sam
/
nixos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add postgres and jellyfin nixos-containers

This commit is contained in:
Sam 2024-10-06 17:25:27 +01:00
parent 9096d69f9a
commit f57afcc50c
3 changed files with 211 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
hosts/common/optional/nixos-containers/jellyfin.nix Normal file
View File

@ -0,0 +1,75 @@
{
lib,
pkgs,
...
}: let
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
container_name = "jellyfin";
container_ip = "10.0.10.6";
in {
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${container_name}"
];
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
containers.postgres = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
config = {
pkgs,
lib,
...
}: {
networking = {
defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${container_ip}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
5432
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
services.jellyfin = {
enable = true;
openFirewall = true;
};
environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
pkgs.lsof
];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
system.stateVersion = "24.05";
};
};
}

48
hosts/common/optional/nix-bitcoin.nix → hosts/common/optional/nixos-containers/nix-bitcoin.nix
View File

@ -9,7 +9,9 @@
bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path; bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path; bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path; bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
pubKeys = lib.filesystem.listFilesRecursive ../users/keys; container_name = "bitcoin-node";
container_ip = "10.0.10.5";
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in { in {
sops.secrets = { sops.secrets = {
"software/bitcoind/bitcoin-rpcpassword-privileged" = {}; "software/bitcoind/bitcoin-rpcpassword-privileged" = {};
@ -18,14 +20,18 @@ in {
"software/bitcoind/bitcoin-HMAC-public" = {}; "software/bitcoind/bitcoin-HMAC-public" = {};
}; };
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${container_name}"
];
};
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
# networking.firewall.enable = true;
# networking.firewall.allowedTCPPorts = [80 443 22];
# networking.firewall.trustedInterfaces = ["ve-btcnode"];
containers.bitcoin-node = { containers.${container_name} = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostBridge = "br0"; hostBridge = "br0";
@ -65,14 +71,6 @@ in {
}; };
}; };
# forwardPorts = [
# {
# containerPort = 50001;
# hostPort = 50001;
# protocol = "tcp";
# }
# ];
config = { config = {
pkgs, pkgs,
lib, lib,
@ -88,7 +86,7 @@ in {
]; ];
networking = { networking = {
defaultGateway = "10.0.10.1"; defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [ { "address" = "10.0.10.4"; "prefixLength" = 24; } ]; interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ];
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
@ -105,18 +103,8 @@ in {
services.resolved.enable = true; services.resolved.enable = true;
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
nix-bitcoin.generateSecrets = true;
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
# node services here # node services here
nix-bitcoin.generateSecrets = true;
services = { services = {
tor = { tor = {
enable = true; enable = true;
@ -165,6 +153,16 @@ in {
electrs.enable = true; electrs.enable = true;
mempool-frontend.enable = true; mempool-frontend.enable = true;
}; };
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
}; };
}; };

113
hosts/common/optional/nixos-containers/postgres.nix Normal file
View File

@ -0,0 +1,113 @@
{
inputs,
lib,
config,
pkgs,
...
}: let
postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
container_name = "postgres";
container_ip = "10.0.10.5";
in {
sops.secrets = {
"software/postgres/postgres/password" = {
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${container_name}"
];
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
containers.postgres = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/var/lib/postgresql" = {
hostPath = "/media/main-ssd/postgresql";
isReadOnly = false;
};
};
config = {
pkgs,
lib,
...
}: {
networking = {
defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${container_ip}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
5432
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
environment.systemPackages = with pkgs; [
lsof
];
services.postgresql = {
enable = true;
enableJIT = true;
package = pkgs.postgresql_16;
extraPlugins = with pkgs.postgresql_16.pkgs; [ postgis ];
settings = {
max_worker_processes = "12";
max_parallel_workers = "8";
max_parallel_workers_per_gather = "4";
max_connections = "100";
autovacuum_work_mem = "2GB";
shared_buffers = "32GB";
work_mem = "0.32GB";
maintenance_work_mem = "64MB";
};
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
systemd.services.postgresql.postStart = ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${postgresPasswordPath}'), E'\n', '''));
EXECUTE format('ALTER ROLE postgres WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
system.stateVersion = "24.05";
};
};
}