From c457867440580717e46aa5dfdc02e2dca770f06b Mon Sep 17 00:00:00 2001 From: soraefir Date: Wed, 6 May 2026 22:48:09 +0200 Subject: [PATCH] Improvements to server --- modules/home/cli/git/default.nix | 6 +-- modules/server/containers/default.nix | 19 ++++++++ modules/server/containers/defs/authentik.nix | 29 ++++++++--- modules/server/database/default.nix | 51 ++++++++++++++------ modules/server/nftables/default.nix | 3 +- modules/shared/syscfg/default.nix | 6 +-- 6 files changed, 85 insertions(+), 29 deletions(-) diff --git a/modules/home/cli/git/default.nix b/modules/home/cli/git/default.nix index 53aa062..1fe0e74 100755 --- a/modules/home/cli/git/default.nix +++ b/modules/home/cli/git/default.nix @@ -1,9 +1,9 @@ -{ config, pkgs, ... }: { +{ config, lib, pkgs, ... }: { programs.git = { enable = true; - signing = { - key = "${config.usercfg.git.key}"; + signing = lib.mkIf (config.usercfg.git.key != null) { + key = config.usercfg.git.key; signByDefault = true; }; ignores = [ "*result*" ".direnv" "node_modules" ]; diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix index 6dd47cc..04f3e92 100644 --- a/modules/server/containers/default.nix +++ b/modules/server/containers/default.nix @@ -8,6 +8,7 @@ let } ) enabledConfigs; mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList); + allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList); in { config = lib.mkIf ( enabledConfigs != {} ) { 
@@ -17,5 +18,23 @@ in containers = mergedContainers; }; + systemd.services.podman-gc = { + description = "Podman garbage collection"; + serviceConfig.Type = "oneshot"; + script = '' + ${pkgs.podman}/bin/podman container prune -f + ${pkgs.podman}/bin/podman image prune -f + ''; + startAt = "weekly"; + }; + + system.activationScripts.container-setup-dirs = { + deps = [ "users" "groups" ]; + text = lib.concatStringsSep "\n" (map (cfg: '' + mkdir -p "${cfg.path}" + chown ${cfg.owner} "${cfg.path}" + chmod ${cfg.mode} "${cfg.path}" + '') allPathConfigs); + }; }; } \ No newline at end of file diff --git a/modules/server/containers/defs/authentik.nix b/modules/server/containers/defs/authentik.nix index 60a3e6c..ae02489 100644 --- a/modules/server/containers/defs/authentik.nix +++ b/modules/server/containers/defs/authentik.nix @@ -1,10 +1,17 @@ { config, containerCfg, pkgs, lib, ... }: -let serverCfg = config.syscfg.server; +let +serverCfg = config.syscfg.server; in { - systemd.tmfiles.rules = [ - "d ${serverCfg.dataPath}/authentik/media 0755 root root -" - "d ${serverCfg.dataPath}/authentik/template 0755 root root -" - ]; + paths = [{ + path="${serverCfg.dataPath}/authentik/media"; + owner = "1000:1000"; + mode = "0755"; + }{ + path="${serverCfg.dataPath}/authentik/templates"; + owner = "1000:1000"; + mode = "0755"; + }]; + containers = { auth_server = { @@ -18,7 +25,8 @@ in { config.sops.secrets."AUTHENTIK".path ]; environment = { - "AUTHENTIK_POSTGRESQL__HOST" = "10.88.0.1"; + "AUTHENTIK_REDIS__HOST" = "host.containers.internal"; + "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal"; "AUTHENTIK_POSTGRESQL__USER" = "authentik_user"; "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db"; "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}"; @@ -38,6 +46,9 @@ in { }; cmd = [ "server" ]; extraOptions = [ + "--add-host=host.containers.internal:host-gateway" + "--replace" + "--rm" "--ip=${containerCfg.ip}" ]; ports = [ 
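Review bot: The `container-setup-dirs` activation script runs `chown`/`chmod` as root on every switch, and both follow symlinks, so if anything running as the directory's owner can swap `${cfg.path}` for a symlink (the authentik definition hands these directories to `1000:1000`), root would re-own and re-mode the symlink's target; `mkdir -p` also silently accepts an existing symlink in place of the directory. systemd-tmpfiles `d` entries refuse to operate through symlinks and already do the create/own/mode sequence, so the same list is safer declared there; `owner` is in `user:group` form and tmpfiles takes the two separately, so split it when rendering the rule. Separately, `podman-gc`'s weekly `image prune -f` deletes every dangling image, which is only fine if the service images are always re-pullable by tag at start — confirm that is the case before relying on it.
```nix
systemd.tmpfiles.rules = map (cfg:
  let ug = lib.splitString ":" cfg.owner;
  in "d ${cfg.path} ${cfg.mode} ${lib.head ug} ${lib.last ug} -"
) allPathConfigs;
```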
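Review bot: The second path is renamed from `template` to `templates` here, but the volume mapping that bind-mounts it into `auth_server` is outside this hunk; if that mapping still says `template`, the runtime will create an empty root-owned directory under the old name and the prepared `templates` directory is never used. Add a one-line comment tying the two together, e.g. `# must match the volumes entry below`, or derive both from one `let` binding. `0755` on `media` also makes every uploaded file world-readable on the host; `0750` is enough if only uid 1000 needs it — confirm nothing else serves that directory.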
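Review bot: `AUTHENTIK_REDIS__HOST` now points the server at the host's Redis, but no `AUTHENTIK_REDIS__PASSWORD` is set here and the Redis server added in database/default.nix has no password either, so the session/cache store is reached unauthenticated over the bridge. If a `requirePassFile` is added on the Redis side, the matching value needs to land in the `AUTHENTIK` secret file this container already loads, or as `AUTHENTIK_REDIS__PASSWORD` alongside these lines. `host.containers.internal` resolves via the `--add-host=...:host-gateway` entry to the bridge gateway (the `10.88.0.1` it replaces), which is what pg_hba's `10.0.0.0/8` line matches — worth a comment so the next reader does not assume it is a host's LAN address.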
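Review bot: `--replace` and `--rm` look redundant in `extraOptions`: the NixOS oci-containers module already starts podman with `--rm` and force-removes a stale container of the same name in the unit's preStart — confirm against the module version in use before keeping them, since passing `--rm` twice is harmless but `--replace` hides a unit that failed to clean up. Podman 4+ also injects `host.containers.internal` into the container's /etc/hosts by default, so the explicit `--add-host` only matters when that feature is disabled in containers.conf; keep it, but say why, e.g. `# explicit so the name resolves even if podman's automatic host entry is disabled`.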
@@ -57,11 +68,15 @@ in {
 config.sops.secrets."AUTHENTIK".path
 ];
 environment = {
- "AUTHENTIK_POSTGRESQL__HOST" = "10.88.0.1";
+ "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+ "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
 "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
 "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
 };
 extraOptions = [
+ "--add-host=host.containers.internal:host-gateway"
+ "--replace"
+ "--rm"
 ];
 cmd = [ "worker" ];
 };
diff --git a/modules/server/database/default.nix b/modules/server/database/default.nix
index 9ce0c62..e6e20a8 100644
--- a/modules/server/database/default.nix
+++ b/modules/server/database/default.nix
@@ -17,14 +17,14 @@ in {
 settings = {
 listen_addresses = lib.mkForce "*";
 };
- # authentication = pkgs.lib.mkOverride 10 ''
- # # TYPE DATABASE USER ADDRESS METHOD
- # local all all trust
- # host all all 127.0.0.1/32 trust
- # host all all 10.0.0.0/8 scram-sha-256
- # host all all 169.254.0.0/16 scram-sha-256
- # host all all ::1/128 trust
- # '';
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE DATABASE USER ADDRESS METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host all all 10.0.0.0/8 scram-sha-256
+ host all all 169.254.0.0/16 scram-sha-256
+ '';
 ensureDatabases = map (name: "${name}_db") allApps;
 ensureUsers = map (name: { name = "${name}_user"; }) allApps;
 };
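Review bot: The worker's `environment` and `extraOptions` now repeat the server's lines verbatim (`AUTHENTIK_REDIS__HOST`, `AUTHENTIK_POSTGRESQL__HOST`/`__USER`/`__NAME`, `--add-host`, `--replace`, `--rm`), and this is the second copy of the same three options in one file. A `let commonEnv = { ... }; commonOpts = [ ... ]; in` at the top of the module, merged with `environment = commonEnv // { ... };` and `extraOptions = commonOpts ++ [ "--ip=${containerCfg.ip}" ];`, keeps the two containers from drifting the next time a host or option changes. The enclosing `containers` attrset starts before this hunk.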
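Review bot: `local all all trust` and the two loopback `trust` lines let any local OS user or process open a connection as the `postgres` superuser with no credentials; the `postgresql-init` unit runs as `User = "postgres"` over the socket, so `peer` covers it, and the loopback lines can use `scram-sha-256` like the network ones — unless some other local, non-postgres OS user connects over the socket (not visible here). The `host all all 10.0.0.0/8` line also lets every `${name}_user` reach every other app's database with its own password, since new databases grant CONNECT to PUBLIC by default; generating one `host <db> <user>` line per app from the same `allApps` list used by `ensureDatabases` (defined in the file's `let`, outside this hunk) scopes each role to its database.
```nix
authentication = pkgs.lib.mkOverride 10 ''
  # TYPE  DATABASE    USER          ADDRESS          METHOD
  local   all         all                            peer
  host    all         all           127.0.0.1/32     scram-sha-256
  host    all         all           ::1/128          scram-sha-256
  ${lib.concatMapStringsSep "\n" (name: ''
  host    ${name}_db  ${name}_user  10.0.0.0/8       scram-sha-256
  host    ${name}_db  ${name}_user  169.254.0.0/16   scram-sha-256'') allApps}
'';
```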
@@ -35,21 +35,42 @@ in { backupAll = true; # Backs up all databases and roles }; - systemd.services.postgresql.postStart = lib.mkAfter '' + services.redis.servers."main" = { + enable = true; + port = 6379; + bind = "*"; + settings.protected-mode = "no"; + }; + + + systemd.services.postgresql-init = { + description = "Custom Postgres Setup (Ownership & Passwords)"; + after = [ "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "oneshot"; + User = "postgres"; + RemainAfterExit = true; + }; + + script = '' ${pkgs.coreutils}/bin/sleep 2 PSQL="${pkgs.postgresql}/bin/psql" ${lib.concatMapStringsSep "\n" (name: '' - until $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1; do - echo "Waiting for user ${name}_user..." - sleep 1 - done $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;" if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-) - $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" + echo $PASS + if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then + echo "✅ Successfully set password for ${name}_user" + else + echo "❌ FAILED to set password for ${name}_user" + fi fi '') allApps} - ''; + ''; + }; }; } \ No newline at end of file diff --git a/modules/server/nftables/default.nix b/modules/server/nftables/default.nix index 6721985..27a5322 100644 --- a/modules/server/nftables/default.nix +++ b/modules/server/nftables/default.nix @@ -12,7 +12,8 @@ table inet filter { chain input { type filter hook input priority filter; policy accept; - tcp dport 5432 ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept + tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept + } } table inet nat { diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix index 3f55f8d..0ea4ea2 100644 --- a/modules/shared/syscfg/default.nix 
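Review bot: The Redis server is bound to `*` with `protected-mode` off and no password, so every host the firewall lets reach 6379 gets an unauthenticated Redis holding authentik's sessions and cache and accepting `CONFIG`/`DEBUG`; set `requirePassFile` to a sops-managed secret (as the per-app DB passwords already are), bind only to the bridge gateway the containers use (`bind = "10.88.0.1";` if that is still the gateway — confirm), and leave `protected-mode` at its default. In the init script, `echo $PASS` writes every database password into the journal and must go. The password is also placed in psql's argv, visible to all local users via /proc while psql runs, and any `'` in it breaks the statement; feed the statement on stdin instead: `if printf '%s\n' "ALTER USER ${name}_user WITH PASSWORD :'pass';" | $PSQL -v pass="$PASS" -tA ; then`. Finally `sleep 2` replaced the readiness loop but `after=` only orders startup — add `requires = [ "postgresql.service" ];`, and if your NixOS version creates `ensureUsers` roles in a separate `postgresql-setup` unit, order after that too or the `ALTER USER` runs before the role exists.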
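Review bot: The new `accept` rule sits in a chain whose policy is `accept`, so on the lines visible here it does not restrict 5432 or 6379 to `10.0.0.0/8`/`169.254.0.0/16` at all — every source is accepted unless a drop rule follows further down the chain, which this hunk does not show. That matters more now that Redis listens on `*` with no authentication. If the intent is a whitelist, the chain needs `policy drop;` with `iif lo accept` and `ct state established,related accept` ahead of this rule, and since both services also listen on IPv6 an `ip saddr`-only match leaves v6 sources unfiltered — add an `ip6 saddr` rule or drop v6 explicitly. The hunk also appears to add a closing `}`, which changes the chain/table nesting; confirm the rendered ruleset still loads with `nft -c -f`.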
+++ b/modules/shared/syscfg/default.nix
@@ -13,9 +13,9 @@ let
 default = "-";
 };
 git = {
- username = mkOption { type = types.str; };
- email = mkOption { type = types.str; };
- key = mkOption { type = types.str; };
+ username = mkOption { type = types.str; default = "Anonymous";};
+ email = mkOption { type = types.str; default = "anonymous@domain"; };
+ key = mkOption { type = types.nullOr types.str; default=null; };
 };
 };
 netOpt = with lib; {
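Review bot: `username` and `email` now default to placeholder identities, so a host that forgets to set `usercfg.git` silently commits as `Anonymous <anonymous@domain>` instead of failing evaluation; making both `types.nullOr types.str` with `default = null`, as `key` now is, and gating the corresponding `programs.git` settings with `mkIf` (where they are set, outside this hunk) surfaces the omission. If a placeholder is really wanted, `anonymous@domain` is a deliverable-looking address; `anonymous@example.invalid` is the reserved non-routable form.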