add postgres and jellyfin nixos-containers

2024-10-06 17:25:27 +01:00 · 2024-10-06 17:25:27 +01:00 · f57afcc50c
parent 9096d69f9a
commit f57afcc50c
3 changed files with 211 additions and 25 deletions
--- a/hosts/common/optional/nixos-containers/jellyfin.nix
+++ b/hosts/common/optional/nixos-containers/jellyfin.nix
@ -0,0 +1,75 @@
+{
+  lib,
+  pkgs,
+  ...
+}: let
+  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+  container_name = "jellyfin";
+  container_ip = "10.0.10.6";
+in {
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/nixos-containers/${container_name}"
+    ];
+  };
+
+  networking.nat.enable = true;
+  networking.nat.internalInterfaces = ["ve-+"];
+  networking.nat.externalInterface = "br0";
+
+  containers.postgres = {
+    autoStart = true;
+    privateNetwork = true;
+    hostBridge = "br0";
+    nixpkgs = pkgs.path;
+
+    config = {
+      pkgs,
+      lib,
+      ...
+    }: {
+      networking = {
+        defaultGateway = "10.0.10.1";
+        interfaces.eth0.ipv4.addresses = [
+          {
+            "address" = "${container_ip}";
+            "prefixLength" = 24;
+          }
+        ];
+        firewall = {
+          enable = true;
+          allowedTCPPorts = [
+            5432
+          ];
+        };
+        useHostResolvConf = lib.mkForce false;
+      };
+
+      services.resolved.enable = true;
+
+      services.jellyfin = {
+        enable = true;
+        openFirewall = true;
+      };
+
+      environment.systemPackages = [
+        pkgs.jellyfin
+        pkgs.jellyfin-web
+        pkgs.jellyfin-ffmpeg
+        pkgs.lsof
+      ];
+
+      services.openssh = {
+        enable = true;
+        settings.PasswordAuthentication = false;
+      };
+
+      users.users.root = {
+        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+      };
+
+      system.stateVersion = "24.05";
+    };
+  };
+}
--- a/hosts/common/optional/nixos-containers/nix-bitcoin.nix
+++ b/hosts/common/optional/nixos-containers/nix-bitcoin.nix
@ -9,7 +9,9 @@
  bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
  bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
  bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
-  pubKeys = lib.filesystem.listFilesRecursive ../users/keys;
+  container_name = "bitcoin-node";
+  container_ip = "10.0.10.5";
+  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
 in {
  sops.secrets = {
    "software/bitcoind/bitcoin-rpcpassword-privileged" = {};
@ -18,14 +20,18 @@ in {
    "software/bitcoind/bitcoin-HMAC-public" = {};
  };

+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/nixos-containers/${container_name}"
+    ];
+  };
+
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "br0";
-  # networking.firewall.enable = true;
-  # networking.firewall.allowedTCPPorts = [80 443 22];
-  # networking.firewall.trustedInterfaces = ["ve-btcnode"];

-  containers.bitcoin-node = {
+  containers.${container_name} = {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
@ -65,14 +71,6 @@ in {
      };
    };

-    # forwardPorts = [
-    #   {
-    #     containerPort = 50001;
-    #     hostPort = 50001;
-    #     protocol = "tcp";
-    #   }
-    # ];
-
    config = {
      pkgs,
      lib,
@ -88,7 +86,7 @@ in {
      ];
      networking = {
        defaultGateway = "10.0.10.1";
-        interfaces.eth0.ipv4.addresses = [ { "address" = "10.0.10.4"; "prefixLength" = 24; } ];
+        interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ];
        firewall = {
          enable = true;
          allowedTCPPorts = [
@ -105,18 +103,8 @@ in {

      services.resolved.enable = true;

-      services.openssh = {
-        enable = true;
-        settings.PasswordAuthentication = false;
-      };
-
-      nix-bitcoin.generateSecrets = true;
-
-      users.users.root = {
-        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
-      };
-
      # node services here
+      nix-bitcoin.generateSecrets = true;
      services = {
        tor = {
          enable = true;
@ -165,6 +153,16 @@ in {
        electrs.enable = true;
        mempool-frontend.enable = true;
      };
+
+      services.openssh = {
+        enable = true;
+        settings.PasswordAuthentication = false;
+      };
+
+      users.users.root = {
+        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+      };
+
      system.stateVersion = "24.05";
    };
  };
--- a/hosts/common/optional/nixos-containers/postgres.nix
+++ b/hosts/common/optional/nixos-containers/postgres.nix
@ -0,0 +1,113 @@
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path;
+  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+  container_name = "postgres";
+  container_ip = "10.0.10.5";
+in {
+  sops.secrets = {
+    "software/postgres/postgres/password" = {
+    };
+  };
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/nixos-containers/${container_name}"
+    ];
+  };
+
+  networking.nat.enable = true;
+  networking.nat.internalInterfaces = ["ve-+"];
+  networking.nat.externalInterface = "br0";
+
+  containers.postgres = {
+    autoStart = true;
+    privateNetwork = true;
+    hostBridge = "br0";
+    nixpkgs = pkgs.path;
+    bindMounts = {
+      "/var/lib/postgresql" = {
+        hostPath = "/media/main-ssd/postgresql";
+        isReadOnly = false;
+      };
+    };
+
+    config = {
+      pkgs,
+      lib,
+      ...
+    }: {
+      networking = {
+        defaultGateway = "10.0.10.1";
+        interfaces.eth0.ipv4.addresses = [
+          {
+            "address" = "${container_ip}";
+            "prefixLength" = 24;
+          }
+        ];
+        firewall = {
+          enable = true;
+          allowedTCPPorts = [
+            5432
+          ];
+        };
+        useHostResolvConf = lib.mkForce false;
+      };
+
+      services.resolved.enable = true;
+
+      environment.systemPackages = with pkgs; [
+        lsof
+      ];
+
+      services.postgresql = {
+        enable = true;
+        enableJIT = true;
+        package = pkgs.postgresql_16;
+        extraPlugins = with pkgs.postgresql_16.pkgs; [ postgis ];
+        settings = {
+          max_worker_processes = "12";
+          max_parallel_workers = "8";
+          max_parallel_workers_per_gather = "4";
+          max_connections = "100";
+          autovacuum_work_mem = "2GB";
+          shared_buffers = "32GB";
+          work_mem = "0.32GB";
+          maintenance_work_mem = "64MB";
+        };
+        authentication = pkgs.lib.mkOverride 10 ''
+          #type database  DBuser  auth-method
+          local all       all     trust
+        '';
+      };
+
+      systemd.services.postgresql.postStart = ''
+        $PSQL -tA <<'EOF'
+          DO $$
+          DECLARE password TEXT;
+          BEGIN
+            password := trim(both from replace(pg_read_file('${postgresPasswordPath}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE postgres WITH PASSWORD '''%s''';', password);
+          END $$;
+        EOF
+      '';
+
+      services.openssh = {
+        enable = true;
+        settings.PasswordAuthentication = false;
+      };
+
+      users.users.root = {
+        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+      };
+
+      system.stateVersion = "24.05";
+    };
+  };
+}