From f57afcc50c211e03f5a2525a7b7935591ed4ad26 Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 6 Oct 2024 17:25:27 +0100
Subject: [PATCH] add postgres and jellyfin nixos-containers
---
 .../optional/nixos-containers/jellyfin.nix | 75 ++++++++++++
 .../{ => nixos-containers}/nix-bitcoin.nix | 48 ++++----
 .../optional/nixos-containers/postgres.nix | 113 ++++++++++++++++++
 3 files changed, 211 insertions(+), 25 deletions(-)
 create mode 100644 hosts/common/optional/nixos-containers/jellyfin.nix
 rename hosts/common/optional/{ => nixos-containers}/nix-bitcoin.nix (90%)
 create mode 100644 hosts/common/optional/nixos-containers/postgres.nix
diff --git a/hosts/common/optional/nixos-containers/jellyfin.nix b/hosts/common/optional/nixos-containers/jellyfin.nix
new file mode 100644
index 0000000..5fd75fb
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/jellyfin.nix
@@ -0,0 +1,75 @@
+{
+ lib,
+ pkgs,
+ ...
+}: let
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ container_name = "jellyfin";
+ container_ip = "10.0.10.6";
+in {
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${container_name}"
+ ];
+ };
+
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ containers.postgres = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "10.0.10.1";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${container_ip}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 5432
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ environment.systemPackages = [
+ pkgs.jellyfin
+ pkgs.jellyfin-web
+ pkgs.jellyfin-ffmpeg
+ pkgs.lsof
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/hosts/common/optional/nix-bitcoin.nix b/hosts/common/optional/nixos-containers/nix-bitcoin.nix
similarity index 90%
rename from hosts/common/optional/nix-bitcoin.nix
rename to hosts/common/optional/nixos-containers/nix-bitcoin.nix
index 045368b..81a71f8 100644
--- a/hosts/common/optional/nix-bitcoin.nix
+++ b/hosts/common/optional/nixos-containers/nix-bitcoin.nix
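Review bot: `containers.postgres = {` in jellyfin.nix names the container `postgres` even though `container_name = "jellyfin"` is bound a few lines above and already used for the persistence directory, so `/var/lib/nixos-containers/jellyfin` is persisted while the container's real state lives under `/var/lib/nixos-containers/postgres`, and a host that imports this module together with postgres.nix ends up with both files defining `containers.postgres`. Use `containers.${container_name} = {`, as nix-bitcoin.nix does in this same commit. The container firewall's `allowedTCPPorts = [ 5432 ]` also looks carried over from the postgres module; `services.jellyfin.openFirewall = true` already opens Jellyfin's own ports, so the 5432 entry only widens the exposed surface and can be dropped.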
@@ -9,7 +9,9 @@ bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path; bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path; bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path; - pubKeys = lib.filesystem.listFilesRecursive ../users/keys; + container_name = "bitcoin-node"; + container_ip = "10.0.10.5"; + pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; in { sops.secrets = { "software/bitcoind/bitcoin-rpcpassword-privileged" = {}; @@ -18,14 +20,18 @@ in { "software/bitcoind/bitcoin-HMAC-public" = {}; }; + environment.persistence."/persist" = { + hideMounts = true; + directories = [ + "/var/lib/nixos-containers/${container_name}" + ]; + }; + networking.nat.enable = true; networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "br0"; - # networking.firewall.enable = true; - # networking.firewall.allowedTCPPorts = [80 443 22]; - # networking.firewall.trustedInterfaces = ["ve-btcnode"]; - containers.bitcoin-node = { + containers.${container_name} = { autoStart = true; privateNetwork = true; hostBridge = "br0"; @@ -65,14 +71,6 @@ in { }; }; - # forwardPorts = [ - # { - # containerPort = 50001; - # hostPort = 50001; - # protocol = "tcp"; - # } - # ]; - config = { pkgs, lib, @@ -88,7 +86,7 @@ in { ]; networking = { defaultGateway = "10.0.10.1"; - interfaces.eth0.ipv4.addresses = [ { "address" = "10.0.10.4"; "prefixLength" = 24; } ]; + interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ]; firewall = { enable = true; allowedTCPPorts = [ 
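Review bot: The new `container_ip = "10.0.10.5";` in the `@@ -9,7 +9,9 @@` hunk is the same static address that postgres.nix in this commit assigns to its container, so a host importing both modules attaches two containers to `br0` with identical IPs and the `@@ -88,7 +86,7 @@` hunk then writes that duplicate into the node's `eth0` address. The previous value was `10.0.10.4` and jellyfin.nix takes `.6`, so keeping `container_ip = "10.0.10.4";` here avoids the clash; longer term a single shared table of container addresses would stop this from recurring.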
@@ -105,18 +103,8 @@ in { services.resolved.enable = true; - services.openssh = { - enable = true; - settings.PasswordAuthentication = false; - }; - - nix-bitcoin.generateSecrets = true; - - users.users.root = { - openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); - }; - # node services here + nix-bitcoin.generateSecrets = true; services = { tor = { enable = true; @@ -165,6 +153,16 @@ in { electrs.enable = true; mempool-frontend.enable = true; }; + + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + }; + + users.users.root = { + openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); + }; + system.stateVersion = "24.05"; }; }; diff --git a/hosts/common/optional/nixos-containers/postgres.nix b/hosts/common/optional/nixos-containers/postgres.nix new file mode 100644 index 0000000..2082dbb --- /dev/null +++ b/hosts/common/optional/nixos-containers/postgres.nix 
@@ -0,0 +1,113 @@
+{
+ inputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path;
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ container_name = "postgres";
+ container_ip = "10.0.10.5";
+in {
+ sops.secrets = {
+ "software/postgres/postgres/password" = {
+ };
+ };
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${container_name}"
+ ];
+ };
+
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ containers.postgres = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ "/var/lib/postgresql" = {
+ hostPath = "/media/main-ssd/postgresql";
+ isReadOnly = false;
+ };
+ };
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "10.0.10.1";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${container_ip}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 5432
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ lsof
+ ];
+
+ services.postgresql = {
+ enable = true;
+ enableJIT = true;
+ package = pkgs.postgresql_16;
+ extraPlugins = with pkgs.postgresql_16.pkgs; [ postgis ];
+ settings = {
+ max_worker_processes = "12";
+ max_parallel_workers = "8";
+ max_parallel_workers_per_gather = "4";
+ max_connections = "100";
+ autovacuum_work_mem = "2GB";
+ shared_buffers = "32GB";
+ work_mem = "0.32GB";
+ maintenance_work_mem = "64MB";
+ };
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ '';
+ };
+
+ systemd.services.postgresql.postStart = ''
+ $PSQL -tA <<'EOF'
+ DO $$
+ DECLARE password TEXT;
+ BEGIN
+ password := trim(both from replace(pg_read_file('${postgresPasswordPath}'), E'\n', '''));
+ EXECUTE format('ALTER ROLE postgres WITH PASSWORD '''%s''';', password);
+ END $$;
+ EOF
+ '';
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
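Review bot: `pg_read_file('${postgresPasswordPath}')` in the postStart hook interpolates a host-side sops secret path, but the SQL runs inside the container, whose only bind mount in this hunk is `/var/lib/postgresql`; unless the secret is mounted into the container elsewhere and readable by the postgres user, pg_read_file raises, and because psql is run without ON_ERROR_STOP the unit still reports success while the role password is never set (the same happens when `sops-nix` is absent from `inputs`, since the path is then the empty string). Separately, `format('ALTER ROLE postgres WITH PASSWORD '''%s''';', password)` splices the secret with `%s` between hand-written quotes, so a password containing a single quote breaks or alters the statement; `EXECUTE format('ALTER ROLE postgres WITH PASSWORD %L;', password);` lets format do the quoting. Finally, the `mkOverride 10` pg_hba replacement leaves only `local all all trust`: with no `host` line the 5432 port opened in the container firewall accepts no TCP connections, while every local account, including root over SSH, can connect as any role without the password just configured, so the password work above protects nothing until a `host ... scram-sha-256` rule and the listening address are added.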