feat: container migaration (#12)

2023-05-14 01:49:21 -04:00 · 2023-05-14 01:49:21 -04:00 · fc9294bd3e
commit fc9294bd3e
parent 941a017882 1b7aafd9a9
14 changed files with 197 additions and 5 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &notoh age1ckvmyqkwk69j64ev3fmckytz6k2dv79z4gn5qf6gxqyevp5yjfesdfkxmn
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+      - age:
+        - *notoh
--- a/hosts/hime/default.nix
+++ b/hosts/hime/default.nix
@ -22,7 +22,6 @@
    xkbVariant = "";
  };

-  virtualisation.docker.enable = true;
  users = {
    defaultUserShell = pkgs.nushell;
    users.oh = {
@ -33,7 +32,6 @@
  };

  environment.systemPackages = with pkgs; [
-    docker-compose
    hugo
    wget
    python3Full
--- a/hosts/sakura/default.nix
+++ b/hosts/sakura/default.nix
@ -6,6 +6,7 @@
  imports = [
    ./hardware-configuration.nix
    ../../modules
+    ../../modules/services
  ];

  boot.loader = {
@ -16,7 +17,6 @@
      useOSProber = false;
    };
  };
-
  networking = {
    hostName = "sakura";
  };
@ -26,7 +26,6 @@
    xkbVariant = "";
  };

-  virtualisation.docker.enable = true;
  users = {
    defaultUserShell = pkgs.nushell;
    users.notoh = {
--- a/hosts/sutakku/default.nix
+++ b/hosts/sutakku/default.nix
@ -26,7 +26,6 @@
    xkbVariant = "";
  };

-  virtualisation.docker.enable = true;
  users = {
    defaultUserShell = pkgs.nushell;
    users.oh = {
--- a/modules/default.nix
+++ b/modules/default.nix
@ -5,5 +5,6 @@
    ./nix.nix
    ./system.nix
    ./openssh.nix
+    ./virtualisation.nix
  ];
 }
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -0,0 +1,10 @@
+{...}: {
+  imports = [
+    ./traefik.nix
+    ./homepage.nix
+    ./searxng.nix
+    ./hugo.nix
+    ./stash.nix
+    ./foundryvtt.nix
+  ];
+}
--- a/modules/services/foundryvtt.nix
+++ b/modules/services/foundryvtt.nix
@ -0,0 +1,13 @@
+{inputs, ...}: {
+  virtualisation.oci-containers.containers.foundryvtt = {
+    image = "felddy/foundryvtt:release";
+    ports = ["30000:30000"];
+    volumes = [
+      "/home/notoh/docker/foundryvtt:/data"
+    ];
+    environment = {
+      FOUNDRY_USERNAME = inputs.sops.secrets.foundry-username;
+      FOUNDRY_PASSWORD = inputs.sops.secrets.foundry-password;
+    };
+  };
+}
--- a/modules/services/homepage.nix
+++ b/modules/services/homepage.nix
@ -0,0 +1,10 @@
+{pkgs, ...}: {
+  virtualisation.oci-containers.containers.homepage = {
+    ports = ["3000:3000"];
+    image = "ghcr.io/benphelps/homepage";
+    volumes = [
+      "/home/notoh/docker/homepage:/app/config"
+      "/var/run/docker.sock:/var/run/docker.sock:ro"
+    ];
+  };
+}
--- a/modules/services/hugo.nix
+++ b/modules/services/hugo.nix
@ -0,0 +1,10 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [hugo];
+  virtualisation.oci-containers.containers.hugo = {
+    image = "klakegg/hugo:0.101.0";
+    cmd = ["server" "sh"];
+    volumes = [
+      "/home/notoh/docker/hugo:/src"
+    ];
+  };
+}
--- a/modules/services/searxng.nix
+++ b/modules/services/searxng.nix
@ -0,0 +1,12 @@
+{...}: {
+  virtualisation.oci-containers.containers.searxng = {
+    image = "searxng/searxng";
+    ports = ["8085:8080"];
+    volumes = [
+      "/home/notoh/docker/searxng:/etc/searxng:rw"
+    ];
+    environment = {
+      INSTANCE_NAME = "test_instance";
+    };
+  };
+}
--- a/modules/services/stash.nix
+++ b/modules/services/stash.nix
@ -0,0 +1,23 @@
+{...}: {
+  virtualisation.oci-containers.containers.stash = {
+    image = "stashapp/stash";
+    ports = [
+      "9999:9999"
+    ];
+    environment = {
+      STASH_STASH = "/data/";
+      STASH_GENERATED = "/generated/";
+      STASH_METADATA = "/metadata/";
+      STASH_CACHE = "/cache/";
+      STASH_PORT = "9999";
+    };
+    volumes = [
+      "/etc/localtime:/etc/localtime:ro"
+      "/home/notoh/docker/stash/.config:/root/.stash"
+      "/home/notoh/docker/stash/data:/data"
+      "/home/notoh/docker/stash/.metadata:/metadata"
+      "/home/notoh/docker/stash/cache:/cache"
+      "/home/notoh/docker/stash/generated:/generated"
+    ];
+  };
+}
--- a/modules/services/traefik.nix
+++ b/modules/services/traefik.nix
@ -0,0 +1,72 @@
+{...}: {
+  networking.firewall.allowedTCPPorts = [80 443 8080];
+
+  services.traefik = {
+    enable = true;
+    group = "docker";
+    dynamicConfigOptions = {
+      http = {
+        routers = {
+          api = {
+            rule = "PathPrefix(`/api/`)";
+            entryPoints = ["websecure"];
+            service = "api@internal";
+          };
+          homepage = {
+            rule = "Host(`homepage.lab`)";
+            entrypoints = ["web"];
+            service = "homepage@docker";
+          };
+          searxng = {
+            rule = "Host(`test`)";
+            entrypoints = ["web"];
+            service = "searxng@docker";
+          };
+          hugo = {
+            rule = "Host(`hugo.lab`)";
+            entryPoints = ["websecure"];
+            service = "hugo@docker";
+          };
+          stash = {
+            rule = "Host(`stash.lab`)";
+            entrypoints = ["web"];
+            service = "stash@docker";
+          };
+        };
+      };
+    };
+    staticConfigOptions = {
+      api.dashboard = true;
+      api.insecure = true;
+      providers.docker = true;
+      global = {
+        checkNewVersion = false;
+        sendAnonymousUsage = false;
+      };
+      entryPoints = {
+        websecure.address = ":443";
+        web.address = ":80";
+      };
+      certificatesResolvers = {
+        staging.acme = {
+          email = "x3xr6n66@notohh.dev";
+          storage = "/var/lib/traefik/acme.json";
+          caServer = "https://acme-staging-v02.api.letsencrypt.org/directory";
+          dnsChallenge = {
+            provider = "cloudflare";
+            delayBeforeCheck = 0;
+          };
+        };
+        production.acme = {
+          email = "x3xr6n66@notohh.dev";
+          storage = "/var/lib/traefik/acme.json";
+          caServer = "https://acme-v02.api.letsencrypt.org/directory";
+          dnsChallenge = {
+            provider = "cloudflare";
+            delayBeforeCheck = 0;
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/virtualisation.nix
+++ b/modules/virtualisation.nix
@ -0,0 +1,16 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [docker-compose];
+
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.docker = {
+    enable = true;
+    enableOnBoot = true;
+    autoPrune = {
+      enable = true;
+      dates = "weekly";
+    };
+    listenOptions = [
+      "/run/docker.sock"
+    ];
+  };
+}
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,22 @@
+foundry-username: ENC[AES256_GCM,data:WgcWG577,iv:62k3mxXNAwvfugCE8uWfMIkG0TEmnW8YYMPF5Q5Q00g=,tag:hv2rqcwha12eZX2WmnKmMQ==,type:str]
+foundry-password: ENC[AES256_GCM,data:xb2UNAhXvj0ayVsf3sTYTqH0n2FnEPQSqoli1zHVEIQ=,iv:B8Kh228CDIyggNweljqqU/CXfTpjQpxcz4J4MnKcgb4=,tag:KnsvAjvL4WGKEQKqlhYiZA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ckvmyqkwk69j64ev3fmckytz6k2dv79z4gn5qf6gxqyevp5yjfesdfkxmn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRyt5K0FUSDBjVnY3NTZz
+            T0NmeE9HREUrSTR5WWtLTzA5TWtndlpBd0FrClBZbzB5bGFxTFYrcEljd1NIZm9K
+            V3pOZldWTmx6WG4vQU44ZXJDQ29oNTAKLS0tIFhqa1RmeVcwbnhlaWdpOEFJeFBX
+            YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
+            5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-05-14T05:40:38Z"
+    mac: ENC[AES256_GCM,data:Yz8y7vgXcU3SWyQANTM835Od+za7QraqdEjkqVCVuySmACdt93HlT1YdRRnXFennvXnNIsr/J7td+X3tmIwJnOXxbLhSdtluLl0KC8rYjaLN9ijThbA0p6umY+0WMUqRNfugzFzM/3J2L6GbMhczS8+cZ94JsOGu+RNZlydAuVw=,iv:Aw3n05FbB9pV6SztHI6H7vGjbpUQrr4WG6HqjNDMCr8=,tag:mrr6QzeR9yHM9S2Ut7gzbg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3