diff --git a/deploy.sh b/deploy.sh
index 99e104c..9d87c45 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -384,13 +384,25 @@ services_generation() {
 }
 echo -e "\n ✅ Writing configuration files for the selected homelab services..."
- cp -avu templates/nix-config/podman/traefik.nix final-nix-config/etc/nixos/podman/traefik.nix
 cp -avu templates/nix-config/configuration.nix final-nix-config/etc/nixos/configuration.nix
+ cp -avu templates/nix-config/podman/traefik.nix final-nix-config/etc/nixos/podman/traefik.nix
 envsubst < templates/podman-config/traefik/traefik.yaml > final-nix-config/mnt/config/traefik/traefik.yaml
+j=1
 for service in "${SELECTED_SERVICES[@]}"; do
- [[ "${service}" != "virtualization" ]] && cp -avu templates/nix-config/podman/"${service}".nix final-nix-config/etc/nixos/podman/"${service}".nix
+ [[ "${service}" != "virtualization" ]] && cp -avu templates/nix-config/podman/"${service}".nix final-nix-config/etc/nixos/podman/"${service}".nix
+ SERVICES_NETWORK_IDS+=("${j},$(( ${j} + 1 )):${service}")
+ PODMAN_NETWORKS+=" sudo -u numbus-admin podman network exists \"${service}_frontend\" || sudo -u numbus-admin podman network create --driver=\"bridge\" --subnet=\"172.16.${j}.0/24\" --ip-range=\"172.16.${j}.0/24\" --gateway=\"172.16.${j}.254\" \"${service}_frontend\""$'\n'
+ ((j++))
+ PODMAN_NETWORKS+=" sudo -u numbus-admin podman network exists \"${service}_backend\" || sudo -u numbus-admin podman network create --driver=\"bridge\" --subnet=\"172.16.${j}.0/24\" --ip-range=\"172.16.${j}.0/24\" --gateway=\"172.16.${j}.254\" \"${service}_backend\""$'\n'
+ TRAEFIK_NETWORKS+=" ${service}_frontend:"$'\n'
+ TRAEFIK_NETWORKS+=" ipv4_address: 172.16.${j}.253"$'\n'
+ TRAEFIK_REF_NETWORKS+=" ${service}_frontend:"$'\n'
+ TRAEFIK_REF_NETWORKS+=" external: true"$'\n'
+ ((j++))
+ done
+
+ for service in "${SELECTED_SERVICES[@]}"; do
 if [[ "${service}" == "frigate" ]]; then
 local FRIGATE_DEVICES_BLOCK=""
 [[ "${TARGET_GRAPHICS_RENDERER}" == "true" ]] && FRIGATE_DEVICES_BLOCK+=" - /dev/dri:/dev/dri\n"
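Review bot: The Traefik static address is taken from the wrong subnet: `TRAEFIK_NETWORKS+=" ipv4_address: 172.16.${j}.253"` is appended after the first `((j++))`, so `${service}_frontend` (created as `172.16.<j>.0/24`) is paired with an address from the `_backend` subnet `172.16.<j+1>.0/24`, whereas the removed per-service lines kept both on the frontend subnet (e.g. `gitea_frontend` 172.16.10.0/24 with 172.16.10.253). Move the two `TRAEFIK_NETWORKS` lines above the first `((j++))`, or save `frontend_id=${j}` before incrementing and use it there. `j=1` is assigned at column 0 inside `services_generation` without `local`, so it leaks into the caller's scope; `local j=1` keeps it function-scoped. The later hunks also drop the `nextcloud-aio` network name in favour of the generic `nextcloud_frontend`/`nextcloud_backend` pair, so any template that still references `nextcloud-aio` would need updating — that is not visible here. The `services_generation` body continues outside the hunk.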
@@ -407,12 +419,6 @@ services_generation() {
 elif [[ "${service}" == "gitea" ]]; then
 generate_db_creds "GITEA"
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"gitea_frontend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.10.0/24\" --ip-range=\"172.16.10.0/24\" --gateway=\"172.16.10.254\" \"gitea_frontend\""$'\n'
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"gitea_backend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.1.0/24\" --ip-range=\"172.16.1.0/24\" --gateway=\"172.16.1.254\" \"gitea_backend\""$'\n'
- TRAEFIK_NETWORKS+=" gitea_frontend:"$'\n'
- TRAEFIK_NETWORKS+=" ipv4_address: 172.16.10.253"$'\n'
- TRAEFIK_REF_NETWORKS+=" gitea_frontend:"$'\n'
- TRAEFIK_REF_NETWORKS+=" external: true"$'\n'
 elif [[ "${service}" == "home-assistant" ]]; then
 if [[ -n "${TARGET_ZIGBEE_DEVICE}" ]]; then
@@ -426,12 +432,6 @@ services_generation() {
 touch final-nix-config/mnt/config/mqtt/password.txt
 chmod 0700 final-nix-config/mnt/config/mqtt/password.txt
 mosquitto_passwd -b final-nix-config/mnt/config/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD"
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"home-assistant_frontend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.20.0/24\" --ip-range=\"172.16.20.0/24\" --gateway=\"172.16.20.254\" \"home-assistant_frontend\""$'\n'
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"home-assistant_backend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.2.0/24\" --ip-range=\"172.16.2.0/24\" --gateway=\"172.16.2.254\" \"home-assistant_backend\""$'\n'
- TRAEFIK_NETWORKS+=" home-assistant_frontend:"$'\n'
- TRAEFIK_NETWORKS+=" ipv4_address: 172.16.20.253"$'\n'
- TRAEFIK_REF_NETWORKS+=" home-assistant_frontend:"$'\n'
- TRAEFIK_REF_NETWORKS+=" external: true"$'\n'
 elif [[ "${service}" == "immich" ]]; then
 local IMMICH_DEVICES_BLOCK=""
@@ -443,46 +443,17 @@ services_generation() {
 sed -i "s|# --- immich devices --- #|$REPLACEMENT|" final-nix-config/etc/nixos/podman/immich.nix
 fi
 generate_db_creds "IMMICH"
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"immich_frontend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.30.0/24\" --ip-range=\"172.16.30.0/24\" --gateway=\"172.16.30.254\" \"immich_frontend\""$'\n'
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"immich_backend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.3.0/24\" --ip-range=\"172.16.3.0/24\" --gateway=\"172.16.3.254\" \"immich_backend\""$'\n'
- TRAEFIK_NETWORKS+=" immich_frontend:"$'\n'
- TRAEFIK_NETWORKS+=" ipv4_address: 172.16.30.253"$'\n'
- TRAEFIK_REF_NETWORKS+=" immich_frontend:"$'\n'
- TRAEFIK_REF_NETWORKS+=" external: true"$'\n'
-
- elif [[ "${service}" == "it-tools" ]]; then
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"it-tools_frontend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.40.0/24\" --ip-range=\"172.16.40.0/24\" --gateway=\"172.16.40.254\" \"it-tools_frontend\""$'\n'
- TRAEFIK_NETWORKS+=" it-tools_frontend:"$'\n'
- TRAEFIK_NETWORKS+=" ipv4_address: 172.16.40.253"$'\n'
- TRAEFIK_REF_NETWORKS+=" it-tools_frontend:"$'\n'
- TRAEFIK_REF_NETWORKS+=" external: true"$'\n'
 elif [[ "${service}" == "nextcloud" ]]; then
 envsubst < templates/podman-config/traefik/nextcloud.yaml > final-nix-config/mnt/config/traefik/rules/nextcloud.yaml
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"nextcloud-aio\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.50.0/24\" --ip-range=\"172.16.50.0/24\" --gateway=\"172.16.50.254\" \"nextcloud-aio\""$'\n'
- TRAEFIK_NETWORKS+=" nextcloud-aio:"$'\n'
- TRAEFIK_NETWORKS+=" ipv4_address: 172.16.50.253"$'\n'
- TRAEFIK_REF_NETWORKS+=" nextcloud-aio:"$'\n'
- TRAEFIK_REF_NETWORKS+=" external: true"$'\n'
 elif [[ "${service}" == "passbolt" ]]; then
 generate_db_creds "PASSBOLT"
 envsubst < templates/podman-config/traefik/headers.yaml > final-nix-config/mnt/config/traefik/rules/headers.yaml
 envsubst < templates/podman-config/traefik/tls.yaml > final-nix-config/mnt/config/traefik/rules/tls.yaml
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"passbolt_frontend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.60.0/24\" --ip-range=\"172.16.60.0/24\" --gateway=\"172.16.60.254\" \"passbolt_frontend\""$'\n'
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"passbolt_backend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.6.0/24\" --ip-range=\"172.16.6.0/24\" --gateway=\"172.16.6.254\" \"passbolt_backend\""$'\n'
- TRAEFIK_NETWORKS+=" passbolt_frontend:"$'\n'
- TRAEFIK_NETWORKS+=" ipv4_address: 172.16.60.253"$'\n'
- TRAEFIK_REF_NETWORKS+=" passbolt_frontend:"$'\n'
- TRAEFIK_REF_NETWORKS+=" external: true"$'\n'
 elif [[ "${service}" == "pi-hole" ]]; then
 export FTLCONF_WEBSERVER_PASSWORD="$(xkcdpass -d "-")"
- PODMAN_NETWORKS+=" \${pkgs.podman}/bin/podman network exists \"pi-hole_frontend\" || \${pkgs.podman}/bin/podman network create --driver=\"bridge\" --subnet=\"172.16.70.0/24\" --ip-range=\"172.16.70.0/24\" --gateway=\"172.16.70.254\" \"pi-hole_frontend\""$'\n'
- TRAEFIK_NETWORKS+=" pi-hole_frontend:"$'\n'
- TRAEFIK_NETWORKS+=" ipv4_address: 172.16.70.253"$'\n'
- TRAEFIK_REF_NETWORKS+=" pi-hole_frontend:"$'\n'
- TRAEFIK_REF_NETWORKS+=" external: true"$'\n'
 elif [[ "${service}" == "virtualization" ]]; then
 sed -i "s|# virtualisation.libvirtd.enable = true;| virtualisation.libvirtd.enable = true;|" final-nix-config/etc/nixos/configuration.nix
@@ -810,23 +781,24 @@ export_configuration() {
 cp -avu templates/post-install/numbus-server.sh "$CONFIG_EXPORT_DIR"
- echo "export TARGET_INTERFACE=\"${TARGET_INTERFACE}\"" >> $CONFIG_EXPORT_FILE
- echo -e "\n# SERVER SETTINGS" >> $CONFIG_EXPORT_FILE
- echo "export SERVER_OWNER_NAME=\"${SERVER_OWNER_NAME:-User}\"" >> $CONFIG_EXPORT_FILE
- echo -e "\n# DISK SETTINGS" >> $CONFIG_EXPORT_FILE
- echo "export BOOT_DISKS_ID=\"(${BOOT_DISKS_ID[@]})\"" >> $CONFIG_EXPORT_FILE
- echo "export DATA_DISKS_ID=\"(${DATA_DISKS_ID[@]})\"" >> $CONFIG_EXPORT_FILE
- echo "export DATA_DISKS_TYPE=\"(${DATA_DISKS_TYPE[@]})\"" >> $CONFIG_EXPORT_FILE
- echo "export SPINDOWN_DISKS_ID=\"(${SPINDOWN_DISKS_ID[@]})\"" >> $CONFIG_EXPORT_FILE
- echo "export CONTENT_DISK_NUMBER=\"${CONTENT_DISK_NUMBER}\"" >> $CONFIG_EXPORT_FILE
- echo "export PARITY_DISK_NUMBER=\"${PARITY_DISK_NUMBER}\"" >> $CONFIG_EXPORT_FILE
- echo -e "\n# TPM SETTINGS" >> $CONFIG_EXPORT_FILE
- echo "export TARGET_TPM=\"${TARGET_TPM}\"" >> $CONFIG_EXPORT_FILE
- echo "export TARGET_TPM_VERSION=\"${TARGET_TPM_VERSION:-}\"" >> $CONFIG_EXPORT_FILE
- echo -e "\n# Podman SETTINGS" >> $CONFIG_EXPORT_FILE
- echo "export PODMAN_NETWORKS=\"${PODMAN_NETWORKS}\"" >> $CONFIG_EXPORT_FILE
- echo "export TRAEFIK_NETWORKS=\"${TRAEFIK_NETWORKS}\"" >> $CONFIG_EXPORT_FILE
- echo "export TRAEFIK_REF_NETWORKS=\"${TRAEFIK_REF_NETWORKS}\"" >> $CONFIG_EXPORT_FILE
+ echo "export TARGET_INTERFACE=\"${TARGET_INTERFACE}\"" >> $CONFIG_EXPORT_FILE
+ echo -e "\n# SERVER SETTINGS" >> $CONFIG_EXPORT_FILE
+ echo "export SERVER_OWNER_NAME=\"${SERVER_OWNER_NAME:-User}\"" >> $CONFIG_EXPORT_FILE
+ echo -e "\n# DISK SETTINGS" >> $CONFIG_EXPORT_FILE
+ echo "export BOOT_DISKS_ID=\"(${BOOT_DISKS_ID[@]})\"" >> $CONFIG_EXPORT_FILE
+ echo "export DATA_DISKS_ID=\"(${DATA_DISKS_ID[@]})\"" >> $CONFIG_EXPORT_FILE
+ echo "export DATA_DISKS_TYPE=\"(${DATA_DISKS_TYPE[@]})\"" >> $CONFIG_EXPORT_FILE
+ echo "export SPINDOWN_DISKS_ID=\"(${SPINDOWN_DISKS_ID[@]})\"" >> $CONFIG_EXPORT_FILE
+ echo "export CONTENT_DISK_NUMBER=\"${CONTENT_DISK_NUMBER}\"" >> $CONFIG_EXPORT_FILE
+ echo "export PARITY_DISK_NUMBER=\"${PARITY_DISK_NUMBER}\"" >> $CONFIG_EXPORT_FILE
+ echo -e "\n# TPM SETTINGS" >> $CONFIG_EXPORT_FILE
+ echo "export TARGET_TPM=\"${TARGET_TPM}\"" >> $CONFIG_EXPORT_FILE
+ echo "export TARGET_TPM_VERSION=\"${TARGET_TPM_VERSION:-}\"" >> $CONFIG_EXPORT_FILE
+ echo -e "\n# Podman SETTINGS" >> $CONFIG_EXPORT_FILE
+ echo "export PODMAN_NETWORKS=\"${PODMAN_NETWORKS}\"" >> $CONFIG_EXPORT_FILE
+ echo "export TRAEFIK_NETWORKS=\"${TRAEFIK_NETWORKS}\"" >> $CONFIG_EXPORT_FILE
+ echo "export TRAEFIK_REF_NETWORKS=\"${TRAEFIK_REF_NETWORKS}\"" >> $CONFIG_EXPORT_FILE
+ echo "export SERVICES_NETWORK_IDS=\"(${SERVICES_NETWORK_IDS[@]})\"" >> $CONFIG_EXPORT_FILE
 }
 deploy() {
@@ -871,7 +843,7 @@ postrun_action() {
 fi
 done
- if [[ "${TARGET_TPM}" == "true" && "${TARGET_TPM_VERSION}" == "2" ]]; then
+ if [[ "${TARGET_TPM}" == "true" && ${TARGET_TPM_VERSION} -eq 2 ]]; then
 gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 " A TPM version 2 has been detected on the system. You can choose to enable automatic disk decryption on boot. Enabling automatic disk decryption on boot means that you won't have to enter your disk password everytime you start your server.
@@ -901,7 +873,7 @@ EOF
 echo "Skipping TPM configuration."
 fi
 else
- echo "No supported TPM detected (TPM2 required). Skipping TPM configuration."
+ echo "No supported TPM detected (TPM version 2 required). Skipping TPM configuration."
 fi
 gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "
diff --git a/templates/nix-config/misc/activation.nix b/templates/nix-config/misc/activation.nix
index 944e044..eb305c2 100644
--- a/templates/nix-config/misc/activation.nix
+++ b/templates/nix-config/misc/activation.nix
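Review bot: Every redirect on the re-added lines leaves `$CONFIG_EXPORT_FILE` unquoted (`>> $CONFIG_EXPORT_FILE`), so a path containing spaces or glob characters is split or expanded before the append; write `>> "$CONFIG_EXPORT_FILE"` on each of them. Apart from that re-indentation the only new content is the `SERVICES_NETWORK_IDS` line, where `"(${SERVICES_NETWORK_IDS[*]})"` states the intent (one space-joined word) more plainly than `"(${SERVICES_NETWORK_IDS[@]})"`, which relies on bash gluing the parentheses to the first and last element. Because `SERVICES_NETWORK_IDS`, `PODMAN_NETWORKS` and the two `TRAEFIK_*` variables are only ever grown with `+=`, a second pass through `services_generation` in the same session would export duplicated entries — if the wizard can loop back, reset them at the top of that function. The exported file also carries the `PODMAN_NETWORKS` command text that a root activation unit later executes, so it is worth creating it under a restrictive `umask` if that is not already done where `CONFIG_EXPORT_FILE` is first written.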
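Review bot: `${TARGET_TPM_VERSION} -eq 2` inside `[[ ]]` evaluates the variable as an arithmetic expression, so a value such as `1.2` (a TPM 1.2 device, if the detection code can report one) makes the test fail with an "invalid arithmetic operator" error instead of falling into the `else` branch, and an empty value silently compares as 0. The removed string comparison `"${TARGET_TPM_VERSION}" == "2"` handled both cases; keep it, or use `[[ "${TARGET_TPM_VERSION}" == 2* ]]` if the detector can report `2.0`. The enclosing `if` and the `postrun_action` body continue outside the hunk.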
@@ -1,11 +1,11 @@
 { config, pkgs, ... }: {
- systemd.services.numbus-activation-chowned = {
+ systemd.services.numbus-activation = {
 description = "Numbus-Server activation : Correct permissions";
 wantedBy = [ "multi-user.target" "traefik.service" ];
 after = [ "network.target" "local-fs.target" ];
- path = [ pkgs.coreutils ];
+ path = [ pkgs.coreutils pkgs.podman pkgs.sudo ];
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
@@ -13,7 +13,7 @@
 script = ''
 #!/usr/bin/env bash
- if [[ -e /home/numbus-admin/.numbus-server/chowned.true ]]; then
+ if [[ -e /home/numbus-admin/.numbus-server/activated.true ]]; then
 exit 0
 fi
@@ -22,32 +22,12 @@
 chown -R numbus-admin:users /mnt/config/
 chown -R numbus-admin:users /mnt/data/
 chown -R 100032:users /mnt/data/nextcloud/
- chown -R numbus-admin:users /home/numbus-admin/.numbus-server/
-
- touch /home/numbus-admin/.numbus-server/chowned.true
- '';
- };
-
- systemd.services.numbus-activation-networked = {
- description = "Numbus-Server activation : Create podman networks";
- wantedBy = [ "multi-user.target" "traefik.service" ];
- before = [ "traefik.service" ];
- after = [ "network.target" "local-fs.target" "numbus-activation-chowned.service" ];
- path = [ pkgs.podman pkgs.coreutils ];
- serviceConfig = {
- User = "numbus-admin";
- Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script = ''
- #!/usr/bin/env bash
-
- export PATH=$PATH:/run/wrappers/bin
 PODMAN_NETWORKS
+ mkdir -p /home/numbus-admin/.numbus-server/
- touch /home/numbus-admin/.numbus-server/networked.true
+ touch /home/numbus-admin/.numbus-server/activated.true
+ chown -R numbus-admin:users /home/numbus-admin/.numbus-server/
 '';
 };
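Review bot: Merging the two units into `numbus-activation` drops the removed `before = [ "traefik.service" ];` ordering, and the surviving header in the first hunk has only `wantedBy` and `after`; `wantedBy` pulls the unit into the transaction but does not order it, so `traefik.service` can start before the `PODMAN_NETWORKS` commands have created the `*_frontend` networks it attaches to. Add `before = [ "traefik.service" ];` next to the existing `after = [ ... ];` in the new unit. The removed unit also ran podman as `User = "numbus-admin"` with `Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ]`, whereas the root unit now reaches rootless podman via `sudo -u numbus-admin`, which does not carry that variable — confirm rootless podman still resolves the same network store the containers use, or pass it explicitly in the generated commands. Since the marker `activated.true` is now written only after the network commands, the recursive `chown -R` of `/mnt/data/` repeats on every boot until that point is reached; the `podman network exists || create` form keeps the retry idempotent, but the chown cost on a large data tree is worth keeping in mind.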
@@ -62,7 +42,7 @@ PODMAN_NETWORKS
 "pi-hole.service"
 "home-assistant.service"
 ];
- path = [ pkgs.curl pkgs.coreutils pkgs.systemd pkgs.podman ];
+ path = [ pkgs.curl pkgs.coreutils pkgs.systemd pkgs.podman pkgs.sudo ];
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
@@ -79,12 +59,13 @@ PODMAN_NETWORKS
 if [[ -e /etc/nixos/podman/pi-hole.nix ]]; then
 mkdir -p /mnt/config/pi-hole/
+ chown -R numbus-admin:users /mnt/config/pi-hole/
 until [[ -e /mnt/config/pi-hole/pihole-FTL.db ]]; do
 echo "Waiting for Pi-hole to be ready..."
 sleep 15
 done
 sleep 60
- podman exec pi-hole pihole -g
+ sudo -u numbus-admin podman exec pi-hole pihole -g
 sleep 60
 systemctl restart pi-hole.service
 echo "Pi-Hole quirk applied and service ready !"
@@ -92,6 +73,7 @@ PODMAN_NETWORKS
 if [[ -e /etc/nixos/podman/home-assistant.nix ]]; then
 mkdir -p /mnt/config/home-assistant/
+ chown -R numbus-admin:users /mnt/config/home-assistant/
 until [[ -e /mnt/config/home-assistant/configuration.yaml ]]; do
 echo "Waiting for Home Assistant to be ready..."
 sleep 15
@@ -112,6 +94,7 @@ EOF
 if [[ -e /etc/nixos/podman/frigate.nix ]]; then
 mkdir -p /mnt/config/frigate/
+ chown -R numbus-admin:users /mnt/config/frigate/
 until [[ -e /mnt/config/frigate/config.yaml ]]; do
 echo "Waiting for Frigate to be ready..."
 sleep 15
@@ -129,6 +112,7 @@ EOF
 mkdir -p /home/numbus-admin/.numbus-server/
 touch /home/numbus-admin/.numbus-server/quirked.true
+ chown -R numbus-admin:users /home/numbus-admin/.numbus-server/
 '';
 };
 }
\ No newline at end of file
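Review bot: `sudo -u numbus-admin podman exec pi-hole pihole -g` in the second hunk invokes rootless podman without the `XDG_RUNTIME_DIR=/run/user/1000` that the removed `numbus-activation-networked` unit provided, so podman may not locate numbus-admin's container state, and since the script never checks the exit status the gravity update would fail silently before `systemctl restart pi-hole.service`. Prefer `sudo -u numbus-admin env XDG_RUNTIME_DIR=/run/user/1000 podman exec pi-hole pihole -g || echo "pihole -g failed" >&2` so the failure is at least logged. Adding `pkgs.sudo` to `path` in the first hunk puts the unwrapped store sudo on PATH; on NixOS the privileged wrapper lives in `/run/wrappers/bin`, which the removed script had to append to `PATH` — as this unit runs as root the store binary is likely enough, but worth confirming on a fresh install. The new `chown -R numbus-admin:users` lines in this and the following three hunks run before the container is confirmed ready, so files the container creates afterwards keep the ownership the container assigns; if the intent is to fix ownership of container-written files, the chown belongs after the `until` loop.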