numbus/numbus-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Big update. Folder reorganization. Disk selection logic finished. Improved services selection (not done yet).

Browse Source
This commit is contained in:
Raphael Numbus
2025-12-14 13:58:01 +01:00
parent 0e0ed4d3a3
commit f777e608b8
32 changed files with 435 additions and 261 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config-files/disks/pcr-check.nix
+125
View File
@@ -0,0 +1,125 @@
{ lib, utils, config, ... }:
let
inherit (lib)
head
optional
foldl'
nameValuePair
listToAttrs
optionals
concatStringsSep
sortOn
mkIf
mkEnableOption
mkOption
types
;
in
{
options = {
systemIdentity = {
enable = mkEnableOption "hashing of Luks values into PCR 15 and subsequent checks";
pcr15 = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The expected value of PCR 15 after all luks partitions have been unlocked
Should be a 64 character hex string as ouput by the sha256 field of
'systemd-analyze pcrs 15 --json=short'
If set to null (the default) it will not check the value.
If the check fails the boot will abort and you will be dropped into an emergency shell, if enabled.
In ermergency shell type:
'systemctl disable check-pcrs'
'systemctl default'
to continue booting
'';
example = "6214de8c3d861c4b451acc8c4e24294c95d55bcec516bbf15c077ca3bffb6547";
};
};
boot.initrd.luks.devices = lib.mkOption {
type =
with lib.types;
attrsOf (submodule {
config.crypttabExtraOpts = optionals config.systemIdentity.enable [
"tpm2-device=auto"
"tpm2-measure-pcr=yes"
];
});
};
};
config = mkIf config.systemIdentity.enable {
boot.kernelParams = [
"rd.luks=no"
];
boot.initrd.systemd.services =
{
check-pcrs = mkIf (config.systemIdentity.pcr15 != null) {
script = ''
echo "Checking PCR 15 value"
if [[ $(systemd-analyze pcrs 15 --json=short | jq -r ".[0].sha256") != "${config.systemIdentity.pcr15}" ]] ; then
echo "PCR 15 check failed"
exit 1
else
echo "PCR 15 check succeeded"
fi
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
unitConfig.DefaultDependencies = "no";
after = [ "cryptsetup.target" ];
before = [ "sysroot.mount" ];
requiredBy = [ "sysroot.mount" ];
};
}
// (listToAttrs (
foldl' (
acc: attrs:
let
extraOpts = attrs.value.crypttabExtraOpts ++ (optional attrs.value.allowDiscards "discard");
cfg = config.boot.initrd.systemd;
in
[
(nameValuePair "cryptsetup-${attrs.name}" {
unitConfig = {
Description = "Cryptography setup for ${attrs.name}";
DefaultDependencies = "no";
IgnoreOnIsolate = true;
Conflicts = [ "umount.target" ];
BindsTo = "${utils.escapeSystemdPath attrs.value.device}.device";
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
TimeoutSec = "infinity";
KeyringMode = "shared";
OOMScoreAdjust = 500;
ImportCredential = "cryptsetup.*";
ExecStart = ''${cfg.package}/bin/systemd-cryptsetup attach '${attrs.name}' '${attrs.value.device}' '-' '${concatStringsSep "," extraOpts}' '';
ExecStop = ''${cfg.package}/bin/systemd-cryptsetup detach '${attrs.name}' '';
};
after =
[
"cryptsetup-pre.target"
"systemd-udevd-kernel.socket"
"${utils.escapeSystemdPath attrs.value.device}.device"
]
++ (optional cfg.tpm2.enable "systemd-tpm2-setup-early.service")
++ optional (acc != [ ]) "${(head acc).name}.service";
before = [
"blockdev@dev-mapper-${attrs.name}.target"
"cryptsetup.target"
"umount.target"
];
wants = [ "blockdev@dev-mapper-${attrs.name}.target" ];
requiredBy = [ "sysroot.mount" ];
})
]
++ acc
) [ ] (sortOn (x: x.name) (lib.attrsets.attrsToList config.boot.initrd.luks.devices))
));
};
}
config-files/disks/snapraid.nix
+72
View File
@@ -0,0 +1,72 @@
{ config, lib, ... }:
let
### --> SnapRAID disks research
contentDiskMounts = lib.attrsets.attrNames (
lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/content-" name) config.fileSystems
);
parityDiskMounts = lib.attrsets.attrNames (
lib.attrsets.filterAttrs (name: value: lib.strings.hasPrefix "/mnt/parity-" name) config.fileSystems
);
snapraidDataDisks = lib.lists.foldl'
(acc: path: acc // { "d${toString (acc.i + 1)}" = path; i = acc.i + 1; })
{ i = 0; }
contentDiskMounts;
### SnapRAID disks research <--
### --> Spindown disks
hardDrives = [ ${DISK_ID_LIST[@]} ];
### Spindown disks <--
in
### --> MergerFS setup
{
fileSystems."/mnt/data-storage" = {
device = "mergerfs";
fsType = "fuse";
options = [
"defaults"
"allow_other"
"use_ino"
"cache.files=off"
"moveonenospc=true"
"category.create=mfs"
"srcmounts=${lib.strings.concatStringsSep ":" contentDiskMounts}"
];
};
### MergerFS setup <--
### --> SnapRAID setup
services.snapraid = {
enable = true;
contentFiles = map (disk: "${disk}/snapraid.content") contentDiskMounts;
parityFiles = map (disk: "${disk}/snapraid.parity") parityDiskMounts;
dataDisks = builtins.removeAttrs snapraidDataDisks [ "i" ];
};
### SnapRAID setup <--
### --> Disk spindown
systemd.services.hd-idle = {
description = "External HD spin down daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart =
let
idleTime = toString 1800;
hardDriveParameter = lib.strings.concatMapStringsSep " " (x: "-a ${x} -i ${idleTime}") hardDrives;
in
"${pkgs.hd-idle}/bin/hd-idle -i 0 ${hardDriveParameter}";
};
};
### Disk spindown <--
}
config-files/disks/boot-1.nix → config-files/disks/templates/boot-1.nix
View File
config-files/disks/boot-2.nix → config-files/disks/templates/boot-2.nix
View File
config-files/disks/content.nix → config-files/disks/templates/content.nix
View File
config-files/disks/mirror.nix → config-files/disks/templates/mirror.nix
View File
config-files/disks/parity.nix → config-files/disks/templates/parity.nix
View File
config-files/docker/compose/frigate.nix
+76
View File
@@ -0,0 +1,76 @@
{ config, pkgs, ... }:
let
container_name = "frigate";
compose-dir = "docker-compose/frigate";
config-dir = "/mnt/config-storage/docker-data/frigate";
data-dir = "/mnt/data-storage/docker-data/frigate";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*
yaml
*/
''
services:
frigate:
image: ghcr.io/blakeblackshear/frigate:stable
container_name: frigate
shm_size: "512MB"
networks:
hass_frontend:
hass_backend:
volumes:
- ${config-dir}/config:/config
- ${data-dir}/clips:/media/frigate/clips
- ${data-dir}/recordings:/media/frigate/recordings
- ${data-dir}/exports:/media/frigate/exports
- /etc/localtime:/etc/localtime:ro
- type: tmpfs
target: /tmp/cache
tmpfs:
size: 2000000000
environment:
FRIGATE_MQTT_USER: $FRIGATE_MQTT_USER
FRIGATE_MQTT_PASSWORD: $FRIGATE_MQTT_PASSWORD
# --- frigate devices --- #
labels:
- traefik.enable=true
- traefik.http.services.frigate.loadbalancer.server.port=8971
- traefik.http.services.frigate.loadbalancer.server.scheme=http
- traefik.http.routers.frigate-https.entrypoints=websecure
- traefik.http.routers.frigate-https.rule=Host(`cctv.$DOMAIN_NAME`)
- traefik.http.routers.frigate-https.tls=true
- traefik.http.routers.frigate-https.tls.certresolver=cloudflare
restart: unless-stopped
networks:
hass_backend:
external: true
hass_frontend:
external: true
'';
systemd.services.frigate = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" "traefik.service" ];
requires = [ "docker.service" ];
wantedBy = ["multi-user.target"];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/compose/gitea.nix
+92
View File
@@ -0,0 +1,92 @@
{ config, pkgs, ... }:
let
container_name = "gitea";
compose-dir = "docker-compose/gitea";
config-dir = "/mnt/config-storage/docker-data/gitea";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*DB_NAM
yaml
*/
''
services:
gitea:
image: gitea/gitea:latest
container_name: gitea
networks:
gitea_frontend:
gitea_backend:
volumes:
- ${config_dir}/data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
- USER_UID=1000
- USER_GID=1000
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=$POSTGRES_HOST:$POSTGRES_PORT
- GITEA__database__NAME=$DB_NAME
- GITEA__database__USER=$DB_USERNAME
- GITEA__database__PASSWD=$DB_PASSWORD
- GITEA__server__SSH_PORT=2424
- GITEA__server__ROOT_URL=gitea.$DOMAIN_NAME
labels:
- traefik.enable=true
- traefik.http.services.gitea.loadbalancer.server.port=3000
- traefik.http.services.gitea.loadbalancer.server.scheme=http
- traefik.http.routers.gitea-https.entrypoints=websecure
- traefik.http.routers.gitea-https.rule=Host(`gitea.$DOMAIN_NAME`)
- traefik.http.routers.gitea-https.tls=true
- traefik.http.routers.gitea-https.tls.certresolver=cloudflare
depends_on:
- gitea-database
restart: unless-stopped
gitea-database:
image: docker.io/library/postgres:17.5
container_name: gitea-database
environment:
- POSTGRES_USER=$DB_USERNAME
- POSTGRES_PASSWORD=$DB_PASSWORD
- POSTGRES_DB=$DB_NAME
networks:
gitea_backend:
volumes:
- gitea-database:/var/lib/postgresql/data
restart: unless-stopped
volumes:
gitea-database:
networks:
gitea_frontend:
external: true
gitea_backend:
external: true
'';
systemd.services.gitea = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" "traefik.service" ];
requires = [ "docker.service" ];
wantedBy = ["multi-user.target"];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/compose/home-assistant.nix
+75
View File
@@ -0,0 +1,75 @@
{ config, pkgs, ... }:
let
container_name = "home-assistant";
compose-dir = "docker-compose/hass";
config-dir = "/mnt/config-storage/docker-data/hass";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*
yaml
*/
''
services:
home-assistant:
image: ghcr.io/home-assistant/home-assistant:latest
container_name: home-assistant
networks:
hass_frontend:
hass_backend:
volumes:
- ${config-dir}/config:/config
- /etc/localtime:/etc/localtime:ro
- /run/dbus:/run/dbus:ro
# --- hass devices --- #
labels:
- traefik.enable=true
- traefik.http.services.home-assistant.loadbalancer.server.port=8123
- traefik.http.services.home-assistant.loadbalancer.server.scheme=http
- traefik.http.routers.home-assistant-https.entrypoints=websecure
- traefik.http.routers.home-assistant-https.rule=Host(`hass.$DOMAIN_NAME`)
- traefik.http.routers.home-assistant-https.tls=true
- traefik.http.routers.home-assistant-https.tls.certresolver=cloudflare
restart: unless-stopped
frigate-mqtt:
image: eclipse-mosquitto
container_name: frigate-mqtt
user: 1000:1000
networks:
hass_backend:
volumes:
- ${config-dir}/mqtt:/mosquitto
restart: unless-stopped
networks:
hass_backend:
external: true
hass_frontend:
external: true
'';
systemd.services.hass = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" "traefik.service" ];
requires = [ "docker.service" ];
wantedBy = ["multi-user.target"];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/compose/immich.nix
+111
View File
@@ -0,0 +1,111 @@
{ config, pkgs, ... }:
let
container_name = "immich";
compose-dir = "docker-compose/immich";
config-dir = "/mnt/config-storage/docker-data/immich";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*
yaml
*/
''
services:
immich-server:
image: ghcr.io/immich-app/immich-server:$IMMICH_VERSION
container_name: immich-server
networks:
immich_frontend:
immich_backend:
volumes:
- $UPLOAD_LOCATION:/data
- /etc/localtime:/etc/localtime:ro
# --- immich devices --- #
labels:
- traefik.enable=true
- traefik.http.services.immich.loadbalancer.server.port=2283
- traefik.http.services.immich.loadbalancer.server.scheme=http
- traefik.http.routers.immich-https.entrypoints=websecure
- traefik.http.routers.immich-https.rule=Host(`immich.$DOMAIN_NAME`)
- traefik.http.routers.immich-https.tls=true
- traefik.http.routers.immich-https.tls.certresolver=cloudflare
env_file:
- .env
depends_on:
- immich-redis
- immich-database
restart: always
healthcheck:
disable: false
immich-machine-learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:$IMMICH_VERSION
networks:
immich_backend:
volumes:
- ${config-dir}/models:/cache
env_file:
- .env
restart: always
healthcheck:
disable: false
immich-redis:
container_name: immich-redis
image: docker.io/valkey/valkey:8-bookworm@sha256:a137a2b60aca1a75130022d6bb96af423fefae4eb55faf395732db3544803280
networks:
immich_backend:
healthcheck:
test: redis-cli ping || exit 1
restart: always
immich-database:
container_name: immich-database
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:32324a2f41df5de9efe1af166b7008c3f55646f8d0e00d9550c16c9822366b4a
networks:
immich_backend:
shm_size: 128mb
volumes:
# Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- $DB_DATA_LOCATION:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: $DB_PASSWORD
POSTGRES_USER: $DB_USERNAME
POSTGRES_DB: $DB_DATABASE_NAME
POSTGRES_INITDB_ARGS: '--data-checksums'
restart: always
healthcheck:
disable: false
networks:
immich_backend:
external: true
immich_frontend:
external: true
'';
systemd.services.immich = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" "traefik.service" ];
requires = [ "docker.service" ];
wantedBy = ["multi-user.target"];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/compose/it-tools.nix
+55
View File
@@ -0,0 +1,55 @@
{ config, pkgs, ... }:
let
container_name = "it-tools";
compose-dir = "docker-compose/it-tools";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*
yaml
*/
''
services:
it-tools:
container_name: it-tools
image: corentinth/it-tools
networks:
it-tools:
labels:
- traefik.enable=true
- traefik.http.services.it-tools.loadbalancer.server.port=80
- traefik.http.services.it-tools.loadbalancer.server.scheme=http
- traefik.http.routers.it-tools-https.entrypoints=websecure
- traefik.http.routers.it-tools-https.rule=Host(`it-tools.$DOMAIN_NAME`)
- traefik.http.routers.it-tools-https.tls=true
- traefik.http.routers.it-tools-https.tls.certresolver=cloudflare
restart: unless-stopped
networks:
it-tools:
external: true
'';
systemd.services.it-tools = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" "traefik.service" ];
requires = [ "docker.service" ];
wantedBy = ["multi-user.target"];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/compose/nextcloud.nix
+78
View File
@@ -0,0 +1,78 @@
{ config, pkgs, ... }:
let
container_name = "nextcloud";
compose-dir = "docker-compose/nextcloud";
data-dir = "/mnt/data-storage/docker-data/nextcloud";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*
yaml
*/
''
services:
nextcloud-aio-mastercontainer:
image: nextcloud/all-in-one:latest
container_name: nextcloud-aio-mastercontainer
networks:
nextcloud-aio:
volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
APACHE_PORT: 11000
NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.$DOMAIN_NAME nextcloud-aio.$DOMAIN_NAME
TRUSTED_PROXIES: 172.16.1.253
APACHE_IP_BINDING: 127.0.0.1
NEXTCLOUD_DATADIR: ${data-dir}
NEXTCLOUD_ENABLE_DRI_DEVICE: $NEXTCLOUD_ENABLE_DRI_DEVICE
NEXTCLOUD_UPLOAD_LIMIT: 16G
NEXTCLOUD_MAX_TIME: 3600
NEXTCLOUD_MEMORY_LIMIT: 2048M
SKIP_DOMAIN_VALIDATION: true
NEXTCLOUD_ADDITIONAL_APKS: imagemagick
NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick
labels:
- traefik.enable=true
- traefik.http.services.nextcloud-aio.loadbalancer.server.port=8080
- traefik.http.services.nextcloud-aio.loadbalancer.server.scheme=https
- traefik.http.routers.nextcloud-aio-https.entrypoints=websecure
- traefik.http.routers.nextcloud-aio-https.rule=Host(`nextcloud-aio.$DOMAIN_NAME`)
- traefik.http.routers.nextcloud-aio-https.tls=true
- traefik.http.routers.nextcloud-aio-https.tls.certresolver=cloudflare
init: true
restart: always
networks:
nextcloud-aio:
external: true
volumes:
nextcloud_aio_mastercontainer:
name: nextcloud_aio_mastercontainer
'';
systemd.services.nextcloud = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" "traefik.service" ];
requires = [ "docker.service" ];
wantedBy = ["multi-user.target"];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/compose/passbolt.nix
+107
View File
@@ -0,0 +1,107 @@
{ config, pkgs, ... }:
let
container_name = "passbolt";
compose-dir = "docker-compose/passbolt";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*
yaml
*/
''
services:
passbolt:
image: passbolt/passbolt:latest-ce-non-root
container_name: passbolt
networks:
passbolt_frontend:
passbolt_backend:
volumes:
- passbolt-gpg:/etc/passbolt/gpg
- passbolt-jwt:/etc/passbolt/jwt
environment:
APP_DEFAULT_TIMEZONE: $TZ
APP_FULL_BASE_URL: https://passbolt.$DOMAIN_NAME
DATASOURCES_DEFAULT_HOST: "passbolt-database"
DATASOURCES_DEFAULT_USERNAME: $PASSBOLT_MYSQL_USER
DATASOURCES_DEFAULT_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
DATASOURCES_DEFAULT_DATABASE: $PASSBOLT_MYSQL_DATABASE
EMAIL_DEFAULT_FROM_NAME: "Passbolt"
EMAIL_TRANSPORT_DEFAULT_HOST: $SENDER_EMAIL_DOMAIN
EMAIL_TRANSPORT_DEFAULT_PORT: $SENDER_EMAIL_PORT
EMAIL_TRANSPORT_DEFAULT_USERNAME: $SENDER_EMAIL_ADDRESS
EMAIL_TRANSPORT_DEFAULT_PASSWORD: $SENDER_EMAIL_ADDRESS_PASSWORD
EMAIL_TRANSPORT_DEFAULT_TLS: true
EMAIL_DEFAULT_FROM: $EMAIL_ADDRESS
PASSBOLT_SSL_FORCE: true
labels:
- traefik.enable=true
- traefik.http.services.passbolt.loadbalancer.server.port=4433
- traefik.http.services.passbolt.loadbalancer.server.scheme=https
- traefik.http.routers.passbolt-https.entrypoints=websecure
- traefik.http.routers.passbolt-https.rule=Host(`passbolt.$DOMAIN_NAME`)
- traefik.http.routers.passbolt-https.tls=true
- traefik.http.routers.passbolt-https.tls.certresolver=cloudflare
command:
[
"/usr/bin/wait-for.sh",
"-t",
"0",
"passbolt-database:3306",
"--",
"/docker-entrypoint.sh",
]
depends_on:
- passbolt-database
restart: unless-stopped
passbolt-database:
image: mariadb:11.3
container_name: passbolt-database
networks:
passbolt_backend:
volumes:
- passbolt-database:/var/lib/mysql
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: $PASSBOLT_MYSQL_DATABASE
MYSQL_USER: $PASSBOLT_MYSQL_USER
MYSQL_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
restart: unless-stopped
networks:
passbolt_backend:
external: true
passbolt_frontend:
external: true
volumes:
passbolt-database:
passbolt-gpg:
passbolt-jwt:
'';
systemd.services.passbolt = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" "traefik.service" ];
requires = [ "docker.service" ];
wantedBy = ["multi-user.target"];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/compose/pi-hole.nix
+85
View File
@@ -0,0 +1,85 @@
{ config, pkgs, ... }:
let
container_name = "pihole";
compose-dir = "docker-compose/pihole";
config-dir = "/mnt/config-storage/docker-data/pihole";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*
yaml
*/
''
services:
pihole:
image: pihole/pihole:latest
container_name: pihole
networks:
pihole:
ports:
# DNS Ports
- "53:53/tcp"
- "53:53/udp"
environment:
TZ: $TZ
FTLCONF_webserver_api_password: $FTLCONF_webserver_api_password
FTLCONF_dns_listeningMode: all
FTLCONF_dns_revServers: true,$HOME_ROUTER_SUBNET,$HOME_ROUTER_IP,home
FTLCONF_dns_domain_name: home
FTLCONF_dns_domain_local: true
FTLCONF_dns_hosts: |
$HOME_SERVER_IP dns.$DOMAIN_NAME
$HOME_SERVER_IP reverse.$DOMAIN_NAME
$HOME_SERVER_IP nextcloud.$DOMAIN_NAME
$HOME_SERVER_IP nextcloud-aio.$DOMAIN_NAME
$HOME_SERVER_IP hass.$DOMAIN_NAME
$HOME_SERVER_IP passbolt.$DOMAIN_NAME
FTLCONF_dhcp_active: false
FTLCONF_dns_upstreams: 9.9.9.11;149.112.112.11
PIHOLE_UID: 1000
PIHOLE_GID: 1000
volumes:
- ${config-dir}/config:/etc/pihole
cap_add:
- SYS_TIME
- SYS_NICE
labels:
- traefik.enable=true
- traefik.http.services.pihole.loadbalancer.server.port=443
- traefik.http.services.pihole.loadbalancer.server.scheme=https
- traefik.http.routers.pihole-https.entrypoints=websecure
- traefik.http.routers.pihole-https.rule=Host(`dns.$DOMAIN_NAME`)
- traefik.http.routers.pihole-https.tls=true
- traefik.http.routers.pihole-https.tls.certresolver=cloudflare
restart: unless-stopped
networks:
pihole:
external: true
'';
systemd.services.pihole = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" "traefik.service" ];
requires = [ "docker.service" ];
wantedBy = ["multi-user.target"];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/compose/traefik.nix
+129
View File
@@ -0,0 +1,129 @@
{ config, pkgs, ... }:
let
container_name = "traefik";
compose-dir = "docker-compose/traefik";
config-dir = "/mnt/config-storage/docker-data/traefik";
in
{
config = {
environment.etc."${compose-dir}/compose.yaml".text =
/*
yaml
*/
''
services:
traefik:
image: docker.io/library/traefik:latest
container_name: traefik
networks:
nextcloud-aio:
ipv4_address: 172.16.1.253
passbolt_frontend:
ipv4_address: 172.16.20.253
pihole:
ipv4_address: 172.16.3.253
hass_frontend:
ipv4_address: 172.16.40.253
immich_frontend:
ipv4_address: 172.16.50.253
ports:
- 80:80
- 443:443
volumes:
- /run/docker.sock:/run/docker.sock:ro
- ${config-dir}/config/conf/:/etc/traefik/conf/:ro
- ${config-dir}/config/traefik.yaml:/etc/traefik/traefik.yaml:ro
- ${config-dir}/certs/:/var/traefik/certs/:rw
environment:
- CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
labels:
- traefik.enable=true
- traefik.http.services.traefik.loadbalancer.server.port=8080
- traefik.http.services.traefik.loadbalancer.server.scheme=http
- traefik.http.routers.traefik-https.entrypoints=websecure
- traefik.http.routers.traefik-https.rule=Host(`reverse.$DOMAIN_NAME`)
- traefik.http.routers.traefik-https.tls=true
- traefik.http.routers.traefik-https.tls.certresolver=cloudflare
restart: always
networks:
nextcloud-aio:
name: nextcloud-aio
driver: bridge
ipam:
config:
- subnet: "172.16.1.0/24"
gateway: "172.16.1.254"
passbolt_backend:
name: passbolt_backend
driver: bridge
ipam:
config:
- subnet: "172.16.2.0/24"
gateway: "172.16.2.254"
passbolt_frontend:
name: passbolt_frontend
driver: bridge
ipam:
config:
- subnet: "172.16.20.0/24"
gateway: "172.16.20.254"
pihole:
name: pihole
driver: bridge
ipam:
config:
- subnet: "172.16.3.0/24"
gateway: "172.16.3.254"
hass_backend:
name: hass_backend
driver: bridge
ipam:
config:
- subnet: "172.16.4.0/24"
gateway: "172.16.4.254"
hass_frontend:
name: hass_frontend
driver: bridge
ipam:
config:
- subnet: "172.16.40.0/24"
gateway: "172.16.40.254"
immich_backend:
name: immich_backend
driver: bridge
ipam:
config:
- subnet: "172.16.5.0/24"
gateway: "172.16.5.254"
immich_frontend:
name: immich_frontend
driver: bridge
ipam:
config:
- subnet: "172.16.50.0/24"
gateway: "172.16.50.254"
'';
systemd.services.traefik = {
description = "Docker container : ${container_name}";
after = [ "network.target" "docker.service" "docker.socket" ];
requires = [ "docker.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.docker ];
serviceConfig = {
Type = "exec";
# Pull the latest image before running
ExecStartPre = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml pull";
# Bring the service up
ExecStart = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml up --remove-orphans";
# Take it down gracefully
ExecStop = "${pkgs.docker}/bin/docker compose -f /etc/${compose-dir}/compose.yaml down";
Restart = "on-failure";
};
};
};
}
config-files/docker/hass/mosquitto.conf → config-files/docker/config/hass/mosquitto.conf
View File
config-files/docker/traefik/headers.yaml → config-files/docker/config/traefik/headers.yaml
View File
config-files/docker/traefik/nextcloud.yaml → config-files/docker/config/traefik/nextcloud.yaml
View File
config-files/docker/traefik/tls.yaml → config-files/docker/config/traefik/tls.yaml
View File
config-files/docker/traefik/traefik.yaml → config-files/docker/config/traefik/traefik.yaml
View File
config-files/examples/deploy.example.conf
+1 -1
View File
@@ -3,7 +3,7 @@ TARGET_HOST="192.168.1.10"
SSH_PUBLIC_KEY="ssh-ed25519 AAAAoefzefpoipoeCEZJCPEACPAcjapjcpajepcjAPJECJPEJAPJAZ yours@yourdomain.com"
# TRAEFIK SETTINGS
DOMAIN_NAME="yourdomain.com"
EMAIL_ADDRESS="no-reply@yourdomain.com"
EMAIL_ADDRESS="your-mail@yourdomain.com"
CF_DNS_API_TOKEN="yourToken"
#SMTP SETTINGS
SENDER_EMAIL_ADDRESS="youraddress@gmail.com"
config-files/scripts/numbus-server.sh
+3
View File
@@ -0,0 +1,3 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p gum openssl sops ssh-to-age age sshpass envsubst pciutils usbutils mosquitto
config-files/sops-nix/secrets.yaml
+12 -4
View File
@@ -1,4 +1,5 @@
ssh_public_keys: $SSH_PUBLIC_KEY
sender_email_address_password: $SENDER_EMAIL_ADDRESS_PASSWORD
docker:
nextcloud: |
@@ -18,9 +19,9 @@ docker:
passbolt: |
DOMAIN_NAME=$DOMAIN_NAME
TZ=Europe/Paris
PASSBOLT_MYSQL_DATABASE=$PASSBOLT_MYSQL_DATABASE
PASSBOLT_MYSQL_USER=$PASSBOLT_MYSQL_USER
PASSBOLT_MYSQL_PASSWORD=$PASSBOLT_MYSQL_PASSWORD
PASSBOLT_MYSQL_DATABASE=$PASSBOLT_DB_NAME
PASSBOLT_MYSQL_USER=$PASSBOLT_DB_USERNAME
PASSBOLT_MYSQL_PASSWORD=$PASSBOLT_DB_PASSWORD
SENDER_EMAIL_ADDRESS=$SENDER_EMAIL_ADDRESS
SENDER_EMAIL_ADDRESS_PASSWORD=$SENDER_EMAIL_ADDRESS_PASSWORD
SENDER_EMAIL_DOMAIN=$SENDER_EMAIL_DOMAIN
@@ -41,10 +42,17 @@ docker:
IMMICH_TRUSTED_PROXIES=172.16.50.253
REDIS_HOSTNAME=immich-redis
DB_HOSTNAME=immich-database
DB_DATABASE_NAME=$IMMICH_DB_DATABASE_NAME
DB_DATABASE_NAME=$IMMICH_DB_NAME
DB_USERNAME=$IMMICH_DB_USERNAME
DB_PASSWORD=$IMMICH_DB_PASSWORD
DB_DATA_LOCATION=/mnt/config-storage/docker-data/immich/database
gitea: |
DOMAIN_NAME=$DOMAIN_NAME
POSTGRES_HOST=gitea-database
POSTGRES_PORT=5432
DB_NAME=$GITEA_DB_NAME
DB_USERNAME=$GITEA_DB_USERNAME
DB_PASSWORD=$GITEA_DB_PASSWORD
disks:
content-disk-1: $CONTENT_DISK_1_KEY