numbus/numbus-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

misc

Browse Source
This commit is contained in:
Raphaël Billet
2026-01-22 12:24:11 +01:00
parent 5b59fa1039
commit eb17551aec
40 changed files with 92 additions and 240 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config-files/docker/adguard.coming
+41
View File
@@ -0,0 +1,41 @@
{ config, pkgs, ... }:
let
container_name = "adguard";
compose_file = "podman/adguard/compose.yaml";
config_dir = "/mnt/config/adguard";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman-compose pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "10m";
StartLimitBurst = "3";
StartLimitIntervalSec = "30s";
};
};
};
}
config-files/docker/config/hass/configuration.yaml
+17
View File
@@ -0,0 +1,17 @@
# Loads default set of integrations. Do not remove.
default_config:
# Load frontend themes from the themes folder
frontend:
themes: !include_dir_merge_named themes
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
http:
use_x_forwarded_for: true
trusted_proxies: 172.16.10.253
zha:
config-files/docker/config/hass/mosquitto.conf
+8
View File
@@ -0,0 +1,8 @@
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
listener 1883
## Authentication ##
allow_anonymous false
password_file /mosquitto/config/password.txt
config-files/docker/config/traefik/headers.yaml
+20
View File
@@ -0,0 +1,20 @@
http:
middlewares:
passbolt:
headers:
FrameDeny: true
AccessControlAllowMethods: 'GET,OPTIONS,PUT'
AccessControlAllowOriginList:
- origin-list-or-null
AccessControlMaxAge: 100
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
CustomFrameOptionsValue: SAMEORIGIN
ReferrerPolicy: same-origin
PermissionsPolicy: vibrate 'self'
STSSeconds: 315360000
config-files/docker/config/traefik/nextcloud.yaml
+41
View File
@@ -0,0 +1,41 @@
http:
routers:
nextcloud:
rule: "Host(`nextcloud.${DOMAIN_NAME}`)"
entrypoints:
- "websecure"
service: nextcloud
middlewares:
- nextcloud-chain
tls:
certresolver: "cloudflare"
services:
nextcloud:
loadBalancer:
servers:
- url: "http://nextcloud-aio-apache:11000"
middlewares:
nextcloud-secure-headers:
headers:
hostsProxyHeaders:
- "X-Forwarded-Host"
referrerPolicy: "same-origin"
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
STSSeconds: 315360000
https-redirect:
redirectscheme:
scheme: https
nextcloud-chain:
chain:
middlewares:
# - ... (e.g. rate limiting middleware)
- https-redirect
- nextcloud-secure-headers
config-files/docker/config/traefik/tls.yaml
+12
View File
@@ -0,0 +1,12 @@
tls:
options:
default:
minVersion: VersionTLS12
sniStrict: true
curvePreferences:
- CurveP521
- CurveP384
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
config-files/docker/config/traefik/traefik.yaml
+54
View File
@@ -0,0 +1,54 @@
global:
checkNewVersion: false
sendAnonymousUsage: false
# - level: [TRACE, DEBUG, INFO, WARN, ERROR, FATAL]
log:
level: ERROR
accesslog: {}
api:
dashboard: true
insecure: true
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
forwardedHeaders:
trustedIPs:
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"
certificatesResolvers:
cloudflare:
acme:
email: ${EMAIL_ADDRESS}
storage: /var/traefik/certs/cloudflare-acme.json
caServer: "https://acme-v02.api.letsencrypt.org/directory"
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "9.9.9.9:53"
serversTransport:
insecureSkipVerify: true
providers:
docker:
exposedByDefault: false
network: nextcloud-aio, passbolt_frontend, pihole, hass_frontend, immich_frontend, it-tools, gitrea_frontend
file:
directory: "/etc/traefik/conf/"
watch: true
config-files/docker/frigate.nix
+79
View File
@@ -0,0 +1,79 @@
{ config, pkgs, ... }:
let
container_name = "frigate";
compose_file = "podman/frigate/compose.yaml";
config_dir = "/mnt/config/frigate";
data_dir = "/mnt/data/frigate";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
frigate:
image: ghcr.io/blakeblackshear/frigate:stable
container_name: frigate
shm_size: "512MB"
networks:
hass_frontend:
hass_backend:
volumes:
- ${config_dir}:/config
- ${data_dir}/clips:/media/frigate/clips
- ${data_dir}/recordings:/media/frigate/recordings
- ${data_dir}/exports:/media/frigate/exports
- /etc/localtime:/etc/localtime:ro
- type: tmpfs
target: /tmp/cache
tmpfs:
size: 2000000000
environment:
FRIGATE_MQTT_USER: $FRIGATE_MQTT_USER
FRIGATE_MQTT_PASSWORD: $FRIGATE_MQTT_PASSWORD
# --- frigate devices --- #
labels:
- traefik.enable=true
- traefik.http.services.frigate.loadbalancer.server.port=8971
- traefik.http.services.frigate.loadbalancer.server.scheme=http
- traefik.http.routers.frigate-https.entrypoints=websecure
- traefik.http.routers.frigate-https.rule=Host(`frigate.$DOMAIN_NAME`)
- traefik.http.routers.frigate-https.tls=true
- traefik.http.routers.frigate-https.tls.certresolver=cloudflare
restart: unless-stopped
networks:
hass_backend:
external: true
hass_frontend:
external: true
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}
config-files/docker/gitea.nix
+91
View File
@@ -0,0 +1,91 @@
{ config, pkgs, ... }:
let
container_name = "gitea";
compose_file = "podman/gitea/compose.yaml";
config_dir = "/mnt/config/gitea";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
gitea:
image: docker.io/gitea/gitea:latest
container_name: gitea
networks:
gitea_frontend:
gitea_backend:
volumes:
- ${config_dir}:/data
- /etc/localtime:/etc/localtime:ro
environment:
- USER_UID=1000
- USER_GID=1000
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=$POSTGRES_HOST:$POSTGRES_PORT
- GITEA__database__NAME=$DB_NAME
- GITEA__database__USER=$DB_USERNAME
- GITEA__database__PASSWD=$DB_PASSWORD
- GITEA__server__SSH_PORT=2424
- GITEA__server__ROOT_URL=gitea.$DOMAIN_NAME
labels:
- traefik.enable=true
- traefik.http.services.gitea.loadbalancer.server.port=3000
- traefik.http.services.gitea.loadbalancer.server.scheme=http
- traefik.http.routers.gitea-https.entrypoints=websecure
- traefik.http.routers.gitea-https.rule=Host(`gitea.$DOMAIN_NAME`)
- traefik.http.routers.gitea-https.tls=true
- traefik.http.routers.gitea-https.tls.certresolver=cloudflare
depends_on:
- gitea-database
restart: unless-stopped
gitea-database:
image: docker.io/library/postgres:17.5
container_name: gitea-database
environment:
- POSTGRES_USER=$DB_USERNAME
- POSTGRES_PASSWORD=$DB_PASSWORD
- POSTGRES_DB=$DB_NAME
networks:
gitea_backend:
volumes:
- ${config_dir}:/var/lib/postgresql/data
restart: unless-stopped
networks:
gitea_frontend:
external: true
gitea_backend:
external: true
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}
config-files/docker/home-assistant.nix
+78
View File
@@ -0,0 +1,78 @@
{ config, pkgs, ... }:
let
container_name = "home-assistant";
compose_file = "podman/home-assistant/compose.yaml";
config_dir_1 = "/mnt/config/home-assistant";
config_dir_2 = "/mnt/config/mqtt";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
home-assistant:
image: ghcr.io/home-assistant/home-assistant:latest
container_name: home-assistant
networks:
home-assistant_frontend:
home-assistant_backend:
volumes:
- ${config_dir_1}:/config
- /etc/localtime:/etc/localtime:ro
- /run/dbus:/run/dbus:ro
# --- home-assistant devices --- #
labels:
- traefik.enable=true
- traefik.http.services.home-assistant.loadbalancer.server.port=8123
- traefik.http.services.home-assistant.loadbalancer.server.scheme=http
- traefik.http.routers.home-assistant-https.entrypoints=websecure
- traefik.http.routers.home-assistant-https.rule=Host(`home-assistant.$DOMAIN_NAME`)
- traefik.http.routers.home-assistant-https.tls=true
- traefik.http.routers.home-assistant-https.tls.certresolver=cloudflare
restart: unless-stopped
frigate-mqtt:
image: eclipse-mosquitto
container_name: mqtt
user: 1000:1000
networks:
home-assistant_backend:
volumes:
- ${config_dir_2}:/mosquitto
restart: unless-stopped
networks:
home-assistant_backend:
external: true
home-assistant_frontend:
external: true
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}
config-files/docker/immich.nix
+115
View File
@@ -0,0 +1,115 @@
{ config, pkgs, ... }:
let
container_name = "immich";
compose_file = "podman/immich/compose.yaml";
config_dir = "/mnt/config/immich";
data_dir = "/mnt/data/immich";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
immich-server:
image: ghcr.io/immich-app/immich-server:$IMMICH_VERSION
container_name: immich-server
networks:
immich_frontend:
immich_backend:
volumes:
- $UPLOAD_LOCATION:/data
- /etc/localtime:/etc/localtime:ro
# --- immich devices --- #
labels:
- traefik.enable=true
- traefik.http.services.immich.loadbalancer.server.port=2283
- traefik.http.services.immich.loadbalancer.server.scheme=http
- traefik.http.routers.immich-https.entrypoints=websecure
- traefik.http.routers.immich-https.rule=Host(`immich.$DOMAIN_NAME`)
- traefik.http.routers.immich-https.tls=true
- traefik.http.routers.immich-https.tls.certresolver=cloudflare
env_file:
- .env
depends_on:
- immich-redis
- immich-database
restart: always
healthcheck:
disable: false
immich-machine-learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:$IMMICH_VERSION
networks:
immich_backend:
volumes:
- ${config_dir}/models:/cache
env_file:
- .env
restart: always
healthcheck:
disable: false
immich-redis:
container_name: immich-redis
image: docker.io/valkey/valkey:8-bookworm@sha256:a137a2b60aca1a75130022d6bb96af423fefae4eb55faf395732db3544803280
networks:
immich_backend:
healthcheck:
test: redis-cli ping || exit 1
restart: always
immich-database:
container_name: immich-database
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:32324a2f41df5de9efe1af166b7008c3f55646f8d0e00d9550c16c9822366b4a
networks:
immich_backend:
shm_size: 128mb
volumes:
# Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- $DB_DATA_LOCATION:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: $DB_PASSWORD
POSTGRES_USER: $DB_USERNAME
POSTGRES_DB: $DB_DATABASE_NAME
POSTGRES_INITDB_ARGS: '--data-checksums'
restart: always
healthcheck:
disable: false
networks:
immich_backend:
external: true
immich_frontend:
external: true
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}
config-files/docker/it-tools.nix
+58
View File
@@ -0,0 +1,58 @@
{ config, pkgs, ... }:
let
container_name = "it-tools";
compose_file = "podman/it-tools/compose.yaml";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
it-tools:
container_name: it-tools
image: corentinth/it-tools
networks:
it-tools_frontend:
labels:
- traefik.enable=true
- traefik.http.services.it-tools.loadbalancer.server.port=80
- traefik.http.services.it-tools.loadbalancer.server.scheme=http
- traefik.http.routers.it-tools-https.entrypoints=websecure
- traefik.http.routers.it-tools-https.rule=Host(`it-tools.$DOMAIN_NAME`)
- traefik.http.routers.it-tools-https.tls=true
- traefik.http.routers.it-tools-https.tls.certresolver=cloudflare
restart: unless-stopped
networks:
it-tools_frontend:
external: true
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}
config-files/docker/nextcloud.nix
+81
View File
@@ -0,0 +1,81 @@
{ config, pkgs, ... }:
let
container_name = "nextcloud";
compose_file = "podman/nextcloud/compose.yaml";
data_dir = "/mnt/data/nextcloud";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
nextcloud-aio-mastercontainer:
image: ghcr.io/nextcloud-releases/all-in-one:latest
container_name: nextcloud-aio-mastercontainer
networks:
nextcloud-aio:
volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config
- /run/user/1000/podman/podman.sock:/var/run/docker.sock:ro
environment:
APACHE_PORT: 11000
NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.$DOMAIN_NAME nextcloud-aio.$DOMAIN_NAME
TRUSTED_PROXIES: 172.16.1.253
APACHE_IP_BINDING: 127.0.0.1
NEXTCLOUD_DATADIR: ${data_dir}
NEXTCLOUD_ENABLE_DRI_DEVICE: $NEXTCLOUD_ENABLE_DRI_DEVICE
NEXTCLOUD_UPLOAD_LIMIT: 16G
NEXTCLOUD_MAX_TIME: 3600
NEXTCLOUD_MEMORY_LIMIT: 2048M
NEXTCLOUD_ADDITIONAL_APKS: imagemagick
NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick
WATCHTOWER_DOCKER_SOCKET_PATH: /run/user/1000/podman/podman.sock
labels:
- traefik.enable=true
- traefik.http.services.nextcloud-aio.loadbalancer.server.port=8080
- traefik.http.services.nextcloud-aio.loadbalancer.server.scheme=https
- traefik.http.routers.nextcloud-aio-https.entrypoints=websecure
- traefik.http.routers.nextcloud-aio-https.rule=Host(`nextcloud-aio.$DOMAIN_NAME`)
- traefik.http.routers.nextcloud-aio-https.tls=true
- traefik.http.routers.nextcloud-aio-https.tls.certresolver=cloudflare
init: true
restart: always
networks:
nextcloud-aio:
external: true
volumes:
nextcloud_aio_mastercontainer:
name: nextcloud_aio_mastercontainer
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}
config-files/docker/passbolt.nix
+110
View File
@@ -0,0 +1,110 @@
{ config, pkgs, ... }:
let
container_name = "passbolt";
compose_file = "podman/passbolt/compose.yaml";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
passbolt:
image: passbolt/passbolt:latest-ce-non-root
container_name: passbolt
networks:
passbolt_frontend:
passbolt_backend:
volumes:
- passbolt-gpg:/etc/passbolt/gpg
- passbolt-jwt:/etc/passbolt/jwt
environment:
APP_DEFAULT_TIMEZONE: $TZ
APP_FULL_BASE_URL: https://passbolt.$DOMAIN_NAME
DATASOURCES_DEFAULT_HOST: "passbolt-database"
DATASOURCES_DEFAULT_USERNAME: $PASSBOLT_MYSQL_USER
DATASOURCES_DEFAULT_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
DATASOURCES_DEFAULT_DATABASE: $PASSBOLT_MYSQL_DATABASE
EMAIL_DEFAULT_FROM_NAME: "Passbolt"
EMAIL_TRANSPORT_DEFAULT_HOST: $SENDER_EMAIL_DOMAIN
EMAIL_TRANSPORT_DEFAULT_PORT: $SENDER_EMAIL_PORT
EMAIL_TRANSPORT_DEFAULT_USERNAME: $SENDER_EMAIL_ADDRESS
EMAIL_TRANSPORT_DEFAULT_PASSWORD: $SENDER_EMAIL_ADDRESS_PASSWORD
EMAIL_TRANSPORT_DEFAULT_TLS: true
EMAIL_DEFAULT_FROM: $EMAIL_ADDRESS
PASSBOLT_SSL_FORCE: true
labels:
- traefik.enable=true
- traefik.http.services.passbolt.loadbalancer.server.port=4433
- traefik.http.services.passbolt.loadbalancer.server.scheme=https
- traefik.http.routers.passbolt-https.entrypoints=websecure
- traefik.http.routers.passbolt-https.rule=Host(`passbolt.$DOMAIN_NAME`)
- traefik.http.routers.passbolt-https.tls=true
- traefik.http.routers.passbolt-https.tls.certresolver=cloudflare
command:
[
"/usr/bin/wait-for.sh",
"-t",
"0",
"passbolt-database:3306",
"--",
"/docker-entrypoint.sh",
]
depends_on:
- passbolt-database
restart: unless-stopped
passbolt-database:
image: mariadb:11.3
container_name: passbolt-database
networks:
passbolt_backend:
volumes:
- passbolt-database:/var/lib/mysql
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: $PASSBOLT_MYSQL_DATABASE
MYSQL_USER: $PASSBOLT_MYSQL_USER
MYSQL_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
restart: unless-stopped
networks:
passbolt_backend:
external: true
passbolt_frontend:
external: true
volumes:
passbolt-database:
passbolt-gpg:
passbolt-jwt:
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}
config-files/docker/pi-hole.nix
+92
View File
@@ -0,0 +1,92 @@
{ config, pkgs, ... }:
let
container_name = "pi-hole";
compose_file = "podman/pi-hole/compose.yaml";
config_dir = "/mnt/config/pi-hole";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
pihole:
image: pihole/pihole:latest
container_name: pi-hole
networks:
pi-hole_frontend:
ports:
# DNS Ports
- "53:53/tcp"
- "53:53/udp"
environment:
TZ: $TZ
FTLCONF_webserver_api_password: $FTLCONF_webserver_api_password
FTLCONF_dns_listeningMode: "all"
FTLCONF_dns_revServers: true,$HOME_ROUTER_SUBNET,$HOME_ROUTER_IP,home
FTLCONF_dns_domain_name: "home"
FTLCONF_dns_domain_local: "true"
FTLCONF_dns_hosts: |
$HOME_SERVER_IP frigate.$DOMAIN_NAME
$HOME_SERVER_IP gitea.$DOMAIN_NAME
$HOME_SERVER_IP home-assistant.$DOMAIN_NAME
$HOME_SERVER_IP immich.$DOMAIN_NAME
$HOME_SERVER_IP it-tools.$DOMAIN_NAME
$HOME_SERVER_IP nextcloud.$DOMAIN_NAME
$HOME_SERVER_IP nextcloud-aio.$DOMAIN_NAME
$HOME_SERVER_IP passbolt.$DOMAIN_NAME
$HOME_SERVER_IP pi-hole.$DOMAIN_NAME
$HOME_SERVER_IP traefik.$DOMAIN_NAME
FTLCONF_dhcp_active: "false"
FTLCONF_dns_upstreams: 9.9.9.9;149.112.112.112
FTLCONF_ntp_ipv4_active: "false"
FTLCONF_ntp_ipv6_active: "false"
FTLCONF_ntp_sync_active: "false"
volumes:
- ${config_dir}:/etc/pihole
cap_add:
- SYS_NICE
labels:
- traefik.enable=true
- traefik.http.services.pihole.loadbalancer.server.port=80
- traefik.http.services.pihole.loadbalancer.server.scheme=http
- traefik.http.routers.pihole-https.entrypoints=websecure
- traefik.http.routers.pihole-https.rule=Host(`pi-hole.$DOMAIN_NAME`)
- traefik.http.routers.pihole-https.tls=true
- traefik.http.routers.pihole-https.tls.certresolver=cloudflare
restart: unless-stopped
networks:
pi-hole_frontend:
external: true
'';
systemd.services.${container_name} = {
description = "Podman container : ${container_name}";
after = [ "network.target" ];
requires = [ "traefik.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
AmbientCapabilities = "CAP_SYS_NICE";
LimitNICE = -20;
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}
config-files/docker/traefik.nix
+67
View File
@@ -0,0 +1,67 @@
{ config, pkgs, ... }:
let
container_name = "traefik";
compose_file = "podman/traefik/compose.yaml";
config_dir = "/mnt/config/traefik";
in
{
config = {
environment.etc."${compose_file}".text =
/*
yaml
*/
''
services:
traefik:
image: docker.io/library/traefik:latest
container_name: traefik
networks:
TRAEFIK_NETWORKS
ports:
- "80:80"
- "443:443"
volumes:
- /run/user/1000/podman/podman.sock:/run/docker.sock:ro
- ${config_dir}/rules/:/etc/traefik/conf/:ro
- ${config_dir}/traefik.yaml:/etc/traefik/traefik.yaml:ro
- ${config_dir}/certs/:/var/traefik/certs/:rw
environment:
- CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
labels:
- traefik.enable=true
- traefik.http.services.traefik.loadbalancer.server.port=8080
- traefik.http.services.traefik.loadbalancer.server.scheme=http
- traefik.http.routers.traefik-https.entrypoints=websecure
- traefik.http.routers.traefik-https.rule=Host(`traefik.$DOMAIN_NAME`)
- traefik.http.routers.traefik-https.tls=true
- traefik.http.routers.traefik-https.tls.certresolver=cloudflare
restart: always
networks:
TRAEFIK_REF_NETWORKS
'';
systemd.services.traefik = {
description = "Podman container : ${container_name}";
after = [ "numbus-activation-networked.service" "numbus-activation-chowned.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.podman ];
serviceConfig = {
User = "numbus-admin";
Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull";
# Bring the service up
ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
Restart = "on-failure";
RestartSec = "5m";
StartLimitBurst = "3";
};
};
};
}