mkPodmanService { helper.mkPodmanService {
description = "Nextcloud, your own online office suite"; description = "Nextcloud, your own online office suite";
name = "nextcloud"; name = "nextcloud";
pod = "nextcloud"; pod = "nextcloud";
defaultPort = "11000"; defaultPort = "1100";
generatedSecrets = { generatedSecrets = {
DB_NAME = "xkcdpass -n 2 -d -"; DB_NAME = "xkcdpass -n 2 -d -";
DB_USERNAME = "xkcdpass -n 2 -d -"; DB_USERNAME = "xkcdpass -n 2 -d -";
DB_PASSWORD = "xkcdpass -n 8 -d -"; DB_PASSWORD = "xkcdpass -n 10 -d -";
REDIS_PASSWORD = "xkcdpass -n 8 -d -"; REDIS_PASSWORD = "xkcdpass -n 10 -d -";
}; ONLYOFFICE_PASSWORD = "xkcdpass -n 10 -d -";
importedSecrets = { WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -";
DOMAIN_NAME = "${config.numbus.services.domain}"; SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
REDIS_HOSTNAME = "immich-redis";
DB_HOSTNAME = "immich-database";
UPLOAD_LOCATION = "${cfg.dataDir}";
DB_DATA_LOCATION = "${cfg.configDir}/database";
TZ = "${time.timeZone}";
}; };
dirPermissions = [ dirPermissions = [
"100999:users ${cfg.dataDir}" "100032:users ${cfg.configDir}/web"
"100999:users ${cfg.configDir}" "100999:users ${cfg.configDir}/redis"
"100999:users ${cfg.configDir}/database"
"100999:users ${cfg.configDir}/onlyoffice"
"100032:users ${cfg.dataDir}"
]; ];
# Compose file good # Compose file good
@@ -61,16 +59,21 @@ helper.mkPodmanService {
REDIS_HOST_PASSWORD: $REDIS_PASSWORD REDIS_HOST_PASSWORD: $REDIS_PASSWORD
NEXTCLOUD_TRUSTED_DOMAINS: ${cfg.subdomain}.${config.numbus.services.domain} NEXTCLOUD_TRUSTED_DOMAINS: ${cfg.subdomain}.${config.numbus.services.domain}
NEXTCLOUD_DATA_DIR: /mnt/ncdata NEXTCLOUD_DATA_DIR: /mnt/ncdata
SMTP_HOST: $SMTP_HOST
SMTP_SECURE: tls SMTP_SECURE: tls
SMTP_PORT: $SMTP_PORT SMTP_HOST: ${config.numbus.mail.smtpServer}
SMTP_NAME: $SMTP_NAME SMTP_PORT: ${config.numbus.mail.smtpPort}
SMTP_NAME: ${config.numbus.mail.smtpUsername}
SMTP_PASSWORD: $SMTP_PASSWORD SMTP_PASSWORD: $SMTP_PASSWORD
MAIL_FROM_ADDRESS: nextcloud-noreply MAIL_FROM_ADDRESS: nextcloud-noreply
MAIL_DOMAIN: ${config.numbus.services.domain} MAIL_DOMAIN: ${config.numbus.services.domain}
APACHE_DISABLE_REWRITE_IP: 1 APACHE_DISABLE_REWRITE_IP: 1
TRUSTED_PROXIES: 192.168.11.5 TRUSTED_PROXIES: ${config.numbus.networking.ipAddress}
OVERWRITEPROTOCOL: https OVERWRITEPROTOCOL: https
NC_default_phone_region: "${config.numbus.language}"
NC_default_language: "${config.numbus.language}"
NC_default_locale: "${config.numbus.locale}"
NC_default_timezone: "${time.timeZone}"
NC_maintenance_window_start: "1"
depends_on: depends_on:
- nextcloud-database - nextcloud-database
security_opt: security_opt:
@@ -87,7 +90,7 @@ helper.mkPodmanService {
nextcloud: nextcloud:
volumes: volumes:
- ${cfg.configDir}/redis:/data - ${cfg.configDir}/redis:/data
command: redis-server --requirepass $REDIS_HOST_PASSWORD --save 60 1 --loglevel warning command: redis-server --requirepass $REDIS_PASSWORD --save 60 1 --loglevel warning
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop: cap_drop:
@@ -111,19 +114,20 @@ helper.mkPodmanService {
- no-new-privileges:true - no-new-privileges:true
cap_drop: cap_drop:
- NET_RAW - NET_RAW
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: unless-stopped restart: unless-stopped
nextcloud-onlyoffice: nextcloud-onlyoffice:
container_name: nextcloud-onlyoffice container_name: nextcloud-onlyoffice
hostname: nextcloud-onlyoffice hostname: nextcloud-onlyoffice
image: docker.io/onlyoffice/documentserver:${onlyofficeVersion} image: docker.io/onlyoffice/documentserver:${onlyofficeVersion}
environment: environment:
- JWT_SECRET=$JWT_SECRET - JWT_SECRET=$ONLYOFFICE_PASSWORD
ports: ports:
- "${cfg2.port}:80/tcp" - "9980:80/tcp"
volumes: volumes:
- ${cfg2.configDir}/log:/var/log/onlyoffice - ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice
- ${cfg2.configDir}/cache:/var/lib/onlyoffice - ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice
- ${cfg2.configDir}/database:/var/lib/postgresql - ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop: cap_drop:
@@ -135,10 +139,10 @@ helper.mkPodmanService {
hostname: nextcloud-whiteboard hostname: nextcloud-whiteboard
user: '1000:1000' user: '1000:1000'
ports: ports:
- "${cfg3.port}:3002/tcp" - "3002:3002/tcp"
environment: environment:
NEXTCLOUD_URL: https://${cfg.subdomain}.${config.numbus.services.domain} NEXTCLOUD_URL: https://${cfg.subdomain}.${config.numbus.services.domain}
JWT_SECRET_KEY: $JWT_SECRET JWT_SECRET_KEY: $WHITEBOARD_PASSWORD
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop: cap_drop:
@@ -150,4 +154,108 @@ helper.mkPodmanService {
driver: bridge driver: bridge
''; '';
extraConfig = {
environment.etc."${config.numbus.traefikDynamicConfigDir}/nextcloud-onlyoffice.yaml".text = ''
http:
routers:
nextcloud-onlyoffice:
rule: "Host(`onlyoffice.${config.numbus.services.domain}`)"
entrypoints:
- "websecure"
service: nextcloud-onlyoffice
middlewares:
- "secureHeaders"
tls:
certresolver: "cloudflare"
options: "secureTLS"
services:
nextcloud-onlyoffice:
loadBalancer:
servers:
- url: "http://host.containers.internal:9980"
'';
environment.etc."${config.numbus.traefikDynamicConfigDir}/nextcloud-whiteboard.yaml".text = ''
http:
routers:
nextcloud-whiteboard:
rule: "Host(`whiteboard.${config.numbus.services.domain}`)"
entrypoints:
- "websecure"
service: nextcloud-whiteboard
middlewares:
- "secureHeaders"
tls:
certresolver: "cloudflare"
options: "secureTLS"
services:
nextcloud-whiteboard:
loadBalancer:
servers:
- url: "http://host.containers.internal:3002"
'';
systemd.services."${name}-quirk" = {
description = "Podman container quirk : ${name}";
wantedBy = [ "multi-user.target" ];
after = [ "${name}.service" "${name}-secrets.service" ];
onFailure = [ "service-failure-notify@%n.service" ];
startLimitBurst = 5;
startLimitIntervalSec = 600;
path = [ pkgs.coreutils pkgs.sudo pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p /var/lib/numbus-server/${name}
if [[ -e /var/lib/numbus-server/${name}/quirk.true ]]; then
exit 0
fi
source /var/lib/numbus-server/${name}/.env
sleep 300
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ background:cron
sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ db:add-missing-indices
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ maintenance:repair --include-expensive
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:scan --all
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:repair-tree
for app in calendar contacts mail note onlyoffice cookbook whiteboard; do
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:install $app
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:enable $app
done
for app in activity app_api federatedfilesharing federation webhook_listeners photos recommendations sharebymail teams support richdocumentscode; do
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:disable $app
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:remove $app
done
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD"
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard collabBackendUrl --value="https://whiteboard.${config.numbus.services.domain}"
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD"
touch /var/lib/numbus-server/${name}/quirk.true
'';
};
systemd.services."${name}-cron" = {
description = "Podman container crontab : ${name}";
after = [ "${name}.service" "${name}-quirk.service" ];
onFailure = [ "service-failure-notify@%n.service" ];
path = [ pkgs.coreutils pkgs.sudo pkgs.podman ];
serviceConfig = {
Type = "oneshot";
ExecStart = "sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php";
};
};
systemd.timers."${name}-cron" = {
description = "Timer for Nextcloud cron";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "5m";
Unit = "${name}-cron.service";
};
};
};
} }
modules/services/passbolt.nix
+29 -22
View File
@@ -3,8 +3,10 @@
with lib; with lib;
let let
# Version tagging
passboltVersion = "5.9.0-1-ce-non-root"; passboltVersion = "5.9.0-1-ce-non-root";
databaseVersion = "12.2"; databaseVersion = "12.2";
# Helper
helper = import ./lib.nix { inherit config pkgs lib; }; helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.passbolt; cfg = config.numbus.services.passbolt;
in in
@@ -15,8 +17,18 @@ helper.mkPodmanService {
pod = "passbolt"; pod = "passbolt";
defaultPort = "4433"; defaultPort = "4433";
scheme = "https"; scheme = "https";
configDir = false; dataDirEnabled = false;
dataDir = false; generatedSecrets = {
DB_NAME = "xkcdpass -n 2 -d -";
DB_USERNAME = "xkcdpass -n 2 -d -";
DB_PASSWORD = "xkcdpass -n 10 -d -";
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
};
dirPermissions = [
"100032:users ${cfg.configDir}/gpg"
"100032:users ${cfg.configDir}/jwt"
"100999:users ${cfg.configDir}/database"
];
# Compose file good # Compose file good
composeText = '' composeText = ''
@@ -25,24 +37,25 @@ helper.mkPodmanService {
image: docker.io/passbolt/passbolt:${passboltVersion} image: docker.io/passbolt/passbolt:${passboltVersion}
container_name: passbolt-server container_name: passbolt-server
hostname: passbolt-server hostname: passbolt-server
user: '33:33'
networks: networks:
passbolt: passbolt:
ports: ports:
- "${cfg.port}:4433/tcp" - "${cfg.port}:4433/tcp"
volumes: volumes:
- passbolt-gpg:/etc/passbolt/gpg - ${cfg.configDir}/gpg:/etc/passbolt/gpg
- passbolt-jwt:/etc/passbolt/jwt - ${cfg.configDir}/jwt:/etc/passbolt/jwt
environment: environment:
APP_DEFAULT_TIMEZONE: $TZ APP_DEFAULT_TIMEZONE: ${time.timeZone}
APP_FULL_BASE_URL: https://${cfg.subdomain}.${config.numbus.services.domain} APP_FULL_BASE_URL: https://${cfg.subdomain}.${config.numbus.services.domain}
DATASOURCES_DEFAULT_HOST: "passbolt-database" DATASOURCES_DEFAULT_HOST: "passbolt-database"
DATASOURCES_DEFAULT_USERNAME: $PASSBOLT_MYSQL_USER DATASOURCES_DEFAULT_USERNAME: $DB_USERNAME
DATASOURCES_DEFAULT_PASSWORD: $PASSBOLT_MYSQL_PASSWORD DATASOURCES_DEFAULT_PASSWORD: $DB_PASSWORD
DATASOURCES_DEFAULT_DATABASE: $PASSBOLT_MYSQL_DATABASE DATASOURCES_DEFAULT_DATABASE: $DB_NAME
EMAIL_DEFAULT_FROM_NAME: "Passbolt" EMAIL_DEFAULT_FROM_NAME: "Passbolt"
EMAIL_TRANSPORT_DEFAULT_HOST: $EMAIL_TRANSPORT_DEFAULT_HOST EMAIL_TRANSPORT_DEFAULT_HOST: ${config.numbus.mail.smtpServer}
EMAIL_TRANSPORT_DEFAULT_PORT: $EMAIL_TRANSPORT_DEFAULT_PORT EMAIL_TRANSPORT_DEFAULT_PORT: ${config.numbus.mail.smtpPort}
EMAIL_TRANSPORT_DEFAULT_USERNAME: $EMAIL_TRANSPORT_DEFAULT_USERNAME EMAIL_TRANSPORT_DEFAULT_USERNAME: ${config.numbus.mail.smtpUsername}
EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_TRANSPORT_DEFAULT_PASSWORD EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_TRANSPORT_DEFAULT_PASSWORD
EMAIL_TRANSPORT_DEFAULT_TLS: true EMAIL_TRANSPORT_DEFAULT_TLS: true
EMAIL_DEFAULT_FROM: passbolt-noreply@${config.numbus.services.domain} EMAIL_DEFAULT_FROM: passbolt-noreply@${config.numbus.services.domain}
@@ -67,27 +80,21 @@ helper.mkPodmanService {
image: docker.io/library/mariadb:${databaseVersion} image: docker.io/library/mariadb:${databaseVersion}
container_name: passbolt-database container_name: passbolt-database
hostname: passbolt-database hostname: passbolt-database
user: '1000:1000'
networks: networks:
passbolt: passbolt:
volumes: volumes:
- passbolt-database:/var/lib/mysql - ${cfg.configDir}/database:/var/lib/mysql
environment: environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true" MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: $PASSBOLT_MYSQL_DATABASE MYSQL_DATABASE: $DB_NAME
MYSQL_USER: $PASSBOLT_MYSQL_USER MYSQL_USER: $DB_USERNAME
MYSQL_PASSWORD: $PASSBOLT_MYSQL_PASSWORD MYSQL_PASSWORD: $DB_PASSWORD
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop: cap_drop:
- NET_RAW - NET_RAW
restart: unless-stopped restart: unless-stopped
volumes:
passbolt-database:
name: passbolt-database
passbolt-gpg:
name: passbolt-gpg
passbolt-jwt:
name: passbolt-jwt
networks: networks:
passbolt: passbolt:
name: passbolt name: passbolt
modules/services/pi-hole.nix
+13 -9
View File
@@ -3,7 +3,9 @@
with lib; with lib;
let let
# Version tagging
piholeVersion = "2026.02.0"; piholeVersion = "2026.02.0";
# Helper
helper = import ./lib.nix { inherit config pkgs lib; }; helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.pi-hole; cfg = config.numbus.services.pi-hole;
in in
@@ -16,6 +18,12 @@ helper.mkPodmanService {
dependencies = [ "network.target" "multi-user.target" ]; dependencies = [ "network.target" "multi-user.target" ];
dataDir = false; dataDir = false;
delaySec = 10; delaySec = 10;
generatedSecrets = {
PIHOLE_PASSWORD = "xkcdpass -n 10 -d -";
};
dirPermissions = [
"numbus-admin:users ${cfg.configDir}"
];
# Compose file good # Compose file good
composeText = '' composeText = ''
@@ -29,24 +37,22 @@ helper.mkPodmanService {
- "${cfg.port}:443/tcp" - "${cfg.port}:443/tcp"
- "53:53/tcp" - "53:53/tcp"
- "53:53/udp" - "53:53/udp"
volumes:
- ${cfg.configDir}:/etc/pihole
environment: environment:
PIHOLE_UID: '1000' PIHOLE_UID: '1000'
PIHOLE_GID: '1000' PIHOLE_GID: '1000'
TZ: $TZ TZ: ${time.timeZone}
FTLCONF_webserver_api_password: $FTLCONF_webserver_api_password FTLCONF_webserver_api_password: $PIHOLE_PASSWORD
FTLCONF_webserver_domain: ${cfg.subdomain}.${config.numbus.services.domain} FTLCONF_webserver_domain: ${cfg.subdomain}.${config.numbus.services.domain}
FTLCONF_dns_upstreams: 9.9.9.9;149.112.112.112 FTLCONF_dns_upstreams: 9.9.9.9;149.112.112.112
FTLCONF_dns_hosts: | FTLCONF_dns_hosts: |
${lib.concatStringsSep "" (lib.mapAttrsToList (name: service: ${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then
" $HOME_SERVER_IP ${service.subdomain}.${config.numbus.services.domain}\n" " ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n"
else else
"" ""
) config.numbus.services)} ) config.numbus.services)}
# TODO : get revServers to work
# FTLCONF_dns_revServers: |
# true,$HOME_ROUTER_SUBNET,$HOME_ROUTER_IP,${config.numbus.services.domain}
# true,$HOME_VPN_SUBNET,$HOME_VPN_IP,${config.numbus.services.domain}
FTLCONF_dns_listeningMode: "BIND" FTLCONF_dns_listeningMode: "BIND"
FTLCONF_dns_domain_name: "${config.numbus.services.domain}" FTLCONF_dns_domain_name: "${config.numbus.services.domain}"
FTLCONF_dns_domain_local: "true" FTLCONF_dns_domain_local: "true"
@@ -54,8 +60,6 @@ ${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
FTLCONF_ntp_ipv4_active: "false" FTLCONF_ntp_ipv4_active: "false"
FTLCONF_ntp_ipv6_active: "false" FTLCONF_ntp_ipv6_active: "false"
FTLCONF_ntp_sync_active: "false" FTLCONF_ntp_sync_active: "false"
volumes:
- ${cfg.configDir}:/etc/pihole
cap_add: cap_add:
- SYS_NICE - SYS_NICE
restart: unless-stopped restart: unless-stopped
modules/services/traefik.nix
+30 -18
View File
@@ -3,7 +3,9 @@
with lib; with lib;
let let
# Version tagging
traefikVersion = "v3.6.8"; traefikVersion = "v3.6.8";
# Helper
helper = import ./lib.nix { inherit config pkgs lib; }; helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.traefik; cfg = config.numbus.services.traefik;
in in
@@ -13,23 +15,16 @@ helper.mkPodmanService {
name = "traefik"; name = "traefik";
reverseProxied = false; reverseProxied = false;
dependencies = [ "network.target" "multi-user.target" ]; dependencies = [ "network.target" "multi-user.target" ];
configDir = false; dataDir = false;
delaySec = 10; delaySec = 10;
generatedSecrets = {
extraOptions = { CLOUDFLARE_DNS_API_TOKEN = "cat ${config.numbus.mail.smtpPasswordPath}";
enable.default = true;
staticConfigFile = mkOption {
type = types.str;
default = "traefik/config.yaml";
description = "The path for Traefik's static configuration file, relative to /etc/";
};
logLevel = mkOption {
type = types.enum [ "TRACE" "DEBUG" "INFO" "WARN" "ERROR" "FATAL" ];
default = "ERROR";
description = "The level of detail Traefik should print in the logs.";
};
# traefikDynamicConfigDir defined at global.nix
}; };
dirPermissions = [
"100999:users ${cfg.configDir}"
"100999:users /etc/${cfg.staticConfigFile}"
"100999:users ${config.numbus.traefikDynamicConfigDir}"
];
# Compose file good # Compose file good
composeText = '' composeText = ''
@@ -38,17 +33,19 @@ helper.mkPodmanService {
image: docker.io/library/traefik:${traefikVersion} image: docker.io/library/traefik:${traefikVersion}
container_name: traefik container_name: traefik
hostname: traefik hostname: traefik
user: '1000:1000'
network_mode: pasta network_mode: pasta
ports: ports:
- "80:80/tcp" - "80:80/tcp"
- "443:443/tcp" - "443:443/tcp"
volumes: volumes:
- /run/user/1000/podman/podman.sock:/run/docker.sock:ro
- /etc/${cfg.staticConfigFile}:/etc/traefik/traefik.yaml:ro - /etc/${cfg.staticConfigFile}:/etc/traefik/traefik.yaml:ro
- ${config.numbus.traefikDynamicConfigDir}:/etc/traefik/conf:ro - ${config.numbus.traefikDynamicConfigDir}:/etc/traefik/conf:ro
- ${cfg.dataDir}:/var/traefik/certs:rw - ${cfg.configDir}:/var/traefik/certs:rw
environment: environment:
- CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN - CF_DNS_API_TOKEN=$CLOUDFLARE_DNS_API_TOKEN
cap_add:
- NET_BIND_SERVICE
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
restart: unless-stopped restart: unless-stopped
@@ -138,4 +135,19 @@ helper.mkPodmanService {
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
''; '';
}; };
extraOptions = {
enable.default = true;
staticConfigFile = mkOption {
type = types.str;
default = "traefik/config.yaml";
description = "The path for Traefik's static configuration file, relative to /etc/";
};
logLevel = mkOption {
type = types.enum [ "TRACE" "DEBUG" "INFO" "WARN" "ERROR" "FATAL" ];
default = "ERROR";
description = "The level of detail Traefik should print in the logs.";
};
# traefikDynamicConfigDir defined at global.nix
};
} }