Improvements to server

2026-05-06 22:48:09 +02:00
parent d73bbd8b18
commit c457867440
6 changed files with 85 additions and 29 deletions
--- a/modules/home/cli/git/default.nix
+++ b/modules/home/cli/git/default.nix
@@ -1,9 +1,9 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {

  programs.git = {
    enable = true;
-    signing = {
-      key = "${config.usercfg.git.key}";
+    signing = lib.mkIf (config.usercfg.git.key != null) {
+      key = config.usercfg.git.key;
      signByDefault = true;
    };
    ignores = [ "*result*" ".direnv" "node_modules" ];
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -8,6 +8,7 @@ let
    }
  ) enabledConfigs;
  mergedContainers = lib.attrsets.mergeAttrsList  (lib.map(e: e.containers) containerSetsList);
+  allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
 in
 {
  config = lib.mkIf ( enabledConfigs != {} ) {
@@ -17,5 +18,23 @@ in
      containers = mergedContainers;
    };

+    systemd.services.podman-gc = {
+      description = "Podman garbage collection";
+      serviceConfig.Type = "oneshot";
+      script = ''
+        ${pkgs.podman}/bin/podman container prune -f
+        ${pkgs.podman}/bin/podman image prune -f
+      '';
+      startAt = "weekly";
+    };
+    
+    system.activationScripts.container-setup-dirs = {
+      deps = [ "users" "groups" ];
+      text = lib.concatStringsSep "\n" (map (cfg: ''
+        mkdir -p "${cfg.path}"
+        chown ${cfg.owner} "${cfg.path}"
+        chmod ${cfg.mode} "${cfg.path}"
+      '') allPathConfigs);
+    };
  };
 }
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -1,10 +1,17 @@
 { config, containerCfg, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
+let 
+serverCfg = config.syscfg.server;
 in {
-  systemd.tmfiles.rules = [
-    "d ${serverCfg.dataPath}/authentik/media 0755 root root -"
-    "d ${serverCfg.dataPath}/authentik/template 0755 root root -"
-  ];
+  paths = [{
+    path="${serverCfg.dataPath}/authentik/media";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/authentik/templates";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
  containers = {

    auth_server = {
@@ -18,7 +25,8 @@ in {
        config.sops.secrets."AUTHENTIK".path
      ];
      environment = {
-        "AUTHENTIK_POSTGRESQL__HOST" = "10.88.0.1";
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
@@ -38,6 +46,9 @@ in {
      };
      cmd = [ "server" ];
      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+        "--replace"
+        "--rm"
        "--ip=${containerCfg.ip}"
      ];
      ports = [
@@ -57,11 +68,15 @@ in {
        config.sops.secrets."AUTHENTIK".path
      ];
      environment = {
-        "AUTHENTIK_POSTGRESQL__HOST" = "10.88.0.1";
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
      };
      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+        "--replace"
+        "--rm"
      ];
      cmd = [ "worker" ];
    };
--- a/modules/server/database/default.nix
+++ b/modules/server/database/default.nix
@@ -17,14 +17,14 @@ in {
      settings = {
        listen_addresses = lib.mkForce "*"; 
      };
-      # authentication = pkgs.lib.mkOverride 10 ''
-      #   # TYPE  DATABASE        USER            ADDRESS                 METHOD
-      #   local   all             all                                     trust
-      #   host    all             all             127.0.0.1/32            trust
-      #   host    all             all             10.0.0.0/8              scram-sha-256
-      #   host    all             all             169.254.0.0/16          scram-sha-256
-      #   host    all             all             ::1/128                 trust
-      # '';
+      authentication = pkgs.lib.mkOverride 10 ''
+         # TYPE  DATABASE        USER            ADDRESS                 METHOD
+         local   all             all                                     trust
+         host    all             all             127.0.0.1/32            trust
+         host    all             all             ::1/128                 trust
+         host    all             all             10.0.0.0/8              scram-sha-256
+         host    all             all             169.254.0.0/16          scram-sha-256
+      '';
      ensureDatabases = map (name: "${name}_db") allApps;
      ensureUsers = map (name: { name = "${name}_user"; }) allApps;
    };
@@ -35,21 +35,42 @@ in {
      backupAll = true; # Backs up all databases and roles
    };

-    systemd.services.postgresql.postStart = lib.mkAfter ''
+    services.redis.servers."main" = {
+      enable = true;
+      port = 6379;
+      bind = "*";
+      settings.protected-mode = "no";
+    };
+
+
+    systemd.services.postgresql-init = {
+      description = "Custom Postgres Setup (Ownership & Passwords)";
+      after = [ "postgresql.service" ];
+      wantedBy = [ "multi-user.target" ];
+      
+      serviceConfig = {
+        Type = "oneshot";
+        User = "postgres";
+        RemainAfterExit = true;
+      };
+
+      script = ''
        ${pkgs.coreutils}/bin/sleep 2
        PSQL="${pkgs.postgresql}/bin/psql"
        ${lib.concatMapStringsSep "\n" (name: ''
-          until $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1; do
-            echo "Waiting for user ${name}_user..."
-            sleep 1
-          done
          $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
          
          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
-            $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
+            echo $PASS
+            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
+                echo "✅ Successfully set password for ${name}_user"
+            else
+                echo "❌ FAILED to set password for ${name}_user"
+            fi
          fi
        '') allApps}
      '';
    };
+  };
 }
--- a/modules/server/nftables/default.nix
+++ b/modules/server/nftables/default.nix
@@ -12,7 +12,8 @@
      table inet filter {
        chain input {
          type filter hook input priority filter; policy accept;
-          tcp dport 5432 ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
+          tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
+          
        }
      }
      table inet nat {
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -13,9 +13,9 @@ let
      default = "-";
    };
    git = {
-      username = mkOption { type = types.str; };
-      email = mkOption { type = types.str; };
-      key = mkOption { type = types.str; };
+      username = mkOption { type = types.str; default = "Anonymous";};
+      email = mkOption { type = types.str; default = "anonymous@domain"; };
+      key = mkOption { type = types.nullOr types.str; default=null; };
    };
  };
  netOpt = with lib; {